State of Texas Hit By a Ransomware Attack; 23 Agencies Shut Down!





The state of Texas got hit recently by a cyber-attack as a result of which 23 government agencies were taken down offline.

Per the DIR (Department of Information Resources) of Texas most of the aggrieved parties were small local government agencies which are unnamed so far.

The Texas state networks however are still unharmed. The State Operations center of the state has been rigorously working towards the problem.

Sources mention that all the state and federal agencies handling the case hint at the fact that the attack was coordinated by a single actor.

The attack has been categorized as a sure shot ransomware attack. Per sources in it was a stain which was identified as “Nemucod”.

The aforemetioned ransomware generally “encrypts files and then at the end adds the .JSE extension”, a researcher mentioned.

Allegedly, the US have been the target for a lot of cyber-attacks of late. With an apparent total of 53% of the entire global number, the US have been victimized the most by cyber-attacks.

A state emergency was declared on Louisiana in July this year in response to a ransomware attack on school computer systems.

The situation is very critical from the point of cyber-security as municipalities falling prey to such attacks and ransomware in particular is not a good sign at all.

Mass scale attacks and their increase in number are disconcerting on so many levels. Because threat actors willing to put so many efforts, like the researchers like to say, are numerous.


Texas Hit with a Series of Coordinated Ransomware Attack




Texas is currently hit with an 'unprecedented' of ransomware attacks that has significantly focused on local government entities in the state, with at least 23 impacted by the attacks.

The attacks which seem to have been led by a single threat actor are said to have of begun in the morning of August 16. It is additionally presumed that 23 may not be the final count considering that right now the details are at 'a minimum' with the Department of Information Resources (DIR), who is leading the investigation into the attacks.

The local Texas authorities, like the DIR, Texas Division of Emergency Management, and Texas Military Department are still investigating the origin of the attack, also involved are the federal agencies such as the Department of Homeland Security, Federal Bureau of Investigation – Cyber, and Federal Emergency Management Agency (FEMA).

In its original statement released on late Friday, DIR says that while investigations regarding the origins of the attack are continuous, their principle need is to aid the response and recuperation of 'affected entities'.

DIR is driving the reaction to what it calls a "coordinated ransomware attack" however does not unveil which organizations are affected. This is a result of security concerns involving the matter.

In an updated statement on Saturday, DIR said that the frameworks and systems of the State of Texas have not been influenced by this attack. Until more details rise, the strain of file-encrypting malware, which is said to be the one responsible for the attack as well as the perpetrator(s) ransom demand, still remains very unclear.


Cyber security Team Identified Ransomware Utilized to Compromise City Power



Residents of Johannesburg using pre-paid electricity meters were not able to load the electricity purchased from City Power and were also unable to purchase further electricity due to a ransomware attack which compromised City Power's database.

Earlier, City Power said while the variant of ransomware utilized to carry out the attack remains unknown, they have the encrypted network, applications, and database being restored and rebuilt by their ICT department.

Easing off the customers, Isaac Mangena, the utility's spokesperson, said, "We want to assure residents of Johannesburg that City Power systems were able to proactively intercept this and managed to deal with it quicker."

"Customers should also not panic, as none of their details were compromised," Mangena assured.

On Friday, City Power announced that their cybersecurity team identified the variant of malware which temporarily paralyzed the city's computer systems.

Reportedly, the email systems took the hardest hit by the ransomware and were taking a while to recover and be functional again.

While giving updates, Mangena said “The virus samples have been taken to the external labs for analysis and testing,”

“Our IT technicians have also recovered and, in [a] few instances, reconstructed most of the systems,, applications, and data that was threatened, using backup files.”

Victims of the cyber power attack along with the customers, have been raging since the incident happened and encrypted the computer databases, applications and network.

City Power turned to external cyber security experts who worked in association with their team to tackle the issue.



Ransomware Attack Leaves Johannesburg without Power




A key electricity supplier for the largest South African city, Johannesburg, experienced a massive ransomware attack which led to the shutdown of the city's computer systems on Thursday.

In a series of tweets, City Power announced that the ransomware virus encrypted all their databases, applications and networks; all of which is being reconstructed by their ICT department.

They further told that the customers may not be able to access their website and may not be able to purchase electricity units until the issue has been sorted out by their ICT department.

As the website continued to be offline, the victims resorted to social media in order to report the issues occuring with their electricity supplies.

The type of ransomware employed in the attack is still a matter of question, however, with the magnitude, the power of this cyber power attack can be gauged. Besides, restricting customers from buying pre-paid electricity, it also affected the attempts made by City Power to respond to localized blackouts.

Commenting on the matter, a spokesman for City Power said, for the people affected, "These are the people on the pre-paid system[s] and would at any given day buy electricity,"

"Those people were not able to access the system." he added.





Sonicwall Cyber Threat Report 2019 Finds Escalation in Ransomware Attacks-As-A-Service


Based on the real world data from more than 1 million international security sensors in more than 200 nations, SonicWall made public the discoveries from its mid-year update of the 2019 through the 'SonicWall Cyber Threat Report'.

With the global malware volume going down by 20%, researchers found a 15% increment in ransomware attacks comprehensively.

This expansion in ransomware-as-a service, open-source malware kits and cryptojacking utilized by cybercriminals comprised of the major highlights of the new data found.

"Organizations continue to struggle to track the evolving patterns of cyber-attacks — the shift to malware cocktails and evolving threat vectors — which makes it extremely difficult for them to defend themselves," said SonicWall President and CEO Bill Conner.

"In the first half of 2019, SonicWall Real-Time Deep Memory Inspection (RTDMI) technology unveiled 74,360 'never-before-seen' malware variants. To be effective, companies must harness innovative technology, such as machine learning, to be proactive against constantly-changing attack strategies,” he added later.

In the first part of 2019, SonicWall also observed a 55% increase in IoT attacks, a number that outpaces the initial two quarters of the previous year, all because organizations and purchasers keep on connecting devices to the web without appropriate safety measures.




Free Scheme, 'The No More Ransom Project' Saving Thousands from Ransomware Attacks


A free scheme known as, 'The No More Ransom project' which was founded by Europol, police in the Netherlands, and McAfee is recorded to have prevented cyber-attack victims from paying heavy ransoms and assisted over 200,000 people in saving approximately $108m (£86m).

Along with advice and recommendations, the project delivers software which is configured to recover computer files that get encrypted during ransomware attacks.

With the introduction of 14 new tools in the year 2019 itself, the project having over 150 global partners can now decrypt a total of 109 variants of infection.

Referencing from the explanation given by, Steven Wilson, head of Europol's European Cybercrime Centre (EC3), “When we take a close look at ransomware, we see how easy a device can be infected in a matter of seconds. A wrong click and databases, pictures and a life of memories can disappear forever. No More Ransom brings hope to the victims, a real window of opportunity, but also delivers a clear message to the criminals: the international community stands together with a common goal, operational successes are and will continue to bring the offenders to justice.”

The project made determined and successful efforts to take down various ransomware campaigns including  GandCrab, which is amongst one of the most hostile ransomware campaigns of all time.

GandCrab continued making headlines in 2018 and in 2019, the cyber world saw an upsurge in the number of ransomware attacks targeting large organizations.

Commenting on the matter, Mr. Woser told BBC, "Projects like No More Ransom have been crucial when it comes to fighting ransomware on a global level, with pretty much all major parties cooperating on a global and daily basis, sharing intel[igence] in real-time - except for the US.

"The US should consider the success of the No More Ransom Project to be a call to action.

"Better cooperation between the private sector and law enforcement could result in fewer ransom demands being paid.

"That would make cyber-crime less profitable and, consequently, reduce the financial incentive for groups to commit cyber-crime."





Cyber-Crime On Rise; One of A Kind Ransomware Hits Cloud Computing Giant iNSYNQ!







iNSYNQ, the cloud hosting giant recently was targeted by a ransomware attack which led to the company’s servers being shut down to confine the damage.

The Microsoft, Sage, and Intuit host provides customers with cloud-based virtual desktops aimed at hosting business applications.

The attack was executed by an unknown party and affected the iNSYNQ clients making the data inaccessible, as was mentioned in a citing from the sources.

The servers of the infected organization were immediately shut down and the next step was to safeguard the clients’ data and backup.

