October 25, 2016

Ransomware claims FBI know that victim’s computer associated with crime and told to pay fine

(LiveHacking.Com) – The Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) has published a warning about various ransom campaigns which are impersonating multiple U.S. Government agencies. The malware, which impersonates the United States Cyber Command (USCYBERCOM) and the Federal Bureau of Investigation (FBI), displays an alert telling the victim that a Federal Government agency has associated the user’s computer with one or more online crimes. To regain use of the computer the victim must pay a fine, often through a prepaid money card service.

The US-CERT warning comes after the discovery earlier this month of a piece of ransonware known as Reveton. The drive-by Trojan, which infects a victim’s PC when they visit a compromised website, locks the user’s computer, displays a bogus message and demands payment of fines. The bogus message says that the user’s Internet address was identified by the FBI or the Department of Justice’s Computer Crime and Intellectual Property Section as having been associated illegal online activity. To unlock their machines, users are required to pay a fine using a prepaid money card service. The FBI has confirmed that the malware has already successfully stolen money from a number of innocent victims.

Needless to say, government agencies don’t send out official notifications as unsolicited emails or web popup alerts and are required by law to be delivered directly to the individual. Also, government agencies don’t ask for fines to be paid via money card services.

According to the US-CERT warning, vicitm’s can also choose to file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

HDD Plus Malware Spread by DoubleClick and MSN

The first two weeks of December has seen the HDD Plus malware spread throughout the Internet using the world’s largest ad serving platforms, namely DoubleClick and MSN, by using drive-by download malvertising.

HDD Plus is ransomware in that when it gets installed on a victim’s computer it holds the computer hostage by displaying threatening messages, that the system is failing, and asks the victim to purchase a license to fix the problems.

DoubleClick and MSN are implicated because when users visit websites that use their banner ads a malicious javascript is served from ADShufffle.com (that’s with three f’s), which in turn starts a drive-by download process. If HDD Plus installs successfully the victims computer has been infected without the victim doing anything or clicking on anything.

The attack uses a modified version of the Eleonore exploit pack and uses vulnerabilities in Microsoft Internet Explorer 6 & 7, the Java runtime environment (before update 19, the current version is update 23) and several weaknesses in Adobe Acrobat (including the Reader). By using exploits in Java and Acrobat, PCs using alternative browsers like Firefox or Chrome are also vulnerable.

This latest attack underlines again the need to keep your computer up to date (including not only the browser but also other applications like Java and Acrobat Reader).

A detailed technical report of how HDD Plus is spreading through these ad networks can be found here while information on removing HDD Plus can be found here and here.

New Variant of GpCode Back – Still Demanding Ransom Money to Free Your Data

A new variant of the troublesome and harmful GpCode trojan has been detected by Kaspersky Lab. Tagged as Trojan-Ransom.Win32.GpCode.ax this trojan, which spreads via malicious websites and P2P networks, encrypts files on the infected computer and then asks for money in order to decrypt the files. Such trojans are of known as ransomware or cryptovirology.

The original version of this trojan called Trojan.PGPCoder or Virus.Win32.Gpcode was isolated back in 2005 and variations have been appearing almost yearly. However this new manifestation has some troubling improvements.

In the past some of the variants had a weakness where the encrypted file was written to a new location on the disk (as a new file) and the old file deleted. This meant that the old (unencrypted) version of the file could be recovered using an undelete tool. However this new variant directly overwrites data in the file, which makes it impossible to use data-recovery tools.

The program uses either RSA-1024 or AES-256 encryption and then demands $120, to be paid by direct bank transfer, to decrypt the files. As with all blackmailers there is a warning not to tell the police or other authorities: “And remember: any harmful or bad words to our side will be a reason for ignoring your message and nothing will be done”.

Since the trojan searches your hard disk and starts encrypting the files sequentially, it is suggested that if you know your computer is infected then resetting it immediately might offer a way of possibly stopping the encryption before too much data has been made unrecoverable.

On top of up-to-date anti-virus software and a firewall, the best defence against this type of malware is to have good and frequent backups of your data.