A new ransomware, called Ransom32, appeared recently. When this type of malware infects a machine, it encrypts the data on the hard disk. In the vast majority of cases, the only way of recovering the data is to pay a ransom to the hackers who control the ransomware.

In principle, classic malware…

This type of malware is referred to as “Ransomware as a Service” (RaaS), a name derived from the term “Software as a Service”.

The hackers offer other wrongdoers a piece of malware together with an existing Command & Control (C&C) infrastructure. An individual wishing to use the service simply needs to download the malware and distribute it with their own phishing campaign. If victims whose machines are infected pay the ransom, the funds go directly to the original administrators of the malware, who then pass on a percentage to the hackers who infected the machines.

At the end of October, a group of experts from major cybersecurity companies issued a highly detailed description of the economics of Cryptowall ransomware.

This threat, which has spread widely since June 2014, is thought to have cost hundreds of thousands of victims 325 million dollars. On October 22, a senior FBI employee said the following on the subject of Cryptowall: “To be honest, we often advise people simply to pay the ransom”.

Cryptowall is one of the most widespread ransomware families, along with TorrentLocker, TeslaCrypt and CTB-Locker. This malware is distributed through phishing e-mails (about two-thirds of infections) and via infected websites (approximately one third of infections).

Since May 2015, we have observed a growing supply of Ransomware-as-a-Service offerings on the Dark Web. A user with no technical skills can subscribe to a ransomware program, which they then distribute. The user then passes part of their profits to the malware designer.

In May, we covered the subject of Tox, a website that allows ransomware to be created in a few clicks of the mouse. The user receives an .scr executable file, which they simply need to propagate.

ORX-Locker is a new, prefabricated ransomware which is advertised in forums on the Dark Web. Its code is more sophisticated than that of Tox, although it is based on the same principle: the victim has to pay in Bitcoins through a Tor site, failing which their files are locked, then deleted.

In August of this year, the Carphone Warehouse store chain was the victim of a hacking operation. The hackers used a denial of service (DoS) attack as a diversion while, in parallel, stealing the data of 2.4 million customers.

The data stolen were the customers’ names, addresses and dates of birth. For 90,000 of them, payment card numbers were also stolen. It seems that the hackers deployed a DoS attack against the Carphone Warehouse information system while penetrating the databases. The security personnel are thought to have been too busy restarting the systems to notice the exfiltration of the data.

Windows 10 has been distributed since July 2015 by means of Windows notifications and e-mails. This is an interesting opportunity for hackers to employ social engineering methods to encourage users to download malware.

  • The first malware campaign to impersonate the Windows 10 distribution used CTB-Locker, a fairly common ransomware. In this campaign, an e-mail, apparently sent by update@windows.com, contains an attachment which supposedly downloads Windows 10, but which is in reality a .zip file that deploys CTB-Locker. Compared with other ransomware, such as Cryptowall, CTB-Locker differs by asking the victim to pay in bitcoins via a Tor site for their files to be released.
  • Another campaign, in Brazil, uses similar e-mails to make victims download malware. In this case the attachment is a VBE script which drops further malware that captures the victim’s data.
