Authors of GandCrab Ransomware Terminating their Operations after Making $2 Billion in Ransom Payments



The operators of Gandcrab ransomware are continuously maintaining and developing the ransomware and have released five different variants with no major difference between any two versions and the ransomware is known to be extra secured as it uses the “.bit” top-level domain which is not sanctioned by ICANN.

Gandcrab was distributed via various vectors that include exploit kits, spam mail, affiliated malware campaign and other social engineering methods. Along with plenty of malicious spam emails, attackers resort to ‘GrandSoft’ and ‘RIG’, two of the most popular exploit kits in order to distribute GandCrab. These spam emails are configured to befool users and make them download a script which further will download the ransomware and execute it.

Researchers have found that Gandcrab authors have made over $2billion from ransom payments, averaging around 2.5 million dollars per week. As per the observations made by David Montenegro and Damian, the owners of the ransomware told that they are to put their operations to an end now, after earning huge chunks of money (more than 150 million dollars a year) and cashing it out through legitimate sources.

The operators have discontinued the promotions of the ransomware and asked the concerned affiliates to terminate the distribution of the ransomware within the next 20 days. They have also asked the victims to pay the ransom; otherwise, the key will be deleted. However, it’s still a matter of question that whether the keys will be released after the authors shut down their operations.

Although, ransomware has been a constant threat in the field of cybersecurity for a long time but now it’s even deadlier due to the efforts invested by the threat actors in its development. Users are advised to stay equipped with products like ‘Acronis True Image 2019’ in order to stay protected against such ransomware attacks.




My SQL Servers on Windows Attacked by Hackers to Distribute GrandCrab Ransomware



One of the most widespread Ransomware, GrandCrab, which keeps on making headlines every now and then us being circulated via multiple kinds of attacks like exploit kit, compromised  websites, social media campaigns, and weaponized office documents. 

A new variant of GrandCrab Ransomware which is configured to attack Internet-facing MySQL servers on Windows has been detected by the researchers; the ransomware is also reported to hold around 40% share of the ransomware market. 

How does it attack?

The malicious operation begins with the injection of a corrupted DLL file into the database server with the help of SQL database commands.
As the attack proceeds, DLL is invoked in order to get hold of the ransomware payload which is hosted on the malicious server. 
Attacker secures a reliable connection with the database server and then advances to upload the corrupted helper DLL by employing set command; it is carried out in the form of hexadecimal characters. 
“Later they issued a command to concatenate binaries to a single file and them into the server’s plug-in directory. Also, they used several commands used to swap forward slash and backslash characters that seemed designed to make an end-run around security features,” researchers observed. 

Referencing from the study conducted by the Sophos researchers, "an intriguing attack this week from a machine based in the United States. We monitored both the behavior and network traffic generated by this honeypot and were surprised to see the honeypot (which runs under Linux) download a Windows executable.”

“What makes this interesting is that the IP address of this machine hosting the GrandCrab sample geolocates to Arizona, in the desert southwest region of the United States, and the user interface of the HFS installation on this machine is in simplified Chinese.”

Decoding the threat, they said, “it does pose a serious risk to MySQL server admins who have poked a hole through the firewall for port 3306 on their database server to be reachable by the outside world,”



NSA tool used for hacking in Baltimore ransomware attack






According to the reports of New York Times, An important component of the malware to disrupt U.S cities, paralyzing local governments and residents was developed by the National Security Agency (NSA).

Reportedly, NSA lost the control of the tool in 2017, it was called Eternal Blue.

Eternal Blue has been used around the world including countries like Russia,China,North Korea and it has affected huge numbers of ATMs, hospitals, Airports, shipping operators around the globe.

Recently there was high-profile ransomware attack on Baltimore in which computers were hacked and health alerts, water bills, real estate sales and other public services are disrupted. 

On May 7th, city’s workers computers screens were locked and were displayed a message of ransom demanding $100,000 to free city’s files. 

