Are you up all night after getting Locky?

February 20, 2016

Since CryptoLocker (the first widespread crypto-ransomware) came out in September 2013, the number of variants and new families has grown at a staggering rate. CryptoLocker, CTB-Locker, CryptoWall, TorrentLocker, VaultCrypt, TeslaCrypt and many others have been wreaking havoc on computers worldwide by encrypting photos, documents and other personal and business data.

It is not that antivirus solutions suddenly became bad at preventing ransomware specifically. The thing is, compared to other malware, ransomware is just far more visible to the end user: a banking trojan hides, a folder full of encrypted documents does not. Let that sink in for a moment.

At SurfRight we anticipated that crypto-ransomware was poised to grow exponentially, simply because holding personal files for ransom works. People are paying the ransom fees. Businesses, hospitals and even the police are paying the ransom to get their files back. Sure, you should back up your files frequently, but even losing a single day of work has real costs: at a hospital, for example, a day of lost X-ray scans means patients have to come back and be scanned again.

World’s First Anti-Ransomware, since 2013
After CryptoLocker struck, we released the world’s first anti-ransomware solution on November 6th, 2013 as part of HitmanPro.Alert, just one and a half months after CryptoLocker took the stage.

Our anti-ransomware technology is called CryptoGuard and what it does is dead simple: prevent mass encryption of files. It works without signatures or a cloud connection and makes no assumption about who is encrypting what, since mass encryption can be performed by any process or even by a (remote) computer. Legitimate processes like explorer.exe or svchost.exe can be hijacked via code injection, and even .bat files that drive trusted tools (and thereby slip past application whitelisting) are abused by ransomware to perform mass encryption.

CryptoGuard works by monitoring the file system at the kernel level and treating the encryption of file content as suspicious. If content is being encrypted en masse, the offending process is blocked and the files it touched are restored. Nothing is lost. Disaster averted.
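As an added illustration of that idea (this is not SurfRight's code; CryptoGuard is a kernel-mode file-system filter and its real thresholds are not published in this post), the following Python simulates it on an in-memory disk: a write that turns plaintext-like content into ciphertext-like content counts against the writing process, a process that does this to too many distinct files within a short window is blocked, and its writes and renames are rolled back, which also covers the filename tracking described later under "Third generation anti-ransomware". The entropy and file thresholds, the sample documents and the .locky rename pattern are constructed assumptions.

```python
import math
from collections import Counter, defaultdict, deque

# Tunables of this toy. The post does not document CryptoGuard's real thresholds;
# these values are assumptions chosen to keep the simulation below readable.
ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext and compressed data sit near 8.0
FILE_THRESHOLD = 5        # distinct files a process may turn into ciphertext...
WINDOW_SECONDS = 10.0     # ...within this many seconds before it is blocked


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class MassEncryptionGuard:
    """Watches writes and renames on an in-memory 'disk' (dict: path -> bytes).

    A write is suspicious when plaintext-like content is replaced by ciphertext-like
    content. Once one process has done that to FILE_THRESHOLD distinct files inside
    WINDOW_SECONDS it is blocked, its renames are undone and every file it wrote is
    restored from the copy taken before its first write to that file.
    """

    def __init__(self, disk: dict):
        self.disk = disk
        self.recent = defaultdict(deque)     # pid -> (time, path) of suspicious writes
        self.originals = defaultdict(dict)   # pid -> {path: content before first write, or None}
        self.renames = defaultdict(list)     # pid -> [(old_path, new_path)] in order
        self.blocked = set()

    def on_write(self, t: float, pid: int, path: str, new_data: bytes) -> str:
        if pid in self.blocked:
            return "blocked"
        old = self.disk.get(path)
        self.originals[pid].setdefault(path, old)   # keep the pre-image, never overwrite it
        self.disk[path] = new_data
        if shannon_entropy(old or b"") < ENTROPY_THRESHOLD <= shannon_entropy(new_data):
            window = self.recent[pid]
            window.append((t, path))
            while t - window[0][0] > WINDOW_SECONDS:
                window.popleft()
            if len({p for _, p in window}) >= FILE_THRESHOLD:
                self._block(pid)
                return "blocked"
        return "allowed"

    def on_rename(self, t: float, pid: int, old_path: str, new_path: str) -> str:
        if pid in self.blocked:
            return "blocked"
        if old_path in self.disk:
            self.disk[new_path] = self.disk.pop(old_path)
            self.renames[pid].append((old_path, new_path))
            if old_path in self.originals[pid]:   # the pre-image follows the file
                self.originals[pid][new_path] = self.originals[pid].pop(old_path)
        return "allowed"

    def _block(self, pid: int) -> None:
        self.blocked.add(pid)
        for old_path, new_path in reversed(self.renames[pid]):   # undo renames, newest first
            if new_path in self.disk:
                self.disk[old_path] = self.disk.pop(new_path)
            if new_path in self.originals[pid]:
                self.originals[pid][old_path] = self.originals[pid].pop(new_path)
        for path, content in self.originals[pid].items():       # then roll back content
            if content is None:
                self.disk.pop(path, None)
            else:
                self.disk[path] = content


# Constructed sample data: ordinary office text, and a block in which every byte
# value occurs equally often (exactly 8.0 bits/byte, like ciphertext).
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat, headcount unchanged.\n" * 40
CIPHERTEXT_LIKE = bytes(range(256)) * 8


def simulate():
    """Constructed scenario: a benign editor touches two files, then a ransomware
    process encrypts six documents in place and renames each to a .locky name."""
    disk = {f"docs/report{i}.docx": PLAINTEXT for i in range(6)}
    disk["docs/archive.zip"] = CIPHERTEXT_LIKE   # already high-entropy: rewriting it is not counted
    guard = MassEncryptionGuard(disk)
    verdicts = [
        guard.on_write(0.0, 1000, "docs/report0.docx", PLAINTEXT + b"Appendix A\n"),
        guard.on_write(0.5, 1000, "docs/archive.zip", CIPHERTEXT_LIKE[::-1]),
    ]
    for i in range(6):
        t = 1.0 + i
        verdicts.append(guard.on_write(t, 2000, f"docs/report{i}.docx", CIPHERTEXT_LIKE))
        verdicts.append(guard.on_rename(t + 0.1, 2000, f"docs/report{i}.docx", f"docs/{i:016X}.locky"))
    return guard, disk, verdicts


if __name__ == "__main__":
    guard, disk, verdicts = simulate()
    print(verdicts)
    print(sorted(disk))   # no .locky names survive; every report is back to its pre-image
```

The benign process is never blocked: its text edit keeps low entropy, and its rewrite of the zip starts from content that was already high-entropy. The ransomware gets four documents in before the fifth trips the threshold, which is exactly why the rollback matters: a purely behavioral detector always lets the first few operations through.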

Locky Ransomware
Check out the following video, showing how HitmanPro.Alert with CryptoGuard protects your documents and other files against the Locky crypto-ransomware, which hit many computers that were considered protected and secure:

If you got Locky this week, a lot of cyber-security defences failed and the victims were successfully enticed to follow the attacker’s instructions. Not only CryptoGuard but also our Application Lockdown (part of our Exploit Mitigations) would have saved your day, as none of HitmanPro.Alert’s technologies rely on prior knowledge of the threat to offer solid protection:

Image: Locky Ransomware Attack Flow. Typical attack flow for Locky Ransomware (filenames may differ with each variant)

Third generation anti-ransomware
After its first release in November 2013 we improved the CryptoGuard technology by adding support for file shares (network drives), so that shares are protected against a rogue endpoint encrypting them over the network. The 3rd generation of CryptoGuard, released in 2014, also keeps track of files being renamed by the ransomware, so that when ransomware strikes not only the content but also the filenames are protected. Work on the 4th generation is under way.

The best advice is to back up your files frequently, as this also helps against a drive or hardware failure. But even backing up your files daily means that when ransomware strikes, you lose a day’s worth of work. And with hundreds of employees, the cost of lost work adds up quickly.

CryptoGuard is part of HitmanPro.Alert and the entire solution is just 5 MB (megabytes). If you don’t want to stay up all night after the next ransomware strikes, give our Alert a spin. Having a spam filter, a web filter and an antivirus program is apparently not enough to keep your files safe.

Download now: hmpalert31.exe

(HitmanPro.Alert supports Windows XP as well as 32-bit and 64-bit versions of Windows Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10. Requires only 5 MB of free disk space).

Exploits served via malvertising campaign

June 15, 2015

Two months ago we released HitmanPro.Alert version 3 at the RSA Conference in San Francisco.

This major new version comes with protection against crypto-ransomware and exploits.

In these two months various companies have started using HitmanPro.Alert version 3 to protect exploit-prone applications and critical documents against malware and zero-day attacks.

Malvertising campaign
Our telemetry shows that a major malvertising campaign has been active since Thursday, June 11th. This is in line with the findings of our colleagues at Fox-IT.

We’ve seen exploits being served through advertisements on these sites:

HitmanPro.Alert 3 has been very successful in stopping hundreds of attacks from these sites, blocking the exploit before any malware could enter the PC:


Unlike antivirus technologies, the exploit mitigation technologies in HitmanPro.Alert require no updates, signatures or prior knowledge of an exploit or its payload to defend against it. Internet users do not need to seek refuge in ad blockers: HitmanPro.Alert allows safe use of the web without affecting the ad revenue of site owners, publishers and journalists, even when visitors’ machines (knowingly or not) run outdated or vulnerable software.


Below is an excerpt of the technical details of the blocked attacks, which shows that many of the attacks originate from Adobe Flash Player. The StackPivot mitigation fires when a hooked API such as VirtualAlloc is entered with a stack pointer outside the calling thread’s own stack, which is what a ROP chain staged in attacker-controlled memory looks like; here the call arrives from the Flash Player plug-in and the return address points at a short instruction sequence that ends in RET:

Mitigation   StackPivot

Platform     6.1.7601/x86 06_2a
PID          5272
Application  C:\Program Files\Internet Explorer\iexplore.exe
Description  Internet Explorer 10

Callee Type  AllocateVirtualMemory
             0x2506C000 (32768 bytes)

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  753A7A1B KernelBase.dll           VirtualAllocEx +0x33
2  753A7A47 KernelBase.dll           VirtualAlloc +0x18
3  54DF7C6F Flash32_17_0_0_169.ocx   IAEModule_IAEKernel_UnloadModule
            f7d8                     NEG          EAX
            1bc0                     SBB          EAX, EAX
            f7d8                     NEG          EAX
            c3                       RET         

Process Trace
1  C:\Program Files\Internet Explorer\iexplore.exe [5272]
   "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3648 CREDAT:209921 /prefetch:2

2  C:\Program Files\Internet Explorer\iexplore.exe [3648]
3  C:\Windows\explorer.exe [1032]
4  C:\Windows\System32\userinit.exe [1532]
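To make a record like the one above easier to work with, here is an added Python example (not HitmanPro.Alert’s own code) that parses the excerpt into its fields, stack frames and the disassembly at the return site, and implements the two checks a stack-pivot mitigation rests on: the stack pointer at the hooked call must lie inside the thread’s own stack as recorded in its TEB, and a return address that lands on a handful of instructions falling straight into RET looks like a ROP gadget rather than a real call site. The TEB stack bounds used at the bottom are constructed, since the record does not include them, and the Process Trace is left out of the embedded excerpt.

```python
import re
from dataclasses import dataclass, field

# Copied from the HitmanPro.Alert record quoted in the post (Process Trace left out).
REPORT = r"""Mitigation   StackPivot

Platform     6.1.7601/x86 06_2a
PID          5272
Application  C:\Program Files\Internet Explorer\iexplore.exe
Description  Internet Explorer 10

Callee Type  AllocateVirtualMemory
             0x2506C000 (32768 bytes)

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  753A7A1B KernelBase.dll           VirtualAllocEx +0x33
2  753A7A47 KernelBase.dll           VirtualAlloc +0x18
3  54DF7C6F Flash32_17_0_0_169.ocx   IAEModule_IAEKernel_UnloadModule
            f7d8                     NEG          EAX
            1bc0                     SBB          EAX, EAX
            f7d8                     NEG          EAX
            c3                       RET
"""


@dataclass
class Frame:
    index: int
    address: int
    module: str
    location: str
    disasm: list = field(default_factory=list)  # (opcode bytes, mnemonic, operands) at the return site


@dataclass
class Alert:
    fields: dict          # "Mitigation", "PID", "Application", ... as strings
    callee_address: int   # address the hooked allocation call returned/asked for
    callee_size: int
    frames: list          # Frame objects, innermost first


FIELD_RE = re.compile(r"^([A-Z][A-Za-z]*(?: [A-Z][A-Za-z]*)?)\s{2,}(\S.*?)\s*$")
CALLEE_RE = re.compile(r"0x([0-9A-Fa-f]+) \((\d+) bytes\)")
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{8})\s+(\S+)\s+(\S.*?)\s*$")
DISASM_RE = re.compile(r"^\s+([0-9a-f]{2,})\s+([A-Z]+)\s*(.*?)\s*$")


def parse_alert(text: str) -> Alert:
    """Turn the plain-text record into an Alert; disassembly lines attach to the frame above them."""
    fields, frames = {}, []
    callee_address = callee_size = None
    in_stack = False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Stack Trace"):
            in_stack = True
            continue
        if line.startswith("Process Trace"):
            in_stack = False
            continue
        if in_stack:
            if (m := FRAME_RE.match(line)):
                frames.append(Frame(int(m[1]), int(m[2], 16), m[3], m[4]))
            elif frames and (m := DISASM_RE.match(line)):
                frames[-1].disasm.append((m[1], m[2], m[3]))
        elif (m := FIELD_RE.match(line)):
            fields[m[1]] = m[2]
        elif (m := CALLEE_RE.search(line)):
            callee_address, callee_size = int(m[1], 16), int(m[2])
    return Alert(fields, callee_address, callee_size, frames)


SYSTEM_MODULES = {"ntdll.dll", "kernel32.dll", "kernelbase.dll"}


def stack_pointer_outside_thread_stack(sp: int, stack_limit: int, stack_base: int) -> bool:
    """Core of a stack-pivot check: at a hooked API entry the stack pointer must lie in the
    thread's own stack [StackLimit, StackBase) from its TEB; a ROP chain running from
    heap or other attacker-controlled memory fails this."""
    return not (stack_limit <= sp < stack_base)


def returns_into_ret_sequence(frame: Frame, max_instructions: int = 6) -> bool:
    """ROP heuristic: a genuine return address follows a CALL; a few instructions that
    fall straight into RET is the shape of a gadget."""
    mnemonics = [m for _, m, _ in frame.disasm]
    return 0 < len(mnemonics) <= max_instructions and mnemonics[-1] == "RET"


def triage(alert: Alert) -> dict:
    """What an analyst reads off the record: the first non-system caller and whether its return address looks like a gadget."""
    caller = next(f for f in alert.frames if f.module.lower() not in SYSTEM_MODULES)
    return {
        "mitigation": alert.fields["Mitigation"],
        "pid": int(alert.fields["PID"]),
        "allocation": (alert.callee_address, alert.callee_size),
        "caller_module": caller.module,
        "return_address": caller.address,
        "gadget_like_return": returns_into_ret_sequence(caller),
    }


if __name__ == "__main__":
    print(triage(parse_alert(REPORT)))
    # Constructed 32-bit TEB bounds (not from the record): a stack pointer in heap-like
    # memory fails the check, one inside the thread's stack passes.
    print(stack_pointer_outside_thread_stack(0x0A3F0000, 0x00120000, 0x00130000))  # True
    print(stack_pointer_outside_thread_stack(0x0012F800, 0x00120000, 0x00130000))  # False
```

The gadget heuristic is deliberately loose (a legitimate tail of a short function also ends in RET), which is why a mitigation like this keys on the stack-pointer check and uses the return-site shape as corroborating evidence in the report rather than as the trigger.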

Mistress Eve
Our telemetry shows that this specific attack took place between 2015-06-11 17:00 (CET) and 2015-06-15 16:30 (CET). Strikingly, the domain seems to play a significant role in this attack.


Zooming in on this domain, we logged the following hostnames, which indicates that the attackers have direct access to the DNS of this domain and can create additional hosts at will:


The hostname is also mentioned on the Malware Traffic Analysis website, which recorded an attack (.pcap and .zip with the malware provided). The attack was carried out by the Angler Exploit Kit (as also confirmed by Fox-IT) and delivered the Bedep trojan through a vulnerability in Adobe Flash Player.

Angler Exploit Kit
The Angler Exploit Kit itself abuses CVE-2013-7331, an information-disclosure flaw in Internet Explorer 6 through 11 that lets a web page test whether particular local files or paths exist, to determine whether the attack is taking place inside a research environment or in the presence of specific security software. If, for example, VMware or VirtualBox is detected, the exploit is not triggered, in an attempt to stay under the radar of defenders:


An overview of the domains associated with this particular exploit kit deployment:

Bedep malware
This Bedep trojan horse is delivered in memory, meaning that it infects the computer without writing any files to disk for most antivirus software to find, scan or block. Researcher Kafeine wrote about the fileless Bedep infection on his website Malware Don’t Need Coffee in August last year.

Also, this trojan typically pulls in additional malware to perform, for example, click fraud, which hurts advertising businesses. So advertisers are not only put in a bad light because the ad platform is abused to infect thousands of internet users; they also lose money on the fraudulent ad clicks (the advertisers unknowingly pay the attackers).

But, as pointed out by Kafeine, the Angler Exploit Kit can serve each individual victim different malware.

Protect yourselves
You can read more about our HitmanPro.Alert software on this page:

Leaflet: HitmanPro-Alert-Brochure-2015.pdf

To protect your computers against crypto-ransomware or exploits, download HitmanPro.Alert version 3 from here: (4 MB).

Dorifel, Pobelka and a Chinese connection

February 1, 2013

It has been a while since our last blog post. Sorry for that, but we were busy with a lot of projects. Two noteworthy ones were the release of our unique solution against ransomware (e.g. the FBI Reveton and BKA/GVU trojans) and, of course, the disclosure of the Pobelka Citadel botnet that haunted 150,000 Dutch (mostly government and business) computers for 8 months last year. The latter hasn’t been discussed much internationally because we released our extensive research in Dutch only (available here). Regarding this research, we now reveal some additional but striking insights, as the entire world is talking about Chinese hackers attacking the media networks of the New York Times, Wall Street Journal and Bloomberg.

Perhaps you still remember September last year, when cybercriminals were able to attack Dutch computers through a compromised marketing server used by ‘De Telegraaf’, a widely read newspaper and the #11 website in The Netherlands. This was the umpteenth Dutch incident, after several earlier ones and of course the Dorifel outbreak, which brought the operations of many Dutch municipalities, government bodies and large multinational companies to a standstill for days.

Illustration 1 (Pobelka botcount): Bots connecting with the Pobelka command and control server

Of course we were curious why the Dutch were hit again, and at that time we decided to find out what was behind these incidents and whether there was a common denominator.

We began investigating the malware dropper used in the Telegraaf incident and discovered (thanks to our HitmanPro cloud data) that it was spreading 4 different malware families during this particular incident: FakeAV, ZeroAccess, Medfos (we omitted Medfos in our earlier blog on the incident) and of course the Pobelka Citadel malware.

In this investigation we noticed an interesting fact: the Citadel server used in the Telegraaf incident was registered with the EXACT same registrant details as a domain used by the gang responsible for spreading the Dorifel trojan. So they are somehow related, or perhaps even the same criminals:

Illustration 2: domain used by the Citadel server; domain used by Dorifel.3

Illustration 3: domain used by Dorifel-3 to distribute ransomware, that hit mostly non-Dutch systems

Even though we believe that Eastern European criminals are behind the attack operations, you have obviously noticed the Chinese registration of the domains as well…

Responsible Disclosure
Remembering their investigative work on the Citadel server responsible for spreading Dorifel, we asked the Dutch forensic firm Digital Investigation to work with us and investigate our early research data. It didn’t take them long to get past the various proxies that were hiding the server from plain view. In cooperation with law enforcement they seized this Citadel command and control server and discovered over 750 gigabytes of sensitive information, including login credentials (passwords), client certificates (remember DigiNotar) and even detailed overviews of internal networks that were not directly connected to the internet.

Illustration 4 (Citadel looking for other systems): Citadel searching for information about other systems

So all this data was gathered and stolen by the Pobelka Citadel malware from inside Dutch government networks, hospitals, the aviation industry and even networks controlling critical infrastructure, including industrial control systems (ICS). We practised responsible disclosure, e.g. by giving the government time to handle the situation internally and by not revealing the names of the many, many affected institutions, companies and public authorities. But because government officials did not deem the findings interesting enough to call for a nationwide check (many roaming business and home computers were affected as well), our extensive research didn’t even reach the national news, let alone the international press.

Advanced Persistent Threat
It’s also worth noting that the Citadel malware (which is based on the source code of the notorious Zeus banking trojan) is not considered an advanced persistent threat (APT), even though it, too, manages to stay under the radar for months (like the malware used in the New York Times breach). Last year we devoted a blog post to the prevalence of banking trojans (like Citadel), which revealed that this type of malware stays undetected for 25 days on average on computers actively protected by up-to-date antivirus software: Antivirus shortens the lifetime of financial malware

In our Dutch research paper on the Pobelka botnet we also explain how the Citadel malware easily bypasses these renowned antivirus programs and why it remains undetected for such a long time. And the Pobelka botnet, which was specifically set up to target Dutch and German computers, was not the only botnet operating in The Netherlands last year. We estimate that hundreds of similar (and larger) botnets are still operational right now, and not only in The Netherlands. If you think the country of the Dutch is small, insignificant and seemingly unexciting, consider the operations going on in bigger countries like France, Germany or the United States.

Check Now
If you are Dutch or German and you want to know if your company, network or sensitive data was compromised by the Pobelka botnet, simply go to this website by Digital Investigation to find out:

There you can also download HitmanPro, our free second opinion anti-malware, which uses behavioral analysis instead of virus signatures to hunt down zero-day threats, including all variants of malware based on Zeus, like Citadel.

Read our blog post on the Dorifel outbreak and our role in rescuing hundreds of millions of documents on government networks and at multinationals.

Update: Kaspersky posted an article about McAfee’s research on the Citadel trojan in Europe, spying on government and business computers: Citadel Trojan: It’s Not Just Banking Fraud Anymore

The Dorifel outbreak was only a symptom. But what is the real problem?

August 10, 2012

Earlier this week, government, public-sector and private-company networks were hit hard by a new wave of crypto malware named Trojan-Dropper.Win32.Dorifel. Computers were shut down and the old-fashioned typewriters that had been gathering dust in the basement reappeared in the workplace. For a moment I even thought this was funny.

The Dorifel Trojan scans network shares, local drives and USB-connected drives for executables and Microsoft Office (Word and Excel) documents. Documents and programs are replaced with a new executable file that has the .scr file extension. Currently, most affected users will not notice anything, since the ‘documents’ open as usual. It looks like the malware is currently only interested in propagating itself to as many machines as possible. But it is not unlikely that the attackers will later start blocking the ‘documents’ and demanding a ransom fee for unblocking them.
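An added Python example (not HitmanPro’s code) of the check an administrator would run over a share after reading the description above: walk a directory tree and flag files that carry a document extension but start with a PE header, and .scr executables sitting where documents and programs live, including ones that kept the original document or program name with .scr appended. The sample tree is constructed, and the ‘executables’ in it are a bare MZ stub, not malware.

```python
import os
import tempfile
from pathlib import Path

# Extensions the post says Dorifel goes after on shares, local drives and USB media.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx"}


def starts_with_pe_header(path) -> bool:
    """True if the file begins with the 'MZ' DOS header every Windows executable carries."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def classify(path):
    """Return a reason string if `path` looks like a document or program that was
    swapped for a .scr executable, otherwise None."""
    p = Path(path)
    ext = p.suffix.lower()
    if ext == ".scr" and starts_with_pe_header(p):
        inner = Path(p.stem).suffix.lower()   # 'quarterly.docx.scr' -> '.docx'
        if inner in DOCUMENT_EXTENSIONS or inner == ".exe":
            return "executable wearing a document/program name with .scr appended"
        return "screen-saver executable in a document location"   # .scr belongs in System32, not on a share
    if ext in DOCUMENT_EXTENSIONS and starts_with_pe_header(p):
        return "document extension but PE (MZ) header"
    return None


def scan_tree(root) -> dict:
    """Map each suspicious file (path relative to root, '/'-separated) to its reason."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                reason = classify(full)
            except OSError:   # unreadable file: skip rather than abort the whole scan
                continue
            if reason:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reason
    return findings


def build_sample_tree(root) -> None:
    """Constructed sample share: untouched documents and a program, plus three files
    as the post describes Dorifel leaving them (content is an MZ stub, not real malware)."""
    pe_stub = b"MZ" + b"\x90" * 62
    files = {
        "share/quarterly.docx": b"PK\x03\x04" + b"\x00" * 60,   # OOXML is a zip container
        "share/ledger.xls": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 56,   # OLE2 compound file
        "share/tools/calc.exe": pe_stub,          # a legitimate program, left alone
        "share/quarterly.docx.scr": pe_stub,      # document replaced, name kept, .scr appended
        "share/budget.xls": pe_stub,              # PE content behind a document name
        "share/tools/calc.scr": pe_stub,          # program replaced
    }
    for rel, content in files.items():
        dest = Path(root, *rel.split("/"))
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(content)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{path}: {reason}")
```

Point `scan_tree` at a real share root to use it in anger; the MZ check is what makes it useful, since Dorifel’s replacements open the embedded document normally and so look fine to the user.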

This is bad news for the organizations that were hit. But what’s even worse is that the Trojan entered the networks through a variant of the Zeus/Zbot banking Trojan called Citadel. This means that this Trojan was already present on one or more computers inside the network for days, maybe weeks. In other words: the malware could already have been snooping on all electronic communication inside the organization, including stealing passwords for critical infrastructure, copying confidential documents, social security numbers, passport details, etc., without anyone (or anything) noticing (!)

Not being able to use your computer for a while, while system administrators shut it down, clean it and bring it back into the network, is very inconvenient. But it is even more worrisome that computers and networks had been infected for a much longer period without anyone noticing.

HitmanPro against police themed Ransomware

April 12, 2012

Recently we’ve seen a rise in the number of computers infected with police themed Ransomware. The malware shows a message, supposedly from the local police, demanding that a fine must be paid in order to unlock the computer.

Various sources promote the use of a rescue CD to get rid of the malware. But if you don’t want to go through the cumbersome task of burning the CD image and changing your BIOS settings to boot from it, you can also run HitmanPro from a USB stick to remove the ransomware.

We’ve made the following short video to illustrate how easy it is to remove the police themed Ransomware with HitmanPro.

The video shows the use of HitmanPro’s unique Force Breach feature (introduced in March 2010) that kills all non-essential processes, including the malware processes that try to prevent HitmanPro from starting.