Former Head of a Country as a Brand of Malware?




It is unusual for sure as it so occurred interestingly in the historical backdrop of Ransomware swarming the home systems of the users that the face of a former Leader of a nation was taken up as the brand of a malware.

Truly, first tweeted by the MalwareHunterTeam, this ransomware has the peculiar title of,

"Barack Obama's Everlasting Blue Blackmail Virus"

This Windows-based malware is distributed through spam and phishing efforts with the aim to initially examine an infected system for processes related with antivirus solutions.Whenever executed, this ransomware is capable of terminating different procedures related with antivirus programming, for example, Kaspersky, McAfee, and Rising Antivirus.

The Obama ransomware then scans for documents ending with .EXE, before encoding them. It’s done as such that the registry keys related with the executable records are likewise influenced which thusly helps for instigating the virus each time an .EXE document is introduced and launched.

The message in the ransomware interface is shown alongside a picture of the previous US President Obama which states that users should contact the attacker at the mail 2200287831@qq.com for payment related directions.

Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.
So you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information.

The Ransomware more often than not encodes content, like documents and media to force victims to pay a blackmail 'expense' to recover their records and files and is distinguished by 45 out of 68 antivirus solutions, as indicated by VirusTotal, a virus scanning service.

Cybersecurity firms however prescribe for the affected users to not surrender in and pay if their system is infected with ransomware and for that they have even begun releasing free decoding keys consistently.




New SamSam Ransomware Variant Requires Password from Hacker Before Execution


Researchers at Malwarebytes have found that a new variant to the SamSam ransomware has been hitting users wherein the attacker has to put in a password before the malware could be executed.

“In its time being active, SamSam has gone through a slight evolution, adding more features and alterations into the mix,” read the blog post by Malwarebytes Labs. “These changes do not necessarily make the ransomware more dangerous, but they are added to make it just a bit more tricky to detect or track as it is constantly changing.”

According to researchers, this variant does not go into effect without the password, even if the malware is already present in the system. This makes for a more “targeted” attack as the attackers can decide which computers to execute the ransomware on.

Aside from targeted attacks, it also means that only those who know the password can access the ransomware code or execute the attack, making it a tricky malware to understand.

“As analysts, without knowing the password, we cannot analyze the ransomware code. But what’s more important to note is that we can’t even execute the ransomware on a victim or test machine. This means that only the author (or someone who has intercepted the author’s password) can run this attack,” the blog post said on the issue.

“This is a major difference from the vast majority of ransomware, or even malware, out there,” the post went on to say. “SamSam is not the type of ransomware that spreads like wildfire. In fact, this ransomware quite literally cannot spread automatically and naturally.”

SamSam has been a part of several massive cyber attacks since early 2018 and has led to severe damages worldwide. This new variant has only made it more elusive, as the code is inaccessible even to security researchers, which might be another reason for the password requirement.

The ransomware has in the past targeted hospitals, state agencies, city councils, and other enterprises, and caused huge losses when it hit the IT network of Atlanta earlier this year.


Author of Sigrun Ransomware helps Russian victims for free, charges other countries

The author of Sigrun ransomware is offering to decrypt computers of victims from Russia and some former USSR countries for free, while asking for payment in Bitcoin or Dash to citizens of other countries.

The ransomware already tries to avoid attacking computers of Russians by checking the keyboard layout of the computer. If it detects a Russian layout, it deletes itself and does not encrypt the computer. However, the ransomware has no provision for those computers who do not use a Russian layout, so some people from former USSR countries who choose not to use that layout can still be affected.

This is a common practice amongst Russian hackers and malware developers, who try to prevent from infecting Russian victims as they are concerned that the authorities will apprehend them, unlike when they are attacking victims from other countries.

This instance was first reported by Twitter user and security researcher Alex Svirid.


Another malware researcher, S!Ri, replied to the tweet with two pictures from ransomware victims of another attack.


Russian victim

U.S. victim

According to the Bleeping Computer, the ransomware author has added the Ukranian layout as well to be avoided during encryption.