In the similar manner various U.S cities have been attacked. 

The NSA and FBI declined to comment to the Times, but according to the reports the theft of the EternalBlue was carried out by group, which calls itself the Shadow Brokers.


The group is either made up of disgruntled federal employees or foreign spies.

Ransomware tool causing chaos in Baltimore was developed by NSA



A recent spate of ransomware attacks in Baltimore and other U.S. cities has been executed using a tool developed by the National Security Agency (NSA). Thousands of people in Baltimore have been locked out of their computers in the past three weeks, causing disruption across the city. And this has been enabled by a piece of software created by the NSA, according to a report in the New York Times.
The EternalBlue exploit takes advantage of a vulnerability in Microsoft Windows machines to infiltrate target computers. The software was stolen from the NSA and leaked by hackers in 2017, and since then has been used in a wide variety of cybercrinimal schemes. 2017’s WannaCry attack used the software, as did Russia’s NotPetya attack on Ukraine last year.
Now the same software is being used against U.S. citizens, causing particular problems for local governments with machines which have been disrupted. Many local governments do not regularly update their computers, leaving them vulnerable to exploits. In Baltimore, hospitals, airports, ATMs, shipping operators, and vaccine-producing factories have all been effected in the last few weeks.
The software locks the target computer’s screen, then shows a message demanding a payment of around $100,000 in Bitcoin for the target to regain access to their files. “We’ve watching you for days,” the message says, according to The Baltimore Sun. “We won’t talk more, all we know is MONEY! Hurry up!”
The NSA has never acknowledged the theft of the software or its responsibility for the cyberattacks conducted using it.
“The government has refused to take responsibility, or even to answer the most basic questions,” Thomas Rid, a cybersecurity expert at Johns Hopkins University, said to the Times. “Congressional oversight appears to be failing. The American people deserve an answer.”
EternalBlue may have been developed with good intentions to protect national security, but this event shows the problems with law enforcement or intelligence agencies having tools which allow them access to computers and phones. When such a tool is leaked, it can no longer be controlled.


GetCrypt Ransomware: Modus Operandi and Solutions




A new ransomware is in the dark market which encrypts all the files on the device and redirects victims to the RIG exploit kit. It’s being installed via “Malvertising” campaigns.


Securoty researchers found it while it was being installed by way of a RIG exploit kit in the “Popcash malvertising" campaigns.

First the victim is redirected to a page hosting the exploit kit, and then the malicious scripts on it would try to exploit vulnerabilities on the device.

If all goes well it will download and install GetCrypt into Windows.

How GetCrypt Works
Reportedly, when the exploit kit executes the ransomware, GetCrypt checks if the Windows language is set to Russian, Ukranian, Kazakh or Belarusian.

If so the ransomware immediately terminates and no encryption happens. If not, the ransomware examines the CPUID of the computer.

The Id is used to create a 4 character string which is used as an extension for encrypted files.

The four character extension that was created is appended while the files are encrypted. The files’ names are changed after they are encrypted

Later on the Shadow Volume Copies are cleared by running the vssadmin.exedeleteshadows/all/quiet command.

Then, the ransomware starts to scan the computer for the files to encrypt. No particular files types are targeted, except for files located under the following folders:
·       :\$Recycle.Bin
·       :\ProgramData
·       :\Users\All Users
·       :\Program Files
·       :\Local Settings
·       :\Windows
·       :\Boot
·       :\System Volume Information
·       :\Recovery
·       AppData

According to the sources, GetCrypt makes use of the Salsa20 and RSA-4096 algorithms for encryptions.

GetCrypt also creates a ransom note in each folder while it encrypts the files, named #decrypt my files#.txt

The aforementioned ransom note commands the victim to contact getcrypt@cook.li for payment instructions.

GetCrypt would also change the victim’s desktop background to an image with the ransom note written all over it which is stored at %LocalAppData%\Tempdesk.bmp

In addition to all the other things GetCrypt does, it will also try to encrypt files on network shares. When encrypting, it would also attempt to brute force the network account credentials.

