Regulator acts on leasing of ‘global title’ numbers after industry efforts to tackle problem were ineffective
The UK communications regulator Ofcom is banning mobile operators from leasing numbers that can be used by criminals to intercept and divert calls and messages, including security codes sent by banks to customers.
Ofcom said it would stop the leasing of “global titles”, special types of phone numbers used by mobile networks to support services to make sure messages and calls reach the intended recipient.
A lot of organizations have some sort of application development program and it is highly likely that developers will utilize Visual Studio for their development…
Jordan Drysdale // Overview The following description of some of Impacket’s tools and techniques is a tribute to the authors, SecureAuthCorp, and the open-source effort to maintain and extend the code. […]
Raymond Felch // Being an embedded firmware engineer for most of my career, I quickly became fascinated when I learned about reverse engineering firmware using JTAG. I decided to […]
PSCrypt is ransomware first discovered last year, in 2017, targeting users and organisations alike in Ukraine, and the malware itself is based on GlobeImposter ("GI") ransomware.
In this quick blog post, we'll take a look at the latest iteration of PSCrypt.
Analysis
A file named "xls.scr", which sports a fancy "energy" or "power" icon is responsible for loading PSCrypt on the machine, and was spread via a phishing campaign.
As mentioned earlier, PSCrypt is based on GlobeImposter and as such, has very similar functionality.
The following folders are excluded from being encrypted:
Avast, Avira, COMODO, Chrome, Common Files, Dr.Web, ESET, Internet Explorer, Kaspersky Lab, McAfee, Microsoft, Microsoft Help, Microsoft Shared, Microsoft.NET, Movie Maker, Mozilla Firefox, NVIDIA Corporation, Opera, Outlook Express, ProgramData, Symantec, Symantec_Client_Security, Windows, Windows App Certification Kit, Windows Defender, Windows Kits, Windows Mail, Windows Media Player, Windows Multimedia Platform, Windows NT, Windows Phone Kits, Windows Phone Silverlight Kits, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell, Wsus, YandexBrowser, ntldr, spytech software, sysconfig, system volume information
This iteration of PSCrypt will encrypt all files, including executables, except those files with the following extensions:
.$er,.4db,.4dd,.4d,.4mp,.abs,.abx,.accdb,.accdc
As usual, a temporary batch file will be used to clear Volume Shadow Copies as well as Event Logs:
Figure 2 - Batch file
What's new in this iteration of PSCrypt is not only the changes implemented by/via GlobeImposter ransomware, but also the ransom note itself, as noted in Figure 3 and 4 below:
Figure 3 - Ransomware note, part 1
Figure 4 - Ransomware note, part 2
The title of the ransom note is "Ваші файли тимчасово зашифрувати! Не хвилюйтесь!", which translates to "Your files are temporarily encrypted! Do not worry!".
The Ukrainian version is rather lenghty, and is as follows:
☠ ВАШІ ФАЙЛИ ТИМЧАСОВО НЕДОСТУПНІ.☠ ВАШІ ДАНІ БУЛИ ЗАШІВРОВАННИ! Для відновлення даних потрібно дешифратор. Щоб отримати дешифратор, ви повинні, оплатити послуги розшифровки: Оплата відбувається за коштами біткойн на кошелек № 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9 Вартість послуги складає 150$ Оплату можна провести в терміналі IBox. або виберіть один з обмінних сайтів на сторінці - https://www.bestchange.ru/privat24-uah-to-bitcoin.html (приклад обмін Приват24 на BTC) також можете скористатися послугами https://e-btc.com.ua Додаткова інформація: Програма можемо дешифрувати один файл як доказ того, що у неї є декодер. Для цього необхідно надіслати зашифрований файл - вагою не більше 2 mb, и ваш уникальный идентификационный код, на пошту: systems32x@gmail.com Более детальная инструкция по оплате: https://btcu.biz/main/how_to/buy Увага! Всі файли розшифровуються тільки після 100% оплати Ви дійсно отримуєте дешифратор після оплати Не намагайтеся видалити програму або запустити антивірусні інструменти це може ускладнити вам роботу Спроби самодешіфрованія файлів приведуть до втрати ваших даних Декодери інших користувачів не сумісні з вашими даними, оскільки унікальний ключ шифрування кожного користувача. За запитом користувачів, надаємо контакти клієнтів, які вже користувалися послугами нашого сервісу. ОБОВ'ЯЗКОВО ЗАПИШІТЬ РЕЗЕРВНІ КОНТАКТИ ДЛЯ ЗВ'ЯЗКУ: systems32x@gmail.com - основний systems32x@yahoo.com - резервний Додаткові контакти: systems32x@tutanota.com - (якщо відповіді не прийшло після 24-х годин) help32xme@usa.com - (якщо відповіді не прийшло після 24-х годин) Additional.mail@mail.com - (якщо відповіді не прийшло після 24-х годин) З повагою Unlock files LLC 33530 1st Way South Ste. 102 Federal Way, WA 98003 United States
Google Translation, so pretty loose - I've made some minor corrections however:
☠ YOUR FILES ARE TEMPORARILY UNAVAILABLE YOUR DATA WAS LOCKED! To restore data you need a decoder. To receive a decoder, you must pay for decoding services: Payment is made at the expense of bitcoin to wallet number 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9 Service cost is $ 150 Payment can be made at the terminal IBox. or select one of the exchange sites on the page - https://www.bestchange.ru/privat24-uah-to-bitcoin.html (example exchange of Privat24 to the BTC), you can also use the services of https://e-btc.com.ua. Additional Information: The program can decrypt one file as proof that it has a decoder. To do this, you need to send an encrypted file weighing no more than 2 mb and your unique identification code by mail: systems32x@gmail.com More detailed payment instructions: https://btcu.biz/main/how_to/buy WARNING! All files are decrypted only after 100% payment You really get a decoder after payment Do not try to uninstall a program or run antivirus tools, which can complicate your work Attempts to self-decrypt files will result in the loss of your data Other users' decoders are not compatible with your data, as the unique encryption key for each user. At the request of users, we provide contact with customers who have already used the services of our service. MUST REQUEST BACK TO CONTACTS FOR CONNECTION: systems32x@gmail.com - basic systems32x@yahoo.com - backup Additional contacts: systems32x@tutanota.com - (if the answer did not arrive after 24 hours) help32xme@usa.com - (if the answer did not arrive after 24 hours) Additional.mail@mail.com - (if the answer did not arrive after 24 hours)
The English version is rather short and to the point:
ALL DATA IS ENCRYPTED! For decoding, write to the addresses:systems32x@gmail.com - Basic systems32x@yahoo.com - backup Additional contacts: systems32x@tutanota.com - (if the answer did not arrive after 24 hours) help32xme@usa.com - (if the answer did not arrive after 24 hours) Additional.mail@mail.com - (if the response did not arrive after 24 hours)
The cost for restoring service is, interestingly enough, expressed in US dollars this time ($150), as opposed to Ukrainian currency in a previous iteration.
However, the images which included IBox instructions (as payment method) have been removed, and while IBox is still suggested as a service, there's also a new website introduced to pay via Bitcoin using E-BTC.
E-BTC is a Ukrainian service which is "the most reliable and simple service for buying and selling Bitcoins and also the best partner for entering and withdrawing funds to the WEX stock exchange."
It also promises full anonymity.
Back to the ransomware. Encrypted files will have the .docs extension appended, for example Jellyfish.jpg becomes Jellyfish.jpg.docs.
The last iteration of PSCrypt was observed in 2017, but it appears it has now returned to try and coerce users and organisations to pay the ransomware.
As usual, follow the prevention tips here to stay safe, but the rule of thumbs are as always:
Do not pay, unless there is imminent danger of life
Create regular backups, and do not forget to test if they work
Ransomnix is a (supposedly Jigsaw, but not really) ransomware variant that holds websites for ransom, and encrypts any files associated with the website.
This ransomware was discovered in the second half of 2018, and there's a brief write-up by Amigo-A here as well: Ransomnix ransomware
In this blog post, we'll discuss a newer variant.
Analysis
Several encrypted websites were discovered, which display the following message:
Figure 1 - Ransom message, part 1
Figure 2 - Ransom message, part 2
The full message is as follows:
JIGSAW RANSOMNIX 2018 I WANT TO PLAY A GAME! Now Pay 0.2 BTC OR Payment will increase by 0.1 BTC each day after 00:00:00 Your Key Will Be Deleted Your Bill till now 2.4000000000000004 BTC Dear manager, on Fri Apr 06 2018 02:08:34 GMT+0100 (GMT Summer Time) your database server has been locked, your databases files are encrypted and you have unfortunately "lost" all your data, Encryption was produced using unique public key RSA-2048 generated for this server. To decrypt files you need to obtain the private key. All encrypted files ends with .Crypt Your reference number: 4027 To obtain the program for this server, which will decrypt all files, you need to pay 0.2 bitcoin on our bitcoin address 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o (today 1 bitcoin was around 15000 $). After payment send us your number on our mail crypter@cyberservices.com and we will send you decryption tool (you need only run it and all files will be decrypted during a few hours depending on your content size). Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it! It's your guarantee that we have decryption tool. (use your reference number as a subject to your message) We don't know who are you, All what we need is some money. Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter and write us again. You can use one of that bitcoin exchangers for transfering bitcoin. https://localbitcoins.com https://www.kraken.com You dont need install bitcoin programs - you need only use one of this exchangers or other exchanger that you can find in www.google.com for your country. Please use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language. You do not have enough time to think each day payment will increase by 0.1 BTC and after one week your privite key will be deleted and your files will be locked for ever.
