LOCKED_PAY Ransomware

Most cybercriminals are not the highly-skilled individuals that the public tends to perceive them as. For example, when it comes to building ransomware, most cyber crooks do not construct this threat type from the ground up but instead rely on open-source projects on which they base their creations. This is the case with the ransomware threat in question today - LOCKED_PAY Ransomware. It would seem that the authors of the LOCKED_PAY Ransomware have used the JigSaw Ransomware builder tool to create their own ransomware threat. However, when borrowing and altering the code, the authors of the LOCKED_PAY Ransomware have made some errors, which have resulted in their ransomware threat being unable to lock any data whatsoever. As a result of this, the LOCKED_PAY Ransomware will not be able to encrypt any of your files. The Infection Vectors...

Posted on September 27, 2019 in Ransomware

Axzyte Ransomware

Despite its name, the Axzyte Ransomware does not fall in the category of ransomware threats. This is a bogus threat, which is meant to resemble a file-locking Trojan, but in fact, has nothing to do with genuine ransomware threats. Most data-encrypting Trojans would sneak into your system, scan your files, encrypt them, and then extort you. Sometimes, less competent ill-minded actors fail to add a functioning encryption module. However, in the case of the Axzyte Ransomware, its creators have not attempted to add such a feature at all.

What is the Main Goal of Ransomware Developers

Usually, the cyber crooks who build ransomware threats have only one thing in mind as an end goal – cash. This is not the case with the Axzyte Ransomware. The creators of the Axzyte Ransomware are not in it for cash but for fame. In their ransom message, they...

Posted on September 27, 2019 in Ransomware

Kronos Ransomware

Recently, cybersecurity researchers have spotted a new ransomware threat. This brand-new file-locking Trojan is named Kronos Ransomware. After looking into it deeper, malware experts found striking similarities between this project and the already known Zeropadypt Ransomware. This made the researchers believe that it is likely the same actors are responsible for both data-encrypting Trojans. However, they have not yet been able to crack either one of them, so there are no free, publicly available decryption tools yet. If you have become a victim of the Kronos Ransomware, we encourage you to keep checking daily for a decryption tool.

The Distribution of the Kronos Ransomware

Researchers are not aware of the exact propagation methods employed in the spreading of the Kronos Ransomware. Some speculate that the...

Posted on September 27, 2019 in Ransomware

Li Ransomware

Malware experts have located a new file-encrypting Trojan. It is called the Li Ransomware, but it is also known under another name – Scarab-Li Ransomware. Like most ransomware threats, if the Li Ransomware manages to infiltrate your system, it will scan your files, encrypt them, and then ask you for cash in exchange for a decryption key. The majority of cyber crooks who engage in the creation of ransomware threats are not as technically capable as most regular users tend to believe they are. Most file-locking Trojans are not unique projects but rather variants of another. This is the case with the Li Ransomware too. This ransomware threat is based on the wildly popular Scarab Ransomware. This infamous threat caused a lot of trouble in 2018, as it was one of the most popular and widely spread ransomware families. The Propagation...

Posted on September 27, 2019 in Ransomware

LonleyCrypt Ransomware

There is a growing number of shady actors who take up creating ransomware threats. Some are highly-skilled individuals who build malware from the ground up, while others simply borrow readily available code and alter it to meet their needs.

The Distribution Method

Among the newest spotted ransomware threats is the LonleyCrypt Ransomware. After uncovering and studying this data-locking Trojan, cybersecurity experts speculate that this is likely a project in progress. It is likely that the authors of the LonleyCrypt Ransomware may use spam email campaigns to propagate this threat. Once it has infiltrated your computer, the LonleyCrypt Ransomware will locate all the files of interest by performing a brief scan. Next, the LonleyCrypt Ransomware will trigger the encryption process. All the files, which have undergone the encryption...

Posted on September 26, 2019 in Ransomware

Shade8 Ransomware

The cyber crooks' interest in ransomware threats is ever-growing. While some very capable individuals have no issues building file-locking Trojans from scratch, others tend to use already available code. This is the case with the newly uncovered Shade8 Ransomware.

The Encryption Process

After spotting this new data-encrypting Trojan, malware experts concluded that this is a variant of the popular HiddenTear Ransomware. The good news is that, since the cybercriminals behind the Shade8 Ransomware have used the open-source builder toolkit of the HiddenTear Ransomware and have barely bothered changing the code, this threat is decryptable. If the Shade8 Ransomware manages to compromise your system, it will scan your files. Once the files it is looking for are located, the Shade8 Ransomware will begin the...

Posted on September 26, 2019 in Ransomware

Pack14 Ransomware

Ransomware threats are very popular in the world of cybercrime. Usually, the attack is carried out in a similar manner – the threat infiltrates a system, locks down all the targeted files, and then drops a ransom note informing the users that if they want to decrypt their data, there must be a payment.

The Propagation Method

The recently spotted Pack14 Ransomware does not stray from this well-trodden path. Malware researchers have not been able to tell what exact methods are applied in the propagation of the Pack14 Ransomware. Some believe that the creators of this file-encrypting Trojan may be using pirated fake copies of popular software tools, mass spam email campaigns, and bogus application updates to spread the Pack14 Ransomware. A scan will be executed as soon as the Pack14 Ransomware worms its way into a user's system. After...

Posted on September 26, 2019 in Ransomware

M3gac0rtx Ransomware

Nobody is safe when it comes to ransomware threats. Some authors of file-locking Trojans target government bodies and large corporations and sometimes manage to extract huge sums of money from them. However, other, usually smaller actors do not shy away from targeting regular users.