It would use an embedded list of usernames and passwords to connect to the network shares using the WNetEnumResourceW function.

It could also try to brute force the credentials and mount them using the WNetAddConnection2W function.

Solution
All you need to get your files decrypted for free is an unencrypted copy of your encrypted file.

Simply download the decrypt_GetCrypt.exe program from the following link and save it on your desktop:
https://www.emsisoft.com/decrypter/getcrypt

Once downloaded, run the decryptor and select an encrypted file you wish to decrypt and its unencrypted version.

Click on the start button. The decyptor will now brute force your decryption key and VOILA! Your files will get decrypted.


Dharma: A Malicious Ransomware In The Skin of an Anti-Virus Software








A family of ransomware has been infecting organizations around the globe and now has a new trick up its sleeve. A file-locking malware is being distributed disguised as anti-virus software.

“Dharma” happens to be the name of the infamous ransomware which has been linked to tens of cyber-crime episodes.

Dharma’s "executive working team" is all about creating and fabricating state-of –the-art attacks that are lucrative to the highest extent.

And by way of the recent stunt they’ve pulled they stand a handsome chance of extorting ransom payments in exchange for decrypting files and locked networks on the Windows system.

Actually, the ransomware poses to be an anti-virus software and hence the users are tricked into downloading and installing it.

The attacks like many others begin with “phishing emails” that claim to be from Microsoft and stating that the victim’s PC is under some risk, threat or is corrupted.

Luring the user into downloading the anti-virus by assessing a download link, if the user goes through with it, two downloads are retrieved.

According to sources, they are Dharma ransomware payload and an old version of anti-virus software from cyber security company ESET.

After the self-extracting archive runs, Dharma starts the file encrypting process. The user is guided to follow the installation instructions for ESET AV remover.

The interface gets displayed on their desktop but still requires user interaction during the installation process all the while distracting the user from the actual con.

The victim would immediately be confronted with a ransom note, once the installation gets done with, demanding crypto-currency in exchange for unlocking the file.

Malware have usually been hidden under skins of actually legitimate applications and software, in the above scenario an official unmodified ESET AV Remover was made use of.

Any other potential application could be exploited and used in this way to fool the not so well cyber-educated and even tech savvy users.

The file-locking malware is relatively new in the market but powerful nonetheless and with the enhanced tendencies of tactic and work being done on it.

Various cyber-cons still try to upgrade old threats and make use of latest techniques to wreak as much havoc as possible.

Ransomware happens to be an especially costly and dynamic threat which could hit in more than one ways.

The only way to not fall prey to such devastating attacks is securing email gateways, embracing better cyber-security manoeuvres, backing up files and constantly patching and updating.


Attackers Exploiting Oracle Weblogic Server Vulnerability to Encrypt User Data



In order to install a new variant of a malware known as "Sodinokibi", con men are taking advantage of the remote code execution vulnerability in Oracle Weblogic Server.

The vulnerability which has been recently discovered on versions
10.3.6.0, 12.1.3.0 of Oracle WebLogic Server, allows people with HTTP access to execute the attack without any verification.
Reportedly, a patch has been issued by the computer sofyware company on April 26.

The foundation of the attacks was laid around April 25 and it was on the next day, i.e., April 26, the hackers secured connections with multiple HTTP servers which were vulnerable, as per the findings of Talos Investigation.

The vulnerability has been exploited by the hackers to download the malware copies from servers administered by con men and to corrupt various legitimate sources and make alterations to repurpose it.

“Cisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136 and the attackers were ultimately successful at encrypting a number of customer systems.”

How does the ransomware infects?

It begins with the HTTP POST request which carries certutil command to execute the infectious files upon downloading.

As soon the malicious process starts, it triggers the vssadmin.exe utility, which on being executed assists Windows in generating some sort of backup, either automatic or manual.

After this, the ransomware attempts to hinder the recovery process by terminating backup mechanism.