Cyber-security experts have been hired by the organization to help restore the infected data and eradicate any further possibility of such attacks.

The backups aren’t yet available to the customers despite repeated requests for them. The company’s doing everything in their control to mitigate the situation.


The clients’ data backups were on the unaffected servers but on the same network nevertheless.

The problem is not related with stolen data it is actually about the data being encrypted and hence being inaccessible.

On a mysterious note, the twitter account of iNSYNQ seems to have disappeared and is no longer accessible.

The data will take a good amount of time to reach the clients’ because after it’s retrieved it will be needed to be checked for any residual traces of the malware.

The company though, did not forget to mention that the kind of malware that hit them was of a new kind and had never been detected before.

Due to security reasons the organization can’t reveal much about the complexities of the attack and the entire situation because it might lead to the customers’ data being in danger.

With the help of leading experts the process of backing the data up is on full speed and the organization’s trying their hardest to get their clients’ data back to them.


Ransomware and their Proliferation; Major Cyber-Crime Hazards In View





Per latest reports, all around the globe, only last year we faced a hike in losses that occur due to malicious activities or cyber-crime.

Only earlier this year, cities Baltimore and Maryland of U.S. were attacked by a ransomware where computer networks got locked up and made making transactions impossible.

The administrators denied the demands for a ransom of $76,000 in exchange for unlocking systems but now have been encumbered with an estimate of $18 million to rebuild and/or restore the city’s’ computer networks.

Usually when hit by ransomware or any other malicious agent there are some pretty hard-hitting choices that the victim organizations have to face.

Two Florida cities had to pay a sum total of $1 million as ransom this year after which the same malicious group attacked the state court of Georgia.

The above data of losses generating from ransomware attacks rising by 60% was cited by the Internet Society’s Online Trust Alliance.

Since 2013, around 170 county, city and state government networks have been victims with 22 incidents being only this year.

The cities are not prepared against cyber-crime and hence are being repeatedly attacked as mentioned by a researcher at Stanford.

To pay or not to pay? This is a raging question when it comes to ransoms. FBI warns against it but researchers say that there is no clear side that could be chosen by victims who have their important data locked.

It hence becomes obvious that what needs to be done is what happens to be the best for the organization which means considering paying ransom in some cases.

To or not to pay is secondary where primary issue still happens to be with the software updates and lack of backups and security measures the users take.



Ransomware found exploiting former Windows flaw

Researchers at cybersecurity firm Kaspersky have uncovered new encryption ransomware named Sodin (Sodinokibi or REvil) that exploits a recently discovered Windows vulnerability to get elevated privileges in an infected system. The ransomware takes advantage of the architecture of the central processing unit (CPU) to avoid detection - functionality that is not often seen in ransomware.

"Ransomware is a very popular type of malware, yet it's not often that we see such an elaborate and sophisticated version: using the CPU architecture to fly under the radar is not a common practice for encryptors," said Fedor Sinitsyn, a security researcher at Kaspersky.

"We expect a rise in the number of attacks involving the Sodin encryptor, since the amount of resources that are required to build such malware is significant. Those who invested in the malware's development definitely expect if to pay off handsomely," Sinitsyn added.

The researchers found that most targets of Sodin ransomware were found in the Asian region: 17.6 percent of attacks have been detected in Taiwan, 9.8 percent in Hong Kong and 8.8 percent in the Republic of Korea.

However, attacks have also been observed in Europe, North America and Latin America, Kaspersky said, adding that the ransomware note left on infected PCs demands $2500 worth of Bitcoin from each victim.

The vulnerability CVE-2018-8453 that the ransomware uses was earlier found to be exploited by the FruityArmor hacking group. The vulnerability was patched on October 10, 2018, Kaspersky said.

To avoid falling victim to Sodin threats, make sure that the software used in your company is regularly updated to the most recent versions, said Kaspersky researchers.

Security products with vulnerability assessment and patch management capabilities may help to automate these processes, they added.

Florida city to pay $600,000 to a ransomware gang





The city council of  Riviera Beach, Florida, have voted unanimously to pay more than $600,000 in Bitcoins to a ransomware gang who had held its computer systems hostage for three weeks. 

