
VECT 2.0 Ransomware Bug Turns Malware Into a Permanent Data Wiper

Cybersecurity researchers have uncovered a major flaw in the VECT 2.0 ransomware that causes the malware to permanently destroy large files instead of properly encrypting them, making recovery impossible even if victims decide to pay a ransom.

The ransomware operation has reportedly been promoted on newer versions of BreachForums, where the group invited users to join its affiliate program. Interested participants were allegedly given access keys through private messages.

VECT operators also announced a collaboration with TeamPCP, the threat actor linked to recent supply-chain attacks targeting Trivy, LiteLLM, Telnyx, and even the European Commission. According to the announcement, the partnership aimed to exploit victims affected by those supply-chain breaches by deploying ransomware payloads and expanding attacks against additional organizations.

Critical Encryption Flaw Discovered

Researchers found that VECT 2.0 contains a serious issue in how it manages encryption nonces during the file-encryption process. The ransomware encrypts large files in several passes to speed up encryption, but the implementation accidentally overwrites the nonce data during each of those encryption cycles.

Because the malware uses the same memory buffer repeatedly for nonce generation, every newly created nonce replaces the previous one. Once the encryption process is completed, only the final nonce remains stored and is written to disk.

This mistake means that only the last 25% of an affected file can potentially be recovered, while the remaining portions become permanently inaccessible due to the missing nonces.

The problem becomes even more severe because the lost nonces are not sent back to the attackers either. As a result, even the ransomware operators themselves would be unable to decrypt victim files after payment.
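To make the bookkeeping failure concrete, here is a toy model of a chunked file encryptor written for this post; it is not VECT code and the page does not name the cipher the malware uses. The SHA-256-based keystream, the 16-byte chunk size, and the four-chunk layout are assumptions chosen so that "only the last chunk is recoverable" lines up with the 25% figure reported above. The only difference between the two encryptors is where each nonce is kept: a growing list that would be written to the file footer, versus a single buffer that is overwritten on every cycle.

```python
"""Toy model of per-chunk nonce bookkeeping in a chunked file encryptor.

Constructed example: the keystream construction, chunk size and 4-chunk layout
are assumptions for illustration, not the malware's actual cipher or format.
"""
import hashlib
import os
from typing import List, Optional, Tuple

NONCE_SIZE = 12
CHUNK_SIZE = 16   # assumed chunk size for the toy model


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from key, nonce and a block counter (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_chunks(data: bytes) -> List[bytes]:
    return [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]


def encrypt_correct(key: bytes, data: bytes) -> Tuple[List[bytes], List[bytes]]:
    """Each chunk gets a fresh nonce, and every nonce is appended to a list
    that would be written to the file footer. Returns (ciphertexts, nonces)."""
    ciphertexts, nonces = [], []
    for chunk in split_chunks(data):
        nonce = os.urandom(NONCE_SIZE)
        ciphertexts.append(xor_bytes(chunk, keystream(key, nonce, len(chunk))))
        nonces.append(nonce)
    return ciphertexts, nonces


def encrypt_buggy(key: bytes, data: bytes) -> Tuple[List[bytes], List[bytes]]:
    """Same encryption, but every nonce is written into ONE reused buffer, so
    the footer only ever holds the nonce generated last (the flaw the post
    describes, modelled here)."""
    ciphertexts = []
    nonce_buf = bytearray(NONCE_SIZE)            # single buffer reused each cycle
    for chunk in split_chunks(data):
        nonce_buf[:] = os.urandom(NONCE_SIZE)    # overwrites the previous nonce
        ciphertexts.append(xor_bytes(chunk, keystream(key, bytes(nonce_buf), len(chunk))))
    return ciphertexts, [bytes(nonce_buf)]       # only the final nonce survives


def recover(key: bytes, ciphertexts: List[bytes], nonces: List[bytes]) -> List[Optional[bytes]]:
    """Decrypt with whatever nonces the footer preserved. The stored nonces are
    aligned to the END of the file: with k nonces only the last k chunks can be
    decrypted; earlier chunks have no nonce and are returned as None."""
    missing = len(ciphertexts) - len(nonces)
    result: List[Optional[bytes]] = [None] * missing
    for ct, nonce in zip(ciphertexts[missing:], nonces):
        result.append(xor_bytes(ct, keystream(key, nonce, len(ct))))
    return result


def recoverable_fraction(recovered: List[Optional[bytes]]) -> float:
    return sum(1 for c in recovered if c is not None) / len(recovered)


if __name__ == "__main__":
    key = os.urandom(32)
    # constructed 64-byte "file": four 16-byte chunks
    data = b"".join(f"chunk{i}".encode().ljust(CHUNK_SIZE, b".") for i in range(4))
    cts, nonces = encrypt_correct(key, data)
    print("correct bookkeeping recovers", recoverable_fraction(recover(key, cts, nonces)))
    cts, nonces = encrypt_buggy(key, data)
    print("buggy bookkeeping recovers  ", recoverable_fraction(recover(key, cts, nonces)))
```

Even with the correct key in hand, the buggy variant leaves the first three chunks undecryptable: the keystream for each chunk depends on a nonce that no longer exists anywhere, which is exactly why neither the victim nor the operator can restore the file.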

Security researchers warned that the flaw effectively transforms the ransomware into a destructive data wiper, particularly in enterprise environments where most valuable assets exceed the malware’s file-size threshold.

“At a threshold of only 128 KB, smaller than a typical email attachment or office document, what the code classifies as a large file encompasses not just VM disks, databases, and backups, but routine documents, spreadsheets, and mailboxes. In practice, almost nothing a victim would care to recover falls below this boundary,” Check Point says.

Researchers also confirmed that the same nonce-management vulnerability exists across all VECT 2.0 variants, including Windows, Linux, and ESXi versions, meaning the irreversible file destruction behavior impacts every platform supported by the ransomware.

Increase in Magniber Ransomware Attacks Affects Home Users Globally

A widespread Magniber ransomware campaign is currently targeting home users globally, encrypting their devices and demanding ransoms amounting to thousands of dollars for decryption.

Launched in 2017 as the successor to the Cerber ransomware operation, Magniber was initially distributed through the Magnitude exploit kit. Since then, the operation has experienced intermittent bursts of activity, utilizing various distribution methods to infect devices. 

These methods include exploiting Windows zero-day vulnerabilities, fake Windows and browser updates, and trojanized software cracks and key generators. Unlike larger ransomware campaigns, Magniber predominantly targets individual users who unknowingly download and execute malicious software on their personal or small business systems.

In 2018, AhnLab developed a decryptor for Magniber ransomware, but it is no longer effective as the threat actors have since fixed the vulnerability that allowed for free file decryption.

Since July 20, BleepingComputer has observed a significant increase in victims seeking assistance on its forums due to Magniber ransomware infections.

The ransomware identification site ID-Ransomware has also reported nearly 720 submissions since July 20, 2024. Although the exact infection method is unclear, some victims have reported that their devices were encrypted after using software cracks or key generators, a known tactic of the Magniber actors.

Upon execution, the ransomware encrypts files on the device, appending a random 5-9 character extension, such as .oaxysw or .oymtk, to the filenames. It also generates a ransom note named READ_ME.htm, which provides information about the encryption and includes a unique URL to the threat actor's Tor ransom site. Given that Magniber primarily targets consumers, ransom demands start at $1,000 and escalate to $5,000 if payment in Bitcoin is not made within three days. Currently, there is no free method to decrypt files encrypted by the latest versions of Magniber.
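A small triage script based on the indicators named above, added here as an example and not part of the original post: it walks a list of file paths and flags directories that contain the READ_ME.htm note or a cluster of files whose original extension is still present under an appended 5-9 letter extension (as in report.docx.oaxysw). The lowercase-letters-only pattern, the baseline list of expected extensions, the threshold of three files, and the sample listing are all assumptions constructed for this example.

```python
"""Directory triage for the Magniber indicators described in the post.

Constructed example: extension pattern, baseline extensions, threshold and the
sample listing are assumptions; only READ_ME.htm and the 5-9 character
extension length come from the post.
"""
import re
from collections import Counter, defaultdict
from pathlib import PurePath
from typing import Dict, List

RANSOM_NOTE = "READ_ME.htm"                 # note name reported in the post
RANDOM_EXT = re.compile(r"^[a-z]{5,9}$")    # assumed: 5-9 lowercase letters, like .oaxysw / .oymtk
KNOWN_EXTS = {"docx", "xlsx", "pptx", "pdf", "jpg", "png", "txt", "mp4", "zip"}  # assumed baseline
MIN_DOUBLE = 3                              # assumed: name.<known>.<random> files needed per directory

# constructed file listing (not real victim data)
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/report.docx.oaxysw",
    "C:/Users/alice/Documents/budget.xlsx.oaxysw",
    "C:/Users/alice/Documents/photo.jpg.oaxysw",
    "C:/Users/alice/Documents/READ_ME.htm",
    "C:/Users/alice/Pictures/holiday.jpg",
    "C:/Users/alice/Pictures/README.txt",
    "C:/Program Files/app/app.exe",
]


def triage(paths: List[str]) -> List[dict]:
    """Return one finding per suspicious directory: note present and/or the
    dominant appended extension with its file count."""
    state: Dict[str, dict] = defaultdict(
        lambda: {"note": False, "exts": Counter(), "double": Counter()}
    )
    for raw in paths:
        p = PurePath(raw)
        d = state[str(p.parent)]
        if p.name == RANSOM_NOTE:
            d["note"] = True
            continue
        ext = p.suffix.lstrip(".").lower()
        if not ext or ext in KNOWN_EXTS or not RANDOM_EXT.match(ext):
            continue
        d["exts"][ext] += 1
        # "report.docx.oaxysw": the original extension survives under the appended one,
        # which separates a real cluster from a lone file with an odd extension
        if PurePath(p.stem).suffix.lstrip(".").lower() in KNOWN_EXTS:
            d["double"][ext] += 1

    findings = []
    for directory, d in state.items():
        ext, count = d["exts"].most_common(1)[0] if d["exts"] else (None, 0)
        if d["note"] or (ext and d["double"][ext] >= MIN_DOUBLE):
            findings.append({"dir": directory, "ext": ext, "count": count, "note": d["note"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING):
        print(f)
```

A random-looking extension alone is a weak signal (plenty of legitimate files have unusual suffixes), so the script only reports a directory when the note is present or when several files keep a known extension beneath the appended one; the assumed threshold should be tuned against a baseline of the environment being checked.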

It is strongly recommended to avoid using software cracks and key generators, as these are illegal and commonly used to spread malware and ransomware. For those affected by Magniber ransomware, you can seek assistance or find answers to your questions in our dedicated Magniber support topic.