Users can reach the security alert posted by Oracle and are advised to fix the forementioned (CVE-2019-2725) vulnerability.  

USA: Leading Servers Of Greenville Were Shutdown Owing It To A Ransomware Attack!



In the state of South Carolina, a city by the name of Greenville was attacked by a ransomware which blacked-out majority its servers.


The source of the ransomware and the infection is being conjectured upon by the help of the city staff and IT professionals.

As a basic ransomware works the organizations affected were asked for money. The IT team is working on getting the operation back online

The only servers that were separate and went unaffected were of the Greenville Utilities Commission and that of the emergency for and police department.

The infection first surfaced on the server of the Greenville Police Department. The IT division was immediately contacted and as result the servers were shutdown.

The shutdown hasn’t affected many of the operations and functions, just that the way things go about needed some adjusting.

Thanks to people not being too dependent on computers not much has been affected in the city except for people willing to do payments would need to do so in cash.

After CIRA’s free parking accident and the shutdown of Norsk Hydro, it’s evident that ransomware is an emerging hazard to cyber-security.


PewDiePie fan releases ransomware to increase the YouTuber’s subscriber count

The existence of malware is hardly a new thing. In the last few years, however, the more malicious trend of ransomware has become more and more common.

PewDiePie, the famous Swedish Youtuber, is no stranger to controversy. This time he is in the news again for the wrong reason after a user, who claims to be his fan, released ransomware with a note that reads ‘Subscribe to PewDiePie’.

This is not the first time PewDiePie's fans have pulled an extreme stunt to keep the Swedish vlogger as the most popular YouTuber.

According to The Independent, the ransomware PewCrypt is designed in such a way that it locks people from accessing their data. The ransomware claims that users will not get back their data until PewDiePie gets 100 million subscribers on YouTube.

Rather than destroying a computer per-say, ransomware generally locks out the user's files via encryption. The only way to get them back is to pay a ‘ranson’ (usually in bitcoin) and even then, it’s hardly a guarantee.

In a report via TheStar, it seems that the latest ransomware trending has bizarre links to the current subscriber battle between Pewdiepie and T-Series. It is unclear how the ransomware is distributed or how many victims it has claimed so far.

“If T-Series beats PewDiePie the private key will be deleted and your files are gone forever!” the report said quoting the threat that appears on the ransomware.

This, in itself, is a questionable target. While the two have been swapping the top spot for about 2 months now, T-Series has taken a pretty strong (but not overwhelming lead).

The developer backtracked on their threat and released a decryption tool but not before posting the open-sourced ransomware on Twitter under the username JustMe – the account is disabled at the moment – potentially allowing others to modify and use PewCrypt freely.

Canadian Internet Registration Authority’s Car Parking System Struck By Ransomware!








Reportedly, CIRA’s car parking system was infected via a ransomware and was hacked into to let people park for free.


Canadian Internet Registration Authority is a gigantic internet domain which has 2.8 million, under its wings with a .ca domain.

The yet anonymous cyber-cons compromised CIRA’s car parking system, aiding people to park without getting their parking passes scanned.

Allegedly, some other company manages the car parking under CIRA.

Initially the cause which was thought to be a power failure or mechanical system crash, turned out to be a ransomware attack.



The database which was used by the car parking system for management was specifically compromised.

That very database also holds tens and tens of employee credit cards which if in wrong hands could wreak serious havoc.

After further analysis it was discovered that the ransomware in question could possibly be “Darma”.

This ransomware goes about infecting computers by way of RDP connections restricting to system that run on RDP (Remote Desktop Protocol) online.

These cyber-cons target the RDP protocol which runs on 3389. After performing a brute force attack they tried to harvest administrative credentials.


Later on an attempt at performing malicious activities on the system as made.

The silver lining happens to be that the stored card details would reclaim all the damage done by the free parking.

According to CIRA’s security survey, 37% of businesses don’t employ anti-malware protections.

