of MongoDB, ElasticSearch, Hadoop, CouchDB, and Cassandra servers, attackers are now hijacking hundreds of MySQL databases, deleting their content, and leaving a ransom note behind asking for a 0.2 Bitcoin ($235) payment. According to breach detection firm GuardiCore, the attacks are happening via brute-force attacks on Internet-exposed MySQL servers, and there are plenty of those lying around, since MySQL is one of today's most popular database systems.

All attacks came from a server in the Netherlands

Based on currently available evidence, the attacks started on February 12 and lasted only 30 hours, during which time attackers attempted to brute-force their way into MySQL root accounts. Investigators said all attacks came from the same IP address in the Netherlands, 109.236.88.20, belonging to a hosting company called WorldStream. During their ransacking, the attackers didn't behave in a constant pattern, making it hard to attribute the hacks to one group despite the use of the same IP. For example, after gaining access to MySQL servers, attackers created a new database called PLEASE_READ and left a table inside it called WARNING that contained their ransom demands. In some cases, attackers only created the WARNING table and left it inside an already existing database, without creating a new one. Investigators report that attackers would then dump the database's content and delete it afterward, leaving only the one holding their ransom note. In some cases, attackers deleted the databases without dumping any data.

Attackers have their own website

Two ransom notes have been found in the hundreds of confirmed attacks: one asks victims to get in contact via email and confirm the payment, while the other uses a completely different mode of operation, redirecting users to a Tor-hosted website.
The two Bitcoin addresses listed in the ransom notes received four and six payments, respectively, although GuardiCore experts doubt that all are from victims. "We cannot tell whether it was the attackers who made the transactions to make their victims feel more confident about paying," they said.

Be sure the attacker still has your data

Just as in the case of the now infamous MongoDB attacks that have hit over 41,000 servers, it's recommended that victims check logs before deciding to pay and see whether the attackers actually took their data. If companies elect to pay the ransom, they should always ask the attacker for proof they still have the data. None of this would be an issue if IT teams followed standard security practices: using an automated server backup system, and deleting the MySQL root account or at least restricting it to local connections and giving it a strong, hard-to-brute-force password. This is not the first time MySQL servers have been held for ransom. The same thing happened in 2015, in a series of attacks called RansomWeb, where attackers used unpatched phpBB forums to hijack databases and hold websites up for ransom.
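The log check the article recommends (did the attacker actually read the data before dropping it?) and the exposure it warns about (root reachable from the Internet) can both be scripted. The following is an added example written for this page, not code from GuardiCore or from the article; it works over constructed sample lines in the MySQL 5.7 error-log and general-query-log formats, and the hostnames, connection ids and queries in it are invented for illustration. It counts failed root logins per source, walks the general log per connection to see whether a dropped database was SELECTed from first, flags the PLEASE_READ/WARNING artifacts, and reports root accounts whose host is not local.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (MySQL 5.7 error-log and general-query-log formats).
# They are illustrative only, not records from the incident described above.
ERROR_LOG = """\
2017-02-12T10:14:51.000001Z 11 [Note] Access denied for user 'root'@'109.236.88.20' (using password: YES)
2017-02-12T10:14:51.000002Z 12 [Note] Access denied for user 'root'@'109.236.88.20' (using password: YES)
2017-02-12T10:14:51.000003Z 13 [Note] Access denied for user 'root'@'109.236.88.20' (using password: YES)
2017-02-12T10:14:52.000004Z 14 [Note] Access denied for user 'root'@'109.236.88.20' (using password: YES)
2017-02-12T10:14:52.000005Z 15 [Note] Access denied for user 'root'@'109.236.88.20' (using password: YES)
2017-02-12T10:14:52.000006Z 16 [Note] Access denied for user 'root'@'109.236.88.20' (using password: YES)
2017-02-12T10:30:00.000007Z 40 [Note] Access denied for user 'app'@'10.0.0.5' (using password: NO)
"""

GENERAL_LOG = """\
2017-02-12T10:14:53.000000Z    17 Connect  root@109.236.88.20 on  using TCP/IP
2017-02-12T10:14:53.100000Z    17 Query    SHOW DATABASES
2017-02-12T10:14:53.200000Z    17 Query    SELECT * FROM shop.customers
2017-02-12T10:14:53.300000Z    17 Query    DROP DATABASE shop
2017-02-12T10:14:53.400000Z    17 Query    DROP DATABASE analytics
2017-02-12T10:14:53.500000Z    17 Query    CREATE DATABASE PLEASE_READ
2017-02-12T10:14:53.600000Z    17 Query    CREATE TABLE PLEASE_READ.WARNING (id INT, word TEXT)
2017-02-12T10:14:53.700000Z    17 Query    INSERT INTO PLEASE_READ.WARNING VALUES (1, 'send 0.2 BTC ...')
2017-02-12T10:14:53.800000Z    17 Quit
2017-02-12T10:31:00.000000Z    41 Connect  app@10.0.0.5 on shop using TCP/IP
2017-02-12T10:31:00.100000Z    41 Query    SELECT 1
"""

ACCESS_DENIED = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'")
GENERAL_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
CONNECT_ARG = re.compile(r"^(?P<account>\S+) on (?P<db>\S*) using")
USE_DB = re.compile(r"^\s*USE\s+`?(?P<db>\w+)`?", re.I)
READ_FROM = re.compile(r"\bFROM\s+(?:`?(?P<db>\w+)`?\.)?`?(?P<table>\w+)`?", re.I)
DROP_DB = re.compile(r"^\s*DROP\s+(?:DATABASE|SCHEMA)\s+(?:IF\s+EXISTS\s+)?`?(?P<db>\w+)`?", re.I)
# The artifacts this campaign left behind: a PLEASE_READ database or a WARNING table anywhere.
RANSOM_OBJECT = re.compile(r"^\s*CREATE\s+(?:DATABASE\s+`?PLEASE_READ`?|TABLE\s+(?:`?\w+`?\.)?`?WARNING`?)", re.I)


def brute_force_sources(error_log, threshold=5):
    """Count failed logins per (user, host); bursts at or above the threshold are brute-force candidates."""
    counts = Counter()
    for line in error_log.splitlines():
        m = ACCESS_DENIED.search(line)
        if m:
            counts[(m['user'], m['host'])] += 1
    return {acct: n for acct, n in counts.items() if n >= threshold}


def triage_general_log(general_log):
    """Per connection: ransom artifacts created, and for each dropped database whether the same
    connection read from it first, i.e. whether the attacker plausibly holds a copy of the data."""
    account = {}                  # connection id -> user@host
    current_db = {}               # connection id -> default database
    read_dbs = defaultdict(set)   # connection id -> databases it selected from
    artifacts, drops = [], []
    for line in general_log.splitlines():
        m = GENERAL_LINE.match(line)
        if not m:
            continue
        conn, cmd, arg = m['conn'], m['cmd'], m['arg'].strip()
        if cmd == 'Connect':
            c = CONNECT_ARG.match(arg)
            if c:
                account[conn] = c['account']
                current_db[conn] = c['db']
            continue
        if cmd != 'Query':
            continue
        u = USE_DB.match(arg)
        if u:
            current_db[conn] = u['db']
        r = READ_FROM.search(arg)
        if r:
            read_dbs[conn].add(r['db'] or current_db.get(conn, ''))
        if RANSOM_OBJECT.match(arg):
            artifacts.append((account.get(conn, '?'), arg))
        d = DROP_DB.match(arg)
        if d:
            drops.append({'account': account.get(conn, '?'), 'database': d['db'],
                          'read_before_drop': d['db'] in read_dbs[conn]})
    return {'artifacts': artifacts, 'drops': drops}


def remote_root_accounts(user_rows):
    """Given (user, host) rows as returned by `SELECT user, host FROM mysql.user`, return root
    accounts reachable from anywhere but the local machine: the exposure brute-forced here."""
    local = {'localhost', '127.0.0.1', '::1'}
    return [(u, h) for u, h in user_rows if u == 'root' and h not in local]
```

Run against real logs, a drop with `read_before_drop` False means the attacker has nothing to sell back, which is the case the article says victims should establish before paying; a True means only that a read happened, not that the dump was complete. The general query log is off by default on production servers, so this triage depends on it (or the binary log plus proxy or network logs) having been enabled beforehand.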
The average ransomware attack yielded $1,077 last year, new research shows, representing a 266 percent spike from a year earlier. The reason for the landmark year for hackers? Many ransomware victims readily pay the price. The number of attacks, the variety of distinct malware and the money lost all ballooned as ransomware became one of the top tactics of attackers, according to new research from the security firm Symantec. Some of the most high-profile ransomware incidents of the last year include San Francisco's Muni getting hit, Washington D.C.'s police department being breached just before the inauguration, and a Los Angeles college paying a $28,000 ransom. Hoping to turn the tide against the billion-dollar ransomware industry, last year the FBI urged businesses to alert authorities and not pay up. Instead, most keep attacks a secret, paying off hackers 70 percent of the time. That behavior only widens the sweet spot for demands, as criminals seek the highest possible ransom while trying to avoid the attention of law enforcement. Economists say hackers who apply more sophisticated pricing techniques "could lead to dramatic increases in profits at relatively little costs." The highest demand seen in public during the last year was $28,730 from MIRCOP ransomware. It's not clear if anyone actually paid off those specific hackers. In private, however, higher ransoms are finding success when hackers successfully target the right companies. An IBM Security study from December 2016 found that over half of the businesses surveyed said they had already paid over $10,000 in ransom, while 20 percent said they'd paid over $40,000. Globally, 34 percent of victims end up paying the ransom.
American victims, however, pay at a rate of 64 percent, according to Norton. "That's a phenomenal number," Symantec's Kevin Haley told CyberScoop. "I always compare it to direct mail where if you get a 1 percent rate you're doing really good. These guys get a 34 percent return rate. Extortion really pays." The twist of the knife comes when only 47 percent of victims who pay the ransom actually recover any files. "If so many people are willing to pay the ransom, there's no reason for the price to come down," Haley said. "In fact, it's only going to go up. We may see that average go even higher until that price ceiling is discovered when so many people aren't willing to pay that much. But we haven't hit it yet."
Robert Gren was working from home on Friday when, all of a sudden, his laptop stopped working. What he initially thought was just a kink in his computer's software was in fact part of a global ransomware attack that has affected more than 200,000 computers and caused untold havoc from China to Britain. Now, Mr. Gren and the thousands of other victims worldwide face an agonizing choice: either hand over the ransom, a figure that has climbed to $600 for each affected machine, by a deadline this Friday, or potentially lose their digital information, including personal photos, hospital patient records and other priceless data, forever. "I'm pretty devastated," said Mr. Gren, 32, a manager of an online entertainment business in Krakow, Poland, who has spent almost all of his waking hours since Friday looking for ways to reclaim his digital data. "I've lost private files that I have no other way of recovering. For me, the damage has been huge." That decision has become even more difficult as cybersecurity experts and law enforcement officials have repeatedly warned people against paying the ransom ahead of this week's deadline. Aside from dissuading victims from handing over money that may help fund further such attacks, they caution that there is no guarantee the attackers will return control of people's computers even if they pay the assailants in bitcoin, a digital currency favored in such ransomware attacks because it can be difficult to trace. Officials also note that the attackers, who have yet to be named, have provided only three bitcoin addresses (similar to a traditional bank routing number) for all global victims to deposit the ransom, so it may prove difficult to know who has paid the digital fees.
This haphazard planning has led many victims to hold off paying, at least until they can be sure they will get their data back. So far, roughly $80,000 has been deposited into the bitcoin addresses linked to the attack, according to Elliptic, a company that tracks online financial transactions involving virtual currencies. F-Secure, a Finnish cybersecurity firm, has confirmed that some of the 200 individuals it had identified as having paid the ransom had successfully had their files decrypted. Yet that represented a small fraction of those affected, and the company said it still remained unlikely that people would regain control of their computers if they paid the online fee. The tally of ransom payments may rise ahead of Friday's deadline, but cybersecurity experts say the current numbers, both total ransom money paid and machines decrypted, are far short of early estimates forecasting that the digital attack may eventually cost victims hundreds of millions of dollars in combined ransom fees. "I predict this may be an epic failure," said Kim Peretti, a former senior litigator in the Department of Justice's computer crime and intellectual property division who now is co-chairwoman of the cybersecurity preparedness and response team at Alston & Bird, an international law firm. "Because of the publicity of this attack and the public's awareness of people potentially not getting their files back, the figures aren't as high as people had first thought." For victims of such attacks, the potential loss of personal or business files can be traumatic. In typical ransomware cases, including the most recent hack, assailants send an email to potential targets. The message includes a malware attachment that takes over their machines if opened.
The attackers then demand payment before returning control of the computers, often through money paid in bitcoin or other largely untraceable online currencies.
Cyber criminals took a second swing at Mecklenburg County government on Thursday after officials rejected a demand for money following a ransomware attack. The follow-up attempts to hold the county hostage over illegally encrypted data came just hours after County Manager Dena Diorio announced she'd decided against paying a hacker ransom. Instead of agreeing to pay criminals, she said Wednesday, the county will rebuild its system applications and restore files and data from backups. But by Thursday afternoon, hackers tried to strike again. Diorio sent staff members an email saying, "I have a new warning for employees." As the county's IT staff worked to recover from the first cyberattack, Diorio said, they discovered more attempts to compromise computers and data on Thursday. "To limit the possibility of a new infection, ITS is disabling employees' ability to open attachments generated by DropBox and Google Documents," she wrote in an email. "The best advice for now is to limit your use of emails containing attachments, and try to conduct as much business as possible by phone or in person." She described the aftermath of the ransomware attack as a "crisis" and reassured employees they should not feel personally responsible for the incident. The county first learned of the problem earlier this week after an employee opened a malicious "phishing" email and accessed an attached file that unleashed a widespread problem inside the county's network of computers and information technology. The intent of that ransomware attack was essentially to access as many county government files and data servers as possible. Then the information was encrypted or locked, keeping employees at the county from accessing operating systems and files.
The person or people responsible for the infiltration then demanded the county pay two bitcoins, or about $23,000, in exchange for a release of the locked data. The county refused to pay. County officials say they anticipate the recovery of Mecklenburg County government operations will take days. "We are open for business, and we are slow, but there's no indication of any data loss or that personal information was compromised," Diorio said. Diorio said third-party security experts believe the attack earlier this week, by a new strain of ransomware called LockCrypt, originated from Iran or Ukraine. Forty-eight of about 500 county computer servers were affected.
Officials in Mecklenburg, N.C. must make a difficult decision by 1 p.m. ET on Wednesday: they must choose whether to pay two bitcoins, currently worth about $25,000, to hackers who are holding the county's computer files for ransom. [Update: they refused to pay.] The situation is the latest example of cyber criminals deploying a form of software known as ransomware, which freezes up files on a computer network until someone enters a decryption code to unlock them. Typically, the code can only be obtained by paying the hackers. An official for the county, which encompasses the city of Charlotte, said the ransomware was triggered when an employee clicked on an email attachment, and that it is wreaking havoc with daily operations: "She said an example of the problem is the county's code enforcement office, where much of the work is done electronically. Employees no longer have access to their records. But she said they are switching to paper records for work on Wednesday," according to the Charlotte Observer. The official also explained that the county faces a dilemma in deciding whether to pay. While paying the ransom may be the only way to obtain the decryption key, there is no guarantee the hackers will honor their commitment and provide the key. The anonymous hackers do not appear to have targeted Mecklenburg County in particular; rather, the official thinks the attack was launched as part of a broader money-making scheme involving ransomware. Similar attacks, which typically exploit old Microsoft software, struck millions of computers in two separate waves earlier this year, affecting everything from businesses to governments to hospitals. While most of the incidents occurred in Europe and Asia, U.S. organizations were hit too, including a transit system in Sacramento, Calif. and a hospital in Los Angeles.
A Tor proxy service is being used by crooks to divert ransom payments to their own accounts at the expense of ransomware distributors, and of their victims, according to security researchers. Ransomware distributors expecting an easy payday are having their illicit earnings stolen by other cybercriminals, who are hijacking the ransom payments before they're received and redirecting them into their own bitcoin wallets. Not only are the attacks giving criminals a taste of their own medicine in becoming victims of cyber-theft, they are also preventing ransomware victims from unlocking their encrypted files, because, as far as those distributing the malware are concerned, they never received their ransom payment. Uncovered by researchers at Proofpoint, it's believed to be the first scheme of its kind, with cybercriminals using a Tor proxy to carry out man-in-the-middle attacks that steal the cryptocurrency payments victims of ransomware are attempting to send to their attackers. The attacks take advantage of the way ransomware distributors direct victims to use Tor to reach the payment page and make the ransom payment. While many ransomware notes provide instructions on how to download and run the Tor Browser, others provide links to a Tor proxy (a regular website that relays Tor traffic as normal web traffic) so the process of paying is as simple as possible for the victim. However, one of the Tor gateways being used is altering bitcoin wallet addresses in the pages it relays, redirecting the payment into other accounts rather than those of the ransomware attacker. Meanwhile, those behind Magniber ransomware appear to have moved to combat bitcoin address replacement by splitting the HTML source of the wallet address into four parts, making it harder for proxies to find the address to change.
While the sums of bitcoin stolen don't represent a spectacular haul, the interception attacks do create problems for ransomware distributors and their victims. The victims are the ultimate losers in this scenario. Not only are they paying hundreds or even thousands of dollars in ransom demands, they're not even getting their files back in return, because the man-in-the-middle attacks mean the ransomware distributors don't think they've been paid.
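The mechanics of this scheme are simple to reproduce: a relaying gateway only has to regex-replace every address-shaped token in the HTML it passes through, and Magniber's four-way split defeats exactly that pattern match. The block below is an added example written for this page, not Proofpoint's or anyone else's code; it simulates the gateway's rewrite, the split-address countermeasure, and the check that actually catches the swap. The Base58Check routines are included so the example can generate well-formed addresses from dummy hashes (the two hashes are constructed, not real wallets) and show that a checksum test cannot tell a thief's address from the real one.

```python
import hashlib
import re

ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'


def b58encode(raw: bytes) -> str:
    """Bitcoin Base58: big-endian integer to digits, with one leading '1' per leading zero byte."""
    n = int.from_bytes(raw, 'big')
    out = ''
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    zeros = len(raw) - len(raw.lstrip(b'\x00'))
    return '1' * zeros + out


def b58decode(s: str, length: int = 25) -> bytes:
    """Inverse of b58encode for fixed-length payloads (legacy addresses are 25 bytes)."""
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)   # ValueError on a non-Base58 character
    return n.to_bytes(length, 'big')      # OverflowError if the value does not fit


def address_from_hash(hash160: bytes, version: int = 0x00) -> str:
    """Base58Check: version byte + 20-byte hash + first 4 bytes of double-SHA256."""
    payload = bytes([version]) + hash160
    check = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + check)


def valid_checksum(addr: str) -> bool:
    try:
        raw = b58decode(addr)
    except (ValueError, OverflowError):
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]


# Legacy (P2PKH/P2SH) address shape: prefix 1 or 3, then 25 to 34 more Base58 characters.
BTC_ADDR = re.compile(r'\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b')


def rogue_proxy_rewrite(html: str, thief_addr: str) -> str:
    """What the tampering gateway does to each relayed page: swap address-shaped tokens for its own."""
    return BTC_ADDR.sub(thief_addr, html)


def split_address_html(addr: str, parts: int = 4) -> str:
    """Magniber-style countermeasure: emit the address as several tags so no single text run matches."""
    step = -(-len(addr) // parts)  # ceiling division
    return ''.join(f'<span>{addr[i:i + step]}</span>' for i in range(0, len(addr), step))


def addresses_in(html: str):
    """Victim-side extraction: strip tags and join the text first, so a split address is found whole."""
    text = re.sub(r'<[^>]+>', '', html)
    return BTC_ADDR.findall(text)


def payment_address_consistent(direct_html: str, proxied_html: str) -> bool:
    """The check that catches the swap: the page fetched in the Tor Browser and the page fetched
    through the gateway must name the same address. Checksum validity alone proves nothing."""
    return addresses_in(direct_html) == addresses_in(proxied_html)


# Constructed demo data: deterministic dummy hashes, not anyone's real wallet.
ATTACKER_ADDR = address_from_hash(b'\x11' * 20)
THIEF_ADDR = address_from_hash(b'\x22' * 20)
RANSOM_PAGE = f'<html><body><p>Send 0.5 BTC to {ATTACKER_ADDR}</p></body></html>'
SPLIT_PAGE = f'<html><body><p>Send 0.5 BTC to {split_address_html(ATTACKER_ADDR)}</p></body></html>'
```

Two observations follow from running it. The thief's address passes `valid_checksum`, so nothing on the rewritten page looks malformed; only comparing the address seen through the gateway against one obtained over a second, independent path (the Tor Browser itself, or the address embedded in the ransom note on disk) exposes the substitution. And the split defence is only as good as the proxy's laziness: a gateway that flattened text nodes before matching, as `addresses_in` does, would defeat it.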
DDoS extortionists have already pounced on the Memcached DDoS attack vector in attempts to extract payments from attacked companies. Akamai revealed earlier today that it detected DDoS attacks executed via Memcached servers that were different from the others. Instead of blasting targets with UDP packets containing random data, one group of attackers is leaving short messages inside these packets. This group is asking victims to pay 50 Monero (around $17,000) to a Monero address. The group doesn't say it will stop the attack, but only implies it. Such attacks first appeared in 2015 and were initially referred to as DDoS-for-Bitcoin after the DD4BTC group that pioneered the tactic. The group would send emails to various companies, threatening to launch DDoS attacks unless they paid a ransom fee. Even after the group's members were arrested, other factions appeared in subsequent years, using unique names such as Armada Collective or XMR Squad, but also mimicking hacker groups such as Anonymous or LulzSec. The tactic, now known as ransom DDoS (RDoS), has become quite popular among cybercriminal groups, and there have been too many RDoS campaigns to remember in the past years. In most past cases, attackers didn't have the firepower to launch DDoS attacks if victims ignored the ransom demand. But the Memcached-based DDoS extortions are different. Attackers clearly have the DDoS cannon to take down companies, mainly due to the large number of unsecured Memcached servers they can abuse to launch these attacks. Victims are also more likely to pay, seeing that they're under a heavy attack and this isn't just an empty threat.
But according to Daniel Smith, a Radware security researcher who spoke with Bleeping Computer, paying the Monero ransom won't help companies at all. That's because the attackers have used the same Monero address for multiple DDoS attacks against different targets; the same Monero address seen in the Akamai attacks was also spotted by a different security researcher. The attackers wouldn't have the ability to tell which of the multiple targets they attacked paid the ransom. The general consensus is that this group is using a carpet-bombing technique, hitting as many targets as possible for short bursts and hoping to scare one into paying. "Multiple targets are sent the same message in hopes that any of them will pay the ransom," Akamai said in a report today, echoing Smith's recommendation not to pay the ransom. "There is no sign to suggest that they are actively tracking the targets' reaction to the attacks, no contact information, no detailed instructions on payment notification," Akamai added. "If a victim were to deposit the requested amount into the wallet, we doubt the attackers would even know which victim the payment originated from, let alone stop their attacks as a result."
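What a defender actually sees on the wire is a flood of memcached UDP responses, each an 8-byte frame header followed by the ASCII `VALUE <key> <flags> <bytes>` reply carrying whatever the attacker stored, with the extortion note padded out to maximise the size of the reflected packet. The block below is an added example for this page, not Akamai's or Radware's tooling; it builds one such reflected datagram from a constructed note (the Monero address in it is a dummy string of the right shape, not a real wallet), parses the frame and the VALUE records, computes the amplification relative to the tiny `get` that triggered it, and groups captures by wallet to show the point made above: one address shared across many victims cannot be tied to any one payer.

```python
import re
import struct

MEMCACHED_PORT = 11211
# memcached UDP frame header: request id, sequence number, datagram count, reserved (big-endian uint16s)
UDP_HEADER = struct.Struct('!HHHH')
VALUE_LINE = re.compile(rb'VALUE (?P<key>\S+) (?P<flags>\d+) (?P<size>\d+)(?: \d+)?\r\n')
# Monero standard address shape: starts with '4', 95 Base58 characters in total
XMR_ADDR = re.compile(rb'\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b')
# The minimal spoofed request that triggers the reflection: frame header plus "get <key>\r\n"
REQUEST_LEN = UDP_HEADER.size + len(b'get a\r\n')


def build_reflected_reply(key: bytes, data: bytes, request_id: int = 1) -> bytes:
    """Shape of the datagram a memcached server returns for a 'get': what the spoofed victim receives.
    Used here only to construct sample traffic."""
    body = b'VALUE ' + key + b' 0 ' + str(len(data)).encode() + b'\r\n' + data + b'\r\nEND\r\n'
    return UDP_HEADER.pack(request_id, 0, 1, 0) + body


def parse_frame(datagram: bytes):
    req_id, seq, total, _ = UDP_HEADER.unpack_from(datagram)
    return {'request_id': req_id, 'seq': seq, 'total': total, 'payload': datagram[UDP_HEADER.size:]}


def parse_values(payload: bytes):
    """Walk the ASCII response: VALUE header, <size> bytes of data, CRLF, repeat until END."""
    items, pos = [], 0
    while True:
        m = VALUE_LINE.match(payload, pos)
        if not m:
            break
        size = int(m['size'])
        start = m.end()
        items.append((m['key'], payload[start:start + size]))
        pos = start + size + 2
    return items


def classify(src_port: int, datagram: bytes):
    """Flag a memcached reflection datagram and pull out any embedded extortion note and wallet."""
    frame = parse_frame(datagram)
    values = parse_values(frame['payload'])
    note, wallets = None, []
    for _, data in values:
        if re.search(rb'monero|xmr|pay', data, re.I):
            note = data.rstrip().decode(errors='replace')
        wallets += [w.decode() for w in XMR_ADDR.findall(data)]
    return {
        'reflected_memcached': src_port == MEMCACHED_PORT and bool(values),
        'amplification': len(datagram) / REQUEST_LEN,
        'note': note,
        'monero_addresses': wallets,
    }


def wallets_by_target(observations):
    """Group (victim_ip, datagram) captures by the wallet they carry. One wallet across many victims
    is the sign that a payment could not be attributed to any of them."""
    seen = {}
    for victim, dgram in observations:
        for w in classify(MEMCACHED_PORT, dgram)['monero_addresses']:
            seen.setdefault(w, set()).add(victim)
    return seen


# Constructed sample: a dummy address-shaped string, padded the way an attacker pads a stored
# value to maximise the response size. Not a real wallet.
DUMMY_XMR = '4A' + '7Zk' * 31
SAMPLE_NOTE = f'Pay 50 XMR to {DUMMY_XMR} to stop the attack'.encode().ljust(1400, b' ')
SAMPLE_DATAGRAM = build_reflected_reply(b'a', SAMPLE_NOTE)
```

With a 1400-byte stored value the single datagram is roughly 95 times the size of the `get` that provoked it, and a real server splits larger values across many datagrams (the `total` field), which is where the headline amplification factors come from. The practical defences are on the server side, not the victim's: memcached should not listen on UDP at all unless something needs it, and it should never be reachable from the Internet.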
In the wake of an attack on computers at Colorado's DOT, experts at Webroot shed light on ransomware

Last month, employees at the Colorado Department of Transportation were greeted by a message on their computer screens similar to this: "All your files are encrypted with RSA-2048 encryption. … It's not possible to recover your files without private key. … You must send us 0.7 BitCoin for each affected PC or 3 BitCoins to receive ALL Private Keys for ALL affected PC's." CDOT isn't paying, but others have. In fact, so-called ransomware has become one of the most lucrative criminal enterprises in the U.S. and internationally, with the FBI estimating total payments are nearing $1 billion. Hackers use ransomware to encrypt computer files, making them unreadable without a secret key, and then demand digital currency like bitcoin if victims want the files back, and many victims are falling for that promise. To better understand how ransomware works and how it has spread so effectively, The Denver Post talked with Broomfield anti-malware company Webroot, which got its start in the late 1990s cleansing computer viruses from personal computers. "The end goal is just to put ransomware on the computer because right now the most successful way for cybercriminals to make money is with ransoming your files," said Tyler Moffitt, a senior threat research analyst at Webroot. Ransomware infects more than 100,000 computers around the world every day and payments are approaching $1 billion, said U.S. Deputy Attorney General Rod J. Rosenstein during the October 2017 Cambridge Cyber Summit, citing FBI statistics. A study by researchers at Google, Chainalysis, the University of California San Diego and NYU Tandon School of Engineering estimated that from 2016 to mid-2017, victims paid $25 million in ransom to get files back.
And one out of five businesses that do pay the ransom don't get their data back, according to a 2016 report by Kaspersky Labs. It's a growing business for cybercriminals. And whether to pay or not is something each user or company must decide. Last spring, the Erie County Medical Center in New York was attacked by SamSam through a misconfigured web server, according to The Buffalo News. Because it had backed up its files, the hospital decided not to pay the estimated $44,000 ransom. It took six weeks to get back to normal, at a recovery cost of nearly $10 million. More recently, in January, a new SamSam variant sneaked into the Indiana hospital Hancock Health, which decided to pay 4 bitcoin, or about $55,000, in ransom. Attackers gained entry by using a vendor's username and password on a Thursday night. The hospital was back online by Monday morning. Other times, malware isn't so obvious. Some propagates when a user visits an infected website. A trojan named Poweliks injected bad code into vulnerable programs, like an unpatched Internet Explorer. Poweliks crept into the Windows registry to force the computer to do all sorts of nasty things, from demanding a ransom to joining a click-fraud bot network that clicks ads without the user even realizing it. There are also booby-trapped ads, known as malvertising. They get into computers by, again, targeting flawed software and injecting malicious code. This has targeted programs like unpatched Adobe Flash Player, Java or other runtime software, or software that runs online all the time.
Authorities on Wednesday charged two Iranian citizens for the ransomware cyber attack that hobbled the city of Atlanta's computer network in March, and the federal indictment outlines the pair's massive nationwide scheme to breach the computer networks of local governments, health care systems and other public entities. The defendants, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, are alleged to have developed the SamSam ransomware, malicious software that encrypts data until the infected organizations pay a ransom. All told, the pair inflicted harm on more than 200 victims across the country and collected roughly $6 million in ransom over a three-year period dating back to 2015. Their scheme caused over $30 million in losses to various entities, according to federal authorities. The hack of city of Atlanta computers in March crippled city business for days. One internal report that surfaced in August estimated the damage to the city could cost up to $17 million. "We're glad that these people will be brought to justice," Mayor Keisha Lance Bottoms told Channel 2 Action News. "Hopefully this will stop another municipality from experiencing what we did." "The defendants allegedly hijacked victims' computer systems and shut them down until the victims paid a ransom," said Deputy Attorney General Rod Rosenstein, speaking at a press conference in Washington D.C. "Many of the victims were public agencies with missions that involve saving lives and performing other critical functions for the American people." The two men are not in U.S. custody, and Iran has no extradition treaty with the U.S. But Justice Department officials expressed confidence that Savandi's and Mansouri's travel patterns would subject them to being captured.
Atlanta officials have repeatedly denied paying the $51,000 in ransom demanded by the hackers, and the 26-page federal indictment released Wednesday doesn't directly address which cities and entities paid ransom. Brian Benczkowski, an assistant attorney general for the U.S. Justice Department, told reporters on Wednesday that the agency wouldn't identify which victims paid the attackers. A city of Atlanta spokesperson on Wednesday said again that no one acting on the city's behalf, including its insurance carrier, paid any ransom. But the indictment has two references to Atlanta, and it raises questions about whether or not the city paid ransom. The indictment describes the March 22 assault on Atlanta's network and the effort by the two men to demand ransom. In one paragraph, the indictment says they demanded ransom from Atlanta in Bitcoin payments in exchange for encryption keys to recover the city's compromised data. The next paragraph says that on April 19, Savandi "received funds associated with ransom proceeds, which were converted into Iranian rial and deposited by" a currency exchanger. The indictment does not say whether those proceeds were associated with the Atlanta attack. But Ralph Echemendia, a computer hacking consultant who advises corporations on cyber security, said he read the indictment and thinks the payment was associated with the Atlanta attack, because it would be one way that federal agents connected the breach to Savandi and Mansouri. The indictment describes how the two men demanded payments in bitcoins, a so-called cryptocurrency, and in Atlanta's case the demand equaled roughly $50,000. "The moment you try and turn it into dollars, euros or any kind of real currency it has to go through an exchange," Echemendia said.
"At that point the exchange would have to work with law enforcement … ultimately that is going to wind up in somebody's bank account." The Justice Department declined to answer a question from the AJC about whether the April 19 exchange of bitcoins into Iranian rial described in the indictment was related to Atlanta's attack. Tony UcedaVelez, CEO of Versprite, an Atlanta-based security services company, said the language in the indictment does make it seem a ransom was paid on the city's behalf. But he said the payment could have been made by someone in law enforcement hoping the funds would lead to the attackers. UcedaVelez also pointed to an attachment in the indictment that indicated someone associated with the city had followed the attackers' initial instructions. The indictment included a ransom note to Newark instructing it on how to download a Tor network browser and visit the attackers' website, where victims could upload two files to be decrypted as a demonstration. Newark paid its ransom of roughly $30,000. Another attachment shows the ransom website the attackers created for the city of Atlanta on the Tor network. To get there, someone would have had to download the Tor browser. And it appeared they had uploaded a couple of files for the demonstration. "Files available to decrypt: 2," read a statement on the site.
The US Attorney's Office for the Northern District of Georgia announced Wednesday that a federal grand jury had returned indictments against two Iranian nationals charged with executing the March 2018 ransomware attack that paralyzed Atlanta city government services for over a week. Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri are accused of using the SamSam ransomware to encrypt files on 3,789 City of Atlanta computers, including servers and workstations, in an attempt to extort Bitcoin from Atlanta officials. Details leaked by City of Atlanta employees during the ransomware attack, including screenshots of the demand message posted on city computers, indicated that SamSam-based malware was used. A SamSam variant was used in a number of ransomware attacks on hospitals in 2016, with attackers using vulnerable Java web services to gain entry in several cases. In more recent attacks, including those on the health industry companies Hancock Health and Allscripts, other methods were used to gain access, including Remote Desktop Protocol hacks that gave the attackers direct access to Windows systems on the victims' networks. The Atlanta attack was not a targeted state-sponsored attack; the attackers likely chose Atlanta based on a vulnerability scan. According to the indictment, the attackers offered the city the option of paying six Bitcoin (currently the equivalent of $22,500) to get keys to unlock all the affected systems, or 0.8 Bitcoin (about $3,000) for individual systems. "The ransom note directed the City of Atlanta to a particular Bitcoin address to pay the ransom and supplied a web domain that was only accessible using a Tor browser," a Department of Justice spokesperson said in a statement. "The note suggested that the City of Atlanta could download the decryption key from that website."
But within days of the attack, the Tor page became unreachable, and the City of Atlanta did not pay the ransom. Savandi, 34, of Shiraz, Iran, and Mansouri, 27, of Qom, Iran, have been charged under the Computer Fraud and Abuse Act (CFAA) for "intentional damage to protected computers ... that caused losses exceeding $5,000, affected more than 10 protected computers, and that threatened the public health and safety," the Justice Department spokesperson said. They are also charged in a separate indictment in the US District Court for the District of New Jersey in connection with another ransomware attack, in which a ransom was apparently paid.
Companies and individuals in Japan are finding their computers increasingly targeted by ransomware campaigns that bar victims from accessing important files unless they pay money. “Attacks on Japanese businesses have been particularly large in number,” said Masakatsu Morii, a professor of information and telecommunications engineering at Kobe University’s Graduate School of Engineering. Ransomware typically infects computers when the user opens a file attached to spam mail from a sender pretending to be a legitimate entity such as a parcel delivery company, according to the government-affiliated Information-Technology Promotion Agency. The malicious programs encrypt the infected computers’ files, and users can only open them after paying the perpetrators money to obtain a special key to unlock them. Yoshihito Kurotani, a researcher at the agency’s engineering department, said the programs employ basic encryption technologies. Kurotani’s agency has received numerous inquiries asking for help from victims who cannot access their photos or business files. The bogus emails “used to be written in English or unnatural Japanese, but we have seen increasing attacks using natural Japanese recently,” Kurotani said. Computer security firm Trend Micro Inc. said it received 2,810 reports of ransomware attacks nationwide in 2016 — a 3.5-fold jump from the previous year. “Tactics are expected to be even more sophisticated in 2017,” a Trend Micro official said. A survey conducted by the firm last June shows that about 60 percent of companies that were attacked paid ransoms. The payment in one case exceeded ¥10 million ($88,000). The extortion and the transactions in the ransomware programs themselves have become a profitable business for cybercriminals.

The programs are traded on online black markets that cannot be accessed without the use of special software. In the “dark web” networks, various programs are sold, including multilingual ones and one that can be used for a “lifetime” for just $39. The people who post the programs make profits by taking a share of the ransoms collected. Firms undertaking the delivery of unsolicited emails do business there, too. Katsuyuki Okamoto, a security “evangelist” at Trend Micro, said it has become easier and easier to be involved in or become a victim of cybercrime. Cybersecurity experts warn that users should protect their computers by always keeping operating systems and anti-malware software up to date and should constantly back up their data. They said victims should never pay ransoms as there is no guarantee their files will actually be restored. “If you pay money to the criminals, that will only help them create a new virus,” Okamoto said.
Ransomware has largely been an opportunistic, rather than a targeted, form of cybercrime with the goal of infecting as many users as possible. That model has worked so effectively that extortion is now ubiquitous when it comes to cybercrime — so much so that even fake attacks are proving to be successful. As I wrote earlier this month, the surge of extortion attacks impacting organizations has led to a number of fake extortion threats, including empty ransomware demands where actors contact organizations, lie about the organization’s data being encrypted, and ask for money to remove the non-existent threat. Cybercriminals like to follow the path of least resistance, and an attack doesn’t get much easier than simply pretending to have done something malicious. However, attacks over the past year have proven that infecting organizations with ransomware can result in much higher payouts. The more disruptive the attack, the more money some organizations are willing to pay to make the problem go away. As a result, ransomware actors are shifting their targets towards more disruptive attacks, which we examine in our latest report, Ransomware Actors Shift Gears: New Wave of Ransomware Attacks Aims to Lock Business Services, Not Just Data. It was just 13 months ago that Hollywood Presbyterian Medical Center drew national attention by paying $17,000 to decrypt its files after a ransomware attack. The incident was novel at the time, but those types of stories have since become commonplace. Organizations need to take action to protect themselves against ransomware actors that are trying to find more effective ways to disrupt business operations and demand even higher ransom payouts.
Ransomware authors are nothing if not persistent. They continue to try new evasion techniques, new programming languages, new naming conventions, and even more forceful demand tactics to pressure victims into paying. One new technique involves packaging ransomware in RarSFX executable files. Last week we talked about a multi-component variant of Cerber (detected as RANSOM_CERBER) found packaged in an SFX file, a feature that helps it evade machine learning. This week, we saw CrptXXX (detected by Trend Micro as RANSOM_CRPTX.A) also in an SFX package—most likely for the same reason. This particular ransomware cannot execute fully without the correct parameters and other components inside its package. If CrptXXX successfully infects a system, the victim receives a relatively straightforward ransom note. They are instructed to go to a specific .onion site and input their unique ID, then follow the payment instructions. French Locker (detected by Trend Micro as RANSOM_LELEOCK.A) is a typical ransomware made by developers who want to get paid quickly. This ransomware displays a 10-minute timer and deletes one of the victim's encrypted files for every 10 minutes that pass. It arrives through malicious sites or is dropped by other malware, and victims can choose between an English and a French version. Initially, the ransomware installs an autostart registry entry for its dropped copy, which triggers its encryption routine once the machine reboots. Encrypted files are appended with the .lelele extension. SAMSAM has been updated with a new variant (detected by Trend Micro as RANSOM_SAMAS.I). The previous version made waves in 2016 after it targeted vulnerable hospital servers. Traditionally, ransomware spreads through social engineering, malvertisements, or spam—SAMSAM set itself apart when it targeted the network infrastructure of certain healthcare facilities.

The threat actors behind this ransomware gain access to the administrative rights of a network and pinpoint specific target hosts. They deploy to a sizeable portion of the victim’s network, causing essential systems and services to shut down and leaving the target facility little choice but to pay the ransom. This is one of the latest variants of SAMSAM, though this ransomware family constantly changes its behavior when its threat indicators or IOCs are made public. The first ransomware to be written in Google’s Go programming language was detected late last year, and now we have another to add to the list. Apart from the programming language used, BrainCrypt (detected by Trend Micro as RANSOM_BRAINCRYPT) is a relatively standard ransomware. There are no specific details in the ransom note, just simple instructions explaining the situation and telling the victim to email the threat actors. The continuing evolution of ransomware shows how quick cybercriminals are to adopt the latest technology and techniques to make their malware more effective. Because of this, all users should stay vigilant and updated on the latest threat developments.
There’s no question that Friday’s WannaCry ransomware attack, which spread like wildfire, was bad. Its ability to spread like a worm by exploiting a Microsoft vulnerability was certainly new ground for a ransomware campaign. But along the way, there’s been a lot of fear and hype. Perspective is in order. Here’s a look at the latest in Sophos’ investigation, including a recap of how it is protecting customers. From there, we look at how this fits into overall attack trends and how, in the grand scheme of things, this doesn’t represent a falling sky. With the code behind Friday’s attack in the wild, we should expect copycats to cook up their own campaigns in the coming days to capitalize on the money-making opportunity in front of them. Over the weekend, accounts set up to collect ransom payments had received smaller amounts than expected for an attack of this size. But by Monday morning, the balances were on the rise, suggesting that more people were responding to the ransom message on Monday. On Saturday, three ransomware-associated wallets had received 92 bitcoin payments totaling $26,407.85 USD. By Sunday, the number between the three wallets was up to $30,706.61 USD. By Monday morning, 181 payments had been made totaling 29.46564365 BTC ($50,504.23 USD). Analysis seems to confirm that Friday’s attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers. It used a variant of the Shadow Brokers’ APT EternalBlue Exploit (CC-1353), and used strong encryption on files such as documents, images, and videos. A perfect attack would self-propagate but would do so slowly, randomly and unpredictably. This one was full throttle, but hardly to its detriment.

Here we had something that spread like wildfire, but the machines that were impacted were probably still susceptible to secondary attacks because the underlying vulnerability probably hasn’t been patched. The problem is that the exploit and the payload are separate. The payload went fast and got stopped, but that’s just one of an infinite number of possibilities that can spread through the unsolved exploit. Companies still using Windows XP are particularly susceptible to this sort of attack. First launched in 2001, the operating system is now 16 years old and has been superseded by Windows Vista and the Windows 7, 8 and 10 upgrades. It remains to be seen who was behind this attack. Sophos is cooperating with law enforcement to provide any intelligence it can gather about the origins and attack vectors. The company believes initial infections may have arrived via an email with a malicious payload that a user was tricked into opening. Sophos continues to update protections against the threat. Sophos customers using Intercept X and Sophos EXP products will also see this ransomware blocked by CryptoGuard. Please note that while Intercept X and EXP will block the underlying behavior and restore deleted or encrypted files in all cases we have seen, the offending ransomware splash screen and note may still appear. For updates on the specific strains being blocked, Sophos is continually updating a Knowledge-Base Article on the subject. Meanwhile, everyone is urged to update their Windows environments as described in Microsoft Security Bulletin MS17-010 – Critical.

For those using older versions of Windows, Microsoft has provided Customer Guidance for WannaCrypt attacks and has made the decision to make the Security Update for platforms in custom support only – Windows XP, Windows 8, and Windows Server 2003 – broadly available for download. As severe as this attack was, it’s important to note that we’re not looking at a shift in the overall attack trend. This attack represents a merging of old behaviors into a perfect storm. SophosLabs VP Simon Reed said: “This attack demonstrates the opportunistic nature of commercial malware authors to re-use the most powerful of exploit techniques to further their aims, which is ultimately to make money.” In the final analysis, the same advice as always applies for those who want to avoid such attacks.

To guard against malware exploiting Microsoft vulnerabilities:

To guard against ransomware in general:

Finally, there’s the question of whether victims should pay the ransom or stand their ground. Sophos has mostly taken a neutral stance on the issue. In the case of this attack, paying the ransom doesn’t seem to be helping the victims so far. Therefore, Levy believes paying the WannaCry ransom is ill-advised: In general, paying is a bad idea unless the organization is truly desperate to get irreplaceable data back and when it is known that the ransom payment works. In this attack, it doesn’t appear to work. It’s been referred to as a ‘kill switch’ – that all the malware author had to do to throw the brakes on for some reason was to register some obscure domains. In the event, a security researcher found the domains and registered them.

He speculates that it’s not actually a kill switch but may be a form of sandbox detection (malware wants to run in the real world and hide when it’s in a researcher’s sandbox). The thinking goes that in the kind of sandbox environment used by security researchers the domains might appear to be registered when in fact they are not. If the malware can get a response from the unregistered domains, it thinks it’s in a sandbox and shuts down. If you blocklist the domains in your network, then you’re turning off the “kill switch”. If you allowlist the domains, you’re allowing access to the kill switch.
Researchers are now observing similar destructive attacks hitting openly accessible Hadoop and CouchDB deployments. Security researchers Victor Gevers and Niall Merrigan, who have monitored the MongoDB and Elasticsearch attacks so far, have also started keeping track of the new Hadoop and CouchDB victims. The two have put together spreadsheets on Google Docs where they document the different attack signatures and messages left behind after data gets wiped from databases. In the case of Hadoop, a framework used for distributed storage and processing of large data sets, the attacks observed so far can be described as vandalism. That's because the attackers don't ask for payments to be made in exchange for returning the deleted data. Instead, their message instructs the Hadoop administrators to secure their deployments in the future. According to Merrigan's latest count, 126 Hadoop instances have been wiped so far. The number of victims is likely to increase because there are thousands of Hadoop deployments accessible from the internet -- although it's hard to say how many are vulnerable. The attacks against MongoDB and Elasticsearch followed a similar pattern. The number of MongoDB victims jumped from hundreds to thousands in a matter of hours and to tens of thousands within a week. The latest count puts the number of wiped MongoDB databases at more than 34,000 and that of deleted Elasticsearch clusters at more than 4,600. A group called Kraken0, responsible for most of the ransomware attacks against databases, is trying to sell its attack toolkit and a list of vulnerable MongoDB and Elasticsearch installations for the equivalent of US$500 in bitcoins. The number of wiped CouchDB databases is also growing rapidly, reaching more than 400 so far. CouchDB is a NoSQL-style database platform similar to MongoDB. Unlike the Hadoop vandalism, the CouchDB attacks are accompanied by ransom messages, with attackers asking for 0.1 bitcoins (around $100) to return the data. Victims are advised against paying because, in many of the MongoDB attacks, there was no evidence that attackers had actually copied the data before deleting it. Researchers from Fidelis Cybersecurity have also observed the Hadoop attacks and have published a blog post with more details and recommendations on securing such deployments.
According to Fortinet researcher Kai Lu, who discovered this new threat, the ransomware appears to be targeting only Russian-speaking users, as its ransom note is only available in Russian. A translated version of the ransom note is available below. There are several things that stand out about this threat. The first is the humongous ransom it demands from victims: 545,000 Russian rubles (~$9,100). This ransom demand is 10 to 100 times the price of some phones, and most users who can't remove the screen locker will choose to buy a new phone rather than pay the crooks. To pay the ransom, victims have to enter their credit card number directly in the ransom screen, a technique very different from how other ransomware operators like to work, which is via Bitcoin, Tor, or gift cards. The other thing that sets this ransomware apart is its use of the Google Cloud Messaging (GCM) platform, now renamed Firebase Cloud Messaging.
FireEye has identified a set of financially motivated intrusion operations being carried out by a threat actor we have dubbed FIN10. FIN10 is known for compromising networks, stealing sensitive data, and directly engaging victim executives and board members in an attempt to extort them into paying between 100 and 500 bitcoins (valued at between $125,000 and $620,000 as of mid-April 2017). For some victims that did not give in to the demand, FIN10 escalated their operation, destroyed critical production systems and leaked stolen data to journalists in an attempt to increase visibility of the compromise and coerce victims into paying up. The first known FIN10 operation was in 2013 and their operations have continued until at least 2016. To date, we are primarily aware of Canadian victims – specifically casinos and mining organizations. Given the release of sensitive victim data, extortion, and destruction of systems, FireEye considers FIN10 to be one of the most disruptive threat actors observed in the region so far.
As one victim discovered this Christmas, figuring out how to clean such an infection can be quite difficult. Ransomware for Android phones has already been around for several years, and security experts have warned in the past that it's only a matter of time until such malicious programs start affecting smart TVs, especially since some of them also run Android. In November 2015, a Symantec researcher named Candid Wueest even went as far as to infect his own TV with an Android ransomware application to highlight the threat. While that infection was just a demonstration, this Christmas the owner of an LG Electronics TV experienced the real deal. Kansas-based software developer Darren Cauthon reported on Twitter on Dec. 25 that a family member accidentally infected his Android-based TV with ransomware after downloading a movie-watching app. The picture shared by Cauthon showed the TV screen with an FBI-themed ransom message. On Android, the majority of ransomware applications are so-called screen lockers. They work by displaying persistent messages on the phone's screen and preventing users from performing any other actions on their devices. The messages usually impersonate some law enforcement authority and ask victims to pay fictitious fines to regain control. Cauthon, who was the previous owner of the three-year-old TV, tried to help the new owner restore the device to its default factory settings, but didn't succeed even after receiving many suggestions and advice from other Twitter users. According to the software developer, when he first contacted LG's tech support, he was told that a technician would have to come over and take a look for a fee of around $340. The ransom amount itself was $500, although even paying that would have been difficult because there was no way to click on the payment section to find the instructions on how to do so.

The only thing that worked was moving a mouse-like pointer on a portion of the TV screen via an accompanying smart remote. Eventually LG provided Cauthon with a solution that involved pressing and releasing two physical buttons on the TV in a particular order. This booted the TV, which runs the now-defunct Android-based Google TV platform, into a recovery mode. The Android recovery mode allows wiping the data partition, which deletes all user settings, apps and data and is the equivalent of a factory reset. While this sounds straightforward, Cauthon's experience suggests that many users would have difficulty figuring it out on their own and would probably be forced to pay for technical assistance. If recovering from smart TV ransomware infections can be hard, imagine what users would have to deal with if these programs start infecting other internet-of-things devices, as some security experts predict. In this case, the victim was lucky because the ransomware app was only a screen locker and not a program that encrypts files. Smart TVs have USB ports and allow connecting external hard disk drives in order to watch personal videos or photo collections -- the type of files that are valuable to users, especially if they're not backed up.
This Monday, Bleeping Computer broke the news that a hacker/group identified as Harak1r1 was taking over MongoDB databases left connected to the Internet without a password on the admin account. The group was exporting the database's content and replacing all tables with one named WARNING, which contained a ransom note asking the owners of the hacked database to pay 0.2 Bitcoin (~$200) into a Bitcoin wallet. At the time of our article, Harak1r1 had hijacked just over 1,800 MongoDB databases, and 11 victims had paid the ransom in order to recover their files. As time went by, Harak1r1 hijacked more databases, reaching at one point over 3,500 MongoDB instances, and currently peaking at over 8,500. Among them, the hacker(s) had even managed to make a high-profile victim, in Emory Healthcare, a US-based healthcare organization. According to the MacKeeper Security Research Team, Harak1r1 had ransacked and blocked Emory's access to more than 200,000 medical records. Attacks from Harak1r1 went on for two more days, but as worldwide infosec media started covering the topic, two copycats appeared and started doing the same. The second group goes by the name of 0wn3d, and they work by replacing the hijacked database tables with a table named WARNING_ALERT. According to Victor Gevers, the researcher who initially discovered the first hacked MongoDBs around Christmas, this second group has hijacked just over 930 databases. Unlike Harak1r1, this second group is a little bit more greedy and asks for 0.5 Bitcoin, which is around $500, but this hasn't stopped companies from paying, with 0wn3d's Bitcoin wallet showing that at least three victims had paid his ransom demands. A day later, the same Gevers came across a third actor, using the name 0704341626asdf, which appears to have hit over 740 MongoDB servers.

This hacker/group is asking for 0.15 Bitcoin (~$150), and he's using a lengthier ransom note, in which he admonishes victims for leaving their DB open over the Internet. Furthermore, this threat actor appears to be stricter with victims and gives database owners 72 hours to pay the ransom. According to Gevers, the lines that allowed him to track the activity of these three groups are slowly blurring, as these groups have started using more varied messages and different Bitcoin addresses. Additionally, in newer variations of these attacks, the hackers don't appear to bother copying the hacked database. In recent attacks, Gevers says that crooks just delete the DB's content, ask for a ransom regardless, and hope nobody checks the logs and discovers what they've done. There is no evidence that they actually copied your database. According to Gevers, these groups are now fighting over the same turf, with many of them rewriting each other's ransom notes. This leads to cases where database owners pay the ransom to the wrong group, who can't give their content back. "It's catching on and it looks like more players are coming to the game."
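The advice that runs through these reports, and through the CouchDB and MySQL coverage above, is to check the logs before paying and see whether the data was actually read out before it was dropped. The Python below is an added example of that triage; it is not code from any of the articles or researchers quoted here. The log lines it processes are constructed for this example in the shape of a MongoDB 3.x text log (timestamp, severity, component, connection id, message), and the ransom-note collection names it flags (WARNING, WARNING_ALERT, PLEASE_READ) are the ones named on this page. For each dropped namespace it reports how many documents were returned to clients before the drop, so an administrator can separate "dumped then deleted" from "deleted, no copy taken".

```python
"""Triage mongod-style log lines after a database-wiping attack.

For each dropped namespace, decide whether the log shows the data being
read out (find/getMore/aggregate results) before the drop, and flag
inserts into collections that look like ransom notes.

Added example: the sample log below is constructed to resemble a MongoDB
3.x text log and is not taken from any real incident.
"""
import re
from collections import defaultdict

# Collection names used for ransom notes in the attacks described in the text.
RANSOM_NOTE_COLLECTIONS = {"WARNING", "WARNING_ALERT", "PLEASE_READ"}

# Constructed sample: one connection scans shop.orders with find + getMore,
# drops two collections, then inserts a ransom note into shop.WARNING.
SAMPLE_LOG = """\
2017-01-05T10:02:11.004+0000 I COMMAND  [conn41] command shop.orders command: find { find: "orders", filter: {} } planSummary: COLLSCAN docsExamined:120034 nreturned:101 protocol:op_query 183ms
2017-01-05T10:02:11.900+0000 I COMMAND  [conn41] command shop.orders command: getMore { getMore: 1189, collection: "orders" } nreturned:119933 protocol:op_query 4105ms
2017-01-05T10:02:16.210+0000 I COMMAND  [conn41] CMD: drop shop.orders
2017-01-05T10:02:16.455+0000 I COMMAND  [conn41] CMD: drop shop.profiles
2017-01-05T10:02:17.001+0000 I COMMAND  [conn41] command shop.WARNING command: insert { insert: "WARNING", documents: [ { note: "SEND 0.2 BTC TO <placeholder address>" } ] } ninserted:1 protocol:op_query 2ms
"""

# <timestamp> <severity> <component> [<conn>] <message>
LINE_RE = re.compile(r"^(?P<ts>\S+) \w (?P<comp>\w+)\s+\[(?P<conn>conn\d+)\] (?P<rest>.*)$")
DROP_RE = re.compile(r"^CMD: drop (?P<ns>\S+)")
READ_RE = re.compile(r"^command (?P<ns>\S+) command: (?:find|getMore|aggregate) .*nreturned:(?P<n>\d+)")
INSERT_RE = re.compile(r'^command (?P<ns>\S+) command: insert \{ insert: "(?P<coll>[^"]+)"')


def triage(log_text):
    """Return {namespace: {...}} for every dropped namespace, plus a
    "_ransom_notes" list of namespaces that received a ransom-note insert."""
    docs_read = defaultdict(int)  # namespace -> documents returned to clients so far
    report = {"_ransom_notes": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a mongod command line; ignore
        conn, rest = m.group("conn"), m.group("rest")
        r = READ_RE.match(rest)
        if r:
            docs_read[r.group("ns")] += int(r.group("n"))
            continue
        d = DROP_RE.match(rest)
        if d:
            ns = d.group("ns")
            report[ns] = {
                "dropped_by": conn,
                "dropped_at": m.group("ts"),
                "docs_read_before_drop": docs_read[ns],
                "evidence_of_copy": docs_read[ns] > 0,
            }
            continue
        i = INSERT_RE.match(rest)
        if i and i.group("coll") in RANSOM_NOTE_COLLECTIONS:
            report["_ransom_notes"].append(i.group("ns"))
    return report


def verdicts(report):
    """One human-readable verdict per dropped namespace, sorted by name."""
    lines = []
    for ns, info in sorted(report.items()):
        if ns == "_ransom_notes":
            continue
        if info["evidence_of_copy"]:
            lines.append(f"{ns}: {info['docs_read_before_drop']} documents returned to "
                         f"{info['dropped_by']} before the drop; treat as copied.")
        else:
            lines.append(f"{ns}: dropped by {info['dropped_by']} with no logged read; "
                         f"no evidence the data was copied.")
    return lines


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for v in verdicts(rep):
        print(v)
    print("ransom-note collections:", rep["_ransom_notes"])
```

Two caveats apply when running this against a real server's log rather than the constructed sample: mongod only logs operations slower than its slow-operation threshold (100 ms by default) unless the log verbosity or the profiler level has been raised, so the absence of read lines is much weaker evidence than their presence; and newer server versions (4.4 and later) emit JSON log lines, so the regular expressions would need to be adapted to that format.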
The malware asks for 222 Bitcoin but will not honor promises to decrypt files after payment is made. The cost of ransomware reached close to $1 billion in 2016, and it's not hard to see why. The malware family, which targets everything from Windows to Mac machines, executes procedures to encrypt files and disks before demanding a ransom payment in return for keys to decrypt and unlock compromised machines. However, it is not only the general public that is being targeted, with everything from hospitals to schools and businesses now in the firing line. As the prospect of losing valuable content on computer systems or facing widespread disruption to business operations is often too much to bear, many will simply give up and give in, paying the fee and unfortunately contributing to the cybercriminals' operations. However, paying up does not guarantee that victims will get their files back, no matter how low or high the payment demand. This week, ESET researchers discovered that a Linux variant of KillDisk, linked to attacks against core infrastructure systems in Ukraine in 2015, is now being used against fresh Ukrainian financial targets. The ransomware demands a huge amount of money, but there is no underwritten protocol for decryption keys to be released once payment is made. Distributed through phishing campaigns targeting both Windows and Linux, once downloaded, the ransomware throws up a holding page referring to the Mr. Robot television show while files are being encrypted, the research team said in a blog post. Unsurprisingly, no one has paid up yet, nor should they, ever. "This new variant renders Linux machines unbootable, after encrypting files and requesting a large ransom," ESET says. "But even if victims do reach deep into their pockets, the probability that the attackers will decrypt the files is small." Files are encrypted using Triple-DES applied to 4096-byte file blocks, and each file is encrypted using different sets of 64-bit encryption keys. However, the ransomware does not store the encryption keys either locally or through a command-and-control (C&C) server, which means that affected systems are unbootable after a reboot, and paying the ransom is pointless. "It is important to note -- that paying the ransom demanded for the recovery of encrypted files is a waste of time and money," the team said. "Let us emphasize that -- the cyber criminals behind this KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware." There is a weakness in the encryption used by the ransomware, which makes recovery possible -- at least when it comes to Linux infections. Earlier this week, researchers at Check Point revealed the latest exploits of the GoldenEye ransomware, a strain of malware which is targeting German HR companies. The malware is contained in phishing emails which appear to be from job applicants and, once downloaded and installed, demands $1000 in Bitcoin to unlock infected systems.
KillDisk was one of the components associated with the Black Energy malware that a group of attackers used in December 2015 to hit several Ukrainian power stations, cutting power for thousands of people. A month before that, it was used against a major news agency in Ukraine. Since then, KillDisk has been used in other attacks, most recently against several targets from the shipping sector, according to security researchers from antivirus vendor ESET. However, the latest versions have evolved and now act like ransomware. Instead of wiping the data from the disk, the malware encrypts it and displays a message asking for 222 bitcoins to restore it. That's the equivalent of $216,000, an unusually large sum of money for a ransomware attack. What's even more interesting is that there's also a Linux variant of KillDisk that can infect both desktop and server systems, the ESET researchers said Thursday in a blog post. The encryption routine and algorithms are different between the Windows and the Linux versions, and on Linux there's another catch: the encryption keys are neither saved locally nor sent to a command-and-control server, so the attackers can't actually get to them. "The cyber criminals behind this KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware," the ESET researchers said. The good news is that there's a weakness in the encryption mechanism for the Linux version that makes it possible -- though difficult -- for the victim to recover the files. It's not clear why the KillDisk creators have added this encryption feature. It could be that they're achieving the same goal as in the past -- destruction of data -- but with the ransomware tactic there's also a small chance that they'll walk away with a large sum of money.