Collaborate Disseminate
In April 2018, we spotted the first ransomware employing the Process Doppelgänging technique – SynAck ransomware. It should be noted that SynAck is not new, but a recently discovered sample caught our attention after it was found to be using Process Doppelgänging. Here we present the results of our investigation of this new SynAck variant. Continue reading SynAck targeted ransomware uses the Doppelgänging technique
Last year we published a story revealing the rise of miners across the globe. At the time we had discovered botnets earning millions of USD. We knew this was just the beginning of the story, which turned out to develop rapidly. Continue reading Mining is the new black
At the end of 2016, there was a major attack against San Francisco’s Municipal Transportation Agency. The attack was done using Mamba ransomware. This month, we noted that the group behind this ransomware has resumed their attacks against corporations. Continue reading The return of Mamba ransomware
While the world was still shaking under the destructive ExPetr/Petya attack that hit on June 27, another ransomware attack targeting Ukraine at the same time went almost unnoticed. Continue reading In ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine
After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have confirmed that the threat actor cannot decrypt victims’ disk, even if a payment was made. This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware. Continue reading ExPetr/Petya/NotPetya is a Wiper, Not Ransomware
Sometimes ransomware developers make mistakes in their code. These mistakes could help victims regain access to their original files after a ransomware infection. This article is a short description of several errors, which were made by the WannaCry ransomware developers. Continue reading WannaCry mistakes that can help you restore files after infection
While we have previously written on the now infamous XPan ransomware family, some of it’s variants are still affecting users primarily located in Brazil. This sample is what could be considered as the “father” of other XPan ransomware variants. A considerable amount of indicators within the source code depict the early origins of this sample. Continue reading XPan, I am your father
Ransomware’s popularity has attracted the attention of cybercriminal gangs; they use these malicious programs in targeted attacks on large organizations in order to steal money. In late 2016, we detected an increase in the number of attacks, the main goal of which was to launch an encryptor on an organization’s network nodes and servers. Continue reading Ransomware in targeted attacks
This year we found a new family of ransomware used in targeted attacks against organizations. After penetrating an organization’s network the threat actors used the PsExec tool to install ransomware on all endpoints and servers in the organization. The next interesting fact about this ransomware is that the threat actors decided to use the well-known Petya ransomware to encrypt user data. Continue reading PetrWrap: the new Petya-based ransomware used in targeted attacks
In other words, crypto ransomware is a fine tuned, user friendly and constantly developing ecosystem. In the last few years we, at Kaspersky Lab, have been monitoring the development of this ecosystem. This is what we’ve learned. Continue reading A look into the Russian-speaking ransomware ecosystem