Security Affairs

MARCH 11, 2019

. “These tasks include showing a fake Windows Update screen, disabling Windows Defender, and blocking access to security sites by adding entries to Windows’s HOSTS file.” The Promorad Ransomware variant samples tested by the experts also download a file named 5.exe exe and executed it. .

Encryption 88

Encryption Ransomware Passwords File names 88

Security Affairs

MAY 20, 2021

Microsoft warns of a malware campaign that is spreading a RAT dubbed named STRRAT masquerading as ransomware. Microsoft Security Intelligence researchers uncovered a malware campaign that is spreading a remote access trojan (RAT) tracked as STRRAT. G DATA experts discovered that the malware only renames files by appending the .crimson

Ransomware 130

Ransomware File names Encryption Passwords 130

Security Affairs

JULY 15, 2022

RedAlert is human-operated ransomware, the ransomware uses NTRUEncrypt public key encryption algorithm for encryption. The ransomware targets a limited types of files, including log files (.log), log), swap files(.vswp), vmdk), snapshot files (.vmsn) vmsn) and memory files(.vmem) It appends a “.crypt[Random

Ransomware 127

Ransomware Encryption File names Risk 127

Security Affairs

JUNE 6, 2023

Researchers from security firm Uptycs reported that threat actors linked to the Cyclops ransomware are offering a Go-based information stealer. The ransomware supports a complex encryption process “The encryption is complex; all functions statically implemented using a combination of asymmetric and symmetric encryptions.”

Ransomware 77

Ransomware Encryption Archiving File names 77

Security Affairs

JANUARY 5, 2020

DeathRansom was considered fake ransomware due to the fact that it did not implement an effective encryption process, but now things are changing. DeathRansom is a ransomware family that was initially classified as a joke because it did not implement an effective encryption scheme. ru website. . Pierluigi Paganini.

Encryption 68

Encryption Ransomware IT Phishing 68

Security Affairs

JUNE 30, 2022

Good news for the victims of the Hive ransomware, Korean security researchers have released a free decryptor for some versions. “The Korea Internet & Security Agency (KISA) is distributing the Hive ransomware integrated recovery tool.This recovery tool can recover Hive ransomware version 1 to version 4.”

Ransomware 108

Ransomware Cybersecurity Encryption Blockchain 108

Security Affairs

MARCH 19, 2022

. “The decryptor requires access to a file pair consisting of one encrypted file and the original, unencrypted version of the encrypted file to reconstruct the encryption keys needed to decrypt the rest of your data. This file must be roughly 20KB or larger in size. Pierluigi Paganini.

Ransomware 93

Ransomware File names Encryption Cybersecurity 93

Security Affairs

SEPTEMBER 10, 2023

. “When receiving a message, uploadTextMessageToService collects its contents, chat/channel title and ID, as well as sender’s name and ID. The collected information is then encrypted and cached into a temporary file named tgsync.s3. The app sends this temporary file to the command server at certain intervals.”

File names 127

File names Personal data Encryption Security 127

Security Affairs

AUGUST 23, 2023

Cobra DocGuard Client is software produced by a Chinese firm EsafeNet, it is used to protect, encrypt, and decrypt software. EsafeNet is owned by Chinese information security firm NSFOCUS. “The update.zip file is a zlib compressed archive file. It decompresses and executes a file named content.dll.

File names 83

File names Encryption Archiving Information Security 83

Security Affairs

JANUARY 7, 2022

Once encrypted a file, the ransomware appends the ‘ nightsky ‘ extension to encrypted file names. According to BleepingComputer , the group demanded one of its victims, the payment of an initial ransom of $800,000 to recover the encrypted data. Program Files Program Files (x86) #recycle.

Ransomware 134

Ransomware Encryption File names Communications 134

Security Affairs

JUNE 5, 2021

The company reported the security breach to the Bombay Stock Exchange (BSE) and the National Stock Exchange of India (NSEI). The Ransomware perform file system enumeration while encrypting the victim files, then appends the extension “.BlackCocaine BlackCocaine ” to the filenames of encrypted files.

Ransomware 129

Ransomware Encryption File names Financial Services 129

Security Affairs

AUGUST 18, 2023

The malware and infrastructure employed in the campaign are linked to the ones observed in Operation ChattyGoblin attributed by the security firm ESET to China-linked threat actors. “The [HUI] loader is executed through sideloading by legitimate executables vulnerable to DLL hijacking and stages a payload stored in an encrypted file.”

