We have noticed a change of behaviour in the latest spam email campaigns used by Locky. Since its first release Locky took advantage of compromised domains to download the dropper binary, while recently Locky dropper is being delivered embedded into the loader code itself. By tracking these campaigns we have also noticed that Locky’s authors have made several attempts at embedding the dropper into the loader.
Dridex is currently one of the most active and widespread banking malwares. Like Locky ransomware also Dridex is dispatched through a massive spam mail campaign that uses the Necurs botnet. Our sensors have long been tracking these spam campaigns and recent captured emails contain a Word document that drops Dridex. In our latest samples we have observed a delay on execution of the downloader stage that wasn’t present before, we have further investigated to figure out whether Dridex’s authors were experimenting with new, even if basic, anti-sandbox techniques.
We have already written about Nemucod downloader when it was paired with 7-Zip, this time we have spotted a new variant in the wild that appears to be a further evolution from previous versions. Before we dig into the analysis part, let’s take a quick look at the most recent history of Nemucod:
Continue reading “Nemucod meets a new buddy: PHP”
In Part 1 we’ve analyzed a vast Crypt0L0cker ransomware distribution operation currently affecting continental Europe and ready to jump to new countries. In this second post we’ll analyze in detail the server side code used to dispatch the victims towards the correct websites, up to the ransomware itself. We’ll also analyze the ransomware behaviour and how it infects the victim’s computer.
Continue reading “Uncovering a ransomware distribution operation – Part 2”
Recently we uncovered a ransomware distribution operation targeting European users and carried out via phishing scams. In this post we will show how we have conducted the research: from the initial infection stage back to the person that is orchestrating the whole operation. These campaigns are targeting Italy, Denmark and Spain, although we have detected two new campaigns about to be started by the same author. The ransomware delivered is the infamous Crypt0L0cker, a descendant of TorrentLocker ransomware.
Continue reading “Uncovering a ransomware distribution operation – Part 1”
Bandarchor is a ransomware identified for the first time at the end of 2014 that seemed almost to disappear halfway through 2015. With some surprise we’ve found it to still be alive, well and with a very low detection rate: in fact lately we have been receiving help requests from companies infected by a ransomware that didn’t appear to belong to the known triad: CryptoLocker, CryptoWall or TeslaCrypt and we decided to investigate what appears to be a new campaign using a new variant.
Continue reading “Bandarchor Ransomware Still Active”
On the 2nd of January Joe Security research team uncovered a new threat dubbed HydraCrypt ransomware. We gave it a quick test run to understand if our customers are already protected from the threat or not, and what damage this new ransomware can cause to the infected systems. For what we have seen so far this ransomware appears to be less sophisticated than Cryptolocker, CTB-Locker or Cryptowall, but it’s certainly not less dangerous.
Continue reading “Hydracrypt Ransomware Analysis”