360 Total Security Blog

The Epidemic Analysis of Ransomware in October 2019

In early October, the world’s largest manufacturer of hearing aids, Denmark’s Demant was invaded by ransomware and directly lost as much as $100 million. The violent offensive of the ransomware wave followed the wave. On October 17th, global shipping giant Pitney Bowes also suffered Ransomware attack, 90% of Fortune 500 companies are affected.

Although the attacks of the two giants are not the same virus, the ransomware is still a major threat to cybersecurity. The following is an analysis of the 360 security center’s overall infection situation in October.

Topstream family GlobeImposter returns to the top

In the past October, the major ransom virus family launched an invasion war, and the “top-flow family” GlobeImposter accounted for 18.37% this month, and once again reached the summit, the “play rate” was long-lasting; secondly, “new online red” The phobos family and the Crysis family ranked second and third respectively with 16.78% and 15.87%. On the contrary, the Stop family has begun to show signs of decline from 22.9% in September to 9.52% this month.

The Proportion of Ransomware Family in October 2019

Among the top ten families in October, the FakeParadise virus is worth watching. FakeParadise can be described as “novice” in this month, but driven by interest, its extortion price is as high as $1995 for bitcoin, and ransom is converted to more than 10,000 yuan. FakeParadise will modify the file suffix to _Kim ChinIm_{ID}.sev and Support_{ID}.FC, but 360 Security Center has cracked the ransomware in the first time in China.

File encrypted by FakeParadise ransomware

As for the reason for FakeParadise naming, in foreign countries, it is classified into the Paradise family, but the 360 security center found that the two use the encryption method is significantly different, FakeParadise is written in C++ language, while the traditional Paradise uses Written in C# language.

In addition, in order to counter the system’s file recovery function, FakeParadise will call the system command to delete the shadow. This is also different with the traditional Paradise. The Paradise family ransomware will delete the system’s Volume Shadow Copy (VSS: Volume Shadow Copy), but Existing shadows won’t be deleted (so files can be recovered from the system’s restore point). In addition, there are many different types of ransomware information styles and encryption algorithms in the two families.

FakeParadise removes shadows

Paradise only removes the shadow service

Win10 system “gradually lost”, botnet pushes high password attack

As for system infections, 360 Security Center monitoring found that the top three systems this month are still Windows 7, Windows 10 and Windows Server 2008. As Windows 10 gradually becomes mainstream, its attack share has also increased by about 5%. In the foreseeable future, Win10 users who are gradually becoming “attacking the bull’s eye” need to be vigilant.

The proportion of infected systems in October 2019

In addition, 360 Security Center discovered through the trend of weak password attacks in October that the attack trend of MsSQL had significant growth on October 6th and October 8th, mainly due to the MyKings hacking organization from October 6th. Increasing its attack input, in addition to frequently updating the communication address of the bot, it also launched a new round of brute force attacks against the MsSQL database, with the intention of controlling more servers to form a larger mining botnet.

Weak password attack trend chart for October 2019

Hacker mailbox disclosure

The following is the hacker email information collected by the 360 security center this month:

