The Hacker News — Cyber Security, Hacking, Technology News

Security researchers have spotted the first-ever ransomware exploiting Process Doppelgänging, a new fileless code injection technique that could help malware evade detection.

The Process Doppelgänging attack takes advantage of a built-in Windows function, i.e., NTFS Transactions, and an outdated implementation of Windows process loader, and works on all modern versions of Microsoft Windows OS, including Windows 10.

Process Doppelgänging attack works by using NTFS transactions to launch a malicious process by replacing the memory of a legitimate process, tricking process monitoring tools and antivirus into believing that the legitimate process is running.

If you want to know more about how Process Doppelgänging attack works in detail, you should read this article I published late last year.

Shortly after the Process Doppelgänging attack details went public, several threat actors were found abusing it in an attempt to bypass modern security solutions.

Security researchers at Kaspersky Lab have now found the first ransomware, a new variant of SynAck, employing this technique to evade its malicious actions and targeting users in the United States, Kuwait, Germany, and Iran.
Initially discovered in September 2017, the SynAck ransomware uses complex obfuscation techniques to prevent reverse engineering, but researchers managed to unpack it and shared their analysis in a blog post.

An interesting thing about SynAck is that this ransomware does not infect people from specific countries, including Russia, Belarus, Ukraine, Georgia, Tajikistan, Kazakhstan, and Uzbekistan.

To identify the country of a specific user, the SynAck ransomware matches keyboard layouts installed on the user's PC against a hardcoded list stored in the malware. If a match is found, the ransomware sleeps for 30 seconds and then calls ExitProcess to prevent encryption of files.

SynAck ransomware also prevents automatic sandbox analysis by checking the directory from where it executes. If it found an attempt to launch the malicious executable from an 'incorrect' directory, SynAck won't proceed further and will instead terminate itself.

Once infected, just like any other ransomware, SynAck encrypts the content of each infected file with the AES-256-ECB algorithm and provides victims a decryption key until they contact the attackers and fulfill their demands.
SynAck is also capable of displaying a ransomware note to the Windows login screen by modifying the LegalNoticeCaption and LegalNoticeText keys in the registry. The ransomware even clears the event logs stored by the system to avoid forensic analysis of an infected machine.

Although the researchers did not say how SynAck lands on the PC, most ransomware spread through phishing emails, malicious adverts on websites, and third-party apps and programs.

Therefore, you should always exercise caution when opening uninvited documents sent over an email and clicking on links inside those documents unless verifying the source in an attempt to safeguard against such ransomware infection.

Although, in this case, only a few security and antivirus software can defend or alert you against the threat, it is always a good practice to have an effective antivirus security suite on your system and keep it up-to-date.

Last but not the least: to have a tight grip on your valuable data, always have a backup routine in place that makes copies of all your important files to an external storage device that isn't always connected to your PC.

Ransomware has been around for a few years, but it has become an albatross around everyone's neck, targeting big businesses, hospitals, financial institutions and individuals worldwide and extorting millions of dollars.

Last year, we saw some major ransomware outbreaks, including WannaCry and NotPetya, which wreaked havoc across the world, hitting hundreds of thousands of computers and business networks worldwide.

From small to mid-range businesses, Microsoft Office 365 remains the most widely used and fastest-growing work office suite, so it's no surprise that it has become a primary target for viruses, ransomware, and phishing scams.

In fact, most strains of ransomware target Microsoft productivity apps such as Word, Excel and encrypt sensitive data to hold the company hostage until the ransom is paid.

Now, to combat such cyber attacks, Microsoft has announced some new security features for Office 365 that can help users mitigate the damage done by ransomware and other malware infections.

The new features were initially introduced for OneDrive for Business, but that the company is now rolling them out to anyone who has signed up for an Office 365 Home or Personal subscription, Microsoft Office blog says.

Here below I have briefed the list of new features:

File Recovery and Anti-Ransomware

• Files Restore—Microsoft Office 365 now allows users to restore entire OneDrive to a previous point in time within the last 30 days. This feature can be used to recover files from an accidental mass delete, file corruption, ransomware, or any catastrophic event.

• Ransomware detection & recovery—Office 365 had also introduced a new security feature that detects ransomware attacks and alerts you through an email, mobile, or desktop notification while helping you restore your OneDrive to a point before the malware compromised files.

Security and Privacy Features

Office 365 has added three new features to help keep your confidential or personal data (such as tax documents, family budgets, or a new business proposal) secure and private when sharing them online.

• Password protected sharing links—This feature allows you to set a password for your shared file and folders, preventing unauthorized access even if your recipient accidentally forwards protected documents to others.

• Email encryption—This feature allows users to send/receive end-to-end encrypted emails in Outlook over a secure connection, providing additional protection to minimize the threat of being intercepted.

• Prevent forwarding—Microsoft now enables you to restrict your email recipients from forwarding or copying emails you send to them from Outlook. Besides this, any MS Office document attached to your emails will remain encrypted even after downloading, so if the recipient shares your attachment with others, they will not be able to open it.

Advanced Protection from Viruses and Cybercrime

• Advanced link checking in Word, Excel, and PowerPoint—Office 365 also offers built-in real-time web protection, which monitors every link you click in Word, Excel, and PowerPoint and notifies you if it is suspicious.

File Recovery and Anti-Ransomware features began rolling out starting today and will be available to all Office 365 users soon, while features to help keep your information secure and private (including password protected sharing links, email encryption, and prevent forwarding) will start rolling out in the coming weeks.

Advanced link checking and advanced attachment scanning are already available in MS Outlook that protects you from previously unseen viruses and phishing scams in real-time. However, advanced link checking in Word, Excel, and PowerPoint will roll out in the second half of 2018.

Remember how some cybercriminals shut down most of Washington D.C. police's security cameras for four days ahead of President Donald Trump's inauguration earlier this year?

Just a few days after the incident, British authorities arrested two people in the United Kingdom, identified as a British man and a Swedish woman, both 50-year-old, on request of U.S. officials.

But now US federal court affidavit has revealed that two Romanian nationals were behind the attack that hacked into 70% of the computers that control Washington DC Metropolitan Police Department's surveillance camera network in January this year, CNN reports.

The two suspects—Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28—were arrested in Bucharest on December 15 on charges of conspiracy to commit wire fraud and various forms of computer fraud.

According to the criminal complaint unsealed in Washington, the pair hacked 123 of the Metropolitan Police Department's 187 outdoor surveillance cameras used to monitor public areas in D.C. by infecting computers with ransomware in an effort to extort money.

