Grammarly Squashes Security Hole

February 15, 2018
Filed under Around The Net

Typo-targeting browser extension Grammarly was found harbouring a bug that could potentially expose everything a user ever wrote while using the spelling and grammar checker.

The bug was found by serial flaw spotter Tavis Ormandy of Google’s Project Zero fame. The researcher found that the Chrome and Firefox extension was leaking authentication tokens, meaning any website a user visited could access their “documents, history, logs, and all other data”.

Essentially, this would mean all their scribing, blog posting, email, tweeting, moaning on INQUIRER articles and so on could have been exposed to the wrong eyes, provided a bit of simple scripting had been put in place.

“I’m calling this a high severity bug, because it seems like a pretty severe violation of user expectations,” said Ormandy.

“Users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites.”
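The article does not say how Grammarly’s token reached other sites, so the following is an added illustration rather than the extension’s own code: a page-facing message handler in the weak form that returns its session token to any requester, beside a hardened form that parses the requester’s origin and checks it against an allowlist. The token value, the handler names, the `demo` function and the origin `https://app.example-checker.test` are constructed for this example.

```javascript
// Added example (not Grammarly's code): two versions of an extension message
// handler that a web page can reach. The weak one reproduces the failure mode
// the article describes (any site can obtain the token); the hardened one
// validates the sender's origin first.

// Constructed stand-in for a real session token.
const SESSION_TOKEN = 'constructed-demo-token-123';

// Hypothetical allowlist: the only origin that legitimately needs the token.
const ALLOWED_ORIGINS = new Set(['https://app.example-checker.test']);

// Weak: trusts whoever asks. A content script injected into every page, or an
// externally reachable message listener with no sender check, behaves like this.
function handleTokenRequestWeak(sender, request) {
  if (request.type !== 'get-token') return null;
  return { token: SESSION_TOKEN };
}

// Hardened: derive the exact origin (scheme + host + port) with the URL parser
// instead of substring matching, then require it to be on the allowlist.
function handleTokenRequestHardened(sender, request, allowed = ALLOWED_ORIGINS) {
  if (request.type !== 'get-token') return null;
  let origin;
  try {
    origin = new URL(sender.url).origin;
  } catch (err) {
    return { error: 'unparseable sender url' };
  }
  if (!allowed.has(origin)) {
    return { error: `origin ${origin} not permitted` };
  }
  return { token: SESSION_TOKEN };
}

// Run both handlers against a constructed look-alike origin and report whether
// each one leaks the token.
function demo() {
  const request = { type: 'get-token' };
  // Constructed attacker page whose hostname merely ends with the trusted name.
  const attacker = { url: 'https://app.example-checker.test.evil.test/steal' };
  const weak = handleTokenRequestWeak(attacker, request);
  const hardened = handleTokenRequestHardened(attacker, request);
  return {
    weakLeaks: weak !== null && weak.token === SESSION_TOKEN,
    hardenedLeaks: hardened !== null && hardened.token === SESSION_TOKEN,
  };
}

console.log(demo()); // { weakLeaks: true, hardenedLeaks: false }
```

The hardened check compares the full origin produced by the URL parser, which is what defeats look-alike hosts such as `app.example-checker.test.evil.test` and plain-HTTP variants of the trusted host. In a real extension the same check belongs at every point where page-originated messages are accepted, and better still the token never reaches page context at all when the extension can make the authenticated request itself.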

The researcher promptly contacted Grammarly and informed it of the bug. Grammarly patched it quickly, in what Ormandy called “really impressive response time”.

Grammarly fixed the bug in the extension in the Chrome Web Store and pushed out a patch for the Firefox version.

Such was the speedy response that Grammarly claims the bug wasn’t exploited and all is well with the spellchecker.

Nevertheless, the bug was certainly an alarming one, as Grammarly has 22 million users on its books who, had the bug not been picked up by Ormandy, could have seen their writing sucked up and exposed by websites with malicious coders lurking on them.

Of course, this didn’t happen, but it does raise the question of how much access we give browser extensions to our online activities and how much due diligence is done to ensure such add-ins are safe and bug-free.


Apple Software Encounters More Security Issues With “ChaiOS” Bug

January 26, 2018
Filed under Computing

Apple software continues to not ‘just work’, as a fresh bug in iOS and macOS has been found to crash iMessage when a specific link is clicked.

That link, which is being dubbed ChaiOS, appears to be a basic GitHub link which one would assume would be something Apple devices would handle with ease.

But according to several reports, the link can cause the Apple devices to crash iMessage or even freeze and restart the iPhone, iPad or Mac machine that clicked it. 

Twitter user Abraham Masri outed the bug and noted that its discovery marks the return of the “effective power” bug that has long caused iOS devices to crash when they received a set of specific Unicode characters in both iMessage and other communications apps.

ChaiOS hasn’t, so far at least, caused any damage to iGadgets, so don’t worry too much if you have prankster friends who sent you the link ‘for the bantz’, though perhaps think about finding more empathetic pals.

The Apple nerds over at 9to5Mac put the bug to the test and found it yielded mixed results, sometimes freezing, sometimes restarting and in some cases repeatedly crashing every time the message with the ChaiOS link was viewed. For macOS’ Safari browser it would just show the spinning beach ball icon and not much else.

Currently, there’s no clue as to what exactly is causing the bug. And Apple isn’t likely to rush to fix it as it’s not a problem that’s a security risk – Apple already has enough of those to squash.

It is a mild annoyance, though, and we’d suggest that iMessage users proceed with caution when it comes to clicking links in messages, particularly if they come from your friendship group’s ‘bantersaurus’ or ‘Archbishop of Banterbury’.


Did NotPetya Cost Maersk 300 Million

November 13, 2017
Filed under Around The Net

Maersk has claimed that the NotPetya ransomware that ripped through a number of its operations in the summer has cost the company as much as $300m.

The company admitted this week that the ransomware caused a 2.5 per cent decrease in shipping volumes as the company struggled to process freight with systems that had been taken down by the outbreak.

“The effect on profitability from the June cyber-attack was $250m-$300m, with the vast majority of the impact related to Maersk Line in the third quarter. No further impact is expected in the fourth quarter,” the company advised stockholders in its latest financial report.

“The cyber-attack primarily impacted July and August, while contingencies related to recovery from the cyber-attack resulted in a negative development on volumes, utilisation and unit cost performance throughout the quarter.”

The $250m-$300m costs associated with dealing with NotPetya compare with an “underlying profit” of $372m generated on revenues of $8bn, according to the company, and came against the backdrop of rising container freight rates, which will have cushioned the blow.

In addition to the hit on Maersk Line, part of the company’s Transport & Logistics division, the report also indicated that its APM Terminals business had also been affected by “additional costs related to the cyber attack”.

However, despite the company’s claim that no further impact is expected from the cyber attack in the current quarter, it admitted that recovering IT services and reliability following NotPetya would lead to continuing higher costs.

The report confirms a profit warning related to the ransomware issued by the company in August. It is not the only major organisation to have suffered heavy losses as a result of the destructive malware, with parcel delivery firm TNT Express particularly hard hit.


Marissa Mayer Blames Russians For Yahoo Hacking

November 10, 2017
Filed under Around The Net

Former Yahoo Chief Executive Marissa Mayer offered up apologies for two massive data breaches at the internet company, blaming Russian agents for at least one of them, at a hearing on the growing number of cyber attacks on major U.S. companies.

“As CEO, these thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users,” she told the Senate Commerce Committee, testifying alongside the interim and former CEOs of Equifax Inc and a senior Verizon Communications Inc executive.

“Unfortunately, while all our measures helped Yahoo successfully defend against the barrage of attacks by both private and state-sponsored hackers, Russian agents intruded on our systems and stole our users’ data.”

Verizon, the largest U.S. wireless operator, acquired most of Yahoo Inc’s assets in June, the same month Mayer stepped down. Verizon disclosed last month that a 2013 Yahoo data breach affected all 3 billion of its accounts, compared with an estimate of more than 1 billion disclosed in December.

In March, federal prosecutors charged two Russian intelligence agents and two hackers with masterminding a 2014 theft of 500 million Yahoo accounts, the first time the U.S. government has criminally charged Russian spies for cyber crimes.

Those charges came amid controversy relating to alleged Kremlin-backed hacking of the 2016 U.S. presidential election and possible links between Russian figures and associates of President Donald Trump. Russia has denied trying to influence the U.S. election in any way.

Special Agent Jack Bennett of the FBI’s San Francisco Division said in March the 2013 breach was unrelated and that an investigation of the larger incident was continuing. Mayer later said under questioning that she did not know if Russians were responsible for the 2013 breach, but earlier spoke of state-sponsored attacks.

Senator John Thune, a Republican who chairs the Commerce Committee, asked Mayer on Wednesday why it took three years to identify the data breach or properly gauge its size.

Mayer said Yahoo has not been able to identify how the 2013 intrusion occurred and that the company did not learn of the incident until the U.S. government presented data to Yahoo in November 2016. She said even “robust” defenses are not enough to defend against state-sponsored attacks and compared the fight with hackers to an “arms race.”

Yahoo required users to change passwords and took new steps to make data more secure, Mayer said.


AVAST To Seek An IPO In 2018

November 10, 2017
Filed under Around The Net

AV outfit Avast has hired Rothschild to prepare the business for an initial public offering (IPO) which could value the firm at as much as $4 billion.

CVC Capital Partners, which took control of the Prague-based company in 2014, could seek a London listing for Avast in the first half of next year if market conditions allow.

If successful, Avast’s float would represent the largest ever UK technology IPO. However it would have to navigate a tough market, which has seen a number of planned London listings pulled in recent weeks.

CVC hired Rothschild after talking to a series of banks as part of a contest in October, the sources said, adding Rothschild will carry out the preliminary work for the deal which includes the selection of global coordinators and bookrunners.

Avast, which previously attempted to float on Nasdaq in 2012, has Summit Partners among its minority investors alongside Czech entrepreneurs Pavel Baudiš and Eduard Kučera, who founded the company in 1991.


Are Hackers From North Korea Stealing Bitcoins

September 21, 2017
Filed under Around The Net

North Korea’s hackers may be stealing bitcoin and other virtual currencies in a bid to evade sanctions and obtain hard currencies to fund the regime.

That’s according to a blog post by security firm FireEye. While state-sponsored North Korean cyber-criminals have been targeting banks and the global financial system for some time in order to fund the isolated state, FireEye believes that hackers are now attempting to steal virtual currencies too.

Since May 2017, FireEye says it has observed North Korean actors target at least three South Korean cryptocurrency exchanges with the suspected intent of stealing funds.

“The spearphishing we have observed in these cases often targets personal email accounts of employees at digital currency exchanges, frequently using tax-themed lures and deploying malware (PEACHPIT and similar variants) linked to North Korean actors suspected to be responsible for intrusions into global banks in 2016,” it said.

FireEye suggested that the attacks were not the only link between North Korea and cryptocurrencies. It said there were also “ties between North Korean operators and a watering hole compromise of a bitcoin news site in 2016, as well as at least one instance of usage of a surreptitious cryptocurrency miner”, the latter a reference to Kaspersky Lab’s finding of a direct link between North Korea and the Lazarus group, the banking heist hackers who installed Monero cryptocurrency mining software.

According to FireEye, spearphishing attempts against one South Korean exchange began early in May, and later that month another exchange in South Korea was compromised. In early June, more suspected North Korean activity targeting ‘unknown victims’ – which FireEye believes are cryptocurrency service providers in South Korea – was reported, and in July a third South Korean exchange was targeted, once again through spearphishing a personal account.

Prior to this activity, four wallets on Yapizon, a South Korean cryptocurrency exchange, were compromised on 22 April, although FireEye says there is no indication of North Korean involvement in this.

The cyber security firm believes that the 26 April announcement by the US of increased economic sanctions against North Korea may have played a part in driving North Korean interest in cryptocurrency. By focusing on cryptocurrencies, attackers may benefit from lax anti-money laundering controls as the regulatory environment around these currencies is still emerging.

“While at present North Korea is somewhat distinctive in both their willingness to engage in financial crime and their possession of cyber espionage capabilities, the uniqueness of this combination will likely not last long-term as rising cyber powers may see similar potential,” FireEye said.

“Cyber criminals may no longer be the only nefarious actors in this space,” it concluded.


Did The CIA Spy On Intel’s Partners

September 1, 2017
Filed under Around The Net

The FBI and Homeland Security, which relied on the CIA for tech support for biometric data, were being targeted by spyware.

According to documents leaked to Wikileaks, which fairly likely came from Russian intelligence, the CIA wrote a program called ExpressLane that is designed to be deployed alongside a biometric collection system the CIA provides to partner agencies.

Since 2009 this software has been siphoning data back to the CIA on the off-chance those partners are holding out on them.

ExpressLane masquerades as a software update, delivered in-person by CIA technicians — but the documents make clear that the program itself will remain unchanged. The program siphons the system’s data to a thumb drive, where agents can examine it to see if there’s anything the partner system is holding back. If the partners refuse the phoney update, there’s a hidden kill-switch that lets agents shut down the entire system after a set period of time, requiring an in-person visit to restore the system.

WikiLeaks’s “sources” claim the program was primarily used against US agencies like the FBI and Department of Homeland Security, although the documents themselves do not say that. In fact the CIA doesn’t maintain any significant biometric database of its own, and it is also unclear what the agency would do with any data it obtained.

WikiLeaks continues to release the agency’s hacking tools as part of the Vault 7 campaign.


Has The Playstation Network Suffered Another Breach

August 28, 2017
Filed under Gaming

The hacker group known as OurMine has reportedly cracked into Sony and made off with a collection of PlayStation Network (PSN) logins.

Legitimately, OurMine offers to protect your online accounts and presence and keep them secure on a monthly paid-for basis. It also busts its way into systems, picks them apart and exposes their weaknesses, all while wearing a lovely white hat.

We have already seen it at work this month when it took on HBO and Game of Thrones and managed to come out of it with Twitter control and a couple of script treatments. 

The benevolent group is not planning on leaking any of the information that it took from PSN and got quite indignant at the suggestion in one of its own tweets, suggesting that Sony just needed to get in touch and avail itself of the OurMine services and this would all be over.

“No, we aren’t going to share it, we are a security group, if you works at PlayStation then please go to our website ourmine . org,” it said on Twitter.

Reports claim that the hack of Sony’s social media accounts was achieved using its Sprout Social management account, which also gave OurMine access to user registration information such as names and email addresses.

It is tough to imagine that Sony’s PlayStation people would welcome this third-party intervention. The firm has had to deal with hackers before, in 2001, when it went after the cracker known as Geohot. Then, PSN was taken offline for almost three weeks and tens of millions of PSN user details were pinched.

Sony’s Facebook account also got taken over for a short while this weekend putting users off the service and sparing other people from cat pictures and happy couples. Unfortunately, though, this only had a brief impact.


Did NotPetya Cost Maersk Over 100 Million In Lost Revenue

August 24, 2017
Filed under Around The Net

Maersk has warned that the NotPetya malware that struck the company in June will cost it between $200m and $300m in lost revenues.

In a statement released on Wednesday, Maersk CEO Søren Skou said: “In the last week of the [second] quarter we were hit by a cyber-attack, which mainly impacted Maersk Line, APM Terminals and Damco.

“Business volumes were negatively affected for a couple of weeks in July and, as a consequence, our third quarter results will be impacted. We expect that the cyber-attack will impact results negatively by [between] $200 and $300m.”

However, while the malware depressed the company’s revenues, it was still able to report revenue up by $1bn compared to the same quarter a year earlier, and profits up by $490m.

This is the first time the company has been able to publicly put a figure on the cost of NotPetya and of dealing with the aftermath of the malware.

At the beginning of July, the shipping company admitted that NotPetya had affected a number of ports around the world that it operates, causing a large backlog of shipments to build up. Back then, it admitted that it had suffered cancellations as a result, but couldn’t quantify them, or put a figure on the cost.

Maersk was one of a handful of global companies affected by NotPetya via operations in Ukraine, which appeared to be the primary target of the malware.

Other companies affected include fast-moving consumer goods company Reckitt Benckiser, which has said that the outbreak would cost the company around $100m or more in lost revenues in the second quarter; and confectionery firm Cadbury’s, which admitted that factories and warehouse systems had been affected by NotPetya, delaying shipments.

The most badly affected major organisation, though, would appear to be global parcel delivery company TNT Express, which has warned of permanent data loss as a result of NotPetya. Even three weeks after the outbreak, the company was still struggling to operate effectively, with paperwork lost in the company’s borked IT systems and staff forced to resort to manual processes.


Apple’s iOS 11 Has ‘Cop Button’ Feature

August 22, 2017
Filed under Mobile

Apple has added a brand new feature to easily disable Touch ID in iOS 11.

The feature, which is designed to aid emergency calls, allows users to quickly tap the power button five times to call 911 on an iPhone 7.

While this won’t automatically dial emergency services, it brings up the option to call 911 or temporarily disable Touch ID until the iPhone’s owner enters their passcode.

The new setting was first discovered by Twitter users in the iOS 11 public beta. They’ve since nicknamed the feature a “cop button,” notably after the FBI’s attempt to force Apple to unlock an iPhone used by Syed Farook, who killed 14 people in a 2015 terrorist attack in San Bernardino, California.

The incident led to a highly publicized war of words last year between the tech giant and the US government over security and privacy. Apple didn’t immediately respond to a request for comment.


New High-Level Phishing Attack Focuses On Politicians

July 26, 2017
Filed under Around The Net

Bitdefender has uncovered a new high-level spear-phishing attack targeting political figures and senior business users.

Dubbed ‘Inexsmar’, the attack appears to be operated by the DarkHotel group, which has been perpetrating similar threats since 2007.

DarkHotel attacks often merge whaling with malware and other threat avenues, with both attacker and victim on the same (hotel) WiFi network. Inexsmar is slightly different, in both its targets and payload delivery mechanism. Bitdefender has dated its samples back to September 2016, but it has dated samples with a high level of similarity to April 2011.

Liviu Arsene, a senior e-threat analyst at Bitdefender, told INQ: “The new attack vector involves carefully-crafted spear-phishing emails… where the use of legitimate names and email address is supposed to convince victims of the email’s legitimacy.

“When executed, the attachment actually displays a valid document, so as not to raise any suspicion from the victim, while malware is installed in the background. This is why the current campaign is a major departure from [DarkHotel’s] approach, in which the attacker would have to share the same Wi-Fi as its victim.”

The dummy document that Arsene mentions is called ‘Pyongyang Directory Group email SEPTEMBER 2016 RC_Office_Coordination_Associate.docx’.

Various tasks are undertaken in the background, with the aim of determining if the host computer is a valid target. If it is not, the malware stops functioning; otherwise, the malware installs the full payload by contacting the C2 server.

The DarkHotel group has traditionally targeted senior business users, such as CEOs, developers and corporate researchers, who can access sensitive company information like intellectual property and source code. Vectors like zero day exploits, stolen or factored digital certificates and layered encryption for samples are a few of the attack methods the group has used in the past.

BitDefender writes: “We presume that this method of pairing social engineering with a multi-stage Trojan downloader is also an evolutionary step to keep [DarkHotel’s] malware competitive as their victims’ defences improve.

“This approach serves their purpose much better as it both assures the malware stays up to date via system persistence – not achievable directly using an exploit – and gives the attacker more flexibility in malware distribution (the domains don’t have to be up all the time – not achievable directly using an exploit).”

BitDefender’s whitepaper goes into more detail on the attack.


Court Grants FBI Right To Continue Secret Surveillance Requests

July 19, 2017
Filed under Around The Net

The FBI will be allowed to continue sending surveillance orders to tech companies and ban them from disclosing those requests, an appeals court ruled Monday.

Internet company Cloudflare and wireless network operator CREDO Mobile sued the federal government to be allowed to publicly disclose national security letters they have received. They argued that the letters, which are administrative subpoenas issued by the government to gather information for national security purposes, are unconstitutional because they violate the First Amendment’s freedom of speech protections.

Critics of national security letters — like the Electronic Frontier Foundation, which represented Cloudflare and CREDO in the case — say they “allow the FBI to secretly demand data about ordinary American citizens’ private communications and internet activity without any meaningful oversight or prior judicial review.” Companies that receive national security letters, or NSLs, are subject to gag orders, which means they can’t even disclose they’ve received such orders unless the letters become declassified. And those gag orders last indefinitely.

A three-judge panel on a US court of appeals in San Francisco on Monday upheld a lower court ruling that NSLs can remain secret. In their unanimous ruling, they said the Supreme Court “has concluded that some restrictions on speech are constitutional, provided they survive the appropriate level of scrutiny.”

The law behind national security letters considers that disclosing the orders could result in danger to the national security of the US, interference with an investigation, interference with diplomatic relations, or danger to the life or physical safety of any person, the judges said in their opinion.

“We therefore conclude that the 2015 NSL law is narrowly tailored to serve a compelling government interest, both as to inclusiveness and duration,” the opinion said. “Accordingly, we hold that the nondisclosure requirement … survives strict scrutiny.”

Andrew Crocker, an attorney with EFF, said in a statement that he’s disappointed the court “failed to recognize that the NSL statute violates the free speech rights of technology companies that are required to turn over customer data to the FBI and banned indefinitely from ever publicly discussing the requests.”

He added that NSLs prevent companies from being open with their customers.

“Unfortunately, the Ninth Circuit avoided addressing the serious First Amendment problems with NSLs, particularly the fact that they are often left in place permanently,” Crocker said. “We’re considering our options for next steps in challenging this unconstitutional authority.”

The US Justice Department declined to comment on the ruling.

Will NotPetya Victims Get Their Files Back

July 12, 2017
Filed under Computing

The so-called ‘NotPetya’ ransomware, which was first identified in Ukraine and quickly spread worldwide, is reportedly designed to destroy data with the ransomware element intended as little more than a cover.

Security software company Kaspersky has warned that there is “little hope for victims to recover their data” if they fall victim to the ransomware bastard, because the installation ID displayed in the ransom note, which the victim is meant to send along with the ransom so that the matching decryption key can be returned, is entirely randomly generated.

As a result, victims that pay the estimated £300 ransom in Bitcoin won’t be able to get their files back.

“We have analysed the high-level code of the encryption routine and we have figured …” Kaspersky said in a statement.

“To decrypt a victim’s disk threat actors need the installation ID. In previous versions of ‘similar’ ransomware, like Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery. 

“ExPetr [Kaspersky’s name for the malware] does not have that, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data.”

Kaspersky’s warning comes as a number of security software and services companies publish their initial analyses of the NotPetya/ExPetr malware – all coming to similar conclusions.

Kaspersky itself claims that around 2,000 organisations have fallen victim to it so far, with firms in Russia and Ukraine worst affected, although Norwegian shipping company Maersk also fell victim. The company also confirmed the use of two US National Security Agency (NSA) exploits, exposed by the Shadow Brokers group, called EternalBlue and EternalRomance, which have helped the malware propagate automatically.

People and organisations with their Windows operating systems patched up-to-date and running equally up-to-date antivirus software ought to be protected, Kaspersky added.

However, organisations that aren’t properly patched can see the malware use flaws in Microsoft’s SMB networking protocol, via the EternalBlue exploit, to infect multiple machines.

According to Kaspersky researchers Anton Ivanov and Orkhan Mamedov, the “installation key” supposedly presented to users in the NotPetya ransom note is simply a random string.

“That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim and, as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID,” they warned.

That means, even paying the ransom won’t result in a decryption key being sent. “This reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive,” they added.

Matt Suiche, founder of cloud security company Comae Technologies, agreed. “The ransomware was a lure for the media. This variant of Petya is a disguised wiper,” he warned.

He added: “The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative.

“Ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) – a wiper would simply destroy and exclude possibilities of restoration.”

The key presented in the ransomware note, he also confirmed, is “fake and randomly generated”.

He added that the ransomware element was probably intended to distract attention from the idea that a nation-state attacker of some sort was behind it, citing the Shamoon malware in 2012, and that the attacker had simply repacked existing ransomware.

Not everyone is convinced that the NotPetya malware is state sponsored, however, with software engineer and malware analyst @hasherezade on Twitter suggesting that the author of the original Petya might be behind it.


Nvidia Jumps Into Digital Mining

July 10, 2017
Filed under Around The Net

Nvidia hopes to take custom away from its rival AMD by building a chip which is designed for digital currency mining.

AMD’s new chips have been flying off the shelves as soon as they arrive, because digital currency miners want lots of them to make money. Nvidia has been doing well off the craze, but AMD is finding it difficult to get enough chips out there, and this has caused GPU prices to rocket.

Nvidia wants to release graphics cards specifically designed for cryptocurrency. From a product listing on ASUS’ website: “ASUS Mining P106 is designed for coin mining with high-efficiency components — delivering maximum hash-rate production at minimum cost. ASUS Mining P106 enhances the megahash rate by up to 36 per cent compared to cards in the same segment that are not tailored for mining.

The new card is also engineered to be seriously durable, enabling 24/7 operation for uninterrupted coin production.” The ASUS Mining P106 uses an Nvidia chip, according to the specifications page on the website. 

Nvidia, AMD and ASUS have not officially announced the digital currency mining cards, according to their website press pages. It is not certain when the cards will be available for sale. Nvidia is likely making the cards designed for this use so that the surging digital currency demand doesn’t affect its ability to serve the lucrative PC gaming market.


Ransomware-as-a-Service Now Targeting Macs

June 22, 2017
Filed under Computing

Security researchers have found the first evidence of ransomware-as-a-service (RaaS) affecting Apple machines, dubbed ‘MacRansom.’

Fortinet’s security research team, FortiGuard Labs, uncovered the tool, which uses a web portal hosted on the Tor network (an anonymising network that bounces traffic around a relay of volunteer computers to conceal its source), an increasingly popular approach. The ransomware is not readily available through the portal; instead, buyers must contact the author(s) directly to have it built.

MacRansom uses a basic delivery vector: the owner of the machine must agree to run a programme from an unidentified developer before the infection takes place, or have it physically installed from an external drive. If they do so, the ransomware checks two things: whether it is being run in a non-Mac environment, and whether it is being debugged. If either check trips, it terminates.

The next step is to create a launch point (the file name purposefully mimics a legitimate file). The ransomware runs at every startup and waits for a specified trigger time. When that time comes, it begins to encrypt files on the computer, in what FortiGuard notes is a slightly unusual but still effective method. A maximum of 128 files will be locked.

FortiGuard looked for RSA crypto routines; however, like the delivery vector, the ransomware itself is not very sophisticated and instead uses symmetric encryption with a hardcoded key. Two keys are used: ReadmeKey (0x3127DE5F0F9BA796), which decrypts the ransom notes and instructions, and TargetFileKey (0x39A622DDB50B49E9), which performs the encryption and decryption of the user’s files.

TargetFileKey is altered with a random number generator before use, which means the encrypted files cannot be decrypted once the malware has terminated. The malware also has no function to communicate with a command and control server, so there is no readily available copy of the key to use. While recovery of the TargetFileKey is still technically possible using a brute force attack, FortiGuard is ‘sceptical’ of the author’s claim to be able to decrypt the hijacked files.

Users are instructed to contact a specific email address and send some of their encrypted files, which will be decrypted as proof. The author asks for 0.25 Bitcoin (about £540) to unlock all of the files.

Ransomware is still not common on Mac computers, and most found there today is significantly less advanced than that targeting Windows. However, MacRansom can still capably encrypt files.

FortiGuard believes that MacRansom is being developed by copycats, as it contains code and ideas that appear to have been taken from previous ransomware targeting OS X.

