Petya Ransomware Attacks your Hard Drive

This year should be declared as year of Ransomware! Cyber-criminals come up with new families and new versions of it, resulting in making life miserable for victims of their extortion campaigns. In our threat predictions for 2016, we had predicted that Ransomware will be a major threat in this year. Little we did know that Ransomware would target Master Boot Record. We have witnessed Ransomware locking desktop, encrypting files, Web servers, shared drives and backups and targeting various operating systems.

According to the latest research of eScan, a new variant of Ransomware named Petya (Trojan.Ransom.Petya.C) has been found targeting human resources in German companies, the Malware replaces Master Boot Record (MBR) and encrypts the Master File Table on an infected Windows computer’s hard drive and demands 9 Bitcoin in return for the decryption key.

How does Petya enter the system?

It is typically transmitted through spam emails targeting business users pretending to contain job applications. For instance, HR personnel receiving a Dropbox link to a file, which pretends to be resume of a candidate, who is seeking a position in the company. Clicking the file leads to installation of Ransomware. The Malware replaces boot drive’s Master Boot Record (MBR) with a malicious loader. MBR is the first sector of any hard disk which tells computer how it should boot the operating system. The Malicious loader will prevent the computer loading the OS correctly and disables booting up in Safe Mode and it will force Windows to reboot. In order to execute the Ransomware, it will display a phony checkdisk (CHKDSK) operation. During this process, the Malware will encrypt master file table. Master File table (MFT) is a database in which information about every file and directory on an NTFS volume is stored. Once MFT is encrypted, the system does not know where files are located, or if they even exist, as it is inaccessible. After successful encryption of MFT is carried out, Ransomware displays a ransom message to victim, instructing them to connect to TOR site and pay 9 Bitcoin to make ransom payment. The cyber crooks intentionally choose Tor to maintain anonymity.

What makes this Ransomware is unique?

Typical Ransomware usually encrypts files of certain types like pictures, office documents and so on. The OS is untouched by the Malware as cyber-crook expects the victim to use the pc for ransom payment. However, in this case, it does not happen likewise since access to the whole hard drive is blocked.

How to safeguard?

  • Update your antivirus software (eScan) on regular basis, which will protect your system from all kinds of Malware attacks.
  • Ensure that all software’s installed in your system are updated frequently, including Oracle Java and Adobe.
  • Implement a three dimensional security policy in your organization, i.e. firstly understand your requirement based on which IT Security policy would be prepared accordingly. Secondly, educate your staff about the policy and finally enforce the policy.
  • Make sure you either implement MailScan at gateway level or enable Mail Anti-virus on endpoint in order to block extensions such as *.EXE, *.SCR, *.JS, *.VBE etc. These attachments would infect your system.
  • Open emails only if you are positive about the source.
  • Regularly backup your important files.
Posted in eScan 11, eScan 14, MailScan, Security | Tagged , , , , , , | Leave a comment

Mandiant Virus: the Adversities and Dangers

We have found lot of questions online regarding Mandiant virus. Keeping those in mind, we thought of enlightening our readers and users regarding the same.

What is Mandiant Virus?

It is a Ransomware belonging to the family of Urausy, which locks victim computer and demands to pay $300 fine for allegedly violating several laws through their online activity. It locks the computers and asks the respective owners to pay fines for violating cyber laws during their online activities. These transactions are generally non-reversible and hard to trace.

How does it work?

The Mandiant virus is transmitted through spam with shipment notification of delivery attachment. The purpose of cyber-crook is to lure many innocent users, who instinctively gets inclined towards it or when the user browses compromised websites. The malware with the help of exploit kit takes the advantage of the vulnerabilities of the system and install it without the knowledge of the user. Once the system is affected with this ransomware, the infection displays a localized webpage that curtains the whole desktop and asks for the required payment for keeping illegal material. An alert message is displayed on the computer screen demanding ransom amount to be paid.

What should you do?

If you are using anti-virus other than eScan, we advise you to make use of Rescue Disk. Rescue Disk provides a Windows based clean environment that not only helps to scan and clean the system but also to fix the Windows registry changes done by destructive viruses like Mandiant. To know more about Rescue Disk, click: http://bit.ly/1QZVKfc Users can also make use of free toolkit offered by eScan which checks system registry, cleans Viruses, Spyware, Adware and any other Malware that could have infected your system. To download MWAV toolkit, click: http://bit.ly/1UihRQo.

Alternatively, use eScan antivirus which protects your system from all kinds of Malware attack.

Posted in eScan 11, eScan 14, Security | Tagged , , , , , , , | Leave a comment

New First OS X Ransomware Appears

eScan’s Threat predictions for 2016 proved to be correct! As we stated, “Ransomware creators would be looking to target new operating system such as Mac”, now we can see a new Ransomware known as KeRanger (Trojan.MAC.KeRangerRansom.A) was detected on Mac OS X by eScan researchers. The Ransomware was distributed by popular Bit Torrent client called Transmission for OS X users who downloaded Transmission on March 4 and March 5 2016.

How does the Trojan Work?