Ransomware is an infamous piece of malicious software that has been known for locking up computer files and then demanding a ransom (usually in Bitcoins) to help victims unlock their files.

The cyber attack occurred just days before the inauguration of President Donald Trump and lasted for almost four days, eventually leaving the CCTV cameras out of recording anything between 12 and 15 January 2017.

Instead of fulfilling ransom demands, the DC police department took the storage devices offline, removed the infection and rebooted the systems across the city, ensuring that the surveillance camera system was secure and fully operational.

"This case was of the highest priority due to its impact on the Secret Service’s protective mission and its potential effect on the security plan for the 2017 Presidential Inauguration," the Justice Department said.

"The investigation revealed no evidence that any person’s physical security was threatened or harmed due to the disruption of the MPD surveillance cameras."

The affidavit, dated December 11, mentions the defendants used two types of cryptocurrency ransomware variants—Cerber and Dharma. Other evidence also revealed a scheme to distribute ransomware by email to at least 179,000 email addresses.

"According to the complaint, further investigation showed that the two defendants, Isvanca and Cismaru, participated in the ransomware scheme using the compromised MPD surveillance camera computers, among others," the Justice Department said.

"The investigation also identified certain victims who had received the ransomware or whose servers had been accessed during the scheme."

However, it is still unclear whether the pair arrested was solely behind the attack or were part of a more comprehensive cybercriminal network.

While Isvanca remains in custody in Romania, Cismaru is under house arrest pending further legal proceedings, according to the Justice Department.

If extradited and convicted, the Romanian defendants could face a maximum of 20 years in prison.

Romanian police have arrested five individuals suspected of infecting tens of thousands of computers across Europe and the United States in recent years by spreading two infamous ransomware families—Cerber and CTB Locker.

Under Operation Bakovia—a major global police operation conducted by Europol, the FBI and law enforcement agencies from Romanian, Dutch, and the UK—raided six houses in East Romania and made five arrests, Europol said on Wednesday.

Authorities have seized a significant amount of hard drives, external storage, laptops, cryptocurrency mining devices, numerous documents and hundreds of SIM cards during the raid.

One thing to note is that all of the five suspects were not arrested for developing or maintaining the infamous ransomware strains, but for allegedly spreading CTB Locker and Cerber.

Based on CryptoLocker, CTB Locker, aka Critroni, was the most widely spread ransomware families in 2016 and was the first ransomware to use the Tor anonymizing network to hide its command and control servers.

Emerged in March 2016, Cerber ransomware works on ransomware-as-a-service (RaaS) model that helped it to gain widespread distribution, allowing any would-be hacker to spread the malware in exchange for 40% of each ransom amount paid.
While CTB Locker helped criminals made $27 million in ransom, Cerber was ranked by Google as the most criminally profitable ransomware that helped them earned $6.9 million up in July 2017.

As with most ransomware, CTB Locker and Cerber distributors were using the most common attack vectors, such as phishing emails and exploit kits.

"In early 2017, the Romanian authorities received detailed information from the Dutch High Tech Crime Unit and other authorities that a group of Romanian nationals was involved in sending spam messages," Europol said in its press release.

"The spam messages intended to infect computer systems and encrypt their data with the CTB-Locker ransomware aka Critroni. Each email had an attachment, often in the form of an archived invoice, which contained a malicious file. Once this attachment was opened on a Windows system, the malware encrypted files on the infected device."

Although the authorities did not release the actual identities of the arrested individuals yet, Europol released a dramatic video of the arrests, where you can see how armed officers stormed the suspects' residence.

A massive malicious email campaign that stems from the world's largest spam botnet Necurs is spreading a new strain of ransomware at the rate of over 2 million emails per hour and hitting computers across the globe.

The popular malspam botnet Necrus which has previously found distributing Dridex banking trojan, Trickbot banking trojan, Locky ransomware, and Jaff ransomware, has now started spreading a new version of Scarab ransomware.

According to F-Secure, Necurs botnet is the most prominent deliverer of spam emails with five to six million infected hosts online monthly and is responsible for the biggest single malware spam campaigns.

Scarab ransomware is a relatively new ransomware family that was initially spotted by ID Ransomware creator Michael Gillespie in June this year.

Massive Email Campaign Spreads Scarab Ransomware

According to a blog post published by security firm Forcepoint, the massive email campaign spreading Scarab ransomware virus started at approximately 07:30 UTC on 23 November (Thursday) and sent about 12.5 million emails in just six hours.

The Forcepoint researchers said "the majority of the traffic is being sent to the .com top-level domain (TLD). However, this was followed by region-specific TLDs for the United Kingdom, Australia, France, and Germany."

The spam email contains a malicious VBScript downloader compressed with 7zip that pulls down the final payload, with one of these subject lines:

• Scanned from Lexmark
• Scanned from Epson
• Scanned from HP
• Scanned from Canon

As with previous Necurs botnet campaigns, the VBScript contained a number of references to the widely watched series Game of Thrones, like the strings 'Samwell' and 'JohnSnow.'

The final payload is the latest version of Scarab ransomware with no change in filenames, but it appends a new file extension with ".[suupport@protonmail.com].scarab" to the encrypted files.

Once done with the encryption, the ransomware then drops a ransom note with the filename "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT" within each affected directory.

The ransom note does not specify the amount being demanded by the criminals; instead, it merely states that "the price depends on how fast you [the victim] write to us."

However, Scarab ransomware offers to decrypt three files for free to prove the decryption will work: "Before paying you can send us up to 3 files for free decryption."

Protection Against Ransomware

To safeguard against such ransomware infection, you should always be suspicious of any uninvited document sent over an email and should never click on links provided in those documents unless verifying the source.

Most importantly, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC in order to always have a tight grip on all your important files and documents.

Moreover, make sure that you run an active anti-virus solution on your system, and always browse the Internet safely.

Earlier this month a cybersecurity researcher shared details of a security loophole with The Hacker News that affects all versions of Microsoft Office, allowing malicious actors to create and spread macro-based self-replicating malware.

Macro-based self-replicating malware, which basically allows a macro to write more macros, is not new among hackers, but to prevent such threats, Microsoft has already introduced a security mechanism in MS Office that by default limits this functionality.

Lino Antonio Buono, an Italian security researcher who works at InTheCyber, reported a simple technique (detailed below) that could allow anyone to bypass the security control put in place by Microsoft and create self-replicating malware hidden behind innocent-looking MS Word documents.

