New Ransomware now Accepting Gift Cards

Ever wondered how an Amazon gift card could be used to pay a ransom? Thanks to wily cyber criminals, it now can. According to the latest research by eScan, a new file-encrypting program named TrueCrypter has been discovered, which attackers use to extort money from users.

What is TrueCrypter Ransomware?

It is ransomware that prevents users from accessing their personal documents, zip archives and a host of other files. Victims cannot access their files without a private key, which is held by the malware author; to obtain the key, the victim has to pay a ransom to the cyber-criminal in a virtual currency such as Bitcoin.

So how does it work?

The malware enters the user’s system through a spam e-mail attachment. It can also be distributed through malicious websites, third-party software downloads, etc. First, it checks whether its process is running under Sandboxie, a sandbox-based isolation program for 32- and 64-bit Windows NT-based operating systems; if Sandboxie is present, it terminates its process and does not continue. In addition, it kills the Task Manager process (taskmgr.exe) and other security programs. Next, it proceeds to encryption. TrueCrypter uses AES-256 encryption and targets files with the following extensions: .xlsx, .docx, .jpeg and .pptx. During encryption, Shadow Volume copies are deleted, and the victim’s wallpaper is replaced with an image containing a message stating that the files are encrypted and that the victim must pay 2-5 Bitcoins or $115 USD in Amazon gift cards.
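Two of the behaviours above, killing Task Manager and deleting shadow copies, are visible in process-creation telemetry before the wallpaper ever changes. The following detection logic is an added example, not eScan code: the log lines are constructed, and the exact command lines it matches (vssadmin, wmic, taskkill) are an assumption, since the post only names the outcome, not the method.

```python
import re

# Constructed process-creation log lines (not real telemetry) in a simple
# "timestamp|parent_image|image|command_line" format.
SAMPLE_LOG = """\
2016-04-20T10:01:03|explorer.exe|winword.exe|"winword.exe" invoice.docx
2016-04-20T10:01:09|winword.exe|invoice.exe|invoice.exe
2016-04-20T10:01:10|invoice.exe|taskkill.exe|taskkill /F /IM taskmgr.exe
2016-04-20T10:01:11|invoice.exe|vssadmin.exe|vssadmin delete shadows /all /quiet
2016-04-20T10:02:00|explorer.exe|notepad.exe|notepad.exe notes.txt
"""

# The post says TrueCrypter kills taskmgr.exe and deletes shadow copies but not
# how; the command lines below are the usual ways that shows up in process logs
# and are an assumption, not behaviour taken from the post.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
        re.IGNORECASE),
    "task_manager_kill": re.compile(
        r"\btaskkill(\.exe)?\b.*\btaskmgr\.exe\b", re.IGNORECASE),
}

def detect(log_text):
    """Return one (rule, timestamp, parent_image, command_line) tuple per match."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        timestamp, parent, _image, cmdline = parts
        for rule, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.append((rule, timestamp, parent, cmdline))
    return hits

def suspicious_parents(hits):
    """Parents that triggered more than one distinct rule. One process both
    killing Task Manager and wiping shadow copies is the ransomware pattern;
    a lone vssadmin call may just be an admin cleaning up old snapshots."""
    rules_by_parent = {}
    for rule, _ts, parent, _cmd in hits:
        rules_by_parent.setdefault(parent, set()).add(rule)
    return sorted(p for p, rules in rules_by_parent.items() if len(rules) > 1)

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("suspicious parents:", suspicious_parents(found))
```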

What should you do?

If you are using an anti-virus other than eScan, we advise you to use the eScan Rescue Disk, which provides a Windows-based clean environment that not only scans and cleans the system but also repairs Windows registry changes made by destructive malware such as TrueCrypter. To know more about eScan Rescue Disk, click: http://bit.ly/1QZVKfc. We also recommend keeping your antivirus software (eScan) updated, which will protect your system from all kinds of malware attacks, and maintaining backups of your data on a regular basis.


Petya Ransomware Attacks your Hard Drive

This year should be declared the year of ransomware! Cyber-criminals keep coming up with new families and new versions of it, making life miserable for the victims of their extortion campaigns. In our threat predictions for 2016, we predicted that ransomware would be a major threat this year. Little did we know that ransomware would target the Master Boot Record. We have witnessed ransomware locking desktops, encrypting files, web servers, shared drives and backups, and targeting various operating systems.

According to the latest research by eScan, a new ransomware variant named Petya (Trojan.Ransom.Petya.C) has been found targeting human resources departments in German companies. The malware replaces the Master Boot Record (MBR), encrypts the Master File Table on the infected Windows computer’s hard drive and demands 9 Bitcoin in return for the decryption key.

How does Petya enter the system?

It is typically transmitted through spam emails targeting business users and pretending to contain job applications. For instance, HR personnel receive a Dropbox link to a file that pretends to be the resume of a candidate seeking a position in the company. Clicking the file leads to installation of the ransomware. The malware replaces the boot drive’s Master Boot Record (MBR) with a malicious loader. The MBR is the first sector of a hard disk and tells the computer how to boot the operating system. The malicious loader prevents the computer from loading the OS correctly, disables booting into Safe Mode and forces Windows to reboot. To carry out its work, the ransomware displays a phony check-disk (CHKDSK) operation; during this process, the malware encrypts the Master File Table. The Master File Table (MFT) is a database in which information about every file and directory on an NTFS volume is stored. Once the MFT is encrypted, the system does not know where files are located, or whether they even exist, because the table is inaccessible. After the MFT has been successfully encrypted, the ransomware displays a ransom message instructing the victim to connect to a Tor site and pay 9 Bitcoin. The cyber crooks intentionally choose Tor to maintain anonymity.
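Because the MBR is a single 512-byte sector, a defender can baseline it on a known-good machine and re-check it for the replacement described above. The script below is an added example, not eScan code; the sectors it checks are constructed stand-ins, and the hash baseline is assumed to have been recorded while the machine was clean.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # the last two bytes of every valid MBR

def parse_mbr(sector):
    """Split a 512-byte MBR into boot-code hash, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, num_sectors = struct.unpack("<II", entry[8:16])
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": num_sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions,
            "valid_signature": sector[510:512] == BOOT_SIGNATURE}

def check_mbr(sector, baseline_sha256):
    """Return findings; an empty list means the MBR still matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline: possible MBR replacement")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings

def make_sector(boot_code):
    """Constructed MBR with one bootable NTFS (type 0x07) partition at LBA 2048."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    return boot_code.ljust(446, b"\x00") + entry + b"\x00" * 48 + BOOT_SIGNATURE

# Stand-ins for real sectors. On a live system the baseline hash would be taken
# from the first 512 bytes of the boot disk while the machine is known-good.
CLEAN = make_sector(b"\xfa\x33\xc0\x8e\xd0")         # normal-looking boot code
BASELINE = parse_mbr(CLEAN)["boot_code_sha256"]
TAMPERED = make_sector(b"\xeb\xfe" + b"\x90" * 200)  # a different loader in place

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN, BASELINE))
    print("tampered:", check_mbr(TAMPERED, BASELINE))
```

Reading the real sector needs administrator rights on the raw disk device, and this check only catches the MBR swap; once the fake CHKDSK has run, the MFT is already encrypted, so the comparison is worth doing from a clean boot medium before rebooting a suspect machine.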

What makes this ransomware unique?

Typical ransomware encrypts files of certain types, such as pictures and office documents. The OS is left untouched because the cyber-crook expects the victim to use the PC to make the ransom payment. In this case, however, access to the whole hard drive is blocked.

How to safeguard?

  • Update your antivirus software (eScan) on a regular basis, which will protect your system from all kinds of malware attacks.
  • Ensure that all software installed on your system is updated frequently, including Oracle Java and Adobe products.
  • Implement a three-dimensional security policy in your organisation: first, understand your requirements and prepare the IT security policy accordingly; second, educate your staff about the policy; and finally, enforce it.
  • Make sure you either implement MailScan at the gateway level or enable Mail Anti-virus on the endpoint in order to block extensions such as *.EXE, *.SCR, *.JS, *.VBE etc. Such attachments would infect your system.
  • Open emails only if you are positive about the source.
  • Regularly back up your important files.
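The gateway rule in the list above has to cope with the lures this post describes: a "resume" whose real extension is hidden behind a double extension or upper-case letters. The filter below is an added example written in plain Python, not MailScan’s own logic; the message is constructed, and the script extensions beyond the four the post names are an assumption.

```python
from email import message_from_bytes
from email.message import EmailMessage

# Extensions the post recommends blocking at the gateway (*.EXE, *.SCR, *.JS,
# *.VBE). The extra script types are an assumption added for completeness.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbe", "vbs", "jse", "wsf", "bat", "cmd", "pif"}

def attachment_extension(filename):
    """Normalise the extension: lower-case, ignoring trailing spaces or dots
    that are sometimes appended so a naive check sees no extension at all."""
    cleaned = filename.strip().rstrip(". ").lower()
    return cleaned.rsplit(".", 1)[1] if "." in cleaned else ""

def blocked_attachments(raw_message):
    """Return the filenames of attachments the gateway should refuse."""
    msg = message_from_bytes(raw_message)
    blocked = []
    for part in msg.walk():
        name = part.get_filename()
        if name and attachment_extension(name) in BLOCKED_EXTENSIONS:
            blocked.append(name)
    return blocked

def build_sample():
    """Constructed 'job application' mail of the kind the post describes."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"
    msg["To"] = "hr@example.invalid"
    msg["Subject"] = "Application for the open position"
    msg.set_content("Dear HR team, please find my resume attached.")
    # Double extension: the real type is .EXE, upper-cased to slip past a
    # case-sensitive filter. The bytes are placeholders, not a real program.
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename="Resume.pdf.EXE")
    msg.add_attachment(b"PK-placeholder", maintype="application",
                       subtype="octet-stream", filename="cover_letter.docx")
    msg.add_attachment(b"js-placeholder", maintype="application",
                       subtype="octet-stream", filename="portfolio.js")
    return msg.as_bytes()

if __name__ == "__main__":
    print(blocked_attachments(build_sample()))
```

Extension filtering is a first line only: a .docx carrying a macro, or an archive wrapping an executable, passes this check and still needs the anti-virus scan the list calls for.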

Mandiant Virus: the Adversities and Dangers

We have found a lot of questions online regarding the Mandiant virus. Keeping those in mind, we thought of enlightening our readers and users regarding the same.

What is Mandiant Virus?

It is ransomware belonging to the Urausy family, which locks the victim’s computer and demands a $300 fine for allegedly violating several laws through their online activity. The payment is presented as a fine for breaking cyber laws, and such transactions are generally non-reversible and hard to trace.

How does it work?

The Mandiant virus is transmitted through spam carrying a “shipment notification of delivery” attachment, designed to lure users who instinctively open it, or through compromised websites the user browses. With the help of an exploit kit, the malware takes advantage of vulnerabilities in the system and installs itself without the user’s knowledge. Once the system is infected, the ransomware displays a localised web page that covers the whole desktop and demands payment for allegedly keeping illegal material. An alert message is shown on the screen demanding that the ransom amount be paid.

What should you do?

If you are using an anti-virus other than eScan, we advise you to use Rescue Disk. Rescue Disk provides a Windows-based clean environment that not only scans and cleans the system but also repairs Windows registry changes made by destructive viruses such as Mandiant. To know more about Rescue Disk, click: http://bit.ly/1QZVKfc. Users can also make use of the free toolkit offered by eScan, which checks the system registry and cleans viruses, spyware, adware and any other malware that may have infected the system. To download the MWAV toolkit, click: http://bit.ly/1UihRQo.

Alternatively, use eScan antivirus, which protects your system from all kinds of malware attacks.

The First OS X Ransomware Appears

eScan’s threat predictions for 2016 proved to be correct! As we stated, “Ransomware creators would be looking to target new operating systems such as Mac”, and now a new ransomware known as KeRanger (Trojan.MAC.KeRangerRansom.A) has been detected on Mac OS X by eScan researchers. The ransomware was distributed through the popular BitTorrent client Transmission, to OS X users who downloaded Transmission on March 4 and March 5, 2016.

How does the Trojan work?

According to the eScan research team, Windows ransomware usually enters the system as a Word file attached to an e-mail. In this case, however, the cyber-criminals compromised the popular BitTorrent client, created a fake version 2.90 and published it on Transmission’s official website. Infected Transmission installers include an extra file, General.rtf, which is named like an ordinary document but is actually a Mach-O format executable. Mach-O is the file format for executables, object code and shared libraries on OS X and other Mach-kernel systems. The file runs because the KeRanger application was signed with a valid Mac app development certificate, so it could bypass Apple’s Gatekeeper protection. It then modifies kernel entries, after which it encrypts files with a wide range of extensions such as *.zip, *.doc, *.jpg, *.mp3, *.db etc., including files found in the user’s directory and its sub-directories. The malware connects to its CnC server through the Tor anonymiser network and downloads the payload, after which it displays a ransom note demanding that victims pay one bitcoin to retrieve their files.
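The General.rtf trick above is a file-type mismatch: the name says document, the first bytes say Mach-O. The checker below is an added example, not eScan code; the bundle contents are constructed, and the Mach-O magic values come from Apple’s mach-o headers.

```python
import struct

# Magic numbers from <mach-o/loader.h> and <mach-o/fat.h>: 32-bit, 64-bit and
# fat (universal) binaries. Java class files also start with 0xCAFEBABE, which
# is handled below.
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE

def is_macho(data):
    """True if the bytes begin with a Mach-O header in either byte order."""
    if len(data) < 8:
        return False
    big, = struct.unpack(">I", data[:4])
    little, = struct.unpack("<I", data[:4])
    if big in (MH_MAGIC, MH_MAGIC_64) or little in (MH_MAGIC, MH_MAGIC_64):
        return True
    if big == FAT_MAGIC:
        # Fat headers are big-endian and nfat_arch is tiny, whereas a Java
        # class file carries minor/major version here (major >= 45). Heuristic.
        nfat_arch, = struct.unpack(">I", data[4:8])
        return 0 < nfat_arch < 30
    return False

DOCUMENT_EXTENSIONS = {"rtf", "txt", "doc", "docx", "pdf", "jpg", "png"}

def mismatched_files(files):
    """Given {name: leading bytes}, return names that claim to be documents
    but are really Mach-O executables, as General.rtf was in this case."""
    flagged = []
    for name, data in files.items():
        ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
        if ext in DOCUMENT_EXTENSIONS and is_macho(data):
            flagged.append(name)
    return sorted(flagged)

# Constructed sample contents of an app bundle's Resources directory.
SAMPLE_BUNDLE = {
    "General.rtf": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01" + b"\x00" * 24,  # x86_64 Mach-O
    "License.rtf": b"{\\rtf1\\ansi\\deff0 Transmission License}",       # genuine RTF
    "icon.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "Transmission": b"\xca\xfe\xba\xbe\x00\x00\x00\x02" + b"\x00" * 16,  # fat binary, expected
}

if __name__ == "__main__":
    print(mismatched_files(SAMPLE_BUNDLE))
```

A signed, Gatekeeper-approved bundle still carries such a file, so a content-based check like this one complements the certificate check rather than relying on it.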

If you downloaded the Transmission installer from the official website between March 4 and March 5, 2016, you may have been infected by the malware. eScan advises you to download the updated version 2.92 of Transmission and follow the steps given below:

  • Update your eScan antivirus on a regular basis, which will protect your system from all kinds of malware attacks.
  • Regularly back up your important files.
  • Ensure your operating system and other installed software are up to date.
  • Open emails only if you are positive about the source.