Archiving 95

Archiving File names Encryption Passwords 95

Security Affairs

FEBRUARY 7, 2022

. “On the final wizard page, you can opt-in whether you want to backup encrypted files. TargetCompany has been active since June 2021 , once encrypted a file it adds.mallox,exploit,architek, or.brg extension to the filenames of encrypted files. TXT” in all folders containing encrypted files.

Ransomware 98

Ransomware Encryption Passwords File names 98

Security Affairs

MARCH 2, 2020

Security experts uncovered an ongoing campaign delivering Nemty Ransomware via emails disguised as messages from secret lovers. “Attached to each email is a ZIP archive with a name formatted as with only the #s changing,” reads the advisory published by IBM X-Force IRIS. Pierluigi Paganini.

Ransomware 124

Ransomware File names Archiving Encryption 124

Security Affairs

SEPTEMBER 17, 2020

The Maze ransomware operators now use a virtual machine to encrypt a computer, a tactic previously adopted by the Ragnar Locker malware. The Maze ransomware operators have adopted a new tactic to evade detection, their malware now encrypts a computer from within a virtual machine. ” reads the analysis published by Sophos.

Ransomware 145

Ransomware Encryption File names Security 145

Security Affairs

JUNE 3, 2023

ReadMe file name: README.BlackSuit.txt. blacksuit extension to the name of the encrypted files, drops a ransom note into each directory containing the encrypted files, and adds the reference to its TOR chat site in the ransom note along with a unique ID for each of its victims. Extension: blacksuit.

Ransomware 97

Ransomware Encryption File names Cybersecurity 97

Schneier on Security

JANUARY 26, 2022

There’s a new ransomware that targets NAT devices made by QNAP: The attacks started today, January 25th, with QNAP devices suddenly finding their files encrypted and file names appended with a.deadbolt file extension.

Ransomware 89

Ransomware File names Encryption Access 89

Security Affairs

MAY 13, 2023

After gaining access to SMB shares, threat actors encrypt all files and leave a ransom note demanding payment in exchange for the decryption key. Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name “!CHECKMATE_DECRYPTION_README”

Ransomware 95

Ransomware Encryption Passwords File names 95

Security Affairs

OCTOBER 21, 2021

The Macaw Locker ransomware encrypts victims’ files and append the .macaw macaw extension to the file name of the encrypted files. The post Evil Corp rebrands their ransomware, this time is the Macaw Locker appeared first on Security Affairs. Pierluigi Paganini.

Ransomware 123

Ransomware File names Encryption Government 123

Security Affairs

SEPTEMBER 27, 2019

Emsisoft security firm has released a new free decryption tool for the Avest ransomware, a few days after the release of WannaCryFake decryptor. Emsisoft security firm has released a new free decryption tool for the Avest ransomware, a few days ago the researchers also released a free decryptor for the WannaCryFake ransomware.

Ransomware 77

Ransomware File names Encryption Security 77

Security Affairs

NOVEMBER 26, 2019

Security experts at Microsoft analyzed a new strain of cryptocurrency miner tracked as Dexphot that has been active since at least October 2018. “The Dexphot attack used a variety of sophisticated methods to evade security solutions. Doxphot stands out for its evasion techniques and its level of sophistication.

File names 128

File names Encryption Mining Security 128

eSecurity Planet

JULY 19, 2022

The malware exfiltrates data before encrypting the targeted devices to provide additional means of extortion. lilith” extension to rename encrypted files. Besides, the files are encrypted using local Windows cryptographic APIs and random keys generated on the fly. The malware uses a custom “.lilith”

Ransomware 120

Ransomware Encryption File names Government 120

Security Affairs

MARCH 26, 2021

Accenture security researchers published an analysis of the latest Hades campaign, which is ongoing since at least December 2020. . Then the malware perform a scan in local directories and network shares for content to encrypt. If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Ransomware 143

Ransomware Encryption File names Manufacturing 143

Security Affairs

FEBRUARY 25, 2019

The ransom encrypts all files and renames them by appending. rontok extension to the file names. According to the popular malware researcher Michael Gillespie , when the B0r0nt0K ransomware encrypts a file it will base64 the encrypted data. ” reported Bleeping Computer. . Pierluigi Paganini.

Ransomware 96

Ransomware File names Encryption Access 96

Security Affairs

MARCH 17, 2020

Nefilim will encrypt a file using AES-128 encryption, then the AES encryption key is encrypted using an RSA-2048 public key that is embedded in the ransomware executable. The encrypted AES key will be included in the contents of each encrypted file. Nefilim appends the. Pierluigi Paganini.