What's Worse? Microsoft refused to consider this issue a security loophole when contacted by the researcher in October this year, saying it's a feature intended to work this way only—just like MS Office DDE feature, which is now actively being used by hackers.

New 'qkG Ransomware' Found Using Same Self-Spreading Technique

Interestingly, one such malware is on its way to affect you. I know, that was fast—even before its public disclosure.

Just yesterday, Trend Micro published a report on a new piece of macro-based self-replicating ransomware, dubbed "qkG," which exploits exactly the same MS office feature that Buono described to our team.

Trend Micro researchers spotted qkG ransomware samples on VirusTotal uploaded by someone from Vietnam, and they said this ransomware looks "more of an experimental project or a proof of concept (PoC) rather than a malware actively used in the wild."

The qkG ransomware employs Auto Close VBA macro—a technique that allows executing malicious macro when victim closes the document.
The latest sample of qkG ransomware now includes a Bitcoin address with a small ransom note demanding $300 in BTC as shown.

It should be noted that the above-mentioned Bitcoin address hasn't received any payment yet, which apparently means that this ransomware has not yet been used to target people.

Moreover, this ransomware is currently using the same hard-coded password: "I’m QkG@PTM17! by TNA@MHT-TT2" that unlocks affected files.

Here's How this New Attack Technique Works

In order to make us understand the complete attack technique, Buono shared a video with The Hacker News that demonstrates how an MS Word document equipped with malicious VBA code could be used to deliver a self-replicating multi-stage malware.

If you are unaware, Microsoft has disabled external (or untrusted) macros by default and to restrict default programmatic access to Office VBA project object model, it also offers users to manually enable "Trust access to the VBA project object model," whenever required.
With "Trust access to the VBA project object model" setting enabled, MS Office trusts all macros and automatically runs any code without showing security warning or requiring user's permission.

Buono found that this setting can be enabled/disabled just by editing a Windows registry, eventually enabling the macros to write more macros without user's consent and knowledge.
As shown in the video, a malicious MS Doc file created by Buono does the same—it first edits the Windows registry and then injects same macro payload (VBA code) into every doc file that the victim creates, edits or just opens on his/her system.

Victims Will be Unknowingly Responsible for Spreading Malware Further

In other words, if the victim mistakenly allows the malicious doc file to run macros once, his/her system would remain open to macro-based attacks.

Moreover, the victim will also be unknowingly responsible for spreading the same malicious code to other users by sharing any infected office files from his/her system.

This attack technique could be more worrisome when you receive a malicious doc file from a trusted contact who have already been infected with such malware, eventually turning you into its next attack vector for others.

Although this technique is not being exploited in the wild, the researcher believes it could be exploited to spread dangerous self-replicating malware that could be difficult to deal with and put an end.

Since this is a legitimate feature, most antivirus solutions do not flag any warning or block MS Office documents with VBA code, neither the tech company has any plans of issuing a patch that would restrict this functionality.

Buono suggests "In order to (partially) mitigate the vulnerability it is possible to move the AccessVBOM registry key from the HKCU hive to the HKLM, making it editable only by the system administrator."

The best way to protect yourself from such malware is always to be suspicious of any uninvited documents sent via an email and never click on links inside those documents unless adequately verifying the source.

A new widespread ransomware worm, known as "Bad Rabbit," that hit over 200 major organisations, primarily in Russia and Ukraine this week leverages a stolen NSA exploit released by the Shadow Brokers this April to spread across victims' networks.

Earlier it was reported that this week's crypto-ransomware outbreak did not use any National Security Agency-developed exploits, neither EternalRomance nor EternalBlue, but a recent report from Cisco's Talos Security Intelligence revealed that the Bad Rabbit ransomware did use EternalRomance exploit.

NotPetya ransomware (also known as ExPetr and Nyetya) that infected tens of thousands of systems back in June also leveraged the EternalRomance exploit, along with another NSA's leaked Windows hacking exploit EternalBlue, which was used in the WannaCry ransomware outbreak.

Bad Rabbit Uses EternalRomance SMB RCE Exploit

Bad Rabbit does not use EternalBlue but does leverage EternalRomance RCE exploit to spread across victims' networks.

Microsoft and F-Secure have also confirmed the presence of the exploit in the Bad Rabbit ransomware.

EternalRomance is one of many hacking tools allegedly belonged to the NSA's elite hacking team called Equation Group that were leaked by the infamous hacking group calling itself Shadow Brokers in April this year.

EternalRomance is a remote code execution exploit that takes advantage of a flaw (CVE-2017-0145) in Microsoft's Windows Server Message Block (SMB), a protocol for transferring data between connected Windows computers, to bypass security over file-sharing connections, thereby enabling remote code execution on Windows clients and servers.

Along with EternalChampion, EternalBlue, EternalSynergy and other NSA exploits released by the Shadow Brokers, the EternalRomance vulnerability was also patched by Microsoft this March with the release of a security bulletin (MS17-010).

Bad Rabbit was reportedly distributed via drive-by download attacks via compromised Russian media sites, using fake Adobe Flash players installer to lure victims' into install malware unwittingly and demanding 0.05 bitcoin (~ $285) from victims to unlock their systems.

How Bad Rabbit Ransomware Spreads In a Network

According to the researchers, Bad Rabbit first scans the internal network for open SMB shares, tries a hardcoded list of commonly used credentials to drop malware, and also uses Mimikatz post-exploitation tool to extract credentials from the affected systems.

Bad Rabbit can also exploit the Windows Management Instrumentation Command-line (WMIC) scripting interface in an attempt to execute code on other Windows systems on the network remotely, noted EndGame.

However, according to Cisco's Talos, Bad Rabbit also carries a code that uses EternalRomance, which allows remote hackers to propagate from an infected computer to other targets more efficiently.

"We can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel’s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor," Talos researchers wrote.

"Both actions are possible due to the fact that EternalRomance allows the attacker to read/write arbitrary data into the kernel memory space."

Is Same Hacking Group Behind Bad Rabbit and NotPetya?

Since both Bad Rabbit and NotPetya uses the commercial DiskCryptor code to encrypt the victim's hard drive and "wiper" code that could erase hard drives attached to the infected system, the researchers believe it is "highly likely" the attackers behind both the ransomware outbreaks are same.

"It is highly likely that the same group of hackers was behind BadRabbit ransomware attack on October the 25th, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017," Russian security firm Group IB noted.

