"Malware Fix: a collection of fixes for computer virus problems, a project to do good for society" "Apologies to everyone who visits: there have not been many updates or tests of new viruses lately because of work obligations."

Alert


Warning! Crypt0L0cker (ransomware)
encrypts the data on your computer; it is spreading in Thailand
and spreading heavily in Korea.
ThaiCERT, Crypto Prevention Tool

*Never pay the ransom under any circumstances: you will lose the money and still not get the data back.
Please share this with others.
How to remove Crypt0L0cker

12/09/2561 (Thai Buddhist Era; 2018)

Quick checklist for ransomware protection

Take the time to see how to avoid ransomware attacks with this essential checklist. How many check marks can you score?


Ransomware Decrypter Tool

Agent.iih decrypting tool (decrypted by the Rakhni Decryptor)
Aura decrypting tool (decrypted by the Rakhni Decryptor)
AutoIt decrypting tool (decrypted by the Rannoh Decryptor)
Cryakl decrypting tool (decrypted by the Rannoh Decryptor)
Crybola decrypting tool (decrypted by the Rannoh Decryptor)
Cryptokluchen decrypting tool (decrypted by the Rakhni Decryptor)
CrySIS decrypting tool (decrypted by the Rakhni Decryptor – additional details)
Democry decrypting tool (decrypted by the Rakhni Decryptor)
Fury decrypting tool (decrypted by the Rannoh Decryptor)
Lamer decrypting tool (decrypted by the Rakhni Decryptor)
Lortok decrypting tool (decrypted by the Rakhni Decryptor)
Pletor decrypting tool (decrypted by the Rakhni Decryptor)
Rotor decrypting tool (decrypted by the Rakhni Decryptor)
Source: Heimdalsecurity.com

11/09/2561 (Thai Buddhist Era; 2018)

Dharma ransomware

Security Alert: New Dharma Ransomware Strains Alarmingly Go Undetected By Antivirus Engines

At least four new strains appeared recently. We even discovered one that goes undetected by almost all the antivirus engines on the market.


Dharma ransomware is one of the oldest ransomware families in existence and yet it still wreaks havoc, undetected by security solutions. 
October and November saw the appearance of at least four new strains.
We discovered one that goes undetected by almost all the antivirus engines on the market. 
If this trend continues, users who rely on antivirus alone for ransomware protection will be at risk of losing their data forever – there is no free decryption tool for the new Dharma (CrySiS) ransomware strains. 
This month, security researcher Jakub Kroustek found several new Dharma ransomware strains which encrypt the victim's files with a ".betta" or ".xxxxx" extension and ask for the ransom to be paid via either the "backtonormal@foxmail.com" or the "syndicateXXX@aol.com" email address.
Even though Jakub Kroustek posted his findings about the @foxmail variant on October 19, at the time of writing (November 7) only 44 out of 67 antivirus engines on VirusTotal detected the malicious file he uncovered.

Now, in our research, we found another new type of Dharma ransomware, which goes undetected by almost all security solutions. 

Needless to say, this poses a huge risk to both home users and organizations without proper security layers and awareness. 
And yes, it’s the same cybercriminal or group of criminals associated with the backtonormal@foxmail.com email address.  
How bad is it? 

Only a single antivirus engine picks it up, out of 67 listed.

Even though some details associated with it have been flagged by researchers as malicious for almost 2 years now, because of the nature of the Dharma ransomware, detection levels are critically low.
Even when using the Jotti malware scan tool, only 1 out of 15 malware scanners pick up this dangerous ransomware strain.  
Our own investigation began with a malicious exe dropped through a .NET file and another associated HTA file, which, once unpacked, directs the victim to pay a Bitcoin ransom to the backtonormal@foxmail.com email address. 
We double-checked the HTA file using ID Ransomware, a tool that identifies the family from the ransom note, and the result came back as the Dharma (.cezar) ransomware family.
Security researcher Michael Gillespie warned that Dharma was intensifying back in 2017. Now he has also found a Dharma ransomware strain that uses a .NET dropper to spread. Once it lands on an unprotected device, it encrypts files with a ".tron" extension and demands payment via the xtron@cock.li or xtron@fros.cc email addresses.
He submitted the findings to VirusTotal on November 6, and, at the time of writing this security alert, only 28 out of 66 antivirus engines are capable of detecting this malicious file.  
What happened? 
As we outlined above, as of now, November 7, only 1 out of 67 antivirus engines detects this type of Dharma ransomware. For the other researchers' findings, antivirus detection is still woefully lagging behind because of the nature of the infection.

How the infection happens: 

From our investigation so far, the infection vector for this particular Dharma ransomware has been Windows RDP (Remote Desktop Protocol). The malicious executable does not exploit a software vulnerability; it is copied in and run by an attacker who already holds a session, Trojan-style.
Malicious actors use remote port scanners to sweep enterprise address ranges for RDP-enabled endpoints, which employees commonly use to log in from home. Once they find one, they try to log in by guessing the administrator account name and brute-forcing the password. Once in, they copy the ransomware onto the host and execute it. Because the stolen account usually has admin rights, the attackers can also turn off whatever protections are in place before running it, so strong passwords (and exposing RDP only behind a VPN or to allow-listed addresses) are essential.
Dharma ransomware strains associated with the backtonormal@foxmail.com ransom address encrypt files with extensions including but not limited to:
.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, .sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps. 
Most Dharma ransomware infections happen locally and the strains we uncovered follow the same pattern.  
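The RDP brute-force pattern described above is easy to spot in Windows Security audit logs once the events are exported. The following Python is an added example written for this page, not code from Heimdal or from the original post. It assumes the events have already been parsed into tuples (for example from a SIEM export or `wevtutil qe Security`), and the sample records embedded in it are constructed, not real telemetry. It flags a source that produces many failed logons (event 4625) in a short window and reports whether a successful logon (event 4624) from the same source followed, which is the moment the attacker starts copying the ransomware onto the host.

```python
# Added example, not code from the original article: detect the RDP
# brute-force pattern described above (many failed logons from one source,
# then a success) in Windows Security audit events.
#
# Assumptions not stated on the page: events have already been exported and
# parsed into (timestamp, event_id, source_ip, account, logon_type) tuples,
# for example from a SIEM or `wevtutil qe Security`. Event 4625 is a failed
# logon, 4624 a successful one. Logon type 10 is RemoteInteractive (RDP); with
# Network Level Authentication enabled, failed RDP attempts are commonly
# recorded as logon type 3 (Network), so both types are examined.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # burst from one source guessing admin account names, then a success
    ("2018-11-07 02:14:01", 4625, "203.0.113.45", "administrator", 3),
    ("2018-11-07 02:14:03", 4625, "203.0.113.45", "administrator", 3),
    ("2018-11-07 02:14:06", 4625, "203.0.113.45", "admin", 3),
    ("2018-11-07 02:14:09", 4625, "203.0.113.45", "admin", 3),
    ("2018-11-07 02:14:12", 4625, "203.0.113.45", "administrator", 3),
    ("2018-11-07 02:14:15", 4625, "203.0.113.45", "administrator", 3),
    ("2018-11-07 02:14:29", 4624, "203.0.113.45", "administrator", 10),
    # one mistyped password from a known user, then a success: benign
    ("2018-11-07 09:00:00", 4625, "192.0.2.10", "alice", 10),
    ("2018-11-07 09:00:08", 4624, "192.0.2.10", "alice", 10),
    # slow trickle, one failure an hour: under the rate for a 10-minute window
    ("2018-11-07 10:00:00", 4625, "198.51.100.7", "administrator", 3),
    ("2018-11-07 11:00:00", 4625, "198.51.100.7", "administrator", 3),
    ("2018-11-07 12:00:00", 4625, "198.51.100.7", "administrator", 3),
    ("2018-11-07 13:00:00", 4625, "198.51.100.7", "administrator", 3),
    ("2018-11-07 14:00:00", 4625, "198.51.100.7", "administrator", 3),
    ("2018-11-07 15:00:00", 4625, "198.51.100.7", "administrator", 3),
    # console logon failure (type 2) is not RDP and is ignored
    ("2018-11-07 12:30:00", 4625, "127.0.0.1", "bob", 2),
]

RDP_LOGON_TYPES = {3, 10}
FAILED, SUCCESS = 4625, 4624


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: summary} for every source that produced at least
    `threshold` failed RDP-type logons inside any `window`-long span.
    The summary records how many failures, which account names were tried,
    and which account (if any) logged in successfully after the burst."""
    by_ip = defaultdict(list)
    for ts, event_id, ip, account, logon_type in events:
        if logon_type in RDP_LOGON_TYPES and event_id in (FAILED, SUCCESS):
            by_ip[ip].append((_ts(ts), event_id, account))

    hits = {}
    for ip, records in by_ip.items():
        records.sort()
        failures = [r for r in records if r[1] == FAILED]
        # Slide a window over the failures; the first qualifying burst is enough.
        for i in range(len(failures)):
            j = i
            while j + 1 < len(failures) and failures[j + 1][0] - failures[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst = failures[i:j + 1]
                later_success = [r for r in records if r[1] == SUCCESS and r[0] >= burst[-1][0]]
                hits[ip] = {
                    "failures": len(burst),
                    "accounts": sorted({r[2] for r in burst}),
                    "compromised": later_success[0][2] if later_success else None,
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        verdict = f"SUCCESS as {info['compromised']}" if info["compromised"] else "no success yet"
        print(f"{ip}: {info['failures']} failed RDP logons for {info['accounts']}, {verdict}")
```

Tune `threshold` and `window` to the environment: the slow trickle of one guess an hour in the third sample source needs a longer window to catch, and a successful logon after a burst from an address that is not a known VPN concentrator or jump host should page someone rather than just be logged.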

And here comes the worst news: even if you pay the ransom, the attacker will not decrypt your files.

This malware strain and other similar ones never try to connect to a command-and-control server. The encryption key is generated locally and is not sent back to the attacker, so any key the attacker offers in return for payment is a fake. (One caveat for practitioners: working offline does not by itself prove the key is lost, since many families wrap the local key with an embedded attacker public key instead; the practical point is that a victim has no way to verify the attacker's claim, which is one more reason never to pay.)

How to stay safe from the Dharma ransomware: 

The only way to be safe from ransomware is to proactively defend your devices by backing up your info often and using multiple security layers, not just Antivirus alone.   
For Dharma ransomware in particular, strong passwords and 2-factor authentications are mandatory, for the reasons we outlined above. 
The newest Dharma (CrySiS) ransomware strains have no decryption tools available, so in this case prevention beats the cure. For online safety, we recommend the following anti-ransomware measures:
  1. Always back up your data in multiple locations, for example on an external hard drive and in the cloud (Google Drive, Dropbox, etc.). Keep at least one copy offline or otherwise unreachable from the infected account, since an attacker with admin rights can delete backups that are mounted or reachable over the network. Our guide shows you how to do it;
  2. Always keep your software updated to the latest versions, as malware and ransomware usually target outdated programs and apps.
  3. Use strong passwords for every account, personal or business. At the enterprise level, Dharma ransomware compromises an endpoint through brute-force attacks on exposed RDP in order to gain access and execute the malicious file.
  4. DO NOT open spam emails or download or copy attachments, links or files from unknown sources that could infect your computer;
  5. For protection from common ransomware strains, use multiple security layers. Antivirus should be the base, but you should also have proactive anti-malware solutions with behavioral analysis. Your browser should have protections such as ad blockers in place.
  6. Given the rise of new types of malware, remember that security is not just about using the latest tools; it is also about getting educated so you can spot suspicious activity. These free educational resources can help you gain more knowledge in the cybersecurity field;
  7. If you do get infected with ransomware (Dharma or another family), duplicate your encrypted files and keep the copy safe before attempting any decryption. That way, if a decryption tool becomes available in the future, you can still restore your files.
  8. Lastly, never pay the ransom. As shown above, there is no guarantee and almost no chance of recovering your data.
Credit: heimdalsecurity.com

4/26/2561 (Thai Buddhist Era; 2018)

VevoLocker ransomware

Security researchers observed a new ransomware strain dubbed VevoLocker. Its variants have already encrypted multiple websites, including the official webpage of the Ukrainian Ministry of Energy and several Danish webpages.
Before seeing what steps you have to take to avoid this infection, let’s examine it further.
How the infection happens:
VevoLocker gained access to web servers and encrypted their contents by exploiting well-known vulnerabilities in popular CMS platforms such as Drupal, and through exposed Remote Desktop Protocol (RDP) access.
The VevoLocker ransomware takes advantage of a few well-known vulnerabilities such as Drupalgeddon2.
Once a vulnerable web server is found, VevoLocker encrypts .css, .htm, .html, .js and .php files, effectively taking down all of a site's content and functionality.
“Drupalgeddon2 is a highly critical remote code execution bug affecting most Drupal sites which was disclosed at the end of March. It is also possible (although less likely) that someone is already exploiting CVE-2018-7602 which the Drupal team announced just yesterday but has yet to provide a public fix,” explained Craig Young, a Tripwire researcher.
In order to recover their website content, victims have to pay a 0.01 Bitcoin ransom. While that translates to around $90, as with all ransomware attacks, victims have no guarantee of recovering their data.
[Image: VevoLocker ransom message displayed in place of the website]
The VevoLocker ransomware already has a few variants. Victims will see an image like the one above instead of their usual webpage content.
The extortion messages, received via email or social media, can look like this:
  • Locked.
  • Ooops!
  • Locked by ALx
  • Website Locked!
  • HACKED BY CENTR1X
  • hacked by n00p
  • fils are descrypted
Some campaigns have even referred directly to Facebook pages such as https://www.facebook.com/bloodsec.gov/ or https://www.facebook.com/andi.s.cliquers2.

How to stay safe from the VevoLocker ransomware:

As VevoLocker does not seem to have a decryption tool available yet, consider the following:
To prevent a ransomware attack, keep your CMS software continuously updated, and use a solution that automatically runs vulnerability scans against your web servers and services.
Another great method to avoid VevoLocker and other ransomware variants is to disable global access to the Remote Desktop Protocol (RDP).
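VevoLocker's effect on a web root is a mass rewrite of .css, .htm, .html, .js and .php files at once, which a routine file-integrity comparison can catch long before a visitor reports the ransom page. The Python below is an added example for this page, not code from Heimdal or from any VevoLocker analysis; the small site it creates in a temporary directory is constructed for the demonstration, and the assumed workflow (baseline the known-good site, store the baseline off the server, re-run the comparison from cron) is not something the page describes.

```python
# Added example, not code from the original article: a minimal integrity
# check for a web root that catches the mass rewrite of .css/.htm/.html/.js/
# .php files that VevoLocker performs. Assumed workflow (not on the page):
# record a baseline of SHA-256 hashes while the site is known good, keep that
# baseline off the server, and re-run the comparison from cron, alerting when
# more than a small fraction of watched files change in one interval.
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

WATCHED = {".css", ".htm", ".html", ".js", ".php"}


def baseline(root):
    """Map each watched file (relative POSIX path) under root to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WATCHED:
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(before, after, max_changed_ratio=0.2):
    """Compare two baselines. Returns (alert, report): alert is True when the
    share of watched files that changed or vanished exceeds max_changed_ratio.
    A normal deploy touches a few files; an encryptor touches nearly all."""
    changed = sorted(k for k in before if k in after and before[k] != after[k])
    removed = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    ratio = (len(changed) + len(removed)) / max(len(before), 1)
    report = {"changed": changed, "removed": removed, "added": added, "ratio": round(ratio, 3)}
    return ratio > max_changed_ratio, report


def run_demo():
    """Constructed scenario (not real site data): a small site, one legitimate
    edit, then a simulated encryption of every watched file."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    site = {
        "index.php": "<?php echo 'home'; ?>",
        "login.php": "<?php session_start(); ?>",
        "admin/config.php": "<?php $db = 'prod'; ?>",
        "admin/users.php": "<?php list_users(); ?>",
        "includes/db.php": "<?php connect(); ?>",
        "index.html": "<html><body>home</body></html>",
        "about.htm": "<html><body>about</body></html>",
        "js/app.js": "console.log('app');",
        "js/vendor.js": "window.v = 1;",
        "css/site.css": "body { margin: 0; }",
        "img/logo.png": "not-a-real-png",  # not a watched extension
    }
    for rel, body in site.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    good = baseline(root)

    # Legitimate maintenance: one template edited.
    (root / "index.php").write_text("<?php echo 'welcome'; ?>")
    benign = compare(good, baseline(root))

    # Simulated ransomware: every watched file overwritten with ciphertext-like bytes.
    for rel in good:
        (root / rel).write_bytes(os.urandom(64))
    attack = compare(good, baseline(root))

    shutil.rmtree(root)
    return benign, attack


if __name__ == "__main__":
    (benign_alert, benign_report), (attack_alert, attack_report) = run_demo()
    print("after one edit: alert =", benign_alert, benign_report["changed"])
    print("after mass rewrite: alert =", attack_alert, "ratio =", attack_report["ratio"])
```

The baseline must live somewhere the web server's account cannot write, otherwise an attacker with RDP or shell access on the box can simply re-baseline after encrypting. A threshold of 20% of watched files changed is generous for most sites: a content deploy touches a few templates, an encryptor touches all of them.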

Here is a general anti-ransomware protection plan that will be useful in case of future threat campaigns:

  1. Always backup your data and use external sources such as a hard drive or in the cloud (Google Drive, Dropbox, etc.) to store it. Our guide will show you how to do it;
  2. Always update any CMS or tool you use in order to avoid vulnerabilities.
  3. Use strong, unique passwords and only share credentials if it is absolutely necessary. This security guide comes in handy;
  4. Consider using a paid antivirus product that is kept up to date, or proactive anti-ransomware protection (here is what Heimdal PRO can do for you).
  5. Prevention is the way to avoid financial and data losses. These free educational resources can help you gain more knowledge in the cybersecurity field.
Credit: heimdalsecurity.com

Information

==============================================
PeeTechFix >> JupiterFix
==============================================

How to use: JupiterFix-Win32.PSW.OnlineGames
You can check the list of viruses the program can clean in VirusList.txt
-------------------------------------------------------------------------------------
If you have downloaded the PeeTechFix tool and run into problems, or it cannot remove the infection, please report the problem to email: MalwareHunter.info@gmail.com, or send the virus file as well. It would be greatly appreciated.
-------------------------------------------------------------------------------------
Safe Mode Recovery (.reg): fixes the problem where a virus has deleted the SafeBoot registry key so that Safe Mode cannot be entered
------------------------------------------------------------------------------------
How to fix the error message (the problem of .exe files on a USB drive not opening)
"Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator"
See this link for the fix.
-------------------------------------------------------------------------------------
How to fix MSN / Windows Live Messenger disconnecting (caused by the OnlineGames virus)
-------------------------------------------------------------------------------------
How to start Windows in Safe Mode
