KeRanger ransomware is now a menace for your Mac too

keranger-ransomware-attack-mac

Tags :- Avira Tech Support | Avira Support NumberAvira Refund.

Mac computers were attacked by KeRanger ransomware

As you know, ransomware is one of the fastest-growing types of cyber threats. It attacks by encrypting data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data. According to security experts, cyber criminals manage to get from their victims hundreds of millions of dollars a year, especially by targeting Microsoft Windows operating system.  Now it looks like they have just expanded their horizons.

Ryan Olson (Palo Alto Threat Intelligence Director)  confirmed the “KeRanger” malware, which appeared on 4th of March, was the first functioning ransomware attacking Apple’s Mac computers.

“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” said Olson in an interview for Reuters.

This time the attack vector was very specific since an affected user had to download a specific program which download website was compromised.

How did it happen?

Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog article posted on Sunday afternoon.

When users downloaded version 2.90 of Transmission, which was released on Friday, their Macs were infected with the ransomware, the blog said.

Apple’s immediate intervention over the weekend

Apple  had taken steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs. Other details were not provided yet.

Transmission, also, responded by removing the malicious version of its software from its website. On Sunday it released a version that its website said automatically removes the ransomware from infected Macs. Transmission users were advised to immediately install the new update, version 2.92, if they suspected they might be infected.

How the ransomware acts after infecting your Mac

Palo Alto said on its blog that KeRanger is programmed to stay quiet for three days after infecting a computer, then connect to the attacker’s server and start encrypting files so they cannot be accessed.

Once the encryption complete, KeRanger demands a ransom of 1 bitcoin, or about $400, the blog said.

Olson also mentioned that the victims whose machines were compromised but not cleaned up could start losing access to data on Monday, which is three days after the virus was loaded onto Transmission’s site.

Be safe under Avira’s umbrella right away

Our Free Antivirus for Mac is able to detect the new KeRanger ransomware on Apple computers. If you are already seeking for solutions to protect your Mac against ransomware attacks.

Source : blog.avira.com

Avira Tech Support : Blog

Locky ransomware is dead, long live Locky

ransomware_is_dead_long_live_locky

Tags :- Avira Tech Support | Avira Support NumberAvira Refund.

The first wave of Locky has passed, but the ransomware is still being distributed globally and within the DACH region. While this secondary distribution seems to be smaller than the first wave, the financial success of this malware for its authors and distributors gives us some clues as to what features will likely be included in the NEXT rounds of malware. “Follow the money” was the key phrase in All the President’s Men, Robert Redford’s classic film on Watergate — and this very much applies to malware. These clues from Locky are a mix of technical, distribution, and operational features – and should be a warning for computer users and companies planning their defensive strategies.

1. Drive me baby – Locky encrypted all drives on computers and networks – even the unmapped drives and shares. This expanded reach for encryption is expected to be included in future ransomware variants.

Response: Have a solid backup plan in place, ideally with a cloud service, as they offer file versioning and rollbacks. For consumers, having a spare HDD/SSD for a local backup is fine – but only if the harddisk is disconnected after the backup is finished. This also protects the backup against damage from other dangers like lightning-caused electrical surges.

2. New money from old tricks – Locky went to work by directly using macros in Word documents – and also by tossing in a bit of social engineering to get document recipients to activate the macros. That is quite old school – but it worked and was profitable for the cybercriminals.

Response: While zero-day threats are sexy, don’t forget to do the basic protection against continuing vulnerabilities such as macro manipulation. Consider enabling only digitally signed Office macros and disabling the rest. For corporate networks, this can be done in a way where end users are not able to see this option.

3. What the FUD! – In the early moments of the Locky onslaught, security publications pointed out the low detection scores in VirusTotal by most antivirus companies. This is a valid – but incomplete – look at the situation. We consider Locky to be FUD-level malware (Fully Undetected Malware), which means that the malware files were “optimized” until no AV scanner detected them anymore. Cybercriminals are testing their malware samples against the publicly available detection in VirusTotal – or against private and internal testing systems that in a similar way. The low detection scores have to be read with caution. Only some of the AV firms have cloud detection or other advanced detection methods in their products enabled on VirusTotal – sometimes, just as in poker, it is better to not show your full capabilities.

