Malicious Monero miners on the rise

Slow and sluggish computer? It might be infected with a cryptocurrency miner

Miners might replace ransomware in the future

Have you been experiencing system slowdowns lately? If so, you might want to check your computer for cryptocurrency mining malware. Months have passed since the worldwide Petya and WannaCry ransomware attacks, and there are currently no massive malware outbreaks to discuss.

Meanwhile, cybercriminals have found another way of exploiting unprotected computers: infecting them with cryptocurrency mining software that silently generates profit for them. Such miners can even remove the need to demand a ransom at all.

A malicious miner can silently operate for months or years until the victim or a computer technician discovers it, so this method is likely to earn malware developers more over time than extortion. Besides, users are less willing to pay ransoms nowadays (finally!).

However, it is too early to write off ransomware, especially while the Locky, Cerber and CryptoMix operators keep releasing new versions.

Cryptocurrency mining innovation becomes computer users’ nightmare

Recently, Coinhive introduced a cryptocurrency miner for websites, a technology pitched as a way to monetize content without displaying ads. The Coinhive miner is simply a JavaScript library that site owners can add to their pages; while a visitor has the page open, the script mines in their browser.

The miner uses visitors' CPU power to mine Monero (XMR). Sounds like a good plan for saying goodbye to online ads? Sadly, the technology has a bad side: cybercriminals started leveraging the library to build malicious Monero miners right away, running it in pages and software without the user's knowledge. One of the first examples is the SafeBrowse browser extension, which was found mining XMR on its users' CPUs.

Protect yourself as illegal miners spread rapidly

Recent research by Kaspersky shows over 1.65 million attempts to infect computers with cryptocurrency miners in the first eight months of 2017. Research by ESET shows that criminals have recently deployed Monero mining software on unpatched Windows servers; according to ESET, the attackers earned approximately $63,000 in only three months.

Unfortunately, a victim infected with a miner often notices only one sign: the computer becomes sluggish, with the CPU pinned near 100% and the fans running constantly. Since there are thousands of reasons why a computer can perform poorly, victims rarely suspect a miner. A practical check is to open the task manager and look for an unfamiliar process consuming most of the CPU; a full system scan with up-to-date anti-malware can then identify the problem.
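The two things a practitioner actually checks for are a process with a mining pool on its command line and, for Coinhive-style browser miners, a page that loads a miner library. The following Python script is an added example, not code from the original article or from Coinhive; the process names, pool hostname, CPU figures and page HTML below are constructed for the example, and the lists of miner command-line flags and script hosts are an illustrative blocklist, not an authoritative feed.

```python
"""Added example: triage for crypto-miner indicators on a host and in a web page.
All sample data below is constructed; it is not captured from a real infection."""
import re
from typing import List, Tuple

# Host-based indicators: stratum pool URLs, flags used by common open-source
# CPU miners (assumed list), and Monero wallet addresses (standard addresses
# are 95 characters long and start with '4').
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+:\d+", re.I)
XMR_ADDR_RE = re.compile(r"(?<![0-9A-Za-z])4[0-9A-Za-z]{94}(?![0-9A-Za-z])")
MINER_FLAGS = ("--donate-level", "--cpu-priority", "--max-cpu-usage", "--nicehash")
HIGH_CPU = 80.0  # sustained percent; a weak indicator on its own


def scan_process(cmdline: str, cpu_percent: float) -> List[str]:
    """Return indicator names found for one process command line."""
    hits = []
    if STRATUM_RE.search(cmdline):
        hits.append("stratum_pool_url")
    if XMR_ADDR_RE.search(cmdline):
        hits.append("monero_wallet_address")
    if any(flag in cmdline for flag in MINER_FLAGS):
        hits.append("miner_cli_flag")
    if cpu_percent >= HIGH_CPU:
        # CPU load corroborates other hits; alone it only merits a closer look
        hits.append("high_cpu" if hits else "high_cpu_only")
    return hits


def verdict(hits: List[str]) -> str:
    """Turn a hit list into a triage decision."""
    if any(not h.startswith("high_cpu") for h in hits):
        return "miner"
    return "investigate" if hits else "clean"


# Browser-based indicators: script tags loading from hosts known to serve
# in-page miners (constructed blocklist) and instantiation of the miner
# object that the Coinhive library exposed to page scripts.
MINER_SCRIPT_HOSTS = ("coinhive.com", "coin-hive.com", "jsecoin.com")
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)
MINER_JS_RE = re.compile(r"\bCoinHive\.(?:Anonymous|User)\b", re.I)


def scan_html(html: str) -> List[str]:
    """Return indicator names found in page HTML."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        if any(host in src.lower() for host in MINER_SCRIPT_HOSTS):
            hits.append(f"miner_script:{src}")
    if MINER_JS_RE.search(html):
        hits.append("miner_object_instantiated")
    return hits


# Constructed samples: (command line, CPU percent) pairs and a page snippet.
SAMPLE_PROCESSES: List[Tuple[str, float]] = [
    (r"C:\Windows\System32\svchost.exe -k netsvcs", 2.0),
    (r"C:\Users\Public\winlogin.exe -o stratum+tcp://pool.example.org:3333 "
     "-u 4" + "A" * 94 + " --donate-level 1", 97.5),
    (r"C:\Program Files\Video\render.exe --job 42", 91.0),
]
SAMPLE_HTML = (
    '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
    "<script>var m = new CoinHive.Anonymous('SITE_KEY'); m.start();</script>"
)

if __name__ == "__main__":
    for cmd, cpu in SAMPLE_PROCESSES:
        found = scan_process(cmd, cpu)
        print(f"{verdict(found):12} {found} {cmd[:40]}")
    print(scan_html(SAMPLE_HTML))
```

The process scan is meant to run over the output of a process listing that includes full command lines (for example `wmic process get commandline` or a Sysmon process-creation log); a video encoder at 91% CPU lands in "investigate", while the constructed miner is flagged on three independent indicators.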

To avoid installing malicious miners, watch which websites you visit and never open questionable files or links sent to you via email. To improve your computer's overall security, install security software with a good reputation. You can read useful software reviews on the 2-Spyware website.

Ominous update: Locky now encrypts data as Ykcol virus

Locky remains a major issue in cyberspace

Perhaps Locky's developers have run out of crafty ideas, as they have stopped making up intriguing names for their malware. After the Diablo6 and Lukitus versions were released, the crooks launched a supposedly new version with a brand new name, Ykcol, which is Locky spelled backwards.

Any new features?

The latest version does not manifest any exceptional new capability. Apart from the name change, the source code does not seem to have been altered drastically. Nonetheless, there are slight amendments in the distribution campaign.

The menace continues relying on the Necurs botnet, which delivers thousands of spam emails worldwide. Since the introduction of the Diablo6 and Lukitus extensions, a change in the archive type used has been spotted as well.

Earlier versions of the ransomware tended to hide in a .rar archive, but the latest editions, including Ykcol, are delivered in a .7z archive. It contains a VBS script which, when opened, downloads and runs the file-encrypting payload.

Locky's developers retained the habit of disguising the malware as invoice emails. Previous editions were delivered with the brief message "Files attached. Thanks". Ykcol fishes for gullible users with "Could you please let me know the status of the attached invoice? I appreciate your help!" An alternative sample tries to persuade potential victims to launch the virus by impersonating Herbalife Nutrition, a US nutrition and weight-management company.
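The delivery chain described above (invoice lure, archive attachment, VBS script inside) is exactly what a mail-gateway rule should catch. The following Python triage is an added example, not code from the original article; the message and the archive are constructed inline, the sender and recipient addresses are placeholders, and a .zip is used so the archive can be opened with the standard library, while .7z and .rar attachments are flagged for manual inspection because opening them needs third-party libraries.

```python
"""Added example: triage of an email attachment of the kind described above.
The message, the zip archive and the script inside it are constructed here;
nothing is downloaded or executed."""
import email
import io
import os
import re
import zipfile
from email.message import EmailMessage
from typing import Dict, List

# Extensions Windows runs on a double-click; .vbs is what the Ykcol
# campaign placed inside its archive.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".exe", ".scr", ".lnk"}
ARCHIVE_EXTS = {".zip", ".7z", ".rar"}
# Lure phrases quoted in the text above plus one generic invoice phrase.
LURE_RE = re.compile(r"attached invoice|files attached|please find attached", re.I)


def triage_attachment(filename: str, payload: bytes) -> List[str]:
    """Return findings for one attachment (filename plus raw bytes)."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in SCRIPT_EXTS:
        findings.append(f"script_attachment:{filename}")
    elif ext in ARCHIVE_EXTS:
        findings.append(f"archive_attachment:{filename}")
        if ext == ".zip":
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if os.path.splitext(member)[1].lower() in SCRIPT_EXTS:
                            findings.append(f"script_in_archive:{member}")
            except zipfile.BadZipFile:
                findings.append("unreadable_zip")
        else:
            # .7z and .rar need third-party libraries (e.g. py7zr, rarfile)
            # or a sandbox; never deliver them unseen.
            findings.append("archive_needs_manual_inspection")
    return findings


def triage_message(raw: bytes) -> Dict[str, object]:
    """Parse a raw RFC 822 message and triage its body and attachments."""
    msg = email.message_from_bytes(raw)
    findings: List[str] = []
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            findings += triage_attachment(filename, part.get_payload(decode=True) or b"")
        elif part.get_content_type() == "text/plain":
            body += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if LURE_RE.search(body):
        findings.append("invoice_lure_phrase")
    if any(f.startswith(("script_attachment", "script_in_archive")) for f in findings):
        decision = "block"
    elif any(f.startswith(("archive_", "invoice_lure", "unreadable")) for f in findings):
        decision = "hold_for_review"
    else:
        decision = "deliver"
    return {"findings": findings, "verdict": decision}


def build_sample_message() -> bytes:
    """Constructed lure: the Ykcol invoice text with a zip holding a .vbs stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_8841.vbs", "' placeholder, not a real downloader\r\n")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Could you please let me know the status of the attached invoice? "
                    "I appreciate your help!")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_8841.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
    print(triage_attachment("scan_0042.7z", b""))
```

The lure phrase alone only holds a message for review; a script inside an archive blocks it outright, which is the combination the Necurs campaigns rely on.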

From invoices to fake verification emails

While attention is concentrated on Ykcol, the Lukitus and Diablo6 crypto-viruses should not be ignored either. Recent analysis reveals that the racketeers disguise the malware as fake Dropbox account verification emails.

In addition, company employees should be especially vigilant about Locky. Versions have been detected whose attachments pose as scanned documents, delivered as .png images supposedly sent from an office scanner or printer.

The problem is that Locky campaigns target companies, so such a message blends in easily. Unsuspecting users, thinking the email was sent by a colleague, may open the attachment only to find Ykcol or Lukitus encrypting their files.

However, though the developers of this menace seem to use conservative techniques, Locky still cannot be decrypted without the attackers' key.
As for prevention, attentiveness and basic cyber hygiene are the key factors in warding off Locky:

  • install system updates once they are published
  • update security tools
  • use an on-demand second-opinion scanner alongside your main anti-malware tool (two real-time engines running at once will conflict)
  • double-check the sender of a suspicious email before opening any attachment
  • keep offline backups of important files, so that encryption is an inconvenience rather than a loss
ReviewedByPro site

ReviewedByPro is here to help you to choose the right security software

Meet ReviewedByPro – our new page about cyber security

If you are worried about the latest security threats infecting your computer, fear no more: our new website will help you avoid getting lost in the labyrinth of safety and privacy.

The new page is fully dedicated to helping you choose the best anti-malware and privacy tools on the basis of your needs. The page contains reviews, tutorials, and comparison tables of anti-malware and privacy software.

Additionally, there is a question section on the page where you can ask anything about cyber security and privacy. You will get an answer from one of the site’s professionals.

A reputable security tool is mandatory nowadays

Each day brings more new malware that you must avoid at all costs. It is essential to choose a security program you can fully trust: with zero-day malware in circulation, your private information is at constant risk.

A high-quality tool has to be constantly updated in order to detect and delete even the newest threats.

The latest ransomware has shown the world how fragile our systems are: attacks such as Petya and WannaCry caused a lot of damage across many sectors, including healthcare and transportation.

The experts at ReviewedByPro have one goal: to make the world as safe as possible. By writing thorough reviews of security tools, they want to make sure their readers choose products of the highest quality.

That is why you will see tables of pros and cons, test results, and opinions about various aspects of the applications. Simply open the Security section and see the list of reviews.

Read everything about VPNs

On ReviewedByPro you can also find many VPN (Virtual Private Network) reviews. If you are not sure whether you need a VPN, the page explains what the service does and when it is useful.

A VPN is an exceptionally useful tool for privacy: you can access sites blocked in your country, shield your traffic from eavesdroppers on public Wi-Fi, and keep your real IP address out of P2P swarms. Bear in mind that it shifts trust to the VPN provider, which can see your traffic instead of the local network.

You can read VPN reviews and choose the one most suitable for you regarding price and functionality. If you want a quick comparison, you can simply go to the Privacy section and skim through the table which compares VPN services.

So, do not hesitate: visit ReviewedByPro and give it a shot. It might just be the website you have always needed.

Beware of Coming Online Scam Season

Online Scams Are on the Rise

The beginning of September does not only signal the start of term papers, research projects and theses for the academic community, but the start of online scam season as well. Action Fraud, the UK's national fraud and cyber crime reporting centre, issues yearly warnings to the academic community about the increase in online scams targeting it.

Deception Forms are Diversifying

Online fraud aimed at students is nothing new. Several times a year students are subjected to various online scams; some fraudsters, for instance, try to con them with ads for non-existent accommodation.

The most recent scam technique involves fake alerts purportedly issued by university finance departments. One recent example used emails claiming the recipient's Student Loans Company (SLC) account had been suspended. A similar scam in 2011 resulted in an astounding 1.3 million dollars in losses.

The fraudsters aim to wheedle out additional sensitive information, such as login details. This tactic resembles the one employed by Facebook scammers, who try to fool users with messages urging them to "verify their account."

A similar strategy is also popular among ransomware developers. Locky's developers, who have now launched the latest Lukitus version, assaulted users with fake emails referencing the 2015 breach at the US Office of Personnel Management. The infamous Cerber, Cezar and Arena crypto-malware campaigns included fake messages supposedly sent by tax institutions, carrying malicious invoice attachments.

Lately, US citizens, especially residents of California and Texas, have been bombarded with requests to donate to shady Hurricane Harvey fund-raising sites. Fraudsters, in short, never stop finding new pretexts.

Ways to Escape Online Felony

The best advice for avoiding online scams is to stay vigilant and cautious. Whether you are a student or just an ordinary online user, you should:

  • verify the sender before opening any email attachment supposedly sent by official institutions
  • not install any updates promoted in random sites
  • not disclose any valuable information in reply to emails supposedly sent by your internet provider or loan company
Arena ransomware attack

Arena ransomware goes on a worldwide rampage

Arena ransomware is a virus closely associated with CrySiS and Dharma malware families

The Arena ransomware virus first appeared as a variant of the CrySiS/Dharma malware. A little later, however, the CryptoMix ransomware gang started using the same extension for its latest variant, which was first discovered by researcher Michael Gillespie.

If your files were encrypted and you can find the .arena extension in their filenames, you can identify the ransomware family quite easily. The main difference between CrySiS Arena and CryptoMix Arena is that the CryptoMix variant replaces the original filename with a 32-character string of letters and digits, whereas the CrySiS/Dharma variant keeps the original name. An example of a CryptoMix filename is pN1K7230200106B6C29ECCG62801ZN43.arena.

A comparison of the newly discovered Arena variant with CrySiS/Dharma is provided on the 2-Spyware website. The new version creates a _HELP_INSTRUCTION.TXT file with the ransom payment guidelines and an email address through which the victim can contact the criminals. The Dharma variant provides its email addresses in a FILES ENCRYPTED.txt ransom note.

Distribution of the malicious virus

The CrySiS and CryptoMix crypto-ransomware families are extremely active nowadays, releasing new variants every week or two. CryptoMix variants are known to be distributed via the EITest campaign using the RIG-V exploit kit. To put it simply, you can get infected by visiting a compromised website that contains a malicious script; the script sends your browser to an exploit kit page that probes the browser and its plug-ins for unpatched vulnerabilities and, if it finds one, drops the ransomware without any further click.

Both ransomware families also use traditional distribution methods such as malvertising, malicious spam and Trojan horses. Be careful and do not open shady-looking email attachments, even if they appear to come from a reliable company or person. When in doubt, check them with an online file-scanning service such as VirusTotal (bear in mind that uploaded files are shared with security researchers, so do not upload confidential documents). Up-to-date anti-malware software can also stop malicious files from launching.

Decryption of .arena files

The most important question for affected users is whether .arena files can be decrypted for free. Unfortunately, at the moment files with this extension cannot be decrypted with any third-party tool. We suggest checking the 2-Spyware website for updates and keeping the encrypted files and the ransom note in case a decryptor appears later.

You should remove the Arena virus from the system before continuing to use the computer. Scan the system with a good anti-malware program in Safe Mode with Networking to eliminate all malware that may have sneaked onto your computer over time.

Facebook Message virus 2017

Facebook Message virus returns as summer 2017 draws to a close

The return of Facebook Message virus: stay away from shortened video links sent by your friends!

Summer is coming to an end, which means malware developers are heading back to work. In fact, some of them did not even wait for the end of the warm season: recently, researchers from 2-Spyware analyzed a new Facebook Message virus variant that hijacks Facebook accounts to send messages to all of their friends.

The malicious messages contain a link to a video and a line “[name of the recipient] Video,” suggesting the victim to watch a short clip. The concept of the virus is very similar to Facebook Video virus, which also attempts to trick people into opening a fake video link.

Virus infiltrates computers using Trojan horse technique combined with social engineering

Clearly, the criminals use social engineering to make the victim curious about the link. Once the victim clicks on something that looks like a shortened URL (usually to a video), the virus redirects him or her to a Google Docs page.

The document contains an automatically generated image built from the target's Facebook photo, with a play button over it.

Once clicked, a chain of redirections occurs. Each website the victim's browser connects to collects certain information about the victim, such as:

  • Default computer’s language;
  • Geolocation of the device;
  • Browser information;
  • Installed add-ons and cookies;
  • Operating system type and version;
  • Browser type and version.

Based on the operating system and browser type, the malware redirects to a phishing website that offers to install either a malicious Flash Player update or a Chrome or Firefox extension.

If the victim agrees to install the suggested software, his or her account is compromised and may start automatically sending the message to all friends, spreading the malicious link further. Cyber security experts say that technical analysis of the virus is still required to determine the exact mechanism by which the account is taken over.

The purpose of the new Facebook Messenger virus

The newly discovered Facebook virus spreads rapidly; however, cyber security experts from Kaspersky say the installed payload falls into the adware category and does not download other malicious programs to the system. It can, however, be updated at any time.

If you receive a similar message via Messenger, do not click on it! Although this malware only gets in once the victim agrees to install it, other viruses are capable of infiltrating a system through security vulnerabilities.

Therefore, if you do not want to become a victim of a much more critical virus’ attack, better keep the distance from suspicious links you receive via Facebook.

If you accidentally clicked on the malicious link, immediately scan your computer with anti-malware to remove Facebook Message virus from the system.

3 fake messaging apps were spreading SonicSpy malware via Google Play Store

SonicSpy – new malware found in more than 1,000 Android apps

Android users should remain vigilant and be aware of a new Android malware family that has been found in over 1,000 apps. At least three of them were available on the Google Play Store, promoted as messaging apps. Fortunately, Google removed them. However, experts expect to see the malware again under the guise of yet another app.

The first samples were noticed in February 2017. Google removed them from the store; however, more malicious apps remained until recently. Mobile security company Lookout discovered three fake messaging apps on the Google Play Store that contained SonicSpy:

  • Soniac,
  • Hulk Messenger,
  • TroyChat apps.

All of them did provide messaging functionality, but that was not their primary purpose: they were designed to collect sensitive data and transfer it to the cybercriminals.

Malware works as a spying tool

SonicSpy supports 73 distinct remote commands that allow spying on users. It can record phone calls, capture audio or video clips, take pictures with the camera, access the contact list and Wi-Fi information and, most importantly, steal sensitive data.

When a user installs one of the malicious apps, the malware hides itself (removing its icon from the launcher) and connects to its Command and Control (C&C) server to receive instructions.

Analysis revealed that the malware may be related to another Android threat, SpyNote, which was detected in July 2016 and was later seen spreading as a fake Netflix app.

It is believed that SonicSpy, like SpyNote, may have been created by an Iraq-based actor; the developer account behind the malicious apps on Google Play was even called "iraqiwebservice."

Tips to avoid Android spyware and malware

Although the apps spreading SonicSpy were removed from the official store, there is still a chance that some malicious apps have not been detected yet. What is more, the actor can create a new developer account and publish new variants.

Besides, numerous other Android ransomware or malware variants may be hiding under the names of other apps in official and unofficial stores. Therefore, be careful with the applications you install and follow these mobile security tips:

  • Download apps only from official Google Play Store;
  • Check the information about developers and rely only on trusted companies;
  • Read user reviews outside app store because fake reviews can create false image;
  • Read app permissions before installing apps. If the app wants full access to your device or requires irrelevant permissions, you should not install it;
  • Regularly update your device and apps;
  • Invest in smartphone’s security and obtain a professional antivirus.
Cerber and Locky viruses strike again

Hacking in summer time – Locky and Cerber developers start another distribution campaign

Cerber or Locky – ever-evolving and ever-lasting cyber issues

In case you were wondering whether the two notorious ransomware giants had finally been terminated, we are sorry to disappoint you. It seems the developers of both threats spent the summer wisely: improved versions are targeting netizens again. What is new, and what should you beware of?

Cerber now sniffs for personal data

True to its namesake, the mythical creature Cerberus, the developers decided to add data-stealing features. The latest version of the virus, distributed as CRBR Encryptor, is able to capture saved browser passwords and bitcoin wallet information.
Besides looking for passwords saved in Chrome, Internet Explorer, Firefox and other browsers, the infection also attempts to steal Bitcoin Core, MultiBit and Electrum wallet files before encrypting the computer.
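What a defender can do with the list above is watch for any process other than the wallet or browser itself reading those files. The following Python detector is an added example, not code from the page or from any vendor; the file paths are the usual Windows locations of these files (an assumption of the example), the process name update_helper.exe and the event list are constructed, and a real deployment would feed it from file-access telemetry such as an EDR or Windows object-access auditing.

```python
"""Added example: flag processes that read wallet files or browser password
stores when they are not the application that owns those files.
The events below are constructed, not captured from a real host."""
import re
from typing import Dict, List, NamedTuple, Optional


class FileEvent(NamedTuple):
    process: str  # image name of the process that opened the file
    path: str     # path it opened


# (path pattern, processes that legitimately open it, label). Paths are the
# usual Windows locations of these files (assumption for the example).
SENSITIVE_FILES = [
    (re.compile(r"\\Bitcoin\\wallet\.dat$", re.I),
     {"bitcoin-qt.exe", "bitcoind.exe"}, "bitcoin_core_wallet"),
    (re.compile(r"\\Electrum\\wallets\\", re.I),
     {"electrum.exe"}, "electrum_wallet"),
    (re.compile(r"\\MultiBit\\[^\\]+\.wallet$", re.I),
     {"multibit.exe"}, "multibit_wallet"),
    (re.compile(r"\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I),
     {"chrome.exe"}, "chrome_saved_passwords"),
    (re.compile(r"\\Firefox\\Profiles\\[^\\]+\\(?:logins\.json|key4\.db)$", re.I),
     {"firefox.exe"}, "firefox_saved_passwords"),
]


def classify(event: FileEvent) -> Optional[str]:
    """Label an event if a non-owner process touched a sensitive file."""
    for pattern, owners, label in SENSITIVE_FILES:
        if pattern.search(event.path):
            return None if event.process.lower() in owners else label
    return None


def suspicious_processes(events: List[FileEvent]) -> Dict[str, List[str]]:
    """Group labels by process. One process reaching into several stores in
    a row is the harvesting pattern the text above describes."""
    result: Dict[str, List[str]] = {}
    for ev in events:
        label = classify(ev)
        if label:
            labels = result.setdefault(ev.process, [])
            if label not in labels:
                labels.append(label)
    return result


# Constructed sample: legitimate owners opening their own files, an
# unrelated document being opened, and one unknown binary sweeping stores.
SAMPLE_EVENTS = [
    FileEvent("chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent("electrum.exe", r"C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet"),
    FileEvent("winword.exe", r"C:\Users\alice\Documents\report.docx"),
    FileEvent("update_helper.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent("update_helper.exe", r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"),
    FileEvent("update_helper.exe", r"C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet"),
]

if __name__ == "__main__":
    for process, labels in suspicious_processes(SAMPLE_EVENTS).items():
        print(f"{process}: {', '.join(labels)}")
```

Backup agents and password managers will show up here too, so the owner sets need to be extended with whatever legitimately reads these files in your environment; the point is that the allowlist is per file, not per process.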

IT specialists suspect that the source code behind this function may have been borrowed from another project. Though the update makes the malware even more menacing, data-stealing ransomware is not a novelty: last year some CryptXXX variants were spotted engaging in data theft as well.

Locky strikes again in a new disguise

While the name "Locky ransomware" flickered regularly in media headlines last year, its authors have not abandoned the project. In fact, the intervals between versions suggest the crooks have been working on new, more destructive techniques. This summer they dropped the habit of naming their versions after Egyptian and Scandinavian deities and returned to European mythology.

IT specialists have caught its new version, Diablo6 ransomware, spreading via a new malicious spam campaign. Judging by this campaign, however, Locky's developers have not mastered any extraordinary new technique. As in previous cases, they test targeted users' curiosity: the email may come from an unknown sender with the brief message "Files attached. Thanks".

Opening the attached E [date] (random_number).docx file executes a VBS downloader script, which then downloads the main payload. During encryption, the malware appends a ridiculously long [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].diablo6 extension to each file. The current version is relatively modest: it asks for 0.49 bitcoin, about $1,600 at the time of writing.
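The naming rule given above for Diablo6, together with the ones given earlier for the two Arena variants, is enough to fingerprint an encrypted directory listing and check whether the matching ransom note is present. The following Python script is an added example, not code from the original article or from any vendor; the directory listing it runs on is constructed (it reuses the CryptoMix sample filename quoted in the Arena section), the family labels are the example's own, and the ransom note filenames come from the Arena section.

```python
"""Added example: fingerprint encrypted files by the naming patterns given in
the text and check for the ransom note each family drops.
The listing below is constructed, not taken from a victim machine."""
import ntpath  # handles Windows paths on any host
import re
from typing import Dict, List, Optional

# (family, pattern for the encrypted file name, ransom note the family drops;
# None where the text gives no note name). Order matters: the CryptoMix rule
# must run before the generic .arena rule.
RULES = [
    ("Locky/Diablo6",
     re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\.diablo6$", re.I),
     None),
    ("Locky/Lukitus", re.compile(r"\.lukitus$", re.I), None),
    ("Locky/Ykcol", re.compile(r"\.ykcol$", re.I), None),
    # CryptoMix replaces the whole name with a 32-character identifier; the
    # sample name quoted in the text contains letters beyond A-F, so any
    # letter or digit is accepted here.
    ("CryptoMix/Arena", re.compile(r"^[0-9A-Z]{32}\.arena$", re.I), "_HELP_INSTRUCTION.TXT"),
    # CrySiS/Dharma keeps the original name and appends the extension.
    ("CrySiS-Dharma/Arena", re.compile(r"\.arena$", re.I), "FILES ENCRYPTED.txt"),
]


def fingerprint(path: str) -> Optional[str]:
    """Return the family label for one encrypted file, or None."""
    name = ntpath.basename(path)
    for family, pattern, _note in RULES:
        if pattern.search(name):
            return family
    return None


def triage_listing(paths: List[str]) -> Dict[str, object]:
    """Count encrypted files per family and check for the expected note."""
    present = {ntpath.basename(p).lower() for p in paths}
    counts: Dict[str, int] = {}
    for p in paths:
        family = fingerprint(p)
        if family:
            counts[family] = counts.get(family, 0) + 1
    notes = {family: note.lower() in present
             for family, _pattern, note in RULES if note and family in counts}
    return {"families": counts, "ransom_note_found": notes}


# Constructed listing mixing two Arena styles, one Diablo6 file, the
# CryptoMix note and an untouched file.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\pN1K7230200106B6C29ECCG62801ZN43.arena",
    r"C:\Users\alice\Documents\0A1B2C3D4E5F60718293A4B5C6D7E8F9.arena",
    r"C:\Users\alice\Documents\_HELP_INSTRUCTION.TXT",
    r"C:\Users\alice\Pictures\holiday.jpg.arena",
    r"C:\Users\bob\Desktop\A1B2C3D4-E5F6-0718-293A-4B5C6D7E8F90.diablo6",
    r"C:\Users\bob\Desktop\notes.txt",
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```

A family count without its ransom note (as with the Dharma-style file above) is the signal to look at the file more closely before assuming the extension alone identifies the family.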

Unfortunately, neither ransomware family is decryptable at the moment. While cyber security specialists continue working on countermeasures, the virtual community should arm itself with awareness. Unlike Cerber, which keeps evolving at an alarming rate, Locky's developers seem to rely on the same spam campaigns. If you manage to bridle your curiosity and treat incoming spam with caution, you will lower the risk of encountering file-encrypting threats.

Petya aftermath: a month after the virus outbreak

The damage of Petya virus attacks is still being estimated

A month has passed since the new Petya version rolled through the cyber world in a wave of terror and confusion. Victims are still counting their losses, which presumably reach millions if not billions of dollars.

Major manufacturing, telecommunications and other companies say it is still difficult to estimate the full extent of the damage. The affected businesses are now waiting for the end of the year, when the final calculations will be completed.

Recovery of older Petya versions leaves hope for NotPetya decryption

Luckily, cyber security experts do not intend to leave the Petya story on a bad note. Well-known antivirus researchers have already produced working decryptors for the three initial Petya versions: Red Petya, Green Petya/Mischa and GoldenEye.

These decryption tools are not magical. They may freeze the computer or cause errors that risk damaging data. That is why experts always advise making backup copies of the encrypted files before attempting recovery, in case it fails.

Nevertheless, in most cases the decryptors work fine, and if you still have data you cannot access, you should definitely give them a try.

Unfortunately, we have no good news for users infected with NotPetya or other hybrid Petya versions, at least at the moment. These variants were not developed by Janus Cybercrime Solutions, the author of the original Petya, so the decryptors for the original versions are useless against NotPetya. Worse, analysts found that the "installation key" NotPetya shows its victims is random data from which no decryption key can be derived, so paying the ransom would not have helped either.

You should not lose hope entirely, though: there have been many cases in which ransomware decryption became possible later, through leaked keys or implementation flaws, so keep the encrypted files in case security experts find a way to recover them.

Protecting your data is important: backups are the key

Sadly, ransomware developers grow more advanced as time goes by: once security experts patch one vulnerability, the criminals find another, and the cycle continues.
The best way to actually protect your data is to keep backups of it, preferably several copies of your documents in several different places, with at least one copy offline or otherwise unreachable from your computer, since ransomware also encrypts mounted backup drives and network shares. Depending on the importance of your data and your needs, you can invest in automatic backup software or create extra copies of your most essential files manually.

Protect your Android device from Xavier virus

The updated Xavier Android malware was noticed spreading in Google Play store

Today we would like to introduce a new Android virus called Xavier. It belongs to the AdDown family, first discovered in 2015; Xavier itself was spotted in September 2016. Its authors have since updated it in order to spread it widely via the Google Play Store.

The majority of victims who downloaded one of the 800 infected applications were from Vietnam, the Philippines and Indonesia. Although the virus mostly causes problems in Southeast Asia, several cases were reported in the United States and Europe.

The purpose of malware – stealing personal information

Xavier is a malicious ad library that enters the system as a Trojan embedded in otherwise ordinary apps. It may affect not only Android smartphones and tablets but also Android-based TVs and game consoles; however, the majority of infections were noticed on mobile devices.

Among the infected applications were photo manipulators, antivirus utilities, volume and speed boosters and so on. The applications seemed useful and were downloaded from Google Play millions of times by users who never suspected their privacy might be at risk.

The success of the malware rests on evading detection: it recognises when it is running in an analysis environment such as an emulator and stays quiet, so regular security software installed on the phone may not detect it.

On an affected smartphone Xavier may install APK files and execute code received from its remote Command and Control (C&C) server, giving the attackers effectively full control of the device: they might clone your phone's data or install additional malware. The malware's behaviour depends on the tasks it receives from the server.

Protecting your smartphone from Xavier and other Android viruses

The main tip for avoiding Android malware used to be: avoid downloading apps from third-party websites and stick to Google Play. That tip alone is no longer enough. You should still keep away from unknown app sites, but you need to pay more attention to your smartphone's security:

  1. Check information about publishers before installing a new app. Well-known developers are the ones you can trust.
  2. Read reviews of the app before installing. Pay attention to users’ complaints and do not install app with negative feedback.
  3. Read what permissions the app requires. If an application wants to get lots of information, you should not download it to protect your privacy.
  4. Invest in professional mobile security software.
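The permission check in both tip lists above (the SonicSpy list and this one) can be made concrete: compare what an app declares with what its advertised purpose needs, since the spying capabilities described for SonicSpy and the APK installation described for Xavier each require specific permissions. The following Python script is an added example, not code from the original article, Lookout or Trend Micro; it expects a decoded AndroidManifest.xml (as produced by apktool), the per-category expectation table is an assumption of the example, and both manifests are constructed, with com.example.fakechat and com.example.plainchat as placeholder package names.

```python
"""Added example: audit the permissions an Android app declares against what
its advertised purpose plausibly needs. Works on a decoded AndroidManifest.xml;
both manifests below are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions behind the spying and self-update capabilities described in the
# text, with the capability each one grants.
DANGEROUS: Dict[str, str] = {
    "android.permission.RECORD_AUDIO": "record microphone and calls",
    "android.permission.CAMERA": "take pictures and video",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.READ_PHONE_STATE": "read phone identity and call state",
    "android.permission.ACCESS_WIFI_STATE": "read Wi-Fi network details",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install additional APKs",
}

# What an app of a given kind plausibly needs (assumption for the example).
EXPECTED: Dict[str, Set[str]] = {
    "messenger": {"android.permission.INTERNET", "android.permission.READ_CONTACTS",
                  "android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
    "photo_editor": {"android.permission.INTERNET", "android.permission.CAMERA",
                     "android.permission.READ_EXTERNAL_STORAGE",
                     "android.permission.WRITE_EXTERNAL_STORAGE"},
}


def declared_permissions(manifest_xml: str) -> List[str]:
    """List the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.findall("uses-permission")]


def audit(manifest_xml: str, category: str) -> Dict[str, object]:
    """Report dangerous permissions that the app's category does not explain."""
    perms = declared_permissions(manifest_xml)
    expected = EXPECTED.get(category, set())
    unexpected = {p: DANGEROUS[p] for p in perms if p in DANGEROUS and p not in expected}
    return {"declared": perms, "unexpected_dangerous": unexpected,
            "verdict": "do_not_install" if unexpected else "no_permission_red_flags"}


# Constructed manifest of a "messenger" that also wants call logs, SMS and
# Wi-Fi details, matching the SonicSpy capabilities described above.
SAMPLE_MESSENGER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

# Constructed manifest of a messenger that asks only for what it needs.
SAMPLE_CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

if __name__ == "__main__":
    print(audit(SAMPLE_MESSENGER_MANIFEST, "messenger"))
    print(audit(SAMPLE_CLEAN_MANIFEST, "messenger"))
```

The check only sees declared permissions; an app that passes it can still misbehave, so it complements rather than replaces the developer and review checks in the list above.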