RansomwareNewz Desk – The IRS, FBI & NHS

Hello, good evening and welcome to The Ransomware Newzdesk, our new, weekly, two-minute roundup bringing the lowdown on hacking, trojans, malware and all things ransomware from around the world to keep you informed, edu-ma-cated and secure.

THE INLAND REVENUE E-MAIL SCAM

We begin in the good ‘ole US of A where this week, the IRS issued an urgent warning about a new scheme targeting honest, American taxpayers…

so at least President Trump will be safe from attack!

A bogus e-mail, featuring both the IRS and FBI’s badges informs recipients they must fill out a questionnaire within ten days. Click the link and hey presto – before you can say “I won’t release my tax returns cos I’m not really a billionaire” – you’ve opened up your machine to attack.

“This is a new twist on an old scheme”

IRS Commissioner John Koskinen warned: “People should stay vigilant against email scams that try to impersonate the IRS and other agencies that try to lure you into clicking a link or opening an attachment. People with a tax issue won’t get their first contact from the IRS with a threatening email or phone call.”

The FBI has been raising awareness through a campaign called Don’t Take the Bait, but if you receive a spurious e-mail, you should report it to the FBI at the Internet Crime Complaint Center, www.IC3.gov, and forward any IRS-themed scams to phishing@irs.gov.

AUSTRALIA PROVES AS “SWEET AS A NUT” FOR HACKERS

Across the globe now, as Australia has been named a sweet spot for ransomware developers, with the average ransom demand now standing at US$544 (AU$687). A new report by Norton states that organizations accounted for 42% of all ransomware infections during the first six months of 2017, up from 30% in 2016 and 29% in 2015. Ouch!

Businesses are the most at risk thanks to “new and highly disruptive worm-type threats which can spread in seconds across poorly secured networks.” Australians would be far better protected if they all changed their one, collective password from “CrocodileDundee2” to impossible-to-hack Aboriginal place names like Murwillumbah or:

BITPAYMER MAKES LAND IN BONNIE SCOTLAND

Next, we travel to Scotland – the land where, if something is edible, the Scots will batter and deep-fry it. In Lanarkshire, the county’s NHS hospital group has fallen victim to yet another ransomware attack after being subjected to WannaCry in May.

This cyber-attack comes in the form of a new variant of the Bitpaymer ransomware, in which the attackers encrypted files and threatened to release private, sensitive data unless a ransom of 50 Bitcoins ($218,000) was paid. The good news is that files encrypted by Bitpaymer are easily recognizable – they have .locked appended to the filename – but the bad news is that Bitpaymer is impossible to crack without the attacker’s key, as confirmed in a tweet from ID-Ransomware creator Michael Gillespie.

The hospital was forced to cancel patient’s appointments, so if some poor Scottish person dies of a heart-attack – that’s on you, hackers… and definitely nothing to do with a diet of bacon-wrapped deep-fried Mars Bars. What’s becoming evident is that British, government-run hospitals need to protect themselves from cyber-attacks just as much as heart disease.

BTCWare & CRYSIS/DHARMA

Distinctly Scottish-sounding Michael Gillespie has been a busy boy within Ransomware Newz this week, discovering new variants of the BTCWare malware and the Crysis/Dharma ransomware family. He found that developers have been distributing BTCWare by hacking into remote computers with weak passwords using Remote Desktop services, then installing the ransomware and appending the .[affiliate_email].nuclear extension to encrypted files, while Crysis/Dharma appends the .id-[id].[email].arena extension, so a file named test.jpg would be encrypted and renamed to test.jpg.id-BCBEF350.[chivas@aolonline.top].arena.

While encrypting a computer, Crysis/Dharma also removes shadow volume copies making it impossible to use them to restore your files. It deletes them by sneakily running the vssadmin delete shadows /all /quiet command.

At the time of writing, there is no way to decrypt files encrypted by the Nuclear BTCWare or Crysis ransomware for free.
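As an added, defender-side example (not code from the original post), here is how the two behaviours described above can be spotted in telemetry: the vssadmin shadow-copy deletion in process-creation logs, and the appended .id-[id].[email].arena and .[email].nuclear renaming schemes in file events. The log lines, hostnames and the affiliate address are constructed, and the wmic shadowcopy delete check goes one step beyond the single command the post names.

```python
import re

# Constructed sample process-creation events, shaped like a Sysmon/EDR feed:
# (host, image path, command line). Not taken from the post.
SAMPLE_PROCESS_EVENTS = [
    ("WS01", r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("WS01", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    ("WS02", r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "VSSADMIN.EXE Delete Shadows /All /Quiet"'),
    ("WS03", r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
]

# Constructed sample file-rename events: (original name, new name).
# The first uses the exact example name from the post; the affiliate address is made up.
SAMPLE_RENAMES = [
    ("test.jpg", "test.jpg.id-BCBEF350.[chivas@aolonline.top].arena"),
    ("budget.xlsx", "budget.xlsx.[affiliate@example.invalid].nuclear"),
    ("notes.txt", "notes.txt.bak"),
]

# Case-insensitive so "VSSADMIN.EXE Delete Shadows" wrapped in cmd.exe is still caught.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),  # generalization beyond the post
]

# Suffix each family appends to the original filename (id is hex in the post's example).
RANSOM_SUFFIXES = {
    "Crysis/Dharma (.arena)": re.compile(r"\.id-[0-9A-Fa-f]+\.\[[^\]]+@[^\]]+\]\.arena"),
    "BTCWare (.nuclear)": re.compile(r"\.\[[^\]]+@[^\]]+\]\.nuclear"),
}


def flag_shadow_copy_deletion(events):
    """Return (host, command line) for every event whose command line deletes shadow copies."""
    return [
        (host, cmdline)
        for host, _image, cmdline in events
        if any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)
    ]


def classify_rename(old_name, new_name):
    """Name the family whose extension scheme the rename matches, else None.

    Both families append to the original name rather than replacing its extension,
    so the new name must begin with the old one and the remainder must be the suffix.
    """
    if not new_name.startswith(old_name):
        return None
    suffix = new_name[len(old_name):]
    for family, pattern in RANSOM_SUFFIXES.items():
        if pattern.fullmatch(suffix):
            return family
    return None
```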

That’s it for our cholesterol-fuelled, impossible-to-hack-password Newz Desk this week; we’ll be back next week with more exciting ransomware news. Until then, stay safe and don’t have nightmares.
