<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>virus Archives - Datarecovery.com</title>
	<atom:link href="https://datarecovery.com/tag/virus/feed/" rel="self" type="application/rss+xml" />
	<link></link>
	<description></description>
	<lastBuildDate>Thu, 19 Apr 2018 20:22:31 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.8.3</generator>
	<item>
		<title>SamSam Ransomware Infection And Decryption Services</title>
		<link>https://datarecovery.com/rd/samsam-ransomware-infection-decryption-services/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Wed, 11 Apr 2018 20:15:49 +0000</pubDate>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5761</guid>

					<description><![CDATA[<p>SamSam ransomware (also known as Samas, SamSamCrypt, and MSIL) is a quickly evolving type of malware that targets hospitals, municipalities, and other large organizations. After installing malicious software through compromised servers, the hackers encrypt network files, making them unusable, and...</p>
<p>The post <a href="https://datarecovery.com/rd/samsam-ransomware-infection-decryption-services/">SamSam Ransomware Infection And Decryption Services</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>SamSam ransomware (also known as Samas and SamSamCrypt; some antivirus vendors detect it as MSIL/Samas) is a quickly evolving family of malware that targets hospitals, municipalities, and other large organizations. After gaining a foothold through a compromised, internet-facing server, the attackers encrypt files across the network, making them unusable, and demand a ransom.</p>
<p>If SamSam has infected your computer or network, turn off computer(s), disconnect all media, and call Datarecovery.com at 1-800-237-4200. Our ransomware experts will assess your situation and offer a plan to restore your files and remove SamSam.</p>
<h2>What is SamSam Ransomware (And How Does It Work)?</h2>
<p>SamSam is a type of crypto-ransomware, which means the malware encrypts files in such a way that only the attacker holds the key needed to decrypt them. Without current backups, a victim who does not pay the ransom faces an extremely difficult recovery. Hospitals and city governments have found that a SamSam attack cripples the organization&#8217;s ability to function normally, which has led some to pay.</p>
<h3>Notable Targets of SamSam Ransomware Include:</h3>
<ul>
<li><a href="http://www.baltimoresun.com/health/bs-md-medstar-ransom-hack-20160330-story.html">MedStar</a>, March 27, 2016 ($18,500 ransom)</li>
<li><a href="https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/samsam-ransomware-moves-from-healthcare-to-education">Follett Learning&#8217;s Destiny software</a>, 2016 (undisclosed ransom)</li>
<li><a href="http://buffalonews.com/2017/05/20/ecmc-got-hacked-cyber-extortionists/">Erie County Medical Center</a>, April 9, 2017 ($44,000 ransom)</li>
<li><a href="http://www.daily-times.com/story/news/local/farmington/2018/01/18/farmington-recovering-after-ransomware-attack/1044845001/">City of Farmington, NM</a>, January 3, 2018 ($35,000 ransom)</li>
<li><a href="http://wane.com/2018/01/18/ransomware-attack-targets-adams-memorial-hospital/">Adams Memorial Hospital</a>, January 11, 2018 (undisclosed ransom)</li>
<li><a href="https://datarecovery.com/rd/indiana-hospital-pays-55000-get-rid-ransomware/">Hancock Health</a>, January 11, 2018 ($55,000 ransom)</li>
<li><a href="http://www.govtech.com/security/Davidson-County-NC-Still-Reeling-from-Ransomware-Attack.html">Davidson County, N.C.</a>, February 16, 2018 (undisclosed ransom)</li>
<li><a href="https://datarecovery.com/rd/samsam-ransomware-infects-cdot/">Colorado Dept. of Transportation</a>, February 21 and March 1, 2018 (undisclosed ransom)</li>
<li><a href="https://www.myajc.com/news/local-govt--politics/atlanta-officials-warn-cyber-attack-may-compromise-sensitive-data/afZLYCO14WySObFATzKXRP/">City of Atlanta, GA</a>, March 22, 2018 ($51,000 ransom)</li>
</ul>
<p>In addition to these high-profile targets, there have been other unspecified victims. A <a href="https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view">2016 FBI alert</a> referred to multiple &#8220;attacks on healthcare facilities&#8221; without mentioning specific names. More recently, an <a href="https://blog.barkly.com/samsam-ransomware-2018-campaign-hospital-attacks">unnamed Industrial Control Systems</a> (ICS) company was hit by the ransomware.</p>
<h2>How Does SamSam Ransomware Infect My System?</h2>
<p>Unlike most ransomware, SamSam does not arrive through spam email or malicious links. Instead, the operators break into internet-facing servers directly, either by brute-forcing credentials (in particular for Remote Desktop Protocol) or by exploiting unpatched software. Once inside, they harvest additional credentials and use <a href="https://msdn.microsoft.com/en-us/library/aa383015(v=vs.85).aspx">Remote Desktop Protocol</a> to move through the network and stage SamSam on each host by hand.</p>
<p>The attackers typically wait several days before executing the ransomware payload, which makes the initial breach harder to spot. Because they keep their access during that time, they can reinfect systems that an organization rebuilds without first evicting them, as happened at the <a href="https://www.denverpost.com/2018/03/01/cdot-samsam-ransomware-attack/">Colorado Department of Transportation</a>. When they are ready, they run batch scripts that launch the ransomware across the compromised hosts. Once SamSam has encrypted the files, it drops a ransom note; the amount demanded varies by incident.</p>
<h2>Can I Disable or Remove SamSam Ransomware Encryption?</h2>
<p>Removing SamSam and decrypting affected files is difficult. As such, it is critical to prevent the ransomware from infecting systems with the following best practices:</p>
<ul>
<li>Patch promptly; businesses should use a centralized <a href="https://searchsecurity.techtarget.com/feature/Read-this-roundup-before-investing-in-a-patch-management-tool">patch management system</a> so that missing updates are detected by the organization rather than by an attacker.</li>
<li>Enforce account lockout after a small number of failed logon attempts, especially for accounts that can log on over RDP, so that credentials cannot be brute-forced.</li>
<li>Back up data regularly and keep redundant copies, at least one of them offline. SamSam operators reach network-accessible backups before they start encrypting, so an organization whose only backup sits on the network may find that copy encrypted too.</li>
<li>Apply the <a href="https://www.us-cert.gov/bsi/articles/knowledge/principles/least-privilege">principle of least privilege</a> so that a single compromised account can encrypt as little as possible.</li>
</ul>
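<p>The backup recommendation above is easy to state and hard to verify. The following script, an added example that is not part of the original post, shows one way to check it: record a SHA-256 manifest of a backup set while it is known to be good, then compare the set against that manifest before relying on it. Files whose hash has changed and whose contents are now near-random are flagged as probably encrypted. The directory layout, file contents and the "tampered" state are constructed for the demonstration, and the 7.5 bits-per-byte entropy threshold is an assumption chosen for text-heavy data.</p>

```python
"""Check a backup set against a known-good SHA-256 manifest.

Added example (not from the original post). The manifest is taken while
the backup is known to be good; verify_backup() later reports files that
changed, vanished or appeared, and flags changed files whose bytes are
near-random, which is what encrypted output looks like.
"""
import hashlib
import math
import os
import random
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumption suited to text-heavy data


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest, entropy_threshold=ENTROPY_THRESHOLD):
    """Compare the files under root with a manifest taken when they were good."""
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "new": [], "suspect_encrypted": []}
    for rel in sorted(manifest):
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != manifest[rel]:
            report["modified"].append(rel)
            with open(os.path.join(root, rel), "rb") as f:
                if shannon_entropy(f.read()) >= entropy_threshold:
                    report["suspect_encrypted"].append(rel)
    report["new"] = sorted(set(current) - set(manifest))
    report["ok"] = not (report["modified"] or report["missing"] or report["new"])
    return report


def _write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(content)


def demo():
    """Build a small constructed backup set, record it, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "finance/q1-report.txt", b"quarterly revenue summary\n" * 200)
        _write(root, "hr/roster.csv", b"id,name,dept\n1,Ada,IT\n2,Grace,Ops\n" * 100)
        _write(root, "it/config.ini", b"[rdp]\nenabled=false\n" * 50)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        # Simulated damage (constructed): one file overwritten with pseudo-random
        # bytes standing in for encrypted output, one deleted, one unexpected file.
        rng = random.Random(1)
        _write(root, "finance/q1-report.txt", bytes(rng.getrandbits(8) for _ in range(4096)))
        os.remove(os.path.join(root, "hr/roster.csv"))
        _write(root, "hr/UNEXPECTED-NOTE.txt", b"constructed placeholder for a dropped note\n")
        return clean, verify_backup(root, manifest)


if __name__ == "__main__":
    before, after = demo()
    print("before tampering ok:", before["ok"])
    for key in ("modified", "missing", "new", "suspect_encrypted"):
        print(f"{key}: {after[key]}")
```

<p>High entropy on its own is a weak signal, since compressed archives and images also score close to 8 bits per byte; it is the hash mismatch against a manifest taken while the backup was good that makes the flag actionable. Store the manifest with the offline copy rather than beside the backup it describes, because an attacker with write access to the backup share can regenerate it along with the encrypted files.</p>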
<p>If your systems have been infected by SamSam, Datarecovery.com can help. We&#8217;ll assess your situation and start you down the road to recovery as soon as you call or <a href="https://datarecovery.com/submit.php">start a case</a> with us.</p>
<p>As with all data recovery situations, time is an important factor. If ransomware has infected your computer or network, call 1-800-237-4200 to speak to a malware expert. We&#8217;ll go over your options and help determine the best way to recover from a SamSam attack.</p>
<p>The post <a href="https://datarecovery.com/rd/samsam-ransomware-infection-decryption-services/">SamSam Ransomware Infection And Decryption Services</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>City of Atlanta Hit by SamSam Ransomware</title>
		<link>https://datarecovery.com/rd/city-atlanta-hit-samsam-ransomware/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Mon, 02 Apr 2018 01:08:24 +0000</pubDate>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Data Recovery News]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5751</guid>

					<description><![CDATA[<p>A ransomware attack on the city of Atlanta on Mar. 22 has left officials scrambling to provide services to residents. Many critical services, like public-safety and wastewater treatment, have been unaffected. Meanwhile, other systems have ground to a halt or...</p>
<p>The post <a href="https://datarecovery.com/rd/city-atlanta-hit-samsam-ransomware/">City of Atlanta Hit by SamSam Ransomware</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="size-medium wp-image-5752 alignright" src="https://datarecovery.com/wp-content/uploads/2018/03/DY6FRveW0AIGpt9-300x269.jpg" alt="City of Atlanta Outage Alert, SamSam Ransomware" width="300" height="269" srcset="https://datarecovery.com/wp-content/uploads/2018/03/DY6FRveW0AIGpt9-300x269.jpg 300w, https://datarecovery.com/wp-content/uploads/2018/03/DY6FRveW0AIGpt9-768x688.jpg 768w, https://datarecovery.com/wp-content/uploads/2018/03/DY6FRveW0AIGpt9-1024x917.jpg 1024w, https://datarecovery.com/wp-content/uploads/2018/03/DY6FRveW0AIGpt9.jpg 2048w" sizes="(max-width: 300px) 100vw, 300px" /></p>
<p>A ransomware attack on the city of Atlanta on Mar. 22 has left officials scrambling to provide services to residents. Many critical services, like public-safety and wastewater treatment, have been unaffected. Meanwhile, other systems have ground to a halt or slowed considerably.</p>
<p>For instance, the city is temporarily not accepting employment applications. New water service requests and other planning services can still be made in person, but processing times are longer than usual. Hartsfield-Jackson International Airport <a href="https://www.myajc.com/news/local-govt--politics/city-atlanta-officials-provides-little-detail-about-cyberattack/FK2gvnRumL046dgtXmF5TK/">has disabled its Wi-Fi</a> and, out of an abundance of caution, has taken security wait times and flight information off its website.</p>
<p>Perhaps the biggest headache for the city is <a href="http://abcnews.go.com/US/atlanta-cyberattack-massive-inconvenience-city-mayor/story?id=53974558">keeping the courts running</a> during the mayhem. The city court cannot validate warrants or process ticket payments (even in person). Court dates continue being pushed back (via tweets) as the city struggles with the ransomware attack.</p>
<blockquote class="twitter-tweet" data-lang="en">
<p dir="ltr" lang="en">RESET NOTICES WILL BE MAILED. <a href="https://t.co/hyV3pcLSE0">pic.twitter.com/hyV3pcLSE0</a></p>
<p>— ATL Municipal Court (@ATLCourt) <a href="https://twitter.com/ATLCourt/status/978984086265106432?ref_src=twsrc%5Etfw">March 28, 2018</a></p></blockquote>
<p><strong>Mayor Keisha Lance Bottoms gave few details on what the city&#8217;s response would be.</strong></p>
<p>When asked if she would consider paying the $51,000 ransom, Bottoms admitted, &#8220;Everything is up for discussion.&#8221; She added that she would <a href="https://www.npr.org/sections/thetwo-way/2018/03/27/597208778/atlanta-working-around-the-clock-to-fight-off-ransomware-attack">consult with federal authorities</a> to determine the best course of action. The city hired a private security company, SecureWorks, to investigate the attack. The FBI, Homeland Security, and the Secret Service are all involved in determining exactly what happened.</p>
<p>&#8220;I just want to make the point that this is much bigger than a ransomware attack,&#8221; Bottoms said at a press conference. &#8220;This is really an attack on our government, which means it&#8217;s an attack on all of us.&#8221;</p>
<p><strong>Fears that the attackers accessed personal data continue. </strong></p>
<p>Officials initially <a href="https://www.myajc.com/news/local-govt--politics/atlanta-officials-warn-cyber-attack-may-compromise-sensitive-data/afZLYCO14WySObFATzKXRP/">warned city employees</a> and any member of the public who had made transactions with the city to check their bank accounts for fraudulent activity.</p>
<p>“Because we don’t know, I think it would be appropriate for the public just to be vigilant in checking their accounts and making sure their credit agencies have also been notified,” Bottoms said shortly after the incident.</p>
<p>On March 26, an official tweet from the city reiterated that sentiment but added that there is still no evidence that sensitive data has been compromised.</p>
<blockquote class="twitter-tweet" data-lang="en">
<p dir="ltr" lang="en">GENERAL REMINDER: At this time, there is no evidence to show that customer or employee data has been compromised. However, customers and employees are encouraged to take precautionary measures to monitor and protect their personal information.</p>
<p>— City of Atlanta, GA (@Cityofatlanta) <a href="https://twitter.com/Cityofatlanta/status/978966933155573761?ref_src=twsrc%5Etfw">March 28, 2018</a></p></blockquote>
<p><strong>The city hasn&#8217;t identified the attacker, but media reports point to a familiar name.</strong></p>
<p>A <em>New York Times</em> article <a href="https://www.nytimes.com/2018/03/27/us/cyberattack-atlanta-ransomware.html?mtrref=www.google.com">has identified</a> the SamSam crew as the responsible party. Few details about the group are known, but its attacks share several hallmarks.</p>
<p>The group targets large organizations that have the resources to pay a hefty ransom, and it lingers inside a network after the initial break-in, which has let it hit the same organization more than once.</p>
<p><strong>The same group victimized the Colorado Department of Transportation twice this year.</strong></p>
<p>The <a href="https://datarecovery.com/rd/samsam-ransomware-infects-cdot/">first attack</a> shut down over 2,000 employee computers, forcing workers to use pen and paper. The state decided not to pay the ransom but to painstakingly clean the computers of any malware.</p>
<p>When CDOT&#8217;s IT staff had cleared 20 percent of the computers for employee use, a variant of <a href="https://www.denverpost.com/2018/03/01/cdot-samsam-ransomware-attack/">SamSam reinfected them</a>. Hearing stories like these, it&#8217;s easy to understand why some organizations simply pay the ransom.</p>
<p>To put even more pressure on victims, the SamSam attackers generally target health care facilities and municipal organizations. <a href="https://www.scmagazine.com/samsam-ransomware-continues-to-wreak-havoc-on-infrastructure/article/738983/">Allscripts</a>, <a href="http://wane.com/2018/01/18/ransomware-attack-targets-adams-memorial-hospital/">Adams Memorial Hospital</a>, <a href="http://buffalonews.com/2017/05/20/ecmc-got-hacked-cyber-extortionists/">Erie County Medical Center</a>, and the city of <a href="http://www.daily-times.com/story/news/local/farmington/2018/01/18/farmington-recovering-after-ransomware-attack/1044845001/">Farmington, New Mexico</a> all fell prey to SamSam ransomware in the last year.</p>
<p><strong>Atlanta is now learning a painful but useful lesson in cybersecurity.</strong></p>
<p>The city is documenting its progress and answering frequently asked questions on <a href="https://www.atlantaga.gov/government/ransomware-cyberattack-information">its website</a>, while the mayor promises that more attention will be given to cybersecurity in the future.</p>
<p>&#8220;Just as much as we really focus on our physical infrastructure, we need to focus on the security of our digital infrastructure,&#8221; <a href="https://www.cnn.com/2018/03/27/us/atlanta-ransomware-computers/index.html">Bottoms said</a>. &#8220;I am looking forward to us really being a national model of how cities can shore themselves up and be stronger because of it.&#8221;</p>
<p>The post <a href="https://datarecovery.com/rd/city-atlanta-hit-samsam-ransomware/">City of Atlanta Hit by SamSam Ransomware</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Only Half of Ransomware Payments Resulted in Decrypted Files</title>
		<link>https://datarecovery.com/rd/half-ransomware-payments-resulted-decrypted-files/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Wed, 21 Mar 2018 20:49:43 +0000</pubDate>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Data Recovery News]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5734</guid>

					<description><![CDATA[<p>A report from a leading research firm found a startling statistic for 2017: only half of ransomware victims who paid a ransom were able to successfully decrypt their files. These findings and others in the report offer even more incentive...</p>
<p>The post <a href="https://datarecovery.com/rd/half-ransomware-payments-resulted-decrypted-files/">Only Half of Ransomware Payments Resulted in Decrypted Files</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>A report from a leading research firm found a startling statistic for 2017: only half of ransomware victims who paid a ransom were able to successfully decrypt their files. These findings and others in the report offer even more incentive to confront and adapt to new security challenges in 2018.</p>
<p><strong>The report came from CyberEdge, who surveyed 1,200 IT security professionals and is not affiliated with any security vendor.</strong></p>
<p><img loading="lazy" decoding="async" class="alignright size-medium wp-image-5746" src="https://datarecovery.com/wp-content/uploads/2018/03/cyberthreat-defense-report-2018-by-cyberedge2-300x267.png" alt="Cyberthreat Defense Report 2018 by Cyberedge" width="300" height="267" srcset="https://datarecovery.com/wp-content/uploads/2018/03/cyberthreat-defense-report-2018-by-cyberedge2-300x267.png 300w, https://datarecovery.com/wp-content/uploads/2018/03/cyberthreat-defense-report-2018-by-cyberedge2.png 327w" sizes="auto, (max-width: 300px) 100vw, 300px" />Their <a href="https://cyber-edge.com/wp-content/uploads/2018/03/CyberEdge-2018-CDR.pdf">2018 Cyberthreat Defense Report</a> is an attempt to understand the variety of threats faced by organizations that employ at least 500 people. The results showed that cyberattacks have become increasingly successful over the past five years (though, mercifully, the number of successful attacks is slightly down from last year).</p>
<p>Another illuminating trend is that the percentage of IT professionals who are optimistic about dodging successful attacks in the coming year went from 62 percent in 2014 to 38 percent in 2018. This can be viewed as pessimism or realism, but either way, it&#8217;s an acknowledgement of the great challenges ahead. Respondents listed application containers (like Docker or Rocket), mobile devices, and cloud infrastructure as the weakest links likely to be targeted by a cyberattack.</p>
<p><strong>Malware (viruses, worms, trojans) was voted as the number one general threat to IT security for the second year in a row.</strong></p>
<p>Second place was a tie between ransomware and phishing attacks. Given that many ransomware attacks were paired with worms and other malware (as well as phishing attacks), you can understand how big of a concern ransomware is for security professionals.</p>
<p>And it was not a rare phenomenon either. A surprising 55 percent of surveyed organizations were hit by ransomware in 2017. One area of good news was that many who refused to pay ransoms still recovered their data. Instead of buckling to cybercriminals, they worked to recover data from backups or simply dealt with the data loss. Almost 87 percent of victims who did not pay the ransom recovered their data anyway.</p>
<p>The scarier news was that only 49.6 percent of ransomware victims who paid the ransom were able to decrypt their data. This statistic should convince businesses and individuals of the importance of keeping current backups that are offline or in the cloud.</p>
<p>If a victim cannot recover backups, consulting a professional data recovery company is highly recommended. At Datarecovery.com, the recovery rates for ransomware cases are far higher than those in the CyberEdge survey. Knowing the landscape and having experience help ensure a successful recovery from a ransomware attack. Some strains have freely available decryptors, while others have coding issues that prevent even the attacker from decrypting files. Knowing which avenues to pursue saves time and increases the odds of a successful recovery.</p>
<p><strong>Survey respondents listed &#8220;lack of skilled personnel&#8221; as the greatest barrier to defending against cyberthreats.</strong></p>
<p>In past surveys, &#8220;low security awareness among employees&#8221; has topped that list, but a skilled personnel shortage has slowly climbed the ranks over the past five years. Poor security awareness still placed second as a barrier to IT security (which is concerning, given how long it&#8217;s been an issue).</p>
<p>Overall, the survey showed positive as well as negative trends. Many perennial threats remain: mobile devices and poorly trained employees continue to be security challenges. On the other hand, the number of successful cyberattacks decreased for the first time in five years and security budgets are higher than they&#8217;ve ever been. More than anything, the CyberEdge report reminds us that good IT security requires constant vigilance and adaptation to new threats.</p>
<p>The post <a href="https://datarecovery.com/rd/half-ransomware-payments-resulted-decrypted-files/">Only Half of Ransomware Payments Resulted in Decrypted Files</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>SamSam Ransomware Infects CDOT</title>
		<link>https://datarecovery.com/rd/samsam-ransomware-infects-cdot/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Mon, 19 Mar 2018 16:17:14 +0000</pubDate>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Data Recovery News]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5719</guid>

					<description><![CDATA[<p>SamSam ransomware has infected thousands of computers at the Colorado Department of Transportation. <a href="https://www.denverpost.com/2018/02/21/samsam-virus-ransomware-cdot/">Over 2,000 employee computers</a> were shut down to stop the spread of the malware after it was discovered on Feb. 21, and systems are still not back...</p>
<p>The post <a href="https://datarecovery.com/rd/samsam-ransomware-infects-cdot/">SamSam Ransomware Infects CDOT</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-full wp-image-5728 aligncenter" src="https://datarecovery.com/wp-content/uploads/2018/03/CDOT-logo-5.png" alt="CDOT logo" width="693" height="190" srcset="https://datarecovery.com/wp-content/uploads/2018/03/CDOT-logo-5.png 693w, https://datarecovery.com/wp-content/uploads/2018/03/CDOT-logo-5-300x82.png 300w" sizes="auto, (max-width: 693px) 100vw, 693px" /></p>
<p>SamSam ransomware has infected thousands of computers at the Colorado Department of Transportation. <a href="https://www.denverpost.com/2018/02/21/samsam-virus-ransomware-cdot/">Over 2,000 employee computers</a> were shut down to stop the spread of the malware after it was discovered on Feb. 21, and systems are still not back online.</p>
<p>Office of Information Technology chief technology officer David McCurdy released a statement shortly after the attack that said, “This ransomware virus was a variant and the state worked with its antivirus software provider to implement a fix today. The state has robust backup and security tools and has no intention of paying ransomware. Teams will continue to monitor the situation closely and will be working into the night.”</p>
<p><strong>SamSam is the strain of ransomware that targeted hospitals and other organizations throughout January 2018.</strong></p>
<p><img loading="lazy" decoding="async" class="size-full wp-image-5726 alignright" src="https://datarecovery.com/wp-content/uploads/2018/03/samsam-ransomware-graphic05.png" alt="SamSam ransomware skull-and-crossbones" width="360" height="240" srcset="https://datarecovery.com/wp-content/uploads/2018/03/samsam-ransomware-graphic05.png 360w, https://datarecovery.com/wp-content/uploads/2018/03/samsam-ransomware-graphic05-300x200.png 300w" sizes="auto, (max-width: 360px) 100vw, 360px" /></p>
<p>An Indiana hospital, Hancock Health, <a href="https://datarecovery.com/rd/indiana-hospital-pays-55000-get-rid-ransomware/">paid a $55,000 ransom</a> to restore files and functionality after SamSam infected its servers. Even though the hospital claimed to have complete backups of encrypted files, administrators chose to pay the ransom to avoid costly delays in restoring their systems.</p>
<p><a href="https://www.bleepingcomputer.com/news/security/samsam-ransomware-hits-colorado-dot-agency-shuts-down-2-000-computers/">Security researchers</a> say that the group behind SamSam uses a brute-force attack on Remote Desktop Protocol (RDP) connections to gain access to internal networks. Then, hackers manually install the ransomware, which begins encrypting files. To protect against SamSam, <a href="https://www.bleepingcomputer.com/news/security/samsam-ransomware-hits-hospitals-city-councils-ics-firms/">researchers warn</a> that any computers open to remote RDP connections should have strong and unique passwords.</p>
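<p>The brute-force path the researchers describe here, and the credential guessing and RDP lateral movement covered in our SamSam overview post, leave a trail in the Windows Security log: an event 4625 (failed logon) with logon type 10 (RemoteInteractive) for each guess, and a 4624 with the same logon type if a guess lands. The script below, an added example rather than code from the original post or from the cited researchers, runs a sliding-window count over such events grouped by source address and reports sources that exceed a threshold, together with the accounts they tried and any success that followed. The events are constructed for the demonstration and assume a one-JSON-object-per-line export with the field names shown; the threshold and window are assumptions to tune against your own lockout policy.</p>

```python
"""Flag RDP brute-force sources in exported Windows Security log events.

Added example (not from the original post). Input is one JSON object per
line with the fields shown in SAMPLE_EVENTS (an assumed export format).
EventID 4625 is a failed logon, 4624 a successful one; LogonType 10 is
RemoteInteractive, i.e. a logon over RDP.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source guesses passwords for several accounts
# over RDP and finally gets in as "backup"; a user fails once over RDP;
# two console (LogonType 2) failures carry no source address and are ignored.
SAMPLE_EVENTS = """\
{"TimeCreated": "2018-02-19T02:14:03", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45"}
{"TimeCreated": "2018-02-19T02:14:09", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45"}
{"TimeCreated": "2018-02-19T02:14:15", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.45"}
{"TimeCreated": "2018-02-19T02:14:22", "EventID": 4625, "LogonType": 10, "TargetUserName": "backup", "IpAddress": "203.0.113.45"}
{"TimeCreated": "2018-02-19T02:14:30", "EventID": 4625, "LogonType": 10, "TargetUserName": "scanner", "IpAddress": "203.0.113.45"}
{"TimeCreated": "2018-02-19T02:14:41", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45"}
{"TimeCreated": "2018-02-19T02:15:02", "EventID": 4624, "LogonType": 10, "TargetUserName": "backup", "IpAddress": "203.0.113.45"}
{"TimeCreated": "2018-02-19T02:20:11", "EventID": 4625, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "198.51.100.7"}
{"TimeCreated": "2018-02-19T02:21:40", "EventID": 4625, "LogonType": 2, "TargetUserName": "jsmith", "IpAddress": "-"}
{"TimeCreated": "2018-02-19T02:21:55", "EventID": 4625, "LogonType": 2, "TargetUserName": "jsmith", "IpAddress": "-"}
"""


def parse_events(text):
    """Parse one JSON event per line into dicts with a datetime TimeCreated."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return events


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = 0
    j = 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per source IP with at least `threshold` RDP failures in any window."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e.get("LogonType") != 10 or e.get("IpAddress") in (None, "-"):
            continue  # not an RDP logon with a usable source address
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(e)
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].append(e)

    alerts = []
    for ip, evs in failures.items():
        peak = max_in_window([e["TimeCreated"] for e in evs], window)
        if peak < threshold:
            continue
        first_failure = min(e["TimeCreated"] for e in evs)
        # A successful RDP logon from the same source once guessing began is
        # the strongest sign that a credential was found.
        landed = [s for s in successes.get(ip, []) if s["TimeCreated"] >= first_failure]
        alerts.append({
            "ip": ip,
            "failures": len(evs),
            "peak_in_window": peak,
            "accounts_tried": sorted({e["TargetUserName"] for e in evs}),
            "success_after_failures": sorted({s["TargetUserName"] for s in landed}),
        })
    return sorted(alerts, key=lambda a: a["failures"], reverse=True)


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

<p>A success from a source that was failing repeatedly moments earlier is the line worth paging on: a lockout policy stops the guessing, but that success is what the start of an incident looks like. Sources that only ever fail are still worth blocking at the perimeter, and a host that should not be accepting RDP from the internet at all is the finding that matters most.</p>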
<p>SamSam was also the culprit behind attacks on <a href="https://www.scmagazine.com/samsam-ransomware-continues-to-wreak-havoc-on-infrastructure/article/738983/">Allscripts</a>, <a href="http://wane.com/2018/01/18/ransomware-attack-targets-adams-memorial-hospital/">Adams Memorial Hospital</a>, <a href="http://buffalonews.com/2017/05/20/ecmc-got-hacked-cyber-extortionists/">Erie County Medical Center</a>, and the city of <a href="http://www.daily-times.com/story/news/local/farmington/2018/01/18/farmington-recovering-after-ransomware-attack/1044845001/">Farmington, New Mexico</a>. <a href="https://blog.barkly.com/samsam-ransomware-2018-campaign-hospital-attacks">Security experts</a> believe that these attacks were carried out by a single group of hackers.</p>
<p><strong>CDOT continues with daily work the old-fashioned way.</strong></p>
<p>“Our critical systems, our road operations, traffic operation systems are still online. We still have people on the road plowing and doing construction,” CDOT spokesperson Amy Ford <a href="https://www.denverpost.com/2018/02/26/samsam-ransomware-virus-cdot/">told the </a><a href="https://www.denverpost.com/2018/02/26/samsam-ransomware-virus-cdot/"><em>Denver Post</em></a>. “The things we have changed a little bit is we’ve had some business bids in the process of being done and we’ve extended times and dates. And we’re working with our contractors.”</p>
<p>The incident demonstrates the difficulties of recovering from a ransomware attack. Even though CDOT backed up their data, they are beginning their second week offline. Mecklenburg County, North Carolina <a href="http://www.charlotteobserver.com/news/local/article188302469.html">faced a similar slog</a> after a ransomware called LockCrypt infected county government servers. Officials spent well over a month <a href="https://www.mecknc.gov/news/Pages/Countywide-system-outage.aspx">scrambling to restore services</a> after that incident.</p>
<p>Ford summarized the frustrating but manageable limbo that CDOT is currently in.</p>
<p>“No one is back online. What we’re doing is working offline. All our critical services are still online — cameras, variable message boards, CoTrip, alerts on traffic. They are running on separate systems,” Ford said. “The message I’m sharing is CDOT operated for a long time without computers, so we’ll use pen and paper.”</p>
<p>The post <a href="https://datarecovery.com/rd/samsam-ransomware-infects-cdot/">SamSam Ransomware Infects CDOT</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>2017 Ransomware Recap</title>
		<link>https://datarecovery.com/rd/2017-ransomware-recap/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Thu, 04 Jan 2018 16:23:38 +0000</pubDate>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Data Recovery News]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5635</guid>

					<description><![CDATA[<p>Ransomware became a household name in 2016. As hackers extorted ransoms from hospitals, universities, and other groups in return for files, the public became aware of how vulnerable devices are in this connected age.<br />
Even with the awareness of this...</p>
<p>The post <a href="https://datarecovery.com/rd/2017-ransomware-recap/">2017 Ransomware Recap</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Ransomware became a household name in 2016. As hackers extorted ransoms from hospitals, universities, and other groups in return for files, the public became aware of how vulnerable devices are in this connected age.</p>
<p>Even with awareness of the threat, companies and individuals couldn&#8217;t stop the onslaught of ransomware attacks in 2017. The year saw a steady drizzle of new ransomware variants punctuated by three large-scale attacks built on hacking tools leaked from the U.S. National Security Agency.</p>
<p>Because of ransomware attacks, two companies estimated their losses in the hundreds of millions of dollars and Britain&#8217;s National Health Service diverted ambulances and cancelled operations until they regained control of their computers. In addition to the major attacks, the underground market for smaller-scale operations continued to boom, and open-source ransomware gave hackers a head start. Here&#8217;s how the big events of 2017 went down.</p>
<h3><img loading="lazy" decoding="async" class="alignright size-medium wp-image-4715" src="https://datarecovery.com/wp-content/uploads/2017/01/st-louis-public-library-exterior-500-300x199.jpg" alt="st louis public library, exterior at night" width="300" height="199" srcset="https://datarecovery.com/wp-content/uploads/2017/01/st-louis-public-library-exterior-500-300x199.jpg 300w, https://datarecovery.com/wp-content/uploads/2017/01/st-louis-public-library-exterior-500.jpg 500w" sizes="auto, (max-width: 300px) 100vw, 300px" />St. Louis Public Library</h3>
<p>When staff arrived to work on Thursday, Jan. 19, they were greeted with locked computer screens throughout all branches of the St. Louis Public Library. <a href="https://datarecovery.com/rd/st-louis-public-library-grinds-halt-due-ransomware-attack/">Hackers had exploited a vulnerability</a> in a library voicemail server and locked 700 staff and public computers. The attackers demanded $34,000 in bitcoin to restore the computers.</p>
<p>The library refused to pay and began furiously working to restore services. Finally, on Jan. 30, they were able to <a href="https://www.slpl.org/news/an-update-on-the-ransomware-attack-against-slpl/">announce that all computers</a> used by the public were fully restored. Enhancements to the library system&#8217;s cybersecurity remain an ongoing project.</p>
<h3>Microsoft Releases Eternal Blue Patch</h3>
<p>On March 14, Microsoft issued a <a href="https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010">critical security bulletin</a> for a vulnerability in all unsupported versions of Windows. The reason? The NSA had discovered a security flaw in Windows operating systems and added it to the agency&#8217;s stockpile of cyber weapons. A group called the <a href="https://www.theatlantic.com/technology/archive/2017/05/shadow-brokers/527778/">Shadow Brokers</a> accessed and leaked this stockpile, giving hackers powerful tools for wreaking havoc.</p>
<p>By installing Microsoft&#8217;s patch, users protected themselves from the vulnerability that the NSA discovered (which was known as Eternal Blue). Unfortunately, those who did not patch their operating systems would fall victim to cyber attacks in the coming months when the NSA exploit was paired with ransomware and unleashed.</p>
<h3>WannaCry</h3>
<p>The first attack that paired ransomware with Eternal Blue was WannaCry. The attack initially occurred in Asia on May 12 and quickly spread to more than 230,000 devices. Infected computers spread the ransomware to other machines on the same network as well as random computers over the internet.</p>
<p>A <a href="https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html">security researcher</a> discovered a kill switch which stopped the spread, but more than 300,000 computers had already been infected. Companies and organizations affected by the attack include Britain&#8217;s <a href="http://www.bbc.com/news/technology-41753022">National Health Service</a>, <a href="https://www.mercurynews.com/2017/05/12/fedex-hit-as-nsa-linked-ransomware-spreads-around-the-world/">FedEx</a>, <a href="https://www.reuters.com/article/us-honda-cyberattack-idUSKBN19C0EI">Honda</a>, <a href="http://money.cnn.com/2017/05/15/technology/ransomware-whos-been-hit/index.html">Hitachi</a>, <a href="http://www.businessinsider.com/telefonica-and-other-firms-have-been-infected-by-wannacry-malware-2017-5">Telefónica</a>, and dozens more.</p>
<p><img loading="lazy" decoding="async" class="alignright size-medium wp-image-5631" src="https://datarecovery.com/wp-content/uploads/2017/12/north-korea-wannacry02-300x200.jpg" alt="north korea flag wannacry ransomware virus" width="300" height="200" srcset="https://datarecovery.com/wp-content/uploads/2017/12/north-korea-wannacry02-300x200.jpg 300w, https://datarecovery.com/wp-content/uploads/2017/12/north-korea-wannacry02-768x512.jpg 768w, https://datarecovery.com/wp-content/uploads/2017/12/north-korea-wannacry02.jpg 960w" sizes="auto, (max-width: 300px) 100vw, 300px" />While an unprecedented number of machines were infected, the attackers received relatively little money from ransom payments. Just <a href="http://money.cnn.com/2017/08/03/technology/wannacry-bitcoin-ransom-moved/index.html">$140,000 in bitcoin</a> was withdrawn from the three accounts associated with the attack.</p>
<p>In the months following the attack, many pointed fingers at North Korea&#8217;s cyber unit as the originator of the attacks. Finally, in a Dec. 18 <a href="https://www.wsj.com/articles/its-official-north-korea-is-behind-wannacry-1513642537">op-ed piece</a>, a Trump adviser officially declared North Korea responsible for the attack.</p>
<h3>Petya, NotPetya, Nyetna</h3>
<p>Whatever you call it, this attack wreaked havoc and proved that not everyone learned a lesson from the WannaCry attack. NotPetya targeted the same Windows security flaw that Microsoft provided a patch for (and that WannaCry exploited).</p>
<p>Ground zero for this attack was Ukraine, where a popular piece of tax-filing software, MEDoc, <a href="http://www.bbc.com/news/technology-40428967">spread NotPetya</a> to businesses and government organizations. Soon, NotPetya moved beyond Ukraine&#8217;s borders and devastated international businesses, such as <a href="http://www.computerweekly.com/news/450426854/NotPetya-attack-cost-up-to-15m-says-UK-ad-agency-WPP">advertising company WPP</a>, <a href="https://www.ft.com/content/1b5f863a-624c-11e7-91a7-502f7ee26895">law firm DLA Piper</a>, <a href="https://www.theregister.co.uk/2017/08/16/notpetya_ransomware_attack_cost_us_300m_says_shipping_giant_maersk/">shipping giant Maersk</a>, and <a href="https://www.theregister.co.uk/2017/09/20/fedex_notpetya_damages/">FedEx</a>. Both Maersk and FedEx estimated their losses from the attack to be around $300 million.</p>
<p>Initially, analysts blamed a ransomware called Petya for the cyber attack. However, <a href="https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/">security experts</a> make a <a href="http://tass.com/world/972758">convincing case</a> that NotPetya is a wiper (meaning the intent was to destroy files, not hold them hostage) and that the <a href="https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b">attackers could not decrypt a victim&#8217;s files</a> even if they wanted to.</p>
<p>So, why would an attacker disguise a wiper as ransomware? Ukraine&#8217;s security service (SBU) <a href="https://www.theregister.co.uk/2017/07/04/sbu_claims_russia_was_behind_notpetya/">blames Russia</a>. Since the downfall of the Soviet Union in 1991, the two countries have had periods of tension. In 2014, Ukrainian voters ousted their pro-Russia president <a href="http://www.bbc.com/news/world-europe-25182830">Viktor Yanukovych</a>. Shortly after, Russia annexed Crimea, a Ukrainian peninsula, and the international community responded with heavy sanctions against Russia.</p>
<p>This may be more geopolitical history than you wanted to know, but the moral of the story is: cyber wars between nation-states can spill out into the general public. If NotPetya was in fact intended to cripple Ukraine&#8217;s infrastructure, then all those thousands of infected computers throughout the rest of the world were simply collateral damage. Welcome to the 21st century.</p>
<h3>Bad Rabbit</h3>
<p>Bad Rabbit was the ransomware used in the third major international attack of 2017. Compared to the massive disruptions and economic costs of WannaCry and NotPetya, Bad Rabbit was a mere nuisance. But for those affected, including Kiev&#8217;s metro system, Odessa&#8217;s airport, and Russian media group Interfax, the ransomware caused major disruptions. After its website went down, <a href="https://www.theguardian.com/technology/2017/oct/25/bad-rabbit-game-of-thrones-ransomware-europe-notpetya-bitcoin-decryption-key">Interfax took to publishing news stories</a> on Facebook until the site was restored.</p>
<p>Researchers believe the same attackers may be responsible for NotPetya and Bad Rabbit. There are similarities in the code of NotPetya and Bad Rabbit, and <a href="https://www.theguardian.com/technology/2017/oct/25/bad-rabbit-game-of-thrones-ransomware-europe-notpetya-bitcoin-decryption-key">the same web servers were used</a> to distribute the initial software in both cases.</p>
<p>Bad Rabbit did not use the Eternal Blue exploit, but it did use a different leaked NSA tool called Eternal Romance. Ukrainian state cyber police <a href="https://blog.knowbe4.com/bad-rabbit-ransomware-attack-was-hiding-a-spear-phishing-campaign">claimed that the ransomware attack</a> was used as cover to steal financial information from targeted Ukrainian companies.</p>
<h3>Ransomware-as-a-Service</h3>
<p>If 2016 put ransomware on the map, 2017 established it in the marketplace. Ransomware-as-a-service (RaaS) has existed since at least 2015, but there are now more opportunities than ever for someone with little technical skill to buy ransomware from the dark web. Here&#8217;s how it works.</p>
<p>A customer either pays a subscription to or agrees to share a percentage of ransom money with the ransomware developer. The customer can then launch an attack on the targets of their choosing. <a href="https://nakedsecurity.sophos.com/2017/12/13/5-ransomware-as-a-service-raas-kits-sophoslabs-investigates/">Slicker RaaS variants</a> have user-friendly dashboards that allow even the most technologically inexperienced users to launch cyber attacks.</p>
<p>A <a href="https://www.carbonblack.com/wp-content/uploads/2017/10/Carbon-Black-Ransomware-Economy-Report-101117.pdf">report from Carbon Black</a> found a 2,502 percent increase in ransomware for sale on the dark web from 2016 to 2017. The same report discovered 45,000 listings for RaaS products. With that kind of competition, expect the products to become even more sophisticated and user-friendly in 2018.</p>
<h3>Open Source Ransomware</h3>
<p><img loading="lazy" decoding="async" class="size-medium wp-image-5328 alignnone" src="https://datarecovery.com/wp-content/uploads/2017/06/hidden-tear-ransomware-ascii-art2-300x158.png" alt="Hidden Tear Ransomware GitHub info" width="300" height="158" srcset="https://datarecovery.com/wp-content/uploads/2017/06/hidden-tear-ransomware-ascii-art2-300x158.png 300w, https://datarecovery.com/wp-content/uploads/2017/06/hidden-tear-ransomware-ascii-art2.png 530w" sizes="auto, (max-width: 300px) 100vw, 300px" /></p>
<p>Another cause for the proliferation of ransomware is the posting of open source code. <a href="https://datarecovery.com/rd/hidden-tear-ransomware-still-wreaking-havoc/">Hidden Tear</a> was the first such ransomware to be posted freely on the internet. The developer, Utku Sen, claimed that he shared it for educational purposes.</p>
<p>Sen built several backdoors into the code so that anyone affected by it could decrypt their files. Unfortunately, hackers have taken his code and closed those backdoors in order to make more functional ransomware. Hackers have since created at least a <a href="http://news.softpedia.com/news/new-open-source-linux-ransomware-shows-infosec-community-divide-508669.shtml">dozen ransomware families</a> (8lock8, Blocatto, Cryptear, Fakben, GhostCrypt, Globe, Hi Buddy!, Job Crypter, KryptoLocker, MireWare, PokemonGO, and Sanction) based on Hidden Tear.</p>
<p>And Sen&#8217;s Hidden Tear isn&#8217;t the only example. Others have created open-source ransomware ostensibly to improve ransomware detection and prevention. However, most security professionals have more sophisticated means of understanding and detecting malware. That makes this source code a head start for criminals and not much more.</p>
<h2>Ransomware in the New Year</h2>
<p>Several large security companies have released reports with their predictions for the new year, and the message is clear. If you or your business use the internet, ransomware will continue to be a threat.</p>
<p><a href="https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/malware-forecast-2018.pdf?la=en">One firm predicts</a> that the combination of ransomware as a service (like <a href="https://datarecovery.com/rd/cerber-ransomware-infection-decryption-services/">Cerber</a>) and the resurgence of worms will lead to a surge in attacks and infections. Because hackers now have access to a trove of NSA tools, expect to see attacks similar to WannaCry again in 2018.</p>
<p>We can also expect to see <a href="https://researchcenter.paloaltonetworks.com/2017/12/2018-predictions-recommendations-ransomware-plague-just-beginning/">more attacks on Mac computers</a>. <a href="https://datarecovery.com/rd/keranger-ransomware-infection-decryption-services/">Keranger</a> was the first ransomware to target a Mac OS, and it did so with limited success. However, Mac users remain a lucrative target for hackers, who likely haven&#8217;t given up in their attempts to infect this relatively untapped group.</p>
<h2>What You Can Do</h2>
<p>Security experts recommend a multi-pronged approach to protecting yourself from ransomware. Most importantly, keeping multiple copies of current backups will ensure that you never have to pay a ransom.</p>
<p>Avoid suspicious attachments and links (and teach everyone who uses your network to do the same) to reduce the chances of downloading malware. Keep all software up to date and rely on reputable antivirus software to give you further protection.</p>
<p>The massive global attacks of 2017 showed that everyone from individual computer users to multinational corporations is vulnerable. Following the above practices (and ensuring that anyone who uses your computer does too) will protect you from the costly headache of ransomware.</p>
<p>The post <a href="https://datarecovery.com/rd/2017-ransomware-recap/">2017 Ransomware Recap</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The 4 Most Game-Changing Ransomware Attacks</title>
		<link>https://datarecovery.com/rd/4-game-changing-ransomware-attacks/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Mon, 09 Oct 2017 22:06:07 +0000</pubDate>
				<category><![CDATA[Data Recovery News]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5444</guid>

					<description><![CDATA[<p>Every week, new strains of ransomware infect computers or are spotted by security researchers while still in development. Most of them are small-scale operations that attract little attention.<br />
Every once in a while, a new malware will make headlines based...</p>
<p>The post <a href="https://datarecovery.com/rd/4-game-changing-ransomware-attacks/">The 4 Most Game-Changing Ransomware Attacks</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Every week, new strains of ransomware infect computers or are spotted by security researchers while still in development. Most of them are small-scale operations that attract little attention.</p>
<p>Every once in a while, a new malware will make headlines based on some novel feature. The distributors of <a href="https://datarecovery.com/rd/popcorn-time-ransomware-new-era-malware/">Popcorn Time</a>, an in-dev ransomware, would decrypt a victim&#8217;s files if they infected two other victims who ended up paying.</p>
<p><a href="https://datarecovery.com/rd/jigsaw-ransomware-infection-decryption-services/">Jigsaw</a> used images from <em>Saw</em> to increase the intimidation factor and brand their otherwise nondescript malware. <a href="https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/">Philadelphia</a> ransomware can be bought as a service and tweaked to fit an attacker&#8217;s specific needs. However, none of these have proven to be large players in the long run.</p>
<p>There are a handful of malicious programs that have changed the landscape of the ransomware world. Here are the four most revolutionary, game-changing ransomware strains and how they influenced their successors.</p>
<h2>The AIDS Trojan Horse: The Advent of Ransomware</h2>
<p>In 1989, an evolutionary biologist named <a href="https://www.theatlantic.com/technology/archive/2016/05/the-computer-virus-that-haunted-early-aids-researchers/481965/">Joseph Popp distributed 20,000 floppy disks</a> to AIDS researchers around the world. The disks contained a questionnaire that Popp claimed would help doctors determine a patient&#8217;s risk of developing the AIDS virus. In reality, Popp had hidden an early form of ransomware on the disks and was using a social engineering technique to spread it.</p>
<p>To avoid being pinpointed as the author of the malware, Popp wrote the code so that the ransomware lay dormant until an infected computer booted up 90 times. On that 90th boot, the virus encrypted the computer&#8217;s files and displayed a ransom note.</p>
<p>The <a href="https://www.knowbe4.com/aids-trojan">note instructed victims</a> to send $189 to a PO box in Panama, a country with infamously lax business laws. Few victims made payments and British authorities quickly arrested Popp and charged him with blackmail. He avoided jail time when a judge declared Popp mentally unfit to stand trial. In the meantime, a researcher named Jim Bates created a tool to restore victims&#8217; files by removing the virus and decrypting the files.</p>
<p><strong>What it changed: </strong>Popp&#8217;s malware had four characteristics that future ransomware developers and distributors would copy: a scaremongering note, a hard-to-track payment scheme, encryption of important files (albeit rudimentary and breakable), and the use of social engineering to trick victims into installing the malware themselves.</p>
<h2>CryptoLocker: Ransomware Modernizes and Scales</h2>
<p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-4542" src="https://datarecovery.com/wp-content/uploads/2016/05/CryptoLocker-ransomware-encrypted-files-message.png" alt="CryptoLocker ransomware encrypted files message" width="432" height="336" srcset="https://datarecovery.com/wp-content/uploads/2016/05/CryptoLocker-ransomware-encrypted-files-message.png 432w, https://datarecovery.com/wp-content/uploads/2016/05/CryptoLocker-ransomware-encrypted-files-message-300x233.png 300w" sizes="auto, (max-width: 432px) 100vw, 432px" /></p>
<p>In September 2013 (almost 25 years after the first ransomware incident), the modern era of ransomware began. <a href="https://www.avast.com/c-cryptolocker">CryptoLocker spread through the Gameover ZeuS botnet</a> via infected email attachments.</p>
<p>The exact number of victims is unknown, but estimates suggest there were <a href="http://www.bbc.com/news/technology-28661463">500,000 people who lost data</a> because of CryptoLocker. This sophisticated crypto-ransomware may have been too successful for its own good, as the staggering number of victims prompted international cooperation to catch the attackers. The U.S. Department of Justice, the FBI, Europol, and others collaborated for <a href="https://en.wikipedia.org/wiki/Operation_Tovar">Operation Tovar</a>, which took down the Gameover ZeuS botnet and gained access to the decryption keys.</p>
<p>While all victims eventually had the opportunity to decrypt their data, it took nearly a year for law enforcement and security firms to create a tool for this purpose. The CryptoLocker attack was an early indication that ransomware had the potential to massively disrupt business and prevent access to data from thousands of miles away.</p>
<p><strong>What it changed: </strong>CryptoLocker showed the devastation that a large botnet could cause when it sends out millions of phishing emails infected with ransomware. The sophisticated encryption method also proved that ransomware could permanently prevent access to files when the decryption key was withheld.</p>
<h2>Hidden Tear: Open-Source Code Makes Ransomware Easy</h2>
<p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-5326" src="https://datarecovery.com/wp-content/uploads/2017/06/hidden-tear-ransomware-ascii-art.png" alt="Hidden Tear Ransomware ASCII art" width="453" height="138" srcset="https://datarecovery.com/wp-content/uploads/2017/06/hidden-tear-ransomware-ascii-art.png 453w, https://datarecovery.com/wp-content/uploads/2017/06/hidden-tear-ransomware-ascii-art-300x91.png 300w" sizes="auto, (max-width: 453px) 100vw, 453px" /></p>
<p>Utku Sen was a Turkish programmer who <a href="https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/">created a ransomware called Hidden Tear</a>. Sen didn&#8217;t want to use the malware for financial gain, but he did want to share his creation. So, he made it freely available to download for educational purposes. Sen built several backdoors into the code so that any files encrypted by it could be decrypted.</p>
<p>Hackers quickly realized they could use Sen&#8217;s code for ransomware campaigns of their own. They also realized that they could tweak the code to close the backdoors. To make matters worse, some of the variants had changes to the code that made it difficult to decrypt—even if the attackers supplied the decryption key.</p>
<p>Variants of Hidden Tear continue showing up in new guises. In June 2017, a <a href="https://twitter.com/ChristiaanBeek/status/899557658071633920">McAfee engineer found</a> that nearly 30 percent of new ransomware strains were based on Hidden Tear.</p>
<p><strong>What it changed:</strong> Hidden Tear provided open-source code for programmers who have minimal skills to attack computers. Even inexperienced hackers who botch the code can wreak havoc and earn money (even if they can&#8217;t successfully decrypt encrypted files).</p>
<h2>WannaCry: With Help From the NSA, Ransomware Spreads Fast</h2>
<p>This sophisticated attack combined ransomware with a worm that targeted a vulnerability in older Microsoft Windows operating systems. The public was shocked to learn that the U.S. <a href="https://www.independent.co.uk/news/uk/home-news/nhs-cyber-attack-edward-snowden-accuses-nsa-not-preventing-ransomware-a7733941.html">National Security Agency had discovered</a> the vulnerability and created a hacking weapon out of it (known as an exploit) rather than report it to Microsoft.</p>
<p>The worm aspect of WannaCry allowed it to spread laterally to other computers on the same network. One of the hardest hit organizations was Britain&#8217;s National Health Service, <a href="https://www.theguardian.com/technology/2017/may/13/nhs-workers-and-patients-on-how-cyber-attack-has-affected-them">whose services were severely disrupted</a>. Germany&#8217;s national railway service, a Spanish telecom giant, and French carmaker Renault <a href="https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.784a9a090698">were all affected by the attack</a> as well.</p>
<p>The cryptoworm spread to over 150 countries over the course of 48 hours. The spread slowed when a <a href="https://www.ncsc.gov.uk/blog-post/finding-kill-switch-stop-spread-ransomware-0">security researcher Marcus Hutchins found a kill switch</a> in the malware&#8217;s code. <a href="https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/">Microsoft also took the unusual step</a> of providing a patch for their older, unsupported operating systems to prevent any further attacks using the NSA exploit.</p>
<p><strong>What it changed:</strong> The attack proved how quickly a combined ransomware/worm can spread—especially on networks using unsupported operating systems. Sadly, the Petya/Nyetna attack that occurred months later successfully <a href="https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/">targeted the same vulnerability</a> on thousands of computers that still were not patched.</p>
<h2>What Comes Next?</h2>
<p>Many of the tactics used by the above strains of ransomware continue to be used today. Mass phishing campaigns conducted by botnets allow attackers to cast a wide net for potential victims. As email providers get better at detecting malware in attachments, hackers change their tactics to better hide it.</p>
<p>To protect your home or business from ransomware attacks, you don&#8217;t need to predict the exact method that hackers will use. Rather, protect yourself from any data loss situation by regularly backing up all essential data. Having reliable backups on media disconnected from your computer can save your data from ransomware attacks and the more mundane situations that might occur.</p>
<p>The post <a href="https://datarecovery.com/rd/4-game-changing-ransomware-attacks/">The 4 Most Game-Changing Ransomware Attacks</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Locky Creators Tweak Variants To Evade Detection</title>
		<link>https://datarecovery.com/rd/locky-creators-tweak-variants-evade-detection/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Wed, 04 Oct 2017 16:53:03 +0000</pubDate>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Data Recovery News]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5438</guid>

					<description><![CDATA[<p>Locky ransomware first appeared in February 2016 using a simple but ingenious social engineering method. <a href="https://arstechnica.com/information-technology/2016/02/locky-crypto-ransomware-rides-in-on-malicious-word-document-macro/">The distributors sent thousands of emails</a> around the world with an infected Microsoft Word document that appeared as gibberish when opened.<br />
The message, &#8220;Enable macro...</p>
<p>The post <a href="https://datarecovery.com/rd/locky-creators-tweak-variants-evade-detection/">Locky Creators Tweak Variants To Evade Detection</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Locky ransomware first appeared in February 2016 using a simple but ingenious social engineering method. <a href="https://arstechnica.com/information-technology/2016/02/locky-crypto-ransomware-rides-in-on-malicious-word-document-macro/">The distributors sent thousands of emails</a> around the world with an infected Microsoft Word document that appeared as gibberish when opened.</p>
<p>The message, &#8220;Enable macro if the data encoding is incorrect,&#8221; would prod users into changing their settings. Those who turned on macros in Word initiated the ransomware&#8217;s installation process and became the first victims of Locky.</p>
<p>Since that first wave of infections, Locky has vanished and then reappeared repeatedly. The one constant is that it always returns with a new extension and a few tweaks to better evade antivirus software.</p>
<div id="attachment_4517" style="width: 604px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-4517" class="wp-image-4517 size-full" src="https://datarecovery.com/wp-content/uploads/2016/04/Locky-ransomware-message-screenshot2.png" alt="Locky ransomware message screenshot" width="594" height="407" srcset="https://datarecovery.com/wp-content/uploads/2016/04/Locky-ransomware-message-screenshot2.png 594w, https://datarecovery.com/wp-content/uploads/2016/04/Locky-ransomware-message-screenshot2-300x206.png 300w" sizes="auto, (max-width: 594px) 100vw, 594px" /><p id="caption-attachment-4517" class="wp-caption-text">A previous Locky version ransom message</p></div>
<h2>Ykcol Variant Uses 7z or 7zip Extension</h2>
<p>The latest incarnation of Locky is the ykcol variant (for those wondering about the unusual name, ykcol is locky backwards). More significant than the updated extension is an updated tactic. This variant is <a href="https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-ykcol-extension-for-encrypted-files/">distributed in a 7z file</a>.</p>
<p>This file extension is probably unfamiliar to less techy computer users—it&#8217;s a format for highly compressed and encrypted files. Most computer users don&#8217;t even have the necessary software for unzipping such a file. Experts believe that the distributors hid the Locky variant in the obscure format to evade the filters of Gmail and other mail providers.</p>
<h2>Ykcol Is the Latest in a String of Variants</h2>
<p>From <a href="https://blog.malwarebytes.com/cybercrime/2017/08/locky-ransomware-returns-to-the-game-with-two-new-flavors/">February 2016 to September 2017</a>, Locky has morphed its .locky extension to .zepto, .odin, .shit, .thor, .aesir, .zzzzz, .osiris, .loptr, .diablo6, .lukitus, and finally, to .ykcol. None of these variants can be decrypted without the key, which only the distributors of the ransomware hold.</p>
<p>Locky has been a persistent threat over the last 18 months, accounting for <a href="https://www.malwarebytes.com/pdf/white-papers/us-ransomware.pdf">14 percent of all ransomware detections globally</a> in fall of 2016. It has since overtaken <a href="https://datarecovery.com/rd/cerber-ransomware-infection-decryption-services/">Cerber</a> as the largest ransomware family. At times, the prolific ransomware appears to become inactive, but time and time again, it has reappeared with new features and distribution tactics.</p>
<h2>Who Created Locky?</h2>
<p>There are numerous clues, but no firm answers as to who created Locky. The ransomware has a flag that detects if a computer&#8217;s operating system uses the Russian language. <a href="https://securingtomorrow.mcafee.com/business/locky-ransomware-makes-comeback-new-diablo6-lukitus-variants/">If the OS is in Russian</a>, Locky and its variants will not infect the computer. On top of that evidence, the majority of the ransomware&#8217;s attacks have been traced to Russia.</p>
<p>Though experts believe that a Russian group is responsible for creating and distributing Locky, it&#8217;s unclear exactly who they are. Locky is one of the most sophisticated ransomware families, so its creators are certainly highly skilled.</p>
<h2>Attacks Continue at Huge Volumes</h2>
<p>In early September 2017, <a href="https://gbhackers.com/massive-locky-ransomware-campaign/">security experts at Appriver</a> detected 23 million spam messages containing Locky in a single 24-hour period. Clearly, the distributors are playing a numbers game. If only a minuscule fraction of those targeted download the ransomware, there will still be plenty of victims and potential ransom payments.</p>
<p>The subject lines of the spam emails contained words like &#8220;please print,&#8221; &#8220;documents,&#8221; or &#8220;photos.&#8221; The attackers attempt to lure in victims with curiosity over what may be attached to the email. Because of the overwhelming number of spam emails sent, it is more important than ever to scrutinize and verify attachments before downloading them.</p>
<p>Other security measures to avoid Locky and other ransomware include:</p>
<ul>
<li>Back up essential files frequently.</li>
<li>Patch all software when updates become available.</li>
<li>Use security software that detects ransomware behavior.</li>
<li>Enable extension viewing so you can see executable files hidden as other documents.</li>
</ul>
<p>Locky continues to evolve and other families of ransomware pose new threats every day. Use good internet hygiene and follow the above tips to avoid the costly effects of a ransomware infection.</p>
<p>The post <a href="https://datarecovery.com/rd/locky-creators-tweak-variants-evade-detection/">Locky Creators Tweak Variants To Evade Detection</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Hidden Tear Ransomware Still Wreaking Havoc</title>
		<link>https://datarecovery.com/rd/hidden-tear-ransomware-still-wreaking-havoc/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Wed, 30 Aug 2017 21:00:42 +0000</pubDate>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Data Recovery News]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5404</guid>

					<description><![CDATA[<p>A Turkish computer programmer had a simple idea—create functional ransomware with backdoors and offer it for free to educate programmers. If any hackers used the malware to encrypt someone&#8217;s files, victims could use the backdoors to restore their data.<br />
The...</p>
<p>The post <a href="https://datarecovery.com/rd/hidden-tear-ransomware-still-wreaking-havoc/">Hidden Tear Ransomware Still Wreaking Havoc</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>A Turkish computer programmer had a simple idea—create functional ransomware with backdoors and offer it for free to educate programmers. If any hackers used the malware to encrypt someone&#8217;s files, victims could use the backdoors to restore their data.</p>
<p>The reality ended up being far more complicated. And two years later, variants of Hidden Tear ransomware continue to victimize internet users around the world.</p>
<h2>The programmer, Utku Sen, created viable ransomware that he dubbed Hidden Tear.</h2>
<p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-5405" src="https://datarecovery.com/wp-content/uploads/2017/08/hidden-tear-info.png" alt="Hidden Tear Info from GitHub" width="619" height="575" srcset="https://datarecovery.com/wp-content/uploads/2017/08/hidden-tear-info.png 619w, https://datarecovery.com/wp-content/uploads/2017/08/hidden-tear-info-300x279.png 300w" sizes="auto, (max-width: 619px) 100vw, 619px" /></p>
<p>He <a href="https://www.utkusen.com/blog/destroying-the-encryption-of-hidden-tear-ransomware.html">explained his rationale for creating the malware</a> shortly after uploading it for public consumption.</p>
<p>Sen said that he wanted computer programming students to see examples of functional ransomware for educational purposes. When he learned about ransomware, there were not actual source-code samples to learn from. He wanted to change that for the next generation.</p>
<p>He had another motivation as well. Sen knew that unskilled hackers could buy ransomware-as-a-service on the dark web and launch attacks with it. Sen&#8217;s idea was to offer Hidden Tear for free to anyone who wanted it. He thought he could rid the market of ransomware-as-a-service by offering the same product for free.</p>
<p>Again, he wrote several flaws into the code so that any files encrypted by the malware could be decrypted. Sen thought that unskilled hackers would use his crackable ransomware because it was free; then, victims could decrypt their files using the built-in flaws.</p>
<p>Sen believed he was helping people who would&#8217;ve fallen victim to ransomware attacks anyway. If hackers were going to infect computers with ransomware, he reasoned, it may as well be with a crackable strain. Hidden Tear successfully gained a foothold in the crowded malware market, but in the process, Sen lost control of it.</p>
<h2>Soon, hackers began closing the backdoors and changing the code.</h2>
<p>Sen <a href="https://www.utkusen.com/blog/destroying-the-encryption-of-hidden-tear-ransomware.html">posted instructions</a> on how to decrypt files affected by Hidden Tear. Researcher <a href="https://twitter.com/demonslay335">Michael Gillespie</a> also <a href="https://www.bleepingcomputer.com/download/hidden-tear-decrypter/">created a decryptor</a> for many of the Hidden Tear variants. Unfortunately, some of the variants destroyed files instead of encrypting them. This meant that even with Gillespie&#8217;s clever decrypter, victims could not retrieve their files.</p>
<p>Within months of Sen publishing Hidden Tear&#8217;s source code in August 2015, security experts identified <a href="http://news.softpedia.com/news/open-source-hidden-tear-ransomware-spawns-24-other-ransomware-variants-499937.shtml">dozens of variants</a> created from it. Even two years later, new strains continue to victimize innocent people. Christiaan Beek, lead scientist and principal engineer at McAfee, recently <a href="https://twitter.com/ChristiaanBeek/status/899557658071633920">tweeted</a> that nearly 30 percent of the new ransomware that the antivirus company discovered in June 2017 was based on Hidden Tear.</p>
<h2>Sen reluctantly took responsibility for the catastrophe.</h2>
<p>Sen himself has admitted that his <a href="https://www.utkusen.com/blog/im-sorry-for-hidden-tear-eda2.html">project was a failure</a>, though he offered several caveats to the admission. He says he partially achieved his goal of making it easier to decrypt victims&#8217; files. Of course, he also made it easier for criminals to encrypt files in the first place.</p>
<p>Sen says another goal was &#8220;destroying the business of ransomware code &amp; service sellers.&#8221; He claims to have had modest success in hurting the ransomware-as-a-service industry in 2016.</p>
<p>However, with names like <a href="https://www.utkusen.com/blog/destroying-the-encryption-of-hidden-tear-ransomware.html">BrainLag and Oxar</a>, new ransomware that uses Hidden Tear as a backbone continues popping up on a regular basis. It&#8217;s possible that these attacks would still occur even without Sen&#8217;s source code, but the programmer made life easier for cybercriminals.</p>
<p>To protect yourself from Hidden Tear variants and other ransomware, practice good internet hygiene. Never click suspicious links or attachments in emails, and keep all software up to date.</p>
<p>Regularly back up all essential data so that you have options if ransomware affects your computer. Hidden Tear and dozens of other ransomware strains aren&#8217;t going away, but you can limit their effect by taking these simple precautions.</p>
<p>The post <a href="https://datarecovery.com/rd/hidden-tear-ransomware-still-wreaking-havoc/">Hidden Tear Ransomware Still Wreaking Havoc</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Petya Ransomware Infection And Decryption Services</title>
		<link>https://datarecovery.com/rd/petya-ransomware-infection-decryption-services/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Tue, 27 Jun 2017 21:36:27 +0000</pubDate>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[bitcoin]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5341</guid>

					<description><![CDATA[<p>A Petya ransomware variant has swept through Europe in a fashion reminiscent of the <a href="https://datarecovery.com/rd/wannacrypt-ransomware-infection-decryption-services/">WannaCry attacks</a> of May 12, 2017. Like WannaCry, the Petya variant spreads using Eternal Blue and has affected the following businesses and organizations:</p>
<p>Utility companies, banks,...</p>
<p>The post <a href="https://datarecovery.com/rd/petya-ransomware-infection-decryption-services/">Petya Ransomware Infection And Decryption Services</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>A Petya ransomware variant has swept through Europe in a fashion reminiscent of the <a href="https://datarecovery.com/rd/wannacrypt-ransomware-infection-decryption-services/">WannaCry attacks</a> of May 12, 2017. Like WannaCry, the Petya variant spreads using Eternal Blue and has affected the following businesses and organizations:</p>
<ul>
<li>Utility companies, banks, airports and supermarkets in Ukraine</li>
<li>Logistics company Maersk in the Netherlands</li>
<li>Food conglomerate Mondelez in Spain</li>
<li>Marketing firm WPP in the U.K.</li>
<li>Pharmaceutical giant Merck in the U.S.</li>
</ul>
<p>Tweets from around the world showed locked screens on ATMs, supermarket registers, and office computers with the same ransom note demanding $300 in Bitcoin.</p>
<blockquote class="twitter-tweet" data-lang="en">
<p dir="ltr" lang="en">All computers in our office are down. Global <a href="https://twitter.com/hashtag/Ransomware?src=hash">#Ransomware</a> attack. I&#8217;ve heard few other companies affected too. Backup and stay safe, guys. <a href="https://t.co/YNctmvdW2I">pic.twitter.com/YNctmvdW2I</a></p>
<p>— Mihir (@mihirmodi) <a href="https://twitter.com/mihirmodi/status/879678870471024640">June 27, 2017</a></p></blockquote>
<p>If a Petya ransomware variant has infected your computer, turn it off, disconnect any media from it, and call Datarecovery.com at 1-800-237-4200. Our security experts will assess your situation and begin planning how to recover your files.</p>
<h2>What is Petya Ransomware (And How Does It Work)?</h2>
<p>Experts first detected <a href="https://www.symantec.com/connect/blogs/petya-ransomware-outbreak-here-s-what-you-need-know">Petya ransomware</a> in 2016. The malware differed from other types of ransomware in that it overwrote and encrypted a computer&#8217;s Master Boot Record preventing it from booting.</p>
<p>The recent attacks, which started on June 27, 2017, appear to be from a variant of Petya (which some experts are calling NotPetya). This new strain of ransomware is far more dangerous because it spreads laterally through networks using the Eternal Blue exploit.</p>
<p>To protect yourself from this Petya variant, <a href="https://researchcenter.paloaltonetworks.com/2017/06/unit42-threat-brief-petya-ransomware/">experts</a> recommend using <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx">this security update</a> from Microsoft, blocking inbound connections on TCP Port 445, and regularly maintaining back-ups of important files.</p>
<h3>Notable Features of Petya Ransomware Include:</h3>
<ul>
<li>Ransom note demands $300 bitcoin payment.</li>
<li>Email provider has shut down developer&#8217;s account making it impossible to notify attackers of paid ransom.</li>
<li>Victims include major companies and organizations in Ukraine, Russia, Netherlands, U.K., France, and United States.</li>
<li>Variant uses NSA&#8217;s Eternal Blue exploit to spread laterally through networks.</li>
</ul>
<p>The Petya variant targets the following file extensions:</p>
<p><em>.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip</em></p>
<p>The above is not necessarily a comprehensive list, but it contains the known targeted extensions. In addition to encrypting the above files, Petya encrypts the Master File Table and overwrites the Master Boot Record, preventing computers from booting up altogether.</p>
<h2>How Does Petya Ransomware Infect My System?</h2>
<p>Researchers still have not pinpointed the initial vector of infection. One theory holds that an Office document attached to a spam email began the infection. Once the ransomware infects one computer on a network, the infection can spread laterally to out-of-date Windows machines.</p>
<h2>Can I Disable or Remove Petya Ransomware Encryption?</h2>
<p>There is no known decrypter for Petya ransomware or its variants. To make matters worse for victims, the email address of the attackers has been shut down. German email provider Posteo followed protocol and made the attacker&#8217;s account completely inaccessible once they learned of the incident.</p>
<p>With no working email address, there is no way to let the attackers know that a victim has paid the ransom. That leaves victims with no choice but to try to recover their files through other means. Datarecovery.com can assist you in locating back-up copies or in restoring partially encrypted files.</p>
<p>Contacting ransomware recovery experts as soon as possible gives victims the best chance at restoring their encrypted files. The specialists at Datarecovery.com have experience at removing malware and recovering seemingly lost documents. Call 1-800-237-4200 to start the process of restoring your files.</p>
<p>The post <a href="https://datarecovery.com/rd/petya-ransomware-infection-decryption-services/">Petya Ransomware Infection And Decryption Services</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Hidden Tear Ransomware Infection and Decryption Services</title>
		<link>https://datarecovery.com/rd/hidden-tear-ransomware-infection-decryption-services/</link>
		
		<dc:creator><![CDATA[Mike Katich]]></dc:creator>
		<pubDate>Fri, 09 Jun 2017 20:47:23 +0000</pubDate>
				<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Ransomware Recovery]]></category>
		<category><![CDATA[Services]]></category>
		<category><![CDATA[bitcoin]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[virus]]></category>
		<guid isPermaLink="false">https://datarecovery.com/?post_type=rd&#038;p=5325</guid>

					<description><![CDATA[<p>Hidden Tear ransomware is an open-source malware program published by its developer for educational purposes. Though the author has since taken the source code offline, hackers around the world have already downloaded and redistributed it. Modified and improved variants of...</p>
<p>The post <a href="https://datarecovery.com/rd/hidden-tear-ransomware-infection-decryption-services/">Hidden Tear Ransomware Infection and Decryption Services</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Hidden Tear ransomware is an open-source malware program published by its developer for educational purposes. Though the author has since taken the source code offline, hackers around the world have already downloaded and redistributed it. Modified and improved variants of the original Hidden Tear have now started to show up around the world.</p>
<p>If a Hidden Tear variant has infected your computer, turn it off, disconnect all media, and call Datarecovery.com at 1-800-237-4200. Our security experts can advise you on your options and begin the recovery process.</p>
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-5326" src="https://datarecovery.com/wp-content/uploads/2017/06/hidden-tear-ransomware-ascii-art.png" alt="Hidden Tear Ransomware ASCII art" width="453" height="138" srcset="https://datarecovery.com/wp-content/uploads/2017/06/hidden-tear-ransomware-ascii-art.png 453w, https://datarecovery.com/wp-content/uploads/2017/06/hidden-tear-ransomware-ascii-art-300x91.png 300w" sizes="auto, (max-width: 453px) 100vw, 453px" /></p>
<h2>What is Hidden Tear Ransomware and How Does It Work?</h2>
<p>Turkish programmer Utku Sen created Hidden Tear ransomware as an educational tool. He wrote a disclaimer on the site where others could download the source code, stating that the program was strictly educational. However, it wasn&#8217;t long before modified versions of the ransomware started infecting computers.</p>
<p><a href="https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-ongoing-development-of-hidden-tear-variants">Trend Micro</a> has already spotted several improved variants of Hidden Tear that allow victims to more easily pay ransoms. This trend follows the familiar pattern of ready-made malware giving attackers more time to focus on adding user-friendly features to increase payouts.</p>
<h3>Notable features of Hidden Tear ransomware include:</h3>
<ul>
<li>Open-source code allowed hackers to start with functional malware and improve it in a variety of ways.</li>
<li>Often has a more user-friendly interface (e.g. it can leave some files unencrypted or have a FAQ menu about payments).</li>
<li>Source code is behind many new variants such as <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/new-open-source-ransomwar-based-on-hidden-tear-and-eda2-may-target-businesses/">KaoTear</a>, <a href="https://blog.malwarebytes.com/threat-analysis/2016/08/pokemongo-ransomware-comes-with-some-clever-tricks/">POGOTEAR</a>, and <a href="https://www.bleepingcomputer.com/news/security/new-fsociety-ransomware-pays-homage-to-mr-robot/">Fsociety</a>.</li>
</ul>
<p>The diversity of variants shows how big of a head start hackers have when they begin with viable malware. Instead of having to write sophisticated source code, they simply modify existing ransomware and add unique graphics or features. In the case of KaoTear, the attackers opened up an entirely new market by translating the ransom note into Korean and targeting a South Korean messaging app.</p>
<h2>How Does Hidden Tear Ransomware Infect My System?</h2>
<p>Because there are a variety of attackers distributing Hidden Tear variants, there&#8217;s no one particular vector of infection. However, due to its small file size of just 12 KB, attackers can easily hide the malware in an attachment to a phishing email. The POGOTEAR and KaoTear variants are disguised as a Pokemon app and a messaging app, which victims mistake for legitimate software.</p>
<p>Different variants of Hidden Tear target different files for encryption. A variant called May avoids encrypting files in several key directories to leave a computer more functional, presumably to make it easier to pay the ransom through an infected computer. A variant called MoWare targets the Desktop, Personal, MyMusic, and MyPictures folders. Because attackers can easily alter the source code, they can target any number of folders or files.</p>
<h2>Can I Disable or Decrypt Hidden Tear Ransomware?</h2>
<p>There is a freely available decrypter that works for many Hidden Tear variants. Due to the great variation within the ransomware family, this tool may or may not work for an infected computer. The security specialists at Datarecovery.com can assist you in determining what plan of action will most quickly restore your files.</p>
<p>If a Hidden Tear variant or other ransomware has infected your computer, call 1-800-237-4200 to speak with a malware expert. We can discuss your options and create a recovery plan to restore your files as soon as possible.</p>
<p>The post <a href="https://datarecovery.com/rd/hidden-tear-ransomware-infection-decryption-services/">Hidden Tear Ransomware Infection and Decryption Services</a> appeared first on <a href="https://datarecovery.com">Datarecovery.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
