Ransomware Avalanche – WannaCryptor and Jaff

It probably hasn’t escaped your notice that there is a huge outbreak of ransomware affecting organizations pretty much worldwide. The main cause of upset is the malware ESET calls Win32/Filecoder.WannaCryptor.D (other security software is available…) At the moment it’s unclear how much actual data has been affected, and how many systems have been shut down as […]

Posted in SBN

Emsisoft ‘Spotlight on Ransomware’ series

Emsisoft’s CMO Holger Keller contacted me to point out that the company is running a series of ‘Spotlight on Ransomware’ articles. I haven’t had a chance to look at them properly, but the company does useful work on providing ransomware decryptors and you may well find the articles of use and interest. Added to the RANSOMWARE […]


Karmen – Ransomware-as-a-Service keeping Bizet*

Ransomware-as-a-Service derived from Hidden Tear, sold by DevBitox on the dark web.

Analysis by Recorded Future: Karmen Ransomware Variant Introduced by Russian Hacker

Recorded Future on Hidden Tear

Commentary by John Leyden for The Register: Profit with just one infection! Crook sells ransomware for  – Nifty dashboard shows the bitcoin rolling in

*Carmen (the opera)

David Harley


Spanish Harmada: support scams sail again

Here’s another article by Josep Albors and myself for ESET: Spanish Harmada: more on tech support scams. Excerpt: ‘After our recent joint blog Support scams now reign in Spain, Josep Albors was contacted by a Spanish online newspaper asking for further information and general commentary. So here, first, is my general commentary on the evolution […]


Ransomware Timeline

I’m not really in a position to track and write about every development in the world of ransomware. (Rather, I’ve concentrated on information on specific families and pointers to useful information and advice.)  If a regular timeline is of use to you, though, David Balaban contacted me about his Ransomware Chronicle, which tersely flags ‘New ransomware released’, […]


Should TalkTalk block TeamViewer?

It’s hardly a secret that TalkTalk has had problems with tech support scams. Or at any rate its customers have, leading to suspicions that some of the scammers “… know more about their intended victims (and their issues with TalkTalk) than they should.” I don’t suppose for a moment that TalkTalk is actively cooperating with known […]

RanRan: Ransomware, Politics and Extortion

An interesting if somewhat niche ransomware analysis from Unit 42: Targeted Ransomware Attacks Middle Eastern Government Organizations for Political Purposes.

Falcone and Grunzweig say: ‘The ransom note specifically attempts to extort a political statement by forcing the victims to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle […]


*Bummer for Dharma: Decrypter On The Road

It seems that it’s now possible to decrypt Crysis-encrypted files that have the .dharma extension: Alleged Master Keys for the Dharma Ransomware Released on BleepingComputer.com. ESET has updated its Crysis decryptor to take advantage of the newly-released keys. Kaspersky has done the same with its Rakhni decryptor. I imagine others will do the same, if they haven’t already. David […]
