Recently we uncovered a ransomware distribution operation targeting European users and carried out via phishing scams. In this post we will show how we have conducted the research: from the initial infection stage back to the person that is orchestrating the whole operation. These campaigns are targeting Italy, Denmark and Spain, although we have detected two new campaigns about to be started by the same author. The ransomware delivered is the infamous Crypt0L0cker, a descendant of TorrentLocker ransomware.
Continue reading “Uncovering a ransomware distribution operation – Part 1”
Bandarchor is a ransomware identified for the first time at the end of 2014 that seemed almost to disappear halfway through 2015. With some surprise we’ve found it to still be alive, well and with a very low detection rate: in fact lately we have been receiving help requests from companies infected by a ransomware that didn’t appear to belong to the known triad: CryptoLocker, CryptoWall or TeslaCrypt and we decided to investigate what appears to be a new campaign using a new variant.
Continue reading “Bandarchor Ransomware Still Active”
On the 2nd of January Joe Security research team uncovered a new threat dubbed HydraCrypt ransomware. We gave it a quick test run to understand if our customers are already protected from the threat or not, and what damage this new ransomware can cause to the infected systems. For what we have seen so far this ransomware appears to be less sophisticated than Cryptolocker, CTB-Locker or Cryptowall, but it’s certainly not less dangerous.
Continue reading “Hydracrypt Ransomware Analysis”
Poweliks (actually we should say Kovter) is a well-known and studied click-fraud malware that made its first appearance in early August 2014, it became famous very quickly due the fact that it used a persistence mechanism that allowed it to be fileless on disk, taking advantage of the Windows Registry and also because it adopted new techniques to stay persistent on the system. Its evolution apparently never stopped, in this post we will analyze what appears to be a new strain of the malware with an incredibly low detection rate.
Ransomware is a type of malicious software (known as malware) that restricts, using encryption, access to data on your computer. Once the restriction takes place, a ransom is requested to unblock your data and if paid the restriction is removed, in theory. In principle, ransomware is a simple threat, yet one that has caused a lot of pain and expense in recent months due to its increasing popularity. The purpose of this article is to give a quick overview of ransomware, keeping it as simple as possible.
Continue reading “Ransomware – A Quick Overview”
On the 4th of August one of our customers reported an infection attempt on one of their machines. In their deployment ReaQta-core is used to augment the security of their signature-based enterprise endpoint protection system, so an infection attempt detected by our solution is a sign that the AV missed the threat. Usually this either means that the attack is targeted or that the malware is brand new, let’s find out together the result of our investigation.
Continue reading “Analysis of an Undetected Dridex Sample”
Eset published the analysis of Dino, a recently discovered APT that seems to be tied to the Animal Farm, the same group that allegedly developed Casper, Babar (previously analyzed by ReaQta) and Bunny.