CIRA also cited that they have no way whatsoever of knowing what sort of security measures are employed by the car parking in question.


Crypto-jacking: A New Vector of the Cyber-Cons after Ransomware!




Apparently, according to the records of 2018, after getting bored with ransomware attacks, crypto-jacking has become the new tool of cyber-cons for harvesting crypto-currency.



Crypto-jacking by nature is more insidious and stealthy and hence in the past year has emerged as a better way of harvesting crypto-currency.

Initially, the best choice for doing the same was ransomware, but having surpassed it, Crypto-jacking is now cyber-cons’ favorite option.

2018, unlike any other year in the cyber-crime history saw a lot of cyber-attacks, wherein the crypto-jacking attacks constituted to be amongst the most.

The report of IBM strictly mentioned that the crypto-currency attacks hiked by quite a large number.

Whereas, ransomware attacks plummeted by 45% including both mobile and desktop platforms.

The major reason behind this shift of inclination towards crypto-jacking happens to be the less-disruptive and furtive disposition.

After a ransomware is introduced to the victim, the attack weapon goes waste after just one attack, leaving no chances for a recurrence.

Meanwhile, in the case of crypto-jacking, a recurrence is almost ensured, making it possible for more profits from a single weapon.

Somehow, crypto-jacking appears to be the more malicious of the two, which if ignored could lead to serious ramifications.

Reportedly, crypto-jacking could soon transform from currency mining to fabrication its own botnets to function spyware attacks.

Leaving the users with the only advice and option; to use the latest versions of anti-viruses and keep the systems updated.


Ransomware, RDP Logins and Credit Card Details being sold on the Dark Web



Offered at various rates on the dark web markets, there are various hacking tools which can be employed to assist and propel cybercrime, these tools are traded illicitly in the form of Cybercrime as a service.

Empire Market, DreamPoint, Wall Street Market and Berlusconi Market are some of the dark web markets known to have been hosting the hacking tools.

Referring to the findings of Eset, an array of ransomware packages has been put up for sale along with hackers providing updates, technical assistance and permit to C&C servers.

RaaS (ransomware-as-as-service) is a service which lets hackers host their product on the dark web, which further allows individuals to avail the services with their own customization and requirement. 

Besides RaaS, there are RDP logins which are traded on the dark web markets to provide access to RDP servers across the world. Notably, it is priced between the US $8-15 per server on the basis of country and operating system.

The third variant is DDoS attacks, attackers have placed botnets out for sale in order to launch DDoS attacks or to send spam emails and the price for this one depends upon the time duration for which one avails the botnet service.

Though some hackers display the tools which they employed while carrying out malicious activities, the majority of them are hidden behind tools which shield them with anonymity as they continue building up a profitable cybercrime industry which is an amalgamation of marketing, advertising, updations, customer care, and user manual.





A Malware Program That Hobbled Newspapers Nationwide Makes a Comeback


Ryuk Malware has made a rebound once more and this time it focused on the Tribune publishing Newspaper operations. The Malware program, a refined curve on an extortionate exemplary, is believed to have been utilized in an attack that has maimed newspapers across the nation.

The Malware is such that it automatically spreads from one computer to another, enciphering essential documents en route with an unbreakable code. Endeavors to gain access to the enciphered information, and the malware displays a ransom note, to deposit bitcoin into an unidentified wallet and receive a  key to decode the user's entire system , the refusal for which will result in the documents remaining 'locked for good'.

The issue notwithstanding, surfaced near midnight Thursday and spread quickly over the next day, when sports editors at the Union-Tribune attempted to transmit the completed pages to the printing office. Thusly hindering the distribution of the Saturday editions of The Times and Union-Tribune papers in Florida, Chicago and Connecticut, as well as the West Coast editions of the Wall Street Journal along with the New York Times.

