Incidents

New ransomware found

A new piece of ransomware, called Ransom.a by most AV vendors, has been spotted in the wild.

Evidence received so far suggests that this Trojan can be found on P2P networks.

The malware poses as a Windows Mobile application, despite that description it will only work on Win32.

When the user is infected and reboots his machine, he will be greeted with a full screen message when he logs on.
The screen tries its best to stay on top of all windows and is highly annoying, it also shows pornographic images.

The message which is presented to the user is quite long, but in short: Pay $10.99 via Western Union otherwise you will keep getting this screen.
One file per 30 minutes will be deleted from the hard drive. Deleted files will be restored when you have paid up and entered the proper unlock code.
Antivirus software can not detect this virus, nor can it detect the hidden folders in which the deleted files are stored.
When entering a false unlock code there’s also a message stating that the hard drive will crash in 3 days.

However there’s a catch: None of these destructive routines actually work!

I think we have an interesting development going on here, I think there are two different types of ransomware.

Real ransomware, which encrypts your data or does other nasty stuff.
And malware which claims to do all sorts of nasty stuff but actually doesn’t. It’s bluffing, like bluff poker.

How is an average user going to check if all of his files are still there? He’s not.
Losing a file every 30 minutes is a scary thought, made up by the criminal in an effort to pressure the user to act quickly and pay up.

Ransomware has gotten quite some media attention and now criminals are trying to simply bluff people into giving up their money, instead of having to write difficult code.

I just hope that people have remembered the most important thing about ransomware: Do not pay up, contact us and we will do our utmost best to help you.

New ransomware found

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox