Thursday, 30 March 2017

New Shade cryptolocker confuses analysis tools with 'MS-DOS EXE' file type

A new build of Shade (Troldesh) ransomware ships with a broken PE header that makes PE analysis tools classify it as a non-executable 'MS-DOS EXE' file. As a result, its detection rate on VirusTotal is 1/59.
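As an added example (not code from the original post), a small triage check for exactly this kind of anomaly: an MZ file whose e_lfanew does not lead to a valid PE header, while a PE signature still sits somewhere in the image. The sample images are constructed inline for the demo and are not taken from the Shade build.

```python
import struct

PE_SIG = b"PE\x00\x00"
OPT_MAGIC = (0x10B, 0x20B)  # PE32 / PE32+


def build_sample_pe(break_e_lfanew: bool = False) -> bytes:
    """Construct a minimal MZ+PE image (a test fixture, not a real executable)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    e_lfanew = 0x80
    # A zeroed e_lfanew leaves the NT headers in the file but unreachable.
    struct.pack_into("<I", dos, 0x3C, 0 if break_e_lfanew else e_lfanew)
    gap = bytes(0x80 - 64)
    # Signature + 20-byte COFF header (SizeOfOptionalHeader=0xE0) + optional header magic.
    nt = PE_SIG + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102) + struct.pack("<H", 0x10B)
    return bytes(dos) + gap + nt + bytes(0x100)


def classify_pe(data: bytes) -> dict:
    """Return {'type', 'suspicious', 'reason'}: PE, MS-DOS EXE, or unknown."""
    result = {"type": "unknown", "suspicious": False, "reason": ""}
    if len(data) < 0x40 or data[:2] != b"MZ":
        result["reason"] = "no MZ header"
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Optional-header magic lives 24 bytes past the signature; bounds-check before unpacking.
    valid = (
        e_lfanew + 26 <= len(data)
        and data[e_lfanew:e_lfanew + 4] == PE_SIG
        and struct.unpack_from("<H", data, e_lfanew + 24)[0] in OPT_MAGIC
    )
    if valid:
        result["type"] = "PE"
        return result
    result["type"] = "MS-DOS EXE"
    # A genuine DOS-only program has no reason to carry a PE signature at all;
    # one that is present but not referenced by e_lfanew suggests a tampered header.
    stray = data.find(PE_SIG, 0x40)
    if stray != -1:
        result["suspicious"] = True
        result["reason"] = f"PE signature at {stray:#x} not referenced by e_lfanew ({e_lfanew:#x})"
    else:
        result["reason"] = "no PE signature found"
    return result
```

Files that land in the 'MS-DOS EXE' bucket with `suspicious` set deserve a manual look rather than being dropped from the PE triage queue.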

Wednesday, 22 March 2017

Fake bills deliver Crypt0L0cker in Sweden

After reporting on the fake finance-related emails from banks and the Tax Office in Ukraine that deliver ransomware, we found a similar attack running in Sweden. The archive, purportedly containing a bill, was hosted on Dropbox and contains the latest version of Crypt0L0cker (a.k.a. TorrentLocker).

Friday, 17 March 2017

Shade ransomware comes through billing notifications

Over the last week we have seen numerous infections in Ukraine by a new version of the Shade cryptolocker. Shade has been leveraging a cheap and effective email delivery channel: fake emails sent on behalf of Ukrainian financial institutions (e.g. PrivatBank, the Ukrainian Tax Office) from hacked email accounts, most of which belong to organizations in the TLD. The subject of these emails is a bill or a debt that the victim needs to pay.