Dharma: A Malicious Ransomware In The Skin of an Anti-Virus Software








A family of ransomware has been infecting organizations around the globe and now has a new trick up its sleeve. A file-locking malware is being distributed disguised as anti-virus software.

“Dharma” happens to be the name of the infamous ransomware which has been linked to tens of cyber-crime episodes.

Dharma’s "executive working team" is all about creating and fabricating state-of –the-art attacks that are lucrative to the highest extent.

And by way of the recent stunt they’ve pulled they stand a handsome chance of extorting ransom payments in exchange for decrypting files and locked networks on the Windows system.

Actually, the ransomware poses to be an anti-virus software and hence the users are tricked into downloading and installing it.

The attacks like many others begin with “phishing emails” that claim to be from Microsoft and stating that the victim’s PC is under some risk, threat or is corrupted.

Luring the user into downloading the anti-virus by assessing a download link, if the user goes through with it, two downloads are retrieved.

According to sources, they are Dharma ransomware payload and an old version of anti-virus software from cyber security company ESET.

After the self-extracting archive runs, Dharma starts the file encrypting process. The user is guided to follow the installation instructions for ESET AV remover.

The interface gets displayed on their desktop but still requires user interaction during the installation process all the while distracting the user from the actual con.

The victim would immediately be confronted with a ransom note, once the installation gets done with, demanding crypto-currency in exchange for unlocking the file.

Malware have usually been hidden under skins of actually legitimate applications and software, in the above scenario an official unmodified ESET AV Remover was made use of.

Any other potential application could be exploited and used in this way to fool the not so well cyber-educated and even tech savvy users.

The file-locking malware is relatively new in the market but powerful nonetheless and with the enhanced tendencies of tactic and work being done on it.

Various cyber-cons still try to upgrade old threats and make use of latest techniques to wreak as much havoc as possible.

Ransomware happens to be an especially costly and dynamic threat which could hit in more than one ways.

The only way to not fall prey to such devastating attacks is securing email gateways, embracing better cyber-security manoeuvres, backing up files and constantly patching and updating.


Attackers Exploiting Oracle Weblogic Server Vulnerability to Encrypt User Data



In order to install a new variant of a malware known as "Sodinokibi", con men are taking advantage of the remote code execution vulnerability in Oracle Weblogic Server.

The vulnerability which has been recently discovered on versions
10.3.6.0, 12.1.3.0 of Oracle WebLogic Server, allows people with HTTP access to execute the attack without any verification.
Reportedly, a patch has been issued by the computer sofyware company on April 26.

The foundation of the attacks was laid around April 25 and it was on the next day, i.e., April 26, the hackers secured connections with multiple HTTP servers which were vulnerable, as per the findings of Talos Investigation.

The vulnerability has been exploited by the hackers to download the malware copies from servers administered by con men and to corrupt various legitimate sources and make alterations to repurpose it.

“Cisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136 and the attackers were ultimately successful at encrypting a number of customer systems.”

How does the ransomware infects?

It begins with the HTTP POST request which carries certutil command to execute the infectious files upon downloading.

As soon the malicious process starts, it triggers the vssadmin.exe utility, which on being executed assists Windows in generating some sort of backup, either automatic or manual.

After this, the ransomware attempts to hinder the recovery process by terminating backup mechanism.

Users can reach the security alert posted by Oracle and are advised to fix the forementioned (CVE-2019-2725) vulnerability.  

USA: Leading Servers Of Greenville Were Shutdown Owing It To A Ransomware Attack!



In the state of South Carolina, a city by the name of Greenville was attacked by a ransomware which blacked-out majority its servers.


The source of the ransomware and the infection is being conjectured upon by the help of the city staff and IT professionals.

As a basic ransomware works the organizations affected were asked for money. The IT team is working on getting the operation back online

The only servers that were separate and went unaffected were of the Greenville Utilities Commission and that of the emergency for and police department.

The infection first surfaced on the server of the Greenville Police Department. The IT division was immediately contacted and as result the servers were shutdown.