"Research revealed that the BadRabbit code was compiled from NotPetya sources. BadRabbit has same functions for computing hashes, network distribution logic and logs removal process, etc."

NotPetya has previously been linked to the Russian hacking group known as BlackEnergy and Sandworm Team, but since Bad Rabbit is primarily targeting Russia as well, not everyone seems convinced with the above assumptions.

How to Protect Yourself from Ransomware Attacks?

In order to protect yourself from Bad Rabbit, users are advised to disable WMI service to prevent the malware from spreading over your network.

Also, make sure to update your systems regularly and keep a good and effective anti-virus security suite on your system.

Since most ransomware spread through phishing emails, malicious adverts on websites, and third-party apps and programs, you should always exercise caution before falling for any of these.

Most importantly, to always have a tight grip on your valuable data, keep a good backup routine in place that makes and saves copies of your files to an external storage device that isn't always connected to your PC.

A new widespread ransomware attack is spreading like wildfire around Europe and has already affected over 200 major organisations, primarily in Russia, Ukraine, Turkey and Germany, in the past few hours.

Dubbed "Bad Rabbit," is reportedly a new Petya-like targeted ransomware attack against corporate networks, demanding 0.05 bitcoin (~ $285) as ransom from victims to unlock their systems.

According to an initial analysis provided by the Kaspersky, the ransomware was distributed via drive-by download attacks, using fake Adobe Flash players installer to lure victims' in to install malware unwittingly.

"No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. We’ve detected a number of compromised websites, all of which were news or media websites." Kaspersky Lab said.

However, security researchers at ESET have detected Bad Rabbit malware as 'Win32/Diskcoder.D' — a new variant of Petya ransomware, also known as Petrwrap, NotPetya, exPetr and GoldenEye.

Bad Rabbit ransomware uses DiskCryptor, an open source full drive encryption software, to encrypt files on infected computers with RSA 2048 keys.
ESET believes the new wave of ransomware attack is not using EternalBlue exploit — the leaked SMB vulnerability which was used by WannaCry and Petya ransomware to spread through networks.

Instead it first scans internal network for open SMB shares, tries a hardcoded list of commonly used credentials to drop malware, and also uses Mimikatz post-exploitation tool to extract credentials from the affected systems.

The ransom note, shown above, asks victims to log into a Tor onion website to make the payment, which displays a countdown of 40 hours before the price of decryption goes up.

The affected organisations include Russian news agencies Interfax and Fontanka, payment systems on the Kiev Metro, Odessa International Airport and the Ministry of Infrastructure of Ukraine.

Researchers are still analyzing Bad Rabbit ransomware to check if there is a way to decrypt computers without paying ransomware and how to stop it from spreading further.

How to Protect Yourself from Ransomware Attacks?

Kaspersky suggest to disable WMI service to prevent the malware from spreading over your network.

Most ransomware spread through phishing emails, malicious adverts on websites, and third-party apps and programs.

So, you should always exercise caution when opening uninvited documents sent over an email and clicking on links inside those documents unless verifying the source to safeguard against such ransomware infection.

Also, never download any app from third-party sources, and read reviews even before installing apps from official stores.

To always have a tight grip on your valuable data, keep a good backup routine in place that makes their copies to an external storage device that isn't always connected to your PC.

Make sure that you run a good and effective anti-virus security suite on your system, and keep it up-to-date.

We don't really know the pain and cost of a downtime event unless we are directly touched.

Be it a flood, electrical failure, ransomware attack or other broad geographic events; we don't know what it is really like to have to restore IT infrastructure unless we have had to do it ourselves.

We look at other people's backup and recovery issues and hope we are smarter or clever enough to keep it from happening to us.

Recovery from a downtime event includes inconvenience, extra work, embarrassment and yes, real pain.

A ransomware attack is a good example.

Unitrends—an American company specialised in backup and business continuity solutions—recently shared with us a real cyber-attack incident happened with one of their customers to describe the required steps they took to recover functionality following a CryptoLocker attack against a US city.

Also, how it cost city's Governance team days of production and hundreds of man-hours to recover.

The Challenge

Issaquah is a small city of 30,434 people in Washington, United States. According to Forbes, they are the 2nd fastest growing suburb in the state of Washington.

John T, IT Manager leads a team of five employees who execute all IT initiatives co-developed with the city's IT Governance team. John's team manages all technology, from phones, networks, servers, desktops, applications and cloud services.

The city has only two IT staff dedicated to infrastructure.

"We are spread so thin that logs are not monitored consistently," reports John. "We are slowly recovering from a decade of underinvestment in IT and have a large backlog of software, hardware and network upgrades."

Part of that underinvestment is that they continued to rely on a tape drive that was ten years old using Backup Exec.

They continued to stumble along until they were hit with a CryptoLocker ransomware attack.

The Infection

Here below find the complete story shared by John with us:

In the final analysis, we believe the ransomware attack originated from a "drive-by" where a single city employee visited and opened a .pdf file that had been compromised on a grant coordination site run by a non-profit. This is not an uncommon risk—a small company or organisation website that doesn’t have IT funding to keep up with the security risks in today’s lightspeed world.

Most entries in the User’s Log file were harmless, though the way this virus worked, it could have been downloaded at any time but still needed to be executed by the user. It could have been sitting on the hard drive for weeks (looking like a .pdf) before being executed, though we would need to interview the user to see if she remembers anything like this. This ransomware appeared to disable our anti-virus systems, and is known to remove all traces once finished.

This virus ran only in PC memory and did not turn up on any other devices in our system. It only attacked Microsoft Office, image, .pdf, and text files in folders on the user’s PC and file shares to which the user had to write access. It stopped encrypting files once the PC was restarted in safe mode. The lack of propagation could have been a result of either the virus being designed to reside solely in memory to prevent triggering alarms or because our anti-virus software intercepted it at other devices as it attempted to propagate.

The physical server that hosted the file also hosted five critical virtual application servers. After careful analysis, it was determined these were not compromised. We immediately moved these virtual machines onto a different host. This was done prior to kicking off the server restore to reduce processor and NIC load on the file server host.

When we began the file server restore process it quickly became apparent it would take a long time… four days as it turned out. A quick analysis revealed we had no other options to restore the file server. The backup.exe device did work and never failed or stopped during the restore process. It seems the scale of the restore was too big for the device capacity and it had to chunk the workout, making the process very long.

