Lucy: A File Encryption Android Malware that for Ransomware Operations – Disposable mail news


A malware that attacks Android smartphones has increased its Maas (malware-as-a-service) operations with file encryption capabilities to carry out ransomware attacks.

The malware, according to cybersecurity experts, is called “Lucy.” The Lucy gang is a group of Russian hackers who became famous two years ago by launching the Black Rose Lucy service, a malware that allowed Botnet attacks on android smartphones.

According to Checkpoint Research, “Because the Android accessibility service can mimic a user’s on-screen click, this is the crucial element for Black Rose to carry out malicious activities. Once the accessibility service is enabled, Black Rose can quickly shuffle through screens to grant itself device admin privileges.” 

The Lucy service allows its users to attach files on vulnerable devices, which ask for $500 as a ransom in the browser window. The message says that it comes from the FBI, and the user must pay the ransom because he is found guilty of storing adult content on his android smartphone.

The FBI note here aims to frighten the victims into paying the ransom to hackers. The hackers demanding payment from their victims based on legal consequences is blackmail, as it is entirely unethical. The victims are blackmailed for storing pornographic content and visiting adult websites.

To make the ransom more serious and believing, the hackers say that they have the victim’s photograph and location, which they have posted on the FBI’s criminal investigation website. The ransom should be paid within three days of the notification, if not, the penalty triples, says the message warning.

It may sound strange, but the hackers don’t demand cryptocurrency payments. Instead, they ask for credit card credentials, which is odd because, in most of the cases, the ransom is asked in terms of cryptocurrency as it is easy to cash in.

According to Check Point Research’s 2010 data, “The Black Rose dropper family samples we acquired disguise either as an Android system upgrade or image files. Samples primarily leverage Android’s accessibility service to install their payload without any user interaction and forge an interesting self-protection mechanism.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

L4NC34 Ransomware Teaches That Ransomware Attacks Ought To Never Be Trifled With – Disposable mail news

There is no denying the fact that whenever the word ransomware is mentioned computers are an instinctive afterthought to have been largely infected by the same. The impact is without a doubt an extremely serious one and so it always escapes our notice that it’s the websites also that are touched upon by this impact.

While Ransomware is normally thought to be a method wherein files are encrypted in a super-perplexing way, alongside a ransom note asking hundreds to thousands of dollars’ worth of cryptocurrency.

Typically this is kind of the reality — however, attackers aren’t very similar to each other and not all may have the technical ability or would even attempt to go to such lengths.

Thus as of late, there was a case where the entire website files were apparently encrypted and had their file names changed to affix a “.crypt”.

Among the files, we additionally found the ransom note one might usually discover in this type of malware, but this one was somewhat unusual — it wasn’t an HTML or a .txt file. Rather, the ransom note was actually located inside a PHP file and appeared to contain actual capacities.

Here is a more critical look at the file.

The code of the malicious PHP file is as follows:

‘.base64_decode(‘PHRpdGxlPkw0TkMzNCBSYW5zb213YXJlPC90aXRsZT4KPGx[pbmsgcmVj[REDACTED BASE64 CODE]dCBNYWlsIDogbDRuYzM0MEBnbWFpbC5jb20=’).’

At first glance, nothing looks particularly surprising here, when decoded the result is:

L4NC34 Ransomware

“;
}

function decdir($dir){
$files = array_diff(scandir($dir), array(‘.’, ‘..’));
foreach($files as $file) {
if(is_dir($dir.”/”.$file)){
decdir($dir.”/”.$file);
}else {
decfile($dir.”/”.$file);
}
}
}

decdir($_SERVER[‘DOCUMENT_ROOT’]);
echo “
Webroot Decrypted
“;
unlink($_SERVER[‘PHP_SELF’]);
unlink(‘.htaccess’);
copy(‘htabackup’,’.htaccess’);
echo ‘Success !!!’;
} else {
echo ‘Failed Password !!!’;
}
exit();
}
?>



L4NC34 ransomware

Your Website Is Encrypted

Don’t Change the Filename because it Can Damage the File If You Want to Return You Must Enter the Password First

Send Me $10 For Back Your Website

Bitcoin Address :

Contact Mail: [email protected]




Now the portions of code responsible for displaying the ransom note, along with the actual decryption process for the files are very clearly visible.

However, this code contains a few specific characteristics that are worth noting.

$input = $_POST[‘pass’];
$pass = “9c6679accb84e3ef938b1f4c24158355”;
if(isset($input)) {
if(md5($input) == $pass) {

This ‘snippet’ basically verifies if the password inputted on the page coordinates the hardcoded md5 hash. That appears to be somewhat odd; one may expect that the alleged key was not hardcoded — yet if so, at that point there might be a purpose behind these apparently encrypted files.

