Bandarchor ransomware

Bandarchor Ransomware Still Active

Bandarchor is a ransomware identified for the first time at the end of 2014 that seemed almost to disappear halfway through 2015. With some surprise we’ve found it to still be alive, well and with a very low detection rate: in fact lately we have been receiving help requests from companies infected by a ransomware that didn’t appear to belong to the known triad: CryptoLocker, CryptoWall or TeslaCrypt and we decided to investigate what appears to be a new campaign using a new variant.
Continue reading “Bandarchor Ransomware Still Active”

Hydracrypt Ransomware Analysis

On the 2nd of January Joe Security research team uncovered a new threat dubbed HydraCrypt ransomware. We gave it a quick test run to understand if our customers are already protected from the threat or not, and what damage this new ransomware can cause to the infected systems. For what we have seen so far this ransomware appears to be less sophisticated than Cryptolocker, CTB-Locker or Cryptowall, but it’s certainly not less dangerous.
Continue reading “Hydracrypt Ransomware Analysis”

poweliks persistence registry

Poweliks File-less Malware Keeps Evolving – Update 1

Poweliks (actually we should say Kovter) is a well-known and studied click-fraud malware that made its first appearance in early August 2014, it became famous very quickly due the fact that it used a persistence mechanism that allowed it to be fileless on disk, taking advantage of the Windows Registry and also because it adopted new techniques to stay persistent on the system. Its evolution apparently never stopped, in this post we will analyze what appears to be a new strain of the malware with an incredibly low detection rate.

Continue reading “Poweliks File-less Malware Keeps Evolving – Update 1”

Must Know Before Buying Endpoint Protection

Must know before buying an endpoint security system

Cyber security is a hot topic. Quite frankly it always was an interesting subject, though today threats have been advancing at an alarming rate, companies are increasingly more concerned about their data, especially after the amount of data breaches reported this year and actively pursuing strategies to build better guards for their intellectual property.
Continue reading “Must know before buying an endpoint security system”

Ransomware Ransom Request

Ransomware – A Quick Overview

Ransomware is a type of malicious software (known as malware) that restricts, using encryption, access to data on your computer. Once the restriction takes place, a ransom is requested to unblock your data and if paid the restriction is removed, in theory. In principle, ransomware is a simple threat, yet one that has caused a lot of pain and expense in recent months due to its increasing popularity. The purpose of this article is to give a quick overview of ransomware, keeping it as simple as possible.
Continue reading “Ransomware – A Quick Overview”

Analysis of an Undetected Dridex Sample

Analysis of an Undetected Dridex Sample

On the 4th of August one of our customers reported an infection attempt on one of their machines. In their deployment ReaQta-core is used to augment the security of their signature-based enterprise endpoint protection system, so an infection attempt detected by our solution is a sign that the AV missed the threat. Usually this either means that the attack is targeted or that the malware is brand new, let’s find out together the result of our investigation.
Continue reading “Analysis of an Undetected Dridex Sample”

Analysis Adobe Flash 0day

Adobe Flash CVE-2015-3113 0-day

Adobe released in April 2015 an update to patch CVE-2015-3043 that was being exploited actively in the wild by (but not only) threat actor APT28 during the operation RussianDoll. The vulnerability was a heap overflow in the FLV audio parsing engine, in particular the culprit was a hardcoded heap buffer length of 0x2000 bytes, the attackers simply had to provide a source capable of bypassing the length check and overwrite a buffer with more than 0x2000 bytes.

Continue reading “Adobe Flash CVE-2015-3113 0-day”