Tag Archives: Ransomware

New RansomEXX ransomware Now Encrypts Linux Systems

RansomEXX
After Encrypts Microsoft Windows operating system the RansomExx ransomware Attribution variant is being deployed against Linux systems.|

Last Friday Kaspersky takes a look at the Linux version of the RansomExx ransomware, also known as Defray777. RansomEXX is a relatively new version of a Ransomware that was first detected around June 2020. The RansomEXX is human-operated ransomware, this means that attackers manually infected the systems after getting access to the victim network.

RansomEXX is specific in the sense that security researchers refer to it as a “big game hunter”. In fact, this Ransomware seeks to hit big targets looking for big profits, knowing that some businesses or government agencies cannot afford to stay “down” while they recover their systems. (And thus force the payment of the ransom).

Configuring its antivirus systems to detect RansomEXX variants is not a good strategy, due to the way the “ransomware” operate.In fact, by the time the attackers deploy the ransomware, they are already in most of the corporate network. The best strategy that companies can adopt against this type of intrusion is to secure routers, network equipment, firewalls by applying security patches and especially make sure not to leave a default configuration or access with weak passwords …

RansomEXX Ransomware attacks in Linux version :

According to Kaspersky, when targeting Linux servers, the RansomExx ransomware operators will deploy an ELF executable named ‘svc-new’ used to encrypt a victim’s server. Several companies have fallen victim to this RansomExx ransomware in recent months, including the Texas Department of Transportation (TxDOT) and Konica Minolta.

Ransomware

“We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems,” said Kaspersky security researcher Fedor Sinitsyn,

RansomEXX is a highly targeted Trojan, malware contains a hardcoded name of the affected some businesses or government agencies. In addition, both encrypted file extensions and email addresses use the victim’s name to communicate with extortionists.

“After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX,” Kaspersky researchers stated in their report.

The sample we came across – aa1ddf0c8312349be614ff43e80a262f – is a 64-bit ELF executable

Beware New Ransomware Anatova that targets gamer | How to Remove Anatova

anatovaSecurity researchers Valthek yesterday assigned a new ransomware family Anatova that is targeting consumers across the countries in Europe (Belgium, Germany, France, the UK).who see it as a serious warning created by skilled authors that can turn it into a multifunctional piece of malware.

Anatova just makes a file which was unusable and make a Ransome demanding message in “ANATOVA.TXT” text file. Anatova never add any extension to the encrypted files and also never change their symbolanatova

“We believe that Anatova can become a serious threat since the code is prepared for a modular extension,” the researchers noted

Anatova encrypts the file and then demand of 10 DAS coin, worth approximately $690 to unencrypts file.

This ransomware flattens with the help of multiple distribution routines, including:anatova

  • Spam emails;
  • Brute-force attacks
  • Hacked websites;
  • Repacked installers;
  • Drive-by downloads;
  • Cracks or keygens;
  • Fake updates, etc

anatovaThe malware will try to create a mutex with a hardcoded name (in this case: 6a8c9937zFIwHPZ309UZMZYVnwScPB2pR2MEx5SY7B1xgbruoO) but the mutex name changes in each sample. If the mutex is created and gets the handle, it will call the “GetLastError” function and look if the last error is ERROR_ALREADY_EXISTS or ERROR_ACCESS_DENIED. Both errors mean that a previous instance of this mutex object exists. If that is the case, the malware will enter in a flow of cleaning memory, that we will explain later in this post, and finish. (source McAfee )

Name Anatova
Type Ransomware
Distribution Spam emails, malicious files, hacked websites, drive-by downloads, fake updates, brute-force attacks, etc.
Discovery date January 16th, 2019
Extension None
Ransom note ANATOVA.TXT
Contact anatova2@tutanota.com or anatoday@tutanota.com
Decryptable? No
Elimination Scan your with Reimage or other software that is capable of detecting the payload

 

How to Avoid Anatova diseases while browsing the web.

1.Backup your files regularly. (if possible otherwise weakly)
2. Download and install comprehensive security software and keep it up to date
3. Install system and software patches on time
4. Do not casually open attachments or click on links inside spam emails
5. Avoid visiting high-risk websites, such as porn, gambling, or file-sharing
6. Do not use cracks/keygens tolls. Hacker love injecting malicious scripts into cracks
Be careful with torrents, as something like name.torrent.exe is malicious
7. Disable Adobe Flash – it is an old and unsafe technology that will soon be terminated

Anatova Overview

Anatova usually uses the icon of a game or application to try and fool the user into downloading it.anatova

How to Remove Anatova

First shutdown your system manually then, opened menu click “Restart“, while holding “Shift” button on your keyboard.
In the “choose an option” window click on the “Troubleshoot”, then select “Advanced options“.
In the advanced options menu select “Startup Settings” and click on the “Restart” button. In the following window, you should click the “F5” button on your keyboard. This will restart your operating system in safe mode with networking.

anatova remove

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore. If you face any problem then contact our team we will try to solve your problem.