"Ukranian users don't use Russian layout because of political reasons. So we decided to help them if they was infected," the author told them via email. "We have already added avoiding Ukrainian layout like was in Sage ransomware before."

They also reportedly said that they are not from former USSR republics, but rather added the condition “because of his Belarus partners”.


StalinLocker: ransomeware deletes data if correct code is not put in time

A new ransomware has been discovered called StalinLocker, or StalinScreamer, that gives victims of the attack 10 minutes to put in the correct unlock code and if they’re not able to do that, erases all the data on the infected device.

The ransomware does not actually demand any ransom, other than the condition given to unlock the victim’s device.

Named after Joseph Stalin, the late leader of the Soviet Union, the malware pays tribute to him by showing a red screen with a picture of Stalin, along with the USSR anthem playing in the background, when StalinLocker takes over the computer and the 10 minute countdown begins.



The ransomware was discovered by MalwareHunterTeam, which on Twitter explained how the malware worked and how to know the code to unlock your locked device.


According to them, the code can be guessed by subtracting the date the malware was run by 30/12/1922, which is the date that represents the foundation of the USSR.


This ransomware, unlike others, seems to purely focus on destroying user data as it does not demand any ransom in Bitcoin or other ways but simply attempts to erase all data if conditions are not met. If the user correctly enters the code, however, the files are unlocked with no problem.

The malware is similar to a previous one that forced victims to PlayerUnknown’s Battlegrounds game for an hour to get their device unlocked, but unlike StalinLocker, it did not threaten the erasure of the victim’s data.

Currently, StalinLocker is in a testing stage but it could turn out to be a major problem for Windows users once it is out for good.


Author of Three Critical Ransomware Families Arrested in Poland




A well-known cyber-criminal believed to be the author of the Polski, Vortex, and Flotera ransomware strains, Tomasz T. was arrested in Poland on Wednesday, but the announcement was made by the Polish Law Enforcement on Friday.

They had been tracking him for quite some time and were ready this time to go ahead with the arrest.
Tomasz T. a.k.a. Thomas or Armaged0n - a Polish citizen who lives permanently in Belgium is responsible for conducting cybercrime such as DDOS attacks, sending malicious software to compromise several computers and using ransomware to encrypt the files.

While working through Europol, the Polish police had alerted their Belgium counterparts, who thusly searched his house and seized the computer equipment, laptop and remote servers also including encryption keys.

 “Apparently, the suspect has been active since 2013, when he first started targeting users via a banking trojan that would replace bank account numbers in users' clipboards with one of his own, so to receive undeserved bank transfers.”
-          according to the Prosecutors.

He was able to spread this ransomware through the means of email by pretending to impersonate official correspondence from well-known companies such as DHL, Zara, Cinema City, PAY U, WizzAir and many more. While utilizing the Online portal, Tomasz operated under the epithet "Armaged0n," which he used on the infamous Hack Forums cybercrime portal too.

The Polish tech news site Zaufana Trzecia Strona (ZTS) was the first to draw the lines between the three ransomware strains to the Armaged0n persona and later tracked down an extensive email spear-phishing operation.

Armaged0n Hack forum profile

The police suspects that Tomasz infected thousands of users with ransomware and made over $145,000 from his criminal undertakings. ZTS, CERT Poland, security analysts, police, and the impersonated companies all worked together to track him down.

Polish Cybercriminal has been accused with various complaints such as accepting and transferring funds from crimes, infecting computer systems with malware such as the Polish Ransomware, Vortex or Floter and for influencing automatic data processing for financial benefits. All these ransomware’s Decryption keys have likewise been collected from his system.

The suspect, questioned by the prosecutor, conceded to the 181 different crimes that he was charged with.

Nonetheless, after performing the procedural steps, the prosecutor filed a motion to apply to him a temporary detention for a period of three months.


Password Theft Becomes The New Goal For Hackers

Barracuda Networks a month ago hailed a "critical alert" when it discerned an attack that endeavoured to steal user's passwords. This risk baits victims with Microsoft 365 Office files asserting to be tax documents or other official reports; assailants utilize dire dialect to persuade people to open the attachment.

