A new build of the Shade (Troldesh) ransomware comes with a broken PE header, which makes PE analysis tools recognize it as a nonexecutable 'MS-DOS EXE' file. As a result, the detection rate on VirusTotal is 1/59.
Thursday, 30 March 2017
Wednesday, 22 March 2017
After revealing the fake emails that deliver ransomware under the guise of finance-related information from banks and the Tax Office in Ukraine, we revealed a similar attack running in Sweden. The archive, which allegedly holds a bill, was placed on Dropbox and contains the latest version of Crypt0L0cker (a.k.a. TorrentLocker).
Friday, 17 March 2017
We have been seeing numerous infections by the new version of the Shade cryptolocker in Ukraine during the last week. Shade has been leveraging a cheap and effective email delivery channel. The attack is run with the help of fake emails sent on behalf of Ukrainian financial institutions (e.g. PrivatBank, the Ukrainian Tax Office) from hacked email accounts, most of which belong to organizations in the gov.ua TLD. The subject of these emails is bills or indebtedness that the victim needs to pay.