The shutdown hasn’t affected many of the operations and functions, just that the way things go about needed some adjusting.

Thanks to people not being too dependent on computers not much has been affected in the city except for people willing to do payments would need to do so in cash.

After CIRA’s free parking accident and the shutdown of Norsk Hydro, it’s evident that ransomware is an emerging hazard to cyber-security.


PewDiePie fan releases ransomware to increase the YouTuber’s subscriber count

The existence of malware is hardly a new thing. In the last few years, however, the more malicious trend of ransomware has become more and more common.

PewDiePie, the famous Swedish Youtuber, is no stranger to controversy. This time he is in the news again for the wrong reason after a user, who claims to be his fan, released ransomware with a note that reads ‘Subscribe to PewDiePie’.

This is not the first time PewDiePie's fans have pulled an extreme stunt to keep the Swedish vlogger as the most popular YouTuber.

According to The Independent, the ransomware PewCrypt is designed in such a way that it locks people from accessing their data. The ransomware claims that users will not get back their data until PewDiePie gets 100 million subscribers on YouTube.

Rather than destroying a computer per-say, ransomware generally locks out the user's files via encryption. The only way to get them back is to pay a ‘ranson’ (usually in bitcoin) and even then, it’s hardly a guarantee.

In a report via TheStar, it seems that the latest ransomware trending has bizarre links to the current subscriber battle between Pewdiepie and T-Series. It is unclear how the ransomware is distributed or how many victims it has claimed so far.

“If T-Series beats PewDiePie the private key will be deleted and your files are gone forever!” the report said quoting the threat that appears on the ransomware.

This, in itself, is a questionable target. While the two have been swapping the top spot for about 2 months now, T-Series has taken a pretty strong (but not overwhelming lead).

The developer backtracked on their threat and released a decryption tool but not before posting the open-sourced ransomware on Twitter under the username JustMe – the account is disabled at the moment – potentially allowing others to modify and use PewCrypt freely.

Canadian Internet Registration Authority’s Car Parking System Struck By Ransomware!








Reportedly, CIRA’s car parking system was infected via a ransomware and was hacked into to let people park for free.


Canadian Internet Registration Authority is a gigantic internet domain which has 2.8 million, under its wings with a .ca domain.

The yet anonymous cyber-cons compromised CIRA’s car parking system, aiding people to park without getting their parking passes scanned.

Allegedly, some other company manages the car parking under CIRA.

Initially the cause which was thought to be a power failure or mechanical system crash, turned out to be a ransomware attack.



The database which was used by the car parking system for management was specifically compromised.

That very database also holds tens and tens of employee credit cards which if in wrong hands could wreak serious havoc.

After further analysis it was discovered that the ransomware in question could possibly be “Darma”.

This ransomware goes about infecting computers by way of RDP connections restricting to system that run on RDP (Remote Desktop Protocol) online.

These cyber-cons target the RDP protocol which runs on 3389. After performing a brute force attack they tried to harvest administrative credentials.


Later on an attempt at performing malicious activities on the system as made.

The silver lining happens to be that the stored card details would reclaim all the damage done by the free parking.

According to CIRA’s security survey, 37% of businesses don’t employ anti-malware protections.

CIRA also cited that they have no way whatsoever of knowing what sort of security measures are employed by the car parking in question.


Crypto-jacking: A New Vector of the Cyber-Cons after Ransomware!




Apparently, according to the records of 2018, after getting bored with ransomware attacks, crypto-jacking has become the new tool of cyber-cons for harvesting crypto-currency.



Crypto-jacking by nature is more insidious and stealthy and hence in the past year has emerged as a better way of harvesting crypto-currency.

Initially, the best choice for doing the same was ransomware, but having surpassed it, Crypto-jacking is now cyber-cons’ favorite option.

2018, unlike any other year in the cyber-crime history saw a lot of cyber-attacks, wherein the crypto-jacking attacks constituted to be amongst the most.

The report of IBM strictly mentioned that the crypto-currency attacks hiked by quite a large number.

Whereas, ransomware attacks plummeted by 45% including both mobile and desktop platforms.

The major reason behind this shift of inclination towards crypto-jacking happens to be the less-disruptive and furtive disposition.

After a ransomware is introduced to the victim, the attack weapon goes waste after just one attack, leaving no chances for a recurrence.

Meanwhile, in the case of crypto-jacking, a recurrence is almost ensured, making it possible for more profits from a single weapon.

Somehow, crypto-jacking appears to be the more malicious of the two, which if ignored could lead to serious ramifications.

Reportedly, crypto-jacking could soon transform from currency mining to fabrication its own botnets to function spyware attacks.

Leaving the users with the only advice and option; to use the latest versions of anti-viruses and keep the systems updated.


Ransomware, RDP Logins and Credit Card Details being sold on the Dark Web



Offered at various rates on the dark web markets, there are various hacking tools which can be employed to assist and propel cybercrime, these tools are traded illicitly in the form of Cybercrime as a service.

Empire Market, DreamPoint, Wall Street Market and Berlusconi Market are some of the dark web markets known to have been hosting the hacking tools.

Referring to the findings of Eset, an array of ransomware packages has been put up for sale along with hackers providing updates, technical assistance and permit to C&C servers.

RaaS (ransomware-as-as-service) is a service which lets hackers host their product on the dark web, which further allows individuals to avail the services with their own customization and requirement. 

Besides RaaS, there are RDP logins which are traded on the dark web markets to provide access to RDP servers across the world. Notably, it is priced between the US $8-15 per server on the basis of country and operating system.

The third variant is DDoS attacks, attackers have placed botnets out for sale in order to launch DDoS attacks or to send spam emails and the price for this one depends upon the time duration for which one avails the botnet service.

Though some hackers display the tools which they employed while carrying out malicious activities, the majority of them are hidden behind tools which shield them with anonymity as they continue building up a profitable cybercrime industry which is an amalgamation of marketing, advertising, updations, customer care, and user manual.





A Malware Program That Hobbled Newspapers Nationwide Makes a Comeback


Ryuk Malware has made a rebound once more and this time it focused on the Tribune publishing Newspaper operations. The Malware program, a refined curve on an extortionate exemplary, is believed to have been utilized in an attack that has maimed newspapers across the nation.

The Malware is such that it automatically spreads from one computer to another, enciphering essential documents en route with an unbreakable code. Endeavors to gain access to the enciphered information, and the malware displays a ransom note, to deposit bitcoin into an unidentified wallet and receive a  key to decode the user's entire system , the refusal for which will result in the documents remaining 'locked for good'.

The issue notwithstanding, surfaced near midnight Thursday and spread quickly over the next day, when sports editors at the Union-Tribune attempted to transmit the completed pages to the printing office. Thusly hindering the distribution of the Saturday editions of The Times and Union-Tribune papers in Florida, Chicago and Connecticut, as well as the West Coast editions of the Wall Street Journal along with the New York Times.

Ryuk showed up on the radar of cybersecurity specialists in August, when the security scientists MalwareHunterTeam rumored five unfortunate casualties. An investigation with Check Point Research was published soon thereafter, assessing that it had officially gotten the attackers more than $640,000, and that much of its code coordinated with that of a ransomware program called Hermes, which has been connected with the North Korean hacking group that was behind the famous WannaCry attack.

Ben Herzog, a security specialist with Check Point says that Ryuk is different as it is a relatively  'artisanal' malware, used to target explicit organizations with little resilience for disturbance, such like hospitals and other healing facilities, ports and now obviously, the newspapers.

Despite the fact that their analysis till now has not prevailed with regards to determining if Ryuk had a technique for consequently spreading among a system or not, which Itay Cohen, another security analyst with Check Point, said may specify "prior, manual work that was done by the attackers in order to take these networks as a hostage.”


New Ransomware Strain Hits the Chinese Web; Infects 100K PCs




More than 100,000 Chinese users have had their Windows PCs infected with yet another strain of ransomware that encodes their records and files all the while requesting a 110 yuan (~$16) ransom. The inadequately composed ransomware is known to have been scrambling local documents and taking credentials for various Chinese online services.

