monster-cloud-logo-transparent

Boris HT Ransomware

boris ht ransomware

Ransomware removal analysts have discovered a variant of the HiddenTear Ransomware (Boris HT). HiddenTear was a ransomware that exploited the code of a cybersecurity educational tool. Ransomware removal analysts have also noted similarities between Boris HT and other ransomware like Donut and Magician Ransomware. Although, there has not been an ultimate consensus on the fact that these afore-mentioned ransomware are been operated by a single cybercriminal group.

Interestingly, it has been found out that the source code of HiddenTear is continuously modified on the Deep Web. Unfortunately, due to the nature of privacy and security on the Deep Web, it is difficult to monitor and track the actual perpetrators.

The cybercriminals behind the Boris HT Ransomware attempt to hide the virus as a safe instance of a Microsoft process file which goes by the name of ‘svhost.exe’. This file is used to host DLL services.

Distribution Tactics

Ransomware removal professionals have been analyzing its proliferation and distribution strategies and have come to the conclusion that one of its primary tactics is to spread via fake updates of software while it also infects Microsoft Office documents and files. Other vessels of this malicious ransomware include free cracks of games that are available on a wide range of websites and are often downloaded by gamers to save money. Also, it has been observed that the ransomware tinkers with the folder of AppData where it can compromise the database files.

The files and documents are encrypted through the cryptographic algorithm, Advanced Encryption Standard (AES).  The affected files have an extension of ‘[email protected]].boris’. If users find any of their files with blank icons, it is a sign of the file’s encryption with Boris HT Ransomware. A ransom note file is added to the desktop that has an email address of [email protected] for further communication.

 

Unlock92 Zipper Ransomware: A Variant of Unlock92

unlock92

On 18th July 2018, ransomware removal experts were able to locate a new cyber threat in the ransomware space. The ransomware named as ‘Unlock92 Zipper Ransomware’ is an updated version of Unlock92 Ransomware. Netizens can detect whether their PC is infected or not by this newly-arrived threat if they observe any of their files to have an extension of ‘.random.zip’. It was also noted by ransomware removal experts that the team behind the ransomware is not the same as the previous one.

Analysis of the Ransomware

Ransomware removal experts explain that the primary intent of those behind this nefarious ransomware is similar to others, as files of victims are locked with encryption algorithms and the files’ owners are forced to pay money to get their data back. As it is an update of the infamous Unlock92 Ransomware, it employs the use of cryptographic algorithm RSA to encrypt the files of users.

Files that are generally encrypted consist of different formats including IT assets (source code, SQL files, exe files), multimedia (images, videos, presentations) and text documents (Microsoft Office documents like Excel, Word, PPT). After RSA’s completion, affected files are zipped and included in a folder. This zipping mechanism used by the virus is one of the modifications noticed by ransomware removal analysts.

Subsequently, a file named KEY.VL is also placed under the AppData folder by the ransomware. Afterward, a ransom note is displayed on victims’ desktop that is written in the Russian language.

The ransomware’ distribution strategies are countless. It includes spam e-mail campaigns where victims are sent e-mails with malicious links and file attachments. Malware is also incorporated as part of freeware in many websites on the Internet. However, one of the biggest sources of this ransomware infection is files downloaded via torrents that are used by netizens to obtain movies, games, and software.

 

 

Zero-Day Attacks in Ransomware Industry

zero-day

Due to the increasingly high demand for software applications, solutions, and products, many IT teams are forced to release applications in a short period of time. With deadlines approaching, many developers cannot focus properly on the loopholes in the source code. Thus, ransomware removal analysts note that these flaws are exploited by cybercriminals in several types of cyber-attacks. One of them that have gained notoriety is the zero-day attack.

Zero-day attack manufactures an opening through which the systems of an institution or organization get an unauthorized access by the cybercriminals. Ransomware removal experts note that this is possible because of the lack of signatures or patches that can deal with the ransomware removal.

It is expected that these attacks will increase with the passage of time and may form a worrying dilemma in the cybersecurity circles by 2021.