Fortunately for us, the attack had happened on a Thursday, so only Thursday and Friday office productivity was lost. Even so, our users were very negatively impacted and quite upset (as were we). This led to funding being released to move to a modern backup appliance.

The Real Cost to Recover from a Ransomware Attack

John said senior executives agreed to fund an upgrade to the backup system, and after a vendor selection process, his team chose what it felt was the best combination of features and capacity with reasonable costs.

If the same Ransomware attack occurred today with data backed up on the Unitrends Recovery Series 933S appliance the results would have been much different.

First, the attack would have been discovered very quickly as all Unitrends appliances include predictive analytic software and machine learning that will automatically recognise the effects of ransomware on backup files.

An email would then automatically be sent to administrators warning of the attack and identifying the affected files. Then the disaster recovery plan they had in place would be executed.

Secondly, deleting, reinstalling affected files and restarting affected servers would take minutes, not hours and probably not four days.

Critical applications could have been spun up instantly on the backup appliance using the last good backups made before the infection. This would greatly limit the negative impact on employees and office productivity.

The Results

There have been several backup and recovery incidents since the Unitrends Appliance was installed, reported John.

"We have used our backup appliance to recover files that were accidentally deleted by end users. We had also used it to recover virtual machines when we had a host system failure. The downtime in the latter case was limited to staff response time as the mission-critical backup VM was up in less than five minutes!"

"We also plan on moving to the cloud very soon since the Unitrends appliance comes with integrated cloud software. The biggest benefits we expect to see from the cloud are low-cost off-site storage, the ability to recover applications in the cloud if needed as a DraaS feature, and access from anywhere in case of a natural disaster type emergency."

"We now have peace of mind knowing that we can recover quickly when needed. We also have increased shared team knowledge on backup and DR with the easy-to-use user interface."

Remember NotPetya?

The Ransomware that shut down thousands of businesses, organisations and banks in Ukraine as well as different parts of Europe in June this year.

Now, Ukrainian government authorities are once again warning its citizens to brace themselves for next wave of "large-scale" NotPetya-like cyber attack.

According to a press release published Thursday by the Secret Service of Ukraine (SBU), the next major cyber attack could take place between October 13 and 17 when Ukraine celebrates Defender of Ukraine Day (in Ukrainian: День захисника України, Den' zakhysnyka Ukrayiny).

Authorities warn the cyber attack can once again be conducted through a malicious software update against state government institutions and private companies.

The attackers of the NotPetya ransomware also used the same tactic—compromising the update mechanism for Ukrainian financial software provider called MeDoc and swapping in a dodgy update including the NotPetya computer virus.

The virus then knocked computers in Ukrainian government agencies and businesses offline before spreading rapidly via corporate networks of multinational companies with operations or suppliers in eastern Europe.

Presentation by Alexander Adamov, CEO at NioGuard Security Lab

The country blamed Russia for the NotPetya attacks, while Russia denied any involvement.

Not just ransomware and wiper malware, Ukraine has previously been a victim of power grid attacks that knocked its residents out of electricity for hours on two different occasions.

The latest warning by the Ukrainian secret service told government and businesses to make sure their computers and networks were protected against any intrusion.

"SBU notifies about preparing for a new wave of large-scale attack against the state institutions and private companies. The basic aim—to violate normal operation of information systems, that may destabilize the situation in the country," the press release reads. 

"The SBU experts received data that the attack can be conducted with the use of software updating, including public applied software. The mechanism of its realization will be similar to cyber-attack of June 2017."

To protect themselves against the next large-scale cyber attack, the SBU advised businesses to follow some recommendations, which includes:

• Updating signatures of virus protection software on the server and in the workstation computers.
• Conducting redundancy of information, which is processed on the computer equipment.
• Providing daily updating of system software, including Windows operating system of all versions.

Since the supply chain attacks are not easy to detect and prevent, users are strongly advised to keep regular backups of their important files on a separate drive or storage that are only temporarily connected for worst case scenarios.

Most importantly, always keep a good antivirus on your system that can detect and block any malware intrusion before it can infect your device, and keep it up-to-date for latest infection-detection.

CompTIA, a global provider of vendor-neutral IT certifications, offers a wide range of popular certifications such as A+, Network+, Cloud+, Linux+, and Security+ certifications [...]

DoubleLocker—as the name suggests, it locks device twice.

Security researchers from Slovakia-based security software maker ESET have discovered a new Android ransomware that not just encrypts users’ data, but also locks them out of their devices by changing lock screen PIN.

On top of that:

DoubleLocker is the first-ever ransomware to misuse Android accessibility—a feature that provides users alternative ways to interact with their smartphone devices, and mainly misused by Android banking Trojans to steal banking credentials.

"Given its banking malware roots, DoubleLocker may well be turned into what could be called ransom-bankers," said Lukáš Štefanko, the malware researcher at ESET.

"Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom."

Researchers believe DoubleLocker ransomware could be upgraded in future to steal banking credentials as well, other than just extorting money as ransom.

First spotted in May this year, DoubleLocker Android ransomware is spreading as a fake Adobe Flash update via compromised websites.

Here's How the DoubleLocker Ransomware Works:

Once installed, the malware requests user for the activation of 'Google Play Services' accessibility feature, as shown in the demonstration video.

After obtaining this accessibility permission, the malware abuses it to gain device's administrator rights and sets itself as a default home application (the launcher)—all without the user's knowledge.

"Setting itself as a default home app – a launcher – is a trick that improves the malware's persistence," explains Štefanko.

"Whenever the user clicks on the home button, the ransomware gets activated, and the device gets locked again. Thanks to using the accessibility service, the user does not know that they launch malware by hitting Home."

Once executed, DoubleLocker first changes the device PIN to a random value that neither attacker knows nor stored anywhere and meanwhile the malware encrypts all the files using AES encryption algorithm.

DoubleLocker ransomware demands 0.0130 BTC (approximately USD 74.38 at time of writing) and threatens victims to pay the ransom within 24 hours.

If the ransom is paid, the attacker provides the decryption key to unlock the files and remotely resets the PIN to unlock the victim's device.

How to Protect Yourself From DoubleLocker Ransomware

According to the researchers, so far there is no way to unlock encrypted files, though, for non-rooted devices, users can factory-reset their phone to unlock the phone and get rid of the DoubleLocker ransomware.

However, for rooted Android devices with debugging mode enabled, victims can use Android Debug Bridge (ADB) tool to reset PIN without formatting their phones.