As of now there has been no threat made to international users as the ransomware is only determined to focusing on the Chinese web only.

The individual or the group behind the activity are only utilizing Chinese-themed applications to appropriate the ransomware by means of local sites and discussions at the same time asking for ransom payments through the WeChat payment service, just accessible in China and the contiguous areas.


A report from Chinese security firm Huorong, the malware, named 'WeChat Ransom' in a few reports, came into existence on December 1 and the quantity of infected systems has developed to more than 100,000 as of December 4.

Security specialists who analysed the attack said that other than encoding records, the ransomware additionally incorporated an information-stealing component that collected login credentials for a few Chinese online services, like Alipay, Baidu Cloud, NetEase 163, Tencent QQ, and Taobao, Tmall, and Jingdong.

Chinese security organizations examining the malware concur that it is a long way from a complex risk that can be effortlessly defeated. Although it professes to delete the decryption key if the victim neglects to pay the ransom by a specific date, document recuperation is as yet conceivable in light of the fact that the key is hardcoded in the malware.

Specialists from Huorong examining this ransomware string have found a name, a cell phone number, a QQ account, and an email address that could enable police to identify and catch the thief.

This most recent ransomware campaign anyway is additionally not the first occasion when those Chinese-based ransomware creators have utilized WeChat as a ransom payment dealing strategy. The ones who committed this deadly error in the past have been captured by the officials within months.

The Chinese police, in general, have a decent reputation of capturing the hackers within weeks or months after a specific malware crusade stands out as truly newsworthy.


Moscow’s First Cable Car System Hacked a Day after Launch




Moscow's Mayor Sergei Sobyanin in an extravagant ceremony propelled Moscow's first cable car service promising free rides for the first month. In any case, tragically, just 2 days after the service was made accessible, hackers apparently hacked into the cable car system and tainted them with ransomware.

As per the local news outlets, who previously reported the incident and Moscow's Mayor, the main computer for the cable car system was tainted with ransomware and was requesting a payoff installment in bitcoins to unscramble the documents required for the operation of the cable car.

"According to the agency interlocutor, a message was received from an unknown person on the head computer of the Moscow Cable Cars operating company requesting to transfer bitcoins to him in exchange for decrypting all the electronic files of the computer that is responsible for the cable car operation. The amount of the ransom, said in the letter, depends "on the speed of response to the letter." As a result, there was a failure in the cable car."

The attack or rather the infection happened on Wednesday, November 28, at around 14:00, local time.

The attack was severe to the point that it had its effect on even the servers of the Moscow Ropeway (MKD), which apparently halted the majority of its task when it was informed about it.

The office's servers were exposed to a security review on November 29, and the infection was fortunately removed. Cable Car transports continued on the 30th, as per a message posted on the MKD's official website.

As of yet there are no points of interest thought about the kind of ransom ware that tainted the MKD's servers, or even the amount of the Bitcoin ransom demanded.


Former Head of a Country as a Brand of Malware?




It is unusual for sure as it so occurred interestingly in the historical backdrop of Ransomware swarming the home systems of the users that the face of a former Leader of a nation was taken up as the brand of a malware.

Truly, first tweeted by the MalwareHunterTeam, this ransomware has the peculiar title of,

"Barack Obama's Everlasting Blue Blackmail Virus"

This Windows-based malware is distributed through spam and phishing efforts with the aim to initially examine an infected system for processes related with antivirus solutions.Whenever executed, this ransomware is capable of terminating different procedures related with antivirus programming, for example, Kaspersky, McAfee, and Rising Antivirus.

The Obama ransomware then scans for documents ending with .EXE, before encoding them. It’s done as such that the registry keys related with the executable records are likewise influenced which thusly helps for instigating the virus each time an .EXE document is introduced and launched.

The message in the ransomware interface is shown alongside a picture of the previous US President Obama which states that users should contact the attacker at the mail 2200287831@qq.com for payment related directions.

Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.
So you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information.

