Not the brightest lights in the harbor. Administrators at the University of Calgary, Canada, have caved in to criminals and paid a $20,000 ransom to decrypt their computer systems’ files after getting hit by a malware infection.
Last month, the university fell prey to ransomware, which installed itself on machines, scrambled documents and demanded cash to recover the data. Since they obviously weren’t running decent backup procedures, the administrators have agreed to pay up in Bitcoins.
“As part of efforts to maintain all options to address these systems issues, the university has paid a ransom totaling about $20,000 CDN that was demanded as part of this ‘ransomware’ attack,” said Linda Dalgetty, VP of finance and services.
“The university is now in the process of assessing and evaluating the decryption keys. The actual process of decryption is time-consuming and must be performed with care. It is important to note that decryption keys do not automatically restore all systems or guarantee the recovery of all data. A great deal of work is still required by IT to ensure all affected systems are operational again, and this process will take time.”
Over 100 systems were thought to be locked up in the attack. Students and staff got email service back yesterday, but not on the original university system.
Dalgetty said the police had been called in and were investigating the attack. Under the circumstances, she said, it would not be appropriate to comment further on the details of the infection.
How to make an infection go away in the US healthcare system – throw money at it.
A hospital in Los Angeles, California, has paid a US$17,000 (£11,900, AU$23,800) ransom to hackers who injected its computers with malware that scrambled its files.
It appears PCs at the Hollywood Presbyterian Medical Center were infected and paralyzed by ransomware, which silently encrypts documents and refuses to hand over the decryption key until a sum is paid.
Allen Stefanek, the hospital’s CEO, said in a statement on Wednesday that the 40 Bitcoin ransom was coughed up as it was “the quickest and most efficient way to restore our systems and administrative functions.”
The malware started poisoning the Tinseltown center’s computers on February 5, we’re told, forcing some patients to be treated elsewhere and pushing medics back to the era of fax machines and pen and paper. On Monday, systems were back to full health, and it was stressed that people’s private records were not harmed by the software nasty.
The $17,000, though a decent wedge, is somewhat lower than the earlier reported $3.6m ransom of 9,000 BTC. The infection has been described as “random” rather than targeted, suggesting a staffer opened a dodgy email or visited a malicious website that caused the network to be laid low.
The Turkish security researcher Utku Sen was blackmailed by hackers behind the Magic ransomware to close his projects.
The developers behind the open source-based “Magic” ransomware are blackmailing the creator of Hidden Tear and EDA2 in order to force the developer to abandon the projects.
I recently wrote about the RANSOM_CRYPTEAR.B ransomware, which was built from Utku Sen's proof-of-concept code available online.
According to the experts at TrendMicro, a serious error in its development left victims’ files completely unrecoverable. Researchers who analyzed the source code discovered that it was a modification of a proof-of-concept ransomware dubbed Hidden Tear, published online by the Turkish coder Utku Sen for educational purposes.
Unsurprisingly, as TrendMicro remarked, crooks did not miss the opportunity.
“Unfortunately, anyone on the internet can disregard this warning. This became evident when Trend Micro discovered a hacked website in Paraguay that distributed ransomware detected as RANSOM_CRYPTEAR.B. Our analysis showed that the website was compromised by a Brazilian hacker, and that the ransomware was created using a modified Hidden Tear code.” states a blog post published by TrendMicro.
Hidden Tear is available on GitHub and is fully functional: it uses AES encryption to encrypt the files and displays a warning telling users to pay up to get their data back.
“While this may be helpful for some, there are significant risks. The Hidden Tear may be used only for Educational Purposes. Do not use it as a ransomware!” explained utkusen.
The hacker also developed a second open-source project for a ransomware dubbed EDA2. When the problem was discovered, Utku Sen removed all the files from the EDA2 project.
Recently another ransomware based on the open-source code has been detected in the wild. It has been dubbed “Magic” because it encrypts user files and adds a “.magic” extension to them.
Now the criminal gang behind the Magic ransomware has begun blackmailing Sen in an effort to shut down Hidden Tear. The group announced in a forum post that they are willing to provide victims with the decryption keys for free if Sen agrees to close his open-source ransomware projects.
Sen refused the condition and declared war on the blackmailers.
According to Sen, he deliberately inserted security flaws in both the Hidden Tear and EDA2 to sabotage cybercriminals using the proof-of-concept ransomware.
Sen’s plan worked for Hidden Tear, allowing the recovery of files encrypted by the Linux.Encoder and Cryptear.B ransomware, but it failed with EDA2.
Sen inserted vulnerabilities in EDA2’s control script so that decryption keys could be retrieved. The problem is that, despite the flaws, the only way to obtain the keys was to access the key database, which remained in the crooks’ hands: he had not implemented a mechanism to copy the key database from the storage used by the crooks to an archive under the researcher’s control.
It is not clear why the hackers behind the Magic ransomware blackmailed Sen; the only certainty is that they do not want the Hidden Tear project online. They also offered to help the victims if Sen removes Hidden Tear.
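The page does not say which flaws Sen planted in his two projects, so the following is an added illustration of the general class rather than Hidden Tear’s or EDA2’s own code: a key that looks random to the victim but is recoverable because it is fully determined by one small integer. The ransomware side derives its key from a non-cryptographic PRNG seeded with the infection time in seconds; the recovery side uses the encrypted file’s modification time to bound that seed, searches a window of seconds, and validates each candidate against a known plaintext magic. The SHA-256 counter-mode keystream standing in for AES, the PDF magic, the one-hour window and the timestamps are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import random
import secrets

# Known plaintext used to validate a candidate key: most file formats start
# with a fixed magic; a PDF header is assumed here.
MAGIC = b"%PDF-"


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode. It stands in for the AES the
    ransomware uses; the weakness demonstrated is in the key, not the cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def weak_key(infection_time: int) -> bytes:
    """The recoverable design: a non-cryptographic PRNG seeded with a
    one-second timestamp, so the 128-bit key is chosen from ~2^31 values."""
    return random.Random(infection_time).getrandbits(128).to_bytes(16, "big")


def strong_key() -> bytes:
    """What a non-recoverable version would use: 128 bits from the OS CSPRNG."""
    return secrets.token_bytes(16)


def recover_key(ciphertext: bytes, file_mtime: int, window: int = 3600) -> bytes | None:
    """Victim-side recovery: the encrypted file's modification time bounds the
    seed, so try every second in a window and keep the key that restores MAGIC."""
    head = ciphertext[: len(MAGIC)]
    for seed in range(file_mtime - window, file_mtime + window + 1):
        key = weak_key(seed)
        if xor_crypt(head, key) == MAGIC:
            return key
    return None


# Constructed scenario: infection at a fixed epoch second, file written 17 s later.
INFECTION_TIME = 1_450_000_000
PLAINTEXT = b"%PDF-1.4\n% constructed sample document\n"


def demo() -> bytes | None:
    """Encrypt the sample, then recover the key knowing only the file's mtime."""
    ciphertext = xor_crypt(PLAINTEXT, weak_key(INFECTION_TIME))
    key = recover_key(ciphertext, file_mtime=INFECTION_TIME + 17)
    return None if key is None else xor_crypt(ciphertext, key)


if __name__ == "__main__":
    print(demo())
```

With `weak_key` the search is a few thousand PRNG seedings; with `strong_key` there is no seed to search, so no file timestamp helps and the victim depends entirely on the operator’s key store, which is the situation Sen ran into with EDA2.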
The victims of the infamous TeslaCrypt ransomware can now rejoice: there is a free tool to decrypt files encrypted by TeslaCrypt and TeslaCrypt 2.0.
TeslaCrypt is one of the most insidious ransomware families first detected in the wild in 2015; today I have good news for its victims.
TeslaCrypt was first detected in February 2015, the ransomware was able to encrypt user data including files associated with video games. In July, a new variant appeared in the wild, TeslaCrypt 2.0, the authors improved the encryption mechanism.
Both strains of the ransomware, TeslaCrypt and TeslaCrypt 2.0, are affected by a security flaw that has been exploited by security experts to develop a free file decryption tool.
The design issue affects the encryption key storage algorithm; the flaw has been fixed in the new release, TeslaCrypt 3.0, which improves the malware significantly.
The security expert Lawrence Abrams published an interesting blog post detailing the issue, confirming that the decryption tool had been available for a while but that the news was withheld to avoid prompting countermeasures from the malware developers.
Since TeslaCrypt 3.0 resolves the issue, the research community decided to publish its decryption tools, e.g. TeslaCrack (https://github.com/Googulator/TeslaCrack).
“For a little over a month, researchers and previous victims have been quietly helping TeslaCrypt victims get their files back using a flaw in the TeslaCrypt’s encryption key storage algorithm. The information that the ransomware could be decrypted was being kept quiet so that the malware developer would not learn about it and fix the flaw. Since the recently released TeslaCrypt 3.0 has fixed this flaw, we have decided to publish the information on how a victim could generate the decryption key for encrypted TeslaCrypt files that have the extensions .ECC, .EZZ, .EXX, .XYZ, .ZZZ, .AAA, .ABC, .CCC, and .VVV. Unfortunately, it is currently not possible to decrypt the newer versions of TeslaCrypt that utilize the .TTT, .XXX, and .MICRO extensions,” wrote Abrams.
As explained in the post, files encrypted with the newer versions of TeslaCrypt are recognizable by the extension (.TTT, .XXX, and .MICRO) and cannot be decrypted.
TeslaCrypt encrypts files with AES, a symmetric algorithm that uses the same key for encryption and decryption. Abrams explained that the malware generated a new AES key each time it was restarted and stored information about that key in the header of every file encrypted during the session. The key was not written there in the clear; the header held a large number derived from it. Fortunately that number was small enough to be factored by specialized programs: the prime factors are extracted and then passed to other tools that recombine them to reconstruct the decryption key.
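The recovery Abrams describes, written out as an added example for this page rather than TeslaCrack’s own code: a constructed file header stores the product of the AES key and a second secret next to a value that commits to the key; the script factors the product, recombines subsets of the prime factors into candidates of the right size, and keeps the one matching the commitment. The group (arithmetic modulo the Mersenne prime 2^61 - 1 with generator 3), the 64-bit key size and the sample secrets are assumptions chosen so that plain trial division suffices. The real headers carry 512-bit products and secp256k1 public keys, and TeslaCrack hands the factoring step to external tools such as msieve or YAFU.

```python
from __future__ import annotations

from itertools import combinations

# Constructed toy parameters: a multiplicative group mod 2^61 - 1 stands in
# for the secp256k1 public key the real header carries (an assumption).
P = (1 << 61) - 1
G = 3
KEY_BITS = 64  # toy key size; the real tools recover a 256-bit AES key


def make_header(aes_key: int, session_secret: int) -> bytes:
    """Emit a constructed header of the vulnerable shape: a public value bound
    to the AES key (8 bytes), then aes_key * session_secret (16 bytes).
    Storing the product of two secrets is the flaw being exploited."""
    pub = pow(G, aes_key, P)
    return pub.to_bytes(8, "big") + (aes_key * session_secret).to_bytes(16, "big")


def parse_header(header: bytes) -> tuple[int, int]:
    """Split the header back into (public value, product)."""
    return int.from_bytes(header[:8], "big"), int.from_bytes(header[8:24], "big")


def factorize(n: int) -> list[int]:
    """Trial division with multiplicity; enough for the toy sizes used here."""
    factors = []
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        factors.append(n)
    return factors


def recover_key(header: bytes) -> int | None:
    """Recombine subsets of the prime factors into candidates of the right
    size and return the one whose public value matches the header."""
    pub, product = parse_header(header)
    primes = factorize(product)
    tried = set()
    for r in range(1, len(primes) + 1):
        for combo in combinations(primes, r):
            cand = 1
            for p in combo:
                cand *= p
            if cand in tried or cand.bit_length() > KEY_BITS:
                continue
            tried.add(cand)
            cofactor = product // cand
            # both factors of the product must be key-sized; prune the rest
            if cofactor.bit_length() <= KEY_BITS and pow(G, cand, P) == pub:
                return cand
    return None


# Constructed sample secrets: products of small numbers so trial division
# finishes instantly; nothing about them comes from a real infection.
AES_KEY = 65521 * 60013 * 52951 * 40009
SESSION_SECRET = 65519 * 49999 * 33331 * 20011

if __name__ == "__main__":
    header = make_header(AES_KEY, SESSION_SECRET)
    print(hex(recover_key(header)))
```

The subset search is exponential in the number of prime factors, which is why the real attack succeeded only when the product factored into few enough primes for the factoring tools to finish; the bit-length check on both the candidate and its cofactor is what keeps the candidate set small.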
Another interesting tool for decrypting the files is TeslaDecoder, it has been available for decrypting TeslaCrypt files since May 2015 and it has been updated to recover the encryption key for all TeslaCrypt variants.
Web scum build command and control mountain; bods mulls pending large-scale attacks.
Exploit kits are dominating the criminal hacking industry, but even though code fiends prefer colour-by-numbers cracking kits, that isn’t stopping them from assembling a vast command-and-control army: domain name servers linked to popular kits are up 75 percent in the third quarter compared with 2014, according to a report.
It could lead to a flood of attacks should web scum take advantage of the available command-and-control infrastructure.
Angler was the worst offender among exploit kits while the Matsnu domain generation algorithm played the biggest hand in the new command and control infrastructure.
Magnitude, Neutrino, and the popular Nuclear exploit kits helped bump the figures along in what was an increase on last year but a slight fall on the second quarter of 2015.
“The Infoblox DNS Threat Index in 2015 continues to remain well above the average for the previous two years, indicating that cybercriminals are continuing to expand their infrastructures,” say the authors of the Infoblox and IID report.
“Exploit kits and phishing remain significant components of the index because these techniques have been successful for malicious actors.”
The cost of buying into the exploit game has dropped from more than US$10,000 to about $1000 or less, depending on the kit.
As this reporter noted in June, security bods at Trustwave reckon web crims can clear a whopping US$84,000 a month for a paltry US$5400 outlay through the use of exploit kits to deliver malware and ransomware.
Crims would need to shell out US$3,000 for the ransomware, US$1800 for a hacked high traffic site, US$500 for an exploit kit like RIG and US$600 for anti-anti-virus fuzzers over a month to hit their profit targets.
Would you like a touch of Walter White with your malware?
Heimdal Security is reporting on a new ransomware campaign they’ve uncovered, which, at the time of this article, is still undetected by any of the 57 security products listed on Google’s VirusTotal antivirus aggregator.
This new ransomware wave is the fourth the company has detected in September alone, and although it uses traditional ransomware delivery methods, it is still evading detection by known cyber-security providers.
The campaign is being spread in Scandinavia using spam emails, which come with a Word document attached. This file is booby-trapped with a malicious macro that, when the document opens, executes and downloads the ransomware on the victim’s PC.
Ransomware: I am the one who knocks!
The ransomware then encrypts the user’s most important documents and renames them with the “.breaking_bad” file extension.
Access to the encrypted files is locked, and owners can regain their data only after they pay the ransom by sending emails to two different Gmail accounts.
While the “.breaking_bad” file extension and the two different Gmail accounts are an imaginative touch, the way the ransomware is delivered is quite trivial and is also used by many other malware campaigns, not just ransomware.
The same old Microsoft Word macro trick
On this very same day, we reported on the Dyreza banking trojan, which used a similar technique of packing malware download instructions inside Word macros.
Word macros have also been used by a Chinese hacking group to target Russian military bases just this summer. And attackers are also using them to deliver old-school Visual Basic malware inside Word documents.
The reason this technique is so beloved by the underground virus-making community is that it lets them create files that carry no malicious payload at all.
This is probably the reason why the ransomware campaign is currently undetected on VirusTotal. The Word documents look like any other Word documents, because they only contain “a few instructions to download a file from the Web” inside a macro. That file can be anything: an image, a CSS file, or a malware payload. Since the malware is not packed inside the Word file, scanning the attachment for a malicious payload finds nothing; the defence has to target the macro itself. Disable macros by policy for documents that come from the Internet, block or quarantine macro-enabled documents from unknown senders at the mail gateway, and educate users to stop opening random Word files received via the Internet from unknown people.
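A mail-gateway check for the delivery method described above, added here as an example (it is not Heimdal’s or any vendor’s code): it inspects each attachment as an Office Open XML package and flags documents whose [Content_Types].xml declares a macro-enabled main part or that contain a word/vbaProject.bin part, regardless of what the file is named. The message, the document and the placeholder vbaProject.bin are constructed with the standard library; a real vbaProject.bin is an OLE file holding the compressed VBA source, which a full scanner such as olevba would also parse for auto-open triggers and download calls.

```python
from __future__ import annotations

import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_PART = "word/vbaProject.bin"
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".pptm")


def build_document(with_macro: bool) -> bytes:
    """Constructed Office Open XML package (a zip). The vbaProject.bin here is
    only the OLE magic plus padding; a real one holds the compressed VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        main_type = MACRO_MAIN_TYPE if with_macro else PLAIN_MAIN_TYPE
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>',
        )
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


def build_message(attachment: bytes, filename: str, subtype: str) -> bytes:
    """Constructed inbound mail with one attachment, as a gateway would see it."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Faktura"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(attachment, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


def inspect_office_blob(blob: bytes) -> dict[str, bool]:
    """Look inside the zip: a vbaProject.bin part or a macroEnabled content
    type means the document can carry a macro, whatever the file is named."""
    findings = {"vba_project": False, "macro_enabled_type": False}
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            names = set(z.namelist())
            findings["vba_project"] = VBA_PART in names
            if "[Content_Types].xml" in names:
                findings["macro_enabled_type"] = MACRO_MAIN_TYPE.encode() in z.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        pass  # not an OOXML package (legacy .doc is an OLE file, not handled here)
    return findings


def scan_message(raw: bytes) -> list[str]:
    """Return a quarantine reason for every attachment that can run a macro."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    alerts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        blob = part.get_payload(decode=True) or b""
        found = inspect_office_blob(blob)
        reasons = [k for k, v in found.items() if v]
        if name.lower().endswith(MACRO_EXTENSIONS):
            reasons.append("macro extension")
        if reasons:
            alerts.append(f"quarantine {name}: {', '.join(reasons)}")
    return alerts


if __name__ == "__main__":
    raw = build_message(build_document(True), "invoice.docm", "vnd.ms-word.document.macroEnabled.12")
    print(scan_message(raw))
```

The content check matters more than the extension check: a macro-enabled package renamed to .docx still carries its vbaProject.bin, and the gateway does not need to know the payload URL inside the macro to decide that an unsolicited macro document should not reach a mailbox.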
Turkish security bod Utku Sen has published what appears to be the first open source ransomware that anyone can download and spread.
The “Hidden Tear” ransomware, available on GitHub, is a functional version of the malware the world has come to hate; it uses AES encryption to lock down files and can display a scare warning or ransom message to get users to pay up.
Sen says the malware will evade detection by all common anti-virus platforms.
“While this may be helpful for some, there are significant risks,” Sen says.
“Hidden Tear may be used only for educational purposes. Do not use it as a ransomware.”
One could envisage such “educational purposes” as entailing making the case for better backup systems for purse-holding superiors, but it is likely a hard case to state.
Github moderators will no doubt evaluate that claim. The site has not, at the time of writing, killed off the repository which may skirt the edges of its terms of service.
The malware is not nearly as slick as Cryptowall or Cryptolocker which sport unique Tor hidden service Bitcoin payment domains and have become a scourge of the internet in recent years.
In a video set to whimsical classical music, Sen demonstrates how the ransomware can encrypt and decrypt files leaving a text document note on the victim’s desktop.
It can encrypt a variety of files including word processor documents, spreadsheets, and Powerpoint.
Punters will need to have a web server capable of supporting scripting languages if they wish to test out the ransomware, Sen says.