Securing the .pl domain

Sage 2.0 analysis

Data publikacji: 14/02/2017, Jarosław Jedynak

Introduction Sage is a new ransomware family, a variant of CryLocker. Currently it’s distributed by the same actors that are usually distributing Cerber, Locky and Spora. In this case malspam is the infection vector. Emails from the campaign contain only malicious zip file without any text. Inside zip attachment there is malicious Word document with [...] Read more

Nymaim revisited

Data publikacji: 30/01/2017, Jarosław Jedynak

Introduction Nymaim was discovered in 2013. At that time it was only a dropper used to distribute TorrentLocker. In February 2016 it became popular again after incorporating leaked ISFB code, dubbed Goznym. This incarnation of Nymaim was interesting for us because it gained banking capabilities and became a serious threat in Poland. Because of this, [...] Read more

Evil: A poor man’s ransomware in JavaScript

Data publikacji: 18/01/2017, Jarosław Jedynak

Introduction Initially Evil was brought to our attention by an incident reported on 2017-01-08. By that time the Internet was completely silent on that threat and we had nothing to analyze. We found first working sample day later, on 2017-01-09. In this article we will shortly summarize our analysis and conclusions. Since then, we had [...] Read more

Technical analysis of CryptoMix/CryptFile2 ransomware

Data publikacji: 04/01/2017, Jarosław Jedynak

Campaign CryptoMix is another ransomware family that is trying to earn money by encrypting victims files and coercing them into paying the ransom. Until recently it was more known as CryptFile2, but for reasons unknown to us it was rebranded and now it’s called CryptoMix. It was observed in the wild being served by the [...] Read more