The Ransomware more often than not encodes content, like documents and media to force victims to pay a blackmail 'expense' to recover their records and files and is distinguished by 45 out of 68 antivirus solutions, as indicated by VirusTotal, a virus scanning service.

Cybersecurity firms however prescribe for the affected users to not surrender in and pay if their system is infected with ransomware and for that they have even begun releasing free decoding keys consistently.




New SamSam Ransomware Variant Requires Password from Hacker Before Execution


Researchers at Malwarebytes have found that a new variant to the SamSam ransomware has been hitting users wherein the attacker has to put in a password before the malware could be executed.

“In its time being active, SamSam has gone through a slight evolution, adding more features and alterations into the mix,” read the blog post by Malwarebytes Labs. “These changes do not necessarily make the ransomware more dangerous, but they are added to make it just a bit more tricky to detect or track as it is constantly changing.”

According to researchers, this variant does not go into effect without the password, even if the malware is already present in the system. This makes for a more “targeted” attack as the attackers can decide which computers to execute the ransomware on.

Aside from targeted attacks, it also means that only those who know the password can access the ransomware code or execute the attack, making it a tricky malware to understand.

“As analysts, without knowing the password, we cannot analyze the ransomware code. But what’s more important to note is that we can’t even execute the ransomware on a victim or test machine. This means that only the author (or someone who has intercepted the author’s password) can run this attack,” the blog post said on the issue.

“This is a major difference from the vast majority of ransomware, or even malware, out there,” the post went on to say. “SamSam is not the type of ransomware that spreads like wildfire. In fact, this ransomware quite literally cannot spread automatically and naturally.”

SamSam has been a part of several massive cyber attacks since early 2018 and has led to severe damages worldwide. This new variant has only made it more elusive, as the code is inaccessible even to security researchers, which might be another reason for the password requirement.

The ransomware has in the past targeted hospitals, state agencies, city councils, and other enterprises, and caused huge losses when it hit the IT network of Atlanta earlier this year.


Author of Sigrun Ransomware helps Russian victims for free, charges other countries

The author of Sigrun ransomware is offering to decrypt computers of victims from Russia and some former USSR countries for free, while asking for payment in Bitcoin or Dash to citizens of other countries.

The ransomware already tries to avoid attacking computers of Russians by checking the keyboard layout of the computer. If it detects a Russian layout, it deletes itself and does not encrypt the computer. However, the ransomware has no provision for those computers who do not use a Russian layout, so some people from former USSR countries who choose not to use that layout can still be affected.

This is a common practice amongst Russian hackers and malware developers, who try to prevent from infecting Russian victims as they are concerned that the authorities will apprehend them, unlike when they are attacking victims from other countries.

This instance was first reported by Twitter user and security researcher Alex Svirid.


Another malware researcher, S!Ri, replied to the tweet with two pictures from ransomware victims of another attack.


Russian victim

U.S. victim

According to the Bleeping Computer, the ransomware author has added the Ukranian layout as well to be avoided during encryption.

"Ukranian users don't use Russian layout because of political reasons. So we decided to help them if they was infected," the author told them via email. "We have already added avoiding Ukrainian layout like was in Sage ransomware before."

They also reportedly said that they are not from former USSR republics, but rather added the condition “because of his Belarus partners”.


StalinLocker: ransomeware deletes data if correct code is not put in time

A new ransomware has been discovered called StalinLocker, or StalinScreamer, that gives victims of the attack 10 minutes to put in the correct unlock code and if they’re not able to do that, erases all the data on the infected device.

The ransomware does not actually demand any ransom, other than the condition given to unlock the victim’s device.

Named after Joseph Stalin, the late leader of the Soviet Union, the malware pays tribute to him by showing a red screen with a picture of Stalin, along with the USSR anthem playing in the background, when StalinLocker takes over the computer and the 10 minute countdown begins.



The ransomware was discovered by MalwareHunterTeam, which on Twitter explained how the malware worked and how to know the code to unlock your locked device.


According to them, the code can be guessed by subtracting the date the malware was run by 30/12/1922, which is the date that represents the foundation of the USSR.