Files named "taxletter.doc" and phrases like ""We are apprising you upon the arisen tax arrears in the number of 2300CAD" are a major example of the strategy utilized by hackers. Users, when they download and open the malignant record are hit with the password stealer. At the point when the report opens, a macro inside launches PowerShell, which acts out of sight in the background while the victim views the document.

Fleming Shi, senior vice president of technology at Barracuda, comparing this threat with phishing attacks of the past, says "Today's documents are far more active … you're putting in a lot of content, media, links," he further added in this context "Bad guys are leveraging the dynamic, active manner of the documents today to weaponized their files."

Millions of individuals have known to be affected by these phishing emails as attackers figure out how to dodge detection by creating different emails. While Exchange server makes up an extensive segment of individuals affected the alternate sorts of email accounts are additionally focused with the malevolent records.

This password theft is expanding in general, an indication of attackers moving their objectives and procedures, Shi clarifies further. Ransomware was huge a year ago; but this year, password stealers are showing up in phishing emails, browser extensions, and different programs as hoodlums chase the login information.
The real reason however, concerning why usernames and passwords have been focused on is on the grounds that they are equipped for giving access to numerous frameworks and applications that a specific user is attached to and operates at a regular schedule.

"Some attackers try to be like a sleeper cell on your system," Shi notes. The subtle signs that slowly bring it to the users focus and lets them know that their system has now been compromised and that they’ve lost control over all their applications is the conventional slowing down of their systems and the sudden upsurge in the pop-ups displayed.

"Some attackers try to be like a sleeper cell on your system," Shi notes.

A month ago, the IRS Online Fraud Detection & Prevention Centre (OFDP) reported an ascent of compromised emails in the beginning of January 2017 as the IRS authorities are also prescribing alert in the midst of an expansion of tax related phishing emails.
Here and now the cybercriminals are going for mass information burglary, and it's a timely opportunity for assailants to exploit users' wariness of tax season and make their crusades more compelling. In this way, it is smarter to be mindful and watchful while opening any business related or official looking report got by means of mail or some other online medium on the grounds that around here, it's better to be as careful as possible.

Advancing Ransomware Attacks and Creation of New Cyber Security Strategies

As ransomware is on the rise, the organisations are focusing too much on the anti-virus softwares rather than proactively forming strategies to deal with cyber-attacks which could pose as an indefinite threat to the users. Nevertheless one of the good advices to deal with this issue is the creation of the air-gaps, as through these it becomes quite easy to store and protect critical data. It even allows the offline storage of data. So, when a ransomware attack occurs, it should be possible to restore your data without much downtime – if any at all.

But it usually happens so that organisations more often than not find themselves taking one step forward and then one step back. As traditionally, the ransomware is more focused on backup programs and their associated storage but on the other hand it seems very keen on perpetually targeting the storage subsystems which has spurred organisations into having robust backup procedures in place to counter the attack if it gets through.

So in order for the organisations to be proactive it is recommended that they should resort to different ways to protecting data that allows it to be readily recovered whenever a ransomware attack, or some other cyber security issue, threatens to disrupt day-to-day business operations and activities.

Clive Longbottom, client services director at analyst firm Quocirca explains: “If your backup software can see the back-up, so can the ransomware. Therefore, it is a waste of time arguing about on-site v off-site – it comes down to how well air locked the source and target data locations are.”

However, to defend against any cyber-attack there needs to be several layers of defence which may or may not consist of a firewall, anti-virus software or backup. The last layer of defence that is to be used by the user though, must be the most robust of them all to stop any potential costly disruption in its track before it’s too late. So, anti-virus software must still play a key defensive role.

A ransomware attack is pretty brutal, warns Longbottom, “It requires a lot of CPU and disk activity. It should be possible for a system to pick up this type of activity and either block it completely, throttles it, or prevents it from accessing any storage system other than ones that are directly connected physically to the system.”

Now coming down to the traditional approach, it is often observed that data centres are in position in close proximity to each other in order to easily tackle the impact of latency, but for the fact they are all too often situated within the same circles of disruption increases the financial, operational and reputational risks associated with downtime.