Ryuk showed up on the radar of cybersecurity specialists in August, when the security scientists MalwareHunterTeam rumored five unfortunate casualties. An investigation with Check Point Research was published soon thereafter, assessing that it had officially gotten the attackers more than $640,000, and that much of its code coordinated with that of a ransomware program called Hermes, which has been connected with the North Korean hacking group that was behind the famous WannaCry attack.

Ben Herzog, a security specialist with Check Point says that Ryuk is different as it is a relatively  'artisanal' malware, used to target explicit organizations with little resilience for disturbance, such like hospitals and other healing facilities, ports and now obviously, the newspapers.

Despite the fact that their analysis till now has not prevailed with regards to determining if Ryuk had a technique for consequently spreading among a system or not, which Itay Cohen, another security analyst with Check Point, said may specify "prior, manual work that was done by the attackers in order to take these networks as a hostage.”


New Ransomware Strain Hits the Chinese Web; Infects 100K PCs




More than 100,000 Chinese users have had their Windows PCs infected with yet another strain of ransomware that encodes their records and files all the while requesting a 110 yuan (~$16) ransom. The inadequately composed ransomware is known to have been scrambling local documents and taking credentials for various Chinese online services.

As of now there has been no threat made to international users as the ransomware is only determined to focusing on the Chinese web only.

The individual or the group behind the activity are only utilizing Chinese-themed applications to appropriate the ransomware by means of local sites and discussions at the same time asking for ransom payments through the WeChat payment service, just accessible in China and the contiguous areas.


A report from Chinese security firm Huorong, the malware, named 'WeChat Ransom' in a few reports, came into existence on December 1 and the quantity of infected systems has developed to more than 100,000 as of December 4.

Security specialists who analysed the attack said that other than encoding records, the ransomware additionally incorporated an information-stealing component that collected login credentials for a few Chinese online services, like Alipay, Baidu Cloud, NetEase 163, Tencent QQ, and Taobao, Tmall, and Jingdong.

Chinese security organizations examining the malware concur that it is a long way from a complex risk that can be effortlessly defeated. Although it professes to delete the decryption key if the victim neglects to pay the ransom by a specific date, document recuperation is as yet conceivable in light of the fact that the key is hardcoded in the malware.

Specialists from Huorong examining this ransomware string have found a name, a cell phone number, a QQ account, and an email address that could enable police to identify and catch the thief.

This most recent ransomware campaign anyway is additionally not the first occasion when those Chinese-based ransomware creators have utilized WeChat as a ransom payment dealing strategy. The ones who committed this deadly error in the past have been captured by the officials within months.

The Chinese police, in general, have a decent reputation of capturing the hackers within weeks or months after a specific malware crusade stands out as truly newsworthy.


Moscow’s First Cable Car System Hacked a Day after Launch




Moscow's Mayor Sergei Sobyanin in an extravagant ceremony propelled Moscow's first cable car service promising free rides for the first month. In any case, tragically, just 2 days after the service was made accessible, hackers apparently hacked into the cable car system and tainted them with ransomware.

As per the local news outlets, who previously reported the incident and Moscow's Mayor, the main computer for the cable car system was tainted with ransomware and was requesting a payoff installment in bitcoins to unscramble the documents required for the operation of the cable car.

"According to the agency interlocutor, a message was received from an unknown person on the head computer of the Moscow Cable Cars operating company requesting to transfer bitcoins to him in exchange for decrypting all the electronic files of the computer that is responsible for the cable car operation. The amount of the ransom, said in the letter, depends "on the speed of response to the letter." As a result, there was a failure in the cable car."

The attack or rather the infection happened on Wednesday, November 28, at around 14:00, local time.

The attack was severe to the point that it had its effect on even the servers of the Moscow Ropeway (MKD), which apparently halted the majority of its task when it was informed about it.

The office's servers were exposed to a security review on November 29, and the infection was fortunately removed. Cable Car transports continued on the 30th, as per a message posted on the MKD's official website.

As of yet there are no points of interest thought about the kind of ransom ware that tainted the MKD's servers, or even the amount of the Bitcoin ransom demanded.