The Distribution Method

More and more cyber crooks take up creating and spreading ransomware, and malware researchers are struggling to keep up. One of the most recently spotted threats of this type is the M3gac0rtx Ransomware. Once cybersecurity experts looked into this file-locking Trojan, they found out that this is a variant of the infamous MegaCortex Ransomware. It is likely that the attackers rely upon emails containing macro-laced attachments to propagate the M3gac0rtx Ransomware. Upon infiltrating a PC, the M3gac0rtx Ransomware will scan it to...

Posted on September 26, 2019 in Ransomware

Domen

Social engineering kits are nothing new in the world of malware, with yet another tool entering the field with Domen. The basic idea behind this kind of threat is compromising a website, most often WordPress, then using it to display overlays loaded with an iframe on the screen. The overlay asks visitors to install an update, something which downloads the NetSupport RAT (remote access trojan or remote administration tool). It is similar to other threats like the Fake Updates campaign that popped up around April of 2018. The campaign also bears some similarities to the EITest and the HoeflerText social engineering scheme used in 2017, when the malware payload was an ad fraud malware – Fleercivet. That malware was later seen spreading the Spora malware. The difference between those and the new campaign is mostly in complexity and the...

Posted on September 25, 2019 in Malware

Moose Botnet

Botnets are rarely harmless, and their activity often ends up being problematic either to the owner of the infected device or to the target designated by the botnet's operators. For example, the Mirai Botnet was used to launch very large-scale DDoS (distributed-denial-of-service) attacks that took websites and company networks offline, causing millions of dollars in losses. In other cases, botnets are used to mine for cryptocurrency, and all profits are sent to the wallets of the attacker. However, there appears to be an alternative strategy where a botnet can make money for its operators without causing direct harm to anyone. The authors of the Moose Botnet have done just that by using the devices they infect to set up fake social media profiles that have the sole purpose of generating fake follows, subscriptions and likes. The...

Posted on September 25, 2019 in Botnets

CXK-NMSL Ransomware

The CXK-NMSL Ransomware is a file-locker that is likely to target Chinese users predominantly. The ransom note that it delivers is in Chinese, and there is no translation included – it is highly improbable that it will be distributed to other regions in its current state. Despite focusing on just one specific region, the CXK-NMSL Ransomware is a threat that should not be underestimated since it has the ability to cause long-lasting damage to your files. Just like many other file-encryption Trojans, this one also strives to encrypt as many files as possible, rendering their contents unusable. After the CXK-NMSL Ransomware encrypts a file, it will apply a change to its name and mark it with the '.cxk_nmsl' extension.

The Authors of the CXK-NMSL Ransomware Want to be Paid via the Bilibili Platform

Of course, the CXK-NMSL Ransomware will...

Posted on September 25, 2019 in Ransomware

'The system is badly damaged, virus found (4)!' Pop-Ups

Online tactics have been around ever since the Internet became accessible to most households, and it appears that this fraudulent business is still profitable since security researchers continue to encounter new tactics that fraudsters use to get money from their victims. One of the recent examples is the 'The system is badly damaged, virus found (4)!' pop-ups, a series of Web browser messages that supply users with fake security information on purpose. The pop-ups state that the computer has been attacked by hackers or malware, and the user's payment details and personal information may be leaked to evil-minded individuals. Thankfully, these statements are fake, and they should not be trusted for a single second – Web browser pop-ups, notifications, and alerts are never a trustworthy source of info regarding the state of your system....

Posted on September 25, 2019 in Adware

'Panda' Cryptojacking

Cybercriminals love working with cryptocurrency, especially when they get their hands on it in illicit ways. It is a widely known fact that practically all ransomware authors use some cryptocurrency to collect ransom payments – their usual choice is Bitcoin, but there have been cases in which victims were offered to pay via Ethereum, Monero or Litecoin. Another shady thing that cybercriminals do to fill their cryptocurrency wallets is to plant silent cryptocurrency miners on computers they have illicit access to – this way they can harvest the computer's processing power to mine for a cryptocurrency like Monero. This is the exact scheme used by Panda, a group of cybercriminals whose name is linked to large crypto-jacking campaigns such as MassMiner. The Panda group uses a wide range of tools to gain access to the compromised host, and...

Posted on September 25, 2019 in Malware

LokiStealer

LokiStealer is a password and cryptocurrency collector and also can be used as a loader. LokiStealer is written in C++ and can infect Linux and Windows XP and Vista computers. LokiStealer has a feature that allows it to check the wallet of its victim and collect browser, email and poker client passwords. By checking the victim's wallet, LokiStealer can uncover its balance and transactions and check if it is locked, in which case it will need to use brute force to hack it and retrieve cryptocurrency. LokiStealer can delete a processed wallet, back it up and update it. LokiStealer hides its content so that its victims will not be aware of its presence. It is not difficult to see why LokiStealer should be detected and removed from an infected computer, the sooner, the better. Luckily, by using an updated and efficient anti-malware product, the victims...

Posted on September 24, 2019 in Stealers

Dtrack RAT

The Lazarus group is a very active and famous name in cybercrime at the moment. They were the hackers behind the infamous WannaCry Ransomware attacks, the hack against Sony Entertainment, and many other attacks against high-profile targets. One of the recent tools believed to originate from the computers of the Lazarus Advanced Persistent Threat group is Dtrack RAT, a Remote Access Trojan that allows its operators to take almost complete control over infected computers. It is believed that the Dtrack RAT is related to ATMDtrack, a piece of ATM malware that was found on the computers of Indian banks in 2018. Both tools are developed and used by the Lazarus APT group, and it is likely that the ATMDtrack is a stripped-down version of the Dtrack RAT.

The Dtrack RAT's Code can Reside in the Memory of a System Process

The hackers from...

Posted on September 24, 2019 in Remote Administration Tools