The ransomware spread throughout the city’s computer network, after an employee clicked on a malicious link in an email. 

"Ransomware is commonly delivered through phishing emails or via 'drive-by downloads,'" according to Homeland Security. "Phishing emails often appear as though they have been sent from a legitimate organization or someone known to the victim and entice the user to click on a malicious link or open a malicious attachment."

The attack has locked all files and shut down all the city's services. Operations have been down ever since, with the exception of 911 services, which were able to continue to operate, although limited.

According to the Palm Beach Post’s report the ransomware affected the city’s email, 911 calls couldn't enter into computer records, and systems that controlled the water utility were offline.

The city council first decided to resolve the issue by paying $941,000 for new computers, but now they have decided to pay the ransom.

The amount of money would be paid from the city's insurer, although it's unclear wether hackers will decrypt the locked files afterward or not. 

The city council refused to comment.  




Authors of GandCrab Ransomware Terminating their Operations after Making $2 Billion in Ransom Payments



The operators of Gandcrab ransomware are continuously maintaining and developing the ransomware and have released five different variants with no major difference between any two versions and the ransomware is known to be extra secured as it uses the “.bit” top-level domain which is not sanctioned by ICANN.

Gandcrab was distributed via various vectors that include exploit kits, spam mail, affiliated malware campaign and other social engineering methods. Along with plenty of malicious spam emails, attackers resort to ‘GrandSoft’ and ‘RIG’, two of the most popular exploit kits in order to distribute GandCrab. These spam emails are configured to befool users and make them download a script which further will download the ransomware and execute it.

Researchers have found that Gandcrab authors have made over $2billion from ransom payments, averaging around 2.5 million dollars per week. As per the observations made by David Montenegro and Damian, the owners of the ransomware told that they are to put their operations to an end now, after earning huge chunks of money (more than 150 million dollars a year) and cashing it out through legitimate sources.

The operators have discontinued the promotions of the ransomware and asked the concerned affiliates to terminate the distribution of the ransomware within the next 20 days. They have also asked the victims to pay the ransom; otherwise, the key will be deleted. However, it’s still a matter of question that whether the keys will be released after the authors shut down their operations.

Although, ransomware has been a constant threat in the field of cybersecurity for a long time but now it’s even deadlier due to the efforts invested by the threat actors in its development. Users are advised to stay equipped with products like ‘Acronis True Image 2019’ in order to stay protected against such ransomware attacks.




My SQL Servers on Windows Attacked by Hackers to Distribute GrandCrab Ransomware



One of the most widespread Ransomware, GrandCrab, which keeps on making headlines every now and then us being circulated via multiple kinds of attacks like exploit kit, compromised  websites, social media campaigns, and weaponized office documents. 

A new variant of GrandCrab Ransomware which is configured to attack Internet-facing MySQL servers on Windows has been detected by the researchers; the ransomware is also reported to hold around 40% share of the ransomware market. 

How does it attack?

The malicious operation begins with the injection of a corrupted DLL file into the database server with the help of SQL database commands.
As the attack proceeds, DLL is invoked in order to get hold of the ransomware payload which is hosted on the malicious server. 
Attacker secures a reliable connection with the database server and then advances to upload the corrupted helper DLL by employing set command; it is carried out in the form of hexadecimal characters. 
“Later they issued a command to concatenate binaries to a single file and them into the server’s plug-in directory. Also, they used several commands used to swap forward slash and backslash characters that seemed designed to make an end-run around security features,” researchers observed. 

Referencing from the study conducted by the Sophos researchers, "an intriguing attack this week from a machine based in the United States. We monitored both the behavior and network traffic generated by this honeypot and were surprised to see the honeypot (which runs under Linux) download a Windows executable.”

“What makes this interesting is that the IP address of this machine hosting the GrandCrab sample geolocates to Arizona, in the desert southwest region of the United States, and the user interface of the HFS installation on this machine is in simplified Chinese.”

Decoding the threat, they said, “it does pose a serious risk to MySQL server admins who have poked a hole through the firewall for port 3306 on their database server to be reachable by the outside world,”



NSA tool used for hacking in Baltimore ransomware attack






According to the reports of New York Times, An important component of the malware to disrupt U.S cities, paralyzing local governments and residents was developed by the National Security Agency (NSA).

