
Ransomware Recap: Business as Usual after WannaCry Surge

30 May 2017

After the Week of WannaCry, the ransomware scene looks to be going back to normal, with the persistent ransomware known as Cerber (detected by Trend Micro as the RANSOM_CERBER family) jumping back into the limelight, this time using the that was discovered in early 2017. The campaign involved botnets sending malicious spam emails carrying Rich Text Format (RTF) files with a .doc extension inside zip attachments. The RTF files try to exploit the , remote code execution vulnerabilities in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office that was . These vulnerabilities are also currently being exploited by the notorious DRIDEX banking trojan.
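The disguise described above (an RTF file renamed to .doc inside a zip attachment) can be caught at the gateway by checking a member's magic bytes rather than its extension. The following is an added example, not code from the original post or from any vendor product; the sample archive is constructed inline.

```python
import io
import zipfile

# Magic bytes: RTF documents begin with "{\rtf"; real binary .doc files are OLE2 compound files.
RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_zip() -> bytes:
    """Constructed sample attachment: an RTF masquerading as .doc, a genuine OLE2 .doc, a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", b"{\\rtf1\\ansi constructed sample body}")
        zf.writestr("report.doc", OLE_MAGIC + b"\x00" * 64)
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


def classify_member(name: str, head: bytes) -> str:
    """Verdict for one archive member, based on the first bytes of its content, not its name."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if head.startswith(RTF_MAGIC):
        fmt = "rtf"
    elif head.startswith(OLE_MAGIC):
        fmt = "ole2"
    else:
        fmt = "other"
    # Word happily opens RTF content with a .doc extension, so this mismatch is the signal.
    if ext in ("doc", "dot") and fmt == "rtf":
        return "SUSPICIOUS: RTF content with Word extension"
    return f"ok: {fmt}"


def scan_zip_attachment(blob: bytes, max_member_size: int = 10 * 1024 * 1024) -> dict:
    """Inspect every member of an in-memory zip; oversized members are skipped (zip-bomb guard)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > max_member_size:
                results[info.filename] = "SKIPPED: member too large"
                continue
            with zf.open(info) as fh:
                head = fh.read(16)  # only the header is needed for the magic check
            results[info.filename] = classify_member(info.filename, head)
    return results


if __name__ == "__main__":
    for member, verdict in scan_zip_attachment(build_sample_zip()).items():
        print(f"{member}: {verdict}")
```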

Figure 1: Cerber’s new distribution method

The ransom note for this variant comes in three forms: a text file, an image file, and an HTML Application (HTA) file.

Fake “WannaCry”

It’s been a couple of weeks since the peak of WannaCry (detected by Trend Micro as RANSOM_WANA.A and RANSOM_WCRY.I), but a few ransomware families in circulation are still trying to take advantage of WannaCry’s high visibility.

Unlike the actual WannaCry ransomware, which had tremendous impact in terms of both scope and reach, fake WannaCry variants do much less, if any, damage. One such “ransomware” (detected by Trend Micro as Ransom_FAKEWCRY) discovered in May is a Microsoft Intermediate Language (MSIL) compiled executable that only contains code for the ransom note. It does not actually encrypt anything, nor does it lock the system. Instead, it simply displays a ransom note that looks similar to the one used by the real WannaCry. The ransom demand for this variant is $300:

Figure 2: “WannaCry” ransom note

Despite the lack of a malicious payload, this kind of scam can trick users into paying the ransom demand, especially if they are unaware of the real differences between the actual WannaCry ransomware and its copycats.

FrozrLock

FrozrLock (Ransom_FROZRLOCK) is a platform being peddled on the dark web for a relatively affordable amount of $220 in bitcoin. Potential clients who are interested in using FrozrLock must register on a specific website to obtain an account, after which they will have access to a ransom builder interface where they can customize certain aspects of the ransomware according to their specifications:

Figure 3: FrozrLock builder interface (Image courtesy of )

FrozrLock’s features include obfuscation with a renamed ConfuserEx 1.0 as well as the ability to delete shadow copies. In addition, it runs Windows' cipher.exe with the /w parameter to wipe free disk space, preventing recovery of the deleted shadow copies with undelete tools.
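The two recovery-inhibition steps just described (shadow copy deletion followed by a cipher.exe /w free-space wipe) leave a recognisable trail in process-creation telemetry. The following detection logic is an added example, not code from the original post; the events are constructed samples in the shape of a Sysmon Event ID 1 or EDR process feed, and the rule names are this example's own.

```python
import re

# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "image": r"C:\Windows\System32\cipher.exe",
     "cmdline": "cipher.exe /w:C:\\"},
    {"host": "ws02", "image": r"C:\Windows\System32\cipher.exe",
     "cmdline": "cipher.exe /e C:\\Users\\alice\\Documents"},   # benign EFS use, must not fire
    {"host": "ws03", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
]

# Each rule maps a command-line pattern to a tag; tags are then correlated per host.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("free_space_wipe", re.compile(r"cipher(\.exe)?\s+/w:", re.I)),  # cipher /w:<drive>
]


def match_event(event: dict) -> list:
    """Return the sorted, de-duplicated tags whose pattern matches this event's command line."""
    return sorted({tag for tag, rx in RULES if rx.search(event["cmdline"])})


def score_hosts(events: list) -> dict:
    """Correlate tags per host: both behaviours together is the FrozrLock-style sequence."""
    tags_by_host = {}
    for ev in events:
        for tag in match_event(ev):
            tags_by_host.setdefault(ev["host"], set()).add(tag)
    verdicts = {}
    for host, tags in tags_by_host.items():
        if {"shadow_copy_deletion", "free_space_wipe"} <= tags:
            verdicts[host] = "high: shadow copies deleted and free space wiped"
        elif "shadow_copy_deletion" in tags:
            verdicts[host] = "medium: shadow copies deleted"
        else:
            verdicts[host] = "low: free space wipe only"
    return verdicts


if __name__ == "__main__":
    for host, verdict in score_hosts(EVENTS).items():
        print(f"{host}: {verdict}")
```

Hosts with only routine cipher.exe use (such as ws02 above) produce no verdict at all, which keeps the rule quiet on EFS administration.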

XData

Ukraine has been a recent target of a new ransomware called XData (detected by Trend Micro as Ransom_SOREBRECT), which quickly spread throughout the country, locking systems and encrypting shared files using the PsExec tool.

While XData’s distribution method is still unclear, 95% of its victims have come from Ukraine, with some scattered reports of infections from Germany, Russia and Estonia. Once XData gains access to a user’s system, it uses the AES algorithm to encrypt files, appending the .~xdata~ extension. Files encrypted by XData cannot be decrypted without the victim paying the ransom:

Figure 4: XData ransom note

Although the ransomware stories for this week lack the hype seen during WannaCry’s peak, they go to show that ransomware threats are as varied as they are numerous. Familiar ransomware like Cerber continues to evolve, while new variants hit the scene. WannaCry served as a wake-up call for the public, and vigilance must be maintained to defend against this malware, as lesser-known ransomware can be just as effective and dangerous as high-profile families.

Ransomware Solutions:

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro Deep Discovery Email Inspector and InterScan Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security stops ransomware from reaching enterprise servers, whether physical, virtual, or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware.

For home users, Trend Micro Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the , which is designed to detect and remove screen-locker ransomware, as well as , which can decrypt certain variants of crypto-ransomware without paying the ransom or using the decryption key.