John_Gilbert_2019@protonmail.com recoveryqq@protonmail.com helpme.parner@yahoo.com
zigger@protonmail.com sercurityteacher@cock.li gerentosrestore@firemail.cc
DataBack@qbmail.biz zzzoruda@cock.li getbtc@aol.com
starter@cumallover.me sicck@protonmail.com emerson.parkerdd@aol.com
btcpay1@protonmail.com sosca@foxmail.com easydecrypt555@cock.li
proansw@protonmail.com mrcrypting@airmail.cc DecrypterSupport@cock.li
Folieloi@protonmail.com backupyourfiles@420blaze.it decoding@qbmail.biz
Ctorsenoria@tutanota.com b1tc01n@aol.com deadmin@cock.li
sambolero@tutanoa.com Blackmax@tutanota.com davidharris@nuke.africa
rightcheck@cock.li cryptocash@aol.com cyb3rcrypt@protonmail.com
crypt2020@outlook.com vivaldicrypt@outlook.com cobian0ransom@cock.li
cryptt2020@protonmail.com newebola@aol.com cobian_ransom@protonmail.com
getmyfilesback@airmail.cc rsa1024@tutanota.com cobain0ransom@cock.li
koreadec@tutanota.com mrcrypt@cock.li cobain_ransom@protonmail.com
vourrealdecrypt@airmail.cc jsmith1974@mail.fr cleverhorse@xmpp.jp
filedecryptor@nuke.africa decryptbots@cock.li butters.felicio@aol.com
mr.brozer@protonmail.com dfvdv@tutanota.com btcthebtc@aol.com
ticketbit@tutanota.com relvirosa1981@aol.com betasup@mail.ee
ticketbit@mailfence.com stoneland@firemail.cc ashleyqz5tfmoore@aol.com
1701222381@qq.com raceso@qq.com alcorestore@protonmail.com
yourdatahere@tutanota.com Hariliuios@tutanota.com advancedbackup@protonmail.com
xmedusax@cock.li kazkavkovkiz@cock.li admin@fentex.net
whitwellparke@aol.com patern32@protonmail.com supdec@8chan.co
wewillhelp@xmpp.jp veracrypt_restore@protonmail.com helpdesk_nemty@aol.com
wewillhelp@ctemplar.com upeditco@gmail.com elzmflqxj@tutanota.de
tirrelllipps@aol.com unlock01@protonmail.com fullrestore@qq.com
symetrik@protonmail.com lockers123@protonmail.com steamgamer99@gmail.com
servers70@tutanota.com buttersfelicio@aol.com corpseworm@protonmail.com
savignythayne@chadfarrcreations.com partfile@airmail.cc fidelio.bartyn@aol.com
savefiles@cock.li hmdjam@protonmail.com churiladr@cock.li
restoringbackup@airmail.cc husilusi@cock.li salesrestoresoftware@firemail.cc
recoverydata54@protonmail.com paybuyday@aol.com salesrestoresoftware@gmail.com
recoverunknown@aol.com amundas@firemail.cc admin@slide.best
recover_file13@protonmail.com decryptmyfiles@qq.com bitlocker@foxmail.com
rdp800@rape.lol mrimrssmith@cock.li btccrypthelp@cock.li.com
professionalhelp@india.com mrimrssmith@protonmail.com dataforcoin@aol.com
onlyiwillhelpyou@protonmail.com mrimrssmith@cock.lki writehere@onlinehelp.host
mrcrypting@protonmail.com addison_jimmy@aol.com xisdxi@cock.li
merlinstusan@protonmail.com bitlock@foxmail.com cybercrypt@cock.li
LiberLover@tutanota.com btcpayment@airmail.cc willyhill1960@protonmail.com
konte@cock.li china_@tol.com willyhill1960@tutanota.com
keysfordecryption@airmail.cc china_helper@aol.com Bdataforcoin@aol.com
icanhelpu@cock.li china.helper@india.com back_me@foxmail.com
securityteacher@cock.li china989helper@protonmail.com admin@sectex.net
theonlyoption@jabb3r.de china989helper@redchan.it admin@fentex.world
welcokaj@nuke.africa dataforcoin@cock.li Killback@protonmail.com
unlock@goldenbay.su decrypthelper2020@protonmail.com bitlocker@hotmail.com
unlock@graylegion.su goretosrestore@firemaill.cc gillamlowrance@aol.com
vacandeli1971@protonmail.com hibbard_r@ferepot.info inspectionguard@cock.ii
nmode@tutanota.com ihelpyoudecrypt@protonmail.com kickclakus@protomail.com
maximum@onlinehelp.host    

All kinds of hackers attacked and attacked the virus, which caused a serious threat to users’ security. As the world’s largest and most effective ransomware decryption tool, 360 decryption tools can support more than 300 kinds of ransomware decryption, and powerfully protect user data and property security.

Security advice:

In the face of the escalating ransomware epidemic situation, 360 security brains recommend that users improve their network security awareness, strengthen information management, or do the following defenses to protect computer privacy and property security:

1, As soon as possible, go to http://www.360totalsecurity.com download and install 360 Total Security, and comprehensively intercept all kinds of ransomware attacks;

2, enterprise server administrators try to avoid multiple machines using the same account password, to ensure the complexity of the login password, and to do regular replacement;

3, The shared folder of important data should be set with access control and regular backup; regularly detect security vulnerabilities in the system and software, and timely patch;

4, individual users should download and install software from the formal channels, use a variety of activation tools with caution; for unfamiliar software, if it has been intercepted by anti-virus software, do not add trust to continue running;

5, When encountering emails sent by strangers, be cautious and try to avoid downloading attachments. If you need to download, you must first check the accessories with security software.

6, after recruiting ransomware, please install the “360 Total Security decryption tool” function, click “Scan now” to recover the encrypted file.