Reportedly, NSA lost the control of the tool in 2017, it was called Eternal Blue.

Eternal Blue has been used around the world including countries like Russia,China,North Korea and it has affected huge numbers of ATMs, hospitals, Airports, shipping operators around the globe.

Recently there was high-profile ransomware attack on Baltimore in which computers were hacked and health alerts, water bills, real estate sales and other public services are disrupted. 

On May 7th, city’s workers computers screens were locked and were displayed a message of ransom demanding $100,000 to free city’s files. 

In the similar manner various U.S cities have been attacked. 

The NSA and FBI declined to comment to the Times, but according to the reports the theft of the EternalBlue was carried out by group, which calls itself the Shadow Brokers.


The group is either made up of disgruntled federal employees or foreign spies.

Ransomware tool causing chaos in Baltimore was developed by NSA



A recent spate of ransomware attacks in Baltimore and other U.S. cities has been executed using a tool developed by the National Security Agency (NSA). Thousands of people in Baltimore have been locked out of their computers in the past three weeks, causing disruption across the city. And this has been enabled by a piece of software created by the NSA, according to a report in the New York Times.
The EternalBlue exploit takes advantage of a vulnerability in Microsoft Windows machines to infiltrate target computers. The software was stolen from the NSA and leaked by hackers in 2017, and since then has been used in a wide variety of cybercrinimal schemes. 2017’s WannaCry attack used the software, as did Russia’s NotPetya attack on Ukraine last year.
Now the same software is being used against U.S. citizens, causing particular problems for local governments with machines which have been disrupted. Many local governments do not regularly update their computers, leaving them vulnerable to exploits. In Baltimore, hospitals, airports, ATMs, shipping operators, and vaccine-producing factories have all been effected in the last few weeks.
The software locks the target computer’s screen, then shows a message demanding a payment of around $100,000 in Bitcoin for the target to regain access to their files. “We’ve watching you for days,” the message says, according to The Baltimore Sun. “We won’t talk more, all we know is MONEY! Hurry up!”
The NSA has never acknowledged the theft of the software or its responsibility for the cyberattacks conducted using it.
“The government has refused to take responsibility, or even to answer the most basic questions,” Thomas Rid, a cybersecurity expert at Johns Hopkins University, said to the Times. “Congressional oversight appears to be failing. The American people deserve an answer.”
EternalBlue may have been developed with good intentions to protect national security, but this event shows the problems with law enforcement or intelligence agencies having tools which allow them access to computers and phones. When such a tool is leaked, it can no longer be controlled.


GetCrypt Ransomware: Modus Operandi and Solutions




A new ransomware is in the dark market which encrypts all the files on the device and redirects victims to the RIG exploit kit. It’s being installed via “Malvertising” campaigns.


Securoty researchers found it while it was being installed by way of a RIG exploit kit in the “Popcash malvertising" campaigns.

First the victim is redirected to a page hosting the exploit kit, and then the malicious scripts on it would try to exploit vulnerabilities on the device.

If all goes well it will download and install GetCrypt into Windows.

How GetCrypt Works
Reportedly, when the exploit kit executes the ransomware, GetCrypt checks if the Windows language is set to Russian, Ukranian, Kazakh or Belarusian.

If so the ransomware immediately terminates and no encryption happens. If not, the ransomware examines the CPUID of the computer.

The Id is used to create a 4 character string which is used as an extension for encrypted files.

The four character extension that was created is appended while the files are encrypted. The files’ names are changed after they are encrypted

Later on the Shadow Volume Copies are cleared by running the vssadmin.exedeleteshadows/all/quiet command.

Then, the ransomware starts to scan the computer for the files to encrypt. No particular files types are targeted, except for files located under the following folders:
·       :\$Recycle.Bin
·       :\ProgramData
·       :\Users\All Users
·       :\Program Files
·       :\Local Settings
·       :\Windows
·       :\Boot
·       :\System Volume Information
·       :\Recovery
·       AppData

According to the sources, GetCrypt makes use of the Salsa20 and RSA-4096 algorithms for encryptions.