Ransomware 106

Ransomware Encryption File names Access 106

Security Affairs

OCTOBER 27, 2021

Metropolitan Police Department, encrypted its files and demanded a $4 million ransom. The security research group vx-underground said that a Russian youngster, who is believed to be one of the developers of the Babuk gang, has been diagnosed with terminal cancer and decided to leak the complete Babuk source code for Windows, ESXI, NAS.

Ransomware 97

Ransomware File names Encryption Cybersecurity 97

Security Affairs

AUGUST 25, 2023

This data identifies the encryption methods used by the access points.” In turn the server reply with a success message and a secret unique identifier that is saved in a file named “%APPDATA%Roamingwlanstr-12.bin.” ” The experts noticed that the Whiffy Recon’s main code runs as two loops.

File names 95

File names Access Encryption IT 95

Security Affairs

OCTOBER 18, 2022

Spyder Loader loads AES-encrypted blobs to create the wlbsctrl.dll which acts as a next-stage loader that executes the content. The variant used in recent attacks against Hong Kong relies on ChaCha20 algorithm encryption for string obfuscation. . ” continues the report. Follow me on Twitter: @securityaffairs and Facebook.

File names 115

File names Encryption Manufacturing Libraries 115

Security Affairs

JULY 8, 2022

“Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name “!CHECKMATE_DECRYPTION_README” ” The ransomware appends the.checkmate extension to the filenames of encrypted files, it drops a ransom note named !CHECKMATE_DECRYPTION_README

Ransomware 99

Ransomware Encryption Passwords File names 99

Security Affairs

MARCH 17, 2022

The malware was first spotted on February 9, 2022, when 360Netlab’s honeypot system captured an unknown ELF file that was spreading by exploiting the Log4J vulnerability. The name B1txor20 is based on the file name “b1t” used for the propagation and the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes.

Honeypots 135

Honeypots File names Communications Encryption 135

Schneier on Security

MAY 4, 2022

The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims’ networks with unusual stealth. Customized versions of the backdoor that use file names and creation dates that are similar to legitimate files used on a specific infected device.

IoT 101

IoT File names Encryption Access 101

Security Affairs

JUNE 26, 2021

On June 14th, Altus Group, a commercial real estate software solutions firm, disclosed a security breach, now Hive ransomware gang leaked its files. The provided sample of exfiltrated files includes business data and documents, as well as Argus certificates and development files. Pierluigi Paganini.

Ransomware 110

Ransomware File names Archiving Encryption 110

Security Affairs

SEPTEMBER 10, 2020

Security experts from ESET discovered a new piece of malware, tracked as CDRThief, that targets the Linux VoIP platform, Linknat VOS2009/3000 softswitches, to steal call data records (CDR) from telephone exchange equipment. “Interestingly, the password from the configuration file is stored encrypted. Pierluigi Paganini.

Metadata 124

Metadata Encryption File names Passwords 124

Security Affairs

JANUARY 11, 2022

The gang has also set up a leak site on the Tor network where it will publish files stolen to the victims that will not pay the ransom. Researchers from MalwareHunterteam first spotted the ransomware family, once encrypted a file, the ransomware appends the ‘. nightsky ‘ extension to encrypted file names.

Ransomware 107

Ransomware Libraries File names Encryption 107

Security Affairs

JULY 28, 2021

In the attacks investigated by Palo Alto Networks, the APT group leveraged legitimate executables such as BITSAdmin to download an innocuous file named Aro.dat from a GitHub repository under the control of the threat actors. The analysis of the file revealed that it includes the encrypted and compressed PlugX payload.

Encryption 111

Encryption File names Communications IT 111

Security Affairs

NOVEMBER 5, 2020

The attackers use a simple XOR encryption algorithm with the string “Hapenexx is very bad” as a key. The APT group uses the same payload and key of the previous scenario, the only difference is that both the file name and decryption key are encrypted with a one-byte XOR algorithm. Pierluigi Paganini.

File names 111

File names Encryption Libraries IT 111

Security Affairs

MARCH 3, 2020

Nemty ransomware first appeared on the threat landscape in August 2019, the name of the malware comes after the extension it adds to the encrypted file names. The ransomware deletes shadow copies of encrypted files to make in impossible any recovery procedure. Pierluigi Paganini.

Ransomware 105

Ransomware File names Encryption Archiving 105