All You Need to Know About Cerber Ransomware

What is Cerber ransomware?

Cerber is one of the most active ransomware families. It encrypts the victim’s files and demands money in exchange for restoring access to them. The encryption does not depend on an Internet connection, so disconnecting the PC once the infection has started will not stop it.

Like most ransomware, Cerber is usually delivered through phishing emails and exploit kits. Once the PC is infected and the files are encrypted, a ransom note appears with instructions on how to decrypt them. The ransom is demanded in Bitcoin, with the promise that access to the files will be restored once the fee is paid.

In July 2016, active Cerber ransomware campaigns delivered via exploit kits successfully infected roughly 150,000 users worldwide.

How Does it Work?

Earlier versions of Cerber renamed encrypted files with a .cerber extension; newer versions append a random extension instead. Cerber usually gets onto a system with the help of a downloader Trojan, most commonly delivered by email.

Typically you receive an email with an attachment or a link. The Trojan is hidden in the attached file, which can be an ordinary-looking Word document, and downloads the ransomware as soon as you open the file. A link works the same way: it redirects you to a website from which Cerber is downloaded.
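
The renaming behaviour described above is also something a defender can key on. The following is an added example, not code from the original article or from Zemana: a small Python detector that slides a time window over file-rename events and raises an alert when many files in quick succession gain a .cerber extension or a short, random-looking one. The event list, the window size, the threshold and the extension lists are constructed for the example; a real deployment would feed it rename events from Sysmon, an EDR agent or auditd and tune the lists to its own environment.

```python
from collections import deque

# Constructed sample of file-rename events as (timestamp in seconds, old path, new path).
# Invented for this example; in practice the feed would come from Sysmon, an EDR agent or auditd.
SAMPLE_EVENTS = [
    (0.0,   r"C:\Users\ann\Documents\report.docx",  r"C:\Users\ann\Documents\report.cerber"),
    (0.3,   r"C:\Users\ann\Documents\budget.xlsx",  r"C:\Users\ann\Documents\budget.cerber"),
    (0.7,   r"C:\Users\ann\Documents\notes.txt",    r"C:\Users\ann\Documents\notes.cerber"),
    (1.1,   r"C:\Users\ann\Pictures\holiday.jpg",   r"C:\Users\ann\Pictures\holiday.cerber"),
    (1.6,   r"C:\Users\ann\Pictures\family.png",    r"C:\Users\ann\Pictures\family.cerber"),
    (2.2,   r"C:\Users\ann\Documents\thesis.pdf",   r"C:\Users\ann\Documents\thesis.cerber"),
    (45.0,  r"C:\Users\ann\Documents\draft.txt",    r"C:\Users\ann\Documents\final.txt"),    # benign
    (46.0,  r"C:\Users\ann\Documents\draft.docx",   r"C:\Users\ann\Documents\draft.pdf"),    # benign
    (90.0,  r"C:\Users\bob\Desktop\invoice.docx",   r"C:\Users\bob\Desktop\invoice.a8f3"),
    (90.4,  r"C:\Users\bob\Desktop\contract.pdf",   r"C:\Users\bob\Desktop\contract.a8f3"),
    (90.9,  r"C:\Users\bob\Desktop\scan.jpg",       r"C:\Users\bob\Desktop\scan.a8f3"),
    (91.5,  r"C:\Users\bob\Desktop\payroll.xlsx",   r"C:\Users\bob\Desktop\payroll.a8f3"),
    (92.0,  r"C:\Users\bob\Desktop\minutes.docx",   r"C:\Users\bob\Desktop\minutes.a8f3"),
    (400.0, r"C:\Users\bob\Desktop\photo.jpg",      r"C:\Users\bob\Desktop\photo.z9q2"),   # isolated
]

# Extensions an ordinary rename is likely to produce; anything else that is short and
# alphanumeric is treated as "random-looking". Tune this list for your environment.
COMMON_EXTENSIONS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "csv", "jpg", "jpeg", "png",
    "gif", "mp3", "mp4", "zip", "7z", "rar", "bak", "tmp", "old", "log", "html", "xml", "json",
}
KNOWN_RANSOM_EXTENSIONS = {"cerber", "cerber2", "cerber3"}
WINDOW_SECONDS = 30.0
THRESHOLD = 5          # suspicious renames within one window needed to raise an alert


def extension(path):
    """Lower-case extension of a Windows or POSIX path, '' if there is none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def looks_random(ext):
    """Heuristic for Cerber-style random extensions: short, alphanumeric, not a known type."""
    return ext != "" and ext not in COMMON_EXTENSIONS and ext.isalnum() and 3 <= len(ext) <= 8


def is_suspicious_rename(old_path, new_path):
    """A rename is suspicious when the extension changes to a known ransomware or random one."""
    old_ext, new_ext = extension(old_path), extension(new_path)
    if new_ext == old_ext:
        return False
    return new_ext in KNOWN_RANSOM_EXTENSIONS or looks_random(new_ext)


def detect_mass_rename(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Slide a time window over the rename events and return one alert per burst.

    Each alert is a dict with the first and last timestamp of the burst, the number of
    suspicious renames it contained and the sorted set of new extensions that were seen.
    """
    alerts = []
    recent = deque()          # (timestamp, new_extension) pairs inside the current window
    in_burst = False
    for ts, old_path, new_path in sorted(events):
        if not is_suspicious_rename(old_path, new_path):
            continue
        recent.append((ts, extension(new_path)))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            if in_burst:
                # extend the open alert instead of raising a new one for every event
                alerts[-1]["end"] = ts
                alerts[-1]["count"] += 1
                alerts[-1]["extensions"] = sorted({e for _, e in recent} | set(alerts[-1]["extensions"]))
            else:
                alerts.append({"start": recent[0][0], "end": ts, "count": len(recent),
                               "extensions": sorted({e for _, e in recent})})
                in_burst = True
        else:
            in_burst = False
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print(f"ALERT: {alert['count']} suspicious renames between t={alert['start']} "
              f"and t={alert['end']} to extensions {alert['extensions']}")
```

The rate-based rule matters more than the extension list: a detector keyed only on .cerber misses the later versions that use a random extension, while a burst of extension changes still fires. Expect benign hits from bulk renames by backup or archiving tools, so scope the rule by process name before paging anyone.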

What Is So Special About Cerber?

Cerber does not target every country. If the infected computer appears to be located in Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine or Uzbekistan, the malware terminates itself without encrypting anything.

Cerber operates on the Ransomware-as-a-Service business model: affiliates join to distribute the ransomware, and the Cerber developers take a commission from each ransom payment.

Will I Get My Data Back If I Pay The Ransom?

To make sure victims are able to pay, the attackers provide step-by-step instructions for paying in Bitcoin.

Paying the ransom is an option, but there is no guarantee it will work: cyber-criminals are not exactly a trustworthy group.

Paying also encourages the criminals to continue and expand their operations. We strongly recommend that you do not send any money and instead report the attack to the law enforcement agency in your country.

Designed by Vectorpouch and can be found at https://www.freepik.com

How To Prevent Cerber Ransomware From Infecting My PC?

To keep Cerber or any other malware off your PC, install antivirus software as the baseline and antimalware protection as an additional layer. You also need backups of your personal documents, kept somewhere the ransomware cannot reach.

Cerber Removal

Unfortunately, once your PC has been infected and your data encrypted, the files cannot be recovered without the decryption key or a backup. The people behind Cerber claim you will get your data back once you pay the ransom, but no one can guarantee this.

Antivirus and antimalware software can remove the infection from your PC, or block it before it runs if the software was installed in time, but they cannot recover files that have already been encrypted. That is why it is so important to protect your files beforehand.

If you are using the premium version of Zemana AntiMalware (which comes with a 15-day free trial), its real-time protection blocks Cerber before it can infect your PC.

If you continue using the trial and do not purchase a Premium subscription when it ends, Zemana AntiMalware disables its premium features; all basic features remain unchanged. This means real-time blocking of Cerber is no longer active, but you can still scan your PC with Zemana AntiMalware, which will detect Cerber and remove it.

Therefore, the best prevention against Cerber is installing the right protection before you get infected.

Zemana AntiMalware As A Cerber Removal Tool

According to MRG Effitas testing, Zemana AntiMalware is the best anti-ransomware software on the market.

If you are looking for a solution to remove Cerber, note that Zemana AntiMalware is compatible with any antivirus software you may already have on your PC and runs alongside it without conflicts.

Below you can find a guide on how to detect and remove this ransomware with Zemana AntiMalware.

STEP 1: Download Zemana AntiMalware here.

STEP 2: Once downloaded, install the software on your PC by double-clicking the ZAM program icon on your desktop or in your downloads folder.

STEP 3: Press the “Scan” button.

STEP 4: When the scan is complete, click “Next”.

STEP 5: Restart your computer if you are prompted to do so.

Cyber Threats That are Lurking in Hospital Environment

Healthcare technology is saving and improving patients’ lives: wearable and implanted devices such as insulin pumps and pacemakers monitor a patient’s condition and deliver medication based on the measured values. It also provides storage for Electronic Health Records, which let clinicians see a patient’s history and evaluate their condition quickly and effectively.

Because these devices connect to each other, the technology can also be used outside the clinical environment: doctors can monitor their patients remotely, without the patient coming to the hospital. Healthcare technology offers increased efficiency, fewer errors, automation, remote monitoring and time savings.

But, Is It Safe?

Hospitals are well known to be attractive targets for stealing patient information. According to reports from around the world, millions of medical records have already been stolen. The health sector has recently become one of the most targeted sectors, and attacks against it are increasing in both number and severity.

Then

Before Electronic Health Records, every hospital, and often every department, kept its own records. A case of missing or stolen papers that were later exposed affected only hundreds or thousands of patients in that hospital or department. The records could be accessed only physically, and only by hospital staff who could reach the paperwork, so it was very hard for an outsider to get a look at medical records.

Now

With Electronic Health Records, the data is electronic. Records from many hospitals are gathered in one pool that can be accessed remotely, so a single breach can affect millions of patients. This has led financially or politically motivated hackers to go after celebrities and business people who do not want a medical condition revealed that could humiliate them or damage their reputation.

This image was created by Rawpixel.com and can be found at https://www.freepik.com/free-photos-vectors/heart

More Than a Data Breach

Now that wearable devices are in the picture, cyber-attacks on the health sector can have far more severe consequences. Devices that share real-time vital signs and deliver doses of medicine become new targets, and integrating them into a hospital network without the necessary security precautions creates new vulnerabilities. Health security thus becomes a patient safety issue.

Why Is The Health Sector Being Targeted?

People assumed nobody would be interested in attacking healthcare systems, so they avoided spending money on cyber security. They were wrong: the healthcare system attracted hackers and offered them new ways in. Because of this lack of awareness, some hospitals still run operating systems that are no longer supported, such as Windows XP, and some do not keep their software updated to close known security holes.

Moreover, medical data is far more valuable than financial data. Besides being sold for thousands of dollars, it can be used to obtain health services and medication that can be resold on the Internet, or even to open bank accounts and apply for loans.

It could also be used for more than making money. Imagine a politician with a severe allergy to bee stings: combining that information with bees would be potentially life-threatening. Or imagine a cyberwar that targets specific people through their medical devices.

How Health Care Technology Can Be Protected?

In healthcare the focus is on patient care; millions of dollars are spent to keep patients alive and treat them well using technologies that create and store vast amounts of sensitive and valuable information. Biological viruses are being wiped out of hospitals, but what about cyber viruses: spyware, ransomware and other kinds of malware?

This image was designed by Tirachard and can be found at https://www.freepik.com/free-photo/blurred-background-abstract-blur-beautiful-luxury-hospital-and-clinic-interior-for-background-vintage-effect-style-pictures_1375238.htm

Since new types of malware appear in the cyber world every minute, there is no 100% effective way to protect any computer or device from cyber-attacks. However, the following steps go a long way, because they close the vulnerabilities attackers rely on:

  • Backups should be created so that data can be recovered quickly after an attack that erases or encrypts it.
  • All software must be kept updated so that security patches cover the latest vulnerabilities.
  • All medical data should be encrypted so that, in the event of a breach, third parties cannot use it.
  • All employees should be trained to reduce insider threats, whether from mistakes or deliberate actions, including phishing websites and social engineering attacks.
  • Instead of traditional antivirus solutions, advanced security software with multilayered defense and machine learning capabilities should be used; Zemana Endpoint Security is one example.
  • A network security device such as a firewall is a plus alongside advanced security software.

New Wave of Browser Hijackers

New Phishing Campaign

A new phishing campaign that redirects users to a browser hijacker was recently discovered. The attackers use fake alert messages to convince users that their computer is infected with malware. Frightened users then call the phone number shown in the alert, asking for technical support to remove the malware, and end up paying for support they never needed.

Phishing Emails

It starts with an email asking the recipient to click a box to display a message. The message is designed to convince you that you are infected with malware, and it includes a technical support phone number.

If you click it, you may be redirected to a website and tricked into entering your credentials. Meanwhile, the malware switches the browser to full-screen mode and prevents you from closing the fake Outlook page.

Since both home and business users rely on email every day, experts believe this campaign targets both groups.

Namecheap Domain Names

According to experts, the domains the attackers used to send the phishing emails were all purchased from Namecheap, a domain registrar that also sells domain names registered to third parties.

Why Do Browser Hijackers Pose Such a Threat?

Browser hijackers are among the most common threats online today. Many users without a technical background do not even realise they have been infected, which is exactly what makes browser hijacking so dangerous.

How Can I Recognize It?

When software modifies your browser settings, default search engine or homepage without your permission, you are dealing with a browser hijacker. Hijackers also redirect you to websites you did not intend to visit, usually with the aim of tricking you into handing over your credentials.

A hijacker often comes in the form of adware that displays intrusive ads which are hard to close. There is a high chance you will click on one of them, accidentally or otherwise, and be redirected to a website you did not want to visit, where you may be asked for your email address or financial details.

How Can I Protect Myself From Browser Hijackers?

Here are some necessary steps you need to take to ensure your protection:

  1. Update your OS and your browser software
  2. Install an antivirus and antimalware protection
  3. Use your antivirus software’s “Real-time protection” feature
  4. Don’t click on suspicious links in your emails
  5. Be suspicious of free programs (double-check how secure and legitimate they really are)

How To Remove Browser Hijackers?

Removing a browser hijacker is often a laborious process. It is best to start with your browser and work your way down to the operating system to see how deep the hijacker goes.

We recommend removing suspicious and unnecessary toolbars and extensions. Then close your browser and restart your computer.

After the restart, check whether what you removed is still gone. If it is, reset your browser settings (default search engine, homepage and so on) and everything should return to normal. If you are still being redirected or an extension will not uninstall, you will have to go deeper.
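
To make the “check your browser settings” step concrete, here is an added example (not code from the original article or from Zemana) that audits a Google Chrome profile’s Preferences file for the settings a hijacker typically changes: the homepage, the start-up pages, the default search provider, and extensions that were not installed from the Web Store or that hold traffic-rewriting permissions. The trusted-host lists and the sample Preferences document are constructed assumptions for this example, and the JSON key layout should be verified against the Chrome version in use.

```python
import json
from urllib.parse import urlparse

# Hosts you expect to see as homepage/start page and as default search engine.
# Assumed values for this example; replace them with your organisation's own.
TRUSTED_HOME_HOSTS = {"www.google.com", "intranet.example.com"}
TRUSTED_SEARCH_HOSTS = {"www.google.com", "duckduckgo.com", "www.bing.com"}

# Extension permissions that let an extension rewrite or redirect traffic, which is what a
# hijacker needs. Legitimate extensions (ad blockers, password managers) request some of
# these too, so treat a hit as something to review, not as proof of infection.
RISKY_PERMISSIONS = {"tabs", "webRequest", "webRequestBlocking", "webNavigation",
                     "proxy", "management", "<all_urls>"}

# Constructed sample of the parts of a Chrome "Preferences" file this check reads. The key
# layout (homepage, session.startup_urls, default_search_provider_data.template_url_data,
# extensions.settings) is the one used by Chromium profiles; verify it against your version.
SAMPLE_PREFERENCES = json.dumps({
    "homepage": "http://search-helperz.example/start",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4,
                "startup_urls": ["http://search-helperz.example/start"]},
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "search-helperz.example",
            "short_name": "Search Helperz",
            "url": "http://search-helperz.example/?q={searchTerms}",
        }
    },
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {      # fictitious id of a benign extension
                "from_webstore": True,
                "manifest": {"name": "Notes Sidebar", "permissions": ["storage"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {      # fictitious id of the hijacker
                "from_webstore": False,
                "manifest": {"name": "Search Helper",
                             "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"]},
                "path": "C:\\Users\\ann\\AppData\\Local\\Temp\\sh\\",
            },
        }
    },
})


def _host(url):
    """Lower-case host part of a URL, '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def audit_chrome_preferences(prefs):
    """Return a list of (category, detail) findings for settings a hijacker typically changes."""
    findings = []

    homepage = prefs.get("homepage", "")
    if homepage and _host(homepage) not in TRUSTED_HOME_HOSTS:
        findings.append(("homepage", homepage))

    for url in prefs.get("session", {}).get("startup_urls", []):
        if _host(url) not in TRUSTED_HOME_HOSTS:
            findings.append(("startup_url", url))

    provider = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    search_url = provider.get("url", "")
    if search_url and _host(search_url) not in TRUSTED_SEARCH_HOSTS:
        findings.append(("search_engine", provider.get("keyword") or search_url))

    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = ext.get("manifest", {})
        name = manifest.get("name", ext_id)
        risky = set(manifest.get("permissions", [])) & RISKY_PERMISSIONS
        reasons = []
        if not ext.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        if risky:
            reasons.append("risky permissions: " + ", ".join(sorted(risky)))
        if reasons:
            findings.append(("extension", f"{name} ({ext_id}): " + "; ".join(reasons)))
    return findings


def audit_preferences_file(path):
    """Audit a real profile, e.g. %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Preferences."""
    with open(path, encoding="utf-8") as fh:
        return audit_chrome_preferences(json.load(fh))


if __name__ == "__main__":
    for category, detail in audit_chrome_preferences(json.loads(SAMPLE_PREFERENCES)):
        print(f"[{category}] {detail}")
```

Run it against the Preferences file of each profile (Chrome keeps one per profile directory) with the browser closed, since Chrome rewrites the file on exit. A finding in the extension category with “not installed from the Web Store” plus a path under a temporary directory, as in the constructed sample, is the pattern to chase first; hijackers that survive a settings reset are usually re-applied by exactly such an extension or by a scheduled task that reinstalls it.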

In That Case, Install Zemana AntiMalware

Zemana AntiMalware is known as the best tool on the market for detecting and removing browser hijackers. It has always been highly effective at this, and you can download it for free (it comes with a 15-day free trial).

If you continue using the trial and do not purchase a Premium subscription when it ends, Zemana AntiMalware disables its premium features; all basic features remain unchanged.

Stay safe with Zemana! 🙂

TRITON: The Malware That Could Have Killed Hundreds

In December 2017, security researchers disclosed an attack on a Middle Eastern oil and gas petrochemical plant by malware named TRITON, also known as TRISIS or HatMan; the intrusion itself had taken place in August 2017. The malware targeted the plant’s Safety Instrumented System, which is part of its Industrial Control Systems.

ICS vs SIS

Industrial Control Systems (ICS) are computer-based systems that engineers use to monitor process variables and keep them under control. They run the production process in industries that turn raw materials into products through a continuous series of steps, such as power generation, oil refining and chemical processing.

Safety Instrumented Systems (SIS) also monitor process variables, but they are not meant to control the production process. When a monitored value moves outside its safe operating limits, the SIS triggers alarms and overriding signals to protect people, the plant and the environment.

Factory designed by Macrovector https://www.freepik.com/free-vector/industry-background-design_1048767.htm

These systems are used in oil and gas plants, nuclear power stations, water treatment facilities and elsewhere. They prevent incidents such as hardware failure, fire and explosions, so that production continues without catastrophic results.

Seriousness Of This Attack

Unlike most cyber-attacks, this one was critical in the literal sense. Its purpose went beyond stealing information or causing disruption: it was meant to cause a catastrophic incident by disabling the Safety Instrumented System. Because of the seriousness of the attack, an in-depth analysis was performed.

The Attack Pattern

According to the analysis, the malware targeted Schneider Electric’s Triconex safety controllers, which are SIS products. It was well written. Its purpose was to install a Remote Access Trojan (RAT) that gave the attackers read, write and execute capability on the safety controller: access to all regions of memory, to the control logic and to the firmware.

It was written specifically for the model and firmware version of the targeted SIS, a Tricon 3008 running firmware version 10.3. To use it, the attackers needed access to the SIS network, locally or remotely, and a computer from which to load the malware onto the Tricon.

In this incident the attack was launched from the TriStation engineering workstation, which runs the software used to develop, test and document the safety and process-control applications that execute on Triconex controllers. In addition, the key switch on the controller’s front panel had to be in Program mode; in that position the switch no longer protects the controller’s memory from being written, so the Tricon could be infected.

What Was Their Plan?

Apparently the attackers wanted to manipulate the layers of shutdown protection so that the system would keep running while they reached deeper to gain more control. Despite being well written, the malware accidentally triggered the emergency shutdown, and the resulting outage gave the attack away. Because the attackers never delivered their final payload, their true intentions remain unknown.

Russia?

More recently, analysts found clues linking the malware to the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) in Moscow, Russia. They assess that malware development activity very likely tied to CNIIHM, including the testing of multiple versions of malicious software, supported the TEMP.Veles group that carried out the TRITON intrusion.

From the testing activity, analysts found independent ties to CNIIHM and to an individual whose online activity shows a significant connection to the institute. TEMP.Veles used an IP address registered to CNIIHM to monitor open-source coverage of TRITON, conduct network reconnaissance and carry out malicious activity in support of the TRITON intrusion. The timing of TEMP.Veles activity was consistent with the Moscow time zone.

Lastly, analysts believe CNIIHM has the institutional knowledge and personnel needed to develop TRITON and support TEMP.Veles operations. Without specific evidence they cannot prove the link between CNIIHM and TRITON, but they attribute the capability to Russia.

The Wake Up Call

This incident should serve as a wake-up call for the industrial control and cyber security communities. Strong protection is more crucial today than ever. Businesses also need to educate their employees about the importance of cyber security and the risks of the online world; there are numerous examples of malware attacks that succeeded because of employee negligence. Proper security systems combined with employee awareness are the best way to stay safe.

New Banking Malware Found on Google Play

New Target – Users From Brazil

Malware authors have long disguised banking Trojans as ordinary apps and placed them on the Google Play Store. Security researchers have now found a new family of malware targeting banking apps on Android devices; this time it targets users in Brazil. It is distributed through Google Play and through promoted ads on Facebook.

What Is The Threat All About?

This Android malware was distributed as the following apps: Clean Droid, with over 500 installs; Quem viu teu perfil, with over 10,000 installs; and MaxCupons, with over 1,000 installs. To stay under the radar, the apps could only be downloaded and installed in Brazil.

When Was It Released?

The malicious apps were most probably released in September 2018; the earliest recorded sample had been available for more than a month at the time of analysis. Clean Droid is also distributed on Facebook: two Clean Droid pages were created there in October 2018 using the same profile picture as the app on Google Play, and one of them lists São Paulo, Brazil as its address to attract more people from that region.

Targeted Apps

The sole purpose of this Android malware is to trick users into entering their credentials so it can steal them. The family does not target just one app: it targets shopping, financial and banking apps as well as entertainment apps, around 26 different apps in total. It hides inside the decoy apps and has complex functionality.

Here Is How You Can Protect Yourself

1) Only download apps from Google Play. Malicious apps are much more common on third-party app stores, where they are rarely removed even when detected. As this case shows, Google Play is not a guarantee either, so apply the remaining steps to every app.

2) Before installing an app from Google Play, check its ratings, reviews and number of downloads.

3) Pay attention to the permissions you grant to the apps you install.

4) If you do not use an app, uninstall it. The fewer apps on your phone, the smaller the chance an attacker can get in through one of them.

5) Always keep your Android device updated and use a reliable mobile security solution. Our Zemana Mobile Antivirus is a lightweight but strong app that keeps your mobile device safe without overloading the system.

6) Turn off Wi-Fi and Bluetooth when you are not using them.

Let us know if this article was helpful or interesting to you!

You are also welcome to sign up for the Zemana forum, where you can join discussions, ask about Zemana products and meet other Zemana users.

Stay safe with Zemana! 🙂

What is GoldenEye Ransomware?

GoldenEye has often been referred to as the king of ransomware, since it is considered one of the worst ransomware strains ever created.

GoldenEye is a variant of the notorious Petya ransomware. The name is also used by some vendors for the June 2017 Petya-like outbreak, which spread from one device to another using the EternalBlue exploit. It encrypts the entire hard disk and denies you access to your computer.

How Does It Work?

GoldenEye encrypts individual files on your computer as well as the structures of the hard drive itself.

GoldenEye goes a step further than the original Petya because it has two layers of encryption: one encrypts the target files individually, and the other encrypts the NTFS structures on the disk, preventing the victim’s PC from booting and from retrieving the stored data.

GoldenEye is distributed through spam emails. Infection occurs after the victim opens the attached document and enables macros.
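
Both GoldenEye, as described above, and Cerber earlier on this page arrive as an Office attachment whose macros fetch or unpack the payload, so one mail-gateway check for macro-bearing attachments covers both. The following is an added example, not code from the original article or from Zemana. It inspects an attachment’s bytes rather than trusting its file name: OOXML packages (.docm and relatives) are zip archives, so it looks for a vbaProject.bin part or the matching content type; legacy binary .doc files are OLE compound files, for which it uses a byte-scan heuristic for the VBA storage names. The sample files it builds are constructed stand-ins, not real Word documents, and a production gateway should replace the byte scan with a full OLE parser such as oletools’ olevba.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (OLE2) container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (docx/docm/xlsm/...) is a zip archive

# Storage/stream names that appear in the OLE directory when a document carries VBA.
# Names are stored as UTF-16LE inside the file, hence the encoding. This is a byte-scan
# heuristic, not a full OLE parser; a real gateway should use olevba or similar.
OLE_MACRO_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]

LEGACY_EXTS = {"doc", "xls", "ppt", "dot", "xlt", "pot"}
MODERN_NO_MACRO_EXTS = {"docx", "xlsx", "pptx", "dotx", "xltx", "potx"}


def _ooxml_has_vba(data):
    """True if an OOXML package contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                return b"vnd.ms-office.vbaProject" in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        pass
    return False


def inspect_attachment(filename, data):
    """Classify an email attachment by its bytes and decide whether it should be held."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {"filename": filename, "container": "other", "macros": False,
              "extension_mismatch": False}
    if data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        result["macros"] = _ooxml_has_vba(data)
        # a zip-based document wearing a legacy name, or macros under a macro-free name,
        # is a disguise worth holding even when Office would refuse to run the code
        result["extension_mismatch"] = (ext in LEGACY_EXTS
                                        or (result["macros"] and ext in MODERN_NO_MACRO_EXTS))
    elif data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        result["macros"] = any(marker in data for marker in OLE_MACRO_MARKERS)
        result["extension_mismatch"] = ext in MODERN_NO_MACRO_EXTS
    result["quarantine"] = result["macros"] or result["extension_mismatch"]
    return result


def build_ooxml(with_vba):
    """Build a minimal constructed OOXML package in memory (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)   # placeholder, not real VBA
    return buf.getvalue()


# Constructed OLE look-alikes: the magic header followed by the directory names a macro
# document would (or would not) contain. Real files are far larger and fully structured.
FAKE_OLE_WITH_MACROS = (OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le")
                        + b"\x00" * 8 + "_VBA_PROJECT".encode("utf-16-le"))
FAKE_OLE_CLEAN = OLE_MAGIC + b"\x00" * 128 + "WordDocument".encode("utf-16-le")


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_ooxml(True)),
        ("invoice.docx", build_ooxml(False)),
        ("invoice.doc", build_ooxml(True)),
        ("invoice.doc", FAKE_OLE_WITH_MACROS),
        ("invoice.doc", FAKE_OLE_CLEAN),
        ("notes.txt", b"plain text"),
    ]
    for name, blob in samples:
        r = inspect_attachment(name, blob)
        print(f"{name:14} container={r['container']:5} macros={r['macros']!s:5} "
              f"mismatch={r['extension_mismatch']!s:5} quarantine={r['quarantine']}")
```

The point of checking the container rather than the extension is that the spam described on this page relies on the recipient enabling macros, and attackers routinely rename a .docm to .doc so the icon looks harmless. Holding every macro-bearing document will catch legitimate internal templates too, so pair the rule with an allow-list of known senders or signed VBA projects rather than dropping the rule.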

If you are infected, you see an image of a skull on a yellow background with the text “Press any key!” beneath it.

Once you press a key, instructions on how to pay the ransom and retrieve your data appear on the screen.

What Is So Special About GoldenEye?

The latest version of this ransomware detected was the German-language version. While Petya was designed to encrypt data, GoldenEye was specifically designed to destroy it.

The user cannot access the Windows operating system until the ransom is paid via the Tor Browser. The Tor page requires a CAPTCHA, after which the user must enter their personal identifier.

After the encryption process completes, the ransomware runs a routine that forcibly crashes the computer to trigger a reboot, leaving the machine unusable until the ransom of $300 is paid.

It has had its biggest impact on companies in Ukraine.

Will I Get My Data Back If I Pay The Ransom?

Paying the ransom is possible, but it does not mean you will get your data back, because GoldenEye was specifically created to destroy data.

How To Prevent GoldenEye Ransomware From Infecting My PC?

To keep Petya, GoldenEye or any other malware off your PC, install antivirus software as the baseline and antimalware protection as an additional layer. You also need backups of your personal documents.

GoldenEye Removal

Unfortunately, once your PC has been infected and your data encrypted, the files cannot be recovered without a backup. Antivirus and antimalware software can remove the infection from your PC, or block it before it runs if the software was installed in time, but they cannot recover files that have already been encrypted. That is why it is so important to protect your files beforehand.

If you are using the premium version of Zemana AntiMalware (which comes with a 15-day free trial), its real-time protection blocks GoldenEye before it can infect your PC.

If you continue using the trial and do not purchase a Premium subscription when it ends, Zemana AntiMalware disables its premium features; all basic features remain unchanged. This means real-time blocking of Petya and GoldenEye is no longer active, but you can still scan your PC with Zemana AntiMalware, which will detect them and remove them.

Therefore, the best prevention against Petya and its variants is installing the right protection before you get infected.

Zemana AntiMalware as a GoldenEye Removal Tool

According to MRG Effitas testing, Zemana AntiMalware is the best anti-ransomware software on the market and the most efficient at blocking Petya and its variants on your PC.

If you are looking for a solution to remove GoldenEye, note that Zemana AntiMalware is compatible with any antivirus software you may already have on your PC and runs alongside it without conflicts.

Below you can find a guide on how to detect and remove this ransomware with Zemana AntiMalware.

STEP 1: Download Zemana AntiMalware here.

STEP 2: Once downloaded, install the software on your PC by double-clicking the ZAM program icon on your desktop or in your downloads folder.

STEP 3: Press the “Scan” button.

STEP 4: When the scan is complete, click “Next”.

STEP 5: Restart your computer if you are prompted to do so.

Interested in Petya ransomware? Learn more here.

What is Citadel Malware?

Citadel is a crimeware toolkit for distributing malware and managing botnets. It makes it easy to push additional payloads, including ransomware, onto infected systems through pay-per-install schemes. Citadel was designed to steal personal information, including banking and financial details, from its victims.

The Citadel Trojan, based on the leaked Zeus source code, builds a botnet out of a large number of infected computers. The attacker can run malicious code on an infected machine, including ransomware and scareware.

How Does It Work?

Citadel is installed on a victim’s computer through a drive-by download, most often using the Blackhole exploit kit. Blackhole is a pay-for-service platform, an early example of malware-as-a-service sold on underground forums, that plants browser exploits on compromised web servers in order to install malware on visitors’ computers.

When a user visits an infected website, Blackhole exploits a vulnerability in the user’s web browser to install Citadel.

Citadel could take control of a user’s Windows PC, attempt to capture the master passwords of some third-party password managers, and block access to antivirus vendors’ websites.

Citadel was also used in targeted attacks that exploited Microsoft zero-day vulnerabilities to compromise companies, alongside more conventional attacks.

What Is So Special About Citadel Malware?

Mark Vartanyan, a developer of the Citadel Trojan who went by the online handle “Kolypto”, was arrested in the Norwegian town of Fredrikstad in 2015 at the request of the FBI.

Vartanyan pleaded guilty in a plea bargain with US federal prosecutors, who agreed not to seek a prison sentence of more than ten years.

How To Prevent Citadel From Infecting My PC?

The best way to prevent a Citadel infection is to avoid untrustworthy websites and to be especially careful when using online banking. Your PC can also be infected through browser exploits, so install an antivirus solution as the baseline protection and an antimalware solution as the necessary additional layer, and keep both updated.

How To Remove Citadel From a PC?

If you are looking for a solution to detect Citadel or protect you from it, download Zemana AntiLogger for free (it comes with a 15-day free trial). It detects any type of malware on your PC and removes it.

If you continue using the trial and do not purchase a Premium subscription when it ends, Zemana AntiLogger disables its premium features; all basic features remain unchanged.

Zemana AntiLogger as a Citadel Removal Tool For Your PC

If you need to remove Citadel, download Zemana AntiLogger, which provides Secure SSL and keystroke-logging protection. Zemana AntiLogger is compatible with any antivirus software you may already have on your PC and runs alongside it without conflicts.

Below you can find a guide on how to detect and remove Citadel with Zemana AntiLogger.

STEP 1: Download Zemana AntiLogger here.

STEP 2: Once downloaded, install the software on your PC by double-clicking the ZAL program icon on your desktop or in your downloads folder.

STEP 3: Press the “Scan” button.

STEP 4: When the scan is complete, click “Next”.

STEP 5: Restart your computer if you are prompted to do so.