extortionware : Java Glossary

*0-9ABCDEFGHIJKLMNOPQRSTUVWXYZ (all)
The CurrCon Java Applet displays prices on this web page converted with today’s exchange rates into your local international currency, e.g. Euros, US dollars, Canadian dollars, British Pounds, Indian Rupees… CurrCon requires an up-to-date browser and Java version 1.8, preferably 1.8.0_131. If you can’t see the prices in your local currency, Troubleshoot. Use Firefox for best results.

extortionware

Aka ransomware or scareware. A trial program that gradually becomes more and more obnoxious demanding that you register it, eventually making your computer unusable. It uses a number of stealth techniques to ensure you cannot uninstall it, or stop or stop it from autostarting after each boot. The vendor hopes you will give up and register the program just so you can get rid of it.

The classic program this of this type is Spy Falcon thankfully now defunct. The program masqueraded as a legitimate anti-spyware program. The program was actually also a virus since it installs itself piggybacked on a free Windows media codec from media-codec.com a partner in the crime.

A virus creator usually goes to great lengths to hide his authorship. The creators of the Falcon Spy Trojan are brazen about it. Their motivation is extortion, not vandalism.

Falcon Spy puts many hooks into the OS (Operating System) so that if you miss one of them, a remaining hook will restore the other hooks, making it difficult to get rid of by ordinary techniques.

Anyone with the time or energy, I request make life awkward for these people including lawsuits and criminal prosecution.

The registered owner of Spyfalcon.com is:
SpyFalcon ltd.
David Taylor Unit 110 Alpha Bldg.
Subic International Hotel Rizal cor.
Sta. Rita Road, Subic Bay Freeport
Olongapo City, 2200, Philippines
Tel. +206.9543154
david.alant@gmail.com

The registered owner of media-codec.com is:
Lemos Adamantios
aktis 119, vouliagmeni
Athens Greece
Tel. +030.2108960081

Kovters uses the worst kind of shock to make people pay, in the form of first displaying child pornography and copying it to the victim’s drive before encrypting their system and holding it hostage. They mainly target those who routinely open enclosures, e.g. people who take job resumes.

Newer versions of ransomware are much more serious because, not only do they threaten to destroy your files, they compress and encrypt them and then literally hold them for ransom. Your only alternative is reformatting the hard disk, reinstalling all your software and restoring your files from backup and installing some heavy anti-virus software that can keep the ransomware out.

KnowBe4 is a company to help you deal with ransomware for a fee. Some corporations have paid tens of thousands of dollars to get their files back. What they do is help you pay off the ransom quickly by getting you the BitCoins. The BitCoin people are enablers and could be considered part of the criminal conspiracy.

A tool to get rid of ransomware has to run at boot time because the ransomware completely freezes your machine. You need to create a bootable CD or bootable USB (Universal Serial Bus) flash drive ahead of time and do a fire drill to make sure it works. Bitdefender, Avast,AVG, Avira, Kaspersky, Norton and Sophos all can work at boot time.

You often get tricked into installing ransomware with offers of free fake updates of packages like Adobe Acrobat. Don’t accept updates except direct from the vendor site.

Malware Bytes has a free version that you run manually. It removes viruses it finds. The $32.00 CAD version is schedules to run automatically every hour. The free trial found 159 threats on my machine.

Personal Encounter

On 2013-01-14 I got hit by a virus, the first time ever. It was what the RCMP (Royal Canadian Mounted Police) call scareware. It suddenly popped up, locked my screen, claiming I had broken some law and must wire them $100 to unlock my computer. If I failed to do so within 24 hours they would erase my hard drives. They would also erase them if it detected any attempts to remove it.

I follow all the usual rules to avoid infection. I figure I must have picked it up via running an unsigned Java applet or some JavaScript code.

How I Got Rid Of the Damn Thing

Any way I got rid of it by booting to safe mode, (by hitting F8 repeatedly during the boot process or hitting F8 to select the BareMetal partition). I did not run the Security Essentials virus scan right away, concerned it may be booby trapped. Instead I ran the Ace Utilities and had a look at code configured to run at startup in the startup manager. I noticed a suspicious runcff.lnk from Microsoft, disabled it, booted normally and all seemed to be ok.

I thought I was running Microsoft Security Essentials on a regular schedule, but I was not. When I ran a full scan after I defanged the Trojan, it found three copies of the Trojan and identified it as Reveton.N Microsoft’s mug shot on it was bang on, including a slightly out of date screen shot. Unfortunately, Microsoft had nothing to say about how the Trojan infects computers. I am impressed, though I think it is time to make it impossible for any virus or Trojan to attack rather than relying on identifying culprits after the fact. One variant is known as W32/Urausy.B, another W32/Tobfy.G

On 2013-05-06 I got hit by it again. I was quite surprised. I thought the Java vulnerability it used had been fixed. Getting rid of it this time was a little harder. I had to delete a C:\Users\user\AppData\Low\build.exe file as well as remove the startup link. Security Essentials refused to run in Safe Mode. The virus upped the ante threatening to frame me for possession of child or animal pornography if I did not pay up. This a very disagreeable way to earn a living. I hope somebody tracks these buggers down and hurts them severely.

