Tag Archive for: File

MrB Ransomware (.mrB Files) – Analysis & File Decryption – Gridinsoft Blog


MrB ransomware is a new Dharma ransomware sample, discovered on February 21, 2024. It is distinctive for appending a complex extension to the encrypted files that ends with “.mrB”. This ransomware primarily attacks small corporations and demands a ransom only for decrypting the files, i.e. it does not practice double extortion. Jakub Kroustek was the first to discover and report this ransomware sample.

What is mrB Ransomware?

As I’ve described in the introduction, mrB is a sample of Dharma ransomware, a malware family active since 2016. It is known for adding a long extension to every file it encrypts; the extension consists of the victim ID, the contact email and the extension itself. As a result, an encrypted file name ends up looking like this:

Media1.mp3 → Media1.mp3.id-C3B22A85.[mirror-broken@tuta[.]io].mrB

Files encrypted by mrB ransomware

MrB ransomware encrypts a wide range of file formats, from images and documents to files of specific software suites. After finishing the encryption, it opens a pop-up ransom note in the form of an HTA file, and also drops a readme text file. The latter appears in every folder that contains encrypted files. Below, you can see the contents of both ransom notes.

MrB ransomware note

Contents of the readme text file:

Your data has been stolen and encrypted!

email us

mirror-broken@tuta[.]io

How to Recover Encrypted Files?

Unfortunately, there are no recovery options available for mrB ransomware. Flaws in early Dharma samples were used to build a decryptor, but those flaws have since been fixed, so it is not effective against current samples. Options you can find online, like “professional hackers” or file recovery services, will at best act as an intermediary between you and the attackers. At worst, they will take your money and disappear.

The most effective option for file recovery is a decryptor tool dedicated to the specific ransomware family. Those are usually released when a vulnerability in the encryption mechanism is found, or when ransomware servers are seized. It may sound unlikely to happen, but 4 such decryptors were released in the first months of 2024. Be patient, do not lose hope – and you will get the files back.

File recovery options

For now, your best…

Source…

Opera found a significant security flaw that could have allowed hackers to run any file they want – but it says everything is now fine


UPDATE: Opera has published a response to the reports, claiming that the flaw is no longer active and has been addressed.

“There is no evidence that the vulnerability was ever exploited, and Opera users’ security was never compromised as a result,” it said. “It’s also important to note that, as mentioned above, the vulnerability would require the installation of a malicious add-on in order to work. This would be very hard to accomplish on Opera, because we employ manual review in our add-ons store – another measure we take to protect users.”

Source…

Opera MyFlaw Bug Could Let Hackers Run ANY File on Your Mac or Windows


Jan 15, 2024 | Newsroom | Vulnerability / Browser Security

Opera MyFlaw Flaw

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.

The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team because it takes advantage of a feature called My Flow, which makes it possible to sync messages and files between mobile and desktop devices.

“This is achieved through a controlled browser extension, effectively bypassing the browser’s sandbox and the entire browser process,” the company said in a statement shared with The Hacker News.

The issue impacts both the Opera browser and Opera GX. Following responsible disclosure on November 17, 2023, it was addressed as part of updates shipped on November 22, 2023.

My Flow features a chat-like interface for exchanging notes and files; the files can be opened via a web interface, meaning a file can be executed outside of the browser’s security boundaries.

It is pre-installed in the browser and facilitated by means of a built-in (or internal) browser extension called “Opera Touch Background,” which is responsible for communicating with its mobile counterpart.

This also means that the extension ships with its own manifest file specifying all the required permissions and its behavior, including a property known as externally_connectable that declares which other web pages and extensions are allowed to connect to it.

In the case of Opera, the domains that can talk to the extension should match the patterns “*.flow.opera.com” and “*.flow.op-test.net” – both controlled by the browser vendor itself.

“This exposes the messaging API to any page that matches the URL patterns you specify,” Google notes in its documentation. “The URL pattern must contain at least a second-level domain.”

Guardio Labs said it was able to unearth a “long-forgotten” version of the My Flow landing page hosted on the domain “web.flow.opera.com” using the urlscan.io website scanner.

Opera MyFlaw Bug

“The page itself looks quite the same as the current one in production, but changes lie under the hood: Not only that it…

Source…

NPC Says PhilHealth Hacking Victims Can File Complaint; Warns Against Resharing Of Leaked Data


The National Privacy Commission said people can claim damages if proven affected by the Medusa ransomware attack on the Philippine Health Insurance Corp.

Individuals who had their personal data stolen in the Medusa ransomware attack on the Philippine Health Insurance Corp. (PhilHealth) can file a complaint before the National Privacy Commission.

NPC Public Information and Assistance Division chief Roren Marie Chin said on Tuesday, Oct. 10, people who think their personal data had been compromised in the successful ransomware attack on PhilHealth can file their individual complaint before the commission.

“Individuals affected may file a complaint to NPC and if proven, they can claim damages,” Chin said.

She added their investigation of the complaint would determine the damage claims that can be awarded.

Warning

The NPC has also issued a warning against the resharing of leaked data from the PhilHealth ransomware attack.

“It has come to our attention that the personal data exfiltrated from PhilHealth is being shared illicitly. We want to emphasize the gravity of this situation and the severe consequences that await anyone involved in processing, downloading or sharing this data without legitimate purpose or without authorization,” the NPC said in a statement on Tuesday.

“In unequivocal terms, the NPC issues a stern warning to the public: Any individual or organization found to process, download or share the exfiltrated data from PhilHealth will be held accountable for unauthorized processing of personal information and may face criminal charges,” it stated.

The Privacy Commission emphasized that under Section 25 of the Data Privacy Act of 2012 (DPA), those found guilty of unauthorized processing of personal information will face penalties that include imprisonment for one to three years and a fine ranging from P500,000 to P2 million.

In addition, unauthorized processing of sensitive personal information carries even more substantial penalties, particularly imprisonment for three to six years and a fine ranging from P500,000 to P4 million.

“Sharing such leaked data exposes affected individuals to a range of risks, including identity…

Source…