Interestingly, just the other day we wrote about a large leak of letters from the US military due to the typo, and we also wrote about a Western Digital data leak after a hack.

US Military Agencies Data on VirusTotal

Der Spiegel journalists were the first to leak an important 313 kilobyte file containing information about 5600 VirusTotal clients. According to them, the list contains the names of organizations and email addresses of employees who have registered accounts.

The publication emphasizes that it has verified the authenticity of the list and made sure that many of the people listed are actually civil servants, and some of the victims can be easily found on LinkedIn. According to media reports, more than 20 entries on the list belong to members of the US Cyber Command, the US Department of Justice, the Pentagon, the federal police, the FBI, the NSA, and so on.

From the UK, the list included more than ten employees of the Ministry of Defense, as well as email addresses belonging to employees of CERT-UK, which is part of the country’s Government Communications Center (GCHQ). According to the GCHQ email format, employee mailboxes contain only the initials of each user’s last name. However, full names are contained in email addresses belonging to specialists from the Ministry of Defense, the Cabinet of Ministers, the Office for the Decommissioning of Nuclear Power Plants and the UK Pension Fund.

In addition, employees of various ministries of Germany (including the Federal Police, the Federal Criminal Police Office and the Military Counterintelligence Service), Japan, the United Arab Emirates, Qatar, Lithuania, Israel, Turkey, France, Estonia, Poland, Saudi Arabia, Colombia, the Czech Republic, Egypt, Slovakia and Ukraine became victims of the leak. About 30 more email addresses belong to employees of Deutsche Bahn (Germany’s main railway operator), and the file also contains data about employees of the Bundesbank and such large companies as BMW, Mercedes-Benz and Deutsche Telekom.

Why is that so critical?

Although the leak only affects email addresses and names, even these can be valuable information for hackers. The fact is that the file sheds light on people who deal with cybersecurity and malware in many companies, departments and organizations. As a result, they can become targets for spear phishing attacks or social engineering. In addition, it can be understood from the list that, for example, some military personnel use personal mailboxes and personal Gmail, Hotmail and Yahoo accounts in their work.

Google representatives have already told the media that they are aware of the leak, and the company has already taken all necessary measures to eliminate it.

The post Hundreds of Military and Intelligence Agencies Uploaded Data to VirusTotal appeared first on Gridinsoft Blog.

The study showed that attackers are increasingly imitating legitimate applications such as Skype, Adobe Reader and VLC Player to gain the trust of victims.

Let me remind you that we also wrote that Scammers spread malware under the mask of the Brave browser, and also that Hackers majorly use Microsoft and DHL brands in phishing attacks.

Attackers use various approaches to compromise endpoints by tricking users into downloading and running seemingly harmless executable files. Researchers report that in addition to Skype, Adobe Reader and VLC Player, hackers often disguise their programs as 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom and WhatsApp.

Such deception, among other things, is achieved through the use of legitimate domains in order to bypass firewall protection. Some of the most commonly abused domains are discordapp[.]com, squarespace[.]com, amazonaws[.]com, mediafire[.]com, and qq[.]com.

In total, the experts found at least 2.5 million suspicious files downloaded through 101 domains included in the list of 1000 best sites according to Alexa.

Another commonly used tactic is signing malware with valid certificates, usually stolen from software developers. Since January 2021, VirusTotal has detected over a million malware samples, of which 87% had a legitimate signature when they were first uploaded to the database.

VirusTotal also reports that it found 1,816 malware samples that disguised themselves as legitimate software, hiding in the installers of popular programs, including products such as Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox and Proton VPN.

The post Most Often, Malware to Bypass Protection Impersonates Skype, Adobe Acrobat and VLC appeared first on Gridinsoft Blog.

The Bleeping Computer reports that it has already studied the archive published by the attackers and confirms that the decryptors are real and really help to decrypt the affected files.

Let me remind you that we also said that Free decryptor for BlackByte ransomware was published, and also that Cybersecurity specialists released a free decryptor for Lorenz ransomware.

Journalists note that they tested only one decryptor, which successfully decrypted files blocked during one of the AstraLocker campaigns. The other decryptors in the archive are apparently designed to decrypt files damaged during previous campaigns.

Archive content

The journalists also managed to get a comment from one of the malware operators:

Although the malware developer did not say why AstraLocker suddenly stopped working, journalists believe that this may be due to recently published reports by security experts who studied the malware. This could bring AstraLocker to the attention of law enforcement.

Emsisoft, a company that helps ransomware victims recover data, is currently developing a universal decryptor for AstraLocker, which should be released in the near future.

What will we no longer see in the criminal world?

Threat intelligence firm ReversingLabs recently reported that AstraLocker used a somewhat unusual method of encrypting its victims’ devices compared to other strains of ransomware.

Instead of first compromising the device (hacking it or buying access from other attackers), the AstraLocker operator will directly deploy the payload from email attachments using malicious Microsoft Word documents.

The honeypots used in the AstroLocker attacks are documents that hide an OLE object with a ransomware payload that will be deployed after the target clicks “Run” in the warning dialog displayed when the document is opened.

Before encrypting files on a compromised device, the ransomware will check to see if it is running on a virtual machine, terminate processes, and stop backup and antivirus services that could interfere with the encryption process.

Based on analysis by ReversingLabs, AstraLocker is based on the leaked source code of Babuk Locker (Babyk) ransomware, a buggy yet still dangerous strain that came out in September 2021.

Also, one of the Monero wallet addresses in the AstraLocker ransom note was also linked to the operators of the Chaos ransomware.

The post AstraLocker Ransomware Operators Publish File Decryption Tools appeared first on Gridinsoft Blog.