News & Updates


While there’s plenty to like about the PlayStation 4 Pro for l33t gamers lucky enough to own a 4K HDR TV, the console offers less of a visual upgrade for those stuck with mere 1080p TVs.

Now, a new report looking at PS4 Pro performance has revealed that in some cases games perform worse on the PS4 Pro than a standard PS4 when plugged into a 1080p television.

The report, which comes from graphics analysis guru Digital Foundry, found that because the PS4 Pro opts to run games at a higher resolution or implement additional graphical effects—some games even run at higher than 1080p resolution and scale down, a process known as super-sampling—they run slower than on a standard PS4. This is contrary to Sony’s technical requirements, which require games to match or exceed base PS4 frame rates.


Source: http://feeds.arstechnica.com/arstechnica/index/

This is a full, detailed guide to unlocking the “SHREDDER” weapon in ZOMBIES IN SPACELAND for Call Of Duty Infinite Warfare Zombies. If you need the elemental orbs for the Ripper and Discord, that means there will be 2 more weapons, because now you have 2 more elements. Call Of Duty Infinite Warfare Zombies Shredder Wonder […]

The post Call Of Duty Infinite Warfare Zombies Easter Egg Guide – How To Get The Shredder Wonder Weapon appeared first on MobiPicker.

Source: http://www.mobipicker.com/feed/


Facebook-owned WhatsApp has announced that video calls will—at last—be rolling out imminently, a move that came on the same day Microsoft revealed that Skype can now be used online without registration.

WhatsApp video chats will be available across iOS, Android, and Windows Phone.

Microsoft, meanwhile, said on Monday that Skype fans can now access a video-conferencing guest account without registering for a log-in via its Web app.


Source: http://feeds.arstechnica.com/arstechnica/index/


The UK’s home secretary Amber Rudd has signed an extradition order agreeing that hacking suspect Lauri Love should face trial in the US.

Love’s family plan to appeal against the decision. The 31-year-old—who has Asperger’s syndrome—faces up to 99 years in prison and fears for his own life, his lawyers have said.

A home office spokesperson told Ars: “On Monday 14 November, the secretary of state, having carefully considered all relevant matters, signed an order for Lauri Love’s extradition to the United States. Mr Love has been charged with various computer hacking offences which included targeting US military and federal government agencies.”


Source: http://feeds.arstechnica.com/arstechnica/index/

In this guide, we explain how to recover encrypted files, focusing on the Data-Locker ransomware that targets the Windows operating system.

Why is my system asking me to pay?

A ransomware is a piece of computer malware that limits access to a system and asks for a ransom in order to remove that restriction.
The restriction applied to the system can change over time and can be implemented in various ways.
Based on the restriction applied to the system, we can recognize two kinds of ransomware by their behavior:

  • PC-Locker Ransomware:
    They block the system, showing a ransom page on the desktop where they intimidate the victim with a message and ask him to pay a ransom in order to unlock the machine.
  • Data-Locker Ransomware:
    They encrypt a large amount of user data while avoiding the system files (so that the machine keeps working) and then ask for a ransom to unlock those files.

The main goal of ransomware is to extort money from its victims using some technique (locking the system, encrypting files) that can target different devices (desktop, laptop, tablet, smart watch, smart TV, smartphone) and different operating systems (Windows, Linux, OS X).

When are you infected by a ransomware?
Any time your system asks you to pay. As we said, the main goal of ransomware is to get money from its victims, so the first action the ransomware takes after infection is to show a window containing the instructions (the ransom note) to make a payment through a cryptocurrency, such as Bitcoin.
There will never be a ransomware that infects your system and remains stealthy.

In this guide we focus on the Data-Locker ransomware that targets the Windows operating system.

There are a lot of types of ransomware and every type, known as a family, acts in a different way, so there isn’t a general methodology to recover your data that always works.

Once you get infected by a ransomware, you have to follow these steps if you want to restore your files and your system:

  1. Unlock the screen and bypass the screen lock of the ransomware;
  2. Restore/Decrypt the files;
  3. Disinfection and removal of the ransomware persistence files.

Note that this guide aims only to recover your encrypted files, not to remove the ransomware and disinfect your machine.
We strongly recommend, once you have recovered your files, saving them on an external drive and removing the ransomware from the system (or formatting the drive), because sometimes the ransomware triggers its activity again and encrypts all of the files you recovered.
Some modern ransomware combines the techniques of data-locker and pc-locker ransomware, so you need to unlock the screen and bypass the ransomware’s screen lock before you start to recover your encrypted files.
In that case, we recommend booting the operating system in safe mode with networking before you start to follow our methods to recover your files.
This also avoids having to fight against mechanisms where the ransomware deletes the files after an amount of time.

The methods we explain below aren’t a way to fight this threat; the best ways to fight ransomware are frequent backups and prevention.
That means that if you get infected by a ransomware it’s already “late” and, even though a lot of researchers are fighting this threat by developing ad-hoc decryption tools, some ransomware families are really hard to deal with.


METHOD 1: Identification and Decryption Tool

If you get infected by a ransomware and you want to ask other users for help (i.e. forums, IRC, email…) or you want to check whether some security firm has developed a decryption tool for that specific ransomware, you first have to recognize the family name of the ransomware.

Thanks to MalwareHunterTeam, who set up a free web service that lets you upload an infected file (or ransom note): it will detect the ransomware family name and, in some cases, guide you to decrypt the files of that family.

ID Ransomware

The following is a step-by-step real case of using this method to decrypt files from the Teslacrypt 4.0 ransomware.

ransomware-recovery-guide-1

As we can see from the above image, the id-ransomware home page allows you to upload a ransom note or a sample encrypted file for family recognition.
In the case of Teslacrypt 4.0 we will use a ransom note, because that family doesn’t add an extension to encrypted files, so it would be more difficult to detect the family if we tried to identify it from an encrypted file.
We strongly recommend not uploading huge files, because recognition doesn’t improve with the size of a file; it would just be a waste of resources.

ransomware-recovery-guide-2

Once the upload is completed, you get the result with the family name spotted by id-ransomware, which matched the pattern of the uploaded ransom note.
In this case, Teslacrypt 4.0 is recoverable and they provide a link that explains how to decrypt the files and which tools to use.

ransomware-recovery-guide-3

We download the tool developed by BloodDolly to decrypt our files, and we first need to set the key used by the ransomware to encrypt our files.

ransomware-recovery-guide-4

We need to do this because this is a multi-purpose decryption tool for all the Teslacrypt versions (1 to 4).
Selecting the extension appended to the encrypted files by the ransomware will allow the tool to set the master key automatically.
In our case (Teslacrypt v4) we select the last one, <as original>, because that ransomware left the extension of our encrypted files unchanged.

ransomware-recovery-guide-5

Once we have set up the key we can start to recover our files.
In our case, the tool decrypted 100% of our files, as we can see in the following picture.

ransomware-recovery-guide-6

We also recommend giving Google a chance by searching for “<ransomware_family_name> decryption tool” and looking around for a decryption tool that has been developed but not spotted by id-ransomware (rarely).

METHOD 2: Recover from shadow copies

The shadow copies service is a set of COM interfaces that implements a framework allowing volume backups to be performed while applications on a system continue to write to the volumes.
For example, when we take a restore point we are also saving a volume backup (containing the shadow copies), and we can restore files from that backup.
This is a built-in feature of all Windows operating systems starting from Windows XP, so most probably you have shadow copies and don’t know about it.

We will use a free tool that allows us to inspect our shadow copies; this tool is called Shadow Explorer and you can download it here.
Note that if you have Windows XP you have to download the old version of this tool.
If you renamed the vssadmin.exe utility for security reasons, you must rename it back and let it work normally if you want the tool to run correctly.

The following is a step-by-step real case of using this method to restore files from the Jigsaw ransomware.

ransomware-recovery-guide-7

The main window of Shadow Explorer allows us to choose the drive whose shadow copies we want to explore and the date of the shadow copy we want to consult, because there may be more than one snapshot of the volume backup (i.e. 2 or more restore points).

ransomware-recovery-guide-8

Once you identify the data you want to recover, you can right-click on the folder and export the files.

ransomware-recovery-guide-9

In our case, we recovered 100% of our files, as we can see in the above picture, because the Jigsaw ransomware doesn’t delete the shadow copies.
This method is usually not effective on the host directly infected by the ransomware, because most ransomware delete the shadow copies through the vssadmin tool.
It’s really effective when the ransomware spreads over the network, encrypting the files on all hosts linked to the local network, since it can’t access operating system functionality like the vssadmin utility on those hosts.
So we still have the shadow copies alive on all the machines hit indirectly by the ransomware.

We strongly recommend disabling the vssadmin.exe utility to prevent the ransomware from deleting the Windows shadow copies which, in most cases, let the victim restore the encrypted files on the operating system drive.
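
As an added example (not from the original guide and not part of the Shadow Explorer tool), the Python script below does what Shadow Explorer does through its GUI: it parses `vssadmin list shadows` output, picks the newest snapshot taken before the ransom note appeared, and maps a file path into that snapshot's `\\?\GLOBALROOT` device so the file can be copied out. The embedded vssadmin output, GUIDs and hostnames are constructed, and the date parsing assumes an English (US) locale.

```python
import re
import shutil
import subprocess
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample of `vssadmin list shadows` output (two snapshots of C:),
# embedded so the parser can be exercised offline; GUIDs are made up, but the
# field layout is the one the real tool prints.
SAMPLE_VSSADMIN_OUTPUT = r"""
Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 11/10/2016 9:12:31 AM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential

Contents of shadow copy set ID: {12121212-3434-5656-7878-909090909090}
   Contained 1 shadow copies at creation time: 11/13/2016 6:40:05 PM
      Shadow Copy ID: {abababab-cdcd-efef-0101-232323232323}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential
"""

DATE_FMT = "%m/%d/%Y %I:%M:%S %p"  # assumption: English (US) locale output


def parse_shadow_copies(text):
    """Return one dict per snapshot: volume letter, GLOBALROOT device path, creation datetime."""
    copies, created, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Contained") and "creation time:" in line:
            created = datetime.strptime(line.split("creation time:", 1)[1].strip(), DATE_FMT)
        elif line.startswith("Shadow Copy ID:"):
            current = {"created": created}
        elif line.startswith("Original Volume:") and current is not None:
            match = re.search(r"\((\w:)\)", line)  # the "(C:)" prefix
            current["volume"] = match.group(1) if match else None
        elif line.startswith("Shadow Copy Volume:") and current is not None:
            current["device"] = line.split(":", 1)[1].strip()
            copies.append(current)
    return copies


def newest_before(copies, cutoff):
    """Most recent snapshot created strictly before `cutoff` (e.g. the moment the
    ransom note appeared), so the restored data predates the encryption; None if none."""
    older = [c for c in copies if c["created"] < cutoff]
    return max(older, key=lambda c: c["created"], default=None)


def shadow_path(device, local_path):
    """Map a local path (C:/Users/x/doc.pdf) onto the same file inside the snapshot device."""
    p = PureWindowsPath(local_path)
    return device.rstrip("\\") + "\\" + str(p.relative_to(p.anchor))


def list_live_shadow_copies():
    """Query the running Windows host; needs an elevated prompt and an intact vssadmin.exe."""
    out = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True, check=True)
    return parse_shadow_copies(out.stdout)


def restore_file(device, local_path, destination):
    """Copy one file out of the snapshot: Windows opens GLOBALROOT device paths for reading."""
    shutil.copyfile(shadow_path(device, local_path), destination)
```

Run `list_live_shadow_copies()` on the affected host and pass the chosen snapshot's `device` to `restore_file` for each path you want back; if it fails because vssadmin.exe was renamed, restore the name first, as the guide notes.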

METHOD 3: Data recovery tool

Data recovery is, simply, the salvaging and repair of data that has been lost.
Of course, data recovery won’t always be possible; sometimes a system can be too corrupted or damaged to get much of the data back.

In this guide we won’t cover the techniques used by data recovery tools to restore data; what we have to know is that the success of file recovery depends on a lot of variables (like operating system partitioning, priority on file overwriting, drive space handling…). If you want more information you can check this.

There are a lot of data recovery tools available on the web; you can check a list here.
In this guide, we will use a free data recovery tool called Recuva.

The following is a step-by-step real case of using this method to restore files from the Locky.Odin ransomware.

ransomware-recovery-guide-10

We strongly recommend installing Recuva on an external USB drive instead of on your OS drive, to increase the probability of recovering your files.

Once installed, a scan wizard will be shown; we recommend closing it in order to set the following options for the scanning phase:

ransomware-recovery-guide-11

We recommend setting those options because they are not enabled by default.
Activating “Restore folder structure” will allow us to keep the directory tree structure and infer the names of all our encrypted files.

Then we can run our scan on the desired drive and wait for it:

ransomware-recovery-guide-12

When Recuva finishes scanning for deleted files, it will show a window listing all the possibly recoverable files.
Of course, not all the files can be recovered.
In the “State” tab we can see whether we can recover a file.
The “partly recoverable” files are those that cannot be recovered whole; for example, a txt file would contain half of its text recovered and the other half corrupted.

In the “Comment” tab we can match the renamed encrypted files with their original file names.
In this way, even if we can’t recover the file, we can recover the filename.
We can check all the files we want to recover and decide where to export them.

In the right corner we have the “switch to advanced mode” button, which lets us apply filters based on the path of the files to our recoverable files.
So we will apply the following filters:
C:\Personal_Data, C:\Users\Administrator\Personal_Data, C:\Users\Administrator\Desktop\Personal_Data
and we will check all the files we want to export.

We strongly recommend exporting all the data to an external drive in order to have a higher probability of recovering more data.

ransomware-recovery-guide-13

Out of a total of 3002 files we have 915 files fully recovered, that is 30%, and we considered just the fully recovered files.

This method is also useful for recovering the names and paths of the encrypted files, because some ransomware rename our files with random digit names and we can’t even recognize which file we lost.


OUR TEST

So how effective are our methods?
We decided to gather a set of ransomware samples (the most recent families) and run them in our virtual machine in order to test the percentage of files recovered by each of our methods.

To evaluate the recovery rate of each method for each ransomware we use a folder (Personal_Data) containing 1000 elements (pdf, jpg, ppt, txt, doc and xls files), placed in 3 different locations on the system:

  • C:\Personal_Data
  • C:\Users\Administrator\Personal_Data
  • C:\Users\Administrator\Desktop\Personal_Data

Then we try to recover our files using our methods. We calculate the percentage of successfully recovered files for each folder, and we repeat this trial by running the ransomware 3 different times in different system states; in the end we report an average of the percentage of recovered files.
For our test we use the following ransomware samples:

  • Cerber v.1 md5: 9a7f87c91bf7e602055a5503e80e2313
  • Jigsaw md5: 2773e3dc59472296cb0024ba7715a64e
  • TeslaCrypt v.4 md5: 0265f31968e56500218d87b3a97fa5d5
  • CryptXXX v.2 md5: 19127d5f095707b6f3b6b027d7704743
  • Bart md5: d9fe38122bb08d96ef0de61076aa4945
  • CryptXXX v.4 md5: 631c36f93b0fc53b8c7be269b02676d0
  • Bart v.2 md5: 4741852c23364619257c705aca9b1be3
  • Satana Ransomware md5: 46bfd4f1d581d7c0121d2b19a005d3df
  • Odin md5: 01f7db952b1b17d0a090b09018896105
  • Crypt888 md5: 86c85bd08dfac63df65eaeae82ed14f7

ransomware-recovery-guide-14
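
Added example, not part of the original article: a Python script that measures the recovery rate the way the test above describes. It hashes the Personal_Data folder before a sample runs, then classifies each file a method gave back as fully recovered, partially recovered (present but with different content, like Recuva’s “partly recoverable” state) or missing, and averages the fully-recovered percentage over repeated runs. The `demo()` function builds a constructed four-file data set in a temporary directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Content hash of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Snapshot taken BEFORE the sample runs: relative path -> sha256 of every file."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def classify_recovery(manifest, recovered_root):
    """Compare what a method gave back against the manifest.
    full    = identical content
    partial = file present but content differs (half-corrupted or still encrypted)
    missing = not recovered at all"""
    recovered_root = Path(recovered_root)
    counts = {"full": 0, "partial": 0, "missing": 0}
    for rel, expected in manifest.items():
        candidate = recovered_root / rel
        if not candidate.is_file():
            counts["missing"] += 1
        elif sha256_of(candidate) == expected:
            counts["full"] += 1
        else:
            counts["partial"] += 1
    return counts


def full_recovery_rate(counts):
    """Percentage of files fully recovered; only the 'full' state counts as success."""
    total = sum(counts.values())
    return 100.0 * counts["full"] / total if total else 0.0


def average_rate(runs):
    """Average the rate over repeated runs (the test reruns each sample 3 times)."""
    return sum(full_recovery_rate(c) for c in runs) / len(runs) if runs else 0.0


def demo():
    """Constructed four-file data set: after 'recovery' one file is missing and one
    has replaced content, so the expected result is 2 full, 1 partial, 1 missing."""
    with tempfile.TemporaryDirectory() as tmp:
        original, recovered = Path(tmp) / "Personal_Data", Path(tmp) / "recovered"
        files = {"a.txt": b"alpha", "sub/b.txt": b"bravo", "c.txt": b"charlie", "d.txt": b"delta"}
        for rel, data in files.items():
            for base in (original, recovered):
                target = base / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        manifest = build_manifest(original)
        (recovered / "sub" / "b.txt").unlink()          # never recovered
        (recovered / "c.txt").write_bytes(b"GARBAGE")   # partly recovered / still encrypted
        return classify_recovery(manifest, recovered)
```

For a real measurement, call `build_manifest` on each of the three Personal_Data folders before running a sample, and `classify_recovery` on the folder each method exported.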


Antonio Cocomazzi

Written by the IT Security Expert Antonio Cocomazzi

Antonio Cocomazzi is an IT Security Expert specialized in the field of malware analysis. Young and recently graduated, he conducted a 6-month research project focused on ransomware, giving a full characterization of the recent families and defining a new methodology for dissecting this kind of malware.


Pierluigi Paganini

(Security Affairs – malware)

The post Ransomware: How to recover your encrypted files, the last guide. appeared first on Security Affairs.

Source: Security affairs

WhatsApp has introduced a new security feature that fixes a loophole in the popular messaging platform which, if exploited, could allow an attacker to hijack a victim’s account knowing only the victim’s phone number and with some hacking skills.

The attack does not exploit any vulnerability in WhatsApp; instead, it relies on the way the account setup mechanism works.

WhatsApp allows users to sign


Source: http://feeds.feedburner.com/TheHackersNews

The decryption keys for the CrySis ransomware were posted online on the BleepingComputer.com forum by a user known as crss7777.

Good news for the victims of the CrySis ransomware, on Sunday the master decryption keys were released to the public. Security experts from Kaspersky Lab have already included the decryption keys in the Rakhni decryptor allowing victims of CrySis versions 2 and 3 to recover their files.

The decryption keys for the CrySis ransomware were posted online on the BleepingComputer.com forum by a user known as crss7777 who shared a link to a C header file containing the actual master decryption keys and information on how to utilize them.

“In a surprise move, the master decryption keys for the CrySiS Ransomware have been released early this morning in a post on the BleepingComputer.com forums. At approximately 1 AM EST, a member named crss7777 created a post in the CrySiS support topic at BleepingComputer with a Pastebin link to a C header file containing the actual master decryption keys and information on how to utilize them,” wrote Lawrence Abrams from BleepingComputer.

“These keys have already been used by Kaspersky Labs to update their RakhniDecryptor program so that it can be used to decrypt victim’s files.”

CrySis ransomware (image taken from BleepingComputer.com)

Lawrence Abrams speculates the user crss7777 could be a member of the development team.

“Though the identity of crss7777 is not currently known, the intimate knowledge they have regarding the structure of the master decryption keys and the fact that they released the keys as a C header file indicates that they may be one of the developers of the CrySiS ransomware,” said Abrams.

“Why the keys were released is also unknown, but it may be due to the increasing pressure by law enforcement on ransomware infections and the developers behind them.”

The CrySis ransomware was first spotted in February by experts at ESET; the malware has infected systems mostly in Russia, Japan, South and North Korea, and Brazil.

The threat is spread via email attachments with double file extensions or via malicious links embedded in spam emails.

The CrySis ransomware appends the .xtbl extension to the encrypted files; the files are renamed following the format [filename].id-[id].[email_address].xtbl.

Bleepingcomputer.com published detailed instructions to decrypt the files.


Pierluigi Paganini

(Security Affairs – CrySis ransomware, cybercrime)

The post CrySis ransomware decryption keys published online appeared first on Security Affairs.

Source: Security affairs

VMware has patched a critical out-of-bounds memory access vulnerability, tracked as CVE-2016-7461, affecting its Workstation and Fusion products.

The flaw, which resides in the drag-and-drop function, can be exploited by attackers to execute arbitrary code on the host operating system running Fusion or Workstation.

The security vulnerability affects Workstation Player and Pro 12.x and Fusion (Pro) 8.x, while ESXi is not affected.

The flaw was reported at the 2016 PwnFest hacking contest held in South Korea at the 2016 Power Of Community (POC) security conference. The hackers earned $140,000 for the Windows Edge hacks, while the Qihoo hacker team and Lee earned $150,000 for the hack of VMware Workstation 12.5.1.

CVE-2016-7461 vmware-workstation-33

VMware patched the vulnerability with the release of versions 12.5.2 and 8.5.2.

“Problem Description

a. VMware Workstation and Fusion out-of-bounds memory access vulnerability

The drag-and-drop (DnD) function in VMware Workstation and Fusion has an out-of-bounds memory access vulnerability. This may allow a guest to execute code on the operating system that runs Workstation or Fusion.” states the advisory published by VMware.

VMware explained that the flaw cannot be exploited against Workstation Pro or Fusion when both the drag-and-drop and copy-and-paste functions are disabled, while it remains exploitable on Workstation Player.

Recently VMware released several security updates to fix the local privilege escalation flaw in the Linux kernel, also known as Dirty COW, tracked as CVE-2016-5195.

“The Linux kernel which ships with the base operating system of VMware Appliances contains a race condition in the way its memory subsystem handles copy-on-write (aka “Dirty COW”). Successful exploitation of the vulnerability may allow for local privilege escalation. The product lines listed in this advisory have been confirmed to be affected.” reads the advisory from VMware.com.

Security patches for Identity Manager, vRealize Automation and version 5.x of vRealize Operations are still pending.


Pierluigi Paganini

(Security Affairs – CVE-2016-7461, VMware)

The post CVE-2016-7461 code execution flaw affects VMware Workstation appeared first on Security Affairs.

Source: Security affairs


Jim Resnick

LOS ANGELES—Just before the official start of this year’s LA auto show, Jaguar fired a cannon across its competitors’ bows. Its I-Pace concept SUV breaks the electric barrier for Jag with pure electric drive from a pair of 200hp (149kW) motors, a 36-module battery pack totaling 90kWh, an operating range between charges of over 220 miles (500 km under the EU’s standards of calculation), new-for-Jaguar design proportions, and seriously rapid acceleration of 4 seconds (estimated) from 0-60mph (100kph). Jaguar has been working on electrification for some time, and the I-Pace will go into production in 2018, less than two years away.


Source: http://feeds.arstechnica.com/arstechnica/index/

HOLLYWOOD, Calif.—On the eve of the Los Angeles Auto Show, Ford unveiled its latest SUV for the US market. Called the EcoSport, it’s the smallest SUV the company has brought to these shores, and it’s fitted into the range below the Edge. The rapidly growing “compact SUV” segment (think Honda HR-Vs and Buick Encores) has sold more than 1.7 million vehicles since 2003, and Ford hopes to sell more than half a million of its own small SUVs by 2020.

“Young Americans are spending their money on experiences, not stuff,” Ford SUV Group Marketing Manager Michael O’Brien told me. “But they need a vehicle to enable those experiences.”

The EcoSport, which is loosely based on the Ford Fiesta platform, will come with a choice of two engines and four different trim packages. Buyers can get either the company’s award-winning 1.0L three-cylinder EcoBoost engine or a 2.0L four-cylinder, naturally aspirated direct injection option. Both use the same six-speed automatic gearbox. The EcoSport will be available in front-wheel and all-wheel drive versions. The latter sends up to 50 percent of available torque to the rear wheels when necessary.


Source: http://feeds.arstechnica.com/arstechnica/index/