The best way to protect yourself from avoiding falling victims to such ransomware attacks is to always download apps from trusted sources, like Google play Store, and stick to verified developers.

Also, never click on links provided in SMS or emails. Even if the email looks legit, go directly to the website of origin and verify any possible updates.

Moreover, most importantly, keep a good antivirus app on your smartphone that can detect and block such malware before it can infect your device, and always keep it and other apps up-to-date.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!

Whenever we feel like the Locky ransomware is dead, the notorious threat returns with a bang.

Recently, researchers from two security firms have independently spotted two mass email campaigns, spreading two different, but new variants of the Locky ransomware.

Lukitus Campaign Sends 23 Million Emails in 24 Hours

The campaign spotted by researchers at AppRiver sent out more than 23 million messages containing Locky ransomware in just 24 hours on 28 August across the United States in what appears to be one of the largest malware campaigns in the second half of this year.

According to the researchers, the emails sent out in the attack were "extremely vague," with subjects lines such as "please print," "documents," "images," "photos," "pictures," and "scans" in an attempt to convince victims into infecting themselves with Locky ransomware.

The email comes with a ZIP attachment (hiding the malware payload) that contains a Visual Basic Script (VBS) file nested inside a secondary ZIP file.

Once a victim tricked into clicking it, the VBS file starts a downloader that downloads the latest version of the Locky ransomware, called Lukitus (which means "locked" in Finnish), and encrypts all the files on the target computer, and appends [.]lukitus to the encrypted data.

After encryption process ends, the malware displays a ransomware message on the victim's desktop that instructs the victim to download and install Tor browser and visit the attacker's site for further instructions and payments.

This Locky Lukitus variant demands a sum of 0.5 Bitcoin (~$2,300) from victims to pay for a "Locky decryptor" in order to get their files back.

This Lukitus attack campaign is still ongoing, and AppRiver researchers had "quarantined more than 5.6 million" messages in the campaign on Monday morning.

Sadly, this variant is impossible to decrypt as of now.

2nd Locky Campaign Sends over 62,000 Emails

In separate research, security firm Comodo Labs discovered another massive spam campaign earlier in August, which sent out over 62,000 spam emails containing a new variant of Locky ransomware in just three days in the first stage of the attack.

Dubbed IKARUSdilapidated, the second variant of Locky ransomware has been distributed using 11,625 different IP addresses in 133 different countries—likely made of a botnet of "zombie computers" to conduct coordinated phishing attacks.

According to security researchers at Comodo, "this is a large-scale, email-based ransomware attack in which a new Trojan malware variant appears as an unknown file and can slip into unsuspecting and unprepared organizations' infrastructures."

The original attack that was first identified on August 9 and lasted three days utilized spam email messages that also contained a malicious Visual Basic Script (VBS) attachment, which if clicked, follows the same functioning as mentioned in the above case.

The cyber criminals operating Locky's IKARUSdilapidated variant demands ransom between 0.5 Bitcoin (~$2,311) and 1 Bitcoin (~$4,623) to get their encrypted files back.

This massive Locky ransomware campaign targets "tens of thousands" of users across the globe, with the top five countries being Vietnam, India, Mexico, Turkey, and Indonesia.

Here's How to Protect Yourself From Ransomware Attacks

Ransomware has become one of the biggest threats to both individuals and enterprises with the last few months happening several widespread ransomware outbreaks, including WannaCry, NotPetya, and LeakerLocker.

Currently, there is no decryptor available to decrypt data locked by above Locky ransomware variants, so users are strongly recommended to follow prevention measures in an attempt to protect themselves.

Beware of Phishing emails: Always be suspicious of uninvited documents sent via an email and never click on links inside those documents unless verifying the source.

Backup Regularly: To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.

Keep your Antivirus software and system Up-to-date: Always keep your antivirus software and systems updated to protect against latest threats.

"Ransomware" threat is on the rise, and cyber criminals are making millions of dollars by victimizing as many people as they can—with WannaCry, NotPetya and LeakerLocker being the ransomware threats that made headlines recently.

What's BAD? Hacker even started selling ransomware-as-a-service (RaaS) kits in an attempt to spread this creepy threat more easily, so that even a non-tech user can create their own ransomware and distribute the threat to a wider audience.

The WORSE—You could see a massive increase in the number of ransomware campaigns during the next several months—thanks to new Android apps available for anyone to download that let them quickly and easily create Android ransomware with their own devices.

Security researchers at Antivirus firm Symantec have spotted some Android apps available on hacking forums and through advertisements on a social networking messaging service popular in China, which let any wannabe hacker download and use Trojan Development Kits (TDKs).

How to Create Your Own Android Ransomware

With an easy-to-use interface, these apps are no different from any other Android app apart from the fact that it allows users to create their custom mobile malware with little to no programming knowledge.

To create customized ransomware, users can download one such app (for an obvious reason we are not sharing the links), install and open it, where it offers to choose from the following options, which are displayed on the app's on-screen form:

The message that is to be shown on the locked screen of the infected device

• The key to be used to unlock that infected device
• The icon to be used by their malware
• Custom mathematical operations to randomize the code
• Type of animation to be displayed on the infected device

Once all of the information has been filled in, users just require hitting the "Create" button.

If the user hasn't before, the app will prompt him/her to subscribe to the service before proceeding. The app allows the user to start an online chat with its developer where he/she can arrange a one-time payment.

After the payment has been made, the "malware is created and stored in the external storage in ready-to-ship condition," and then the user can continue with the process, making as many as victims as the user can.

"Anyone unlucky enough to be tricked into installing the malware will end up with a locked device held to ransom," Symantec researchers say. 

"The malware created using this automation process follows the typical Lockdroid behavior of locking the device’s screen with a SYSTEM_ALERT_WINDOW and displaying a text field for the victim to enter the unlock code."

The Lockdroid ransomware has the ability to lock the infected device, change the device PIN, and delete all of its user data through a factory reset, and even prevent the user from uninstalling the malware.

Such apps allow anyone interested in hacking and criminal activities to develop a ready-to-use piece of ransomware malware just by using their smartphones without any need to write a single line of code.

"However, these apps are not just useful for aspiring and inexperienced cyber criminals as even hardened malware authors could find these easy-to-use kits an efficient alternative to putting the work in themselves," the researchers say.

So, get ready to expect an increase in mobile ransomware variants in coming months.