Former Head of a Country as a Brand of Malware?




It is unusual for sure as it so occurred interestingly in the historical backdrop of Ransomware swarming the home systems of the users that the face of a former Leader of a nation was taken up as the brand of a malware.

Truly, first tweeted by the MalwareHunterTeam, this ransomware has the peculiar title of,

"Barack Obama's Everlasting Blue Blackmail Virus"

This Windows-based malware is distributed through spam and phishing efforts with the aim to initially examine an infected system for processes related with antivirus solutions.Whenever executed, this ransomware is capable of terminating different procedures related with antivirus programming, for example, Kaspersky, McAfee, and Rising Antivirus.

The Obama ransomware then scans for documents ending with .EXE, before encoding them. It’s done as such that the registry keys related with the executable records are likewise influenced which thusly helps for instigating the virus each time an .EXE document is introduced and launched.

The message in the ransomware interface is shown alongside a picture of the previous US President Obama which states that users should contact the attacker at the mail 2200287831@qq.com for payment related directions.

Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.
So you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information.

The Ransomware more often than not encodes content, like documents and media to force victims to pay a blackmail 'expense' to recover their records and files and is distinguished by 45 out of 68 antivirus solutions, as indicated by VirusTotal, a virus scanning service.

Cybersecurity firms however prescribe for the affected users to not surrender in and pay if their system is infected with ransomware and for that they have even begun releasing free decoding keys consistently.




New SamSam Ransomware Variant Requires Password from Hacker Before Execution


Researchers at Malwarebytes have found that a new variant to the SamSam ransomware has been hitting users wherein the attacker has to put in a password before the malware could be executed.

“In its time being active, SamSam has gone through a slight evolution, adding more features and alterations into the mix,” read the blog post by Malwarebytes Labs. “These changes do not necessarily make the ransomware more dangerous, but they are added to make it just a bit more tricky to detect or track as it is constantly changing.”

According to researchers, this variant does not go into effect without the password, even if the malware is already present in the system. This makes for a more “targeted” attack as the attackers can decide which computers to execute the ransomware on.

Aside from targeted attacks, it also means that only those who know the password can access the ransomware code or execute the attack, making it a tricky malware to understand.

“As analysts, without knowing the password, we cannot analyze the ransomware code. But what’s more important to note is that we can’t even execute the ransomware on a victim or test machine. This means that only the author (or someone who has intercepted the author’s password) can run this attack,” the blog post said on the issue.

“This is a major difference from the vast majority of ransomware, or even malware, out there,” the post went on to say. “SamSam is not the type of ransomware that spreads like wildfire. In fact, this ransomware quite literally cannot spread automatically and naturally.”

SamSam has been a part of several massive cyber attacks since early 2018 and has led to severe damages worldwide. This new variant has only made it more elusive, as the code is inaccessible even to security researchers, which might be another reason for the password requirement.

The ransomware has in the past targeted hospitals, state agencies, city councils, and other enterprises, and caused huge losses when it hit the IT network of Atlanta earlier this year.


Author of Sigrun Ransomware helps Russian victims for free, charges other countries

The author of Sigrun ransomware is offering to decrypt computers of victims from Russia and some former USSR countries for free, while asking for payment in Bitcoin or Dash to citizens of other countries.

The ransomware already tries to avoid attacking computers of Russians by checking the keyboard layout of the computer. If it detects a Russian layout, it deletes itself and does not encrypt the computer. However, the ransomware has no provision for those computers who do not use a Russian layout, so some people from former USSR countries who choose not to use that layout can still be affected.

This is a common practice amongst Russian hackers and malware developers, who try to prevent from infecting Russian victims as they are concerned that the authorities will apprehend them, unlike when they are attacking victims from other countries.

This instance was first reported by Twitter user and security researcher Alex Svirid.


Another malware researcher, S!Ri, replied to the tweet with two pictures from ransomware victims of another attack.


