TotalSystemSecurity.com


Another terrifying Ransomware: Rapid Ransomware

All ransomware has the same purpose: to encrypt the data on the victim’s PC and demand a ransom in order to unlock the files. But Rapid Ransomware is slightly different, as it stays active on the system even after its first encryption pass is done and keeps encrypting any new files the user creates.

Rapid Ransomware was first detected on January 2nd, 2018, and since then there have been more attacks. It is still unclear how this ransomware is distributed, but the most common ways to get it installed are spam mail attachments, JavaScript code embedded in hacked web pages, exploit kits and visiting pornographic sites.

Rapid Ransomware encryption process

Once the ransomware is successfully active on the attacked computer, it executes commands to delete the Windows shadow volume copies of the files, terminates database processes, and disables the automatic repair utility so that the user cannot recover the files by any of these means.
The processes terminated by Rapid Ransomware are sql.exe, sqlite.exe and oracle.com, and the commands that are executed are:

vssadmin.exe Delete Shadow /All /Quiet
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

After the commands have been executed, it starts scanning the drives and directories of the computer, searching for important files including documents, images, videos, PDFs and databases, and encrypts them. The encrypted files get the “.rapid” extension appended after the file name.
For example, a document named “myfinances.docs” will be renamed to “myfinances.docs.rapid”.

Once the ransomware finishes the encryption process, it places a ransom note named “How Recovery Files.txt” in the folders and on the desktop of the victimized computer.
The ransom note notifies the user about the encryption and provides an email address to contact the authors and pay the ransom.
The text of the ransom note reads:

Hello!
All your files have been encrypted by us
If you want restore files write on e-mail – [email protected]

This malware also creates autorun entries that launch the ransomware when the system starts up and show the ransom note. Victims of Rapid Ransomware are left with no option other than paying the ransom to unlock their files. But it is still unknown whether users get their files decrypted even after paying.

So if you are a victim of “Rapid Ransomware”, we strongly suggest that you do not pay any ransom to the illegitimate persons behind it, because even after paying they are not going to give your files back. Instead, you should remove Rapid Ransomware and try to recover your files with an automatic data recovery tool or from a backup copy if you have one.

What actions to perform when infected with Rapid Ransomware

Rapid Ransomware does not stop after encrypting your files; it keeps searching for new files created by the user on the infected computer, and if it finds any, it encrypts them too. So it is very urgent to stop all activity on your computer and shut it down as soon as possible.
If you detect the infection on your computer, you should immediately terminate the ransomware process in the Task Manager window to stop further encryption. The process name could differ, but if your system has not been rebooted it may be named “rapid.exe”. After a reboot, the ransomware process might instead be named “info.exe”.

After you have terminated the process, you should disable its autorun entries from “msconfig.exe”. If it does not allow you to do so, reboot your computer in “Safe Mode with Networking” and attempt the same.
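As an added defensive example (not code from the original post), the following Python script turns the indicators quoted above into checks a responder can run over exported process-creation logs and file listings: the shadow-copy and bcdedit commands, the rapid.exe / info.exe process names, the “.rapid” extension and the “How Recovery Files.txt” note. The sample events and paths embedded in it are constructed for illustration, and the event shape (process image name plus command line, as you would get from Sysmon event 1 or Security event 4688) is an assumption about how the logs were exported.

```python
import re
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Tuple

# Command lines the post attributes to Rapid Ransomware. The regex accepts both "Shadow" (as the
# post quotes it) and "Shadows" (vssadmin's real keyword) so either rendering is caught.
SHADOW_COPY_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows?\b.*?/all", re.I)
RECOVERY_DISABLE = re.compile(
    r"bcdedit\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    re.I,
)

# Process names the post reports before and after a reboot, the ransom note name and the extension.
SUSPECT_PROCESSES = {"rapid.exe", "info.exe"}
RANSOM_NOTE = "how recovery files.txt"
ENCRYPTED_EXT = ".rapid"


def classify_command(cmdline: str) -> Optional[str]:
    """Label a command line that sabotages recovery, or return None."""
    if SHADOW_COPY_DELETE.search(cmdline):
        return "shadow-copy-deletion"
    if RECOVERY_DISABLE.search(cmdline):
        return "recovery-disabled"
    return None


def scan_process_events(events: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """events: (process image name, command line) pairs.
    Returns (reason, process, command line) triples; one event can yield two findings."""
    hits = []
    for process, cmdline in events:
        reason = classify_command(cmdline)
        if reason:
            hits.append((reason, process, cmdline))
        if process.lower() in SUSPECT_PROCESSES:
            hits.append(("suspect-process-name", process, cmdline))
    return hits


def scan_file_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag already-encrypted files and dropped ransom notes by file name only."""
    hits = []
    for path in paths:
        name = PureWindowsPath(path).name.lower()
        if name.endswith(ENCRYPTED_EXT):
            hits.append(("encrypted-file", path))
        elif name == RANSOM_NOTE:
            hits.append(("ransom-note", path))
    return hits


# Constructed sample data, shaped after the indicators in the post (not real log exports).
SAMPLE_EVENTS = [
    ("rapid.exe", "vssadmin.exe Delete Shadow /All /Quiet"),
    ("cmd.exe", "cmd.exe /C bcdedit /set {default} recoveryenabled No"),
    ("cmd.exe", "cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("info.exe", r"C:\Users\alice\AppData\Roaming\info.exe"),
]
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\myfinances.docs.rapid",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Desktop\How Recovery Files.txt",
]

if __name__ == "__main__":
    for finding in scan_process_events(SAMPLE_EVENTS) + scan_file_paths(SAMPLE_PATHS):
        print(*finding, sep="\t")
```

The command-line checks are the most durable part: the process name changes across reboots, but deleting shadow copies and disabling Windows recovery with exactly these switches is rare in legitimate administration, so an alert on them is low-noise regardless of which ransomware family issued them.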

If you are not comfortable with manual removal of the threat, we recommend using an automatic removal solution.

The best way to combat ransomware is to keep backup copies of your important files and to keep a powerful security program running and active on your computer. Paying the ransom is not the best solution.

Ransomware is prevailing all around, it can encrypt all data any moment… Prevention is better than cure!!! SOS Online Backup is the perfect solution. SOS Online Backup is a leading online backup solution that runs quietly and automatically in the background. Both Personal and Family Cloud SOS accounts support an unlimited number of mobile devices. SOS is quick and easy. The product will automatically find important files, then simply set the start-time for a daily backup. SOS Online Backup supports any size and any file type. All SOS apps (desktop AND mobile) encrypt files using UltraSafe 256-bit AES before transferring them to the cloud.

Experts Guide To Prevent Future Attacks

The following steps will guide you to reduce the risk of infection further.

  1. Scan all files with an Internet security solution before transferring them to your system.
  2. Only transfer files from a well-known source.
  3. Always read the End User License Agreement carefully at install time and cancel if other “programs” are being installed as part of the desired program.
  4. When visiting a website, type the address directly into the browser rather than following a link.
  5. Do not provide personal information in response to unsolicited requests for information.
  6. Don’t open attachments or click on web links sent by someone you don’t know.
  7. Keep your web browser up to date and make sure your computer is configured securely.

SamSam Ransomware Attacks Continue to Impact Hospitals, Big Organizations and ICS Firms

Unfortunately, there is no stopping the SamSam ransomware as it continues to attack large businesses and organizations. Late December 2017 and the start of 2018 have been a good period for the authors of this prevailing ransomware. According to reports, the major SamSam ransomware attacks in recent times were:

  • Hancock Health Hospital in Greenfield, Indiana;
  • Adams Memorial Hospital in Decatur, Indiana;
  • The municipality of Farmington, New Mexico;
  • Allscripts, a provider of cloud-based EHR (electronic health records);
  • An ICS (Industrial Control Systems) company in the US.

Hancock Health officials have already confirmed that they opted to pay the ransom of $55K in Bitcoin despite having backups. How the other victims coped with the attack is still unknown.

Active SamSam ransomware campaign

The SamSam ransomware is used in targeted attacks that scan the Internet for computers with open RDP connections. The attackers breach the network through these RDP endpoints and then spread to more computer systems. Once inside a large network, the ransomware encrypts the important files and displays a ransom message with the phrase “sorry for files.” A screenshot of this ransom note was released by the Farmington municipality.

[Image: SamSam ransom note screenshot]
The file extension may vary, but many of the reported infections used the .weapologize extension. The payment demanded to unlock the files also varies and must be made in Bitcoin; the note provides the Bitcoin wallet address for the victim to pay the ransom. The authors of SamSam ransomware already hold 26 Bitcoin, worth about $300,000. The ransomware is still active and targeting open RDP connections, so companies and businesses are advised to secure their networks with strong and unique passwords. This can prevent a deadly ransomware like SamSam from breaching your systems.

Good News For Business-Microsoft to Add “File Restore” Feature

News has surfaced that a new “File Restore” feature is rolling out to cope with ransomware attacks, data corruption and data loss.

Microsoft is going to introduce a new feature to OneDrive for Business that will allow users to restore their entire OneDrive account to a previous version. At times, businesses or organisations face issues of data being deleted, corrupted or attacked by malware. In such cases they suffer huge losses and work is hindered. To put an end to these issues, the “File Restore” feature will help you recover your files and folders from any point within the last 30 days.

How Soon you can expect to Use this feature

The File Restore feature is coming soon. News surfaced this weekend at a presentation at the SharePoint Saturday conference held in San Diego, which revealed that the feature is expected to be completed by the end of January and is scheduled to arrive by mid-February.

[Image: OneDrive for Business to get the “Files Restore” feature]
Microsoft had originally planned to present this feature at its yearly Microsoft Ignite developer conference. By the end of September 2017, a screenshot of the “File Restore” interface had been released, and it was scheduled to arrive by December 2017, but it was not completed in time.
More details about how you can use this feature will be revealed in the following weeks.

How “File Restore” will help Business

There are various scenarios where the Files Restore feature of OneDrive can be useful. It will not only allow you to recover deleted files but will also restore the entire OneDrive account to a specific point in time. As ransomware affects more and more businesses and organizations, this can work as a powerful tool that lets you restore your important files easily instead of paying the ransom. (Read about the latest ransomware attack on a regional hospital in Indiana that cost $55k in ransom.) However, this feature is not included in the free version of OneDrive that comes with the Windows 10 operating system.

Difference between “Version History” and “Files Restore” feature of OneDrive

Users may think this is like the version history feature that already exists, but it is a different feature. Version history only allows users to get back previous versions of individual files that might have been corrupted or deleted. Files Restore, on the other hand, rolls back the entire OneDrive account and recovers all files and folders to a previous date and time. One main point is that “version history” must be turned on for this feature to work; otherwise File Restore will not work.

Stay connected for more updates on this article.

SamSam Ransomware attack forced the Hospital in Indiana to Pay Ransom of $55K

The incident took place in the city of Greenfield, Indiana on Thursday, January 11, when the ransomware attacked the network of Hancock Regional Health. The hospital had to pay a ransom of $55,000 to get its systems restored and get rid of it. Despite having backups, the hospital chose to pay the ransom, as operations were hindered and employees had been asked to shut down their systems to stop it from spreading further.

The SamSam ransomware breaches the network via RDP

The SamSam ransomware deployed in the network of Hancock Regional Health was first discovered in 2015. It is used in targeted attacks that scan the Internet for computers with open RDP connections. The attackers breach the network through these RDP endpoints and then spread to more computer systems. After spreading through a large network, the attackers deploy the SamSam ransomware and encrypt the files. The authors then demand a ransom to restore the files on the network and claim they will delete the files if it is not paid within the given deadline.
Although the exact source of the SamSam attack on the hospital systems has not been confirmed yet, the hospital said the outbreak was not due to any suspicious or infected email.

The Encrypted Files were substituted with “I’m sorry” Phrase

According to news published in a local newspaper, the SamSam ransomware encrypted the files in the targeted attack and renamed them with the phrase “I’m sorry”. As soon as the IT department detected the ransomware breach, the news was circulated through the entire hospital and employees were asked to shut down their computers to stop the threat from spreading further. Thus the operations of the hospital were hindered.
However, the medical and management staff continued their work, and operations were carried out manually on paper instead of on the computer systems. The good news is that the hospital continued to treat patients with all its facilities.

Hospital decided to Pay the Ransom despite of having backups

The hospital management confirmed to the local press on Saturday that it had paid the ransom demanded by the attackers, 4 Bitcoins, worth around $55,000. They opted to pay the ransom even though they had backups, because they did not consider restoring from them an effective solution: the restoration procedure could take several days or even weeks to put the infected network fully back into working order. So paying the ransom was the quick way to deal with the situation. The network systems were up and running again by Monday.

In conclusion, ransomware attacks continue to hinder huge companies and millions of individuals, who are left with no choice but to pay the ransom. But this only encourages such groups to carry out more illegal schemes to extort huge sums of money. The FBI has asked victims to report such large attacks via the IC3 portal, so that the Bureau can take strong action against these people and handle such matters legally.
If you have also been a victim of ransomware, you must avoid paying them; instead, always keep a backup of your important files with one of the various online backup solutions available.


List of Malicious Chrome Extensions that have impacted over 500,000 users

Be Watchful! Four Malicious Extensions Managed to Infect 500,000 Users

Malicious Chrome extensions continue to pose a threat to users. According to recent reports by ICEBRG, four Chrome extensions have been marked as “malicious”. The malicious extensions could be downloaded through the official Chrome Web Store, where they claimed to offer genuine features.


Instead, they are designed to run malicious JavaScript code in the background of the targeted browser, allowing cyber offenders to send and execute commands remotely. The main motive behind this approach was to earn profit by clicking on ads while loading multiple sites in the browser, which is known as “click fraud”. The four fake extensions were also used for search engine manipulation to gain more traffic for low-ranked web pages. Through these extensions, the authors could also connect to corporate networks and collect sensitive details and information.
Various major organizations, along with over 500,000 users, have been affected in recent times.

Here we present the names of the four malicious Chrome extensions which you should never have:

  • Nyoogle (ppmibgfeefcglejjlpeihfdimbkfbbnm) – Custom Logo for Google
  • Lite Bookmarks (ginfoagmgomhccdaclfbbbhfjgmphkph) – removed from Store
  • Stickies (mpneoicaochhlckfkackiigepakdgapj) – Chrome’s Post-it Notes
  • Change HTTP Request Header (djffibmpaakodnbmcdemmmjmeolcmbae) – removed from Store

When the security researchers at ICEBRG detected the malicious behavior of the four listed extensions, they reported it to the National Cyber Security Centre of The Netherlands (NCSC-NL), the United States Computer Emergency Readiness Team (US-CERT), and the Google Safe Browsing Operations team. So a request to remove the extensions has already been made, but Nyoogle is still available on the Chrome Web Store, and users should refrain from installing it in their browser. Many users might still be running these extensions, so if you are reading this post, check your Chrome browser for the malicious extensions and remove them quickly.
We also recommend that users scan their devices to detect and remove all traces of the malware and troubleshoot other issues.
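As an added example (not code from the original post or from ICEBRG), the Python script below checks a Chrome profile’s Extensions folder against the four extension IDs listed above. Chrome stores each installed extension under a directory named after its 32-character ID, with a manifest.json inside a version subdirectory, so matching on the directory name is enough and does not depend on the display name the extension chooses. The default profile paths are the standard ones for each platform; the temporary sample profile it builds is constructed for illustration, and the benign extension ID in it is made up.

```python
import json
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# The four extension IDs from the ICEBRG report, as listed in the post above.
FLAGGED_EXTENSIONS: Dict[str, str] = {
    "ppmibgfeefcglejjlpeihfdimbkfbbnm": "Nyoogle - Custom Logo for Google",
    "ginfoagmgomhccdaclfbbbhfjgmphkph": "Lite Bookmarks",
    "mpneoicaochhlckfkackiigepakdgapj": "Stickies - Chrome's Post-it Notes",
    "djffibmpaakodnbmcdemmmjmeolcmbae": "Change HTTP Request Header",
}
# Chrome extension IDs are 32 lowercase letters from a to p.
EXTENSION_ID = re.compile(r"^[a-p]{32}$")


def default_extensions_dir() -> Path:
    """Location of the default profile's Extensions folder on each platform."""
    home = Path.home()
    if sys.platform == "win32":
        return home / "AppData" / "Local" / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions"
    return home / ".config" / "google-chrome" / "Default" / "Extensions"


def installed_extensions(extensions_dir: Path) -> Iterator[Tuple[str, str]]:
    """Yield (extension id, display name) for every extension unpacked under extensions_dir.
    Names of the form __MSG_x__ are localisation keys; the id is what matters for matching."""
    for entry in sorted(extensions_dir.iterdir()):
        if not (entry.is_dir() and EXTENSION_ID.match(entry.name)):
            continue  # Chrome keeps non-extension folders such as Temp here; skip them
        name = entry.name
        for manifest in sorted(entry.glob("*/manifest.json")):
            try:
                name = json.loads(manifest.read_text(encoding="utf-8")).get("name", name)
            except (OSError, ValueError):
                pass  # unreadable manifest: fall back to the id as the name
            break
        yield entry.name, name


def find_flagged(extensions_dir: Path) -> List[Tuple[str, str]]:
    """Return (id, name from the report) for installed extensions that are on the flagged list."""
    return [
        (ext_id, FLAGGED_EXTENSIONS[ext_id])
        for ext_id, _ in installed_extensions(extensions_dir)
        if ext_id in FLAGGED_EXTENSIONS
    ]


def build_sample_profile() -> Path:
    """Constructed sample: a temporary Extensions folder with one flagged and one benign extension."""
    root = Path(tempfile.mkdtemp())
    for ext_id, name in [
        ("ppmibgfeefcglejjlpeihfdimbkfbbnm", "Nyoogle"),
        ("abcdefghijklmnopabcdefghijklmnop", "Harmless Notes"),  # made-up benign id
    ]:
        version_dir = root / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps({"name": name, "version": "1.0"}))
    (root / "Temp").mkdir()
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extensions_dir()
    flagged = find_flagged(target) if target.is_dir() else []
    for ext_id, name in flagged:
        print(f"FLAGGED {ext_id}  {name}")
    print(f"{len(flagged)} flagged extension(s) under {target}")
```

Run it with no arguments to check your own default profile, or pass the path of another profile’s Extensions folder; other Chrome profiles live in sibling folders named “Profile 1”, “Profile 2” and so on.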


A Fake version of MinerBlock Extension plays video within background

Security Alert!! A Fake version of MinerBlock Extension is out…

MinerBlock is a legitimate Chrome browser extension that blocks websites mining cryptocurrency through the browser. The developer of the MinerBlock extension is CryptoMineDev, and it can be downloaded from the Chrome Web Store.

[Image: the legitimate MinerBlock extension]


But security researchers have found a malicious version of the legitimate MinerBlock extension that causes trouble for users. The fake extension looks similar, but it repeatedly plays videos in the background. The fake version is published by the developer egopastor2016. Users may get confused and accidentally download the fake one, as both appear the same; the main difference is the logo.

[Image: the fake MinerBlock extension]

The main goal of the fake version is not confirmed yet, but it could be used to generate fake traffic by connecting to third-party URLs and playing videos. Clicking on such videos or links could redirect users to linked pages that download harmful content onto the computer or device. Once added to the browser, the fake MinerBlock extension connects to “egopastor.biz” and fetches instructions to execute. The instructions can specify which site to connect to and which videos to play. The videos played come from various Russian video sites. Constantly playing videos consumes 100% of the CPU until the count reaches “0”.
So users who have unknowingly downloaded the fake version of the MinerBlock extension should quickly uninstall it.

How To Uninstall Fake MinerBlock Extension

To uninstall it, go to Chrome’s settings, choose Manage extensions, right-click its icon and select Remove.
Users are advised to be very careful when downloading any extension, as imitating legitimate programs and distributing the copies over the web has become a common trick. We also recommend running a scan of your computer to detect and remove any traces of hidden malicious programs, as they could cause issues on your device.


How to Remove W32.Qakbot!gen12 Trojan virus

W32.Qakbot!gen12 can steal away all your private data…know more about this threat…

“W32.Qakbot!gen12” is a risky Trojan that, once dropped onto the PC, steals data without the user’s consent. It forcibly shuts down the firewall and other active anti-virus programs. In addition, the W32.Qakbot!gen12 Trojan changes network settings so as to allow malicious programs such as rootkits to hook into the PC and record all of the user’s keystrokes. It mainly targets financial data, important logins and passwords for banking accounts, and social account activity. The collected data is then sent to a remote server for malicious use. It is recommended to delete the W32.Qakbot!gen12 Trojan as soon as possible.


‘Better History’ – Another Tricky Browser Extension Found to Be Hijacking Chrome with Ads

“Better History 3.9.8” can silently hijack your browser and snip away all personal data

Web browser extensions are normally designed to enhance our browsing experience and ease tasks by providing helpful tools and utilities. But surprisingly, many cyber offenders use this as a trick to cheat users and siphon all their important information from their PC.

[Image: the Better History extension]

Yet another browser extension that is cheating novice users nowadays is “Better History”, which claims to provide various filter options for a better view of the browsing history. Sources say that users who recently updated to “Better History 3.9.8” have reported it asking for the additional permission to “read and change all your data on the websites you visit.” After the update, “Better History” causes severe redirections through the linkr.us service, where users are forced to see lots of advertisements and pop-ups, which in turn make money through clicks and impressions on those ads.


Previous versions of the “Better History” extension were very popular Chrome extensions for the extra filters they added to browser history. But the latest version now on the market is causing hijacking issues and siphoning off important data in the background. Thus, users should uninstall the “Better History” extension as soon as possible.


Users may not be aware that “Better History” was sold to another, unnamed company by its owner two months ago, as of version 3.9.5. Given the hijacking and redirection issues, the new owner may be the culprit behind all of this. Due to the many complaints against the new version of “Better History”, 3.9.8, Google has removed it from its store.


Nowadays, unwanted browser extensions have become a main cause of browser hijacking, malware infection and data theft. Thus, computer users are advised to be more cautious when downloading any third-party applications, as they can put your privacy at huge risk. If you still have “Better History 3.9.8” installed on your computer, remove this annoying web extension completely as soon as possible.


KeRanger has emerged as the first Mac OS X ransomware

OSX.Keranger Detected on Mac OS X on March 5, 2016

Threat Definition

KeRanger was first detected on March 5, 2016 on Mac OS X users who had downloaded a compromised version of the installer for the Transmission BitTorrent client. OSX.Keranger is thus a new piece of malware targeting users of the Mac OS X operating system.

[Image: KeRanger ransomware delivered through the Transmission installer]

Behavior

The behavior of the KeRanger ransomware is similar to that of the TeslaCrypt ransomware designed for Windows-based systems. After getting inside the target Mac OS X PC, KeRanger scans the PC for important files with more than 250 extensions and encrypts them. After encrypting the files, it displays a warning message that the victim should pay 1 bitcoin (approximately US$408). The ransomware drops a file that contains instructions on how to pay the ransom, which is usually done through the Tor network.
The KeRanger ransomware is able to bypass OS X’s Gatekeeper, a useful Mac utility that blocks unwanted software from untrusted sources.

Potential Risk Involved

So far the KeRanger malware has only one way to compromise Mac OS X, through the malicious installer, but the attackers are looking for other ways to spread the first ever Mac OS X ransomware. If this attempt succeeds, it will encourage the makers of such threats to design more of them.

Precautions for preventing ransomware attacks

  • Users must keep their operating system and other recommended software up to date. This closes the vulnerabilities that could compromise the software, leaving attackers no flaws to get in through.
  • Keep a regular backup of the important files stored on your computer. Then, if your computer gets infected with ransomware, the files can be restored once the malware has been removed.
  • Always keep your security software up to date to protect yourself against new variants of malware.
  • Do not open any suspicious mail or its attachments, and avoid clicking on untrusted websites or links.

How to detect OSX.Keranger on the Mac PC

It is strongly suggested that all users of the Transmission BitTorrent app check whether their Macs have been infected with this ransomware. We strongly recommend following the steps below.

  1. Use the Finder or Terminal to determine whether either of the following paths exists:
    • /Applications/Transmission.app/Contents/Resources/ General.rtf
    • /Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf
    If you find either of the above paths, delete the Transmission application as soon as possible.
  2. Open the Activity Monitor utility and check if any process called “kernel_service” is running.

Double-check each process: click “Open Files and Ports” and make sure that you don’t see “/Users/<username>/Library/kernel_service”. That is the main process of KeRanger, so if you have it running, choose “Quit > Force Quit”.

Check the “.kernel_pid”, “.kernel_time”, “.kernel_complete”, and “kernel_service” files in the ~/Library folder. If you locate any of these, delete them.

Note: If you are not familiar with the internal structure of these files, please do not attempt the manual instructions, as they could harm other files on the computer.
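As an added example (not code from the original post), the Python script below automates the manual checks listed above: it looks for the two trojanised Transmission bundle paths, the marker files in ~/Library, and a running kernel_service process. The filesystem root, home directory and process list are parameters so the check can be exercised against a constructed sample tree; run it without arguments on a real Mac and it uses / , your home directory and ps. The sample tree it builds is constructed for illustration only and contains placeholder text, not the real files.

```python
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple

# Indicators quoted in the post. Note the leading space in " General.rtf": the trojanised
# Transmission bundle hid its payload under a name that looks like the legitimate General.rtf.
TRANSMISSION_INDICATORS = [
    Path("Applications/Transmission.app/Contents/Resources/ General.rtf"),
    Path("Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf"),
]
LIBRARY_INDICATORS = [".kernel_pid", ".kernel_time", ".kernel_complete", "kernel_service"]
PROCESS_NAME = "kernel_service"


def find_keranger_indicators(root: Path, home: Path, processes: Iterable[str]) -> List[Tuple[str, str]]:
    """Check a filesystem root, a home directory and a list of process paths for the published
    indicators. Returns (kind, path) pairs; an empty list means nothing was found."""
    findings = []
    for rel in TRANSMISSION_INDICATORS:
        candidate = root / rel
        if candidate.exists():
            findings.append(("trojanised-transmission", str(candidate)))
    for name in LIBRARY_INDICATORS:
        candidate = home / "Library" / name
        if candidate.exists():
            findings.append(("keranger-library-file", str(candidate)))
    for proc in processes:
        if os.path.basename(proc.strip()) == PROCESS_NAME:
            findings.append(("keranger-process", proc))
    return findings


def running_processes() -> List[str]:
    """Executable path of every running process, via ps (works on macOS and Linux)."""
    out = subprocess.run(["ps", "-axo", "comm="], capture_output=True, text=True, check=False).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def build_sample_system() -> Tuple[Path, Path]:
    """Constructed sample: a temp tree with one trojanised bundle path and one marker file."""
    root = Path(tempfile.mkdtemp())
    home = root / "Users" / "alice"
    payload = root / TRANSMISSION_INDICATORS[0]
    payload.parent.mkdir(parents=True)
    payload.write_text("constructed placeholder, not the real file")
    (home / "Library").mkdir(parents=True)
    (home / "Library" / ".kernel_pid").write_text("12345")
    return root, home


if __name__ == "__main__":
    hits = find_keranger_indicators(Path("/"), Path.home(), running_processes())
    for kind, path in hits:
        print(f"{kind}\t{path}")
    print("no KeRanger indicators found" if not hits else f"{len(hits)} indicator(s) found")
```

The script only reports; it deletes nothing, so the findings can be reviewed before the Transmission application and the marker files are removed as the steps above describe.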

  1. Scan the PC with the MacKeeper Scanner to detect the threat and clean it completely from the PC.
  2. Use Stellar Macintosh Data Recovery to restore the corrupted files.

DROWN Attack Leaves More Than 11 Million Open HTTPS Domains Vulnerable

[Image: DROWN attack logo]

DROWN stands for “Decrypting RSA with Obsolete and Weakened eNcryption.”

DROWN is a new vulnerability that puts websites whose servers still accept SSLv2 at risk of having their traffic decrypted. This means that your crucial data, including bank logins, passwords and email accounts, could be at risk. DROWN exploits weaknesses in SSLv2 on servers that share a certificate or key with TLS services, and uses them to decrypt data collected from the attacked servers. The report states that 25% of the top websites could be attacked by DROWN, including Yahoo, BuzzFeed, Flickr and Samsung.

“We’ve been able to execute the attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC. Even for servers that do not have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in under 8 hours at a total cost of $440.”

“You’re just as much at risk if your site’s certificate or key is used anywhere else on a server that does support SSLv2,” security researchers noted. “Common examples include SMTP, IMAP, and POP mail servers, and secondary HTTPS servers used for specific web applications.”

SSLv2 has been around since the 1990s and has been known to be vulnerable for years, so most servers now use a different protocol. Nevertheless, it has now emerged that merely permitting SSLv2 is a threat to modern servers and clients.

The DROWN website attributes the problem to the weakening of cryptography by US federal government policies in recent years, making this the third major internet security vulnerability in a year, following FREAK and Logjam.

To find out more about the DROWN attack, or to check whether your site is vulnerable, visit the DROWN Attack website.

If your website is found to be vulnerable, take the preventive measures below without delay.

How to protect against the DROWN attack

“To protect against the attack, server operators need to make sure that their private connections are not used anywhere with server software which allows SSLv2 connections,” according to the FAQ on the DROWN website. “This includes web servers, SMTP servers, IMAP and POP servers, and some different software that supports SSL/TLS.” Although there is no confirmation that cybercriminals are taking advantage of the SSLv2 vulnerability, it is important to take precautions, as such a thing could happen.

Welcome to TotalSystemSecurity.com, where we provide users with the latest news and information about computer threats like adware, spyware, Trojans, browser hijackers and ransomware. Here at TotalSystemSecurity.com, you will get detailed information about the latest threats and manual removal instructions. We hope our guides and articles help you troubleshoot your PC issues.

TotalSystemSecurity © 2015-2017