How to Protect Your Android Devices from Ransomware Attacks

In order to protect against such threats on mobile devices, you are recommended to:

• Always keep regular backups of your important data.
• Make sure that you run an active anti-virus security suite of tools on your machine.
• Avoid downloading apps from unknown sites and third-party app stores.
• Always pay close attention to the permissions requested by an app, even if it is downloaded from an official app store.
• Do not open any email attachments from unknown sources.
• Finally, browse the Internet safely.

One of the most devastating aspects of the recent WannaCry ransomware attack was its self-propagating capability exploiting a vulnerability in the file access protocol, SMB v1.

Most enterprises defences are externally-facing, focused on stopping incoming email and web attacks. But, once attackers gain a foothold inside the network through malware, there are very few security controls that would prevent the spread of the attack between enterprise locations in the Wide Area Network (WAN).

This is partly due to the way enterprises deploy security tools, such as IPS appliances, and the effort needed to maintain those tools across multiple locations.

It’s for those reasons Cato Networks recently introduced a context-aware Intrusion Prevention System (IPS) as part of its secure SD-WAN service. There are several highlights in this announcement that challenge the basic concept of how IT security maintains an IPS device and sustains the effectiveness of its protection.

Cato Networks is a cloud-based, SD-WAN service provider that uniquely integrates network security into its SD-WAN offering.

The Cato IPS is fully converged with Cato’s other security services, which include next generation firewall (NGFW), secure web gateway (SWG), URL filtering, and malware protection.

With the IPS roll out, Cato continues its march towards providing secure networking everywhere while simplifying the overall IT stack for the enterprise.

Cato Networks IPS as a Service

With IPS as a service, Cato takes care of the work previously spent managing and maintaining the IPS appliances including sizing, capacity planning, patching, and signature management.

These are a complex task because IPS appliance performance is impacted by the mix of encrypted and unencrypted traffic and the number of active attack signatures.

Normally, IT professionals must spend time carefully calculating the effectiveness of a signature and its performance impact to avoid slowing-down traffic due to IPS appliance overload.

Cato addresses both issues. The Cato IPS leverages its elastic cloud platform to inspect any mix of encrypted and unencrypted traffic in real-time.

The decision of which signatures to deploy is made by the experts of Cato Research Labs. They consider the relevancy of the threat and the best way to describe it to the system. Often, an existing signature may already cover a specific attack vector.

New Kind of Signatures With Context-Aware Protection

The Cato IPS has another unique capability. Because it operates in the same software stack as all other network and security services and within a cloud network, it can access a rich set of context attributes.

This forms a foundation for very sophisticated signatures that are hard to compose with stand-alone IPS devices. The use of rich context makes Cato IPS signatures more accurate and more effective.

Context attributes include the application being accessed and the client being used to access it, user identity, geolocation, IP and domain reputation, the file type exchanged, and DNS activity associated with the session.

Cato shared on its blog how Cato IPS stopped the spread of the Wannacry ransomware across sites, and how Cato IPS detected command-and-control communication at one of its customer locations.

Interestingly, the IPS can extend its protection across sites and users without the need to deploy distributed appliances, another benefit of the system.

If you are a distributed enterprise and constraint by your ability to support a complex networking and security environment, Cato’s approach can improve your security posture while keeping overhead to a minimum.

Disclosure: This is a sponsored post from Cato Networks, and it is really coming at a great time because we were just thinking to share with you about how to prevent Wannacry like attacks from spreading across the enterprise networks.

Ukrainian authorities have arrested a 51-year-old man accused of distributing the infamous Petya ransomware (Petya.A, also known as NotPetya) — the same computer virus that massively hit numerous businesses, organisations and banks in Ukraine as well as different parts of Europe around 45 days ago.

However, the story is not as simple as it seems, which portrayed this man as a criminal. I recommend you to read complete article to understand the case better and then have an opinion accordingly.

Sergey Neverov (Сергей Неверов), father of two sons and the resident of the southern city of Nikopol, is a video blogger and computer enthusiast who was arrested by the Ukrainian police on Monday, August 7 from his home.

What Neverov Did?

According to a press release published on Thursday by the Ukrainian cyber police department, Neverov uploaded a video, showing how to infect a computer with Petya.A ransomware—and also shared a download link for NotPetya malware to his social media account.

After searching Neverov's home, the authorities seized his computers and other equipment, which were later analysed by the officers from the Ukrainian cyber-crime department, who discovered some files containing the malicious software.

However, the police confirmed that Neverov was neither the actual author of the NotPetya virus, nor he was behind the massive ransomware attack that crippled many businesses and banks in this summer.

The authorities charged Neverov of spreading a copy of NotPetya virus via his social media account that eventually infected at least 400 computers in Ukraine, and also believe that he had helped tax evaders — directly or indirectly.

Companies Intentionally Infected Their Computers to Avoid Paying Taxes & Fines

If you are not aware, 30th June was the last date in Ukraine for filing tax returns and unfortunately, during the same time NotPetya outcry began that encrypted sensitive files and documents for several businesses and organisations across the country.

Since firms that were infected by the virus were unable to submit tax reports on time and liable for paying huge fines for late submissions, the head of the parliamentary committee on tax and customs, Nina Yuzhanina, gave affected taxpayers some relief (through a statement on his Facebook profile) by extending the last date to 31st December, 2017.

Police believe the malware sample distributed by Neverov is being used by some businesses to deliberately infect their systems to avoid paying taxes on time as well as late tax return penalty.

Is Neverov a Hacker or Computer Enthusiast?

However, the story has another angle that indicates charges on Neverov are baseless.

As I mentioned, Neverov is a video-blogger with 11,000 followers on YouTube, who loves to play with computers and publish review videos on computer hardware and gadgets for informational purposes.

Neverov never tried to hide his identity, and even in some of his videos, he revealed his face and the exact GPS location to his house in Nikopol, which suggests that he had nothing to hide, neither his intentions were wrong.

When NotPetya outcry hit his country, Neverov got curious about the ransomware and started studying about the malware to understand how it works and to find a way to recover infected files without paying ransom to the attackers.
To get started, he downloaded a sample of NotPetya ransomware from the Internet and tested it on his computer, just like other malware analysts do.

In fact, while recording a video of the NotPetya infection to demonstrate its impact on a targeted computer, he failed two times in infecting his own computer.

When succeeded in the third attempt, Neverov uploaded the copy of NotPetya malware on file hosting website and shared the link on his social media account just for the informational purpose, saying "use at your own risk."

