PSCrypt ransomware: back in business

PSCrypt is ransomware first discovered last year, in 2017, targeting users and organisations alike in Ukraine; the malware itself is based on GlobeImposter ("GI") ransomware.

I've written about PSCrypt in the past, when it was distributed via Crystal Finance Millennium's hacked website: Crystal Finance Millennium used to spread malware.

In this ...
Vietnamese ransomware wants you to add credit to a mobile phone

In this quick blog post we'll have a look at BKRansomware, a Vietnamese ransomware that wants you to top up its phone.

Update 2018-05-06: scroll down for the update, added to the conclusion.

Analysis

This ransomware is named "BKRansomware" based on the file name and debug path. Properties:

MD5: 892da86e60236c5aaf26e5025af02513
SHA1: 6f36c02161a83a3683921fc73319474157f4fb92
SHA256: c23f695a19346bf3a5b21fb5a281771808953930d8dcb0a359f163ba0329305f
Compilation timestamp: 2018-05-03 ...
Ransomnix ransomware variant encrypts websites

Ransomnix is a (supposedly Jigsaw, but not really) ransomware variant that holds websites for ransom and encrypts any files associated with the website.

This ransomware was discovered in the second half of 2018, and there's a brief write-up by Amigo-A here as well: Ransomnix ransomware.

In this blog post, we'll discuss a ...
Satan ransomware adds EternalBlue exploit

Today, MalwareHunterTeam reached out to me about a possible new variant of Satan ransomware.

Satan ransomware itself has been around since January 2017, as reported by Bleeping Computer.

In this blog post we'll analyse a new version of the infamous Satan ransomware, which since November 2017 has been using the EternalBlue exploit ...
This is Spartacus: new ransomware on the block

In this blog post, we'll analyse Spartacus, one of many new ransomware families popping up in 2018.

Analysis

This instance of Spartacus ransomware has the following properties:

MD5: 25dee2e70c931f3fa832a5b189117ce8
SHA1: a01294ffd541229718948e17f791694efb596123
SHA256: ef25bdbcf05fa478df3ddc5f4f717c070e443da04cfc590d44409c815f237cb3
Compilation timestamp: 2018-01-19 20:36:44
VirusTotal report: ef25bdbcf05fa478df3ddc5f4f717c070e443da04cfc590d44409c815f237cb3

Figure 1 - Spartacus ransomware message

The message reads:

All your files have been encrypted due to a security problem with ...
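The BKRansomware and Spartacus entries above both list the same sample properties: MD5, SHA1, SHA256 and a "compilation timestamp". As an added example (not code from the blog or from any of the malware analysed), the script below shows where those values come from: the three hashes are computed over the whole file, and the timestamp is the TimeDateStamp field of the COFF file header inside the PE. To run offline it builds a constructed, minimal PE header stub (an assumption of this example, not a real executable or any of the samples above) carrying the Spartacus timestamp quoted in the entry; point pe_properties() at real file bytes to get the same fields for an actual sample.

```python
import hashlib
import struct
from datetime import datetime, timezone


def pe_properties(data: bytes) -> dict:
    """Return the sample properties quoted in the write-ups above:
    MD5/SHA1/SHA256 of the whole file plus the COFF TimeDateStamp rendered
    as a UTC 'compilation timestamp'.  Raises ValueError for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    # e_lfanew (offset 0x3C of the DOS header) points at the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE\\0\\0 signature)")
    # COFF file header directly after the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    machine, nsections, timestamp, _, _, _, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": hex(machine),
        "sections": nsections,
        "compile_timestamp": compiled.strftime("%Y-%m-%d %H:%M:%S"),
    }


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal PE header (assumption of this example: just enough
    structure for pe_properties(); it is not a runnable executable and not one
    of the samples discussed) with a chosen TimeDateStamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> offset 0x40
    # IMAGE_FILE_MACHINE_I386, one section, chosen timestamp, no symbols,
    # no optional header, Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


# 2018-01-19 20:36:44 UTC, the compilation timestamp quoted for Spartacus.
SPARTACUS_TIMESTAMP = 1516394204
SAMPLE = build_stub_pe(SPARTACUS_TIMESTAMP)

if __name__ == "__main__":
    for key, value in pe_properties(SAMPLE).items():
        print(f"{key}: {value}")
```

Two caveats a practitioner should keep in mind when quoting these fields: the hashes identify exactly this file and nothing else, so a recompiled or repacked variant will have a different triplet, and TimeDateStamp is a plain 32-bit integer the author controls, so a compilation timestamp is a hint about when a sample was built, not proof of it.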
CryptoWire ransomware not dead

CryptoWire is an "open-source" ransomware written in the AutoIt scripting language, and has been around since 2016. For some background, read the following post on Bleeping Computer: "Proof of Concept" CryptoWire Ransomware Spawns Lomix and UltraLocker Families.

I already encountered a CryptoWire variant last year, when it was used to target users ...
Maktub ransomware: possibly rebranded as Iron

In this post, we'll take a quick look at a possible new ransomware variant, which appears to be the latest version of Maktub ransomware, also known as Maktub Locker.

hasherezade from Malwarebytes has, as per usual, written an excellent blog on Maktub Locker in the past, if you wish to learn ...
Fake Steam Desktop Authenticator steals account details

In this blog post, we'll have a quick look at fake versions of Steam Desktop Authenticator (SDA), which is a "desktop implementation of Steam's mobile authenticator app".

Lava from SteamRep brought to my attention a fake version of SDA floating around, which may be attempting to steal your Steam ...

Malware Analysis, Threat Intelligence and Reverse Engineering: workshop slides

Last month, when I was between jobs, I gave a workshop for a group of 20 to 25 enthusiastic women, all either starting in infosec or interested in starting in this field.

The event, now obviously expired, can be found here: CWF Women in Cyber Event #1: Malware Fundamentals.

For that purpose, I ...

Quickpost: SteamStealers via Github

Back in 2014, I created a blog post named 'Malware spreading via Steam chat', where I analysed and discussed one of the first 'SteamStealers': malware that exclusively targets gamers, or at least those who use Steam. You can read that blog post here.

Another SteamStealer technique was via a ...