Interesting Osiris Ransomware Facts You Should Know

February 24, 2017, by Matt Malanga

2016 was the year of ransomware, and Osiris played a big role. Numerous businesses, institutions, schools and even churches had to deal with the most unpleasant surprise of finding their files encrypted and hijacked by hackers, and many had to pay significant amounts in bitcoin to get their valuable data back. Some got good results, while many are still waiting for the promised decryption to be delivered. Understanding these Osiris ransomware facts gives insight into this malware and into what you can do to prevent it and remove it.

As ransomware continues to spread this year (and it seems it’s here to stay), desperate posts are flooding the web asking “how to remove Osiris ransomware”. While different vendors have products to remove the dreaded “Egyptian curse”, the difficulty remains: the strong encryption and more sophisticated design of Osiris, compared to some of its peers, make it hard to decrypt without paying for the key or getting ransomware removal pros involved. Let’s examine some interesting Osiris ransomware facts:

  • A family of dreadful deities: Osiris is not a new malware at all, but an evolution of the infamous Locky. Locky’s developers have provided ongoing maintenance and relaunched the ransomware in different versions, each release named after a mythological god; hence the predecessors of Osiris include Odin, Thor and Aesir. The name is visible in the extension given to the files the malware encrypts, so “.osiris” is the extension of a file encrypted by Osiris. An even more interesting connection is suggested by Palo Alto Networks, which links Locky and its variants (Osiris included) to the creators of the Dridex banking malware, given similarities in their distribution scheme.
  • Vehicles of deception: Speaking of distribution, the constant of sending the ransomware in email attachments remains, while the shape of these emails varies and seems highly credible to many users. Subjects containing the words “Invoice”, “DHL”, “FEDEX” or “UPS” have tricked people who were actually expecting a bill or a delivery into opening the attachment, which is normally an Excel or Word file that asks the user to enable macros; that is how the payload is delivered. Another distribution style that was highly successful was via Facebook, where, after receiving an image via Facebook IM, users would download it and install a Trojan named “Nemucod”, according to some sources. Several iterations of the infection indicate that it is also being used in spear-phishing campaigns; for instance, an affected business stated that the “invoice” file seemed to come from a reputable law firm that they deal with regularly. To become more familiar with the style of the messages that deliver Osiris, see the malware traffic resource linked from this post.
  • Operation and singularities: Given that it is mainly distributed via Excel spreadsheets that require macros to be enabled, Osiris ransomware typically targets Windows systems, and it does so by leveraging VBA macros that download a DLL file (typically with a .spe extension) and use Rundll32.exe to execute it. Once installed, it starts looking for files to encrypt and changes their names to random character sequences, so with Osiris it is immediately noticeable to users that something is wrong with their files. According to BleepingComputer, there is a glitch in the code of Osiris, so it does not leave its usual instructions message on the user’s desktop but in the user’s folder instead. You can follow a visual step-by-step of the malware’s operation in their article.
  • A profitable business: After all that has been said, the proliferation of Osiris boils down to business, and big business it is. According to research performed by the Herjavec Group, hackers behind ransomware campaigns (in general, not Locky or Osiris specifically) managed to collect nearly 1 Billion USD in 2016. This shows how efficient the strategy is and how valuable data is to businesses and individuals nowadays. An interesting analysis provided by Enigma Software suggests that Osiris and the Locky variants are actually being “leased” and used as MaaS, or Malware as a Service, based on the appearance and disappearance of the malware in dissimilar campaigns. The fact that both massive distribution of the malware and targeted distribution against sensitive targets have been observed also seems to support the theory that several criminal groups are using the same tool to perpetrate their crimes.
  • Paying the ransom might not get your data back: The last interesting Osiris ransomware fact concerns payment. While there have been instances where the hackers delivering the malware did decrypt the files, there are many other instances where the victims never got a response after paying. Besides that, hackers using Locky change their Command and Control servers quickly, and many campaigns have been observed to be very fast, trying to get as much as possible from the infection without staying active long enough to be traced. So, weighing the obligation to deliver decryption for payments received against the risk of exposure, hackers do not follow up thoroughly on every request. Another detail to note is that even when files have been decrypted, many are likely to have become unusable after the attack. All these reasons indicate that it is better to spend your money preventing ransomware, or having Osiris ransomware professionally removed, than paying the ransom.
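The macro-to-Rundll32 chain described under “Operation and singularities” above is something a defender can look for in process-creation telemetry rather than waiting for renamed files. The Python script below is an added example written for this article, not MonsterCloud’s or any vendor’s code. It runs three rules over a small set of constructed process-creation events: rundll32.exe loading a .spe file (the extension named in the post), rundll32.exe spawned by an Office application (the macro launch), and, going slightly beyond the post, rundll32.exe loading a DLL from a user-writable location such as %Temp% or %AppData%. The pipe-separated event format, the paths and the file names are assumptions made for the demo.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events for the demo (not real telemetry).
# Format: parent image name | child image path | child command line
SAMPLE_EVENTS = [
    r"explorer.exe|C:\Program Files\Microsoft Office\EXCEL.EXE|EXCEL.EXE /dde",
    r"EXCEL.EXE|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\alice\AppData\Local\Temp\a1b2c3.spe,qwerty",
    r"services.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
    r"WINWORD.EXE|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\bob\AppData\Roaming\xyz.dll,EntryPoint",
    r"explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe readme.txt",
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# The .spe DLL extension is the one named in the post for Osiris/Locky.
SPE_PAYLOAD_RE = re.compile(r"\.spe\b", re.IGNORECASE)
# Assumption for the demo: legitimate rundll32 DLLs rarely live under %AppData% or %Temp%.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp)\\", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    reason: str
    command_line: str


def analyze_event(line_no: int, line: str) -> list:
    """Apply the three rules to one event; returns zero or more findings."""
    parent, image, cmdline = line.split("|", 2)
    if not image.lower().endswith("rundll32.exe"):
        return []
    findings = []
    if SPE_PAYLOAD_RE.search(cmdline):
        findings.append(Finding(line_no, "rundll32 loading a .spe payload", cmdline))
    if parent.lower() in OFFICE_PARENTS:
        findings.append(Finding(line_no, f"rundll32 spawned by Office process {parent} (macro-launched payload)", cmdline))
    if USER_WRITABLE_RE.search(cmdline):
        findings.append(Finding(line_no, "rundll32 loading a DLL from a user-writable directory", cmdline))
    return findings


def scan(events) -> list:
    """Run every event through analyze_event, numbering events from 1."""
    return [f for i, line in enumerate(events, 1) for f in analyze_event(i, line)]


def flagged_lines(events) -> set:
    """Event numbers that produced at least one finding."""
    return {f.line_no for f in scan(events)}


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"event {finding.line_no}: {finding.reason}\n    {finding.command_line}")
```

On the sample data only the two Office-spawned rundll32 events are flagged; the rundll32 launched by services.exe with shell32.dll is left alone, which is the point of combining the parent-process rule with the payload rules instead of alerting on every rundll32 execution.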

Everything You Wanted to Know About Doxware

February 17, 2017, by Matt Malanga

What is Doxware?

Doxware is a ransomware variant that not only encrypts victims’ data and holds it hostage until a ransom is paid, often in Bitcoin, but, unlike traditional ransomware, also threatens to publicly expose sensitive information such as emails, conversations, photos, social security numbers, etc. If the ransom is not paid within the specified time frame, the data is often released publicly, causing reputational harm to a person or business.

How the name “Doxware” came about:

The term “dox” (or “doxx”) is an alteration of “docs”, the plural of “doc” (short for document). It first entered the dictionary as a verb in the early 21st century, referring to malicious hackers’ habit of searching for and publishing private or identifying information about a particular individual on the Internet, typically with malicious intent.

Doxing is the online practice of researching and broadcasting identifiable information (e.g. name, address, telephone number, social security number, etc.) of individuals or organizations.

“Ware” came from the term “malware” and “ransomware,” which identifies the vehicle for a cyber attack.

The terms combined create “Doxware”.

How doxware is different than ransomware:

When a user downloads and executes the malicious payload, the hacker is able to hijack information from the user’s computer and store it. The biggest threat here is not the encryption of the stolen data, as it is with ransomware (although hybrid attacks do exist), but the fact that the attacker uses the disclosure of this data as leverage to make the user pay the ransom. Unlike with ransomware, the data may still be available to the user, and decrypting it solves nothing: the threat becomes a continuous source of potential revenue for the hacker, since the stolen data is still in the criminal’s possession, and ongoing threats to reveal it can become a far more pervasive threat than its encryption.

History and rise of doxware:

One of the earliest doxware attack variants to emerge in the wild goes by the name “Ransoc.” The malware informs the victim that they have incurred a penalty because their computer allegedly contains child sexual abuse materials and items that violate intellectual property rights. The malware then informs the victim that they will go to jail unless they pay a ransom. Ransoc also runs several scheduled attacks that interact with Skype, LinkedIn and Facebook. The doxware then harvests information and photos it finds on those profiles and threatens to publish everything if payment is not received.

One of the most important factors driving the rise of doxware is the appearance of easy payment methods. In earlier days, cyber criminals tended to use either legitimate payment systems or semi-legitimate services to transfer money to each other and from their victims. The problem for criminals is that legitimate payment systems, reacting to the rise in fraudulent payments, started to track and block suspicious transactions, making money transfer a far riskier business for cyber-crooks. That is why moving money has always been an area of risk for cyber criminals. But things changed significantly when the price of the crypto-currency Bitcoin rose and stabilized enough to allow many users to convert real money. Criminals started to exploit the advantages of crypto-currencies over other types of e-currency: anonymity and a distributed nature, both of which allow them to hide fraudulent transactions and make it impossible for a law enforcement agency to do anything, as the system has no center and no owner. These features help to support individual privacy rights but, unfortunately, also give cyber criminals a very reliable and secret payment tool. The main outcome of this is that ransomware has become the new black in the underground.

How doxware spreads:

Doxware attacks function by breaching information processing systems, usually through infected email, and locking important files or networks until the user pays a specified amount of money. Many companies have figured out that they can avoid paying these ransoms by wiping a system clean, restoring it with backup data, and going about business without being held hostage. But doxware is the malware that combines ransomware with a personal data leak! With doxware, hackers hold computers hostage until the victim pays the ransom, similar to ransomware. But doxware takes the attack further by compromising the privacy of conversations, photos, and sensitive files, and threatening to release them publicly unless the ransom is paid. Because of the threatened release, it’s harder to avoid paying the ransom, making the attack more profitable for hackers.

Impact of doxware on business:

The first and foremost impact on business is that users pay. It seems that in recent years regular users and companies have reached the point where the information stored on their PCs is valuable enough to consider paying a ransom on demand. The massive transition in organizations towards digital documents and automated business processes for accounting and other day-to-day activities is helping to accelerate this. A company whose regulatory compliance report, for example, is encrypted with ransomware just before the deadline for submitting it to the regulatory body has no choice but to pay the ransom, and this is what criminals exploit. As a result, crypto-ransomware has become, almost uniquely, a type of malware that can cause tangible business damage by making critical operational files unreadable. This damage cannot always be rolled back, so sometimes paying the ransom is the only way to retrieve the data.

In 2014, Sony Pictures suffered an email phishing malware attack that released private conversations between top producers and executives discussing employees, actors, industry competitors, and future film plans, among other sensitive topics. And ransomware attacks have claimed a number of recent victims, especially healthcare systems, including MedStar Health, which suffered a major attack affecting 10 hospitals and more than 250 outpatient centers in March 2016. Combine the data leak of Sony and the ransomware attack on MedStar and we can see the potential fallout from a doxware attack.

Looking at the data leaked from Sony, it’s easy to imagine the catastrophic effect doxware would have on an executive of any major corporation. Company leaders hold countless conversations over email each day on sensitive topics ranging from product development to competition to internal politics, and if there’s a doxware attack, the fallout could be extensive.

Tips for combating doxware:

  • Back-up is a must. Upon the infection of your corporate PCs, the ransomware is likely to start encrypting files that are required for the daily work of your company. If it is technically impossible to back-up all the files you have in the corporate network, choose the most critical documents and files, isolate them and back-up regularly.
  • Use a reliable, corporate-grade security solution and don’t switch off its advanced features, as these enable it to catch unknown threats.
  • Keep the software on your PC up-to-date.
  • Keep an eye on files you download from the Internet.
  • Educate your personnel, very often the ransomware infection happens due to a lack of knowledge about common cyber threats and the methods criminals use to infect their victims.
  • Undertake regular patch management.
  • Avoid paying a ransom and report the attack to authorities.

Nowadays, doxware has become a growing concern for companies in every industry. Many companies have figured out that they can avoid paying ransomware demands by wiping a system clean, restoring it from backup drives, and going about business without being held hostage. But as a result, cyber criminals have created an even more insidious weapon with which cybersecurity pros must contend.

Five Interesting Wallet Ransomware Facts

February 14, 2017, by Matt Malanga

Fact #1 – Wallet & Other Ransomware Are Making Headlines

One of the first Wallet ransomware facts is its popularity. Wallet, one of the most prominent ransomware strains to have surfaced of late, continues to make its presence felt with updated propagation methods and infection routines. The consistent release of updated versions and evolved tactics across ransomware families strengthens the reign of cyber criminals. Hardly a day goes by without ransomware making headlines:

  • In February 2016, the Hollywood Presbyterian Medical Center, in Los Angeles, paid a ransom of about US$17,000 (40 Bitcoins) to hackers who infiltrated and disabled its computer network with ransomware.
  • Just days before the new year of 2017, on December 30, 2016, the Los Angeles Community College District (LACCD) agreed to pay a ransom demand of $28,000 to crooks who managed to infect the computer network of the Los Angeles Valley College (LAVC) with ransomware.
  • The University of Calgary transferred 20,000 Canadian dollars’ worth of bitcoins ($15,780; £10,840) after it was unable to unwind the damage caused by a ransomware attack.

Fact #2 – Wallet is Similar to Other Ransomware

Wallet ransomware is a typical ransomware program, which infiltrates computers and networks and encrypts certain files stored on them, thus rendering them unreadable for any existing program. .Wallet uses a complicated algorithm to encrypt all private files, adds the .Wallet extension and overall follows the classic ransomware pattern. Just like Locky, Cerber, Shade and thousands of other ransomware viruses, this program is devastating. For starters, ransomware is sneaky: it lands on the device in complete silence and is activated immediately. It then performs a thorough scan searching for private files.

Fact #3 – Wallet Ransomware Name Comes from File Extension

Adding to the Wallet ransomware facts is its namesake. .Wallet ransomware owes its name to the extension added at the end of the filenames. The extension designates items encrypted for malicious purposes. The scrambling aims at forcing the victims to pay the ransom.

Fact #4 – Its Cousin is Dharma

.Wallet goes hand in hand with .Dharma. Both are extensions added to files hit by the strongest combination of military-grade encryption (AES and RSA). Sometimes zzzzz and other suffixes substitute for the above. “Wallet” and its counterparts make up the final part of the appendix added, after the attacker’s contact email in brackets. The file then looks like this: file_name.pdf.[attacker email address].wallet
.Wallet may create multiple files in the %Temp% and %AppData% folders. It may also drop its ransom notification files, which RMV researchers claim are named as follows:

  • Readme.jpg
  • Readme.txt
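The extension patterns in Facts #3 and #4, together with the “.osiris” renaming described in the Osiris post above, are the quickest on-disk indicators that a share has been hit, and they are easy to check across a directory listing. The Python below is an added example written for this article, not MonsterCloud’s or RMV’s code: it classifies filenames against those patterns, summarizes a listing, and treats a Readme note as a weak signal unless encrypted-looking files are present as well. The regexes, the sample names and the restore@example.invalid address are constructed for the demo.

```python
import os
import re
from collections import Counter

# Patterns built from the descriptions in the posts (assumptions, not the malware's own code):
#  - Osiris (Locky family): original name replaced by a random character sequence plus ".osiris"
#  - Wallet/Dharma family: original name kept, then ".[attacker email]" and ".wallet", ".dharma" or ".zzzzz"
#  - Ransom notes dropped by Wallet, as named by RMV researchers in the post
OSIRIS_RE = re.compile(r"^[A-Za-z0-9-]+\.osiris$", re.IGNORECASE)
WALLET_FAMILY_RE = re.compile(r"^.+\.\[[^\]]+@[^\]]+\]\.(?:wallet|dharma|zzzzz)$", re.IGNORECASE)
RANSOM_NOTE_NAMES = {"readme.txt", "readme.jpg"}

# Constructed directory listing for the demo.
SAMPLE_NAMES = [
    "budget_2017.xlsx",
    "F67091F1-D24A-922B-0BE0-4C06A6C3.osiris",
    "contract.pdf.[restore@example.invalid].wallet",
    "photo.jpg.[restore@example.invalid].dharma",
    "Readme.txt",
    "Readme.jpg",
    "notes.docx",
]


def classify(filename: str):
    """Return the indicator category for one filename, or None if it looks clean."""
    name = os.path.basename(filename)
    if OSIRIS_RE.match(name):
        return "osiris"
    if WALLET_FAMILY_RE.match(name):
        return "wallet_family"
    if name.lower() in RANSOM_NOTE_NAMES:
        return "ransom_note"
    return None


def scan_names(names) -> dict:
    """Summarize an iterable of filenames by indicator category."""
    counts = Counter(classify(n) or "clean" for n in names)
    summary = {k: counts.get(k, 0) for k in ("osiris", "wallet_family", "ransom_note", "clean")}
    summary["total"] = sum(counts.values())
    return summary


def scan_directory(root: str) -> dict:
    """Walk a real directory tree and summarize every filename found."""
    names = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return scan_names(names)


def is_suspicious(summary: dict) -> bool:
    """A Readme alone is weak (any project has one); encrypted-looking files are the real signal."""
    return summary["osiris"] + summary["wallet_family"] > 0


if __name__ == "__main__":
    result = scan_names(SAMPLE_NAMES)
    print(result, "-> suspicious" if is_suspicious(result) else "-> clean")
```

Point scan_directory at a file share to get the same summary for real data; a non-zero osiris or wallet_family count is the trigger to isolate the host, since the page notes that with Osiris the renaming makes the infection immediately visible to users.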

“If you know your enemies and know yourself, you will not be imperiled in a hundred battles… if you do not know your enemies nor yourself, you will be imperiled in every single battle.”
– Sun Tzu, ‘The Art of War’

Fact #5 – Distribution via “Malvertisements”

The main distribution method for Wallet is the so-called “malvertisements”: ads and emails that were either made by cyber criminals or simply taken advantage of by them and injected with the malicious payload. Once you click on one of those links, you are either redirected to a dangerous website filled with viruses, or you directly download a virus, like .Wallet ransomware. With this in mind, you should use caution when clicking links in emails, popups, banners or other forms of online advertising material.

MonsterCloud provides cybersecurity services and specializes in wallet ransomware removal. MonsterCloud does not support paying criminals to fix ransomware as it encourages more crimes… and you might get ripped off.

Catastrophic Hacks of the Future

February 13, 2017, by Matt Malanga

Ethical Hacker Report on Catastrophic Hacks of the Future

MonsterCloud conducted a survey of fifty ethical hackers to better understand potential hacking threats of the future. Many of the ethical hackers feel strongly that there may be a widespread ransomware attack on private citizens and perhaps an attack on the US power grid. The entire report is astonishing.

See the entire report.

© 2019 MonsterCloud.com. All Rights Reserved.