SoylentNews is people
SoylentNews
Securelist.com has a writeup about a new ransomware that mostly targets the Netherlands:
While ransomware is a global threat, every now and then we see a variant that targets one specific region. [...] Today we can add a new one to the list: Wildfire.
Wildfire spreads through well-crafted spam e-mails. [...] Three things stand out here. First, the attackers registered a Dutch domain name, something we do not see very often. Second, the e-mail is written in flawless Dutch. And thirdly, they actually put the address of the targeted company in the e-mail. This is something we do not see very often and makes it for the average user difficult to see that this is not a benign e-mail.
Even though Wildfire is a local threat, it still shows that ransomware is effective and evolving. In less than a month we observed more than 5700 infections and 236 users paid a total amount of almost 70.000 euro. This is also due to the fact that the spam e-mails are getting better and better.
When you are infected with Wildfire, the malware calls home to the C2 server where information such as the IP, username, rid and country are stored. The botnetpanel then checks whether the country is one of the blacklisted countries (Russia, Ukraine, Belarus, Latvia, Estonia and Moldova). It also checks whether the "rid" exists within a statically defined array (we therefore expect the rid to be an affiliate ID).
If the rid is not found, or you live in one of the blacklisted countries, the malware terminates and you won't get infected.
Each time the malware calls home, a new key is generated and added to the existing list of keys. The same victim can thus have multiple keys. Finally the botnetpanel returns the bitcoin address to which the victim should pay, and the cryptographic key with which the files on the victim's computer are encrypted.
(Score: 3, Informative) by frojack on Saturday August 27 2016, @05:13PM
Three things stand out here. First, the attackers registered a Dutch domain name, something we do not see very often. Second, the e-mail is written in flawless Dutch. And thirdly, they actually put the address of the targeted company in the e-mail
Hold on there.....!
Thing ZERO is: Its Windows Only.
No, you are mistaken. I've always had this sig.
(Score: 3, Touché) by ticho on Saturday August 27 2016, @06:52PM
Isn't all succesful ransomware?
(Score: 2) by Nuke on Saturday August 27 2016, @10:58PM
Three things stand out here.
Thing ZERO is: Its Windows Only.
Why does that stand out? Sounds usual to me.
(Score: 0) by Anonymous Coward on Saturday August 27 2016, @05:21PM
>get email
>contains url to .doc
>voluntarily download .doc
>voluntarily open .doc, in microsoft word no less
Not to mention that the email is entirely unlike all other real Dutch packet delivery companies..
(Score: 2) by ticho on Saturday August 27 2016, @06:58PM
And yet, this ages old social engineering technique still claims its victims every day. Sad, really.
(Score: 3, Informative) by jimshatt on Saturday August 27 2016, @07:10PM
(Score: 0) by Anonymous Coward on Sunday August 28 2016, @04:40PM
if you're opening docs from unknown companies with your beloved windows computer and microsoft word, then you i don't know what to say. It's sad though.
(Score: 2) by Runaway1956 on Saturday August 27 2016, @05:30PM
https://www.youtube.com/watch?v=Pc3OnSQc48s [youtube.com]
Abortion is the number one killed of children in the United States.
(Score: 2) by http on Saturday August 27 2016, @07:52PM
The article uses a peculiar piece of, well, jargon? acronym? Who knows what a rid is, other than it's not an IP address, user name, or nation.
I browse at -1 when I have mod points. It's unsettling.
(Score: 2) by takyon on Saturday August 27 2016, @10:52PM
https://en.wikipedia.org/wiki/Relative_identifier [wikipedia.org] ?
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]