# Ransomware



## longknife (Feb 14, 2015)

First I've heard of it was today while scanning my RSS feeds. Appears to be another form of virus, especially infecting Android apps.


Came across some info on detecting and removing it:


How to rescue your PC from ransomware (PCWorld)


Ransomware - What is ransomware? (Microsoft Malware Protection Center)


I originally got this from: Got Android? Be Careful Out There! (Dad29)


----------



## waltky (Feb 19, 2016)

Hollywood Presbyterian Medical Center in Calif. hit by ransomware attack...

*LA Hospital Ransomware Attack Worries Cybersecurity Experts*
_February 19, 2016 — Cybersecurity experts worry that the $17,000 a Los Angeles hospital paid hackers to regain control of its computers could signal a troubling escalation of the growing "ransomware" threat._


> Though patient care was not "compromised in any way," Hollywood Presbyterian Medical Center paid the bounty "in the best interest of restoring normal operations," President Allen Stefanek said in a written statement.  A typical attack starts when a person opens an emailed link or attachment. Malicious code locks the computer — or, worse, an entire network. Victims pay hackers for a "key" to unlock their machines — and may be desperate to do so if they have not diligently backed up their data and networks.  Many ransomware victims pay quietly, or abandon infected machines. It was unusual that Hollywood Presbyterian, which has more than 400 beds and is owned by CHA Medical Center of South Korea, both revealed the attack publicly and disclosed its cost.
> 
> Computer security experts said hospitals are particularly vulnerable because some medical equipment runs on old operating systems that cannot easily be safeguarded. If an employee opens an infected file from a computer that also connects with a patient monitoring station or insulin pump, those devices also could be locked.  Hospitals have not been as diligent in combating cyber threats such as ransomware as other sectors, according to several experts, despite the life-and-death nature of their operations, their tight control over patient information and mandates that they move toward electronic record keeping.  Hospitals are "about 10 to 15 years behind the banking industry" in combatting cyber threats, said Lysa Myers, a researcher with the computer security firm ESET.  The math behind whether to pay a ransom demand can be simple.  Paying thousands of dollars to resolve a serious attack that has penetrated a multimillion dollar business such as a large hospital would be "a no brainer," said James Carder, chief information security officer of LogRhythm, a security intelligence and analytics firm.
> 
> ...


----------



## Kat (Feb 20, 2016)

Well, this all sounds good...


----------



## waltky (Mar 10, 2016)

Ransomware attacks expected to rise...

*Tech Group: ‘2016 Will Be the Year Ransomware Holds America Hostage’*
_March 9, 2016  -- “2016 is the year ransomware will wreak havoc on America’s critical infrastructure community,” warned a new report released Wednesday by the Institute for Critical Infrastructure Technology (ICIT).  “’To Pay or Not to Pay’ will be the question fueling heated debate in boardrooms across the Nation and abroad,” predicts ICIT, a non-profit, non-partisan group that acts as “a conduit between the private sector, federal agencies, and the legislative community.”_


> Ransomware is a cyberattack that holds a victim’s computer system for ransom by encrypting data files or completely locking it down. Cybercriminals then demand a ransom for the decryption key, threatening to destroy the data if the victim does not comply.  “Ransomware is rampant,” ICIT reports, with some attacks posing as bogus law enforcement announcements.  Businesses, healthcare organizations, educational, religious, and financial institutions have all been victims of ransomware, which is often accompanied by denial of service attacks that cost victims an average of $500 per minute, notes the report, which was co-authored by ICIT senior fellows James Scott and Parham Eftekhari.  Even police and fire departments have been targeted.  “Victims have to make a very difficult decision. Either pay the ransom without knowledge of who receives that money and what further harm is done with it or lose all of their data behind a layer of encryption… In numerous cases, organizations tend to pay because, for them, every minute of downtime directly equates to lost revenue.”
> 
> Last weekend, ransomware called KeRanger demanded that owners of Macintosh computers pay one bitcoin (about $405) to unlock their computers.  KeRanger, the first “fully functional” ransomware to infect Macs, was spread via Transmission, a popular open source information sharing network used to download software, music and videos. It first appeared on March 4, but was successfully shut down two days later after infecting about 6,500 computers, Forbes reported.  “Ransomware threat actors adopt the highwayman mentality by threatening the lifeblood of their victims – information – and boldly offering an ultimatum,” the ICIT report stated, adding that “a small team can easily infect and ransom millions of systems. The attackers only need a few users per million of targets to pay ransom for the campaign to be successful.”
> 
> ...


----------



## Ringel05 (Mar 11, 2016)

Probably affects businesses more than personal users unless you keep everything stored on your computer, which is a dumb thing to do anyway.  If someone hijacks my computer, I simply wipe it and reinstall the operating system; all my files go to thumb drives or DVDs.


----------



## iamwhatiseem (Mar 11, 2016)

Ringel05 said:


> Probably affects businesses more than personal users unless you keep everything stored on your computer, which is a dumb thing to do anyway.  If someone hijacks my computer, I simply wipe it and reinstall the operating system; all my files go to thumb drives or DVDs.



If a business gets caught by ransomware, in most cases, it means they do not practice proper security.
On all of our embedded systems, application servers, etc., I have set a static IP with no DNS settings. Result: internal network connections work perfectly, but they cannot reach the internet or be reached from the internet.
Even on our main file server I have no DNS settings. You don't need internet access for PCs to store files.

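One check worth running on a server set up the way this post describes, added here as an example and not code from the poster: a host's resolver configuration and its IP routing are independent properties, so the script below parses the text of `ip route show` and `/etc/resolv.conf` and reports each separately. Both inputs are constructed samples; the second route table, with an `unreachable default` entry, is the constructed "isolated" case, and 198.51.100.7 is a documentation-range address standing in for any public host.

```python
"""Audit: does a host with no DNS configured actually lack a route to the
internet?  Added example for this thread (not any poster's code).  Inputs are
the text of `ip route show` and /etc/resolv.conf; the samples are constructed."""
import ipaddress

# Constructed sample 1: static address, no nameserver, but a default route.
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev eth0 proto static
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.25
"""
# Constructed sample 2: same host after the default route was replaced by an
# 'unreachable' route, leaving only the local subnet.
ISOLATED_ROUTES = """\
unreachable default
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.25
"""
SAMPLE_RESOLV_CONF = """\
# nameserver lines deliberately absent
search corp.example
"""
# TEST-NET-2 documentation address, standing in for 'anywhere on the internet'.
PROBE_IP = '198.51.100.7'

# Route types that drop traffic instead of forwarding it.
DROP_TYPES = ('unreachable', 'blackhole', 'prohibit')


def nameservers(resolv_conf):
    """Nameserver addresses listed in resolv.conf text (comments ignored)."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split('#', 1)[0].split()
        if len(parts) >= 2 and parts[0] == 'nameserver':
            found.append(parts[1])
    return found


def parse_routes(ip_route_output):
    """Return [(network, is_drop, line)] for each route line of `ip route show`."""
    routes = []
    for line in ip_route_output.splitlines():
        toks = line.split()
        if not toks:
            continue
        is_drop = toks[0] in DROP_TYPES
        dst = toks[1] if is_drop else toks[0]
        if dst == 'default':
            dst = '0.0.0.0/0'
        try:
            net = ipaddress.ip_network(dst, strict=False)
        except ValueError:
            continue  # not a route line (e.g. 'broadcast ...' entries)
        routes.append((net, is_drop, line))
    return routes


def route_for(ip_route_output, dst_ip):
    """Longest-prefix match: the route entry that would carry dst_ip, or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, is_drop, line in parse_routes(ip_route_output):
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_drop, line)
    return best


def reaches(ip_route_output, dst_ip):
    """True if the kernel would forward a packet to dst_ip rather than drop it."""
    best = route_for(ip_route_output, dst_ip)
    return best is not None and not best[1]


def isolation_report(ip_route_output, resolv_conf, probe_ip=PROBE_IP):
    """The two independent questions, answered separately."""
    return {
        'dns_configured': bool(nameservers(resolv_conf)),
        'reaches_internet_by_ip': reaches(ip_route_output, probe_ip),
    }


if __name__ == '__main__':
    print('default route :', isolation_report(SAMPLE_ROUTES, SAMPLE_RESOLV_CONF))
    print('unreachable   :', isolation_report(ISOLATED_ROUTES, SAMPLE_RESOLV_CONF))
```

On a real host, feed it the actual `ip route show` output and resolver file. A host that still routes to the probe address can open outbound connections to raw IP addresses whether or not names resolve, so removing DNS alone does not answer the isolation question; the routing table or a firewall does.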

----------



## waltky (Mar 15, 2016)

Ransom demand paid in Bitcoin...

*Exclusive: Chinese hackers behind U.S. ransomware attacks - security firms*
_Mon Mar 14, 2016 - Hackers using tactics and tools previously associated with Chinese government-supported computer network intrusions have joined the booming cyber crime industry of ransomware, four security firms that investigated attacks on U.S. companies said._


> Ransomware, which involves encrypting a target's computer files and then demanding payment to unlock them, has generally been considered the domain of run-of-the-mill cyber criminals.  But executives of the security firms have seen a level of sophistication in at least a half dozen cases over the last three months akin to those used in state-sponsored attacks, including techniques to gain entry and move around the networks, as well as the software used to manage intrusions.  “It is obviously a group of skilled operators that have some amount of experience conducting intrusions,” said Phil Burdette, who heads an incident response team at Dell SecureWorks.  Burdette said his team was called in on three cases in as many months where hackers spread ransomware after exploiting known vulnerabilities in application servers. From there, the hackers tricked more than 100 computers in each of the companies into installing the malicious programs.
> 
> The victims included a transportation company and a technology firm that had 30 percent of its machines captured.  Security firms Attack Research, InGuardians and G-C Partners said they had separately investigated three other similar ransomware attacks since December.  Although they cannot be positive, the companies concluded that all were the work of a known advanced threat group from China, Attack Research Chief Executive Val Smith told Reuters.  The ransomware attacks have not previously been reported. None of the companies that were victims of the hackers agreed to be identified publicly.  The security companies investigating the advanced ransomware intrusions have various theories about what is behind them, but they do not have proof and they have not come to any firm conclusions.
> 
> ...


----------



## Bleipriester (Mar 15, 2016)

My ransomware sends your favorite porn movies to your wife. I know, it cannot send all these terabytes, but it investigates your media players' histories. Oh shit, you creeping niggards, that means some broken marriages.


----------



## Ringel05 (Mar 15, 2016)

Bleipriester said:


> My ransomware sends your favorite porn movies to your wife. I know, it cannot send all these terabytes, but it investigates your media players' histories. Oh shit, you creeping niggards, that means some broken marriages.


Standard Russian spy tactics.......


----------



## Bleipriester (Mar 15, 2016)

Ringel05 said:


> Bleipriester said:
> 
> 
> > My ransomware sends your favorite porn movies to your wife. I know, it cannot send all these terabytes, but it investigates your media players' histories. Oh shit, you creeping niggards, that means some broken marriages.
> ...


Pays off twice


----------



## waltky (Mar 15, 2016)

Bleipriester is a commie sympathizer?

Granny gonna report him to the House Committee..

... on Un-American Activities.


----------



## Bleipriester (Mar 16, 2016)

waltky said:


> Bleipriester is a commie sympathizer?
> 
> Granny gonna report him to the House Committee..
> 
> ... on Un-American Activities.


I am so fucking armed - my no-trespassers sign has a diagonal size of 50 meters.


----------



## waltky (Mar 29, 2016)

Granny says, "Dat's right - dem Chinks is at it again...




*FBI Investigating Paralyzing Hack on Another Hospital Chain*
_March 29, 2016 | WASHINGTON (AP) — Modern medicine in the Washington area reverted to 1960s-era paper systems when one of the largest hospital chains was crippled by a virus that shuttered its computers for patients and medical staff._


> The FBI said it was investigating the paralyzing attack on MedStar Health Inc., which forced records systems offline, prevented patients from booking appointments, and left staff unable to check email messages or even look up phone numbers.  The incident was the latest against U.S. medical providers, coming weeks after a California hospital paid ransom to free its infected systems using the bitcoin currency. A law enforcement official, who declined to be identified because the person was not authorized to discuss an ongoing investigation, said the FBI was assessing whether a similar situation occurred at MedStar.  "We can't do anything at all. There's only one system we use, and now it's just paper," said one MedStar employee who, like others, spoke on condition of anonymity because this person was not authorized to speak with reporters.
> 
> There were few signs of the attack's effects easing late Monday, with one employee at Georgetown University Hospital saying systems were still down, and saying some managers had to stay late and come in early because of the disruptions.  Company spokeswoman Ann Nickels said she couldn't say whether it was a ransomware attack. She said patient care was not affected, and hospitals were using a paper backup system.  But when asked whether hackers demanded payment, Nickels said, "I don't have an answer to that," and referred to the company's statement.
> 
> ...


----------



## waltky (Apr 8, 2016)

New ransomware knows where you live, 'Hack' puts explicit show on US radio...

*The ransomware that knows where you live*
_Fri, 08 Apr 2016 - A widely distributed scam email that quotes people's postal addresses links to a dangerous form of ransomware, according to a security researcher._


> Andrew Brandt, of US firm Blue Coat, contacted the BBC after hearing an episode of BBC Radio 4's You and Yours that discussed the phishing scam.  Mr Brandt discovered that the emails linked to ransomware called Maktub.  The malware encrypts victims' files and demands a ransom be paid before they can be unlocked.  The phishing emails told recipients they owed hundreds of pounds to UK businesses and that they could print an invoice by clicking on a link - but that leads to malware, as Mr Brandt explained.  One of the emails was received by You and Yours reporter Shari Vahl.  "It's incredibly fast and by the time the warning message had appeared on the screen it had already encrypted everything of value on the hard drive - it happens in seconds," Mr Brandt told the BBC.  "This is the desktop version of a smash and grab - they want a quick payoff."  Maktub doesn't just demand a ransom, it increases the fee - which is to be paid in bitcoins - as time elapses.
> 
> 
> 
> ...



See also:

*Explicit 'furry' podcast airs on US radio after 'hack'*
_Fri, 08 Apr 2016 - The producers of an explicit "furry" podcast say they are "deeply sorry" after it was broadcast on several US radio stations in an apparent hack._


> Several US radio stations played out an explicit podcast to listeners after an apparent hack.  The Furcast group says the 90-minute podcast went out without its knowledge and it is "deeply sorry".  Two Texas stations were among those which broadcast the material, aimed at "furries" - people interested in animals that are given human traits.  Broadcasters have been advised to change passwords on the hardware many of them use.  Barix streaming boxes are popular with broadcasters and PA professionals.  Furcast said that multiple server requests for its content during the incident were in the name of "Barix Streaming Client" and that many of the individual boxes involved were visible on Shodan, a search engine for devices connected via the Internet of Things.
> 
> 
> 
> ...


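Two checks a responder can run over a file share after an in-place encryption event like the Maktub case described above, as an added example that is not part of the article or the post: a Shannon-entropy test combined with a magic-byte check (zip-based Office files and images are high-entropy when healthy, so entropy alone misfires), plus a small ransom-note finder. The sample share is constructed in memory so the block runs offline; the threshold, the magic-byte table and the note phrases are my own assumptions, and the "ciphertext" is pseudo-random bytes standing in for real encrypted content.

```python
"""Post-incident triage of a file share: which files were encrypted in place,
and where are the ransom notes?  Added example for this thread, not code from
the article or any poster; the 'files' below are constructed in memory."""
import math
import os
import random
from collections import Counter

# Leading bytes expected for a few common formats (assumption: enough for demo).
MAGIC = {
    '.pdf': b'%PDF',
    '.docx': b'PK\x03\x04',
    '.xlsx': b'PK\x03\x04',
    '.png': b'\x89PNG',
    '.jpg': b'\xff\xd8\xff',
}
ENTROPY_THRESHOLD = 7.5      # bits/byte; ciphertext sits close to 8.0
NOTE_PHRASES = ('your files', 'encrypted', 'bitcoin', 'decrypt')

# Constructed sample share: a healthy docx (zip container, so high-entropy),
# a plain text file, an xlsx overwritten with pseudo-random bytes standing in
# for ciphertext, and a dropped ransom note.
_rng = random.Random(7)
SAMPLE_SHARE = {
    'report.docx': b'PK\x03\x04' + _rng.randbytes(4000),
    'notes.txt': b'meeting notes: discuss next quarter budget\n' * 100,
    'budget.xlsx': _rng.randbytes(4096),
    'README_DECRYPT.txt': b'Your files have been encrypted. Send 1 bitcoin to decrypt them.\n',
}


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name, head):
    """Suspect only when the header no longer matches the extension AND the
    content is near-random; the header test is what keeps healthy docx, xlsx
    and image files from being flagged."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    header_ok = expected is not None and head.startswith(expected)
    return not header_ok and shannon_entropy(head) >= ENTROPY_THRESHOLD


def looks_like_ransom_note(name, head):
    """Small text carrying two or more of the usual demand phrases."""
    if len(head) > 65536:
        return False
    text = head.decode('utf-8', errors='replace').lower()
    return sum(p in text for p in NOTE_PHRASES) >= 2


def triage(share):
    """Classify {name: bytes}; only the first 4 KiB of each file is inspected."""
    encrypted, notes = [], []
    for name, data in sorted(share.items()):
        head = data[:4096]
        if looks_like_ransom_note(name, head):
            notes.append(name)
        elif looks_encrypted(name, head):
            encrypted.append(name)
    return {'encrypted': encrypted, 'ransom_notes': notes}


if __name__ == '__main__':
    print(triage(SAMPLE_SHARE))
```

Against a real share, replace `SAMPLE_SHARE` with a walk of the tree that reads the first 4 KiB of each file; reading only the head keeps the pass fast enough to run across a large share during an incident, and the ransom-note list doubles as a map of which directories the malware reached.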
----------



## Tom Horn (Apr 11, 2016)

I never access my bank information on-line....if somebody tries to ransom my porn vids they can have em....I stole em so who cares?


----------



## waltky (Jun 8, 2016)

University pays $20,000 data ransom...




*University pays $20,000 to ransomware hackers*
_Wed, 08 Jun 2016 - A Canadian university pays hackers to restore access to emails and other files encrypted by ransomware._


> A Canadian university has paid hackers to restore access to data they had turned into the digital equivalent of gibberish.  The University of Calgary transferred 20,000 Canadian dollars-worth of bitcoins ($15,780; £10,840) after it was unable to unwind damage caused by a type of attack known as ransomware.  The malware caused emails and other files to become encrypted.  One expert warned that the payout would encourage further blackmail attempts.  The move comes the same week Intel warned that ransomware infections were spreading at "an alarming rate".  More than 120 separate strains exist, many of which are frequently updated, making it difficult for security experts to offer a solution.
> 
> 
> 
> ...



See also:

*Israel indicts French immigrants in 9.1 million euro scam*
_Jun 8, '16 -- Israel's state prosecutor indicted four new immigrants from France on Wednesday for allegedly running a major international scam, impersonating company executives and costing five European companies about 9.1 million euros, or over $10 million._


> The companies that lost money included German electronics retailer MediaMarkt, Belgian electronics company Eldi, European supermarket chain Cora, multinational perfume chain ICI Paris XL and Dutch hardware store owner Intergamma, according to the indictment.  About two dozen other companies were also entangled in the case, including candy maker Mars, high fashion company Chanel, Italian athletic clothing retailer Diadora, beer brewing giant Anheuser-Busch InBev, and car manufacturers Kia Motors and Toyota, though not all the companies fell for the trick, according to the indictment.
> 
> The case suggests that the so-called fake CEO scam is still thriving in Israel, where the man widely credited with pioneering the technique, Gilbert Chikli, continues to live openly, evading French attempts to arrest him.  Chikli is not suspected in the current case. The French-born defendants were identified as Henri Omessi, Daniel Michael Allon, Jeremy Lalloum and Mordechai Lellouche. They appeared at a court hearing on Wednesday. Rotem Tubul, a lawyer for Omessi, said her client and the other defendants pleaded not guilty.  "Because it involves evidence from many countries around the world, there are clear difficulties in handling this case in Israel, and it is doubtful whether it will be possible to overcome them," said Liya Felus, an attorney for Allon.
> 
> ...


----------



## waltky (Feb 1, 2017)

I've locked myself outta my room - an' I can't get back in...




*Austrian hotel says hackers held key system for ransom*
_Wed, Feb 01, 2017 - The ransom demand arrived one recent morning by e-mail, after about a dozen guests were locked out of their rooms at the lakeside Alpine hotel in Austria._


> The electronic key system at the picturesque Romantik Seehotel Jaegerwirt had been infiltrated, and the hotel was locked out of its own computer system, leaving guests stranded in the lobby, causing confusion and panic.  “Good morning?” the e-mail began, hotel managing director Christoph Brandstaetter said.  It went on to demand a ransom of two bitcoins, or about US$1,800, and warned that the cost would double if the hotel did not comply with the demand by the end of the day, Jan. 22.
> 
> The e-mail included details of a “bitcoin wallet” — the account in which to deposit the money — and ended with the words: “Have a nice day!” Brandstaetter said.  With the 111-year-old hotel brimming with eager skiers, hikers and vacationers, some having paid about US$530 for a suite with a panoramic view and sauna, Brandstaetter said he decided to cave in.  Guests had already complained that their electronic room keys were not working, and receptionists’ efforts to create new ones had proved futile.
> 
> ...


----------



## mamooth (Apr 6, 2017)

Not actually ransomware here, just scareware. I get this "CRITICAL MESSAGE FROM MICROSOFT" page often when clicking on the stupid little ads/news stories that Facebook shows. A computerized voice also reads the script. I especially like the "you must respond in 5 minutes to prevent your computer from being disabled!" part.

Obviously, I just close the page. Nothing bad happens, Malwarebytes shows no malware. It's just a scare, so you'll call them and give them your personal info. I'm tempted to call them and waste their time for an hour.

---
** YOUR COMPUTER HAS BEEN BLOCKED **

Error # 268D3

Please call us immediately at: 888-726-6050
Do not ignore this critical alert.
 If you close this page, your computer access will be disabled to prevent further damage to our network.

Your computer has alerted us that it has been infected with a virus and spyware.  The following information is being stolen...

> Facebook Login
> Credit Card Details
> Email Account Login
> Photos stored on this computer
You must contact us immediately so that our engineers can walk you through the removal process over the phone.  Please call us within the next 5 minutes to prevent your computer from being disabled.

Toll Free: 888-726-6050
---

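A heuristic check for pages like the one quoted in this post, added here as an example and not code from the poster: it scores a page's visible text on independent tech-support-scam indicators (a "your computer has been blocked" claim, a demand to phone a toll-free number, a countdown, a bogus error code, a vendor name next to "alert"). The patterns and the three-indicator threshold are my own assumptions; `SCAM_PAGE` is the text quoted in the post, and the benign comparison text is constructed.

```python
"""Heuristic detector for browser tech-support-scam pages.  Added example for
this thread, not code from any poster; indicator patterns and threshold are
assumptions.  SCAM_PAGE is the text quoted in the post above."""
import re

SCAM_PAGE = """\
CRITICAL MESSAGE FROM MICROSOFT
** YOUR COMPUTER HAS BEEN BLOCKED **
Error # 268D3
Please call us immediately at: 888-726-6050
Do not ignore this critical alert.
If you close this page, your computer access will be disabled to prevent further damage to our network.
Your computer has alerted us that it has been infected with a virus and spyware. The following information is being stolen...
Facebook Login
Credit Card Details
Email Account Login
Photos stored on this computer
You must contact us immediately so that our engineers can walk you through the removal process over the phone. Please call us within the next 5 minutes to prevent your computer from being disabled.
Toll Free: 888-726-6050
"""

# Constructed benign page for comparison.
BENIGN_PAGE = """\
Google Chrome is up to date.
To update manually, open Settings and choose About Chrome; Chrome checks for updates on its own.
"""

# North American toll-free prefixes; the scam's whole ask is 'call this number'.
PHONE_RE = re.compile(r'\b(?:1[-. ]?)?8(?:00|33|44|55|66|77|88)[-. ]?\d{3}[-. ]?\d{4}\b')

INDICATORS = {
    'block_claim': re.compile(r'\b(?:computer|pc|device)\s+has\s+been\s+(?:blocked|locked|infected)\b', re.I),
    'call_now': re.compile(r'\b(?:call|contact)\s+us\b', re.I),
    'toll_free_number': PHONE_RE,
    'deadline': re.compile(r'\bwithin\s+(?:the\s+next\s+)?\d+\s+minutes?\b', re.I),
    'fake_error_code': re.compile(r'\berror\s*#?\s*[0-9A-F]{4,}\b', re.I),
    'disable_threat': re.compile(r'\bdisabled?\b.*?\b(?:damage|network)\b', re.I | re.S),
    'credential_list': re.compile(r'\b(?:facebook|credit card|email account)\b.*?\b(?:login|details)\b', re.I),
    'vendor_impersonation': re.compile(r'\b(?:microsoft|windows|apple)\b.*?\b(?:alert|warning|support|engineers?)\b', re.I | re.S),
}


def scan(text):
    """Sorted names of the indicators present in the page text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def phone_numbers(text):
    """Distinct toll-free numbers in order of first appearance; a useful
    blocklist key, since the number is the one thing the scam cannot change
    without breaking its own business."""
    return list(dict.fromkeys(PHONE_RE.findall(text)))


def is_scam_page(text, threshold=3):
    """Three or more independent indicators on one page is a confident call;
    a genuine vendor page does not ask you to phone a number within minutes."""
    return len(scan(text)) >= threshold


if __name__ == '__main__':
    for label, page in (('scam', SCAM_PAGE), ('benign', BENIGN_PAGE)):
        print(label, is_scam_page(page), scan(page), phone_numbers(page))
```

The same scoring works on the text a proxy or browser extension extracts from a page body, and the `phone_numbers` output is what you would feed to a blocklist or hand to the carrier.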

----------



## Old Yeller (Apr 7, 2017)

This window just opened up on my PC.  Is it real?  Would you click on it?


----------



## longknife (Apr 7, 2017)

Old Yeller said:


> This window just opened up on my PC.  Is it real?  Would you click on it?
> 
> View attachment 120761



If you've got Google Chrome installed, why not?


----------



## Old Yeller (Apr 7, 2017)

longknife said:


> Old Yeller said:
> 
> 
> > This window just opened up on my PC.  Is it real?  Would you click on it?
> ...




I thought it might be a "known phony"?  Like some crap Podesta would fall for.  I had not heard of it being a virus............OK, I will give it a try.  Some sort of website error?  I thought it had a weird website address?  I give up already. I quit easily on stuff like that.


----------



## Ringel05 (Apr 8, 2017)

Old Yeller said:


> longknife said:
> 
> 
> > Old Yeller said:
> ...


It may be good but I would go to my Chrome settings and select update instead of following a link on a pop up.


----------