Moreover, it is important to note that Neverov would not be gaining any profit by distributing the ransomware because of NotPetya has been designed to blackmail victims into paying ransom amount to a specific Bitcoin address that belongs to the original attackers only.

If Convicted, Neverov Could Face 3 Years In Prison

Neverov, the computer enthusiast, has now been charged under article 361 (part 1) of the Criminal Code of Ukraine, which says:

"Unauthorized interference with the work of electronic computing machines (computers), automated systems, computer networks or telecommunication networks, ...which led to the leak, loss, fake, blocking information, distortion of the information processing or violation the established order it's routing."

Although this sanction provides maximum punishment of up to two years in prison, Neverov has been threatened to face up to three years in jail, according to the official comments from the law enforcement authorities.

The case seems somewhat similar to the one currently being faced by Marcus Hutchins, also known as MalwareTech, who gained famed for stopping the WannaCry ransomware.

Hutchins was arrested by the FBI while he was travelling to his home after attending Def Con event in the United States and has been charged with creating and distributing a banking malware.

Since Hutchins is a malware researcher, many infosec community members believe possibly a proof-of-concept code written and published by him publicly was re-used by the criminals to create the banking malware, which mistakenly framed him as the criminal mastermind.

Hutchins is set to face a hearing in the US district court on 14 August, so we still have to wait for more information about his case.

Greek police have arrested a Russian man who is believed to have been the operator of the popular BTC-e Bitcoin exchange on charges of laundering more than $4 billion in bitcoin for culprits involved in hacking attacks, tax fraud and drug trafficking.

A United States jury indicted 38-year-old Alexander Vinnik on Wednesday after his arrest in Greece on Tuesday at the request of US law enforcement authorities. The suspect is one of the operators of BTC-e, a service operational since 2011.

Headquartered in Russia, the digital currency exchange has been offline since the arrest of Vinnik, and its homepage says, "Site is under maintenance. We apologize for the inconvenience.."

According to a press release published by the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN), BTC-e ignored "know your customer" laws in an effort to serve criminals, and even hosted message boards buzzing with illegal activities.
The FinCEN also announced a $110 million penalty against BTC-e for facilitating crimes along with a separate $12 Million fine against Vinnik.

BTC-e Linked to Collapse of Mt. Gox Bitcoin Exchange

This case is really important for the law enforcement because it could reveal the possible culprit behind the collapse of the once-very popular Japanese bitcoin exchange Mt. Gox, which was shut down in 2014 following a massive series of mysterious robberies, which totalled at least $375 million in Bitcoin.

According to the U.S. Department of Justice, Vinnik obtained funds from the hacker or insider who stole bitcoins from Mt. Gox and sent them to a bitcoin wallet controlled by Vinnik, who intentionally laundered them through BTC-e, over a period of three years.

"After the coins entered Vinnik's wallets, most were moved to BTC-e and presumably sold off or laundered (BTC-e money codes were a popular choice). In total some 300,000 BTC ended up on BTC-e," according to WizSec, a Japanese security firm that has long been investigating the Mt. Gox case.

"To be clear, this investigation turned up evidence to identify Vinnik not as a hacker/thief but as a money launderer; his arrest news also suggests this is what he is being suspected for. He may have merely bought cheap coins from thieves and offered a laundering service."

Vinnik arrest is the latest in a series of US investigations against Russian cybercriminals in Europe, following the shutdown of two of the biggest dark web marketplaces, AlphaBay and Hansa, last week.

While Greek police described Vinnik as "an internationally sought ‘mastermind’ of a crime organisation," United States authorities accused him of facilitating crimes including hacking, identity theft, tax refund fraud, public corruption and drug trafficking.

Vinnik is to be charged with operation of an unlicensed money service business, conspiracy to commit money laundering, money laundering, and engaging in unlawful monetary transactions.

If found guilty, the suspect could face up to 55 years in prison, together with a $500,000 fine or twice the value of the property involved in the transaction for each count.

Bad news for Android users — Decompiled source code of for one of the oldest mobile and popular Android ransomware families has been published online, making it available for cyber criminals who can use it to develop more customised and advanced variants of Android ransomware.

Decompiled source code for the SLocker android ransomware, which saw a six-fold increase in the number of new versions over the past six months, has just been published on GitHub and is now available to anyone who wants it.

The SLocker source code has been published by a user who uses 'fs0c1ety' as an online moniker and is urging all GitHub users to contribute to the code and submit bug reports.

SLocker or Simple Locker is mobile lock screen and file-encrypting ransomware that encrypts files on the phone and uses the Tor for command and control (C&C) communication. The malware also posed as law enforcement agencies to convince victims into paying the ransom.

Famous for infecting thousands of Android devices in 2016, security researchers discovered more than 400 new variants of SLocker ransomware in the wild in May, and just after a month, the nasty Android ransomware was spotted copying the GUI of WannaCry.

Once infected, SLocker runs silently in the background of a victim's device without their knowledge or consent and encrypts images, documents and videos on mobile devices.

Once it has encrypted files on the device, the Android ransomware hijacks the phone, blocking its user access completely, and attempts to threaten the victim into paying a ransom to unlock it.

Why Should You Worry?

Being in action from 2015, SLocker stands out as one of the first ransomware samples to encrypt Android files. The malware has modified beyond just locking screens and demanding payment to taking over administrative rights and controlling the device's microphone, speakers, and the camera.

And now since the source code of this nasty Android ransomware has been released online on GitHub, Android devices are most likely to receive an increasing number of ransomware attacks in upcoming days.

The leaked source code would be a golden opportunity for those who always look for such opportunities as these kinds of malware programs are only offered for sale in underground forums, but SLocker is now accessible to cybercriminals and fraudsters for FREE.

Earlier this year, researchers discovered a variant of BankBot banking trojan in the wild which was developed using the leaked source code for the malware on an underground hacking forum.

Last year, the source code for the MazarBot (improved version of GM Bot) was also leaked online by its author in order to gain reputation on an underground forum.

How to Protect Yourself?

As I previously mentioned, users are always advised to follow some basic precautions in order to protect themselves against such threats:

• Never open email attachments from unknown sources.
• Never click on links in SMS or MMS messages.
• Even if the email looks legit from some company, go directly to the source website and verify any possible updates.
• Go to Settings → Security, and Turn OFF "Allow installation of apps from sources other than the Play Store."
• Always keep your Android devices, apps and Antivirus app up-to-date.
• Avoid unknown and unsecured Wi-Fi hotspots and keep Wi-Fi switched off when not in use.