Russian victim

U.S. victim

According to the Bleeping Computer, the ransomware author has added the Ukranian layout as well to be avoided during encryption.

"Ukranian users don't use Russian layout because of political reasons. So we decided to help them if they was infected," the author told them via email. "We have already added avoiding Ukrainian layout like was in Sage ransomware before."

They also reportedly said that they are not from former USSR republics, but rather added the condition “because of his Belarus partners”.


StalinLocker: ransomeware deletes data if correct code is not put in time

A new ransomware has been discovered called StalinLocker, or StalinScreamer, that gives victims of the attack 10 minutes to put in the correct unlock code and if they’re not able to do that, erases all the data on the infected device.

The ransomware does not actually demand any ransom, other than the condition given to unlock the victim’s device.

Named after Joseph Stalin, the late leader of the Soviet Union, the malware pays tribute to him by showing a red screen with a picture of Stalin, along with the USSR anthem playing in the background, when StalinLocker takes over the computer and the 10 minute countdown begins.



The ransomware was discovered by MalwareHunterTeam, which on Twitter explained how the malware worked and how to know the code to unlock your locked device.


According to them, the code can be guessed by subtracting the date the malware was run by 30/12/1922, which is the date that represents the foundation of the USSR.


This ransomware, unlike others, seems to purely focus on destroying user data as it does not demand any ransom in Bitcoin or other ways but simply attempts to erase all data if conditions are not met. If the user correctly enters the code, however, the files are unlocked with no problem.

The malware is similar to a previous one that forced victims to PlayerUnknown’s Battlegrounds game for an hour to get their device unlocked, but unlike StalinLocker, it did not threaten the erasure of the victim’s data.

Currently, StalinLocker is in a testing stage but it could turn out to be a major problem for Windows users once it is out for good.


Author of Three Critical Ransomware Families Arrested in Poland




A well-known cyber-criminal believed to be the author of the Polski, Vortex, and Flotera ransomware strains, Tomasz T. was arrested in Poland on Wednesday, but the announcement was made by the Polish Law Enforcement on Friday.

They had been tracking him for quite some time and were ready this time to go ahead with the arrest.
Tomasz T. a.k.a. Thomas or Armaged0n - a Polish citizen who lives permanently in Belgium is responsible for conducting cybercrime such as DDOS attacks, sending malicious software to compromise several computers and using ransomware to encrypt the files.

While working through Europol, the Polish police had alerted their Belgium counterparts, who thusly searched his house and seized the computer equipment, laptop and remote servers also including encryption keys.

 “Apparently, the suspect has been active since 2013, when he first started targeting users via a banking trojan that would replace bank account numbers in users' clipboards with one of his own, so to receive undeserved bank transfers.”
-          according to the Prosecutors.

He was able to spread this ransomware through the means of email by pretending to impersonate official correspondence from well-known companies such as DHL, Zara, Cinema City, PAY U, WizzAir and many more. While utilizing the Online portal, Tomasz operated under the epithet "Armaged0n," which he used on the infamous Hack Forums cybercrime portal too.

The Polish tech news site Zaufana Trzecia Strona (ZTS) was the first to draw the lines between the three ransomware strains to the Armaged0n persona and later tracked down an extensive email spear-phishing operation.

Armaged0n Hack forum profile

The police suspects that Tomasz infected thousands of users with ransomware and made over $145,000 from his criminal undertakings. ZTS, CERT Poland, security analysts, police, and the impersonated companies all worked together to track him down.

Polish Cybercriminal has been accused with various complaints such as accepting and transferring funds from crimes, infecting computer systems with malware such as the Polish Ransomware, Vortex or Floter and for influencing automatic data processing for financial benefits. All these ransomware’s Decryption keys have likewise been collected from his system.

The suspect, questioned by the prosecutor, conceded to the 181 different crimes that he was charged with.

Nonetheless, after performing the procedural steps, the prosecutor filed a motion to apply to him a temporary detention for a period of three months.