This ransomware, unlike others, seems to purely focus on destroying user data as it does not demand any ransom in Bitcoin or other ways but simply attempts to erase all data if conditions are not met. If the user correctly enters the code, however, the files are unlocked with no problem.

The malware is similar to a previous one that forced victims to PlayerUnknown’s Battlegrounds game for an hour to get their device unlocked, but unlike StalinLocker, it did not threaten the erasure of the victim’s data.

Currently, StalinLocker is in a testing stage but it could turn out to be a major problem for Windows users once it is out for good.


Author of Three Critical Ransomware Families Arrested in Poland




A well-known cyber-criminal believed to be the author of the Polski, Vortex, and Flotera ransomware strains, Tomasz T. was arrested in Poland on Wednesday, but the announcement was made by the Polish Law Enforcement on Friday.

They had been tracking him for quite some time and were ready this time to go ahead with the arrest.
Tomasz T. a.k.a. Thomas or Armaged0n - a Polish citizen who lives permanently in Belgium is responsible for conducting cybercrime such as DDOS attacks, sending malicious software to compromise several computers and using ransomware to encrypt the files.

While working through Europol, the Polish police had alerted their Belgium counterparts, who thusly searched his house and seized the computer equipment, laptop and remote servers also including encryption keys.

 “Apparently, the suspect has been active since 2013, when he first started targeting users via a banking trojan that would replace bank account numbers in users' clipboards with one of his own, so to receive undeserved bank transfers.”
-          according to the Prosecutors.

He was able to spread this ransomware through the means of email by pretending to impersonate official correspondence from well-known companies such as DHL, Zara, Cinema City, PAY U, WizzAir and many more. While utilizing the Online portal, Tomasz operated under the epithet "Armaged0n," which he used on the infamous Hack Forums cybercrime portal too.

The Polish tech news site Zaufana Trzecia Strona (ZTS) was the first to draw the lines between the three ransomware strains to the Armaged0n persona and later tracked down an extensive email spear-phishing operation.

Armaged0n Hack forum profile

The police suspects that Tomasz infected thousands of users with ransomware and made over $145,000 from his criminal undertakings. ZTS, CERT Poland, security analysts, police, and the impersonated companies all worked together to track him down.

Polish Cybercriminal has been accused with various complaints such as accepting and transferring funds from crimes, infecting computer systems with malware such as the Polish Ransomware, Vortex or Floter and for influencing automatic data processing for financial benefits. All these ransomware’s Decryption keys have likewise been collected from his system.

The suspect, questioned by the prosecutor, conceded to the 181 different crimes that he was charged with.

Nonetheless, after performing the procedural steps, the prosecutor filed a motion to apply to him a temporary detention for a period of three months.


Password Theft Becomes The New Goal For Hackers

Barracuda Networks a month ago hailed a "critical alert" when it discerned an attack that endeavoured to steal user's passwords. This risk baits victims with Microsoft 365 Office files asserting to be tax documents or other official reports; assailants utilize dire dialect to persuade people to open the attachment.

Files named "taxletter.doc" and phrases like ""We are apprising you upon the arisen tax arrears in the number of 2300CAD" are a major example of the strategy utilized by hackers. Users, when they download and open the malignant record are hit with the password stealer. At the point when the report opens, a macro inside launches PowerShell, which acts out of sight in the background while the victim views the document.

Fleming Shi, senior vice president of technology at Barracuda, comparing this threat with phishing attacks of the past, says "Today's documents are far more active … you're putting in a lot of content, media, links," he further added in this context "Bad guys are leveraging the dynamic, active manner of the documents today to weaponized their files."

Millions of individuals have known to be affected by these phishing emails as attackers figure out how to dodge detection by creating different emails. While Exchange server makes up an extensive segment of individuals affected the alternate sorts of email accounts are additionally focused with the malevolent records.

This password theft is expanding in general, an indication of attackers moving their objectives and procedures, Shi clarifies further. Ransomware was huge a year ago; but this year, password stealers are showing up in phishing emails, browser extensions, and different programs as hoodlums chase the login information.
The real reason however, concerning why usernames and passwords have been focused on is on the grounds that they are equipped for giving access to numerous frameworks and applications that a specific user is attached to and operates at a regular schedule.