So the question is how to deal with this cyber-threat? Truth be told, these types of attacks are extremely strong and organizations are finding it hard to protect themselves against this onslaught. However, there are a number of security measures that can put you in a better place.

A wide majority of organizations’ security departments do not work on the recovery part. After a ransomware attack, many organizations do not have any contingency plan to recover their files. Thus, ransomware removal experts believe that an organization can profit from the use of backups that can be utilized after the successful infiltration of ransomware and its subsequent encryption.

The faster an organization is able to resist against a zero-day attack, the lesser damage will be caused to the stored data, financials and reputation of the organization.

Hence, an organization should increase its cyber defense strategy to detect and respond to a ransomware utilizing zero-day attack. Not only that but it should also focus on the restoration and resumption of their systems in the wake of a ransomware attack.

Report on the Wasaga Beach Ransomware Attack

wasaga beach

Ransomware removal experts found a report on the early 2018 ransomware attack on Canadian town Wasaga Beach that released on July 26, 2018. According to ransomware removal experts, the report focuses on the damages, costs, and expenses incurred in the ransomware attack that caused quite a rampage in the town and affected the municipality departments’ IT assets.

The report was formulated by the town’s treasurer Jocelyn Lee. Ms. Lee’s report has confirmed that the cyber attack was a ransomware attack in which cybercriminals were interested to extort money in exchange for the locked data of the town.

Moreover, Ms. Lee’s report stated that services were acquired from three reputable consulting firms for ransomware removal and recovery processes. The financial costs required to restore the data have been estimated at almost $35,000 while the services acquired by the consulting firms and individuals is greater than $37,000.

The report focused on expenses related to ransom amount, IT consultants, physical security vendors, IT purchase, third-party software vendors and the overtime of internal personnel.  Additionally, there were other costs too especially related to productivity as the staff was unable to work due to the inoperability of the systems.

Another Wasaga Beach Report in the Making

Ms. Lee also informed that another report is in being created through the assistance of Hexigent Consultants which will be displayed to the town’s Coordinated Committee on 20 August 2018.  

This report will focus more on the technicalities of the attack which can assist authorities to understand how the ransomware was able to enter the town’s system as well as its damaging strategies to the computer’s system and application software.

Ms. Lee report concluded with the statement that the ransomware attack manages to be a huge liability for the town. Moreover, the town realized the need of bigger investment in its IT budget in order to protect itself from the increasingly dangerous wave of cyber attack, especially ransomware.

Fairbanks Views on the Golden Heart Attack

fairbanks

Ransomware removal reporters were able to gain insights from Fairbanks North Star Borough on the recent ransomware attack on one of their partner companies, Golden Heart Administrative Professionals (GHAP). The ransomware attack was not only successful in its infection but also managed to threaten the integrity of sensitive patients’ data as health information of more than 40,000 individuals has been estimated to be compromised.

Fairbanks stated that its partner GHAP was an unfortunate victim of a ransomware campaign that managed to employ cryptographic algorithms and encrypt sensitive information stored in Golden Heart’s servers.

Input from Firms

Moreover, ransomware removal reporters were also provided with the fact that forensics and cybersecurity firms have been analyzing and working on the cyber-invasion’s after-effects including ransomware removal and recovery processes.

The firms concluded that cybercriminals got access to the entire data stored in Golden Heart’s IT assets. It was also observed that other malicious third-parties lurking in the cybersecurity space can also pose as a cyber risk and enter into the GHAP’s systems. The information compromised consists of various personal and sensitive details including names, birth information, residential addresses, SSN, financial details, medical diagnosis, and treatment.

Late Reporting

Fairbanks disclosed the date of ransomware attack to ransomware removal reporters as 14 April 2018 and also reported that the attack was found out on the same day when the systems were breached. However, Golden Heart was reluctant to report it to the relevant law enforcement authorities and it took a month for them to finally report it on 25 May 2018. Furthermore, the complete details of the attack were only passed to the authorities by 20 June 2018.

GHAP also revealed the attack details to credit reporting companies including Experian, TransUnion, and Equifax. For further information related to the attack, a helpline has been offered by Fairbanks that is functional on weekdays from 5:00 a.m. and 5:00 p.m.