Securelist.com has a writeup about a new ransomware that mostly targets the Netherlands:
While ransomware is a global threat, every now and then we see a variant that targets one specific region. [...] Today we can add a new one to the list: Wildfire.
Wildfire spreads through well-crafted spam e-mails. [...] Three things stand out here. First, the attackers registered a Dutch domain name, something we do not see very often. Second, the e-mail is written in flawless Dutch. And thirdly, they actually put the address of the targeted company in the e-mail. This is something we do not see very often, and it makes it difficult for the average user to see that this is not a benign e-mail.
Even though Wildfire is a local threat, it still shows that ransomware is effective and evolving. In less than a month we observed more than 5,700 infections, and 236 users paid a total amount of almost 70,000 euro. This is also due to the fact that the spam e-mails are getting better and better.
When you are infected with Wildfire, the malware calls home to the C2 server, where information such as the IP, username, rid and country is stored. The botnet panel then checks whether the country is one of the blacklisted countries (Russia, Ukraine, Belarus, Latvia, Estonia and Moldova). It also checks whether the "rid" exists within a statically defined array (we therefore expect the rid to be an affiliate ID).
If the rid is not found, or you live in one of the blacklisted countries, the malware terminates and you won't get infected.
Each time the malware calls home, a new key is generated and added to the existing list of keys. The same victim can thus have multiple keys. Finally the botnet panel returns the bitcoin address to which the victim should pay, and the cryptographic key with which the files on the victim's computer are encrypted.
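The check-in flow quoted above (beacon with IP, username, rid and country; country blacklist; rid looked up in a static affiliate array; a fresh key appended to the victim's key list on every call; payout address and key returned) can be modelled end to end. The block below is an added illustration written for this page, not code from Securelist, the Wildfire panel or the malware. Everything beyond the decision flow is assumed: the affiliate IDs, the placeholder payout addresses, the use of ISO country codes, keying victims by (ip, username) and the 32-byte key size are all inventions, since the writeup states none of them.

```python
"""Model of the Wildfire botnet-panel check-in logic as described in the
Securelist writeup. Added illustration only; all constants are placeholders."""
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Countries the writeup says the panel refuses to infect.
# Assumption: the panel uses ISO 3166-1 alpha-2 codes; the writeup names
# the countries but not the representation.
BLACKLISTED_COUNTRIES = frozenset({"RU", "UA", "BY", "LV", "EE", "MD"})

# The panel checks the rid against a statically defined array, which the
# writeup takes to be affiliate IDs. These values are invented placeholders.
AFFILIATE_IDS = frozenset({"1001", "1002", "2048"})

# One payout address per affiliate. Placeholder strings, not real wallets.
PAYMENT_ADDRESS = {
    "1001": "btc-address-affiliate-1001 (placeholder)",
    "1002": "btc-address-affiliate-1002 (placeholder)",
    "2048": "btc-address-affiliate-2048 (placeholder)",
}


@dataclass
class Victim:
    """What the panel stores per victim: the beacon fields plus its key list."""
    ip: str
    username: str
    rid: str
    country: str
    keys: list = field(default_factory=list)  # one new key per check-in


class BotnetPanel:
    def __init__(self) -> None:
        # Assumption: victims are identified by (ip, username); the writeup
        # does not say how the panel distinguishes one victim from another.
        self.victims = {}

    def check_in(self, ip: str, username: str, rid: str,
                 country: str) -> Optional[Tuple[str, bytes]]:
        """Handle one beacon.

        Returns None when the malware should terminate (blacklisted country
        or unknown rid), otherwise the (bitcoin address, encryption key) pair
        the writeup says the panel hands back.
        """
        if country.upper() in BLACKLISTED_COUNTRIES:
            return None
        if rid not in AFFILIATE_IDS:
            return None

        victim = self.victims.setdefault(
            (ip, username), Victim(ip, username, rid, country.upper()))

        # A new key is generated on every call and appended to the existing
        # list, so a repeat beacon from the same machine yields a second key.
        # Assumption: 32 random bytes; the writeup does not give the cipher.
        key = secrets.token_bytes(32)
        victim.keys.append(key)
        return PAYMENT_ADDRESS[rid], key


if __name__ == "__main__":
    panel = BotnetPanel()
    # Constructed beacons, not captured traffic.
    for beacon in [("203.0.113.5", "jan", "1001", "NL"),
                   ("198.51.100.9", "olga", "1001", "RU"),
                   ("203.0.113.6", "piet", "9999", "NL"),
                   ("203.0.113.5", "jan", "1001", "NL")]:
        result = panel.check_in(*beacon)
        if result is None:
            print(beacon, "-> terminate")
        else:
            print(beacon, "->", result[0], "key", result[1].hex()[:16], "...")
    for who, v in panel.victims.items():
        print(who, "holds", len(v.keys), "key(s)")
```

The point of running it is the last line of output: the Dutch victim that beaconed twice ends up with two distinct keys on the panel, which is exactly why the writeup notes that "the same victim can thus have multiple keys". It also makes the two early exits visible: a beacon from a blacklisted country or with an rid outside the affiliate array never receives a key, so such hosts are never encrypted.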
(Score: 2) by http on Saturday August 27 2016, @07:52PM
The article uses a peculiar piece of, well, jargon? acronym? Who knows what a rid is, other than it's not an IP address, user name, or nation.
I browse at -1 when I have mod points. It's unsettling.
(Score: 2) by takyon on Saturday August 27 2016, @10:52PM
https://en.wikipedia.org/wiki/Relative_identifier [wikipedia.org] ?
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]