"Some attackers try to be like a sleeper cell on your system," Shi notes. The subtle signs that slowly bring it to the users focus and lets them know that their system has now been compromised and that they’ve lost control over all their applications is the conventional slowing down of their systems and the sudden upsurge in the pop-ups displayed.

"Some attackers try to be like a sleeper cell on your system," Shi notes.

A month ago, the IRS Online Fraud Detection & Prevention Centre (OFDP) reported an ascent of compromised emails in the beginning of January 2017 as the IRS authorities are also prescribing alert in the midst of an expansion of tax related phishing emails.
Here and now the cybercriminals are going for mass information burglary, and it's a timely opportunity for assailants to exploit users' wariness of tax season and make their crusades more compelling. In this way, it is smarter to be mindful and watchful while opening any business related or official looking report got by means of mail or some other online medium on the grounds that around here, it's better to be as careful as possible.

Advancing Ransomware Attacks and Creation of New Cyber Security Strategies

As ransomware is on the rise, the organisations are focusing too much on the anti-virus softwares rather than proactively forming strategies to deal with cyber-attacks which could pose as an indefinite threat to the users. Nevertheless one of the good advices to deal with this issue is the creation of the air-gaps, as through these it becomes quite easy to store and protect critical data. It even allows the offline storage of data. So, when a ransomware attack occurs, it should be possible to restore your data without much downtime – if any at all.

But it usually happens so that organisations more often than not find themselves taking one step forward and then one step back. As traditionally, the ransomware is more focused on backup programs and their associated storage but on the other hand it seems very keen on perpetually targeting the storage subsystems which has spurred organisations into having robust backup procedures in place to counter the attack if it gets through.

So in order for the organisations to be proactive it is recommended that they should resort to different ways to protecting data that allows it to be readily recovered whenever a ransomware attack, or some other cyber security issue, threatens to disrupt day-to-day business operations and activities.

Clive Longbottom, client services director at analyst firm Quocirca explains: “If your backup software can see the back-up, so can the ransomware. Therefore, it is a waste of time arguing about on-site v off-site – it comes down to how well air locked the source and target data locations are.”

However, to defend against any cyber-attack there needs to be several layers of defence which may or may not consist of a firewall, anti-virus software or backup. The last layer of defence that is to be used by the user though, must be the most robust of them all to stop any potential costly disruption in its track before it’s too late. So, anti-virus software must still play a key defensive role.

A ransomware attack is pretty brutal, warns Longbottom, “It requires a lot of CPU and disk activity. It should be possible for a system to pick up this type of activity and either block it completely, throttles it, or prevents it from accessing any storage system other than ones that are directly connected physically to the system.”

Now coming down to the traditional approach, it is often observed that data centres are in position in close proximity to each other in order to easily tackle the impact of latency, but for the fact they are all too often situated within the same circles of disruption increases the financial, operational and reputational risks associated with downtime.

Therefore there are a few certain tips that could allow the user to successfully migrate data to prevent ransomware attacks:
• The more layers you can add the better.
• User education.
• Update your Back-up regularly - it can be the last layer of defence.
• Have a copy off site – tape or cloud but don’t leave the drawbridge down.
• Planning of your backup process for your recovery requirement.

By following these one could successfully prevent cyber-attacks with ease and precision.

Unknown Hackers demand Ransom in Bitcoin

Recently the news came out of a ransomware attack in Old Delhi after three of the hacked victims came forward to uncover more about the attack. The victims i.e. the traders were demanded ransom in Bitcoin from the unknown hackers.

Although it is believed that the hackers are supposedly from either Nigeria or Pakistan, they were responsible for encrypting files on the computers of the businessmen which comprised of key records. The hackers at that point, as indicated by the police coerced the victims, gave them the links to purchase bitcoins through which they needed to make payments for the release of critical documents.