Response: Be skeptical about everything and always keep your eyes open.

4. Wisdom from the cloud – Avira detects Locky on several layers within its cloud detection and analysis. At the Auto Dump layer, Locky is being detected after layers of obfuscation have been removed. In the Night Vision machine learning layer, files are scored according to around 7,000 features, allowing us to catch malware in a very efficient way. In case that other detection layers catch the malware first, the Night Vision system will dynamically learn about the sample within a few minutes, and subsequently cover variants of this malware sample. In addition, the cloud analysis is out of reach for the cybercriminals.

Response: For complete protection, make sure that the cloud protection in your AV is fully activated. We feel this is so important, we’ve automatically included our consumer users in the APC. Corporate clients must, for data protection issues, sign off that they approve the EULA before stepping into the APC.

Source : blog.avira.com

Avira Tech Support : Blog

Ransomware “Tesla”: Are ransomware writers kidding us?

ransomware_avira

Tags :- Avira Tech Support | Avira Support NumberAvira Refund.

Most of us have probably seen e-mails like the one below in our inbox at one point or another:

phising

This is basically the typical phishing email sent out by cybercriminals. They want to get the victim with “evil” social engineering: In order to succeed they try and make the user open the invoice using scare tactics like unpaid bills, invoices, lost packages, and so on. The icing on the cake is the attached copy of the “invoice” so it can be opened ASAP.

In comparison to the other phishing emails we received before, they don’t insert the original “Tesla” ransomware file anymore. Instead they put an obfuscated JavaScript file inside the archive. Cool! That makes them more flexible than ever before.

java_obf

The obfuscation is a pretty good one from my point of view. It doesn’t allow anyone to understand what’s going on. But nothing is perfect … enough ;-). It may take several tries but you can decode the script. This easy decryption leads me to the conclusion that they have automated its creation. Well, it seems that even the world of the criminals is changing.

An interesting fact is that to deploy ransomware, no knowledge of any programming language is needed anymore: Everything is offered ready to go on the darknet for anyone who is willing to pay. You can read a cool article I wrote on this topic over here.

java_dec

But let’s get back to the malicious script. It’s just a downloader. It shows the download source for the “Tesla” ransomware, where it will be stored on the system (e.g. %temp%), and it also takes care of running the binary after running some “quality checks” like file size.

Interesting? I believe so, because the criminals have changed the way they ensure that the ransomware is downloaded to the victim’s computer. They now also have the possibility to use different URLs as sources. And, last but not least, it seems to be easier for them to deploy new scripts than to make adjustments to the binary itself when it comes to by-passing antivirus solutions in order to stay undetected. With more samples to choose from they have more possibilities to successfully infect your device.

You might be confused about the last sentence, but let me explain: Once we analyzed the Tesla ransomware file in more detail, it seemed like they didn’t invest any additional time in their “Tesla” ransomware files itself. The latest and newest binaries which we have received and analyzed are already covered by our detections from more than three years ago! That’s friggin’ old-school  🙂 !

how to restore small

Nope, that’s no joke. We’ve also seen that – after executing yet another script –  instead of the Tesla ransomware binary, the latest Avira launcher is being downloaded. We know that they took our launcher and put it on their commanding control server.

launcher

Please note: You should know that we NEVER collaborate with cybercriminals or force something like this! We also don’t spread malware with our launcher! But we want to say thanks to everyone who wants to promote our product for better protected world detections nonetheless! 🙂

In the end it shows us once again how strong our detection pattern is when it comes to daily threats. It’s funny to find “new” samples which we’ve already been detecting for more than 3 years. But anyway, don’t forget our Avira Protection Cloud: in combination with our main antivirus, it becomes a powerful tool and a much stronger protective shield! So, ENABLE the Avira Protection Cloud in our product – and live free.

Source : blog.avira.com

Avira Tech Support : Blog