This next bit is answerable for the ransomware’s file decryption function:

function decfile($filename){
if (strpos($filename, ‘.crypt’) === FALSE) {
return;
}
$decrypted = gzinflate(file_get_contents($filename));
file_put_contents(str_replace(‘.crypt’, ”, $filename), $decrypted);
unlink(‘crypt.php’);
unlink(‘.htaccess’);
unlink($filename);
echo “$filename Decrypted !!!
“;

While there really isn’t anything special or very complex about it. The decryption process just seems to take into account the actual contents of the file and then gzinflate them.

From what is clearly evident here, it’s safe to assume that the only way this hacker “encrypted” the files was to gzdeflate the files and change their file name.

This is what one of the encrypted files looked like:

Backing up to the original ransom note/script and modifying it to execute the decryption function without affecting anything else.

We can go ahead and run it either through a terminal or through the browser directly. And when done so with the following command:


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

New Malicious Program ‘Nefilim’ Threatens to Release Stolen User Data – Disposable mail news

Nefilim, a new malicious program that basically is ransomware that functions by encrypting files on affected systems, has become active in the cyber ecosystem since February 2020. After encryption of the files, it demands a ransom from the victims for the decryption of files, tools, and software. However, it is still unclear how the ransomware is being spread, sources reckon that it’s distributed via susceptible Remote Desktop Services.

As per the head of SentinelLabs, Vitali Krimez and Michael Gillespie from ID Ransomware, the code employed in Nefilim resembles much that of Nemty’s, another file-encrypting ransomware that steals user data by restricting access to documents and multimedia using the AES-256 algorithm. As to the speculations of security researchers, it is likely that the authors of the first ransomware have a role to play in Nefilim’s creation and distribution. However, due to the uncertainty revolving around the operation source of the new ransomware, experts also point towards a possibility of the source code being somehow obtained by the new malicious actors to develop a new variant.

While the encryption is underway, all the affected files are added with “.NEFILIM” extension. For instance, a file previously named “xyz.png” would start appearing as “xyz.png.NEFILIM” after the encryption takes place. The completion of the process is followed by a ransom note being created on the infected user’s desktop titled “NEFILIM-DECRYPT.txt”, “A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted.” the note reads.

As per the sources, for money matters, Nefilim primarily pins its hopes on email communications instead of a Tor payment site after the removal of the Ransomware-as-a-Service (RaaS) component and it stands out as one major difference. According to the analysis carried out by Gillespie, it has been made clear that as of now there exists no way to retrieve files without paying the ransom because the ransomware is reported to be completely secure. As a result of that, victims are being threatened to pay the demanded amount within a week or else the data stolen will be exposed by the attackers.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Alert! The Days of WhatsApp Are Gone? Stronger Competitor In The Market! – Disposable mail news

Joy all around for the social media fanatics who had gotten quite bored of WhatsApp being their only source of incessant chatting provisions. And to those as well who felt unsafe because of the recent spyware that hit the beloved social media chat application.

The word around is that a recently surfaced social media chat application could give strong competition to the Facebook-owned social meIn Tdia service.

The users were already quite disconcerted about the recent cyber threat that hit WhatsApp and were in desperate need of any substitute to satisfy their daily social cravings.

The celebrated application goes by the name of “Signal”. Its unique characteristic is its keen focus on the privacy of the users.

Per sources, Signal has planned out to move towards the big market and go “main-stream”, owing it to the substantial monetary support it received from WhatsApp’s co-founder.

The financial backing is to facilitate “Signal” in getting better features and attracting the attention of people who are sort of done with using WhatsApp and are in want of other options, for whatever reasons.

Reports mention that the launcher of ‘Signal’ had continually been working on getting everyone access to encrypted communications without much fuss.

Now it finally is time for Signal to enter the world it was originally created for in the first place. It is a revolutionized effort at forming a more secure cyber-space for the people.

With key agendas like privacy and cyber-security being the central constituents of Signal, the application is sure to win a lot of hearts.

In recent times WhatsApp has been all over the place because of the alleged cyber threats, like spyware, it has been leaving its users open to. Because of which people’s trust over it has been withering gradually.

Per valid sources, Signal is special because it is encrypted from end-to-end. Its servers do not store any sort of “conversation metadata” on them. This especially was quite a hefty task for the developers to work their way around. They also had to work on enabling “group administration” to let people add and remove members without the servers’ knowledge. But they did it.

Hence, at a time like this, Signal is a very welcome blessing for social media fanatics who have become so used to social applications that they can’t imagine their lives without them.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.