GetCrypt also creates a ransom note in each folder while it encrypts the files, named #decrypt my files#.txt

The aforementioned ransom note commands the victim to contact getcrypt@cook.li for payment instructions.

GetCrypt would also change the victim’s desktop background to an image with the ransom note written all over it which is stored at %LocalAppData%\Tempdesk.bmp

In addition to all the other things GetCrypt does, it will also try to encrypt files on network shares. When encrypting, it would also attempt to brute force the network account credentials.

It would use an embedded list of usernames and passwords to connect to the network shares using the WNetEnumResourceW function.

It could also try to brute force the credentials and mount them using the WNetAddConnection2W function.

Solution
All you need to get your files decrypted for free is an unencrypted copy of your encrypted file.

Simply download the decrypt_GetCrypt.exe program from the following link and save it on your desktop:

Once downloaded, run the decryptor and select an encrypted file you wish to decrypt and its unencrypted version.

Click on the start button. The decyptor will now brute force your decryption key and VOILA! Your files will get decrypted.


Dharma: A Malicious Ransomware In The Skin of an Anti-Virus Software








A family of ransomware has been infecting organizations around the globe and now has a new trick up its sleeve. A file-locking malware is being distributed disguised as anti-virus software.

“Dharma” happens to be the name of the infamous ransomware which has been linked to tens of cyber-crime episodes.

Dharma’s "executive working team" is all about creating and fabricating state-of –the-art attacks that are lucrative to the highest extent.

And by way of the recent stunt they’ve pulled they stand a handsome chance of extorting ransom payments in exchange for decrypting files and locked networks on the Windows system.

Actually, the ransomware poses to be an anti-virus software and hence the users are tricked into downloading and installing it.

The attacks like many others begin with “phishing emails” that claim to be from Microsoft and stating that the victim’s PC is under some risk, threat or is corrupted.

Luring the user into downloading the anti-virus by assessing a download link, if the user goes through with it, two downloads are retrieved.

According to sources, they are Dharma ransomware payload and an old version of anti-virus software from cyber security company ESET.

After the self-extracting archive runs, Dharma starts the file encrypting process. The user is guided to follow the installation instructions for ESET AV remover.

The interface gets displayed on their desktop but still requires user interaction during the installation process all the while distracting the user from the actual con.

The victim would immediately be confronted with a ransom note, once the installation gets done with, demanding crypto-currency in exchange for unlocking the file.

Malware have usually been hidden under skins of actually legitimate applications and software, in the above scenario an official unmodified ESET AV Remover was made use of.

Any other potential application could be exploited and used in this way to fool the not so well cyber-educated and even tech savvy users.

The file-locking malware is relatively new in the market but powerful nonetheless and with the enhanced tendencies of tactic and work being done on it.

Various cyber-cons still try to upgrade old threats and make use of latest techniques to wreak as much havoc as possible.

Ransomware happens to be an especially costly and dynamic threat which could hit in more than one ways.

The only way to not fall prey to such devastating attacks is securing email gateways, embracing better cyber-security manoeuvres, backing up files and constantly patching and updating.


Attackers Exploiting Oracle Weblogic Server Vulnerability to Encrypt User Data



In order to install a new variant of a malware known as "Sodinokibi", con men are taking advantage of the remote code execution vulnerability in Oracle Weblogic Server.

The vulnerability which has been recently discovered on versions
10.3.6.0, 12.1.3.0 of Oracle WebLogic Server, allows people with HTTP access to execute the attack without any verification.
Reportedly, a patch has been issued by the computer sofyware company on April 26.

The foundation of the attacks was laid around April 25 and it was on the next day, i.e., April 26, the hackers secured connections with multiple HTTP servers which were vulnerable, as per the findings of Talos Investigation.

The vulnerability has been exploited by the hackers to download the malware copies from servers administered by con men and to corrupt various legitimate sources and make alterations to repurpose it.

“Cisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136 and the attackers were ultimately successful at encrypting a number of customer systems.”

How does the ransomware infects?

It begins with the HTTP POST request which carries certutil command to execute the infectious files upon downloading.