On 2013-05-20 it got me yet again. It caused no trouble. Security Essentials caught it before it triggered.

On 2013-05-27 it got me yet again. I was running Security Essentials in non-stop mode. I tried running Security Essentials booting from a different partition. It was unable to get rid of it or even see it. There was no visible autoload to disable.

I tried free Bit Defender. No joy. It refused to even look at the drive where I suspected it was hiding. I eventually got rid of it with a special purpose tool from Bit Defender they refer to as the FBI Ransomware virus removal tool. You have to run it in safe mode, since the virus blocks you from running any software. The virus creators are at large polishing the virus to be ever more difficult to get rid of. One stupid variant of it was very easy to get rid of. It put itself in a temp directory, which made it easy to notice and easy to remove. It has been around for at least 5 months. It is high time they were stopped.

Protect Yourself

In the meantime, I advise turning Security Essentials real-time protection on and doing a nightly full scan to kill it before it locks your machine. Or use one of the other commercial virus scanners in list or Microsoft’s.

Police Reaction

The police were very ho hum, saying there were a rash of such attacks and they wanted to treat them like ordinary virus attacks. I guess they figured nobody would be stupid enough to fall for the extortion. Apparently some variants claim to have found kiddie porn or accuse of the computer owner of various random crimes. Anyone who read this carefully would realise it had to be scam. The English was weak. There were no phone numbers or websites to check for more information. The supposed author was simply the police without even mentioning the country, though this did have some touristy photos of red-coated RCMP officers. The police said all I could to was to take the machine to a repair shop. They had no interest in tracking down the address that was accepting the funds. You can however, report your attack at the CAFC (Canadian Antifraud Centre). They said they are being inundated by reports of this virus and variants. I think its success is that the usual means to avoid infection do not work. It is sort of like an HIV (Human Immuno-deficiency Virus) virus that can burrow through condoms. This virus is being constantly improved. It is hassling thousands of people all over the world. The police ought to get off their butts. The gang responsible is causing far more harm than a gang of bank robbers.

Inadvertent Scareware

Years ago my landlord was computer naïve. He got a message, Illegal computer operation. He had no idea what law he had broken, but he panicked and quickly shut off the computer and waited the police to come to arrest him. Computer people should not use the word illegal when they mean invalid. They do it all the time, e.g. illegal character, illegal escape, illegal forward reference, illegal nonvirtual, illegal reference to static, illegal start of expression, IllegalAccessError, IllegalAccessException, IllegalArgumentException, IllegalBlockSizeException, IllegalComponentStateException, IllegalMonitorStateException, IllegalPathStateException, IllegalStateException, IllegalThreadStateException, MonitorStateException…

WannaCry Ransomware

WannaCry ransomware works by exploiting flaws in the Windows operating system. To infect your computer, it does not require you do so something stupid like open an email enclosure or install a wild program. It encrypts all your files and makes a demand for hundreds of dollars to get them back. I got hit by it years ago. I did not pay the ransom. I reformatted by discs and restored from backup. I lost only about 3 days data and most of that I could recover from my website and from my Subversion repository. I reported it to the police. They were not in the least interested.

On 2017-05-13 there was a massive world wide attack that 200,000 of governments, hospitals, schools, businesses etc. This time the authorities are paying attention, including Vladimir Putin, since even if they pay the ransoms, the crooks can repeat the attack any time they want.

You might think it would trivial to track the money transfer for a paid random and arrest the bad guys. However, they use BitCoin which was cleverly designed so that criminals could extort money and accept ransoms anonymously. It is extremely difficult for law enforcement to track the money.

Ironically, the engine powering the ransomware was written by the NSA (National Security Agency).

If you have W8-32, W8-64, W2012, W10-32 and W10-64, all you have to do to protect yourself is run the standard OS updates. If you have earlier OSes (Operating Systems), you will have to upgrade your OS. It is an ill wind that blows nobody good. Microsoft will get lots of Windows upgrade sales out of this.

Protecting Yourself

The most common ransomware depends on a flaw in the Windows operating systems to hook itself in. Microsoft have fixed the flaw in W10-32 and W10-64 but not in earlier OSes. This is like a car manufacturer refusing to recall defective airbags, but telling you to buy a new car insted.

To protect yourself, you must install W10-32 and W10-64. Then back up all your data files to DVD (Digital Video Disc). If you get hit, don’t pay the ransom. Restore your files from backup. If necessary, reinstall Windows and all your programs.

Use some anti-virus software to remove the ransomware.

Paying the ransom does not get you off the hook. They can ask for another ransom the next day.


This page is posted
on the web at:

http://mindprod.com/jgloss/extortionware.html

Optional Replicator mirror
of mindprod.com
on local hard disk J:

J:\mindprod\jgloss\extortionware.html
Canadian Mind Products
Please the feedback from other visitors, or your own feedback about the site.
Contact Roedy. Please feel free to link to this page without explicit permission.

IP:[65.110.21.43]
Your face IP:[3.144.101.75]
You are visitor number