ransomware trilogy condensed...asiq.org ransomware lands – (trilogy condensed) crypto wars defense...
Post on 10-Jul-2020
ASIQ.ORG
RansomWare Lands – (TRILOGY Condensed)
Crypto Wars Defense Strikes Back
Futures Weird Awakens
“You could spend a fortune purchasing technology and services, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”
— Kevin Mitnick
by >_Franck Desert
>_Get-TRILOGY
NOD – Attack - Cryptos GDI – Defense - Decipher SCRIN – Future - Skynet
The 3 biggest security threats of 2016
1. Data breaches 2. Ransomware 3. Browser plug-ins
>_About-FD
(career timeline slide: 6 years, 6 years, 8 years, 5 years, 4 years)
>_Get-RansomWare?
Broadly speaking, ransomware is malicious software designed either to lock a victim's screen (locker ransomware) or to encrypt their files (crypto-ransomware). A successful infection lets criminals demand payment from the victim, generally in Bitcoin (pseudonymous rather than truly anonymous), in exchange for restoring access. Nearly all families use the Tor network to hide their command-and-control and payment sites. Two vendor definitions sum it up: “Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back.” - Trend Micro
“Ransomware is designed for direct revenue generation. The four most prevalent direct revenue-generating risks include misleading apps, fake antivirus scams, locker ransomware, and crypto-ransomware.” - Symantec
>_Set-Evolution
Locker ransomware denies access to the infected host and extorts the victim for money in exchange for "unlocking" it. Such variants are quite popular among mobile ransomware families. The first mobile families of this type "locked" the device by constantly bringing the ransom window to the foreground in an infinite loop, whereas newer variants often try to gain device-administrator privileges in order to set the phone's PIN lock.
Fake AVs, also known as rogue security software, are programs that "warn" the user about malware that has allegedly already infected the host and can only be removed by purchasing the fake security product. While many fake AVs are harmless (just annoying) and can be classed as PUA (Potentially Unwanted Applications), some variants are becoming more aggressive, leaving no choice other than purchasing the "AV", and in practice behave as locker ransomware.
Crypto-ransomware is currently the most common type in the wild. Such variants encrypt data on the infected host and demand a ransom in exchange for decrypting it. The data can come from every drive letter on the PC, including removable drives, network shares and even Dropbox mappings. The malware also deletes the Volume Shadow Copies so that the encrypted files cannot be restored from them.
MBR overwriters are a more recent type: they prevent the operating system from booting by overwriting the MBR (Master Boot Record). The consequences are similar to those of locker ransomware, but the mode of operation is more sophisticated (e.g. Petya).
Data wipers are an additional type that has recently gained popularity among attackers. Data-wiping variants render all data on a hard drive unreadable and demand a ransom for "recovering" the wiped data rather than for decrypting it.
Hybrid ransomware are the most aggressive variants, using every available means to maximize profit. Such families may combine banking-Trojan capabilities with worm-style spreading. IoT exploitation is yet another destructive capability available to attackers: at the last DEF CON, the security firm Pen Test Partners demonstrated a PoC ransomware for a smart thermostat. Such ransomware could set extreme temperatures, waste vast amounts of power and even cause physical damage unless the ransom is paid.
Doxware is the newest type in the wild (as we predicted a few months ago in our ransomware white paper). "Doxxing" (from "dox", i.e. documents) means gathering and publishing information about a person or organization for the purpose of extortion, harassment or shaming. Also known as "extortionware", doxware threatens to publish the victim's sensitive data unless the ransom is paid, rather than merely encrypting it. The data could be private photos, fake/real subscriptions (e.g. the mobile doxware variant Ackposts) or confidential documents collected from end users or businesses (e.g. the Windows doxware variant Chimera).
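The shadow-copy deletion described above is one of the best early-warning signals a defender has, because it is loud and happens before the encryption starts. The following is an added example, not code from the presentation: it scans constructed, Sysmon-style process-creation records for the commands crypto-ransomware runs to destroy local recovery options, and escalates any host that runs several of them within a minute. The log format, field names, sample lines and rule set are assumptions made for the example.

```python
"""Detect the 'kill the backups' stage of crypto-ransomware in process-creation logs.

Added example for this page (not code from the presentation). Before encrypting,
most crypto-ransomware families delete Volume Shadow Copies, disable Windows
recovery and wipe backup catalogs so the victim cannot restore. A single such
command is worth an alert; a host running two or more within a minute is a
strong pre-encryption signal. Log format, field names and sample lines are
constructed for this example.
"""
import re
from datetime import datetime

# Rule name -> regex applied to the lower-cased command line.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
]

# Simplified, Sysmon-like process-creation record: one per line (assumed format).
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+cmdline="(?P<cmdline>.*)"\s*$'
)

# Constructed sample: WS01 shows the classic burst, SRV02 shows a lone admin cleanup.
SAMPLE_LOG = r"""
2017-05-12T10:01:02Z host=WS01 user=CORP\alice parent=explorer.exe image=vssadmin.exe cmdline="vssadmin.exe list shadows"
2017-05-12T10:01:09Z host=WS01 user=CORP\alice parent=cmd.exe image=vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"
2017-05-12T10:01:10Z host=WS01 user=CORP\alice parent=cmd.exe image=wmic.exe cmdline="wmic shadowcopy delete"
2017-05-12T10:01:11Z host=WS01 user=CORP\alice parent=cmd.exe image=bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"
2017-05-12T10:01:12Z host=WS01 user=CORP\alice parent=cmd.exe image=wbadmin.exe cmdline="wbadmin delete catalog -quiet"
2017-05-12T11:00:00Z host=SRV02 user=CORP\backupsvc parent=services.exe image=wbadmin.exe cmdline="wbadmin start backup -backupTarget:E: -include:C: -quiet"
2017-05-12T11:30:00Z host=SRV02 user=CORP\admin parent=mmc.exe image=vssadmin.exe cmdline="vssadmin delete shadows /for=D: /oldest"
"""


def parse_line(line):
    """Return the record as a dict (with a datetime 'ts'), or None if the line is not a record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def match_rules(cmdline):
    """Names of every rule that fires on this command line."""
    low = cmdline.lower()
    return [name for name, rx in RULES if rx.search(low)]


def scan(lines):
    """One alert per (record, rule) pair, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in match_rules(rec["cmdline"]):
            alerts.append({"rule": rule, "ts": rec["ts"], "host": rec["host"],
                           "user": rec["user"], "parent": rec["parent"],
                           "cmdline": rec["cmdline"]})
    return alerts


def triage(alerts, window_seconds=60, min_rules=2):
    """Hosts on which >= min_rules distinct rules fired inside one window -> max distinct count."""
    by_host = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host.setdefault(a["host"], []).append(a)
    suspects = {}
    for host, hits in by_host.items():
        best = 0
        for i, first in enumerate(hits):
            in_window = {h["rule"] for h in hits[i:]
                         if (h["ts"] - first["ts"]).total_seconds() <= window_seconds}
            best = max(best, len(in_window))
        if best >= min_rules:
            suspects[host] = best
    return suspects


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f'{a["ts"]:%H:%M:%S} {a["host"]:6} {a["rule"]:32} {a["cmdline"]}')
    print("escalate:", triage(found))
```

The single `vssadmin delete shadows` on SRV02 still produces an alert, which is correct: an administrator does occasionally run it. The burst on WS01, with `cmd.exe` as the parent and four distinct recovery-killing commands in three seconds, is what the `triage` step escalates, and is the point at which the network should be pulled rather than a ticket opened.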
The first one – December 1989: AIDS, also known as Aids Info Disk or PC Cyborg Trojan, is a trojan horse that replaces the AUTOEXEC.BAT file, which AIDS then uses to count the number of times the computer has booted. Once the boot count reaches 90, AIDS hides directories and encrypts the names of all files on drive C: (rendering the system unusable), at which point the user is asked to 'renew the license' and contact PC Cyborg Corporation for payment, which involved sending US$189 to a post office box in Panama. More than one version of AIDS exists, and at least one does not wait to munge drive C: but hides directories and encrypts file names on the first boot after AIDS is installed.
>_Get-RetroCrypto
>_Get-Families
>_Get-Top2016
10. CryptoWall 9. SamSam 8. Jigsaw 7. Chimera 6. Petya and Mischa 5. Cerber 4. CryLocker 3. HDDCryptor 2. TeslaCrypt 1. Locky
>_Get-ModusOperandi
Locky
>_Get-ModusOperandi
1. Ransomware? This is no longer a new kind of malware. Over the past 3-4 years, ransomware has made a damaging impact not just on individuals but on corporations, big and small.
2. WannaCry is no different from the rest of the ransomware we see today: it infects the computer, encrypts files and documents, demands a ransom in bitcoins and, once the ransom is paid, supposedly releases the files.
3. What is special about WannaCry? It uses the “ETERNALBLUE” exploit, which targets an SMB vulnerability.
4. “ETERNALBLUE” is an NSA exploit leaked by the Shadow Brokers in April 2017.
5. The massive scale of the attack is because most users had not patched their Windows systems. The exploit uses a vulnerability in the SMBv1 server fixed by MS17-010 (KB4013389).
>_Get-RaaS
Tox was one of the first Ransomware-as-a-Service kits. To create a custom ransomware sample with Tox, an interested party simply registers, for free, on a purpose-built Tor site. Building crypto-malware with Tox is a three-step experience: the affiliate sets the ransom amount, enters the text of the ransom note to be displayed to victims, and types a verification code. The service then produces an executable disguised as a 2 MB .SCR file, an obfuscation that lets the ransomware fly under the radar of most antivirus suites. The Tox affiliate dashboard tracks the number of infected PCs and total profit in real time.
As opposed to Tox, the FAKBEN ransomware kit is not free: those who want to try their hand at digital extortion with the notorious Cryptolocker Trojan pay a $50 opening fee. The service provides an extensive range of customizable ransomware properties. The criminals on the so-called FAKBEN Team earn 10% of the ransoms and the affiliates get the rest. The administrative panel keeps track of the number of infected machines and the Bitcoin ransoms submitted. The operators also upsell additional services such as distribution of the ransomware loader through exploit kits, which compromise users via unpatched software vulnerabilities.
The creator of Encryptor RaaS uses the Tor anonymity network to avoid attribution. The fee for the kit is 5% of the gross revenue generated by an affiliate; ransoms are payable in Bitcoin as usual. The distributor can set the payment deadline and the price for decryption before and after the timeout. Each customer gets a unique Bitcoin address that acts as an identifier throughout the campaign. The publisher handles payment processing, pays affiliate commissions and provides the decryption tool; how the program is spread is up to the customer.
>_Get-RaaS
Hidden Tear is the only kit on the list that was originally intended to be benign. Devised by Utku Sen, a malware researcher from Turkey, it is an educational project that demonstrates how ransomware works. The author posted the open-source code on GitHub so that anyone interested could understand the anatomy of a ransomware attack. Hidden Tear uses the AES block cipher to encrypt data, has a loader of only 12 KB and features antivirus-evasion capabilities. Cybercrime actors, unfortunately, used this kit to build real-world ransomware: more than 20 malicious spin-offs of Hidden Tear have appeared since November 2015, including Linux.Encoder, Cryptear.B and Trojan-Ransom.MSIL.Tear.
To obtain a ZIP file with the ransomware binary from the ORX Locker kit, the customer signs up for the service, enters a 5-digit build ID and defines an unlock price of at least $75. Having encrypted the victim's personal files, the Trojan stealthily downloads a Tor client in order to communicate securely with its command-and-control. An interesting trait of this RaaS is that ransom payments are collected and processed by a third party that distributes the shares according to the prior agreement between the author and the affiliate. Most popular AV suites do not detect ORX because it heavily obfuscates its malicious behaviour.
Ransom32 stands out from the crowd because it is the kit behind the first known JavaScript ransomware. All it takes to join this underground service is to enter a Bitcoin address on the authentication screen and customize the malware. The admin panel lets the affiliate define the ransom size, enter the ransom warning and optionally configure the Trojan to have only a mild effect on the target system's performance while it encrypts files with AES-128. The developer takes 25% of the ransom payments.
The 22 MB self-extracting WinRAR package is the downside of Ransom32. However, since it is written in JavaScript it is cross-platform and can potentially infect Windows, Mac and Linux computers alike.
>_Get-SurveyTrends
>_Add-Shocking 10 shocking ransomware stats: 54% of UK companies hit by ransomware attacks
• 40% attacked
• 54% of UK companies hit
• 58% of UK companies pay up
• 28% lost files
• 34% lost money
• 9 hours spent on remediation
• 60% demand over $1,000
• 3.5% fear loss of life
• 63% experienced severe downtime
• 4% confident in dealing with ransomware
• One in five were either not confident at all or only minimally confident in their ability to deal with ransomware.
• A company is hit with ransomware every 40 seconds
>_Get-Mobile
Judy Malware: Not As Big As WannaCry But Still a Threat on Android
>_Get-Predicat What's next? The popularity of ransomware is not going to decline anytime soon. Sold on the dark web as CaaS (Crime as a Service), easy to operate and distribute, ransomware has become accessible to any inexperienced attacker. Furthermore, ransomware has proved its efficiency and potential for large-scale profit in several major attacks on hospitals, financial institutions and even an electric and water utility. Attackers are therefore expected to target more businesses, which are more likely than private users to pay large sums. In our latest white paper on ransomware we predicted that we would start seeing ransomware focusing on data collection rather than data encryption, and we hit the mark.
• 6 in 10 malware payloads were ransomware in Q1 2017
• There were 4.3x as many new ransomware variants in Q1 2017 as in Q1 2016
• 15% or more of businesses in the top 10 industry sectors have been attacked
• 71% of companies targeted by ransomware attacks have been infected
• Phishing emails carrying ransomware dropped nearly 50% in Q1 2017
• Global ransomware damages are predicted to exceed $5 billion in 2017
>_Get-Top2017
February 2017 - A new app claims to have login data for leaked Netflix accounts, giving users free access. What you actually get is fake account credentials while your data is encrypted in the background: DynA-Crypt ransomware.
January 2017 - Spora ransomware gives its victims the option to pay just for file decryption, or to pay more for immunity against future attacks.
March 2017 - Cryptolocker had been pretty quiet for the past 6 months but it is back, jumping from a handful of infections per day to over 400 per day.
April 2017 - The IT director of a private school reported that after getting hit with Samas ransomware, their entire Veeam backup repositories were wiped out as a result.
May 2017 - Fatboy RaaS (ransomware-as-a-service) uses the Big Mac index from The Economist to determine how much ransom to ask for. The WannaCry ransomware worm took the world by storm in mid-May, starting with attacks on vulnerable SMB services at railways, telcos, universities, the UK's NHS and so on. In all, the strain infected over 300,000 computers in over 150 countries, making the criminals about $90,000, which is really not that much for the number of infections.
June 2017 - NotPetya was the new worldwide ‘ransomware’ attack following May's WannaCry outbreak, hitting targets in Spain, France, Ukraine, Russia and other countries.
Ransomware – a specialized form of malware that encrypts files and renders them inaccessible until the victim pays a ransom – is an extremely serious problem and it’s quickly getting worse. The FBI estimated that ransomware payments were $1 billion in 2016, up from “just” $24 million a year earlier. 2017 will likely see another dramatic increase in extortion payments with tens of thousands of ransomware victims paying several hundred dollars each to recover their encrypted files. In some instances, the ransom is larger, such as South Korean web hosting company Nayana, which paid 397.6 Bitcoin (about $1 million) in June 2017 and Hollywood Presbyterian Medical Center, which paid $17,000 in Bitcoin in February 2016.
>_Get-Wallet @actual_ransom
>_Get-WTF
>_Add-Dream >_Set-Wink
>_Set-Hunter
Time from execution to ransom notification: Chimera: 18 seconds; Petya: 27 seconds; TeslaCrypt 4.0: 28 seconds; CTB-Locker: 45 seconds; TeslaCrypt 3.0: 45 seconds; Virlock: 3 minutes; CryptoWall: 16 minutes.
Thanks to research from Invincea, we can see that Locky is also a member of this club, clocked at just 54 seconds between execution and notification.
>_Get-Mitigation
Educate: from business people to the man in the street, everyone falls victim to ransomware through negligence. If something is to be brought under control, spreading awareness is essential: educate people on the what, why, how and where of ransomware.
Patch: update all software regularly: operating systems, network devices, mobile phones, anti-virus and anti-spyware products and the other applications on the computers. Patching closes the holes that malicious intrusions use.
Access controls: access to resources must be designed so that nobody other than the intended user can read or write files and resources. This helps to avoid both infection and data breach.
Privileges: applications must be designed with privilege-based access, granting each resource only its assigned access options; left unattended, this leads to easy privilege escalation and misuse of data. Give every user the minimum privilege required.
Backup: a proper backup mechanism must be mandatory, with backups taken at regular intervals. Backups must be stored in a separate location so that an infection of the working network cannot reach the backup system. Backups must be checked for damage, so that you can rely on them and are prepared for any critical situation.
Restoration plans: systems can be checked for restore options that return them to a previous functional state. Those who cannot afford powerful backups, or who do not trust their backups, can opt for restoration plans.
Best practices:
• Use live, actively updated anti-virus that detects and cleans malware.
• Organizations with RDP, VPN, proxies and servers must apply stronger IT security standards to them.
• Apply standard configurations to firewalls.
• Understand that data synchronization and backup are different processes. A backup keeps a separate copy of your data on different hardware, whereas sync pushes the current state of an application to every other device or browser: if one synced copy is corrupted, the data on every device is lost or made inaccessible.
• Be cautious before clicking any hyperlink; check whether the mail comes from a legitimate source.
• Use separate browsers for general surfing and for critical work such as transactions.
• Bookmark every page you use frequently, so as to avoid phished websites.
• Enable the pop-up blocker on all browsers to prevent URL redirection attacks, where the page contains maliciously crafted content.
• Implement spam filtering of email.
• In addition to links and mails, strictly avoid attachments from unexpected senders; they can run and infect your system.
• Avoid pirated software and downloads from unauthorized websites. Use legitimate software.
>_Get-SurvivalKit Ransomware survival checklist
• Do you have up-to-date antivirus installed on your endpoints?
• Do you have behavior-based endpoint protection installed that can stop attacks antivirus can't?
• Are you using an automated patch management system? If not, do you have an organized method of discovering, evaluating, and deploying software updates?
• Have you conducted security awareness training for your users, with an emphasis on identifying potential phishing emails and reporting any suspicious or unusual activity as soon as possible?
• If possible, have you disabled Microsoft Office macros?
• Do you understand how an attack can spread through shared network drives?
• Have you limited user access and privileges to the bare minimum they need to do their jobs?
• Do you have backups on their own separate network?
• Do you have an up-to-date inventory of the backup recovery point objective (RPO) and recovery time objective (RTO) for all your workstations and servers?
• Do you have a schedule for regularly testing your backups?
• Have you conducted a risk assessment to identify and assign value to your organization's critical data assets?
• Do you know your cost of downtime? Figuring this out will help you put a dollar amount on keeping your systems up and ransomware-free.
>_Get-Backup Backup. Backup. Backup. (the slide repeats the word "Backup" across the whole screen)
>_Get-Trackers 486 different ransomware families tracked at: https://id-ransomware.malwarehunterteam.com/ AND
https://ransomwaretracker.abuse.ch/tracker/ AND https://www.cryptowalltracker.org/
4rw5w, 777, 7ev3n, 7h9r, 7zipper, 8lock8, AAC, ABCLocker, ACCDFISA v2.0, AdamLocker, AES_KEY_GEN_ASSIST, AES-Matrix, AES-NI, AES256-06, Al-Namrood, Al-Namrood 2.0, Alcatraz, Alfa, Alma Locker, Alpha, AMBA, Amnesia, Amnesia2, AnDROid, AngryDuck, Anubis, Apocalypse, Apocalypse (New Variant), ApocalypseVM, ApolloLocker, ArmaLocky, ASN1 Encoder, AutoLocky, AxCrypter, aZaZeL, BadBlock, BadEncript, Bam!, BandarChor, Bart, Bart v2.0, BitCrypt, BitCrypt 2.0, BitCryptor, BitKangoroo, Bitpaymer, Bitshifter, BitStak, Black Feather, Black Shades, Blackout, Blocatto, BlockFile12, Blooper, Booyah, BrainCrypt, Brazilian Ransomware, BrickR, BTCamant, BTCWare, BTCWare Aleta, BTCWare Gryphon, BTCWare Master, Bubble, Bucbi, BuyUnlockCode, Cancer, Cerber, Cerber 2.0, Cerber 3.0, Cerber 4.0 / 5.0, CerberTear, Chimera, ChinaYunLong, CHIP, ClicoCrypter, Clouded, CockBlocker, Coin Locker, CoinVault, Comrade Circle, Conficker, Coverton, CradleCore, Cripton, Cry128, Cry36, Cry9, Cryakl, CryFile, CryLocker, CrypMic, CrypMic, Crypren, Crypt0, Crypt0L0cker, Crypt12, Crypt38, CryptConsole, CryptFuck, CryptInfinite, CryptoDefense, CryptoDevil, CryptoFinancial, CryptoFortress, CryptoGod, CryptoHasYou, CryptoHitman, CryptoJacky, CryptoJoker, CryptoLocker3, CryptoLockerEU, CryptoLuck, CryptoMix, CryptoMix Revenge, CryptoMix Wallet, CryptON, Crypton, CryptorBit, CryptoRoger, CryptoShield, CryptoShocker, CryptoTorLocker, CryptoViki, CryptoWall 2.0, CryptoWall 3.0, CryptoWall 4.0, CryptoWire, CryptXXX, CryptXXX 2.0, CryptXXX 3.0, CryptXXX 4.0, CryPy, CrySiS, Crystal, CTB-Faker, CTB-Locker, Damage, DarkoderCryptor, DCry, DCry 2.0, Deadly, DEDCryptor, Defray, DeriaLock, Dharma (.cezar), Dharma (.dharma), Dharma (.onion), Dharma (.wallet), Digisom, DilmaLocker, DirtyDecrypt, DMA Locker, DMA Locker 3.0, DMA Locker 4.0, DMALocker Imposter, Domino, Done, DoNotChange, Dviide, DXXD, DynA-Crypt, eBayWall, ECLR Ransomware, EdgeLocker, EduCrypt, El Polocker, EnCrypt, EncrypTile, EncryptoJJS, Encryptor RaaS, 
Enigma, Enjey Crypter, EnkripsiPC, Erebus, Evil, Executioner, Exotic, Extractor, Fabiansomware, Fadesoft, Fantom, FartPlz, FCPRansomware, FenixLocker, Fenrir, FindZip, FireCrypt, Flatcher3, FLKR, Flyper, FrozrLock, FS0ciety, FuckSociety, FunFact, GC47, GhostCrypt, Globe, Globe (Broken), Globe3, GlobeImposter, GlobeImposter 2.0, GOG, GoldenEye, Gomasom, GPAA, GPCode, GX40, Hacked, HadesLocker, HappyDayzz, HDDCryptor, Heimdall, HellsRansomware, Help50, HelpDCFile, Herbst, Hermes, Hermes 2.0, Hi Buddy!, HiddenTear, HollyCrypt, HolyCrypt, Hucky, HydraCrypt, IFN643, ImSorry, InfiniteTear, iRansom, Ishtar, Israbye, Jack.Pot, Jaff, Jager, JapanLocker, JeepersCrypt, Jigsaw, Jigsaw (Updated), JobCrypter, JuicyLemon, Kaenlupuf, Karma, Karmen, Karo, Kasiski, KawaiiLocker, Kee Ransomware, KeRanger, KeyBTC, KEYHolder, KillerLocker, KimcilWare, Kirk, Kolobo, Kostya, Kozy.Jozy, Kraken, KratosCrypt, Krider, Kriptovor, KryptoLocker, L33TAF Locker, Lalabitch, LambdaLocker, LeChiffre, LightningCrypt, LLTP, LMAOxUS, Lock2017, Lock93, LockBox, LockCrypt, Locked_File, Locked-In, LockedByte, LockLock, Lockout, Locky, Lortok, LoveServer, LowLevel04, MafiaWare, Magic, Maktub Locker, Marlboro, MarsJoke, Matrix, Maykolin, Maysomware, Meteoritan, Mikoyan, MirCop, MireWare, Mischa, MMM, MNS CryptoLocker, Mobef, MoonCrypter, MOTD, MoWare, MRCR1, Mystic, n1n1n1, NanoLocker, NCrypt, NegozI, Nemucod, Nemucod-7z, Nemucod-AES, Netix, NewHT, Nhtnwcuf, NM4, NMoreira, NMoreira 2.0, NotAHero, Nuke, NullByte, NxRansomware, ODCODC, OhNo!, OoPS, OopsLocker, OpenToYou, OzozaLocker, PadCrypt, Paradise, PayDay, PaySafeGen, PClock, PClock (Updated), PEC 2017, Pendor, Petna, Philadelphia, Pickles, PopCornTime, Potato, PowerLocky, PowerShell Locker, PowerWare, Pr0tector, PrincessLocker, PrincessLocker 2.0, Project34, Protected Ransomware, PshCrypt, PyCL, PyL33T, QuakeWay, R980, RAA-SEP, Radamant, Radamant v2.1, Radiation, Random6, RanRan, RanRans, Rans0mLocked, RansomCuck, Ransomnix, RansomPlus, RarVault, Razy, 
REKTLocker, RemindMe, RenLocker, RensenWare, Reyptson, Roga, Rokku, RoshaLock, RotorCrypt, Roza, RSA2048Pro, RSAUtil, Ruby, Russian EDA2, SADStory, Sage 2.0, Salsa, SamSam, Sanction, Sanctions, Satan, Satana, Scarab, SerbRansom, Serpent, ShellLocker, Shifr, Shigo, ShinigamiLocker, ShinoLocker, Shujin, Shutdown57, Sifreli, Simple_Encoder, Skull Ransomware, Smrss32, SnakeLocker, SNSLocker, SoFucked, Spectre, Spora, Sport, SQ_, Stampado, Storm, Striked, Stupid Ransomware, SuperCrypt, Surprise, SynAck, SyncCrypt, SZFLocker, Team XRat, Telecrypt, TeslaCrypt 0.x, TeslaCrypt 2.x, TeslaCrypt 3.0, TeslaCrypt 4.0, TeslaWare, TheDarkEncryptor, TowerWeb, ToxCrypt, Trojan.Encoder.6491, Troldesh / Shade, TrueCrypter, TrumpLocker, UCCU, UIWIX, Ukash, UmbreCrypt, UnblockUPC, Ungluk, Unknown Crypted, Unknown Lock, Unknown XTBL, Unlock26, Unlock92, Unlock92 2.0, UserFilesLocker, USR0, Uyari, V8Locker, VaultCrypt, vCrypt, VenisRansomware, VenusLocker, ViACrypt, VindowsLocker, VisionCrypt, VMola, Vortex, VxLock, WannaCry, WannaCry.NET, WannaCryOnClick, WhatAFuck, WildFire Locker, WininiCrypt, Winnix Cryptor, WinRarer, WonderCrypter, Wooly, X Locker 5.0, XCrypt, XData, Xorist, Xort, XRTN, XTP Locker 5.0, XYZWare, YouAreFucked, YourRansom, Yyto, zCrypt, Zekwacrypt, ZeroCrypt, ZeroRansom, Zilla, ZimbraCryptor, ZinoCrypt, ZipLocker, Zyklon
>_Get-SurvivalKit You have done your backup as on the previous slide. TODO when a ransomware attack hits, or the attacker is already inside (in most cases the process has already obtained NT AUTHORITY\SYSTEM privileges):
• Cut all network access from the infected laptop or desktop.
• Try the available decryptors, if you are lucky enough that the key for your family has been recovered.
• Restore the host from a gold image (since the malware ran as NT AUTHORITY\SYSTEM, the host cannot be trusted to be cleaned in place).
• Run a full antivirus scan on the backups before restoring them!
• Restore YOUR SUPER BACKUP.
• Update the anti-malware on the machine first, and run a full scan again.
• Update the host without delay; for the applications use https://ninite.com
• Block the domain, if known, in your hosts file, or consult the tracker site.
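The mitigation slide says backups must be checked for damage, and the survival kit says to scan them before restoring. The following is an added example, not code from the presentation, of the integrity side of that check: every file in a backup set is recorded in a manifest that is sealed with an HMAC whose key is kept off the backup host (an attacker who can encrypt the backups can also rewrite a manifest stored next to them); verification then reports missing, corrupted and unexpected files, and separately flags corrupted files whose new content is near-random, which is what a backup that was itself encrypted looks like. The directory layout, sample files, entropy threshold and key are constructed for the example.

```python
"""Backup manifest with an out-of-band HMAC seal, plus an 'already encrypted?' check.

Added example for this page (not code from the presentation). Records size and
SHA-256 of every file in a backup set, seals the manifest with HMAC-SHA256 under
a key that must live off the backup host, and at verification time reports
missing / corrupted / unexpected files. Corrupted files whose new content has
near-maximal Shannon entropy are flagged separately as probably encrypted.
Sample files, key and threshold are constructed for this example.
"""
import hashlib
import hmac
import json
import math
import tempfile
from collections import Counter
from pathlib import Path

# Constructed: in practice generate once and keep it away from the backup host.
SEAL_KEY = b"example-manifest-key-keep-me-offline"


def shannon_entropy(data):
    """Bits per byte: ~8.0 for encrypted or compressed data, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map relative POSIX path -> {size, sha256} for every regular file under root."""
    root = Path(root)
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            entries[p.relative_to(root).as_posix()] = {
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            }
    return entries


def seal(entries, key=SEAL_KEY):
    """HMAC-SHA256 over the canonical JSON encoding of the manifest."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_seal(entries, tag, key=SEAL_KEY):
    """Constant-time check that the manifest has not been edited since sealing."""
    return hmac.compare_digest(seal(entries, key), tag)


def verify_backup(root, entries, entropy_threshold=7.0):
    """Compare the backup set on disk against the (already seal-verified) manifest."""
    current = build_manifest(root)
    problems = {"missing": [], "corrupted": [], "unexpected": [], "looks_encrypted": []}
    for rel, meta in entries.items():
        if rel not in current:
            problems["missing"].append(rel)
        elif current[rel]["sha256"] != meta["sha256"]:
            problems["corrupted"].append(rel)
            if shannon_entropy((Path(root) / rel).read_bytes()) >= entropy_threshold:
                problems["looks_encrypted"].append(rel)
    problems["unexpected"] = sorted(rel for rel in current if rel not in entries)
    return problems


def _pseudo_random(n, seed=b"seed"):
    """Deterministic high-entropy bytes standing in for ciphertext in the demo."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def run_demo():
    """Build and seal a small backup set, then damage it the way ransomware would."""
    root = Path(tempfile.mkdtemp(prefix="backup_"))
    (root / "finance").mkdir()
    (root / "finance" / "q1.csv").write_bytes(b"quarter,revenue\nQ1,1200\n" * 50)
    (root / "notes.txt").write_bytes(b"meeting notes, nothing secret here\n" * 40)
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 512)

    entries = build_manifest(root)
    tag = seal(entries)
    clean = verify_backup(root, entries)

    # Simulated damage: one file encrypted in place, one deleted, a ransom note
    # dropped, and the manifest edited to hide the deletion.
    (root / "finance" / "q1.csv").write_bytes(_pseudo_random(4096))
    (root / "logo.png").unlink()
    (root / "HOW_TO_RESTORE.txt").write_bytes(b"pay us\n")
    forged = {k: v for k, v in entries.items() if k != "logo.png"}

    return {
        "clean": clean,
        "seal_ok": verify_seal(entries, tag),
        "forged_seal_ok": verify_seal(forged, tag),
        "damaged": verify_backup(root, entries),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The entropy flag is a heuristic: legitimately compressed or encrypted archives also score near 8 bits per byte, so it is there to decide what an analyst scans first, not to replace the antivirus pass the checklist calls for. The seal is the part that matters most: a manifest that verifies against the files beside it proves nothing if both could be rewritten by the same process.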
>_Get-NoMoreRansom
>_Set-CompanyTools
Program Name | Free | Beta | Ransomware | Real-time Protection | Disinfection | Supported OS | Comments
AbelSoft AntiRansomware | no | no | unknown | yes | no | Windows 7 and up | Trial available, full version price is €14.90
Bitdefender Anti-Ransomware | yes | no | CTBLocker, Locky, TeslaCrypt | yes | no | all supported versions of Windows |
CryptoPrevent | yes | no | unknown, developer cites "large number of cryptoware" | yes | no | Windows XP to Windows 10 | Paid versions available, protects against other malware, folder watch protection
Gridinsoft Anti-Ransomware | yes | yes | unknown | yes | no | all supported versions of Windows |
HitmanPro.Alert | no | no | Cryptoware protection | yes | no | Windows XP to Windows 10 | requires HitmanPro
HitmanPro.Kickstart | no | no | Lock Screen only | no | yes | Windows XP to Windows 10 | requires HitmanPro
Kaspersky Anti-Ransomware | yes | no | unknown | yes | rollback | all supported versions of Windows |
Malwarebytes Anti-Ransomware | yes | yes | CryptoLocker, CryptoWall, CTBLocker, Tesla | yes | no | all supported versions of Windows | Proactive protection against new ransomware
McAfee Ransomware Interceptor | yes | yes | Most unknown, Locky, TeslaCrypt, WannaCry | yes | no | Windows 7 and up |
RansomFree | yes | no | against more than 40 tested variants | yes | no | all supported versions of Windows | Honeypot system
SBGuard | yes | no | hardens the system | no | no | all supported versions of Windows |
Trend Micro Anti-Ransomware | yes | no | Lock Screen only | no | yes | all supported versions of Windows |
WinPatrol War | no | no | most, if not all, ransomware | yes | no | all supported versions of Windows | Layered protection: file, network and registry protection
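RansomFree in the table above is described as a "honeypot system". The following is an added example, not code from the presentation or from any product in the table, of how that approach works in its simplest form: decoy files that no user or application legitimately touches are seeded, hashed, and re-checked on a short interval; any modification, rename or new file in the decoy directory is the trigger. The decoy names, the polling interval and the tamper simulation are assumptions made for the example.

```python
"""Canary (honeypot) files that reveal an encryptor within seconds of it starting.

Added example for this page, not code from the presentation or from any of the
products in the table above. Decoys are seeded and hashed; a poll loop re-hashes
them and returns as soon as anything changes. Decoy names, sizes and the tamper
simulation are assumptions made for this example.
"""
import hashlib
import tempfile
import time
from pathlib import Path

# Names chosen to sort to the very start and very end of a directory listing:
# encryptors usually walk a directory in listing order, so a decoy is reached
# early whichever direction the walk takes.
CANARY_NAMES = ["!!_readme_first.docx", "000_accounts.xlsx", "zzz_passwords.txt"]


def seed_canaries(directory, names=CANARY_NAMES, size=4096):
    """Write decoy files with deterministic but random-looking content."""
    paths = []
    for name in names:
        p = Path(directory) / name
        block = hashlib.sha256(name.encode()).digest()      # 32 bytes
        p.write_bytes(block * (size // len(block)))
        paths.append(p)
    return paths


def snapshot(directory):
    """Return {filename: sha256} for every regular file in the decoy directory."""
    state = {}
    for p in sorted(Path(directory).iterdir()):
        if p.is_file():
            state[p.name] = hashlib.sha256(p.read_bytes()).hexdigest()
    return state


def diff_snapshots(before, after):
    """Classify what changed since the baseline.

    modified: content rewritten in place (encrypt-in-place families)
    removed:  decoy gone, typically renamed to <name>.<ransom extension>
    added:    new files, e.g. the renamed decoys or a dropped ransom note
    """
    return {
        "modified": sorted(n for n in before if n in after and before[n] != after[n]),
        "removed": sorted(n for n in before if n not in after),
        "added": sorted(n for n in after if n not in before),
    }


def watch(directory, baseline, interval=1.0, max_polls=None):
    """Poll until the decoys change; return the delta, or None once max_polls is reached."""
    polls = 0
    while max_polls is None or polls < max_polls:
        delta = diff_snapshots(baseline, snapshot(directory))
        if any(delta.values()):
            return delta
        time.sleep(interval)
        polls += 1
    return None


def simulate_tamper(directory):
    """Benign stand-in for an encryptor: overwrite one decoy, rename one, drop a note."""
    d = Path(directory)
    (d / "!!_readme_first.docx").write_bytes(b"\x00" * 64)
    (d / "000_accounts.xlsx").rename(d / "000_accounts.xlsx.locked")
    (d / "HOW_TO_DECRYPT.txt").write_text("your files are encrypted (simulation)\n")


def run_demo():
    """Seed decoys in a temp dir, baseline them, tamper, and return (quiet, delta)."""
    directory = tempfile.mkdtemp(prefix="canary_")
    seed_canaries(directory)
    baseline = snapshot(directory)
    quiet = watch(directory, baseline, interval=0, max_polls=1)   # nothing touched yet
    simulate_tamper(directory)
    delta = watch(directory, baseline, interval=0, max_polls=1)
    return quiet, delta


if __name__ == "__main__":
    quiet, delta = run_demo()
    print("before tamper:", quiet)
    print("after tamper: ", delta)
```

The detection is cheap; what makes it useful is that the response is automatic (kill the writing process, disconnect the host) rather than a notification, since the timings earlier in the deck show a full encryption run finishing in well under a minute. A real deployment also spreads decoys across the network shares the mitigation slide warns about, because that is where one infected workstation does the most damage.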
>_Get-Decryptors 777 (Emsisoft, TrendMicro) Al-Namrood (Emsisoft) Alcatraz Locker (Avast) Amnesia (Emsisoft) Apocalypse (Avast, AVG, Emsisoft) AutoLocky (Emsisoft, TrendMicro) BadBlock (Avast, AVG, Emsisoft, TrendMicro) Bart (Avast, AVG) Cerber (TrendMicro) Chimera (TrendMicro) CoinVault (Kaspersky) Cry128 (Emsisoft) Cry9 (Emsisoft) CrypBoss (Emsisoft) Crypt888 (Avast, AVG) CryptInfinite (Emsisoft) CryptoDefense (Emsisoft) CryptON (Emsisoft) CryptXXX (TrendMicro) CryptoMix (Avast) Crysis (Avast, TrendMicro) Damage (Emsisoft) DemoTool (TrendMicro) DMALocker (Emsisoft) DXXD (TrendMicro) Fabiansomware (Emsisoft) FenixLocker (Emsisoft) FindZip (Avast) Globe (Avast, Emsisoft, TrendMicro) GlobeImposter (Emsisoft) Gomasom (Emsisoft) Harasom (Emsisoft) HiddenTear (Avast) HydraCrypt (Emsisoft) KeyBTC (Emsisoft) Jigsaw (Avast, TrendMicro) LeChiffre (Emsisoft, TrendMicro) Legion (Avast, AVG) Marlboro (Emsisoft) Mircop (TrendMicro) MRCR (Emsisoft) Nemucod (Emsisoft, TrendMicro) NMoreira (Emsisoft) NoobCrypt (Avast) OpenToYou (Emsisoft) OzozaLocker (Emsisoft) PClock (Emsisoft) Philadelphia (Emsisoft) Radamant (Emsisoft) Rakhni (Kaspersky) Rannoh (Kaspersky) Shade (Kaspersky, McAfee) SNSLocker (TrendMicro) Stampado (Avast, Emsisoft, TrendMicro) SZFLocker (Avast, AVG) Teamxrat/Xpan (TrendMicro) TeleCrypt (TrendMicro) TeslaCrypt (Avast, AVG, McAfee, TrendMicro) Wildfire (Kaspersky, McAfee) Xorbat (TrendMicro) Xorist (Emsisoft, Kaspersky, TrendMicro) WannaCry (TrendMicro, Wanakiwi, Wanakey)
>_Set-DontForgetMeNot
Auto Clicking “GhostClicker” Playstore Android Adware Found in 340 Apps with 5 Million Downloads
>_Get-Future
Tesla remotely extended the battery range of drivers fleeing Irma
>_Get-Future-Weird Update on the NIST Post-Quantum Cryptography Project: Classical vs Quantum Computers
• The security of crypto relies on the intractability of certain problems for modern computers
• Example: RSA and factoring
• Quantum computers exploit quantum mechanics to process information
• They use quantum bits ("qubits") instead of 0s and 1s
• Superposition: the ability of a quantum system to be in multiple states at the same time
• Potential to vastly increase computational power beyond the classical limit
TESLA STEGANO
2 PAYLOAD
>_Set-Merci >_Get-Questions ?
“Setec Astronomy” is
an anagram of “too many secrets”! Another way to “reverse” things.
>_Add-Calendar
November 2017 Hackfest.ca
Come along in numbers…