As soon the malicious process starts, it triggers the vssadmin.exe utility, which on being executed assists Windows in generating some sort of backup, either automatic or manual.

After this, the ransomware attempts to hinder the recovery process by terminating backup mechanism.

Users can reach the security alert posted by Oracle and are advised to fix the forementioned (CVE-2019-2725) vulnerability.  

USA: Leading Servers Of Greenville Were Shutdown Owing It To A Ransomware Attack!



In the state of South Carolina, a city by the name of Greenville was attacked by a ransomware which blacked-out majority its servers.


The source of the ransomware and the infection is being conjectured upon by the help of the city staff and IT professionals.

As a basic ransomware works the organizations affected were asked for money. The IT team is working on getting the operation back online

The only servers that were separate and went unaffected were of the Greenville Utilities Commission and that of the emergency for and police department.

The infection first surfaced on the server of the Greenville Police Department. The IT division was immediately contacted and as result the servers were shutdown.

The shutdown hasn’t affected many of the operations and functions, just that the way things go about needed some adjusting.

Thanks to people not being too dependent on computers not much has been affected in the city except for people willing to do payments would need to do so in cash.

After CIRA’s free parking accident and the shutdown of Norsk Hydro, it’s evident that ransomware is an emerging hazard to cyber-security.


PewDiePie fan releases ransomware to increase the YouTuber’s subscriber count

The existence of malware is hardly a new thing. In the last few years, however, the more malicious trend of ransomware has become more and more common.

PewDiePie, the famous Swedish Youtuber, is no stranger to controversy. This time he is in the news again for the wrong reason after a user, who claims to be his fan, released ransomware with a note that reads ‘Subscribe to PewDiePie’.

This is not the first time PewDiePie's fans have pulled an extreme stunt to keep the Swedish vlogger as the most popular YouTuber.

According to The Independent, the ransomware PewCrypt is designed in such a way that it locks people from accessing their data. The ransomware claims that users will not get back their data until PewDiePie gets 100 million subscribers on YouTube.

Rather than destroying a computer per-say, ransomware generally locks out the user's files via encryption. The only way to get them back is to pay a ‘ranson’ (usually in bitcoin) and even then, it’s hardly a guarantee.

In a report via TheStar, it seems that the latest ransomware trending has bizarre links to the current subscriber battle between Pewdiepie and T-Series. It is unclear how the ransomware is distributed or how many victims it has claimed so far.

“If T-Series beats PewDiePie the private key will be deleted and your files are gone forever!” the report said quoting the threat that appears on the ransomware.

This, in itself, is a questionable target. While the two have been swapping the top spot for about 2 months now, T-Series has taken a pretty strong (but not overwhelming lead).

The developer backtracked on their threat and released a decryption tool but not before posting the open-sourced ransomware on Twitter under the username JustMe – the account is disabled at the moment – potentially allowing others to modify and use PewCrypt freely.

Canadian Internet Registration Authority’s Car Parking System Struck By Ransomware!








Reportedly, CIRA’s car parking system was infected via a ransomware and was hacked into to let people park for free.


Canadian Internet Registration Authority is a gigantic internet domain which has 2.8 million, under its wings with a .ca domain.

The yet anonymous cyber-cons compromised CIRA’s car parking system, aiding people to park without getting their parking passes scanned.

Allegedly, some other company manages the car parking under CIRA.

Initially the cause which was thought to be a power failure or mechanical system crash, turned out to be a ransomware attack.



The database which was used by the car parking system for management was specifically compromised.

That very database also holds tens and tens of employee credit cards which if in wrong hands could wreak serious havoc.

After further analysis it was discovered that the ransomware in question could possibly be “Darma”.

This ransomware goes about infecting computers by way of RDP connections restricting to system that run on RDP (Remote Desktop Protocol) online.

These cyber-cons target the RDP protocol which runs on 3389. After performing a brute force attack they tried to harvest administrative credentials.


Later on an attempt at performing malicious activities on the system as made.

The silver lining happens to be that the stored card details would reclaim all the damage done by the free parking.

According to CIRA’s security survey, 37% of businesses don’t employ anti-malware protections.

CIRA also cited that they have no way whatsoever of knowing what sort of security measures are employed by the car parking in question.