" ransomware "


Ransomware on the Rise – PandaLabs Quarterly Report

In the second quarter of 2015 an average of 230 000 new malware samples were created every day, 21 million in total from April to June. This is a 43% increase over the second quarter of 2014.

Trojans continue to be the most common type of malware and the main source of infection, accounting for 76.25% of infections. This quarter also saw a proliferation of PUPs (Potentially Unwanted Programs), which accounted for 14.39% of infections.

Ransomware has increased dramatically over the last few months. What users often fail to realise is that these attacks will keep growing for as long as companies and consumers keep paying the ransom, because every payment funds the next campaign. Paying should be a last resort.



New Android Ransomware Changes Lock Screen PIN

Dubbed Android/Lockerpin.A, the new trojan tricks users into granting it device administrator privileges. It does this by drawing a fake patch-installation window over the system's device-administrator activation prompt, so when the victim taps Continue they are actually approving the administrator rights that let the app change Android settings. Lockerpin then sets or resets the PIN that unlocks the screen lock, effectively forcing the user to perform a factory reset to regain control of the device. Earlier forms of Android ransomware, by contrast, could usually be removed by booting the infected device into safe mode, deactivating the app's administrator privileges and then uninstalling it.



Human Resource Departments a Target for Ransomware

Physically handing in a CV for a prospective job is fast becoming obsolete. Digital correspondence has simplified contact between people, and applicants now send their CVs to companies as e-mail attachments.

In recent attacks cyber-criminals send malicious attachments disguised as CVs. When the recipient opens the attachment, the malware installs itself on the victim's computer, encrypts the data on the PC and on any network shares it can reach, and then demands a ransom in return for the decryption key. This type of attack is known as ransomware.
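The following is an added worked example, not code from the original article or from Panda Security, showing how an HR mailbox or mail gateway can screen incoming "CV" attachments before anyone opens them. The two disguises it checks for (a document extension hidden behind an executable one, and a document-named file whose bytes are actually a Windows executable) and the three sample files it constructs are assumptions made for illustration; the article does not describe how the attachments are disguised.

```powershell
# Added example (not from the original article): flag "CV" attachments whose
# name or content does not match the document they claim to be. The disguise
# patterns and the sample files below are assumptions for illustration.

$DocumentExtensions   = '.pdf', '.doc', '.docx', '.rtf', '.odt'
$ExecutableExtensions = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.jse', '.vbs', '.wsf'

function Test-SuspiciousCvAttachment {
    param([Parameter(Mandatory)] [string]$Path)

    $name  = [IO.Path]::GetFileName($Path).ToLowerInvariant()
    $parts = $name.Split('.')
    $finalExt = if ($parts.Count -gt 1) { '.' + $parts[-1] } else { '' }
    $innerExt = if ($parts.Count -gt 2) { '.' + $parts[-2] } else { '' }

    $reasons = @()
    if ($ExecutableExtensions -contains $finalExt) {
        $reasons += "executable extension $finalExt"
        if ($DocumentExtensions -contains $innerExt) {
            $reasons += "document extension $innerExt hidden in front of it"
        }
    }

    # Read only the first four bytes: Windows executables start with 'MZ', PDFs with '%PDF'
    $header = New-Object byte[] 4
    $stream = [IO.File]::OpenRead($Path)
    try   { $read = $stream.Read($header, 0, 4) } finally { $stream.Close() }

    $isMZ  = $read -ge 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A
    $isPDF = $read -ge 4 -and $header[0] -eq 0x25 -and $header[1] -eq 0x50 -and
             $header[2] -eq 0x44 -and $header[3] -eq 0x46

    if ($isMZ -and $DocumentExtensions -contains $finalExt) {
        $reasons += "content is a Windows executable (MZ header) despite $finalExt extension"
    }
    if ($finalExt -eq '.pdf' -and -not $isPDF -and -not $isMZ) {
        $reasons += "named .pdf but does not start with %PDF"
    }

    [pscustomobject]@{
        Name       = [IO.Path]::GetFileName($Path)
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample attachments (not real malware): a 4-byte MZ stub and a PDF header
$sample = Join-Path $env:TEMP 'cv_attachments'
New-Item -ItemType Directory -Force -Path $sample | Out-Null
$mzStub = [byte[]](0x4D, 0x5A, 0x90, 0x00)
$pdfHdr = [Text.Encoding]::ASCII.GetBytes('%PDF-1.4')
[IO.File]::WriteAllBytes((Join-Path $sample 'Jane_Doe_CV.pdf.exe'), $mzStub)   # double extension
[IO.File]::WriteAllBytes((Join-Path $sample 'Resume_J_Smith.docx'),  $mzStub)   # executable with a document name
[IO.File]::WriteAllBytes((Join-Path $sample 'CV_Alice.pdf'),         $pdfHdr)   # looks like a genuine PDF

Get-ChildItem -Path $sample -File |
    ForEach-Object { Test-SuspiciousCvAttachment -Path $_.FullName } |
    Format-Table -AutoSize
```

Run as written, the first two sample files are reported as suspicious with their reasons and the third passes. The header check matters more than the extension check: Windows hides known extensions by default, so "Jane_Doe_CV.pdf.exe" is shown to the recipient as "Jane_Doe_CV.pdf", and a real file type cannot be forged without changing the bytes the check reads.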



Cyber Police Virus Strikes Again

The Cyber Police Virus is malware that attacks Android devices. It was designed by cyber criminals who target the phone market to extract money from unwary users with counterfeit fines and violation notices. The virus locks the user's phone and displays a fake fine on the screen, demanding that a fee be paid. Although it does not encrypt data as PC ransomware does, the message stays on the screen and the virus is difficult to remove. This Trojan targets users in 31 countries around the world, 23 of them European, and is one of many new malware samples attacking Android devices. It is further evidence that mobile devices can no longer be considered "safe" and that users should be looking at protection for all their devices.



The Latest on Ransomware: CTB-Locker

Ransomware is malware that limits access to data on a device and demands that a ransom be paid to its operators. Some forms encrypt the files on the system's hard drive; others simply lock the system and display messages intended to persuade the user to pay.

In the past week there have been several cases of the ransomware CTB-Locker, also known as Critroni. It generally spreads as an e-mail attachment and is released in waves; the most recent cases occurred on 18, 19 and 20 January 2015.

CTB-Locker runs when the user opens the attachment. It encrypts common file types such as Excel and Word documents and image files such as JPEGs, then displays a message stating that the data has been encrypted and that a ransom must be paid.

Encrypted files are unlikely to be recoverable without the key. In some cases users can retrieve earlier versions through Volume Shadow Copy, but the most reliable means of recovery is to back up data regularly and restore the most recent backup.

CTB-Locker does not always delete the Volume Shadow Copy Service (VSS) snapshots, so on Windows Vista or later it may be possible to retrieve pre-infection copies of the affected files.

In this case, it is necessary to follow the steps below:

  1. Download and install the following software: http://www.shadowexplorer.com/downloads.html
  2. Once installed, browse to the location of the affected files.
  3. Select a date prior to the infection.
  4. Select the affected file or folder and choose the option "Export".
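The same recovery can be done with tools already on the machine, which is useful when installing anything on an infected system is undesirable. The script below is an added example, not code from the article or from ShadowExplorer: it lists the shadow copies that survived on a drive, picks the newest one taken before the infection, exposes it through a directory symlink and copies one file out. It assumes an elevated PowerShell 3.0 or later session (for Get-CimInstance); the drive letter, file path, date and destination in the usage lines are placeholders.

```powershell
# Added example (not from the original article or ShadowExplorer): recover a file
# from a Volume Shadow Copy that the ransomware left behind. Run elevated on
# Windows Vista or later with PowerShell 3.0+.

function Get-SurvivingShadowCopies {
    param([string]$DriveLetter = 'C:')

    # Win32_ShadowCopy reports the volume as \\?\Volume{GUID}\, so map the drive letter first
    $volume = Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $volume) { throw "No volume mounted at $DriveLetter" }

    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object InstallDate -Descending |
        Select-Object ID, InstallDate, DeviceObject
}

function Restore-FileFromShadowCopy {
    param(
        [Parameter(Mandatory)] [string]$DriveLetter,       # e.g. 'C:'
        [Parameter(Mandatory)] [string]$RelativePath,      # e.g. 'Users\alice\Documents\budget.xlsx'
        [Parameter(Mandatory)] [datetime]$InfectedAfter,   # earliest time the ransomware could have run
        [Parameter(Mandatory)] [string]$Destination        # where to write the recovered copy
    )

    # Newest snapshot that predates the infection; older ones lose more recent edits
    $snapshot = Get-SurvivingShadowCopies -DriveLetter $DriveLetter |
        Where-Object { $_.InstallDate -lt $InfectedAfter } |
        Select-Object -First 1
    if (-not $snapshot) {
        throw "No shadow copy of $DriveLetter predates $InfectedAfter; restore from backup instead"
    }

    # A snapshot's device object is only reachable through a directory symlink whose
    # target ends in a backslash; mklink accepts that path form.
    $link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
    cmd.exe /c "mklink /d `"$link`" `"$($snapshot.DeviceObject)\`"" | Out-Null
    try {
        $source = Join-Path $link $RelativePath
        if (-not (Test-Path -LiteralPath $source)) {
            throw "$RelativePath is not present in the snapshot taken $($snapshot.InstallDate)"
        }
        Copy-Item -LiteralPath $source -Destination $Destination -Force
        Get-Item -LiteralPath $Destination
    } finally {
        # rmdir removes the link itself, not the snapshot it points to
        cmd.exe /c "rmdir `"$link`"" | Out-Null
    }
}

# Usage (placeholders):
# Get-SurvivingShadowCopies -DriveLetter 'C:'
# Restore-FileFromShadowCopy -DriveLetter 'C:' `
#     -RelativePath 'Users\alice\Documents\budget.xlsx' `
#     -InfectedAfter '2015-01-18 00:00' -Destination 'D:\recovered\budget.xlsx'
```

Run Get-SurvivingShadowCopies first: if it returns nothing for the drive, the snapshots were deleted and only a backup will help. Copy recovered files to a clean drive rather than back over the encrypted originals, and do not treat the snapshot as a cleanup: it can contain the dropper that was present at snapshot time, so the system still needs to be disinfected.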


Fake antivirus now hijacks, blocks computers

Panda Security's anti-malware laboratory has identified a new, more aggressive trend in selling fake antivirus programs, or rogueware. Until now, when a computer was infected by this type of malware, users would typically see a series of warnings prompting them to buy the paid version of the program. Now these techniques are being combined with ransomware, hijacking the computer and rendering it useless until the victim completes the purchase.

“The way this rogueware operates presents a dual risk: firstly, users are tricked into paying money simply in order to use their computers; and secondly, these same users may believe that they have a genuine antivirus installed on the computer, thereby leaving the system unprotected,” explains Jeremy Matthews, head of Panda’s sub-Saharan operations.

Once a computer is infected, any attempt by the user to run a program or open a document is blocked. The computer's only response is a message falsely informing the victim that all files are infected and that the only solution is to buy the fake antivirus.

This fake program, called Total Security 2009, is offered for €79.95 (almost R600), with "premium" tech support offered for a further €19.95 (about R150). Users who pay receive a serial number which, when entered in the application, releases all files and executables so they can work normally and recover their information. The fake antivirus, however, remains on the system.

“Users are often infected unknowingly – in most cases, through visiting hacked websites, and once a computer is infected it is extremely difficult to eliminate the threat, even for those with a certain degree of technical knowledge,” says Matthews. “Users are also prevented from using any type of detection or disinfection tool, as all programs are blocked. The only application that can be used is the Internet browser, conveniently allowing the victim to pay for the fake antivirus.”

For this reason, Panda has published on the PandaLabs blog the serial numbers needed to unblock a hijacked computer. Users can then install genuine security software to scan the computer in depth and eliminate all traces of the fake antivirus.

PandaLabs recently published a report on the lucrative business of rogueware. The shift towards hijacking computers indicates either that users are becoming more adept at recognising these threats or that security companies are beginning to close the net; either would explain why the criminals are resorting to more aggressive methods to force victims to pay. The PandaLabs report is available here.

The serial numbers and a video demonstrating how this scam operates are available on the PandaLabs blog.