According to eScan research team, Windows Ransomware enters the system with word files as attachment. However, in this scenario, the cyber-criminals hacked the most popular Bit Torrent client and created a fake version number 2.90 and published it in Transmissions official website. Infected Transmission installers include an extra file General.rtf, which looks like a regular OX executable file but is actually a Mach-O format executable.Mach-O is a file format for executables, object code, shared libraries for OS X, Mach Kernel systems. The file gets executed because the KeRanger application was signed with a valid Mac app development certificate. As a result it could bypass Apple’s Gatekeeper protection and it changes the entries in Kernel following which it encrypts the files along with wide range of extensions such as *.zip, *.doc, *.jpg, *.mp3, .db etc. and it also encrypts the file found in users directory and its associated sub-directories. The Malware connects to CnC server through Tor anonymiser network and downloads the payload, following which it displays a ransom note demanding victims to pay a bitcoin to retrieve their files.  

If you happen to download Transmission installer from their official website from March 4 to March 5 2016 you might have been infected by the Malware and eScan advises you to download updated version 2.92 of Transmission and follow the steps given below:

  • Update your eScan antivirus on regular basis, which will protect your system from all kinds of Malware attacks.
  • Regularly backup your important files.
  • Ensure your operating system and other software installed are up-to-date.
  • Open emails only if you are positive about the source.

Ransomware2

Posted in eScan 11, eScan 14, Security | Tagged , , , , , | Leave a comment

Stay Away from Money Laundering Scams

Recently there was a sms from an unknown cancer patient who wanted to transfer her funds to help poor people in our country. Who would not love to accept the fund and help the needy? But do you think it is wise decision to accept money from a stranger and help the needy? To know more about the possibilities you need to read this.

Apart from sms, there can be similar emails also which convey somewhat similar message. Are you the person, who got an email from an unknown person about money transferring?

An individual receives an email from a spammer who makes use of eye grabbing subject such as “Your assistance is required”. The spammer states in the email that the recipient

would be offered a large amount of money with one of the reasons given below:

  • Sender introduces himself as a John Doe, a wealthy merchant and is seriously ill. John seeks assistance in distributing his wealth to charity, as he has no relatives.
  • Sender portrays himself as a bank manager, whose customer was late Bob. Since Bob and his wife are no more, the bank manager initially decided to handover the savings account money left by Bob to his relatives, who were reluctant. As a result the bank manager suggested the recipient to be the next kin of the deceased and claim the money.
  • The Spammer claims to be from a genuine lottery organization, who informs the recipient that he has won a large sum of money in a lottery through a computer ballot system.

In order to receive the money, one needs to furnish his confidential details such as name, phone number, bank account number along with a certain amount of fees, which is to be paid. Fees are nothing but processing costs, taxes and other legalities that would be completed by the spammer. Spammer also mentions to recipient that Western Union or MoneyGram as the payment mode for fees.

Do you think after following Spammer’s instructions, the recipient will get the money, which he was assured before? The answer is ‘No’ and he has become a victim of Nigerian 419 Scam.

What is Nigerian 419 Scam?

It is a money transfer scam, which started from Nigeria. The scam is no longer limited to Nigeria, as it has been reported from various parts of the world .The number ‘419’ in the name was derived from the Nigeria Criminal Code, which outlaws the practice.

The attackers use Western Union or MoneyGram because it is fast. International money transfers cannot be cancelled or reversed. And most importantly, the scammer can easily forge his identity and collect the money.

Do you think, the spammer will continue to extort the money from the victim, even   after he pays him the required fees? The answer is ‘Yes’, as the Scammer will continue to ask more money with justifiable reasons to the recipient such as telling him about the amount will be required for import tax, bribing the custom officials .By the time the victim realizes the scam, his account has been drained out.

There are many scams which are quite similar to Nigerian 419 Scam such as Employment Scam, Social Networking Scam to name a few.

Employment Scam

This is intended to target people, who have registered in job searching sites along with their resume. The scammer offers the job seeker a job offer with a lucrative salary along with an Offer Letter, written in a company’s letterhead. The letterhead may belong to an illegitimate company or a legitimate company. The job seeker is asked to deposit a certain amount in the account number provided to him in his email address. After the victim deposits the money, the scammer is nowhere to be seen.

Social Networking Scam

The Scammers also use popular social Networking sites such as LinkedIn, Facebook for money transferring.

EmploymentScamforBlog

How can a user identify such scams?

  • Getting an opportunity to help an unidentified person from a different country, that which involves transfer of money.
  • Asking you to furnish your confidential information such as Name, bank account number.
  • The spammer has a quite long story to tell.
  • Checking the spammer’s email address, URL if provided.
  • The amount mentioned to the recipient by the spammer is quite enormous.
  • The English used by the spammer is awkward.

To avoid being a victim of such scams, users should follow the below steps:

  • Delete suspicious emails, without having any second thoughts.
  • Never provide confidential information such as name, phone number, bank account number over the phone or through email to an unknown person.
  • In the case of the employment scam, user should report the scam details to the legitimate company.
  • In case of social networking scam, user should never accept strangers’ proposals without a proper background check.
Posted in Security | Tagged , , , , , , | 2 Comments