Beware of CryptoWall Ransomware, victims reporting losses totaling over $18 million

FBI Internet Crime Complaint Center (IC3) data shows CryptoWall as the most current and significant ransomware affecting millions of individuals and businesses in the US.

CryptoWall and its variants have been targeting people since April 2014. Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million.

Victims incur ransom fees between $200 and $10,000, plus additional costs including network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers.

The system becomes infected when the victim visits or clicks on an infected advertisement, email, attachment or infected website. The malware then encrypts the victim's files stored on the infected machine. Ransomware schemes demand payment in Bitcoin because it is easy to use, fast, publicly available, decentralized, and provides a sense of heightened security/anonymity.

Victims can file a complaint with their local FBI field office, or may also file a complaint with the IC3 at

Think twice before you open email attachments from unknown senders

Security researchers at Check Point have discovered a new ransomware threat dubbed Troldesh, which is also known as Encoder.858 and Shade.

Troldesh, which was created in Russia, has already affected numerous users across the world. It typically encrypts the user's personal files and extorts money for their decryption.

“Troldesh is based on so-called encryptors that encrypt all of the user’s personal data and extort money to decrypt the files. Troldesh encrypts a user’s files with an “.xtbl” extension. It is spread initially via e-mail spam,” Natalia Kolesova, anti-bot analyst at Check Point, wrote in a blog.

She said that they found a distinctive characteristic in Troldesh besides the typical ransomware features.

The creators of Troldesh communicate directly with the user through an email address, which is used to arrange the payment method.

According to Kolesova, once a malicious email is opened, the threat is activated. It then starts encrypting the user’s files with the extension .xtbl.

Along with the file contents, the file names are also encrypted. Once the encryption process is done, the affected user is shown a ransom message and redirected to a ‘readme’ text for further information.

To stay safe, users are advised not to open anything suspicious sent by unknown senders.

“Many cases have been reported by the users paying the ransom without having their files decrypted. In order to avoid ransomware, it is important to back up important data previously on an external storage device or in a cloud,” she wrote.

The researcher said that affected users have to download a powerful anti-malware tool to scan the system and remove the ransomware.

The researcher said she contacted the hackers via email and asked for a discount.

“I was very interested to learn more about the ransom and tried to start a correspondence with the attackers. As required, I sent the specified code to the e-mail address provided, one that is registered on the most famous Russian domain,” the researcher wrote.

The crooks had demanded 250 euros to decrypt all of the files.

However, after the researcher asked to reduce the amount, the criminals agreed to lower the ransom to €118 / $131, payable via QIWI money transfer system.

Simplocker: First Android Ransomware that Encrypts Files on Your Device

Ransomware is a type of malware that locks you out of your computer until you pay a ransom. In some cases, it causes more serious damage by encrypting the files on your system's hard drive.

Last year, Symantec discovered Android malware with hybrid characteristics of fake AV and ransomware. Last month, Bitdefender identified an Android version of ransomware that was being sold on the underground market. That malware bluffed victims into paying a ransom but didn't actually encrypt the files.

Until now, there had been no reports of Android malware that encrypts files.

Security researchers at ESET say they have spotted the first variant of ransomware that encrypts files on your Android device.

The malware, dubbed Simplocker, shows a ransom message written in Russian which informs victims that their device has been locked for viewing and distributing child pornography.

It scans the SD card for certain file types such as images, documents or videos, encrypts them using the Advanced Encryption Standard (AES), and demands money in order to decrypt them.

It also gathers information about the infected device and sends it to a command and control server. The server is located on a Tor ".onion" domain for anonymity.

Don't Pay:
"We strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them," researchers at ESET say.

Hackers lock iPhones remotely and demand $100 to unlock them

In recent hours, a number of users from Australia have had a nightmare as cyber criminals locked their devices and demanded payment of a ransom.

The locked devices show the message "Device Hacked by Oleg Pliss" and instruct victims to send $100 to unlock their devices.

The cyber attack came to light after one user from Melbourne shared his experience on the Apple support forum and asked for help to fix the problem. Following his post, several users reported being affected by this attack.

It appears the hackers used stolen Apple IDs and passwords to access iCloud accounts, which allowed them to lock victims' devices and display a message.

What should you do? Don't pay the ransom!
Affected users are advised to contact Apple directly to regain access to their account.

Once you have access to your account, change the password immediately and enable the two-step authentication feature for your account.

Power Locker - Cybercriminals attempt to sell new ransomware called Prison Locker

The MalwareMustDie (MMD) team came across an advertisement on an underground forum where an individual is trying to sell his new ransomware, called Power Locker, also known as Prison Locker.

The cybercriminal, who goes by the online moniker "gyx", coded the malware in C/C++ and is advertising the ransomware on various underground forums.

The ransomware in question is said to have many features, such as "detecting the debugger and virtual machines in order to avoid being analyzed by security researchers" and "displaying a warning window in a new desktop".

At the start, "gyx" asked others to help him code the GUI part of the malware and promised to pay them. A member of the MalwareMustDie team disguised himself as a malware coder and had an IRC chat with him. He also managed to get the source code of the malware. You can find the full conversation here.

The MMD team has doxed gyx and collected some interesting information about the identity of the malware author. The dox leads to a person who claims to be a security researcher blogging about security (""). They also identified his Twitter account (@wenhsl).

The fun fact is that he was also trying to communicate with MalwareMustDie from his Twitter account.

New CryptoLocker ransomware capable of spreading via pen drive

CryptoLocker ransomware has, to date, generally spread via various online methods such as fake emails containing the malware, drive-by downloads, or via other malware already present on the machine. So far, the malware has been successful in infecting many users.

It appears the cyber criminals behind the CryptoLocker malware are not satisfied with the infection ratio, so they have added new features in their new version.

A new variant of CryptoLocker detected by Trend Labs comes with new features to spread from victims' machines. This variant has the ability to spread via removable drives.

"This update is considered significant because this routine was unheard of in other CRILOCK variants. The addition of propagation routines means that the malware can easily spread, unlike other known CRILOCK variants." Researchers say.

Unlike previous variants, the malware is now uploaded to peer-to-peer (P2P) file-sharing sites, pretending to be a cracker (activator) for various software such as Adobe Photoshop and Microsoft Office. This helps the attackers infect systems easily without spending time sending spam mails.

However, the malware does not use a domain generation algorithm (DGA), a feature that enables malware to evade detection (for example, domain blocklists) by contacting a large number of random-looking domain names.

"This could mean that the malware is still in the process of being refined and improved upon. Thus, we can expect latter variants to have the DGA capability." Researchers said.
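Because the next variants are expected to add DGA support, it is worth knowing how such traffic looks from the defender's side. The following added example (mine, not code from the article or from Trend Micro) scores the registrable label of each queried name in a DNS query log with two cheap heuristics analysts commonly apply to DGA traffic: character entropy and vowel share. The log lines, hostnames and thresholds are constructed for the demonstration.

```python
"""Flag likely DGA (domain generation algorithm) lookups in DNS query logs.

Added example, not code from the article or from Trend Micro. Thresholds,
sample log lines and hostnames are constructed here.
"""
import math
import re
from collections import Counter

# Constructed sample in a BIND-style query-log format (hypothetical hosts).
SAMPLE_DNS_LOG = """\
client 10.0.0.12#51234: query: www.example.com IN A
client 10.0.0.12#51235: query: mail.google.com IN A
client 10.0.0.44#40001: query: xk3j9qz8vw2m.com IN A
client 10.0.0.44#40002: query: pqzvxkjhtrmwn.net IN A
client 10.0.0.44#40003: query: yd8h3kq2lmfz7v.org IN A
client 10.0.0.12#51236: query: cdn.wikipedia.org IN A
"""

QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN ")
ENTROPY_THRESHOLD = 3.2   # bits per character; constructed threshold
VOWEL_FLOOR = 0.20        # labels with fewer vowels than this look machine-made
MIN_LABEL_LEN = 10        # short labels are too noisy to score


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label left of the TLD (naive: treats the last label as the public suffix)."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def vowel_ratio(label):
    """Share of alphabetic characters that are vowels."""
    letters = [ch for ch in label.lower() if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in "aeiou" for ch in letters) / len(letters)


def is_dga_like(label):
    """Heuristic: a long label that is high-entropy or vowel-starved."""
    if len(label) < MIN_LABEL_LEN:
        return False
    return shannon_entropy(label) >= ENTROPY_THRESHOLD or vowel_ratio(label) < VOWEL_FLOOR


def find_dga_candidates(log_text):
    """Sorted list of queried names whose registrable label looks generated."""
    hits = set()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        if is_dga_like(registrable_label(qname)):
            hits.add(qname)
    return sorted(hits)


if __name__ == "__main__":
    for name in find_dga_candidates(SAMPLE_DNS_LOG):
        print("possible DGA lookup:", name)
```

On the constructed log this flags the three random-looking names and leaves the ordinary ones alone. Heuristics like these produce false positives on CDN and cloud hostnames, so in practice the output is a triage list to correlate with the querying hosts, not a block list.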

Antivirus that will alert about Criminal and Illegal content for $500

Isn't the title interesting?! There is no such antivirus that will alert about criminal and illegal content. It is being advertised in recently discovered ransomware.

Ransomware usually locks the victim's system or browser and displays a warning message pretending to be from the FBI or another authority. It informs victims that their system is locked because of their illegal activities and asks them to pay money to unlock it.

A new ransomware spotted by the Malwarebytes team interestingly informs the victims that "Your criminal records have been deleted".

The malware also suggests that victims buy an antivirus for $500 from them in order to unlock the system and avoid other legal consequences.

Those who fall for this scam end up paying around $1200. As I said earlier, no such antivirus exists. After paying the ransom, you will just receive a message "your browser will be unlocked within 12 hours" and nothing else.

CryptoLocker ransomware reduces the price for decrypting files

As the Bitcoin value continues its climb (now more than $800), the criminals behind the CryptoLocker ransomware have also come up with the idea of reducing the price for decrypting files to 0.5 Bitcoins.

Initially, the ransomware asked victims to pay 2 Bitcoins as ransom in order to decrypt their files.

Victims who fail to pay the ransom within the given time are asked to use the criminals' decryption service if they want to get their encrypted files back. However, they then need to pay more than before.

The new variant of CryptoLocker ransomware spotted by F-Secure security team on November 20 is asking users to pay 0.5 Bitcoins instead.

Cybercriminals capture images of people watching porn to trick them into paying ransom

Image Credits: WAToday - Illustration: Matt Golding.
A new ransomware that poses as the Australian Federal Police attempts to turn on the webcams of people watching porn and captures images of them.

Once the image of the user is captured, the malware locks the desktop and shows a warning message saying that "they have breached federal laws relating to child pornography, copyright or privacy".

The warning message includes the image of the victim. This will certainly horrify the victims.

According to the WAToday report, the victims are then told to pay a ransom of $100 to $199 within 72 hours. The malware claims that if they fail to, the data on their disk will be wiped.

"We've taken some very interesting calls; some people are very open, while others swear they have been hacked while using Facebook," WAToday quoted the AFP as saying.

New ransomware Shadowlock demands victims fill out a survey to unlock the infected system

Ransomware is malware designed to trick victims into believing their computer is locked for illegal activities and demands money to unlock it.

However, the new ransomware variant spotted by Symantec researchers demands that victims complete a survey in order to unlock their system instead of demanding money.

Once the system is infected, it displays a popup box in which victims are asked to enter an unlock code, which they receive when they complete the survey offered by the malware.

Shadowlock ransomware popup - Image Credits: Symantec

You can't close the pop-up box and you are not allowed to close the trojan with Task Manager, CMD, RegEdit or MSConfig; you are also denied access to the Restore Point facility.

According to Symantec's malware report, the threat is capable of closing popular browsers, disabling certain system tools and disabling the Windows firewall.

This new variant has a good chance of success in making money for the cybercriminals, because victims will be more willing to complete a survey than to pay money.

Reveton ransomware upgraded, now it speaks to victims

Did you ever think a virus could speak to you? It seems this ransomware does. The Reveton ransomware, which prevents victims from using their computers and displays a rogue message, has been upgraded: now it speaks to victims, according to TrendMicro.

Ransomware, also referred to as cryptotrojans, is a kind of malware that restricts access to the computer system it infects. Usually it displays a fake full-screen message (victims can't close it or access anything else), purporting to come from law enforcement agencies in various countries, and instructs victims to pay a fine for allegedly accessing or storing illegal content on their computers.

Interestingly, the latest variant also plays an audio message urging users to pay the ransom.

"The user won’t need a translator to understand what the malware is saying – it speaks the language of the country where the victim is located," the researcher says.

Unlike previous variants, this variant also connects to a specific URL to send and receive information from a remote user, and downloads an encrypted .dll and a WAVE file.

New ransomware uses the Anonymous name: "Your computer has been hacked by the Anonymous"

Nowadays, the number of ransomware attacks is increasing. Usually, the ransomware claims that the victim has violated the law and names law enforcement (such as the CIA or FBI) to scare victims. Then, it asks the user to pay a ransom for unlocking their computer.

Interestingly, a new ransomware has been discovered by the Swiss security blog that names the Anonymous hackers instead of law enforcement.

In a tweet, the researcher posted about the ransomware: "#Ransomware: "Your computer has been hacked by the Anonymous Hackers Group and locked for the moment.""

The new ransomware displays the following message instead:

We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.

Tango down!

Your computer has been hacked by the Anonymous Hackers Group and locked for the moment. All files have been encrypted. You need to pay a ransom of £100 within 24 hours to restore the computer back to normal. If the ransom is not paid on time all the contents of your computer will be deleted and all your personal information such as your name, address, D.O.B., etc. will be published online, after this has been done the process, ram and motherboard will be fried. Any attempts to remove this virus will result in the consequences mentioned.

To unlock the computer, the ransomware asks the user to pay the money through Ukash. "When you pay the ransom your pc will get unlocked in 1 to 3 hours," the ransomware statement reads.

The strong reasons why it was not created by Anonymous:
  •  Anonymous never harms individual users (I believe); Anonymous are activists who hack governments, not innocent users
  •  Anonymous calls itself just "Anonymous", not "Anonymous Hackers Group."
  •  Anonymous was never concerned about money.
  •  "Tango down" is the phrase used for DDoS attacks, not for malware attacks.

1,100 UK computers infected by Police Ransomware

Cyber criminals have managed to infect more than 1,100 computers with ransomware to extort money from unsuspecting members of the public by impersonating the Met’s Police Central e-Crime Unit (PCeU).

According to the press release, police have received 1,100 reports from the public of the malware affecting their computers. 36 people in the UK have paid money, each losing £100.

The ransomware infects PCs after people access infected websites, and causes the PCs to freeze and lock, with a message purporting to be from the e-Crime Unit advising the user they are required to pay a fine to unlock the computer.

"This is a fraud and users are advised NOT to pay out any monies or hand out any bank details," police representatives said. "This scam is now affecting many countries in Europe and further afield, with each email tailored to include the branding of that country's law enforcement agency. Europol are coordinating with Europe's law enforcement agencies on this matter."

Users are advised to install Internet security software. You can also use the Comodo IceDragon browser, which blocks malicious domains.

IC3 warns about 'Reveton' Ransomware attack

The Internet Crime Complaint Center (IC3) warns about a new Citadel malware platform that is used to deliver ransomware named Reveton.

The malware lures the victim to a drive-by download website, at which point the ransomware is installed on the user's computer. Once installed, the computer freezes and a screen is displayed warning the user that they have violated United States federal law.

As usual, the malware threatens users by claiming the user's IP address was identified by the Computer Crime & Intellectual Property Section as visiting child pornography and other illegal content.

To unlock their computer, the user is instructed to pay a $100 fine to the US Department of Justice using prepaid money card services. The geographic location of the user's IP address determines which payment services are offered.

In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud.

This is an attempt to extort money, with the additional possibility of the victim’s computer being used to participate in online bank fraud. If you have received this or something similar, do not follow the payment instructions.

Earlier this month, Trusteer researchers discovered the same piece of malware and reported it.

ZeuS 2.x comes with Ransomware Feature

The recent popularity of ransomware has resulted in an unexpected malware combination. F-Secure researchers have recently spotted a new Zeus 2.x variant that includes a ransomware feature.

When this particular variant is executed, it opens Internet Explorer with a specific page ( and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it's currently unavailable because the site is offline.

The most straightforward way to unlock the system is to simply delete the trojan. This can be a bit tricky since the trojan prevents doing anything with the infected system; luckily, the locking itself can easily be disabled first.

After disassembling the malware, the researcher found that the unlock information is stored in the registry. So it is possible to unlock the system without paying the ransom.

Part of the disassembled code

Unlocking can be performed quite easily with a registry editor:

1. boot the system in safe mode
2. add a new key named syscheck under HKEY_CURRENT_USER
3. create a new DWORD value under the syscheck key
4. set the name of the new DWORD value to Checked
5. set the data for the Checked value to 1
6. reboot

Ransomware encrypts users' files and demands 50-euro ransom

Malware that encrypts user files and demands money, known as ransomware, is nothing new. Recently, BitDefender security researchers came across one such ransomware. As usual, the malware encrypts the user's files and demands 50 euros in exchange for unlocking them.

Once the malware infects the victim, it encrypts all files with extensions pertaining to movies, music, photos, shortcuts, PDF, text and HTML files, appending .EnCiPhErEd to the valid file extension. It also changes the default icons of all files with modified extensions to a common pink icon.

In each folder it finds on the infected system, the scareware adds a file named "HOW TO DECRYPT FILES.txt" containing the following warning message:

“Attention! All your files are encrypted!

You are using unlicensed programms!

To restore your files and access them,

send code Ukash or Paysafecard nominal value of EUR 50 to the e-mail

During the day you receive the answer with the code.

You have 5 attempts to enter the code. If you exceed this date all data is irretrievably spoiled. Be careful when you enter the code!”

Bitdefender security solutions detect the malware as Trojan.Ransom.HM.

Recently, a TrendMicro researcher came across a ransomware that works differently from the usual ransomware: it modifies the MBR instead (read the full article here).

Security Tips:
To stay secure, users are advised to pay great attention to the files they choose to download from their favorite peer-to-peer network.
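The doubled extension and the per-folder note described above are the two artifacts an incident responder would inventory before restoring from backup. The following is an added example of that triage step, written for this article and not code from Bitdefender: it walks a directory tree, lists every file carrying the .EnCiPhErEd suffix, records which original extensions were hit, and notes the folders that received "HOW TO DECRYPT FILES.txt". The sample tree is constructed in a temporary directory so the script runs offline.

```python
"""Triage helper: inventory files renamed by the .EnCiPhErEd ransomware and its notes.

Added example, not code from the article or from Bitdefender. The sample
directory layout and file contents are constructed below.
"""
import os
import tempfile

ENCRYPTED_SUFFIX = ".EnCiPhErEd"
RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"


def find_ransom_artifacts(root):
    """Summarise encrypted files, note folders and the original extensions hit."""
    encrypted, note_dirs, orig_exts = [], [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                note_dirs.append(dirpath)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                # Strip the appended suffix to recover the original extension,
                # which tells the responder what to restore from backup.
                original = name[: -len(ENCRYPTED_SUFFIX)]
                ext = os.path.splitext(original)[1].lower() or "<none>"
                orig_exts[ext] = orig_exts.get(ext, 0) + 1
    return {
        "encrypted_files": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "original_extensions": orig_exts,
    }


def build_sample_tree():
    """Create a constructed victim-like tree in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="encipher_demo_")
    layout = {
        "docs": ["report.pdf.EnCiPhErEd", "notes.txt.EnCiPhErEd", RANSOM_NOTE],
        "photos": ["holiday.jpg.EnCiPhErEd", RANSOM_NOTE],
        "bin": ["tool.exe", "readme.md"],   # untouched: not a targeted type
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            with open(os.path.join(root, sub, n), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    summary = find_ransom_artifacts(build_sample_tree())
    print(f"{len(summary['encrypted_files'])} encrypted files, "
          f"{len(summary['note_dirs'])} folders with ransom notes")
    print("original extensions hit:", summary["original_extensions"])
```

Run against the constructed tree it reports three encrypted files in two folders and the .pdf, .txt and .jpg extensions as the ones to restore. Pointing it at a real volume gives the scope of the damage without touching the encrypted files themselves.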

New Ransomware compromises Master Boot Record (MBR)

A new ransomware compromises the Master Boot Record (MBR) and demands 920 hryvnia ($114) to unlock the system. This is completely different from previous ransomware, which usually encrypts files or restricts user access to the infected system.

After analyzing the malware sample, a TrendMicro researcher found that the malware copies the original MBR and overwrites it with its own malicious code. This prevents the victim's operating system from loading.

Once it modifies the MBR, it automatically restarts the system for the infection to take effect. When the system restarts, the ransomware informs the victim that their system is blocked and demands 920 hryvnia (UAH) via QIWI to a purse number (12 digits): 380682699268.

Once paid, they will receive a code that supposedly unlocks the system, lets the operating system load again and removes the infection. This particular variant carries the “unlock code” in its body. When the unlock code is used, the MBR routine is removed.

Trend Micro detects this ransomware as TROJ_RANSOM.AQB and the infected MBR as BOOT_RANSOM.AQB.
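Because this family overwrites the bootstrap code and not the partition table, comparing the current first sector with a known-good copy is a quick way to confirm the tampering and to tell that the partitions are still intact before restoring the MBR. The following added example (mine, not code from the article or from Trend Micro) parses a 512-byte MBR image using the standard layout (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature) and reports what differs from a backup. Both images are constructed in memory; on a real system the current sector would be read from the disk and the clean copy from a backup taken before the infection.

```python
"""Parse a 512-byte MBR image and compare its boot code with a known-good copy.

Added example, not code from the article or from Trend Micro. The two MBR
images are constructed below; the partition entry and loader bytes are
made up for the demonstration.
"""
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
SIGNATURE_OFF = 510
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(data):
    """Return bootstrap code, the four partition entries and signature validity."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(data)}")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", data, off)
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code": data[:BOOT_CODE_LEN],
        "partitions": entries,
        "signature_ok": data[SIGNATURE_OFF:] == BOOT_SIGNATURE,
    }


def check_mbr_against_backup(current, backup):
    """Classify the difference: boot code changed, partition table changed, or neither."""
    cur, ref = parse_mbr(current), parse_mbr(backup)
    return {
        "signature_ok": cur["signature_ok"],
        "boot_code_changed": cur["boot_code"] != ref["boot_code"],
        "partition_table_changed": cur["partitions"] != ref["partitions"],
    }


def make_sample_mbr(boot_code):
    """Build a constructed MBR: the given boot code plus one bootable NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # status 0x80 (bootable), CHS fields zeroed, type 0x07 (NTFS), LBA 2048, 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return code + table + BOOT_SIGNATURE


# Constructed images: a clean loader and a copy whose boot area was replaced
# while the partition table was left alone, as the article describes.
CLEAN_MBR = make_sample_mbr(b"\xEB\x3C\x90CLEAN-LOADER")
TAMPERED_MBR = make_sample_mbr(b"\xEB\x3C\x90LOCKER-STUB")


if __name__ == "__main__":
    print(check_mbr_against_backup(TAMPERED_MBR, CLEAN_MBR))
```

For the tampered image the check reports a valid signature, changed boot code and an unchanged partition table, which is exactly the profile of a loader-only infection; a changed partition table would instead point at a different class of damage. On Linux the live sector can be captured with `dd if=/dev/sda bs=512 count=1` (replace the device as appropriate) and fed to `parse_mbr` as bytes.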

Europeans targeted with new Ransomware

In the last couple of years, malware that holds an infected machine hostage and demands money to release it has become a frequently encountered threat. This threat type is called 'ransomware'.

Usually, the ransomware impersonates law enforcement agencies and accuses the user of committing a network crime.

In a recent attack, an infected user is accused of illegally downloading music. Ransomware authors attempt to add an air of legitimacy to their creation by using the HTML style sheets and image content of the actual organization GEMA (the German music copyright organization).

Website compromised to serve Ransomware, money-stealing malware

If you read EHN's malware reports daily, then you may be aware of the money-stealing malware called ransomware. It seems that ransomware authors are interested in French cake and pastry lovers.

The website of a well-known confectionery company based in France has been compromised in order to infect visitors' systems.

TrendMicro's security solution detects the ransomware as TROJ_RANSOM.BOV. This time, the ransomware impersonates the National Gendarmerie (French: Gendarmerie nationale), commonly known as the French police force. (In the past, ransomware has impersonated the Italian and UK police.)

As usual, it asks victims to pay a fine of 200 euros (the amount has increased from 100 euros?!).

"We noticed that the domain name of the URL used to host the exploit kit has been suspended. Based on the logs, it was created on February 9, 2012 and last updated on February 14. The domain’s registrant shows a .ru email address which might help in identifying a possible suspect, but this might just be a compromised email account." Trend Micro researchers said.

Ransomware (money-stealing malware) now impersonates the Italian police

A few days back, we reported about a computer virus that impersonates the UK's e-crime unit in an effort to steal money (£100) from unsuspecting users. Now the malware has changed its target from UK users to Italians.

A new ransomware circulating among Italian users poses as an official statement from the Italian police, warns the Total Defense Research Team.

This malware uses exactly the same method to threaten victims: it displays an official-looking message with the victim's IP address. The fake message says illegal activity related to child pornography was detected. Additionally, it states that the computer is also spreading illegal spam with terrorist intent.

Interestingly, the fake message asks the user to pay the same amount (£100) to unlock the system. Different payment methods are shown to the user, such as “paysafecard”, “ukash”, and “sisal”.

According to the researchers' investigation, the ransomware disables the Task Manager and modifies the registry of the Windows operating system.

The malware adds the following value to the registry:
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" value="vasja"
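Two items on this page come down to a handful of registry entries: the six-step Zeus 2.x unlock from F-Secure (a syscheck key under HKEY_CURRENT_USER with a DWORD value Checked = 1) and the "vasja" Run-key value that marks the Ransom.ZAAC infection above. The following added example, written for this page and not code from F-Secure or Total Defense, is a minimal .reg writer and reader that serves both: it renders the unlock steps as a .reg file that can be imported after booting into safe mode, and it parses an exported Run key to flag the value named in the write-up. The Run-key export and the file path in it are constructed; only the value name comes from the article.

```python
"""Minimal .reg writer and reader for the two registry items discussed on this page.

Added example, not code from the article, F-Secure or Total Defense.
The sample Run-key export below is constructed; the "vasja" value name is
the indicator from the Ransom.ZAAC write-up, the path is made up.
"""
import re


def render_reg(key, dword_values):
    """Render a 'Windows Registry Editor Version 5.00' file setting DWORD values under key."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    for name, value in dword_values.items():
        lines.append(f'"{name}"=dword:{value:08x}')
    return "\r\n".join(lines) + "\r\n"       # .reg files use CRLF line endings


def zeus_unlock_reg():
    """Steps 2-5 of the F-Secure unlock procedure as a .reg file (step 1 is safe mode, step 6 reboot)."""
    return render_reg(r"HKEY_CURRENT_USER\syscheck", {"Checked": 1})


_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text):
    """Return {key: {value_name: raw_data}} from .reg text (named values only)."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group("name")] = m.group("data")
    return result


RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPICIOUS_RUN_VALUES = {"vasja"}   # value name from the Ransom.ZAAC write-up


def find_suspicious_run_entries(reg_text):
    """(value name, data) pairs under the HKCU Run key whose name is on the indicator list."""
    values = parse_reg(reg_text).get(RUN_KEY, {})
    return sorted((n, d) for n, d in values.items() if n.lower() in SUSPICIOUS_RUN_VALUES)


# Constructed export of a Run key, in the form `reg export` produces.
SAMPLE_RUN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"vasja"="C:\\Users\\user\\AppData\\Local\\Temp\\vasja.exe"
"""


if __name__ == "__main__":
    print(zeus_unlock_reg())
    print(find_suspicious_run_entries(SAMPLE_RUN_EXPORT))
```

The unlock file is applied from safe mode with `reg import unlock.reg` (or by double-clicking it in Explorer), which covers steps 2 to 5 in one action; the Run-key check takes the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and returns the matching entries, so the indicator list can be extended as new value names are published.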

Total Defense security products detect the malware as “Ransom.ZAAC”.

The same malware attack targeted German, Swiss, Spanish and Dutch users in the past.