Simplocker: First Android Ransomware that Encrypts Files on Your Device

Ransomware is a type of malware that locks you out of your computer until you pay a ransom. In some cases it goes further and encrypts the files on the system's hard drive, so that removing the malware alone no longer gets the data back.

Last year, Symantec discovered Android malware with hybrid characteristics of fake AV and ransomware. Last month, Bitdefender identified an Android version of ransomware being sold on the underground market. That malware bluffed victims into paying a ransom but did not actually encrypt any files.

Until now, there had been no reports of Android malware that really encrypts files.

Security researchers at ESET say they have spotted the first ransomware variant that encrypts files on an Android device.

The malware, dubbed Simplocker, shows a ransom message written in Russian which informs victims that their device has been locked for viewing and distributing child pornography.

It scans the SD card for certain file types, such as images, documents and videos, encrypts them using the Advanced Encryption Standard (AES), and demands money to decrypt them.

It also gathers information about the infected device and sends it to a command-and-control server. The server is hosted at a Tor ".onion" address for anonymity, which makes it hard to take down or to trace back to its operator.
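How the effect of a file-encrypting payload can be spotted on a storage volume, as an added example that is not part of ESET's write-up or the Simplocker sample: a scanner that flags files whose content no longer matches the magic bytes their extension promises, or whose byte entropy is that of ciphertext. The file types, the entropy threshold and the hash-based keystream used to produce the sample ciphertext are assumptions; nothing about the real malware's AES use beyond what the page states above is assumed.

```python
"""Detect files that look like they have been overwritten with ciphertext.

Added example, not code from ESET or from the Simplocker sample. The AES
details of the real malware are not on this page, so a SHA-256 counter-mode
keystream (assumption: stand-in for AES) is used only to produce realistic
ciphertext for the constructed sample files.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Leading bytes a healthy file of each type must carry (assumption: a small
# subset of the image/document/video types the article says are targeted).
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".mp4": None,   # no fixed bytes at offset 0; fall back to entropy
    ".txt": None,
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumption, tuned for files >= 4 KiB


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; random ciphertext approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """True when the file's content no longer matches what its name promises.

    Compressed media (JPEG, MP4) already have high entropy, so entropy alone
    would flag clean photos; for those types the magic-byte check does the work.
    """
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    magic = MAGIC.get(ext)
    if magic is not None:
        return not data.startswith(magic)
    return shannon_entropy(data) > ENTROPY_THRESHOLD


def scan(root: str) -> dict:
    """Map every file under root (path relative to root) to its verdict."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            verdicts[rel] = looks_encrypted(path)
    return verdicts


def keystream_encrypt(data: bytes, key: bytes) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in cipher, not Simplocker's AES)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def make_sample_sdcard() -> str:
    """Build a constructed 'SD card': clean files under clean/, encrypted under hit/."""
    root = tempfile.mkdtemp(prefix="sdcard_")
    # Constructed content, not real files from the wild: a JPEG header over
    # random bytes standing in for compressed image data, and a plain note.
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + os.urandom(4092),
        "note.txt": b"Meeting notes: bring the signed contract.\n" * 100,
    }
    key = b"constructed-demo-key"
    os.makedirs(os.path.join(root, "clean"))
    os.makedirs(os.path.join(root, "hit"))
    for name, content in samples.items():
        with open(os.path.join(root, "clean", name), "wb") as fh:
            fh.write(content)
        with open(os.path.join(root, "hit", name), "wb") as fh:
            fh.write(keystream_encrypt(content, key))
    return root


if __name__ == "__main__":
    for rel, hit in sorted(scan(make_sample_sdcard()).items()):
        print("ENCRYPTED " if hit else "ok        ", rel)
```

The clean photo scores almost 8 bits per byte yet is reported clean, because its header is intact; the same photo after encryption fails the magic check. That is the practical caveat: on a volume full of photos and videos, entropy alone tells you nothing, and a header check is what separates ciphertext from compressed media.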

Don't Pay:
"We strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them," researchers at ESET say.

Hackers lock iPhones remotely and demand $100 to unlock them

In recent hours, a number of users in Australia have had a nightmare as cyber criminals locked their devices and demanded a ransom.

The locked devices show the message "Device Hacked by Oleg Pliss" and instruct victims to send $100 to unlock their devices.

The attack came to light after a user from Melbourne shared his experience on the Apple support forum and asked for help fixing the problem. Following his post, several other users reported being affected.

It appears the hackers used stolen Apple IDs and passwords to sign in to the victims' iCloud accounts, which allowed them to lock the devices remotely and display a message using Apple's own remote-lock feature. Nothing on the phone itself had to be exploited; a valid account password was enough.

What should you do? Don't pay the ransom!
Affected users are advised to contact Apple directly to regain access to their accounts.

Once you have access again, change the password immediately, do not reuse that password on any other site, and enable two-step verification on the account.

Power Locker: cybercriminals attempt to sell new ransomware called Prison Locker

The MalwareMustDie (MMD) team came across an advertisement on an underground forum in which an individual is trying to sell his new ransomware, called Power Locker, also known as Prison Locker.

The cybercriminal, who goes by the online moniker "gyx", coded the malware in C/C++ and is advertising the ransomware on various underground forums.

The ransomware is said to have features such as "detecting the debugger and virtual machines in order to avoid being analyzed by security researchers" and "displaying a warning window in a new desktop".

At the start, "gyx" asked others to help him code the GUI part of the malware and promised to pay them. A member of the MalwareMustDie team posed as a malware coder and had an IRC chat with him, and also managed to obtain the malware's source code. You can find the full conversation here.

The MMD team has doxed gyx and collected some interesting information about the malware author's identity. The dox leads to a person claiming to be a security researcher who blogs about security. They also identified his Twitter account (@wenhsl).

The fun fact is that he was also trying to communicate with MalwareMustDie from that Twitter account.

New CryptoLocker variant capable of spreading via pen drive

CryptoLocker ransomware has, to date, generally spread via online methods such as fake emails carrying the malware, drive-by downloads or other malware already present on the machine. So far it has succeeded in infecting a large number of users.

It appears the criminals behind CryptoLocker are not satisfied with the infection rate, so they have added new features to the latest version.

A new variant of CryptoLocker detected by Trend Micro's TrendLabs comes with the ability to spread from a victim's machine: it can propagate via removable drives.

"This update is considered significant because this routine was unheard of in other CRILOCK variants. The addition of propagation routines means that the malware can easily spread, unlike other known CRILOCK variants." Researchers say.

Unlike previous variants, this one is uploaded to peer-to-peer (P2P) file-sharing sites pretending to be a cracker (activator) for software such as Adobe Photoshop and Microsoft Office. This lets the attackers infect systems without spending time on spam campaigns.

However, this variant does not use a domain generation algorithm (DGA), a feature that lets malware keep contact with its command-and-control servers by cycling through a large number of pseudo-random domain names, so that blocking or sinkholing any one domain does not cut the bots off.

"This could mean that the malware is still in the process of being refined and improved upon. Thus, we can expect later variants to have the DGA capability," the researchers said.
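What a DGA gives the operator, and what a defender does about it, as an added example that is not CryptoLocker's algorithm (its details are not on this page) and not Trend Micro's code: both sides derive the same daily domain list from a shared seed and the date, so the bot never needs a fixed address and the defender, once the seed is known, can precompute the list and match it against resolver logs. The seed, name lengths, TLD list, domain count per day, the date, and the log line format are all assumptions.

```python
"""Illustrative domain generation algorithm and the matching defender check.

Added example; this is not CryptoLocker's DGA. The seed, the date-based
input, the name lengths and the TLD list are assumptions chosen to show how
a DGA lets malware and operator agree on fresh rendezvous domains every day
without a fixed list that could be blocked or seized.
"""
import hashlib
import re
from datetime import date, timedelta

SEED = b"example-seed"                                            # assumption
TLDS = (".com", ".net", ".org", ".biz", ".info", ".ru", ".co.uk")  # assumption
DOMAINS_PER_DAY = 1000                                           # assumption


def generate_domains(day: date, count: int = DOMAINS_PER_DAY) -> list:
    """Deterministic list of candidate C2 domains for one calendar day."""
    domains = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + i.to_bytes(4, "big")
        h = hashlib.sha256(material).digest()
        length = 12 + h[0] % 8                                   # 12..19 letters
        name = "".join(chr(ord("a") + h[1 + j] % 26) for j in range(length))
        domains.append(name + TLDS[h[31] % len(TLDS)])
    return domains


def dga_watchlist(day: date, skew_days: int = 1) -> set:
    """Domains for the day plus its neighbours, since bot and log clocks differ."""
    names = set()
    for delta in range(-skew_days, skew_days + 1):
        names.update(generate_domains(day + timedelta(days=delta)))
    return names


# Constructed resolver log format: "<timestamp> <client> query A <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+A\s+(?P<qname>\S+)")


def find_dga_queries(log_lines, day: date) -> list:
    """Return (client, qname) for every log line that resolves a watchlist name."""
    watch = dga_watchlist(day)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")   # resolvers often log a trailing dot
        if qname in watch:
            hits.append((m.group("client"), qname))
    return hits


DAY = date(2013, 12, 30)                 # assumption: an arbitrary day
NEXT_DAY = DAY + timedelta(days=1)
_today, _tomorrow = generate_domains(DAY), generate_domains(NEXT_DAY)

# Constructed log lines, not real traffic: one benign lookup, two bots
# resolving today's names, one bot whose clock is a day ahead, one bad line.
SAMPLE_LOG = [
    "2013-12-30T09:15:02 10.0.0.12 query A www.example.com",
    f"2013-12-30T09:15:03 10.0.0.12 query A {_today[0]}",
    f"2013-12-30T09:15:03 10.0.0.12 query A {_today[1]}.",
    f"2013-12-30T09:16:10 10.0.0.40 query A {_tomorrow[5]}",
    "malformed line",
]


if __name__ == "__main__":
    for client, qname in find_dga_queries(SAMPLE_LOG, DAY):
        print(f"{client} resolved DGA domain {qname}")
```

The operator registers only one or two of the thousand names each day; the bot tries them until one answers. The defender's leverage is the same determinism: with the seed recovered from a sample, the whole day's list can be pushed to a DNS blocklist or sinkhole before the bots start asking, which is why the researchers quoted above treat a missing DGA as a sign of an unfinished product.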

Antivirus that will alert about criminal and illegal content, for $500

Isn't the title interesting? There is no such antivirus that alerts about criminal and illegal content; it is the "product" advertised by a recently discovered ransomware.

Ransomware usually locks the victim's system or browser and displays a warning message pretending to be from the FBI or another authority. It informs victims that their system has been locked because of their illegal activities and asks them to pay to unlock it.

A new ransomware spotted by the Malwarebytes team interestingly informs victims that "Your criminal records have been deleted".

The malware also suggests that victims buy an antivirus from the criminals for $500 in order to unlock the system and avoid further legal consequences.

Those who fall for this scam end up paying around $1,200. As said earlier, no such antivirus exists. After paying, the victim merely receives a message saying "your browser will be unlocked within 12 hours", and nothing else.

CryptoLocker ransomware reduces the price for decrypting files

As the bitcoin price continues its climb, now above $800, the criminals behind CryptoLocker have also come up with the idea of reducing the price for decrypting files to 0.5 bitcoin.

Initially, the ransomware asked victims to pay 2 bitcoins to decrypt their files.

Victims who fail to pay within the deadline are told to use the criminals' decryption service if they want their files back, but at a higher price than before.

The new CryptoLocker variant spotted by the F-Secure security team on November 20 asks for 0.5 bitcoin instead.

Cybercriminals capture images of people watching porn to pressure them into paying a ransom

Image Credits: WAToday - Illustration: Matt Golding.
A new ransomware posing as the Australian Federal Police attempts to turn on the webcams of people watching porn and captures images of them.

Once the image is captured, the malware locks the desktop and shows a warning message saying that the user has "breached federal laws relating to child pornography, copyright or privacy".

The warning message includes the captured image of the victim, which will certainly horrify them.

According to the WAToday report, victims are then told to pay a ransom of $100 to $199 within 72 hours. The malware claims that if they fail to, the data on their disk will be wiped.

"We've taken some very interesting calls; some people are very open, while others swear they have been hacked while using Facebook," WAToday quoted the AFP as saying.

New ransomware Shadowlock demands that victims fill out a survey to unlock the infected system

Ransomware is malware designed to trick victims into believing their computer has been locked for illegal activities, and demands money to unlock it.

However, the new ransomware variant spotted by Symantec researchers demands that victims complete a survey to unlock their system instead of paying money.

Once the system is infected, it displays a popup box asking the victim to enter an unlock code, which is obtained by completing the survey offered by the malware.

Shadowlock ransomware popup - Image credits: Symantec

The pop-up cannot be closed, and the trojan cannot be terminated with Task Manager, CMD, RegEdit or MSConfig; access to System Restore is also denied.

According to Symantec's malware report, the threat is capable of closing popular browsers, disabling certain system tools and disabling the Windows firewall.

This variant may well be more successful at making money for the criminals, since victims who would never pay a ransom may be willing to complete a survey.

Reveton ransomware upgraded: now it speaks to victims

Did you ever think a virus could talk to you? It seems this ransomware does. The Reveton ransomware, which prevents victims from using their computers and displays a rogue message, has been upgraded: it now speaks to the victim, according to Trend Micro.

Ransomware, also referred to as cryptotrojans, is a kind of malware that restricts access to the computer system it infects. Usually it displays a fake full-screen message (which the victim cannot close or click past), purporting to come from a law enforcement agency of the victim's country, and instructs the victim to pay a fine for allegedly accessing or storing illegal content on the computer.

Interestingly, the latest variant also plays an audio message urging the user to pay the ransom.

"The user won’t need a translator to understand what the malware is saying – it speaks the language of the country where the victim is located," the researchers say.

Unlike previous variants, this one also connects to a specific URL to send and receive information from a remote operator, and downloads an encrypted .dll and a WAVE audio file.

New ransomware uses the Anonymous name: "Your computer has been hacked by the Anonymous"

Nowadays the number of ransomware attacks is increasing. Usually the ransomware claims the victim has violated the law and names a law enforcement agency (such as the CIA or FBI) to scare them, then asks for a ransom to unlock the computer.

Interestingly, a new ransomware discovered by the Swiss security blog names the Anonymous hacker collective instead of law enforcement.

In a tweet, the researcher posted about the ransomware: "#Ransomware: 'Your computer has been hacked by the Anonymous Hackers Group and locked for the moment.'"

The new ransomware displays the following message instead:

We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.

 Tango down!

    Your computer has been hacked by the Anonymous Hackers Group and locked for the moment. All files have been encrypted. You need to pay a ransom of £100 within 24 hours to restore the computer back to normal. If the ransom is not paid on time all the contents of your computer will be deleted and all your personal information such as your name, address, D.O.B., etc. will be published online, after this has been done the process, ram and motherboard will be fried. Any attempts to remove this virus will result in the consequences mentioned.

To unlock the computer, the ransomware asks the user to pay via Ukash. "When you pay the ransom your pc will get unlocked in 1 to 3 hours," the ransom statement reads.

The strong reasons why it was not created by Anonymous:
  •  Anonymous targets governments and organisations, not individual users.
  •  Anonymous calls itself just "Anonymous", not "Anonymous Hackers Group".
  •  Anonymous has never been concerned with money.
  •  "Tango down" is the phrase used to announce a successful DDoS attack, not a malware infection.

1,100 UK computers infected by police ransomware

Cyber criminals have managed to infect more than 1,100 computers with ransomware that extorts money from unsuspecting members of the public by impersonating the Met's Police Central e-Crime Unit (PCeU).

According to the press release, police have received 1,100 reports from the public of the malware affecting their computers. 36 people in the UK have paid, each losing £100.

The ransomware infects PCs when users visit compromised websites; it freezes and locks the PC and displays a message purporting to be from the e-crime unit, telling the user they must pay a fine to unlock the computer.

"This is a fraud and users are advised NOT to pay out any monies or hand out any bank details," police representatives said. "This scam is now affecting many countries in Europe and further afield, with each email tailored to include the branding of that country's law enforcement agency. Europol are coordinating with Europe's law enforcement agencies on this matter."

Users are advised to install internet security software. You can also use the Comodo IceDragon browser, which blocks known malicious domains.

IC3 warns about 'Reveton' ransomware attack

The Internet Crime Complaint Center (IC3) warns about the Citadel malware platform being used to deliver a ransomware named Reveton.

The malware lures the victim to a drive-by download website, where the ransomware is installed on the user's computer. Once installed, it freezes the computer and displays a screen warning the user that they have violated United States federal law.

As usual, the malware threatens the user by claiming that their IP address was identified by the Computer Crime & Intellectual Property Section as visiting child pornography and other illegal content.

To unlock the computer, the user is instructed to pay a $100 fine to the US Department of Justice using a prepaid money card service. The geographic location of the user's IP address determines which payment services are offered.

In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud.

This is an attempt to extort money, with the additional risk of the victim's computer being used for online bank fraud. If you see this or something similar, do not follow the payment instructions. Removing the lock screen alone is not enough, either, because the underlying Citadel infection stays behind and keeps stealing credentials.

Earlier this month, Trusteer researchers discovered and reported the same piece of malware.

ZeuS 2.x comes with a ransomware feature

The recent popularity of ransomware has resulted in an unexpected malware combination: F-Secure researchers have spotted a new ZeuS 2.x variant that includes a ransomware feature.

When this particular variant is executed, it opens Internet Explorer on a specific page ( and prevents the user from doing anything else with the infected system. The page presumably showed some type of extortion message, but it is currently unavailable because the site is offline.

The most straightforward way to unlock the system is simply to delete the trojan. That can be tricky, since the trojan prevents the user from doing anything on the infected system, but luckily the lock itself can be disabled first.

After disassembling the malware, the researchers found that the unlock state is stored in the registry, so it is possible to unlock the system without paying the ransom.

Part of the disassembled code (image)

Unlocking can be performed quite easily with a registry editor:

1. Boot the system in Safe Mode.
2. Add a new key named syscheck under HKEY_CURRENT_USER.
3. Create a new DWORD value under the syscheck key.
4. Name the new DWORD value Checked.
5. Set the data of the Checked value to 1.
6. Reboot.
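The same change scripted, as an added example that is not F-Secure's code: it creates HKCU\syscheck\Checked = 1 exactly as steps 2 to 5 describe, reads the value back to confirm, and on a non-Windows machine emits the equivalent .reg import file instead. Step 1 (Safe Mode) and step 6 (reboot) are still yours to do, and the unlock only removes the lock; the trojan itself still has to be deleted afterwards.

```python
r"""Apply the unlock value F-Secure found in the ZeuS variant's disassembly.

Added example, not F-Secure's code. It writes HKCU\syscheck\Checked = 1 (a
DWORD), which is the registry state the steps above create by hand. Run it
from Safe Mode and reboot afterwards; then remove the trojan itself.
"""
import sys

KEY_PATH = "syscheck"      # created directly under HKEY_CURRENT_USER
VALUE_NAME = "Checked"
VALUE_DATA = 1


def build_reg_file() -> str:
    """Registry Editor import text equivalent to steps 2 to 5, for regedit /s."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[HKEY_CURRENT_USER\\{KEY_PATH}]\r\n"
        f'"{VALUE_NAME}"=dword:{VALUE_DATA:08x}\r\n'
    )


def apply_unlock() -> bool:
    """Create the key and DWORD in the live registry and verify the write.

    Returns False on non-Windows hosts (no winreg) rather than failing, so the
    same script can be used to preview the .reg file elsewhere.
    """
    if not sys.platform.startswith("win"):
        return False
    import winreg
    key = winreg.CreateKey(winreg.HKEY_CURRENT_USER, KEY_PATH)
    try:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, VALUE_DATA)
        data, kind = winreg.QueryValueEx(key, VALUE_NAME)
    finally:
        winreg.CloseKey(key)
    return kind == winreg.REG_DWORD and data == VALUE_DATA


if __name__ == "__main__":
    if apply_unlock():
        print("Checked=1 written under HKCU\\syscheck; reboot to clear the lock.")
    else:
        print("Not on Windows; import this with regedit instead:\n")
        print(build_reg_file())
```

Because the value lives under HKEY_CURRENT_USER, it must be written while logged on as the locked-out user (or loaded from that user's NTUSER.DAT); writing it under another account does nothing for the victim's session.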

Ransomware encrypts users' files and demands a 50-euro ransom

Malware that encrypts user files and demands money, known as ransomware, is nothing new. Recently, Bitdefender security researchers came across another one. As usual, it encrypts the user's files and demands 50 euros to unlock them.

Once it infects a machine, the malware encrypts files with extensions belonging to movies, music, photos, shortcuts, PDF, text and HTML, appending .EnCiPhErEd to the original file extension. It also changes the icon of every renamed file to a common pink icon.

In each folder it finds on the infected system, the ransomware adds a file named "HOW TO DECRYPT FILES.txt" containing the following warning message:

“Attention! All your files are encrypted!

You are using unlicensed programms!

To restore your files and access them,

send code Ukash or Paysafecard nominal value of EUR 50 to the e-mail

During the day you receive the answer with the code.

You have 5 attempts to enter the code. If you exceed this date all data is irretrievably spoiled. Be careful when you enter the code!”

Bitdefender security solutions detect the malware as Trojan.Ransom.HM.

Recently, Trend Micro researchers came across a ransomware that works differently from the usual kind: it modifies the MBR instead (read the full article here).

Security tips:
To stay secure, pay close attention to the files you choose to download from your favourite peer-to-peer network, and keep an offline backup of the files you cannot afford to lose; against a file-encrypting threat, the backup is the only recovery that does not depend on the criminals.
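A first-response inventory of what this family touched, as an added example that is not Bitdefender's code: it uses only the two markers the report names, the .EnCiPhErEd suffix appended to the original extension and the "HOW TO DECRYPT FILES.txt" note dropped per folder, to list every encrypted file with its original name, tally the original extensions, and record which folders carry a note. The sample directory tree is constructed.

```python
"""Inventory of what Trojan.Ransom.HM touched, from the markers Bitdefender describes.

Added example, not Bitdefender's code. It relies only on the two markers
named on the page (the .EnCiPhErEd suffix and the per-folder ransom note),
so it is a damage list for restore-from-backup, not a decryptor.
"""
import os
import tempfile
from collections import Counter

MARKER_SUFFIX = ".EnCiPhErEd"
NOTE_NAME = "HOW TO DECRYPT FILES.txt"


def triage(root: str) -> dict:
    """Walk root and summarise encrypted files, original extensions and notes."""
    encrypted = []          # (relative path of encrypted file, original file name)
    notes = []
    by_ext = Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if name == NOTE_NAME:
                notes.append(rel)
            elif name.endswith(MARKER_SUFFIX):
                original = name[: -len(MARKER_SUFFIX)]      # strip the appended marker
                encrypted.append((rel, original))
                by_ext[os.path.splitext(original)[1].lower() or "(none)"] += 1
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "by_extension": dict(by_ext),
        "folders_with_note": sorted({os.path.dirname(n) for n in notes}),
    }


def make_sample_tree() -> str:
    """Constructed victim profile: two folders hit, one folder left alone."""
    root = tempfile.mkdtemp(prefix="victim_")
    layout = {
        "Documents/report.pdf.EnCiPhErEd": b"\x00ciphertext\x00",
        "Documents/todo.txt.EnCiPhErEd": b"\x00ciphertext\x00",
        "Documents/" + NOTE_NAME: b"Attention! All your files are encrypted!\n",
        "Pictures/holiday.jpg.EnCiPhErEd": b"\x00ciphertext\x00",
        "Pictures/" + NOTE_NAME: b"Attention! All your files are encrypted!\n",
        "Windows/system.ini": b"[boot]\n",   # not a targeted type, untouched
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    summary = triage(make_sample_tree())
    print(f"{len(summary['encrypted'])} encrypted files, {len(summary['notes'])} ransom notes")
    for ext, n in sorted(summary["by_extension"].items()):
        print(f"  {ext}: {n}")
    for rel, original in summary["encrypted"]:
        print(f"  {rel}  (was {original})")
```

Run it against a mounted image of the victim's drive rather than the live machine, so nothing is modified while the malware may still be active; the list of original names is what you hand to whoever restores from backup.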

New ransomware compromises the Master Boot Record (MBR)

A new ransomware overwrites the Master Boot Record (MBR) and demands 920 hryvnia (about $114) to unlock the system. This is quite different from previous ransomware, which usually encrypts files or restricts access to the running system.

After analysing the sample, Trend Micro researchers found that the malware copies the original MBR and then overwrites it with its own malicious code, which prevents the operating system from loading.

Once it has modified the MBR, it automatically restarts the system for the infection to take effect. When the system restarts, the ransomware informs the victim that the system is blocked and demands 920 hryvnia (UAH) via QIWI to a 12-digit purse number, 380682699268.

Once paid, the victim supposedly receives a code that unlocks the system, lets the operating system load again and removes the infection. This particular variant carries the "unlock code" in its own body; when the code is entered, the MBR routine is removed. Because the code is embedded in the sample, an analyst can recover it from the binary without paying.

Trend Micro detects this ransomware as TROJ_RANSOM.AQB and the infected MBR as BOOT_RANSOM.AQB.
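How an analyst tells an overwritten bootstrap from the original, as an added example that is not Trend Micro's code: parse the first sector into its bootstrap code, partition table and signature, then compare a suspect sector with a known-good copy. The two sector images are constructed; the "infected" one keeps the partition table but replaces the bootstrap, which is what a lock-screen MBR must do to run before the OS and still find the disk afterwards. The bootstrap bytes and partition layout are illustrative, not those of the real sample.

```python
"""Parse a 512-byte MBR and tell a ransomware-overwritten bootstrap from the original.

Added example, not Trend Micro's code. The layout is the standard MBR: 446
bytes of bootstrap code, four 16-byte partition entries, 0x55AA signature.
Both sector images below are constructed.
"""
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 446
SIGNATURE = b"\x55\xaa"
ENTRY = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA, sectors


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into bootstrap hash, used partition entries and signature validity."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[BOOTSTRAP_LEN + 16 * i: BOOTSTRAP_LEN + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack(ENTRY, entry)
        if ptype:                                   # type 0 means an empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def compare_mbr(known_good: bytes, current: bytes) -> dict:
    """Flag a replaced bootstrap; a kept partition table is typical for such lockers."""
    good, now = parse_mbr(known_good), parse_mbr(current)
    return {
        "bootstrap_replaced": good["bootstrap_sha256"] != now["bootstrap_sha256"],
        "partition_table_kept": good["partitions"] == now["partitions"],
        "signature_ok": now["signature_ok"],
    }


def _partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack(ENTRY, 0x80 if bootable else 0x00, ptype, lba_start, sectors)


def build_samples() -> tuple:
    """Constructed clean and infected sectors sharing one partition table."""
    table = (_partition_entry(True, 0x07, 2048, 204800)         # NTFS system volume
             + _partition_entry(False, 0x07, 206848, 1843200)   # NTFS data volume
             + bytes(32))                                       # two unused slots
    # Illustrative bootstraps: the clean one opens with the usual cli / xor ax,ax /
    # mov ss,ax prologue padded with zeros; the locker's is just a marker string
    # padded with NOPs. Neither is real boot code.
    clean_code = b"\xfa\x33\xc0\x8e\xd0" + bytes(BOOTSTRAP_LEN - 5)
    locker_code = b"\xeb\x00\xb8\x00\x0e" + b"BLOCKED".ljust(BOOTSTRAP_LEN - 5, b"\x90")
    return clean_code + table + SIGNATURE, locker_code + table + SIGNATURE


if __name__ == "__main__":
    clean, infected = build_samples()
    print(compare_mbr(clean, infected))
```

On a real case, take the sector from rescue media with dd if=/dev/sda bs=512 count=1 (or the equivalent on a write-blocked image) and compare it against the backup copy the malware itself made or against a known-good MBR from an identical build. If the partition table is intact, as in the constructed sample, restoring only the 446 bootstrap bytes is enough; overwriting the whole sector with a generic MBR would also be safe here, but it would discard a partition table you had no reason to replace.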

Europeans targeted with new ransomware

In the last couple of years, malware that holds an infected machine hostage and demands money to release it has become a frequently encountered threat. This threat type is called 'ransomware'.

Usually, the ransomware impersonates a law enforcement agency and accuses the user of committing a computer crime.

In a recent attack, the infected user is accused of illegally downloading music. The ransomware authors try to add an air of legitimacy by reusing the HTML style sheets and image content of the real organisation GEMA (the German music copyright organisation).

Confectionery website compromised to serve ransomware, money-stealing malware

If you read EHN's malware reports daily, you may be aware of the money-stealing malware known as ransomware. It seems the ransomware's authors are now interested in French cake and pastry lovers.

The website of a well-known confectionery company based in France has been compromised in order to infect visitors' systems.

Trend Micro security products detect the ransomware as TROJ_RANSOM.BOV. This time it impersonates the National Gendarmerie (French: Gendarmerie nationale), commonly known as the French police force (in the past, ransomware has impersonated the Italian and UK police).

As usual, it asks victims to pay a fine, now 200 euros (up from 100 euros).

"We noticed that the domain name of the URL used to host the exploit kit has been suspended. Based on the logs, it was created on February 9, 2012 and last updated on February 14. The domain’s registrant shows a .ru email address which might help in identifying a possible suspect, but this might just be a compromised email account." Trend Micro researchers said.

Ransomware (money-stealing malware) now impersonates the Italian police

A few days ago we reported on a computer virus that impersonates the UK's e-crime unit in an effort to steal money (£100) from unsuspecting users. Now the malware has changed its target from UK users to Italians.

A new ransomware circulating among Italian users poses as an official statement from the Italian police, warns the Total Defense Research Team.

This malware uses exactly the same method to threaten victims: it displays an official-looking message containing the victim's IP address. The fake message says that illegal activity related to child pornography has been detected, and additionally states that the computer is spreading illegal spam with terrorist intent.

Interestingly, the fake message asks the user to pay the same amount (£100) to unlock the system. Several payment methods are shown to the user, such as "paysafecard", "ukash" and "sisal".

According to the researchers' investigation, the ransomware disables Task Manager and modifies the Windows registry.

The malware adds the following value to the Run key, which Windows executes at every logon, so the lock screen comes back after each reboot:
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" value="vasja"

Total Defense security products detect the malware as "Ransom.ZAAC".

The same malware attack targeted German, Swiss, Spanish and Dutch users in the past.
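How a responder surfaces a Run-key entry like the "vasja" value above, as an added example that is not Total Defense's code: enumerate the HKCU and HKLM Run keys and flag values that launch from user-writable directories, use script hosts, carry an opaque short name, or give a bare file name. The page provides only the key and the value name; the heuristics, the sample entries and the "vasja.exe" path are assumptions.

```python
r"""Audit the Run keys for the kind of value the Italian police ransomware adds.

Added example, not Total Defense's code. The page gives only the key
(HKCU\...\CurrentVersion\Run) and the value name ("vasja"); the heuristics
and the sample entries below are assumptions. Live enumeration needs
Windows; classification runs anywhere.
"""
import re
import sys

RUN_KEYS = (
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)
USER_WRITABLE = re.compile(
    r"\\(AppData|Local Settings|Temp|Users\\[^\\]+\\Downloads)\\", re.IGNORECASE)
SCRIPT_HOSTS = re.compile(
    r"\b(wscript|cscript|mshta|powershell|rundll32|regsvr32)(\.exe)?\b", re.IGNORECASE)


def classify_run_value(name: str, command: str) -> list:
    """Return the reasons (possibly none) a Run value deserves a closer look."""
    reasons = []
    if USER_WRITABLE.search(command):
        reasons.append("launches from a user-writable directory")
    if SCRIPT_HOSTS.search(command):
        reasons.append("uses a script/LOLBin host")
    if re.fullmatch(r"[a-z]{3,8}", name):        # opaque token like "vasja"
        reasons.append("value name is an opaque short token")
    if "\\" not in command.strip('"'):
        reasons.append("bare file name, relies on PATH or current directory")
    return reasons


def audit(entries) -> list:
    """entries: iterable of (hive, value_name, command). Returns flagged entries."""
    flagged = []
    for hive, name, command in entries:
        reasons = classify_run_value(name, command)
        if reasons:
            flagged.append({"hive": hive, "name": name, "command": command, "reasons": reasons})
    return flagged


def read_live_run_entries() -> list:
    """Enumerate both Run keys on Windows; returns [] on other platforms."""
    if not sys.platform.startswith("win"):
        return []
    import winreg
    entries = []
    for hive_name, subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(getattr(winreg, hive_name), subkey)
        except OSError:
            continue
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            entries.append((hive_name, name, str(data)))
            index += 1
        winreg.CloseKey(key)
    return entries


# Constructed entries standing in for a real Run key; the "vasja" path is an assumption.
SAMPLE_ENTRIES = [
    ("HKEY_CURRENT_USER", "vasja",
     r"C:\Documents and Settings\user\Local Settings\Temp\vasja.exe"),
    ("HKEY_LOCAL_MACHINE", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("HKEY_CURRENT_USER", "OneDrive",
     r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]


if __name__ == "__main__":
    for item in audit(read_live_run_entries() or SAMPLE_ENTRIES):
        print(f"{item['hive']}\\...\\Run  {item['name']}: {item['command']}")
        for reason in item["reasons"]:
            print(f"    - {reason}")
```

The OneDrive entry in the constructed sample is flagged too: legitimate per-user software also installs itself under AppData, so the output is a short list to verify by signature and hash, not a verdict. The vasja entry stands out because two reasons coincide, the temp-directory path and the meaningless name.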

Beware of money-stealing malware (ransomware) attack, police warn

The UK's Metropolitan Police has warned the public about a malware attack that poses as a message from its e-crime unit.

The malware infects the user's system when they visit certain sites; once infected, the ransomware locks the computer and a message (pictured) claiming to be from the Metropolitan Police Central e-crime Unit (PCeU) accuses the user of accessing pornographic websites.

It asks the victim to pay a fine in order to release the lock on their computer.

"This is a fraud and users are advised not to pay out any monies or hand out any bank details. Genuine law enforcement agencies would never contact members of the public via this method and demand funds in this way," Computerworld UK quoted the police as saying.

The police recommend that anyone who has fallen for the scam and handed over money contact their credit card company immediately. They underline that they would never use such tactics to contact the public or demand funds, and ask victims to report the offence to their local police by dialling 101, the non-emergency police number.

Ransomware encrypts files and demands $69 for unlocking: malware report

A new piece of malware (ransomware) encrypts all the files on your system and demands $69 to unlock them. The criminals offer a free trial version of the unlocking tool that recovers three files, as proof that paying will get the rest back.

Some versions of this trojan start locking files as soon as they land on the system, while other variants only start wreaking havoc after the system is rebooted. The trojan works silently, in the background.

The ransomware does not encrypt system files, so that the victim is left with a working machine from which to pay. It uses a simple method to encrypt the files. Once it has finished, it opens a web page telling the victims they are about to be ripped off.

From the Malware City report:
The ransomware has a folder icon and a double extension, ".zip.exe", which the trojan desperately tries to hide so as to pass undetected. For that to happen, Trojan.Crypt.VB.U regularly checks the registry and performs the necessary operations to hide the extensions of known file types (the file thus appears to be a mere archive, since only the .zip extension is visible to the user), should the user change this setting in the meantime.

On the system drive, the ransomware saves the following files in a hidden folder called "rootsetup":

- eve.ini: stores the flag used by the two dropped files to synchronise;
- mafw.dat: a copy of the malware, because the original one is deleted;
- setdat.dat: contains configuration details, including the website to be opened when the user is notified about his locked files;
- setupc.exe: one of the two dropped files, responsible for maintaining the system configuration and creating initialisation files for the ransomware;
- setupp.exe: one of the two dropped files, responsible for encrypting files.

Setupp.exe and setupc.exe keep each other running, an approach commonly known as watchdog safeguarding. To stop the ransomware, the two files must be killed simultaneously; otherwise the remaining running process will open the other.

Trojan.Crypt.VB.U creates a hidden file called _galaxy.exe on the system drive (a copy of itself) when it finishes encrypting/locking files. The dropper (which saves all these files) starts setupc.exe and setupp.exe, and the system is instructed to run these two files at startup.