Therefore there are a few certain tips that could allow the user to successfully migrate data to prevent ransomware attacks:
• The more layers you can add the better.
• User education.
• Update your Back-up regularly - it can be the last layer of defence.
• Have a copy off site – tape or cloud but don’t leave the drawbridge down.
• Planning of your backup process for your recovery requirement.

By following these one could successfully prevent cyber-attacks with ease and precision.

Unknown Hackers demand Ransom in Bitcoin

Recently the news came out of a ransomware attack in Old Delhi after three of the hacked victims came forward to uncover more about the attack. The victims i.e. the traders were demanded ransom in Bitcoin from the unknown hackers.

Although it is believed that the hackers are supposedly from either Nigeria or Pakistan, they were responsible for encrypting files on the computers of the businessmen which comprised of key records. The hackers at that point, as indicated by the police coerced the victims, gave them the links to purchase bitcoins through which they needed to make payments for the release of critical documents.

 “Some traders paid in Bitcoins and got their data back. Some deposited the money from abroad. When my data was hacked, I spoke to fellow traders and learnt that there were other such cases. I wrote to the hackers and they agreed to decrypt the files for $1,750 (around Rs 1.11 lakh),” Mohan Goyal, one of the victims was quoted saying in the report.

According to reports, the hacked traders found the message that said there was a 'security issue' in the system displayed on their computers. The traders were then given case numbers and email addresses for correspondence. They were then at first offered decryption of five of their documents and files for free by the hackers, who later demanded the payment of ransom for the rest of the records.

While one of the IP address utilized by hackers was purportedly traced back to a system in Germany, but the fingers remain pointed towards hackers from Nigeria and Pakistan.

Experts say that for making it difficult to trace the money, getting the money in bitcoin works for the hackers. The Delhi crime branch which registered the FIR has already sent the hard disks of the complainants for further forensic tests. As of not long ago, three complaints already have been registered by the police and it is believed that the number of victims could be much higher.

Ukrainian CyberPolice arrest the Hacker accused of spreading "Petya.A" virus



Ukrainian officers from cyber crime department have arrested a 51-year-old resident of Nikopol (Ukraine, Dnipropetrovsk region), who is suspected of spreading computer virus "Petya.A".

Petya is a ransomware that infects the Master boot Record(MBR). If the malware successfully infectes the MBR, it will encrypt the whole hard drive. Otherwise, it encrypts all files.

According to the local news report, the suspect published an online tutorial video explaining how to use the "Petya.A" malware to infect victim's computers. In the comments section, he also shared a link to social network on which he has uploaded the malware and distributed.

The police have conducted a search at the residence of the suspect. They have seized the computer equipments and found malicious software which is similare to the "Petya.A".

The malware is said to be infected more than 400 computers. Also a number of companies intentionally used this virus to conceal criminal activity and evasion from the payments of penalties to the state.

In June 2017, ESet reported that large number of infections happened in the Ukraine. The affected Ukrainian industries includes financial sector, energy sector.

- Christina

WannaCry Ransomware in simultaneous attack on firms and organizations around the world


To their utter dismay, May 12, 2017 saw firms and organizations in many countries around the world, including geopolitical rivals Russia and the US, suffer from mass attacks of the Malware WannaCry. This ransom malware appropriately also goes by the names of WCry, WannaCry, WannaCrypt0r and WannaCrypt – it did make some cry.

In a few hours WannaCry infected tens of thousands of devices. Experts from Avast have indicated that upwards of 57000 devices have already been infected. It is understood that Taiwan, Russia and Ukraine were the main targets of the Malware – quite a strange mix. Quoting specialists from Kaspersky, a Russian news agency reported about 45,000 WannaCry attacks in 74 countries around the world, with Russia being the most affected.

Corporate victims include the likes of Fedex, Spanish majors such as Telefonica, Gas Natural, Iberdrola and Santander Bank, and KPMG. The health care sector, already amongst the most vulnerable, was also hit. Targets here included UK’s National Health Service and other medical institutions in the UK

According of journalists of "Medusa", Russian targets included MegaFon, the Ministry of Internal Affairs and the Investigative Committee of the Russian Federation.

