July was relatively slow in terms of ransomware. Some crooks must have been on vacation spending ill-gotten money at deluxe resorts. Well, why not? They sure can afford it. The rest were busy releasing small, shoddy strains and reanimating old ones. Here's what the month looked like by the numbers: 42 new samples went live, 33 existing ones were fine-tuned, and 11 got decrypted.
JULY 1, 2017
Petya and past cyber-attacks in Ukraine may have common roots
A number of security vendors, including ESET and Kaspersky, discover ties between the latest Petya ransomware outbreak and the attacks against Ukrainian power facilities that took place in late 2015. A cybercrime crew referred to as TeleBots, which most likely has Russian origins, is believed to have been responsible for both incidents.

New strain called Lalabitch
This one scrambles file names by base64-encoding them and appends the .lalabitch extension. The ransom how-to file is called lalabitch.php.

Takeom ransomware, not in the wild yet
Researchers come across a crude sample called Takeom, which is still under development. Based on clues in its code, the author's name, or nickname, is Liam. It has no crypto functionality so far.

RansRans sample based on Hidden Tear
An umpteenth offshoot of the academic Hidden Tear ransomware is discovered. It appends the .ransrans string to encrypted files, hence the name. The code is shoddy and crashes all the time.

Hell ransomware, alias Radiation
There is some ambiguity regarding this sample's name. The victim console says it is Radiation ransomware, while the desktop background contains references to a strain called Hell. Either way, the code is too poorly written to handle victims' files properly, so the data is simply lost.
JULY 2, 2017
BTCWare tweak
The BTCWare crypto threat starts manifesting itself in a slightly different way. The most conspicuous change to this malicious program is the new .aleta extension affixed to victims' encrypted files.

Unikey pest coming out of an infamous cradle
Security analysts discover an in-dev strain called Unikey. Upon closer scrutiny, it turns out to be an offshoot of Hidden Tear, the controversial proof-of-concept ransomware.
JULY 3, 2017
Cry36 ransomware update
The latest iteration of this malicious code switches to the .63vc4 extension to mark encrypted data. Another change is the ### DECRYPT MY FILES ###.txt recovery how-to file dropped onto the desktop and into every folder holding encrypted files.
JULY 4, 2017
Ukrainian law enforcement's move to contain the Petya epidemic
The police of Ukraine, the country that suffered the most from the recent Petya, or NotPetya, outbreak, seize servers belonging to the local vendor of the M.E.Doc accounting software. A Trojanized update of this program was reportedly used to launch the initial wave of attacks against Ukrainian organizations.

ShellLocker undergoes an alteration
The new edition of the ShellLocker sample marks encrypted files with the .L0cked string. Furthermore, the file names themselves become unrecognizable due to a scrambling routine. As before, this variant displays ransom notes in Russian.

ZeroRansom, another one in the wild
Unique indicators of a ZeroRansom attack include the .z3r0 file extension and a ransom how-to document called EncryptNote_README.txt. This baddie automatically sends encryption-related information to the attacker via Gmail.

J-Ransomware uses an almost cute extension
The above-mentioned ZeroRansom becomes the code base for a fresh specimen called J-Ransomware. The latter appends the .LoveYou string to each encrypted file and leaves a how-to named ReadMe.txt.

zScreenLocker resurfaces with some changes under the hood
The original version of the zScreenLocker Trojan was spotted in early November last year. It displayed a warning screen featuring anti-Islamic motifs. Its first offspring appeared eight months later. Fortunately, the newcomer is easy to crack: the unlock password is Kate8Zlord.

CryptoMix keeps spawning "moles"
Another variant of the CryptoMix ransomware appears. It marks files with the .MOLE00 extension, whereas the previous one used .MOLE02. That's some strange math right there, isn't it?

Crypter 1.0, a really weird specimen
This sample doesn't have a working crypto module, so it poses no risk to data so far. It displays pop-up messages with gibberish contents and demands a whopping ransom of 10 Bitcoin.
JULY 5, 2017
Petya crew starts transferring funds
Crooks behind the devastating Petya campaign initiate transactions with the Bitcoins futilely submitted by victims who were hoping to regain access to their plagued systems. The amount is worth approximately $10,000. The felons moved this cryptocurrency to numerous wallets, which is classic OPSEC in the ransomware business.

New whitepaper on cyber threat landscape released
According to the Security Report 2016/17 by the Germany-based AV-TEST Institute, ransomware isn't nearly as prevalent as most people might think. The analysts calculated that ransom Trojans accounted for only 0.94% of all malware attacks in 2016.

MOLE02 specimen decrypted
A number of security vendors and independent researchers teamed up to crack a CryptoMix ransomware offshoot that appends the .MOLE02 string to files. As a result of these efforts, a free decryptor for this strain is released. Thumbs up to everyone involved!

Newsmaking arrests over ransomware
Chinese police track down and apprehend two men for spreading a ransom Trojan based on the notorious SLocker Android infection. It's noteworthy that the code in question imitates the look and feel of WannaCry, a strain that has contaminated thousands of Windows computers since May. This Android-based WannaCry lookalike was reportedly distributed via a rogue plugin for the King of Glory game.