People use cryptocurrency for bad choices, but today you will have to use it to pay for your files! It's your choice!
The following JavaScript is responsible for keeping track of the price, and increasing it:
Figure 3 - JS function
The starting price is set at 0.2 BTC, but will increase every day with 0.1 BTC thanks to two functions: inprice and startTimer.
Note that the start_date variable, 1522976914000, is the epoch timestamp in milliseconds, which converted is indeed Friday 6 April 2018 01:08:34, as mentioned in the ransom note.
Ransomware message details:
BTC Wallet: 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o
Email: crypter@cyberservices.com
Extension: .Crypt
Files will be encrypted, as claimed by the cybercriminals, with RSA-2048.
If possible, restore the website from a backup, and consequently patch your website, this means: install all relevant and security patches for your CMS, and plugins where applicable.
Then, change all your passwords. Better be safe than sorry.
It is currently unknown if decryption is possible. If you have an example of an encrypted file, please do upload it to ID Ransomware and NoMoreRansom, to see if decryption is possible, or if a decryptor can be developed.
Prevention
For preventing ransomware that attacks your websites, you can follow my prevention tips here.
General ransomware prevention tips can be found here.
Conclusion
Ransomware can in theory be installed on everything; whether it's your machine, your website, or your IoT device. Follow the prevention tips above to stay safe.
Remember: create backups, regularly, and test them as well.
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us the e-mail: MastersRecovery@protonmail.com and send personal ID KEY: In case of no answer in 24 hours us to theese e-mail: MastersRecovery@cock.li
The user may send up to 5 files for free decryption, as "guarantee". There's also a warning message at the end of the ransomware screen:
Do not rename encrypted files. Do not try decrypt your data using party software, it may cause permanent data loss. Decryption of your files with the help of thrid parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Spartacus will encrypt files, regardless of extension, in the following folders:
Figure 2 - Target folders to encrypt
Generating the key:
Figure 3 - KeyGenerator
As far as I'm aware, Spartacus is the first ransomware who explicitly asks you to send the public key (ID KEY), rather than just sending an email, including the Bitcoin address straight away, or sending the key automatically.
Encrypted files will get the extension appended as follows: .[MastersRecovery@protonmail.com].Spartacus
For example:
Penguins.jpg.[MastersRecovery@protonmail.com].Spartacus
It will also drop the ransomware note, "READ ME.txt" in several locations, such as the user's Desktop:
All your data has been locked us. You want to return? Write email MastersRecovery@protonmail.com or MastersRecovery@cock.li Your personal ID KEY: DvQ9/mvfT3I7U847uKcI0QU3QLd+huv5NOYT2YhfiySde0vhmkzyTtRPlcu73BAJILIPdALjAIy5NLxBHckfyV2XS+GXdjlHMx2V/VEfj4BrZkLB3BQtEdAqS1d2yzb/2+AqTNjsRfZ99ZWVxUZO3AeEZk5h0+3hNM5GogUN2oV5zHkbMZuDaXZxQr56r8UKnW7gmSycdcJh2ueZMuEP1tAuuzdZYgmZ05x9ZT8FX9HIo03rwsi6UiJlgUTZCkiilZjxYyG+qVE+Gjk4H7dnXbQP1PC3k2WICA9R4TYb9SCdv8U/e5sxbuKAbJgEZ114liwHLasmLvQfKYSbxMlbEg==
Interestingly enough, Spartacus also embeds what appears to be a hardcoded and private RSA key:
A unique mutex of "Test" will be created in order to not run the ransomware twice, and Spartacus will also continuously keep the ransomware screen or message from running in the foreground or on top, using the SetForegroundWindow function:
Figure 4 - Ransom will stay on top and annoy the user
Login