This malware, WCry, was first discovered in February 2017. It has evolved and “mutated” over the last few months, and the more potent Vesion 2.0 uses an SMB-exploit of the NSA from a toolkit published earlier by hacker group The Shadow Brokers.

It is believed that “Kafeine”, a French expert, was one of the first to discover the new mutation of Trojan. Kafeine realised that WannaCry was updated and adopted exploit EternalBlue. This exploit was written by NSA whiz kids to use vulnerabilities in SMBV1. A few other security specialists confirmed the discoveries of Kafeine.

Microsoft, in March 2017, developed a fix for ETERNALBLUE. However, paranoia is yet to set in amongst many computer users, and thus many did not make use of the fix. This lackadaisical attitude has now been exploited. As always, a sense of déjà vu prevails amongst cyber security pros.

For those interested, please click below to observe the spread of WannaCry in real-time - . https://intel.malwaretech.com/WannaCrypt.html

A Threat that encrypts data on offline mode

Researchers at Check Point Technologies have discovered an ‘offline’ ransomware that encrypts files on the infected machine without communicating with a command and control (C&C) server.

The ransomware which mainly targets Russian users, has been in existence since around June 2014. Since then, a dozen files have been released and the latest among them is CL 1.1.0.0 which was made available in mid-August.

Security products detect various versions of the threat as Ransomcrypt.U(Symantec),Win32.VBKryjetor.wfa (Kaspersky) and Troj/Ransom-AZT (Sophos).
After the threat infects a computer, it encrypts important files after which it changes the desktop background to a message in native language, ‘Russian’ informing the users about their encryption of files.

Victims are then asked to pay between $300 and $380; depending on how fast they pay up, to receive a decryption tool and the key needed to recover their files.

Due to its offline feature and detachment from C&C server, it becomes more difficult for security solutions that identify threats based on their communications to detect and neutralize the malware.

According to Check point researchers, the malware is designed only to encrypt files and it does not have much other functionality. However, its efficiency on its function is high enough which makes it impossible to recover files without paying the ransom.

The beginning (first 30000 bytes) of each file is encrypted using two buffers of digits and letters that are randomly generated on the infected machine. The encryption process includes taking each original byte along with one byte from each of the randomly generated buffers and performing mathematical operations on them.

The remainder of each file (if it exists) is encrypted using an RSA public key (“local”) that is randomly generated on the infected machine, along with the matching local RSA private key required for decryption of the data.

The randomly generated buffers and the local RSA private key that are required for decryption are added as metadata to each encrypted file, and are then encrypted using three hardcoded RSA 768 public keys that the offender created in advance (“remote”). The matching remote RSA private keys required to unlock the metadata are located on the attacker’s side.”

Ransomware campaigns are highly profitable for cyber criminals who can make huge amounts of cash by encrypting files of Russian users. 

Beware of CryptoWall Ransomware, victims reporting losses totaling over $18 million


FBI's Internet Crime Complaint Center's (IC3) data shows CryptoWall as the most current and significant Ransomware affecting millions of individuals and businesses in US.

CryptoWall and its variants have been targeting people since April 2014, between April 2014 and June 2015, the IC3 received 992 CryptoWall related complaints, with victims reporting losses totaling over $18 million.

The victims incurs ransom fees between $200 and $10,000, there are additional costs which includes network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers.

The system becomes infected when the victim visits or clicks on the infected advertisement, email, attachment  or  infected websites- The malware encrypts the victim's file stored on the infected machine. Ransomware schemes demand payment in Bitcoin as  it is easy to use, fast, publicly available, decentralized, and provides a sense of heightened security/anonymity.

Victims can register the complaint to local FBI field office, or may also file a complaint with the IC3 at www.IC3.gov.

Think twice before you open email attachments from unknown senders


Security researchers of Checkpoint have discovered a new ransom threat dubbed Troldesh, which is also known as Encoder.858 and Shade.

