Tag Archive for: Blog

Hunt Ransomware (bughunt@keemail[.]me) – Decrypt Guide & Removal – Gridinsoft Blog


Hunt ransomware is a new sample of the Dharma/CrySis ransomware family that appeared on April 5, 2024. This malware encrypts files and demands a ransom payment for their decryption. It targets home users and corporations indiscriminately, adjusting the ransom demand to the victim. Jakub Kroustek was the first to discover this malware.


As I’ve said in the introduction, Hunt is a new sample of the Dharma ransomware family, and as a member of that family it follows its behavior patterns. The most noticeable one for the victim is the complex extension appended to each encrypted file, which contains the victim’s ID, the contact email (bughunt@keemail[.]me) and the .hunt extension itself. After encryption, the files look like this:

image.png → image.png.id-C3B22A85.[bughunt@keemail[.]me].hunt
document.docx → document.docx.id-C3B22A85.[bughunt@keemail[.]me].hunt

Encrypted files after the Hunt ransomware attack

Hunt ransomware walks through all user disks, searching for files it can encrypt. It can encrypt the vast majority of them, from images and videos to project files of specific software suites. However, the malware carefully avoids system files, probably to prevent system malfunctions that could force the user to reinstall the operating system.

Before encrypting anything, the malware disables built-in Windows backup options such as Restore Points and Shadow Copies. Since these are useful for reverting the system to its pre-encryption state, this step is expected. Hunt ransomware uses the command below to accomplish this.

vssadmin delete shadows /all /quiet

After finishing the encryption (i.e. once it can find no more unencrypted files), Hunt ransomware drops a text file with a ransom note. It also opens an HTA file with more detailed information about what has happened and instructions for paying the ransom. You can see the example of this pop-up…

Source…

MrB Ransomware (.mrB Files) – Analysis & File Decryption – Gridinsoft Blog


MrB ransomware is a new Dharma ransomware sample, discovered on February 21, 2024. It is distinctive for applying a complex extension to the encrypted files that ends with “.mrB”. This ransomware primarily attacks small corporations and asks the ransom only for decrypting the files, i.e. it does not practice double extortion. Jakub Kroustek was the first to discover and report this ransomware sample.

What is mrB Ransomware?

As I’ve described in the introduction, mrB is a sample of Dharma ransomware, a malware family active since 2016. It is known for adding a long extension to every file it encrypts, consisting of the victim ID, the contact email and the extension itself. The encrypted file name ends up looking like this:

Media1.mp3 → Media1.mp3.id-C3B22A85.[mirror-broken@tuta[.]io].mrB

Files encrypted by mrB ransomware

MrB ransomware encrypts a wide range of file formats, from images and documents to files of some specific software suites. After finishing the encryption, it opens a pop-up ransom note in the form of an HTA file and also drops a readme text file. The latter appears in every folder that contains encrypted files. Below, you can see the contents of both ransom notes.

MrB ransomware note

Contents of the readme text file:

Your data has been stolen and encrypted!

email us

mirror-broken@tuta[.]io

How to Recover Encrypted Files?

Unfortunately, there are no recovery options available for mrB ransomware. A decryptor was built on flaws in early Dharma samples, but those flaws have since been fixed, so it is no longer effective. Options you can find online, like “professional hackers” or file recovery services, will at best act as an intermediary between you and the hackers. At worst, they will take your money and disappear.

The most effective option for file recovery is a decryptor tool dedicated to the specific ransomware family. Such tools are usually released when a vulnerability in the encryption mechanism is found or when ransomware servers are seized. It may sound unlikely, but 4 such decryptors were released in the first months of 2024. Be patient, do not lose hope, and you will get the files back.

File recovery options

For now, your best…

Source…

UAC-0099 Targets Ukrainian Companies With Lonepage Malware – Gridinsoft Blog


Ukrainian cyberwarfare sees further action as the UAC-0099 threat actor escalates its cyber espionage campaign against Ukrainian firms. Leveraging a severe vulnerability in the popular WinRAR software, the group orchestrates sophisticated attacks to deploy the Lonepage malware, a VBScript-based malware capable of remote command execution and data theft.

UAC-0099 Exploits WinRAR Vulnerability

In its most recent attacks, UAC-0099’s focus on exploiting the WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8) signifies a sophisticated approach to cyberattacks. This high-severity flaw in WinRAR, a widely used file compression tool, lets attackers execute malicious code on unsuspecting systems. The exploit chain also involves rigged self-extracting (SFX) archives and specially crafted ZIP files, designed to bypass traditional security measures and deliver the Lonepage malware directly onto target systems.

Attack Vectors Using WinRAR:

  1. Self-Extracting Archives Deception: Attackers distribute SFX files, which house malicious LNK shortcuts camouflaged as innocuous DOCX documents. These files, using familiar icons like Microsoft WordPad, entice victims into unwittingly executing malicious PowerShell scripts that install Lonepage.
  2. Manipulated ZIP Files: UAC-0099 also employs ZIP archives specifically crafted to exploit the WinRAR flaw. These files are engineered to trigger the vulnerability, illustrating the group’s adeptness at leveraging software weaknesses to their advantage.

WinRAR vulnerability chain

What is UAC-0099?

The UAC-0099 group, first identified by Ukraine’s Computer Emergency Response Team (CERT-UA) in June 2023, primarily targets Ukrainian employees working for international companies. Their tactics, while not technologically groundbreaking, prove effective in compromising critical information from a wide range of state organizations and media entities. Deep Instinct’s recent analysis reveals a disturbing trend: the group’s consistent focus on espionage, endangering not just the organizations, but also the individuals involved.

What is Lonepage Malware?

Lonepage Malware is a sophisticated Visual Basic Script (VBS)-based malware used by…

Source…

Avira Antivirus Security | Mighty Gadget Blog: UK Technology News and Reviews


Avira Antivirus Security is a comprehensive mobile security app for Android devices that offers a variety of features to protect users from potential threats. The app includes real-time protection against malware and phishing attempts, as well as a privacy advisor and anti-theft features. Many people will argue that you don’t need a security solution for …

Source…