Criminal actors are now using a bug in a legitimate driver to launch RobbinHood, a new type of ransomware that can escape detection as it operates at kernel level. Understanding how RobbinHood works is key to understanding how to stop novel kind of attacks relying on trusted components.

We have noticed a change of behaviour in the latest spam email campaigns used by Locky. Since its first release Locky took advantage of compromised domains to download the dropper binary, while recently Locky dropper is being delivered embedded into the loader code itself. By tracking these campaigns we have also noticed that Locky’s authors have made […]

On 13th of June, while monitoring Twitter, we have observed an interesting tweet that reported a suspicious domain with an open directory listing. Among the listed files we found a zip archive containing a javascript. In this blogpost we will take a closer look at the javascript and we will show that it has ransomware capabilities, which […]

We have already written about Nemucod downloader when it was paired with 7-Zip, this time we have spotted a new variant in the wild that appears to be a further evolution from previous versions. Before we dig into the analysis part, let’s take a quick look at the most recent history of Nemucod:

ReaQta has been monitoring a new and massive worldwide Locky ransomware spam campaign. The attacks are carried out in the usual way: a javascript file attached to an email message delivered to the victims, although this is the first campaign we have tracked that shows a different deployment behaviour. The javascript downloader usually retrieves Locky’s dropper […]

In Part 1 we’ve analyzed a vast Crypt0L0cker ransomware distribution operation currently affecting continental Europe and ready to jump to new countries. In this second post we’ll analyze in detail the server side code used to dispatch the victims towards the correct websites, up to the ransomware itself. We’ll also analyze the ransomware behaviour and how […]

Nemucod is a Javascript downloader used to perform all kind of nasty stuff, recently a “ransomware” routine has been found in some samples, even if a simple one: a XOR with a predefined 255 bytes key. In other instances we have observed the download of a malicious executable responsible for the encryption process. What we will analyze this […]

Recently we uncovered a ransomware distribution operation targeting European users and carried out via phishing scams. In this post we will show how we have conducted the research: from the initial infection stage back to the person that is orchestrating the whole operation. These campaigns are targeting Italy, Denmark and Spain, although we have detected two new campaigns about to be started […]

Bandarchor is a ransomware identified for the first time at the end of 2014 that seemed almost to disappear halfway through 2015. With some surprise we’ve found it to still be alive, well and with a very low detection rate: in fact lately we have been receiving help requests from companies infected by a ransomware that […]

On the 2nd of January Joe Security research team uncovered a new threat dubbed HydraCrypt ransomware. We gave it a quick test run to understand if our customers are already protected from the threat or not, and what damage this new ransomware can cause to the infected systems. For what we have seen so far this ransomware appears to be […]

Recently the ransomware world provided a couple surprises: the discovery of CryptoWall 4 in the wild and a new ransomware dubbed Chimera, so far found to be infecting businesses mainly in Germany and threatening to leak personal files if the ransom isn’t paid.

Ransomware is a type of malicious software (known as malware) that restricts, using encryption, access to data on your computer. Once the restriction takes place, a ransom is requested to unblock your data and if paid the restriction is removed, in theory. In principle, ransomware is a simple threat, yet one that has caused a lot […]