 “Some traders paid in Bitcoins and got their data back. Some deposited the money from abroad. When my data was hacked, I spoke to fellow traders and learnt that there were other such cases. I wrote to the hackers and they agreed to decrypt the files for $1,750 (around Rs 1.11 lakh),” Mohan Goyal, one of the victims was quoted saying in the report.

According to reports, the hacked traders found the message that said there was a 'security issue' in the system displayed on their computers. The traders were then given case numbers and email addresses for correspondence. They were then at first offered decryption of five of their documents and files for free by the hackers, who later demanded the payment of ransom for the rest of the records.

While one of the IP address utilized by hackers was purportedly traced back to a system in Germany, but the fingers remain pointed towards hackers from Nigeria and Pakistan.

Experts say that for making it difficult to trace the money, getting the money in bitcoin works for the hackers. The Delhi crime branch which registered the FIR has already sent the hard disks of the complainants for further forensic tests. As of not long ago, three complaints already have been registered by the police and it is believed that the number of victims could be much higher.

Ukrainian CyberPolice arrest the Hacker accused of spreading "Petya.A" virus



Ukrainian officers from cyber crime department have arrested a 51-year-old resident of Nikopol (Ukraine, Dnipropetrovsk region), who is suspected of spreading computer virus "Petya.A".

Petya is a ransomware that infects the Master boot Record(MBR). If the malware successfully infectes the MBR, it will encrypt the whole hard drive. Otherwise, it encrypts all files.

According to the local news report, the suspect published an online tutorial video explaining how to use the "Petya.A" malware to infect victim's computers. In the comments section, he also shared a link to social network on which he has uploaded the malware and distributed.

The police have conducted a search at the residence of the suspect. They have seized the computer equipments and found malicious software which is similare to the "Petya.A".

The malware is said to be infected more than 400 computers. Also a number of companies intentionally used this virus to conceal criminal activity and evasion from the payments of penalties to the state.

In June 2017, ESet reported that large number of infections happened in the Ukraine. The affected Ukrainian industries includes financial sector, energy sector.

- Christina

WannaCry Ransomware in simultaneous attack on firms and organizations around the world


To their utter dismay, May 12, 2017 saw firms and organizations in many countries around the world, including geopolitical rivals Russia and the US, suffer from mass attacks of the Malware WannaCry. This ransom malware appropriately also goes by the names of WCry, WannaCry, WannaCrypt0r and WannaCrypt – it did make some cry.

In a few hours WannaCry infected tens of thousands of devices. Experts from Avast have indicated that upwards of 57000 devices have already been infected. It is understood that Taiwan, Russia and Ukraine were the main targets of the Malware – quite a strange mix. Quoting specialists from Kaspersky, a Russian news agency reported about 45,000 WannaCry attacks in 74 countries around the world, with Russia being the most affected.

Corporate victims include the likes of Fedex, Spanish majors such as Telefonica, Gas Natural, Iberdrola and Santander Bank, and KPMG. The health care sector, already amongst the most vulnerable, was also hit. Targets here included UK’s National Health Service and other medical institutions in the UK

According of journalists of "Medusa", Russian targets included MegaFon, the Ministry of Internal Affairs and the Investigative Committee of the Russian Federation.

This malware, WCry, was first discovered in February 2017. It has evolved and “mutated” over the last few months, and the more potent Vesion 2.0 uses an SMB-exploit of the NSA from a toolkit published earlier by hacker group The Shadow Brokers.

It is believed that “Kafeine”, a French expert, was one of the first to discover the new mutation of Trojan. Kafeine realised that WannaCry was updated and adopted exploit EternalBlue. This exploit was written by NSA whiz kids to use vulnerabilities in SMBV1. A few other security specialists confirmed the discoveries of Kafeine.

Microsoft, in March 2017, developed a fix for ETERNALBLUE. However, paranoia is yet to set in amongst many computer users, and thus many did not make use of the fix. This lackadaisical attitude has now been exploited. As always, a sense of déjà vu prevails amongst cyber security pros.

For those interested, please click below to observe the spread of WannaCry in real-time - . https://intel.malwaretech.com/WannaCrypt.html