"Malware Fix: a collection of fixes for computer virus problems, a project to do good for society" "Apologies to all visitors who come here: there have not been many updates or tests of new viruses lately, because of work obligations"

Alert


Warning! Crypt0L0cker (Ransomware)
encrypts the data on your computer; it is spreading in Thailand
and spreading heavily in Korea
ThaiCERT, Crypto Prevention Tool

*Never pay the ransom under any circumstances: you will lose the money and still not get your data back
Please help share this with anyone who reads it
How to remove Crypt0L0cker

4/26/2561

VevoLocker ransomware

Security researchers observed a new ransomware strain dubbed VevoLocker. Its variants have already encrypted multiple websites, including the official webpage of the Ukrainian Ministry of Energy and several Danish webpages.
Before seeing what steps you have to take to avoid this infection, let’s examine it further.
How the infection happens:
VevoLocker gained access to web servers and encrypted their contents by exploiting well-known vulnerabilities in popular CMS platforms such as Drupal, and by abusing Remote Desktop Protocol (RDP) access.
Among the well-known vulnerabilities VevoLocker takes advantage of is Drupalgeddon2.
Once a vulnerable web server is discovered, VevoLocker encrypts .css, .htm, .html, .js, and .php files, essentially blocking all aspects of a site's content and functionality.
“Drupalgeddon2 is a highly critical remote code execution bug affecting most Drupal sites which was disclosed at the end of March. It is also possible (although less likely) that someone is already exploiting CVE-2018-7602 which the Drupal team announced just yesterday but has yet to provide a public fix,” explained Craig Young, a Tripwire researcher.
In order to recover their website content, victims have to pay a 0.01 Bitcoin ransom. While that translates to around $90, as with all ransomware attacks, victims have no guarantee of recovering their data.
[Image: VevoLocker ransomware ransom message]
The VevoLocker ransomware already has a few variants. Victims will see an image like the one above instead of their usual webpage content.
The extortion messages, received via email or social media, can look like this:
  • Locked.
  • Ooops!
  • Locked by ALx
  • Website Locked!
  • HACKED BY CENTR1X
  • hacked by n00p
  • fils are descrypted
Some campaigns have even referred directly to Facebook pages such as https://www.facebook.com/bloodsec.gov/ or https://www.facebook.com/andi.s.cliquers2.
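Because VevoLocker's visible effect is that every .css, .htm, .html, .js and .php file under the web root is rewritten at once, a defender can catch it with a hash baseline of those file types and an alarm on bulk change. The following is an added example, not code from the original alert or from Heimdal; the web root, the 50% threshold and the constructed sample files are assumptions for the demo.

```python
import hashlib
import os
import tempfile

# File types the alert says VevoLocker encrypts on a compromised web server.
WATCHED_EXT = {".css", ".htm", ".html", ".js", ".php"}


def snapshot(root):
    """Map relative path -> SHA-256 for every watched file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WATCHED_EXT:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(full, root)] = digest
    return result


def compare(baseline, current, alert_ratio=0.5):
    """Return (changed, missing, alarm). alarm is True when at least
    alert_ratio of the baselined files changed or vanished in one sweep,
    which looks like bulk encryption rather than a normal content edit."""
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    affected = len(changed) + len(missing)
    alarm = bool(baseline) and affected / len(baseline) >= alert_ratio
    return changed, missing, alarm


def demo():
    """Constructed mini web root (assumption): baseline it, then simulate
    the ransomware overwriting every watched page with random bytes."""
    root = tempfile.mkdtemp()
    for name in ("index.php", "style.css", "app.js", "about.html", "notes.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("original " + name)
    baseline = snapshot(root)
    for name in ("index.php", "style.css", "app.js", "about.html"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(os.urandom(32))  # notes.txt is left untouched
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    changed, missing, alarm = demo()
    print("changed:", changed, "missing:", missing, "ALARM" if alarm else "ok")
```

In production the baseline would be written to read-only or offline storage at deploy time, since a copy sitting on the web server is encrypted along with everything else.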

How to stay safe from the VevoLocker ransomware:

As no decryption tool for VevoLocker appears to be available yet, consider the following:
To prevent a ransomware attack, keep your CMS software continuously updated, and choose a solution that automatically runs vulnerability scans against your web servers and services.
Another effective way to avoid VevoLocker and other ransomware variants is to disable global (internet-wide) access to the Remote Desktop Protocol (RDP).

Here is a general anti-ransomware protection plan that will be useful in case of future threat campaigns:

  1. Always back up your data and store it on external media such as a hard drive or in the cloud (Google Drive, Dropbox, etc.). Our guide will show you how to do it;
  2. Always update any CMS or tool you use in order to avoid known vulnerabilities;
  3. Use strong, unique passwords and only share credentials if it is absolutely necessary. This security guide comes in handy;
  4. Consider using paid antivirus software that is kept up to date, or proactive anti-ransomware protection (here's what Heimdal PRO can do for you);
  5. Prevention is the way to avoid potential financial and data losses. These free educational resources can help you gain more knowledge in the cybersecurity field.
Credit : heimdalsecurity.com

4/22/2561

GandCrab ransomware

Security Alert: GandCrab Ransomware Returns with New Waves of Spam Campaigns

In which the malware is spread via malicious files


You may be familiar with GandCrab ransomware, which is widely spread via various spam campaigns and social engineering techniques to infect systems and harvest users' most important data. This fast-growing malware has infected more than 50,000 victims, mostly in Scandinavia and English-speaking countries, according to a Check Point report.
Security researchers recently analyzed a new spam campaign in which malicious actors try to lure victims into clicking a malicious link that downloads a binary file and infects the user's system with the GandCrab ransomware.
This phishing campaign has been delivered with the following content (sanitized for your protection).
Here is what the email looks like:
From: [Spoof / Forwarded Sender Address]
Subject Line:
Job: Banking Opportunities, Greymouth
Content:
Dear Hiring Manager
Please review my [link: http: // abuellail [.] Com / resume. php] resume
Charlotte Anderson
Email: charlotte.anderson @ abuellail [.] com
If a user clicks the link in the email, they are redirected to one of the following compromised web pages (sanitized for your online safety):
test.ritsdb [.] com
ubsms [.] com
test.technostark [.] com

How the infection happens

The malware is spread as an executable binary file (resume.exe); once GandCrab is running on the local machine, it reappears as a file called “bhxsew.exe”.
During the process, the ransomware will try to determine the victim's external IP address via legitimate services such as:
http: // ipv4bot.whatismyipaddress[.]com
http: // bot.whatismyipaddress[.]com
The main component of GandCrab is “dropped” as a “bhxsew.exe” file in the <Windows appdata> directory. As part of the local data encryption, this malicious file is configured to communicate with the following domains:
zonealarm[.]bit
ransomware[.]bit
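The two behaviours described above, an external-IP check against whatismyipaddress followed by lookups of .bit domains, are both visible in ordinary proxy and DNS logs. The following is an added example, not code from the original alert or from Heimdal: it matches those indicators against constructed log lines, and it flags any .bit lookup rather than only the two domains named, since that Namecoin TLD does not resolve through normal DNS. The log format and sample lines are assumptions made for the demo.

```python
import re

# Indicators quoted in the alert above. Any .bit lookup is treated as
# suspicious on a normal network, not just the two named domains.
IP_CHECK_HOSTS = {"ipv4bot.whatismyipaddress.com", "bot.whatismyipaddress.com"}
C2_DOMAINS = {"zonealarm.bit", "ransomware.bit"}

# Assumed line formats (not a real product's format):
#   "<ts> PROXY <src_ip> <host> <path>"  and  "<ts> DNS <src_ip> <qname>"
LOG_RE = re.compile(r"^(\S+) (PROXY|DNS) (\S+) (\S+)")


def classify(line):
    """Return a tag for a suspicious line, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, kind, _src, name = m.groups()
    host = name.lower().rstrip(".")  # normalise case and trailing-dot FQDNs
    if host in C2_DOMAINS or host.endswith(".bit"):
        return "c2-lookup"
    if kind == "PROXY" and host in IP_CHECK_HOSTS:
        return "external-ip-check"
    return None


def scan(lines):
    """Group suspicious lines by source host so an analyst sees, per machine,
    the pairing the alert describes (IP check plus .bit lookups)."""
    hits = {}
    for line in lines:
        tag = classify(line)
        if tag:
            src = LOG_RE.match(line).group(3)
            hits.setdefault(src, set()).add(tag)
    return {src: sorted(tags) for src, tags in hits.items()}


# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = """\
2018-04-20T09:01:02Z PROXY 10.0.0.12 www.example.com /index.html
2018-04-20T09:01:05Z PROXY 10.0.0.25 ipv4bot.whatismyipaddress.com /
2018-04-20T09:01:06Z DNS 10.0.0.25 zonealarm.bit
2018-04-20T09:01:07Z DNS 10.0.0.25 ransomware.bit.
2018-04-20T09:02:00Z DNS 10.0.0.40 mail.example.com
""".splitlines()

if __name__ == "__main__":
    for src, tags in scan(SAMPLE_LOG).items():
        print(src, ",".join(tags))
```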
GandCrab ransomware is not spread only via spam emails but also seen distributed via an exploit kit campaign called MagnitudeEK which abuses software vulnerabilities found in Windows, Adobe Flash Player, and Silverlight.
With regard to the Magnitude EK campaign, security researchers have seen a flood of subdomains being used under this site:
lieslow [.] faith
Malwarebytes Labs recently found that Magnitude EK, “which had been loyal to its own Magniber ransomware, was now being leveraged to push out GandCrab, too.”
Here’s how the ransom note is displayed on the infected machine:
Heimdal Security proactively blocked these infected domains (and malicious emails), so all Heimdal PRO and Heimdal CORP users are protected.
According to VirusTotal, 24 out of 64 antivirus products had detected this spam email campaign at the time we wrote this security alert.

How to stay safe from the GandCrab ransomware

One of the best ways to keep your important data safe from ransomware is to think and act proactively.
To minimize both the risks and the impact of these online threats, we recommend that both home users and companies apply these security measures:
  1. Always back up your data and store it on external media such as a hard drive or in the cloud (Google Drive, Dropbox, etc.). Our guide will show you how to do it;
  2. DO NOT open spam, and do not download attachments or follow links from unknown sources that could infect your computer;
  3. Use strong and unique passwords and never reuse them across multiple accounts. This security guide comes in handy;
  4. Consider using paid antivirus software that is kept up to date, or proactive anti-ransomware protection (here's what Heimdal PRO can do for you);
  5. Prevention is the best cure, so make sure you learn as much as possible about how to easily detect spam emails. These free educational resources can help you gain more knowledge in the cybersecurity field;
  6. Given the rise of new types of malware (version 2 of GandCrab ransomware is already out there and, unfortunately, there is no decryption tool available for it), we remind you that security is not just about using one solution or another; it is also about improving your online habits and being proactive.
Should you need to understand what ransomware is all about, this dedicated guide will help you.
If you’ve been a victim of the GandCrab ransomware, the good news is that there’s a decryption tool available you can use to recover the valuable data locked by ransomware.
Credit : heimdalsecurity.com

Information

==============================================
PeeTechFix >> JupiterFix
==============================================

How to use: JupiterFix-Win32.PSW.OnlineGames
You can check the list of viruses the program can clean in VirusList.txt
-------------------------------------------------------------------------------------
If you have downloaded the PeeTechFix tool and run into problems or cannot remove the virus, please report the problem by email to MalwareHunter.info@gmail.com, and if possible send the virus file as well; it would be greatly appreciated.
-------------------------------------------------------------------------------------
Safemode Recovery (.reg): fixes the problem where a virus has deleted the Safeboot key so that Safe Mode cannot be entered
------------------------------------------------------------------------------------
How to fix the error message (fixes being unable to open .exe files on a USB drive)
"Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator"
For the fix, see this link.
-------------------------------------------------------------------------------------
How to fix MSN / Windows Live Messenger disconnecting (caused by the OnlineGames virus)
-------------------------------------------------------------------------------------
How to start Windows in Safe Mode
