TotalSystemSecurity.com


Ransomware Protection: New Feature Added to Windows Defender Security Center

Ransomware attacks continue to hold millions of computer users, government organizations, hospitals and large companies hostage. In many cases the victim is left with no way to get files back other than paying the ransom.

What Ransomware does

Ransomware encrypts the files on the compromised system with strong cryptography: typically a symmetric cipher such as AES for the file contents, with an RSA public key protecting the symmetric key, although some families use RC4 or custom schemes. Encrypted files are renamed with a new extension, so the user can no longer open them, and attempting to do so brings up a ransom note demanding payment in a digital currency such as Bitcoin.
There is no guarantee that paying returns the data; in the worst case the victim loses both the data and the money. It is far better to be protected against ransomware in advance.

With this in mind, recent Windows 10 updates (version 1709 and later) added a "Ransomware protection" section to Windows Defender Security Center, reachable from "Virus & threat protection" under "Virus & threat protection settings".

Under "Ransomware protection" you will find "Controlled folder access", which protects files by guarding specific folders: only applications that Windows Defender trusts, or that you have explicitly allowed, may modify files in those folders. Any other program, including ransomware, is blocked when it tries to write to or encrypt them.

You can enable Controlled folder access by following these steps:

  1. Open Windows Defender Security Center.
  2. Click Virus & threat protection.
  3. Click Virus & threat protection settings.
  4. Turn on the Controlled folder access toggle.
  5. Click the Protected folders link.
  6. Click the Add a protected folder button.
  7. Navigate to the folder you want to protect and click Select Folder.

Folders you add to Controlled folder access are protected from being tampered with, infected or encrypted by any untrusted application; the user's Documents, Pictures, Videos, Music, Desktop and Favorites folders are protected by default. To let a legitimate application through (for example a backup tool that is blocked despite being trusted):

  1. Click the Allow an app through Controlled folder access link.
  2. Click the Add an allowed app button.
  3. Navigate to the application's executable (.exe) and select it.

After completing these steps, your protected folders are guarded by Windows Defender Antivirus: it continuously blocks unauthorized write attempts, whether from ransomware or from any other untrusted program, and records each blocked attempt in the Windows Defender event log.
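The same configuration can be scripted, which is how you would roll it out to more than one machine. The following is an added example written for this article, not code from Microsoft or from the original page; the folder and executable paths are placeholders, and it must be run from an elevated PowerShell prompt on a host with Windows Defender Antivirus active.

```powershell
# Added example: configure Controlled folder access with the built-in Defender
# cmdlets (Set-MpPreference / Add-MpPreference / Get-MpPreference) and review
# what it has blocked. Paths below are placeholders; replace them with your own.

# 1. Start in audit mode: nothing is blocked yet, but every write that *would*
#    have been blocked is logged as event ID 1124. Run like this for a few days
#    before enforcing, so legitimate apps (backup agents, Office add-ins, build
#    tools) can be allow-listed instead of silently failing.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect additional folders beyond the defaults (Documents, Pictures, Videos,
#    Music, Desktop and Favorites are protected automatically).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance', 'D:\Projects'

# 3. Allow specific, fully qualified executables through. Allow by path, not by
#    name; CFA has no notion of "trusted vendor", only trusted binaries.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\7-Zip\7z.exe'

# 4. Switch to enforcement once the audit log is clean.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 5. Verify the effective configuration (EnableControlledFolderAccess:
#    0 = Disabled, 1 = Enabled, 2 = AuditMode).
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications

# 6. Review what CFA blocked (1123) or would have blocked in audit mode (1124).
#    Each event names the process and the file it tried to modify.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }
```

Two caveats worth keeping in mind: Controlled folder access only covers the folders in its list, so files on other drives or on unlisted network shares are not protected unless you add them, and it blocks changes rather than undoing them, so it complements a backup instead of replacing one.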

The "Ransomware protection" section will gain further features over time. Its "Ransomware data recovery" option ties in with OneDrive so that, if ransomware does get through, you can restore your files from the cloud copy rather than pay the ransom.

It is better to stay protected from ransomware in the first place. For this we recommend "Ransomware Defender", which is designed to prevent ransomware attacks.

Ransomware Defender deals with known ransomware in a way no other solution can. Specially designed for detecting and blocking ransomware prior to any damage, Ransomware Defender blacklists and stops both common and unique ransomware. Once installed, Ransomware Defender stands guard 24/7 utilizing active protection algorithms enhanced with user-friendly alerts and notifications system. Ransomware Defender is fully automated, taking care of all threats via an advanced Scan > Detect > Lock Down mechanism that proactively stands guard to detected threats, and works alongside all main anti-viruses and anti-malware products! Ransomware Defender also features a scheduled automatic scan, secured file eraser, lifetime updates and support!  To know more about “Ransomware Defender” click on the link.


Google Removed Over 700,000 Malicious Apps From the Google Play Store in 2017

Google marked 700,000 Android apps as malicious and removed them from the Play Store in 2017

Google removed over 700,000 Android apps from the Play Store in 2017 for violating its policies and endangering users. It also took down over 100,000 developer accounts belonging to bad actors who created multiple accounts in order to publish thousands of malicious apps.


According to a blog post by Andrew Ahn, Product Manager for Google Play, this was 70% more than the number of apps taken down in 2016. The company also said it will keep taking strict action against the authors of copycat apps, apps with inappropriate content and PHAs (Potentially Harmful Applications).

Ahn also said that 99% of the copycat apps and apps with abusive content were identified and rejected before anyone could install them.

Google credits new detection models that identify copycats, PHAs and abusive content, and says the developers behind such apps were removed as well.

The post reads: "This was possible through significant improvements in our ability to detect abuse — such as impersonation, inappropriate content, or malware — through new Machine Learning models and techniques".

Copycats impersonating famous apps

Thousands of "copycat" apps mislead users by impersonating popular apps, which have a large audience to siphon off: similar names, similar icons and look-alike Unicode characters in the title are enough to confuse people. Google said it removed more than a quarter of a million such impersonating apps from the Play Store in 2017.

Improved machine-learning models also detect inappropriate content, such as abuse, pornography, graphic violence and incitement to illegal activity, and flag it as "inappropriate".

The post reads: "Tens of thousands of apps with inappropriate content were taken down last year as a result of such improved detection methods".

The company also said that with the launch of Google Play Protect in 2017, PHA install rates on the Play Store were reduced by 50% year over year. PHA is Google's term for apps that pose a security threat: trojans, spyware, fraud apps and similar malware.

This is good news for users, but no detection and review system is perfect. Check the developer name, the reviews and the requested permissions before installing an app, or you may end up installing a malicious look-alike instead of the app you intended.

Lebal Malware Targets Large Companies and Government Organizations to Steal Data

Watch out for the new malware named "Lebal", which spreads through phishing emails

The Lebal malware was detected in the first week of January 2018, when researchers found more than 300 phishing emails targeting large companies and organizations in an attempt to get the malware onto their systems.

According to reports, the emails were sent from IP addresses in São Paulo, Brazil. Comodo Threat Research Labs then announced that a data-stealing malware campaign was under way and had already hit five universities, 23 private companies and a few government entities, and warned that it could continue to affect more high-profile organizations.

Lebal spreads through fake FedEx emails carrying a link to the executable

Lebal is delivered in a more sophisticated way than the usual malicious email attachment, hiding the payload behind several layers to get past security controls. The email is not a plain phishing message: it impersonates a FedEx notice claiming that a parcel could not be delivered and must be collected in person, and asks the recipient to print the attached "label" and bring it along. The "label" is a link to a file on Google Drive, and that file is Lebal itself. Many users click the link out of curiosity, and the malware is dropped on their computer.


The link looks legitimate: it uses HTTPS, the browser shows a secure connection, and it lands on drive.google.com, so the user has no hint that anything is wrong. The file that arrives poses as an Adobe Acrobat document; opening it drops "Lebal copy.exe" and executes it immediately on the targeted system.

Lebal steals the user's private information and cryptocurrency wallet data

Lebal's main purpose is to steal personal data stored in the browser: cookies, saved login credentials and the like. It also harvests email contacts so the malware can be spread further.
It targets cryptocurrency owners as well, collecting data about their wallets (Bitcoin, Electrum and similar), and it reads the stored credentials of FTP clients such as FileZilla and WinSCP to gather more access information.

Everything collected is sent to the attackers' command-and-control server, where it is used for fraud and other illegal activities.

The user may have no idea that any of this is going on, since the malware can also disable the host's defences by turning off the firewall and other running security applications. Be careful with unexpected emails about package deliveries, invoices and the like: if you are not expecting anything of the kind, do not open the attachment or follow the link. One click can lead to large losses of money and confidential data.

Another Terrifying Ransomware: Rapid Ransomware

All ransomware has the same purpose: encrypt the data on the victim's PC and demand a ransom to unlock it. Rapid ransomware is slightly different in that it stays active after the first encryption pass has finished and keeps encrypting any new files the user creates.

Rapid ransomware was first detected on January 2nd, 2018, and attacks have continued since. How it is distributed is still unclear; the most common infection vectors for ransomware in general are spam email attachments, JavaScript embedded in hacked web pages, exploit kits and visits to dubious sites, pornographic ones included.

Rapid ransomware encryption process

Once the ransomware is running on the compromised system, it executes commands to delete the Windows shadow volume copies, terminates database processes (so that their files are not locked and can be encrypted) and disables Windows automatic repair, so that the user cannot recover the files by any of the built-in means.
The processes terminated by Rapid are sql.exe, sqlite.exe and oracle.com, and the commands executed are:

vssadmin.exe Delete Shadows /All /Quiet
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

The first command wipes every Volume Shadow Copy, removing the "Previous Versions" that Windows could otherwise restore. The two bcdedit commands turn off automatic startup repair and make the boot loader ignore boot failures, so the system never offers the recovery environment.
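These three commands are the most reliable early warning of a ransomware run, because almost every family issues them before it starts encrypting. The following added example (written for this article, not part of the original page or of any vendor product) shows a small detector that flags them in process-creation telemetry. It takes command lines as input, such as those from Security event 4688 with command-line auditing enabled, or from Sysmon event ID 1. The sample lines at the bottom are constructed for the demonstration.

```powershell
# Added example: flag the pre-encryption commands Rapid runs when they appear in
# process-creation command lines. The sample input is constructed; the regexes
# are the detection logic and also cover the wmic/wbadmin variants other
# families use for the same purpose.

# Each pattern requires the tool name AND the dangerous argument, so routine use
# of the tools (e.g. "vssadmin list shadows") is not flagged.
$IndicatorPatterns = @(
    @{ Name = 'ShadowCopyDeletion';   Regex = '(?i)\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b' }
    @{ Name = 'ShadowStorageShrunk';  Regex = '(?i)\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize=' }
    @{ Name = 'WmicShadowDeletion';   Regex = '(?i)\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b' }
    @{ Name = 'RecoveryDisabled';     Regex = '(?i)\bbcdedit(\.exe)?\b.*/set\b.*\brecoveryenabled\s+no\b' }
    @{ Name = 'BootFailuresIgnored';  Regex = '(?i)\bbcdedit(\.exe)?\b.*/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b' }
    @{ Name = 'BackupCatalogDeleted'; Regex = '(?i)\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b' }
)

function Find-RecoveryTampering {
    # Emits one object per (command line, matching indicator) pair.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$CommandLine)
    process {
        foreach ($p in $IndicatorPatterns) {
            if ($CommandLine -match $p.Regex) {
                [pscustomobject]@{ Indicator = $p.Name; CommandLine = $CommandLine }
            }
        }
    }
}

# Constructed sample: the three commands quoted in the article plus two benign lines.
$sample = @(
    'vssadmin.exe Delete Shadows /All /Quiet',
    'cmd.exe /C bcdedit /set {default} recoveryenabled No',
    'cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures',
    'vssadmin.exe list shadows',
    'C:\Windows\System32\svchost.exe -k netsvcs'
)
$sample | Find-RecoveryTampering | Format-Table -AutoSize

# On a live host, feed real telemetry instead. With Sysmon installed, the
# CommandLine field of event ID 1 is the input:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5000 |
#     ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data |
#                      Where-Object Name -eq 'CommandLine' |
#                      Select-Object -ExpandProperty '#text' } |
#     Find-RecoveryTampering
```

A hit on any of these indicators from a user workstation should be treated as an active incident rather than a warning: the whole point of the commands is to destroy the recovery options before the encryption starts, so the minutes between them and the first ".rapid" file are the only window for isolating the host.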

After the commands have run, it scans the computer's drives and directories for valuable files (documents, images, videos, PDFs, databases and so on) and encrypts them, appending ".rapid" to the file name.
For example, a document named "myfinances.docx" is renamed to "myfinances.docx.rapid".

Once the encryption pass finishes, it drops a ransom note named "How Recovery Files.txt" in the affected folders and on the desktop.
The note tells the victim about the encryption and gives an email address for contacting the authors and paying the ransom.
The ransom note reads:

Hello!
All your files have been encrypted by us
If you want restore files write on e-mail – frenkmoddy@tuta.io

The malware also creates autorun entries so that it launches again at every startup and displays the ransom note. Victims are left with the impression that paying is the only way to get their files back, yet there is no certainty that files are decrypted even after payment.

So if you are a victim of Rapid ransomware, we strongly suggest not paying the criminals behind it: even after payment there is no guarantee of getting your files back, and every payment funds the next campaign. Instead, remove the ransomware and try to recover files from a backup or with a data-recovery tool.

What to do when infected with Rapid ransomware

Rapid does not stop after encrypting the files that are already there; it keeps looking for new files created on the infected computer and encrypts those too. So it is urgent to stop all activity on the computer right away.
If you detect the infection, immediately terminate the ransomware process in Task Manager to halt further encryption. The process name can vary, but it has been seen as "rapid.exe" before a reboot and "info.exe" after one.

After terminating the process, disable its autorun entries with "msconfig.exe" (or the Startup tab of Task Manager). If the malware prevents this, reboot into "Safe Mode with Networking" and try again.
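The same containment steps can be done from an elevated PowerShell prompt, which is faster than Task Manager and leaves a record of what was found. This is an added example written for this article, not code from the original page: the process names (rapid.exe, info.exe), the ".rapid" extension and the note name are the indicators the article reports, and everything else is a generic check that works for other families too.

```powershell
# Added example: first-response steps for a Rapid infection. Run elevated.
# Indicators from the article: process names rapid / info, extension .rapid,
# note "How Recovery Files.txt". Everything else is generic triage.

$KnownNames = 'rapid', 'info'
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds for its own bookkeeping; not autorun entries.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Find the encryptor. Match on the names the article reports, but also list
#    any process whose executable lives in a user-writable location, which is
#    where droppers usually land: names change, locations rarely do.
$suspects = Get-Process | Where-Object {
    $_.Path -and (
        ($KnownNames -contains $_.ProcessName) -or
        $_.Path -like "$env:APPDATA\*" -or
        $_.Path -like "$env:LOCALAPPDATA\*" -or
        $_.Path -like "$env:TEMP\*"
    )
}
$suspects | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

# 2. Stop the known names outright; review the rest before killing them.
$suspects | Where-Object { $KnownNames -contains $_.ProcessName } | Stop-Process -Force

# 3. List autorun entries (what msconfig shows) and remove the ones that point
#    at the encryptor. Legitimate software lives here too, hence the listing.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($MetaProps -contains $name) { continue }
        $value = [string]$props.$name
        "$key  $name = $value"
        if ($KnownNames | Where-Object { $value -match "\\$_\.exe" }) {
            Remove-ItemProperty -Path $key -Name $name
            "  -> removed"
        }
    }
}

# 4. Measure the damage to decide what must come back from backup: count the
#    encrypted files and locate the ransom notes.
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter '*.rapid' -File -ErrorAction SilentlyContinue
"Encrypted files under the profile: $($encrypted.Count)"
Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter 'How Recovery Files.txt' -File -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
```

Do the process kill first and the reboot last: every minute the process runs it encrypts more, and a reboot before the autorun entry is removed simply restarts it under the new name. Keep the executable (do not delete it) if you intend to hand the case to an incident responder; it is the evidence they will ask for.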

If you are not comfortable with manual removal, we recommend using an automatic removal tool.

The best defence against ransomware is keeping backup copies of your important files (offline, or in a cloud service with versioning, so that the backup itself cannot be encrypted) together with a capable security program running and up to date. Paying the ransom is not the solution.

Ransomware is everywhere and can encrypt all your data at any moment; prevention is better than cure. SOS Online Backup is a leading online backup solution that runs quietly and automatically in the background. Both Personal and Family Cloud SOS accounts support an unlimited number of mobile devices. SOS is quick and easy: the product automatically finds important files, and you simply set the start time for a daily backup. SOS Online Backup supports any file size and any file type. All SOS apps (desktop and mobile) encrypt files using UltraSafe 256-bit AES before transferring them to the cloud.

Experts Guide To Prevent Future Attacks

The following steps will guide you to reduce the risk of infection further.

  1. Scan all files with an Internet Security solution before transferring them to your system.
  2. Only transfer files from a well known source.
  3. Always read carefully the End User License agreement at Install time and cancel if other “programs” are being installed as part of the desired program.
  4. When visiting a website, type the address directly into the browser rather than following a link.
  5. Do not provide personal information to any unsolicited requests for information.
  6. Don’t open attachments or click on Web links sent by someone you don’t know.
  7. Keep your web browser and operating system up to date and your computer configured securely.

SamSam Ransomware Attacks Continue to Impact

SamSam ransomware attacks continue to hit hospitals, large organizations and ICS firms

Unfortunately there is no stopping SamSam ransomware, which continues to attack large businesses and organizations. Late December 2017 and the start of 2018 have been a profitable period for its operators. According to reports, the major SamSam attacks of recent weeks hit:

  • Hancock Health hospital in Greenfield, Indiana;
  • Adams Memorial Hospital in Decatur, Indiana;
  • the municipality of Farmington, New Mexico;
  • Allscripts, a provider of cloud-based EHR (electronic health records);
  • and an ICS (Industrial Control Systems) company in the US.

Hancock Health officials have confirmed that they paid a ransom of about $55K in Bitcoin despite having backups. How the other victims dealt with the attack is not yet known.

Active SamSam ransomware campaign

SamSam is used in targeted attacks: the operators scan the Internet for computers with RDP (Remote Desktop) exposed, break in through those endpoints and move on to other systems on the network. Once they have a foothold in a large network they deploy the ransomware, which encrypts important files and displays a ransom note containing the phrase "sorry for files." The Farmington municipality released a screenshot of its ransom note.

The extension appended to encrypted files varies, but many of the recent infections used ".weapologize". The ransom amount also varies and must be paid in Bitcoin to the wallet address given in the note. The SamSam operators are reported to hold 26 Bitcoin, worth about $300,000, from these attacks. The campaign is ongoing and still targets exposed RDP services, so companies are advised to use strong, unique passwords for every account that can log in over RDP and, more importantly, not to expose RDP directly to the Internet: put it behind a VPN, require Network Level Authentication and enforce account lockout, so that the operators' scanners find nothing to brute-force.

Good News for Business: Microsoft to Add "Files Restore" Feature

Microsoft is rolling out a new "Files Restore" feature to cope with ransomware attacks, data corruption and accidental deletion.

Microsoft is introducing a feature in OneDrive for Business that lets users roll their entire OneDrive back to a previous point in time. Businesses regularly face data that is deleted by mistake, corrupted, or encrypted by malware, which causes losses and stops work. Files Restore addresses this by letting you recover your files and folders to any point within the last 30 days.

When you can expect to use this feature

Files Restore is coming soon: according to news that surfaced this weekend at a SharePoint Saturday presentation in San Diego, the feature is expected to be complete by the end of January and to roll out by mid-February.

Microsoft originally planned to present the feature at its annual Microsoft Ignite conference. A screenshot of the Files Restore interface was released at the end of September 2017 and the feature was scheduled for December 2017, but it was not completed in time.
More details about how the feature works should be revealed in the coming weeks.

How Files Restore will help businesses

There are various scenarios where Files Restore is useful. It not only recovers deleted files but rolls the whole OneDrive account back to a chosen point in time. With ransomware affecting more and more businesses and organizations, this is a powerful tool: rather than pay the ransom, you restore your files to their state before the encryption started. (Read about the recent ransomware attack on a regional hospital in Indiana that ended with a $55K ransom payment.) Note that this feature is not included in the free OneDrive that comes with Windows 10.

Difference between "Version history" and "Files Restore" in OneDrive

Users may think this is the same as the existing version history, but it is a different feature. Version history only lets you go back to earlier versions of individual files that were corrupted or deleted. Files Restore rolls back the entire OneDrive account, recovering all files and folders to a previous date and time. One important point: Files Restore depends on version history, so versioning must be turned on or Files Restore will not work.

Stay tuned for updates to this article.

SamSam Ransomware Attack Forced an Indiana Hospital to Pay a $55K Ransom

The incident took place in Greenfield, Indiana on Thursday, January 11, when ransomware hit the network of Hancock Regional Hospital. The hospital paid a ransom of $55,000 to get its systems restored. It chose to pay despite having backups because operations were disrupted and employees had been told to shut down their computers to stop the infection from spreading.

SamSam breaches the network via RDP

The ransomware deployed on Hancock's network was SamSam, a family first seen in 2015. Its operators scan the Internet for computers with RDP exposed, break in through those endpoints and spread to further systems. Once they have spread across a large network they deploy the ransomware and encrypt files, then demand a ransom for restoring them and threaten to delete the files if the deadline passes.
The exact entry point into the hospital's systems has not yet been confirmed, but the hospital said the outbreak was not caused by a suspicious or infected email.
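The exposure that both SamSam articles on this page describe, an RDP listener reachable from the Internet with nothing in front of it, is easy to check for on a Windows host. The following added example is written for this article and is not code from the page, from Hancock Health or from any vendor; it reads the local RDP, firewall and audit configuration with built-in cmdlets (the registry keys and event fields it uses are the standard Windows locations) and prints a short checklist. Run it elevated on the machine in question.

```powershell
# Added example: check the RDP settings a SamSam-style intrusion depends on.
# Everything here is read from the live host; nothing is changed. Run elevated.

$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$findings = [ordered]@{}

# fDenyTSConnections = 1 means RDP is off. If it is needed at all, it should be
# reachable only from a management network or over a VPN, never from the Internet.
$findings['RDP enabled']             = ($ts.fDenyTSConnections -eq 0)

# UserAuthentication = 1 requires Network Level Authentication: the client must
# authenticate before a session is created, so an unauthenticated scanner gets
# no login screen to interact with.
$findings['NLA required']            = ($tcp.UserAuthentication -eq 1)

# SecurityLayer 2 forces TLS; 0 allows the legacy RDP security layer.
$findings['TLS security layer']      = ($tcp.SecurityLayer -eq 2)

# Is the listener actually bound? (Default port 3389; a changed port is not a defence.)
$findings['Listening on TCP port']   = (Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq $tcp.PortNumber } | Measure-Object).Count -gt 0

# Firewall: are the Remote Desktop rules enabled, and do they apply to the Public profile?
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
$findings['Inbound rules enabled']   = ($rdpRules | Where-Object { $_.Direction -eq 'Inbound' } | Measure-Object).Count -gt 0
$findings['Open on Public profile']  = ($rdpRules | Where-Object { $_.Profile -match 'Public|Any' } | Measure-Object).Count -gt 0

# Account lockout: without it an exposed listener can be brute-forced indefinitely.
$lockout = (net accounts) | Select-String 'Lockout threshold'
$findings['Lockout threshold']       = ([string]$lockout -replace '.*:\s*', '')

# Failed RDP logons (4625 with logon type 10) in the last day are the tell-tale
# of a scanner at work. Property index 10 of a 4625 event is LogonType.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -eq 10 }
$findings['RDP logon failures (24h)'] = ($failed | Measure-Object).Count

[pscustomobject]$findings | Format-List
```

Read the result as a whole: "RDP enabled" plus "Open on Public profile" plus a lockout threshold of "Never" is exactly the combination the article describes, and a non-zero failure count means someone is already trying. None of the settings above replace putting the listener behind a VPN; they limit what an attacker can do with a listener that is exposed anyway.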

The encrypted files were renamed with the phrase "I'm sorry"

According to reports in a local newspaper, the SamSam ransomware encrypted files in the targeted network and renamed them with the phrase "I'm sorry". As soon as the IT department detected the breach, the news was circulated through the entire hospital and employees were told to shut down their computers to stop the threat from spreading, which brought hospital operations to a halt.
Medical and management staff carried on by hand, working on paper instead of computers, and the hospital continued to treat patients with all its facilities.

Hospital decided to pay the ransom despite having backups

The hospital's management confirmed to the local press on Saturday that it had paid the ransom demanded by the attackers: 4 Bitcoin, worth around $55,000 at the time. It paid even though it had backups, because restoring from them was not considered an effective solution: rebuilding the infected network from backups could have taken days or even weeks, while paying was the quickest way out of the situation. Systems were back up and running by Monday.

In conclusion, ransomware attacks continue to disrupt large companies and millions of individuals who feel they have no choice but to pay. Every payment, however, encourages the groups behind the attacks to extort more. The FBI asks victims of such attacks to report them through the IC3 portal so that the Bureau can pursue the criminals.
If you have been hit by ransomware, avoid paying; instead keep current backups of your important files, for example with one of the online backup services available.


List of Malicious Chrome Extensions That Impacted Over 500,000 Users

Be watchful! Four malicious extensions managed to infect 500,000 users

Malicious Chrome extensions continue to pose a threat to users. According to a recent report by ICEBRG, four Chrome extensions have been identified as malicious. All four were available from the official Chrome Web Store and claimed to offer genuine functionality.


Instead, they run malicious JavaScript in the background of the browser that lets the attackers send commands and execute them remotely. The main motive was profit from "click fraud": loading many pages in the browser and clicking the ads on them. The extensions were also used for search-engine manipulation, driving traffic to low-ranked pages. And because they gave the authors a foothold inside the victims' browsers, they could also be used to reach into corporate networks and collect sensitive information.
Several major organizations and over 500,000 users were affected.

Here are the four malicious Chrome extensions, with their extension IDs, which you should not have installed:

  • Nyoogle - Custom Logo for Google (ppmibgfeefcglejjlpeihfdimbkfbbnm)
  • Lite Bookmarks (ginfoagmgomhccdaclfbbbhfjgmphkph), removed from the Store
  • Stickies - Chrome's Post-it Notes (mpneoicaochhlckfkackiigepakdgapj)
  • Change HTTP Request Header (djffibmpaakodnbmcdemmmjmeolcmbae), removed from the Store

When ICEBRG's researchers detected the malicious behaviour of the four extensions, they reported it to the National Cyber Security Centre of The Netherlands (NCSC-NL), the United States Computer Emergency Readiness Team (US-CERT) and Google's Safe Browsing Operations team. Removal was requested, but Nyoogle was still available on the Chrome Web Store at the time of writing, so do not install it. Many users may still be running these extensions: check your Chrome extensions against the list above (the ID is shown on chrome://extensions in developer mode and is also the extension's folder name on disk) and remove any you find.
We also recommend running a full scan to detect and remove any remaining traces of the malware.
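Checking by ID is more reliable than checking by name, since a malicious extension can call itself anything. The following added example (written for this article, not code from ICEBRG or from the original page) walks every Chrome profile on a Windows machine and reports any of the four IDs that are installed, then shows how to block them with Chrome's enterprise policy. It assumes Chrome's standard on-disk layout, User Data\<profile>\Extensions\<id>\<version>\manifest.json, under the current user's local application data folder.

```powershell
# Added example: find the four malicious extension IDs in every local Chrome
# profile, and optionally block them machine-wide via Chrome policy.

$BadExtensions = @{
    'ppmibgfeefcglejjlpeihfdimbkfbbnm' = 'Nyoogle - Custom Logo for Google'
    'ginfoagmgomhccdaclfbbbhfjgmphkph' = 'Lite Bookmarks'
    'mpneoicaochhlckfkackiigepakdgapj' = 'Stickies - Chrome''s Post-it Notes'
    'djffibmpaakodnbmcdemmmjmeolcmbae' = 'Change HTTP Request Header'
}

function Find-ChromeExtension {
    param(
        [hashtable]$Ids = $BadExtensions,
        [string]$UserData = "$env:LOCALAPPDATA\Google\Chrome\User Data"
    )
    # Profiles are the folders "Default", "Profile 1", "Profile 2", ... that
    # contain an Extensions directory. Each installed extension is a folder
    # named by its 32-character ID, with one sub-folder per installed version.
    Get-ChildItem -Path $UserData -Directory -ErrorAction SilentlyContinue |
        Where-Object { Test-Path (Join-Path $_.FullName 'Extensions') } |
        ForEach-Object {
            $prof = $_
            Get-ChildItem -Path (Join-Path $prof.FullName 'Extensions') -Directory |
                Where-Object { $Ids.ContainsKey($_.Name) } |
                ForEach-Object {
                    # The manifest gives the name the user saw and the version.
                    $manifest = Get-ChildItem -Path $_.FullName -Recurse -Filter manifest.json -File |
                        Select-Object -First 1 |
                        ForEach-Object { Get-Content $_.FullName -Raw | ConvertFrom-Json }
                    [pscustomobject]@{
                        Profile = $prof.Name
                        Id      = $_.Name
                        Known   = $Ids[$_.Name]
                        Version = $manifest.version
                        Path    = $_.FullName
                    }
                }
        }
}

$hits = Find-ChromeExtension
$hits | Format-Table -AutoSize

# Removal is done from chrome://extensions. Deleting the folder on disk is not
# enough: Chrome treats a missing folder as a corrupted extension and may
# reinstall it from the Web Store if it is still listed there.

# Fleet-wide prevention: Chrome's ExtensionInstallBlocklist policy (older builds
# read the same list under the name ExtensionInstallBlacklist). Values are
# numbered strings; this overwrites entries "1".."4" in that key. Run elevated.
$policy = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlocklist'
New-Item -Path $policy -Force | Out-Null
$i = 1
foreach ($id in $BadExtensions.Keys) {
    Set-ItemProperty -Path $policy -Name "$i" -Value $id
    $i++
}
```

The policy does two things the manual uninstall does not: it removes the extension from every profile on the machine the next time Chrome starts, and it stops users from reinstalling it, which matters for Nyoogle as long as it remains listed in the Web Store.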


A Fake Version of the MinerBlock Extension Plays Videos in the Background

Security alert! A fake version of the MinerBlock extension is out

MinerBlock is a legitimate Chrome extension that blocks websites that mine cryptocurrency inside the browser. It is published by the developer CryptoMineDev and can be downloaded from the Chrome Web Store.

Legitimate MinerBlock Extension


Security researchers have found a malicious version of the MinerBlock extension that causes trouble for users. The fake looks similar to the real one but repeatedly plays videos in the background. It is published by a developer called "egopastor2016". Users can easily confuse the two or install the fake by accident, as they look the same; the main visible difference is the logo.

Fake MinerBlock Extension

The ultimate goal of the fake version is not yet confirmed, but it can be used to generate fake traffic by connecting to third-party URLs and playing their videos. Clicking such videos could redirect users to linked pages that download harmful content onto the device. Once installed, the fake MinerBlock connects to "egopastor.biz" and fetches instructions telling it which site to connect to and which videos to play; the videos come from various Russian video sites. Constant video playback drives CPU usage to 100%, and the extension keeps playing until its countdown reaches "0".
Users who have unknowingly installed the fake MinerBlock should uninstall it right away.

How To Uninstall Fake MinerBlock Extension

To uninstall it, open Chrome's menu, choose More tools > Extensions (or type chrome://extensions in the address bar), find the fake MinerBlock entry and click Remove.
Be very careful when installing any extension: imitating legitimate programs and distributing the copies over the web has become a common trick. We also recommend running a scan of your computer to detect and remove any traces of malicious programs hiding on it.


TotalSystemSecurity © 2015-2018