Wiper malware Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/wiper-malware/
Thu, 03 Nov 2022 17:43:31 +0000

Azov Ransomware Tries to Set Up Cybersecurity Specialists
https://gridinsoft.com/blogs/azov-ransomware-set-up-cybersecurity-specialists/
Tue, 01 Nov 2022 17:12:24 +0000
Azov ransomware, a newcomer to the encryption malware market, arrives with a rather unusual strategy. It seems to be a simple vandal that shifts responsibility onto reputable malware analysts. It gives users no chance to decrypt their files, as those analysts can neither decrypt them nor find the threat actor.

Azov ransomware asks for Ukraine support

This ransomware takes its name from a well-known Ukrainian military unit, Azov, which is known far beyond the battlefields of the Russo-Ukrainian war, and mostly in a positive light. Meanwhile, Azov ransomware encrypts users’ files and provides no workable instructions to go with them. Encrypted files receive the .azov extension and cannot be opened in the usual way. Moreover, no decryptor tool is available at the moment.

Figure: Files encrypted by Azov ransomware

Claims like “contact ransomware analysts” look more like an attempt to suggest that these researchers are related to the crime. The crooks even signed the ransom note with the nickname of one of them, Hasherezade. Others named in the ransom note are Michael Gillespie, Vitaly Kremez, and Lawrence Abrams. However, they are not sorcerers and cannot decipher your files.

Figure: Ransom note posted by Azov ransomware

This malware is delivered through SmokeLoader, the backdoor that is also used to deliver STOP/Djvu ransomware and the RedLine stealer. Overall, its distribution relies heavily on cracked software and keygen applications. Since there is no real way to reach the Azov operators, this malware is effectively a destructive wiper rather than ransomware. Affected users have already begun complaining on various resources, including to the analysts named in the ransom note. However, the researchers do not yet know how to help the victims.

Ransomware gets politically preconceived

There is nothing new about ransomware attacks having a political motivation. The Russia-related Conti group claimed responsibility for cyberattacks on governmental organizations of Western countries. Soon after Russia’s war against Ukraine started, a number of Ukrainian hackers appeared, spreading ransomware to Russia and its allies. Still, Azov ransomware does not look politically biased against Russia, contrary to what its name may suggest.


Its ransom note gives several hints that its creator is Polish (or that this is just an attempt to make us think so). It blames the German and US governments for giving no support to Ukraine in the current war, which is far from reality: both countries are the biggest suppliers of different goods and the biggest monetary donors. The calls to “make revolution”, with nostalgic references to the “sweet times” of Merkel’s chancellorship and the pre-Biden era (i.e., Trump’s presidency), paint a clear picture. It is obvious who would be the main beneficiary of any drastic changes in the current governments of European countries and the USA. And impersonating their rivals to spread turmoil is not a new trick for Russians.

Microsoft discovered the WhisperGate wiper attacking Ukrainian users
https://gridinsoft.com/blogs/microsoft-discovered-the-whispergate-wiper-attacking-ukrainian-users/
Mon, 17 Jan 2022 22:06:45 +0000

Microsoft says it discovered a destructive attack on Ukrainian users using the WhisperGate wiper, which tried to pass itself off as ransomware but in fact gave victims no way to recover their data.

In fact, the detected threat is a classic wiper, that is, malware designed to deliberately destroy data on an infected host.

WhisperGate wiper

Such malware is usually used either to mask other attacks and remove important evidence of a hack, or to perform sabotage that inflicts maximum damage on the victim and prevents it from carrying out its usual activities, as was the case with the Shamoon, NotPetya and Bad Rabbit attacks.

“Currently, our investigation teams have identified malware on dozens of affected systems, but this number may increase as the investigation continues,” Microsoft experts said.

According to the company, the attacks began on January 13, and the affected systems belonged to several Ukrainian state institutions, as well as non-profit organizations and information technology companies. As in the cases of the NotPetya and BadRabbit wipers, the new malware also contains a component that overwrites the MBR and prevents infected systems from booting.

The researchers have not yet been able to determine the malware’s distribution vector, so it is unclear whether the attack affected anyone besides Ukrainian targets.

WhisperGate replaces the usual boot screen with a ransom note which, researchers say, contains an amount, a bitcoin address, and a Tox ID for contacting the attackers. So far, no payments have been made to the criminals’ wallet.

However, experts note that paying is useless: even if victims manage to restore the MBR, the malware deliberately damages files with certain extensions, overwriting their contents with a fixed number of 0xCC bytes and bringing the total file size to 1 MB. The affected extensions are listed below.

.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU .SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP
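As an added triage example (not code from the Gridinsoft article or from Microsoft), the following Python script walks a directory and flags files that match the corruption pattern described above: a targeted extension, exactly 1 MB long, and filled entirely with 0xCC bytes. It assumes “1 MB” means 1048576 bytes, uses only a subset of the listed extensions, and builds its own constructed sample files so it runs offline.

```python
import os
import tempfile

# Subset of the extensions listed in the article; extend as needed.
TARGET_EXTENSIONS = {".doc", ".docx", ".pdf", ".txt", ".sql", ".py", ".xls", ".zip"}
WIPE_BYTE = 0xCC             # filler byte named in the article
WIPE_SIZE = 1024 * 1024      # "1 MB" taken as 1 MiB (assumption)
CHUNK = 64 * 1024


def looks_wiped(path: str) -> bool:
    """True if the file is exactly WIPE_SIZE bytes long and every byte is 0xCC."""
    if os.path.getsize(path) != WIPE_SIZE:
        return False
    filler = bytes([WIPE_BYTE]) * CHUNK
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True           # reached EOF with every chunk matching
            if chunk != filler[: len(chunk)]:
                return False


def scan_tree(root: str) -> list:
    """Walk root and return the paths of target-extension files that look wiped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS:
                full = os.path.join(dirpath, name)
                if looks_wiped(full):
                    hits.append(full)
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample directory: one wiped file, one intact, two near misses."""
    root = tempfile.mkdtemp(prefix="wipertriage_")
    samples = {
        "report.docx": bytes([WIPE_BYTE]) * WIPE_SIZE,                 # matches
        "notes.txt": b"quarterly notes, still readable\n",              # intact
        "dump.sql": bytes([WIPE_BYTE]) * (WIPE_SIZE - 1) + b"\x00",     # last byte differs
        "blob.bin": bytes([WIPE_BYTE]) * WIPE_SIZE,                     # extension not targeted
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Running `scan_tree(build_sample_tree())` returns only the constructed `report.docx`; on a real host, point `scan_tree` at a mounted image of the affected volume rather than the live system.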

Microsoft experts have said that so far, they have not been able to link these attacks to any specific hack group, and they are currently tracking the attackers under the ID DEV-0586.

Attacks on Ukrainian sites

At the end of last week, we already wrote that many Ukrainian sites suffered from cyberattacks and were defaced.

As the Ukrainian authorities have now said, Russian hackers are responsible for this attack:

“All the evidence points to Russia being behind this cyberattack. Moscow continues a hybrid war and is actively building up its forces in the information and cyberspace,” the ministry said in a statement.

The ministry says that the purpose of this attack is “not only to intimidate the public,” but also “to destabilize the situation in Ukraine by shutting down the public sector and undermining confidence in the government on the part of Ukrainians.”

I also recall that I reported that Russian-speaking hackers attacked the government infrastructure of Poland.

What is the worst computer virus? Figuring out
https://gridinsoft.com/blogs/worst-computer-virus/
Wed, 27 Jan 2021 14:41:37 +0000

Worst computer virus: what is it? It seems that anyone who has ever been infected asks this question, and each user thinks their case was more severe than anyone else’s. Is that true? And which virus is really the worst?

It is important to mention that computer viruses are not only “viruses”. Nowadays, the term “computer virus” is used to describe all types of malicious programs. But, in fact, viruses are just one type of malware, like backdoors, coin miners, spyware or ransomware. You can read more about why that happened in our article.

The worst computer virus – what is it like?

First, let’s figure out what is meant by the term “the worst computer virus”. Different malware does different kinds of damage, all of it unwanted. Viruses can damage your network configuration and system settings, encrypt your files, or even break your hardware. But the most dangerous ones damage every element of your system. Some such malware aims to make money from you; others just make your life harder. Let’s look at the top 5 list of the worst computer viruses, starting from the least dangerous.

5th place. Coin miner trojan

This malware uses your hardware to mine cryptocurrencies, specifically Monero and DarkCoin. What is the risk for your computer? First of all, it creates a significant load on your hardware, almost 70-90% on both CPU and GPU. That can easily lead to overheating, which never does any good to the lifespan of your hardware. Moreover, GPU wear is much higher when it is used for cryptomining. The danger is biggest on laptops, whose cooling systems are not designed to handle constantly overloaded hardware.

Figure: Coin miner consumes more than 60% of CPU power. Antiviruses cannot work properly in such conditions.

Another side of the problem is that modern coin miner trojans sometimes carry a spyware module. That means your personal data will no longer be personal; read the next paragraph.

4th place. Spyware

Spyware is designed to steal all possible personal information from the victims’ PCs. Location, language settings, cookie files, search history, activity-hours data, even your PC configuration will be leaked to the crooks. Depending on the type of attack, mass or targeted, this information will be sold to third parties or used for further cyberattacks. Spyware is extremely silent: it tries to stay in your system as long as possible to gather more personal information about you. Most examples of this malware type can also steal your conversations, so don’t be surprised if you one day see some very private information available to everyone.

Figure: The scheme of spyware actions

Spyware’s stealthiness makes it a tough nut for antivirus programs. Security tools often struggle to detect spyware correctly with a heuristic engine. Even if one is detected, you will probably see a “generic” detection, which sometimes turns out to be a false positive and is therefore ignored.

3rd place. Banking trojans

What can be worse than having your personal information stolen? Sure, having your banking information stolen. And we are talking not only about card numbers and CVV codes: they are important, but almost useless without transaction approval. Modern banking trojans aim at your online banking, specifically at your login and password for it. With those, crooks are free to manage your money.

Figure: The page displayed by the most primitive banking trojans

Sometimes, banking trojans are combined with other malware, embedded into spyware, rogue software or phishing trojans. Since they target seriously protected things, online banking login forms, they are made by professionals. And it is a bad idea to ignore their efficiency; otherwise, you will have to ignore the zeros on your bank account. Or, possibly, huge credit lines.

2nd place. Wiper virus

This type of malware has always been very rare, but its danger cannot be underestimated. Wiper malware destroys your disk partitions. It is not about making money from you; it exists purely for revenge or mischief. With your disk partitions broken, you lose access to all your files and to your operating system: UEFI is simply unable to find the boot record of your OS, and all the data on your disks is just an unstructured mixture of bytes. Wiper malware is so rare that some anti-malware programs do not even have it in their detection databases.

Such a malicious program needs driver-level access to your system. Hence, it is natural to expect the hazard from programs that pretend to be driver updaters, “system optimization tools”, or other deep-configuration software. Overall, such tools are considered dangerous because of their questionable functionality, and the chance of getting your logical disks ruined adds to this danger.

Worst computer virus ever. Ransomware

What is more painful than having your disk partitions destroyed? Yes, having your files encrypted. While partitions can be recovered, thanks to special tools that can be launched from a LiveCD, files attacked by ransomware are impossible to fix. True, there are decryption tools for several ransomware families, but none of them guarantees that you will get your files back. The only guaranteed way to decrypt your data is to pay the ransom, $1000 or more.

Figure: Ransomware note

Ransomware uses military-grade encryption: AES-256, RSA-1024, RSA-2048, or even ECC. Decrypting it with brute force can take more time than our universe has existed. The only lucky chance of getting your files back without paying the ransom is to be hit by ransomware whose encryption is flawed by design. The only well-known ransomware family with flaws in its encryption is HiddenTear, but its most recent variants have these holes fixed. Another way to get the decryption key is to wait for the ransomware group to shut down. But even this gives you no guarantees.

Ransomware also deals heavy damage to your system configuration. To prevent the use of anti-malware software, it blocks access to the websites of the vendors listed on the VirusTotal site. Moreover, it also blocks the launching of antivirus installation files. This means that your HOSTS file, along with Group Policies, has undergone significant changes. If you just remove the ransomware and skip system recovery, you will probably see your system malfunctioning.

Share this article and don’t forget to give your opinion on the worst computer virus in the comments. We will add the most interesting variants to the text, so describe them well. Good luck!
