ransomware – Martijn Grooten / Lapsed Ordinary Sat, 22 Feb 2014 19:52:40 +0000 en-US hourly 1 https://wordpress.org/?v=6.8.3 Researchers crack Bitcrypt ransomware /2014/02/22/researchers-crack-bitcrypt-ransomware/ /2014/02/22/researchers-crack-bitcrypt-ransomware/#respond Sat, 22 Feb 2014 19:52:40 +0000 http://www.lapsedordinary.net/?p=129 There are 256 (28) different bytes and only ten different digits. So if your secret (RSA) key consists of 128 digits rather than of 128 bytes, the entropy of the key (that is, the amount of ‘surprise’ to an attacker) is a whole lot lower.
No shit, Sherlock. Apparently, this somewhat basic fact was beyond the understanding of those who wrote the Bitcrypt ransomware, probably inspired by the sad success story of CryptoLocker. In practise, it meant the difference between “only the NSA can crack your key” and “anyone can crack your key”. Two researchers from Airbus cracked the key and thus were able to restore the encrypted files on a friend’s computer, without paying the 0.4BTC ransom.
More at Virus Bulletin here.

]]> /2014/02/22/researchers-crack-bitcrypt-ransomware/feed/ 0 Browser-based ransomware /2014/01/24/browser-based-ransomware/ /2014/01/24/browser-based-ransomware/#comments Fri, 24 Jan 2014 00:19:30 +0000 http://www.lapsedordinary.net/?p=78 Tonight I stumbled upon some browser-based ransonmware, that pretends to be a message from the police. This is neither very advanced (it isn’t anything like Cryptolocker), nor is it very new. It doesn’t install any malware on your machine (though this trick has been used by actual malware, such as ‘Urausy’). All it does is tell you that “your browser has been blocked up for safety reasons”, and that to prevent going to jail for anything between 5 and 11 years (for watching something very illegal), you need to pay a fine. Because of course, that is how the legal system works.
policeransomware

I’ll do a more detailed write-up about this later. I thought it was interesting that it was spreading via Twitter and used some subdomains to domains hosted at a UK-based registrar, whose customers probably had their DNS hacked.
One thing that is typical for this kind of scam is that based on where you access the website from, you get the message in the local language and the logo of the national police force. They typically include a photo of the head of state as well. Because that makes it a lot more real.
And since this isn’t a very advanced scam, I could grab the various logos that are used. I had seen most of these before, but I don’t know if they had ever been shown on a single site. Now they have. (Actually, just before posting I noticed these are the same images used by Urausy last summer; Kafeine has all those images. Oh well.)
Austria
AT

Australia
AU

Belgium
BE

Bolivia
BO

Canada
CA

Cyprus
CY

Czech Republic
CZ

Germany
DE

Ecuador
EC

Finland
FI

France
FR

Greece
GR

Hungary
HU

Ireland
IE

Italy
IT

Latvia
LV

Mexico
MX

Netherlands
NL

New Zealand
NZ

Norway
NO

Poland
PL

Portugal
PT

Romania
RO

Slovakia
SK

Slovenia
SI

Spain
ES

Sweden
SE

Switzerland
CH

Turkey
TR

United Kingdom
GB

United States
US

]]> /2014/01/24/browser-based-ransomware/feed/ 1