The Troldesh, which was created in Russia, has already affected numerous users across the world. The Troldesh ransomware typically encrypts the user’s personal files and extorts money for their decryption.

“Troldesh is based on so-called encryptors that encrypt all of the user’s personal data and extort money to decrypt the files. Troldesh encrypts a user’s files with an “.xtbl” extension. It is spread initially via e-mail spam,” Natalia Kolesova, anti-bot analyst at the Check Point, wrote in a blog.

She said that they found a distinctive characteristic in Troldesh besides the typical ransom features. 

The inventors of Troldesh directly communicate with the user by providing an email address, which is used to determine the payment method.

According to Kolesova, once a corrupted email is opened, the malicious threat is activated. Then, it will start encrypting the user’s files with the extension .xbtl.

Along with the files, users’ names are also encrypted. Once the encryption process is done, the affected user is displayed a ransom message and is being redirected to a ‘readme’ text for further information.

In a bid to stay safe, users are advised not to open anything suspicious by unknown senders.

“Many cases have been reported by the users paying the ransom without having their files decrypted. In order to avoid ransomware, it is important to back up important data previously on an external storage device or in a cloud,” she wrote.

The researcher said that the affected users have to download a powerful anti-malware tool to scan the system and remove the ransomware.

The researcher said she contacted the hackers via an email and asked for a discount.

“I was very interested to learn more about the ransom and tried to start a correspondence with the attackers. As required, I sent the specified code to the e-mail address provided, one that is registered on the most famous Russian domain,” the researcher wrote.

The crooks had demanded 250 euros to decrypt all of the files.

However, after the researcher asked to reduce the amount, the criminals agreed to lower the ransom to €118 / $131, payable via QIWI money transfer system.

Simplocker : First Android Ransomware that Encrypts files in Your Device

Ransomware is a type of malware that locks you out of your computer until you pay a ransom.  In some cases, it can actually cause more serious problems by encrypting the files on your system's hard drive.

Last year, Symantec discovered an android malware with hybrid characteristics of Fake AV and Ransomware. Last month, Bitdefender identified an android version of Ransomware which was being sold in the underground market.  The malware bluffed victims into paying a ransom but didn't actually encrypt the files.

Until now, there have been no reports of android malware that encrypts the files.

Security researchers at ESET say they have spotted the first variant of Ransomware that encrypts files in your Android Device.

The malware, dubbed as Simplocker, shows a ransom message written in Russian which informs victims that their device is locked for  viewing and distribution child porn.

It scans the SD card for certain file types such as image, document or videos, encrypts them using Advanced Encryption Standard(AES), and demands money in order to decrypt them.


It also gathers information about the infected device and sends to a command and control server.  The server is located in Tor ".onion" domain for purposes of anonymity.

Don't Pay:
"We strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them" Researchers at ESET say. 

Hackers lock iPhones remotely and demanding $100 to unlock it


In recent hours, a number of users from Australia had a nightmare as cyber criminals locked their devices and demanding payment of a ransom.

The locked devices show the following message "Device Hacked by Oleg Pliss" and instructs victims to send $100 dollars to lock404@hotmail.com to unlock their devices.

The cyber attack came to light, after one user from Melbourne shared his experience in Apple support forum and asked help to fix the problem.  Following his post, several users have reported of being affected by this attack.

It appears hackers used stolen Apple IDs and passwords to access iCloud account that allowed them to lock victim's devices and display a message.

What you should do? Don't pay the Ransom !
Affected users are advised to contact Apple directly to regain access to their account.  

Once you have access to your account, change the password immediately and enable two step authentication feature for your account.

Power Locker - Cybercriminals attempt to sell New Ransomware called Prison Locker

MalwareMustDie(MMD) Team came across an advertisement in an underground forum where an Individual is trying to sell his new Ransomware, called Power Locker also known as Prison Locker.

The Cybercriminal goes by online moniker "gyx" coded the malware in C/C++ and advertizing the ransomware in various underground forums. 

