The first one is a new strain of ransomware named OphionLocker. It encrypts your data using the open source Crypto++ library's Elliptic Curve Cryptography and then ransoms the files for about 1 Bitcoin. The infection vector is limited to hacked websites, which use exploit kits to compromise unpatched computers. The ransom amount varies by the country where the victim is located, with the U.S. having the highest rates.
A new wrinkle is that when a workstation is infected with OphionLocker, it generates a unique hardware ID based on the serial number of the first hard drive, the motherboard's serial number, and other information. It then contacts the malware's Command & Control server via a Tor site and checks whether this particular hardware ID has already been encrypted. When you go to the ransomware site, it prompts you to enter your hardware ID. Once entered, it displays the amount of ransom you are required to pay and provides a Bitcoin address to which you should send the payment.
The good news: this ransomware does not (yet) securely delete your files or remove the Volume Shadow Copies. Therefore it is possible to recover your files using a file recovery tool or a program like Shadow Explorer. For more information on how to do this, please see the relevant section in the CryptoLocker guide over at BleepingComputer.
The cybercrime gang behind TorrentLocker, a fast-growing strain of ransomware, has earned $40 million between March and December 2014. Researchers from IT security company ESET have tracked the Bitcoin wallet that received the ransom payments, and since March a whopping 82,000 Bitcoins have been paid to that wallet.
TorrentLocker was first uncovered in August by iSight Partners and was seen using phishing attacks targeting the UK and Australia, but it has since expanded its reach to more countries, including Italy, the Czech Republic, Germany, and Turkey. It looks like this is another eastern European cyber gang getting ready for its assault on the U.S.
From ESET's main office in Bratislava, malware researcher Robert Lipovsky said that TorrentLocker was sophisticated, with the cryptography aspect of the malware "done quite well": it uses AES with 256-bit keys, and those keys are stored on a remote server, meaning that, as with CryptoWall, there is no way of decrypting the victim's files. ESET plans to publish an extensive report on the development of TorrentLocker next week.
The message is: patch your systems diligently, be religious about backup and restore, and step your users through effective security awareness training to make sure they don't fall for social engineering tricks. Find out how affordable this is for your organization today.
Article from SpiceWorks by Stu Sjouwerman.