Kovter Click-Fraud Malware Evolves Back into Ransomware
#1
Security researchers from Check Point are reporting on a change in the Kovter malware's mode of operation, which has slowly morphed into a weak crypto-ransomware variant.
Kovter started out in 2013 as a simplistic ransomware version that was locking people's computers and showing a message asking them to pay a fine or face legal action. In most cases, this message was posted using insignia and graphics specific to local law enforcement, depending on the user's country of origin.
Kovter evolved from ransomware to click-fraud malware and back again
As these types of ransomware campaigns started to become ineffective, by 2014, Kovter evolved and specialized in click-fraud activities, loading and clicking on ads behind the user's back.
This lasted for two years, during which time the malware became famous for the fast pace at which it evolved, always adding new features.
The peak of this neverending update cycle was reached last autumn, when Kovter became a fileless threat, living in the infected PC's memory and Windows registry.
As ransomware has started to become a big business in the last few months, Kovter's authors are now jumping on the bandwagon and have decided to evolve Kovter's codebase once again, bringing it back to where it all started.
Kovter ransomware encryption can be defeated
This new version of the Kovter ransomware does not look like the original version at all because, instead of locking users' PCs, Kovter now encrypts their files.
Luckily, Check Point says that Kovter can't yet rival Locky or TeslaCrypt, and that its encryption can be defeated. As researchers have explained, Kovter does not encrypt all the files, but only the first few bytes of each file, and then stores the encryption key on disk. This decryption key can be discovered and used to unlock all encrypted files.
Unfortunately, Check Point hasn't released a decrypter for this ransomware, meaning there's no simple point-and-click solution to recover the files, and infected users might need the help of a professional to get their data back.
What's strange about Kovter is that its authors seem to have been preoccupied more with avoiding antivirus detection, rather than using a strong encryption algorithm. If a Kovter ransomware decrypter becomes available, we'll keep you posted and update this article.
As a side note, Kovter is one of those sneaky PowerShell-based malware pieces that we wrote an article about today.
UPDATE: Well, that was quick. Bleeping Computer's Lawrence Abrams has told Softpedia that a decrypter is already available, because the ransomware was previously detected under the name Nemucod.

source
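The weakness the post describes (only the first bytes of each file are encrypted, and the key is written to disk) is easy to see in a small model. The following is an added example, not code from the article, from Check Point or from the Kovter/Nemucod samples: the header length, the key file name, the SHA-256 counter keystream and the sample files are all constructed stand-ins, not the malware's real format or cipher. It simulates the "infection", then performs the recovery that an on-disk key permits, using well-known file signatures to confirm that a restored header is correct.

```python
"""Toy model of header-only file encryption with the key dropped on disk,
and the recovery that such a design allows.

Constructed example: HEADER_LEN, the key file name and the XOR keystream
are assumptions for illustration, not Kovter's or Nemucod's real behaviour.
"""
import hashlib
import pathlib
import tempfile

HEADER_LEN = 64          # assumption: only the first 64 bytes get encrypted
KEY_FILE = "key.bin"     # assumption: where the malware leaves its key

# Signatures used to verify that a decrypted header is plausible.
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpg",
}


def keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream built from SHA-256 (stand-in cipher)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def encrypt_header(data: bytes, key: bytes) -> bytes:
    """XOR only the first HEADER_LEN bytes; the rest is left untouched."""
    ks = keystream(key, HEADER_LEN)
    head = bytes(a ^ b for a, b in zip(data[:HEADER_LEN], ks))
    return head + data[HEADER_LEN:]


decrypt_header = encrypt_header   # XOR with the same keystream undoes it


def looks_intact(data: bytes) -> bool:
    """True if the data starts with one of the known file signatures."""
    return any(data.startswith(m) for m in MAGIC)


def simulate_infection(root: pathlib.Path, key: bytes, targets: list) -> None:
    """Encrypt the header of each target file and drop the key next to them."""
    for name in targets:
        p = root / name
        p.write_bytes(encrypt_header(p.read_bytes(), key))
    (root / KEY_FILE).write_bytes(key)


def recover(root: pathlib.Path) -> dict:
    """Read the dropped key, restore headers and report per-file status.

    untouched  - header already carries a known signature, left alone
    recovered  - decrypted header matches a known signature
    unverified - decrypted, but no signature to confirm it (e.g. plain text)
    """
    key = (root / KEY_FILE).read_bytes()
    status = {}
    for p in sorted(root.iterdir()):
        if p.name == KEY_FILE:
            continue
        data = p.read_bytes()
        if looks_intact(data):
            status[p.name] = "untouched"
            continue
        plain = decrypt_header(data, key)
        p.write_bytes(plain)
        status[p.name] = "recovered" if looks_intact(plain) else "unverified"
    return status


def demo() -> dict:
    """Run infection and recovery on constructed sample files.

    Returns {name: (status, restored_bytes_equal_original)}.
    """
    samples = {  # constructed sample inputs
        "report.pdf": b"%PDF-1.4\n" + b"A" * 200,
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"B" * 200,
        "notes.txt": b"no magic bytes here\n" + b"C" * 200,
        "archive.zip": b"PK\x03\x04" + b"D" * 200,   # not hit by the "malware"
    }
    key = hashlib.sha256(b"constructed demo key").digest()
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d)
        for name, body in samples.items():
            (root / name).write_bytes(body)
        simulate_infection(root, key, ["report.pdf", "photo.png", "notes.txt"])
        status = recover(root)
        return {name: (status[name], (root / name).read_bytes() == body)
                for name, body in samples.items()}


if __name__ == "__main__":
    for name, (state, ok) in demo().items():
        print(f"{name:12s} {state:10s} matches original: {ok}")
```

The signature check is what turns "we found a key file" into "this is the right key": a wrong key still produces bytes, but not a valid PDF or PNG header. Files with no recognisable signature (the `notes.txt` case) come back as `unverified`, which is exactly where a real recovery would need the victim to eyeball the result.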
#2
Thanks for info.