The ransomware in question is said to have many features such as "detecting the Debugger and Virtual Machines in order to avoid being analyzed by security researchers", "Displaying warning window in a new desktop".

At the starting, "gyx" asked others to help him to code the GUI part of the malware and promised to pay them.  Member of MalwareMustDie Team disguised himself as malware coder and had an IRC chat with him. He also managed to get the source code of the malware.  You can find the full conversation here.

MMD Team has doxed the Gyx and collected some interesting info about the identity of the malware author.  The dox leads to a person claimed to be a security researcher who is blogging about security  ("wenhsl.blogspot.in/").  They also identified the twitter account of him(@wenhsl).


The fun fact is that he was also trying to communicate with MalwareMustdie from his twitter account.

New Cryptolocker Ransomware capable of spreading via Pen Drive


CryptoLocker Ransomware, to date, generally spread via various online method such as fake emails containing the malware, drive-by downloads or via any other already infected malware. So far, the malware has been successful in infecting more users.

It appears the cyber criminals behind the cryptolocker malware are not satisfied with the infection ratio.  So, they have added new features in their new version.

A new variant of cryptolocker has been detected by Trend Labs that comes with new features to spread from victim's machines. This variant has the ability to spread via Removable drives.

"This update is considered significant because this routine was unheard of in other CRILOCK variants. The addition of propagation routines means that the malware can easily spread, unlike other known CRILOCK variants." Researchers say.

Unlike the previous variants, the malware now uploaded in Peer to Peer (P2P) file sharing site, pretends to a cracker for various software such as Adobe Photoshop, Microsoft Office. This helps the attackers to easily infect systems without the need of spending time in sending spam mails.

However, the malware is failed to use a Domain generation algorithm(DGA), feature that enable the malware to evade detection as it use a large number of random domain names.

"This could mean that the malware is still in the process of being refined and improved upon. Thus, we can expect latter variants to have the DGA capability." Researchers said.

Antivirus that will alert about Criminal and Illegal content for $500

Isn't the title interesting?! There is no such Antivirus that will alert about criminal and illegal content.  It is being advertised in recently discovered ransomware.

Ransomware usually lock the victim's system or browser and displays a warning message pretending be from FBI or any other authority.  It will inform victims that their system is locked because of their illegal activities and asks them to pay money to unlock  it.

A new ransomware spotted by Malwarebytes team interestingly informs the victims that "Your criminal records have been deleted". 


The malware also suggest the victims to buy an Antivirus for $500 from them in order to unlock the system and avoid other legal consequences.

Those who fall for this scam end up in paying around $1200 dollars.  As i said earlier,  there is no such kind of antivirus exist.  After paying ransom, you will just receive a message "your browser will be unlocked within 12 hours" nothing else.

CryptoLocker ransomware reduce the price for decrypting files

As a bitcoin value continuous its climb, now it is more than $800, the criminals behind cryptolocker ransomware have also come with up an idea to reduce the price for decrypting files to 0.5 Bitcoins.

Initially, the ransomware were asking victims to pay 2 Bitcoins as ransom in order to decrypt their files.

The victims who failed to pay the ransom within a particular time will be asked to use their decryption service if they want to get back their encrypted files.  However, victims need to pay more than before.


The new variant of CryptoLocker ransomware spotted by F-Secure security team on November 20 is asking users to pay 0.5 Bitcoins instead.

Cybercriminals capture Images of people watching porn to trick them to pay ransom

Image Credits: WAToday - Illustration: Matt Golding.
A New Ransomware that poses as Australian Federal Police attempts to turn on the webcams of people watching porn and captures images of them.

Once the image of the user is captured, the malware locks the desktop and shows a warning message saying that "they have breached federal laws relating to child pornography, copyright or privacy".

The warning message includes the image of the victim. This will certainly horrify the victims.

According to WAToday report, the victims are then told to pay a ransom of $100 to $199 within 72 hours. The malware claims that if they failed to, the data in their disk will be wiped.

''We've taken some very interesting calls; some people are very open, while others swear they have been hacked while using Facebook" The WAToday quoted AFP as saying.