Crypt0l0cker is expected to begin the second round

We must warn you about the growing danger of Crypt0l0cker ransomware. It seems that Europe is the main target of this virus, which is also known as TorrentLocker. To protect yourself and avoid having to pay a ransom to cyber criminals, make sure you back up your files. Ransomware viruses are now capable of encrypting an entire network, so you need to find a safe place for your files. While we haven’t received any reports from Crypt0l0cker victims yet, we can see a clear increase in this search term, which makes us believe that its developers have already started promoting its installer.

To avoid the newest version, Crypt0l0cker 2017, you must know each of its distribution methods. Here are the most popular ones:

  • Fake email messages with infected attachments. Mostly, ransomware installers are delivered in fake emails claiming to carry financial and business reports. Hackers try to convince their victims that they are communicating with one of their colleagues. If an email message seems suspicious, make sure you ask the sender about it directly.
  • Infected pop-up messages and illegal websites. You can also get infected with ransomware via misleading pop-up messages offering free updates and “missing” software to potential victims. Believe us, you don’t need any of it. If you need a program, visit its official website and make sure that the file you download is safe.
  • Legitimate websites hacked by ransomware makers. Hackers have already started using a more sophisticated technique to promote their ransomware – after infecting a legitimate site with malicious JavaScript, they make the website show a fake error message, such as a “HoeflerText font wasn’t found” error. Make sure you ignore such errors to prevent the infiltration of ransomware and the loss of your files.

eSolutions review on Spora ransomware

Spora ransomware was introduced by its developers at the beginning of 2017. However, it has already managed to impress security experts with its encryption procedure, a well-made official website and its ransom notification. This virus is considered one of the most aggressive ones because it doesn’t need an Internet connection to encrypt the victim’s files. Encrypted documents do not change their extensions, but you can’t open them. When you try to, you see a notification that reads:

XXX can’t be opened.
This document is either corrupt or protected under Rights Management.

Infected users are also asked to connect to the payment site of the Spora ransomware to find out how much they need to pay for the decryption of their files. The most surprising thing that we found after connecting to this site is that you can choose the amount of money you are willing to spend on the ransom. Of course, the less you pay, the less you can decrypt. Also, there is a dialogue window on the right where you can leave your question to the developers of Spora ransomware. This “customer” support has surprised even the most experienced security experts because it gives you an opportunity to talk to the hackers. The first example of this malware used the Russian language and was spread as a Скан-копия _ 10 января 2017г. Составлено и подписано главным бухгалтером. Экспорт из 1С.a01e743_рdf.hta file. However, its developers are not so silly as to miss a chance to increase their profit – to collect as many ransoms as possible, they launched an English version of Spora ransomware after several weeks of testing their initial virus. Beware that this version has just started spreading via USB sticks, so anyone who connects his or her USB stick to your computer can infect you with this ransomware virus.

Have you decided what anti-spyware software you are going to choose in 2017?

Selecting security software for a computer’s protection has always been a serious headache for PC users. However, there is no doubt that nowadays, when security experts report tens of different viruses each day, you need to take care of your PC’s protection properly. Failing to use security software can end in serious consequences – trying to find a remedy (a program, a specialist, etc.) for your computer. Keep in mind that there are many anti-virus or anti-malware programs that are much cheaper than the services of computer tech guys. Besides, the latest trends reveal that, even after you succeed in removing a virus from your computer, there is no guarantee that you will be capable of restoring the data (photos, music files, videos, business documents, art, etc.) that you kept on it.

What should you look for when choosing anti-virus software? According to PC experts, these are the main features that you should check:

  • Real-time scanner
  • On-demand scanner
  • Heuristic scanner
  • Automatic virus updates
  • Automatic program updates

Fortunately, you can avoid spending long hours trying to find the needed information about every anti-virus you are considering installing on your computer. Security experts working on the 2spyware project have already prepared several guides dedicated to helping people choose the best programs for their computers’ protection. If you are looking for an anti-malware program, you should check the Best anti-malware of 2017 and Best malware removal programs of 2017 guides. Those who are willing to step up their computers’ protection are recommended to read the Best free anti-virus of 2017 list.

Phishing attack targets Gmail users

Tricky phishing scam targets Gmail users: here’s how to protect your account

Cybercriminals are now targeting Gmail users, Wordfence reports. We have seen various tricks and methods that cyber criminals use to lure unsuspecting victims into clicking on compromised links that immediately redirect the victim to phishing websites. However, a brand new technique caught our attention recently. Attackers are using compromised user accounts to infect people on the victim’s behalf. First of all, they find an actual email with attachments that the victim has sent to someone in the past. Then they take a screenshot of the message and the attached files, add this picture to a new email, embed the URL of a phishing Gmail login page and send it to another victim. The new victim receives an email from a friend whose account was compromised, but of course, the new victim doesn’t suspect that. When the new victim clicks on the message or the attached files to preview them, an immediate redirection occurs, which throws the victim onto a phishing website that asks the victim to log into their Gmail account again. If the victim doesn’t notice that the URL of this fake Gmail login page looks suspicious and enters login details, hackers instantly log into the account and hijack it by changing the password and all other information that can be used in the account recovery process. Then the hackers use the compromised account to spread phishing emails further, infect more users, and so on.

Let us remind you that getting your email account hacked is one of the most disastrous things that can happen to you. Typically, email addresses are connected to dozens of accounts on various Internet websites, which means these email addresses are used to send account recovery instructions, reset passwords, and so on. In other words, when hackers get access to your email account, they can get access to almost every website that you have registered on using the compromised email. Therefore, they might connect to shopping sites, social media sites, and other websites, scrape your personal information from them, use bank cards you linked to these sites, and so on. To protect yourself from phishing attacks like this one, double-check the URL of a website before browsing it, even if it looks like the real Gmail, Paypal, Facebook, or another well-known site. In the case of this particular attack, we have to say that scammers redirect users to a website whose URL is data:text/html,https://accounts.google.com[…]. Therefore, in order to prevent phishing attacks, you should carefully inspect the URLs of sites you visit, especially if you get redirected to them. Secondly, enable two-factor authentication for Gmail. This way, hackers won’t be able to take over your account even if you hand over your login details. Finally, you should install software that can identify phishing sites and block access to them. The Esolutions team has prepared informative articles about the best anti-malware software of 2017 and the best antivirus programs of 2017 to help users choose the best protection tools for their computers.
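The URL check recommended above, written out as an added example (our own illustration, not code from Wordfence or Google): a data: URL has no server behind it, so the “https://accounts.google.com” text that follows the comma is just part of the page body the attacker typed in. The trusted-host list and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption: a defender-maintained allow-list of hosts that may legitimately
# serve the Google sign-in page. accounts.google.com is the host the fake URL
# described in the article imitates.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}


def inspect_login_url(url: str) -> list[str]:
    """Return the reasons to distrust `url`; an empty list means it looks like
    the genuine HTTPS login page on a trusted host."""
    reasons = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()

    if scheme == "data":
        # A data: URL renders inline content supplied in the address bar itself.
        # No request goes to any Google server, so a "https://accounts.google.com"
        # string after the comma is decoration meant to fool a quick glance.
        reasons.append("data: URL: the page is embedded in the address, no Google server is involved")
        if "https://accounts.google.com" in url:
            reasons.append("address contains a look-alike 'https://accounts.google.com' after the data: prefix")
        return reasons

    if scheme != "https":
        reasons.append(f"scheme is {scheme or '(none)'}, expected https")

    if parts.username is not None or parts.password is not None:
        # user:pass@ before the host: browsers ignore it, but it lets
        # "accounts.google.com@other.example" look trusted at first glance.
        reasons.append("URL carries userinfo before the host")

    host = (parts.hostname or "").lower()
    if host not in TRUSTED_LOGIN_HOSTS:
        # Sub-domain tricks such as accounts.google.com.other.example land here:
        # the allow-list is matched on the full hostname, not on a prefix.
        reasons.append(f"host {host or '(none)'} is not a trusted Google login host")
    return reasons


if __name__ == "__main__":
    # Constructed samples: the genuine page and the pattern from the article.
    samples = [
        "https://accounts.google.com/ServiceLogin",
        "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
        "https://accounts.google.com.other.example/ServiceLogin",
    ]
    for sample in samples:
        verdict = inspect_login_url(sample) or ["looks like the real login page"]
        print(sample[:60], "->", "; ".join(verdict))
```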

Bad news for the Internet community: a new version of Cerber ransomware has hit the web

With a different design and improved distribution tactics, the new Red Cerber ransomware has been reborn and is ready to take down as many computers as it can. The virus now spreads as a JavaScript dropper file which might arrive in the potential victim’s inbox compressed in a .zip or .rar archive. The malicious file itself is mostly delivered under a random file name and carries a .js extension at the end. Talking about the extensions of the encrypted files, these are (again) different from the previous Cerber versions. Now the virus adds four-character extensions that are generated from random letters and characters. Needless to say, files marked with such extensions become inaccessible because they are encrypted with military-grade RSA-512 and RC4 ciphers. To explain how these files can be retrieved, Red Cerber developers have designed the virus to drop a _README_.hta file in every infected folder automatically and to replace the desktop wallpaper with an image of the typical Cerber ransom note. The only thing that is different is the note’s background color. You have probably already guessed it — it is now red.

Interestingly enough, Red Cerber does not delete the Volume Shadow Copies of the encrypted files anymore, so the victims may try to recover their data for free, using these Windows backup copies of the files. The experts are not sure whether this was a programming flaw that the virus developers overlooked by accident or a purposeful and conscious decision. Either way, such a weakness makes the virus easier to counter and significantly diminishes the expected financial outcome. Thus it is likely that a new Cerber version is already on its way. If you are not infected yet — it is high time you started taking the necessary precautions to increase the security of your device and the safety of your data.

Happy new year! (and make sure you stay away from Cerber)

As 2016 came to an end, we have to thank you for being with us this year. These 12 months have brought us hundreds of new viruses, scam techniques and computer-related news. Nevertheless, we hope that we managed to reach our main goal and help you protect your computer from malware.

Even though we all feel festive, we should not forget that the holiday season is a perfect time for hackers to infect users with malware. At the moment of writing, we have to warn you about a newly-discovered campaign of Cerber ransomware. It has been found that the installer has been hidden in misleading email messages related to famous e-commerce sites such as Amazon, eBay and others. Besides, the virus can infect your computer via fake messages pretending to be warnings from your bank or another financial institution.

Make sure you check the message body attentively and, if you are not sure about the people who are trying to contact you, reach them via telephone or email. Finally, we will suggest the only New Year’s resolution you need – it’s time to get professional security software to keep your computer virus-free.

Osiris is pushing Locky out of its throne

Ransomware developers have always been competitive, trying to get more victims involved in their scams. Nevertheless, during the recent months, we have been witnessing a boiling battle of the Titans as the Osiris and Locky viruses competed for the top position in the list of the most successful ransomware. And it looks like the reign of the notorious Locky is coming to an end, with Osiris slowly but surely pushing it off its throne. It is interesting that both of these infections were programmed by the same group of hackers. In fact, Osiris is considered one of Locky’s follow-up versions. However, its new distribution strategies and better obfuscation techniques make it a serious competitor capable of outrunning its predecessor.

Over the last couple of years, the popularity of ransomware viruses has risen dramatically as more and more hackers began to feel the itch of making some easy money. The success of this illegal extortion technique has even inspired the creators of other malware (Tech Support Scams, for instance) to adopt ransomware features in their own work. It is likely that this virus family will grow even more dangerous over time, so you have to be prepared to withstand it. Whether you find yourself targeted by Osiris or Locky, be sure you have backup copies of your important files saved somewhere safe, preferably on an external storage device.

Malware infections doubled during first holiday weekend

Holiday shopping this year is and will be more dangerous than ever. Cyber security specialists warned about an expected malware increase during Black Friday and Cyber Monday; however, criminals managed to surpass these expectations. During this long four-day weekend, malware attacks doubled compared to other days of the year. In the United States, malware infections rose by as much as 106%. Instead of purchasing ridiculously cheap gadgets, a new pair of shoes or other goods, many shoppers got ransomware, Trojans, and other computer infections.

For several years, specialists have noticed that malware activity starts increasing during Black Friday and does not stop after Cyber Monday. Actually, last year the biggest malware activity was noticed two days after Cyber Monday. However, the chances of catching a computer infection stay high during the whole holiday season. So, it’s important to be careful when buying presents for your family and friends online.

During the first holiday weekend, cyber criminals tricked people by sending fake spam and commercial emails, pushing infected websites into search results and sending malicious links on social networks. Email inboxes have been flooded with tons of fake offers to purchase goods at low prices, special prices, various great deals and so on. Victims received fake emails from Amazon and other well-known retailers informing them about problems with their latest orders. These misleading emails tricked people into opening attached files, a technique typically used to spread ransomware viruses. Criminals also used social networks for their illegal activities and sent infected links on Facebook and Twitter. Well, some crooks worked very hard and created fake websites that managed to rank quite high in Google search results.

Cyber infections are lurking everywhere, so it’s important to be extremely careful this holiday shopping season. We recommend having trust issues and not relying on every offer or discount coupon you receive, even if it appears to have been sent by a popular retailer. Do not trust any emails that claim to be from retailers and report problems with your order. If you need to check the status of your purchase, go straight to the retailer’s website, log in and check if there are any issues. Keep in mind that thousands of malware developers are targeting lots of computer users in Europe, the U.S.A., and other continents. So, it’s better to be careful and not rush last-minute shopping.

Locky ransomware goes on Facebook: malware started spreading via instant messages

Most of the time we get excited when we hear a Facebook notification about a new message. Our friend was excited on Sunday as well, before he realized that the message was suspicious. He received a .svg picture without any explanation, and it smelled a bit fishy. His friend is not one of those users who send lots of pictures just for fun. Besides, Facebook always shows a full or partial preview of pictures. This time it looked like a link. He thought it was just another version of the Facebook virus. Curiosity killed the cat, and he clicked on the received picture. He ended up on a website that looked identical to YouTube, where he was asked to install an extension supposedly necessary to watch the video. This seems suspicious, right?

Indeed, this SVG file hides a Nemucod Trojan which is responsible for installing and executing the infamous Locky virus. Finally, hackers have managed to step into Facebook and launched the first ransomware distribution campaign on social media. The malware spreads via the previously mentioned SVG file: SVG is an XML-based vector image format that allows JavaScript to be embedded. As we already explained, when the victim clicks on the file, he or she is redirected to a website that looks like YouTube but has a different URL. Honestly, who looks at the URL bar? We are all interested in the content! However, this bogus site asks to install the “Ubo” or “One” extension, and if users agree to do it, the ransomware infiltrates the system, starts encrypting personal files and spreads the malicious message to all Facebook friends. After a couple of minutes you receive a ransom note, and after several hours or days, you can expect your friends to start blaming you for spreading viruses and causing them problems.

The realization that Locky can reach computer users even in such small European countries as Lithuania gives us a feeling that it’s impossible to hide from ransomware. The developers are still working hard and looking for various ways to infect computer users worldwide. Therefore, you should be careful and back up your files!
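Because SVG is XML, a file received over chat or email can be inspected before it is opened. The following is an added example (our own illustration, not code from the campaign or from Facebook) that flags the markup an image has no business carrying: script elements, on* event-handler attributes, href values with javascript: or data: schemes, and elements that can embed HTML. Both sample SVGs are constructed for the example; the script and handler bodies are placeholders.

```python
import xml.etree.ElementTree as ET

# Elements that let an "image" embed HTML or external content.
EMBEDDING_TAGS = {"foreignobject", "iframe", "embed", "object"}


def local_name(qualified: str) -> str:
    """Strip an ElementTree namespace prefix such as '{http://...}href'."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_findings(svg_text: str) -> list[str]:
    """Return the reasons an SVG should not be opened as a plain picture.
    An empty list means only static drawing markup was found."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    for elem in root.iter():  # walks the root and every descendant
        tag = local_name(elem.tag)
        if tag == "script":
            findings.append("<script> element present")
        elif tag in EMBEDDING_TAGS:
            findings.append(f"<{tag}> element can embed HTML or external content")
        for name, value in elem.attrib.items():
            attr = local_name(name)
            if attr.startswith("on"):
                findings.append(f"event handler attribute {attr} on <{tag}>")
            elif attr == "href":
                scheme = value.strip().lower().split(":", 1)[0]
                if scheme in ("javascript", "data"):
                    findings.append(f"href with {scheme}: scheme on <{tag}>")
    return findings


# Constructed sample: a plain drawing, nothing to flag.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<circle cx="5" cy="5" r="4"/></svg>'
)

# Constructed sample shaped like the chat lure: a script, an onload handler
# and a clickable link with a javascript: target. Bodies are placeholders.
SUSPICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* placeholder */">'
    '<script type="text/javascript">/* placeholder */</script>'
    '<a xlink:href="javascript:void(0)"><text x="2" y="10">Play video</text></a>'
    '</svg>'
)

if __name__ == "__main__":
    for label, svg in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, "->", svg_findings(svg) or ["static image only"])
```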

Web-start.org hijacker and Thor ransomware — two never-ending headaches for the virus experts

Ransomware and browser hijackers — a couple of this year’s most active cyber infections. Over the year 2016, these parasites have been developing, changing their form, behavior, and computer infiltration strategies, keeping virus analysts and security software developers constantly on their toes. During this period, multiple malicious infections have surfaced and died out, but there are a few of the most aggressive parasites whose creators are not even planning on stepping back. One of these viruses is Thor ransomware. This cyber infection is known to be derived from the notorious Locky virus family. It stands beside other malicious virus versions, including the .Shit file extension virus, Perl ransomware, and the ODIN virus. It is a complex infection that travels around with the help of malicious spam campaigns, uses obfuscated files to enter the computer and is capable of encrypting over 400 types of files. Cyber security experts, including the eSolutions team, are actively researching the virus and working towards its decontamination. Nevertheless, it is extremely difficult to curb such well-developed malware as Thor, so, for the time being, users are advised to fend for themselves and protect their data by making regular system backups.

The browser hijacker frontier is no less dangerous. Though these types of viruses are much less stable and easier to curb, there are parasites like Web-start.org that are raging on the web regardless of the attempts to stop them. This virus is based on the obscure Plus Network and is a trustworthy-looking imitation of a regular Internet search engine. If you ever find Web-start.org set as your homepage or default search engine — do NOT use it! Otherwise, the fake search results it provides may expose you to malicious websites where your computer might be infected by much more serious malware. It will take some time for the experts to learn how to stop this infection, but we should not forget that responsibility for the undesirable success of such programs falls on the shoulders of the users as well. We should pay more attention to our computer security and our behavior online and, maybe, problems like browser hijackers will soon become a thing of the past.