CryptoMix authors launch one more spinoff
The latest addition to the CryptoMix ransomware lineage is a sample that replaces filenames with 32 hexadecimal characters and appends the attackers' email address followed by the .AZER string. The ransom note is named _INTERESTING_INFORMACION_FOR_DECRYPT.txt; obviously, spelling is not the crooks' forte.

BTCWare decryptor enhanced
MalwareHunterTeam's Michael Gillespie updates his free decryption tool for BTCWare so that it supports the recent variant that appends the .master extension to hostage files. This may not have happened if the anonymous creator of BTCWare hadn't posted the private decryption key on the Bleeping Computer forums.
JULY 6, 2017
Executioner updates aren't game-changing
Although the author of the Turkish file-encrypting malware called Executioner has been busy releasing new versions with improvements to the crypto routine, all of his endeavors end up futile. Researchers claim it can still be easily decrypted.

CountLocker is more destructive than most counterparts
This isn't a garden-variety strain, as it is configured to erase all data on the contaminated computer's C drive unless the victim pays up within a 72-hour deadline. The ransom is 0.3 Bitcoin (about $700).

Fenrir sample breaks new ground in a way
The new Fenrir ransomware introduces an offbeat approach to marking encrypted files: the extension is derived from the target machine's HWID (Hardware ID), namely its first 10 characters, so it differs from one infected machine to the next. Furthermore, while most ransom Trojans deliver their decryption instructions in TXT, HTML, or HTA format, Fenrir drops one named Ransom.rtf.

ElmersGlue_3 ransomware
As opposed to its predecessor, which demanded 16 Bitcoin to unlock the screen, ElmersGlue_3 "humbly" asks for $150 worth of the cryptocurrency. Fortunately, it doesn't encrypt anything and can easily be bypassed with a password that security analysts were able to retrieve.
JULY 7, 2017
NotPetya prototype can now be decrypted
The developer of the original Petya ransomware, who goes by the online alias Janus, leaks the master decryption key for his creation. This is quite likely a move to disavow any involvement in the NotPetya campaign wreaking havoc in Ukraine and several other countries. Note that the key helps victims of the older Petya variants only; NotPetya uses its own key material, so it remains undecryptable.

SurveyLocker fails to impress
This infection displays a popup alert saying "Internet surfing is disabled" and won't unlock the screen until the victim completes some surveys. Fortunately, security experts got hold of the unlock code, which is "thanksfortheadmoney".

Random6 genealogy explained
According to researchers' new findings, the Random6 ransom Trojan spotted in late June isn't an independently developed strain. It turns out to be an offshoot of the Fantom ransomware, which has been in the wild since August 2016.
JULY 10, 2017
LeakerLocker ransomware zeroes in on Android
This new ransom Trojan infects Android devices on a large scale. It is making the rounds via two booby-trapped applications available on Google Play, "Wallpapers Blur HD" and "Booster & Cleaner Pro". LeakerLocker accesses sensitive data stored on the device, exfiltrates it to the attackers' servers, and threatens to send the files to all of the victim's phone and email contacts unless they pay $50. Google removed the above-mentioned apps from its official marketplace after the reports started coming in.

A Petya knockoff appears
Researchers come across a sample called Petya+ that uses a warning screen resembling that of the original Petya infection. This copycat is written in .NET and does not complete the encryption process due to crude code.

Scorpio strain goes verbose with ransom notes
The sample called Scorpio replaces filenames with random combinations of hexadecimal characters and appends the .[[email protected]].Scorpio string to each one. It also leaves decryption how-to files named "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.txt".

Oxar ransomware spotted
Also referred to as the Locked In ransomware, this one is based on the Hidden Tear proof-of-concept. It uses the .OXR extension to label encrypted files.

Bit Paymer specimen in the wild
A brand new crypto threat called Bit Paymer appends the .locked suffix to hostage files. It leaves a separate .readme_txt rescue note for every encrypted item and uses a Tor-based payment page.
JULY 11, 2017
Arrest ensuing from a ransomware investigation
Australian law enforcement arrests a 75-year-old man for creating bogus tech support companies that used remote access services to plant ransomware on computers. The man has reportedly been in cahoots with an overseas ransomware ring since 2010.
JULY 12, 2017
NemucodAES baddie cracked
Emsisoft releases a free decryption tool for the NemucodAES ransomware. This perpetrating program is distributed via "undelivered package"-themed spam.

AslaHora, another Hidden Tear offshoot
Online extortionists continue to abuse academic ransomware originally designed for educational purposes. The new Hidden Tear-based ransomware called AslaHora marks files with the .Malki extension. Fortunately, analysts were able to retrieve the unlock password, which is MALKIMALKIMALKI.
JULY 13, 2017
DCry ransomware isn't an issue anymore
Security experts teamed up to build a free decryptor for DCry. The supported sample adds the .dcry extension to filenames.

BLACKOUT ransomware comes with a License Agreement
This one base64-encodes original filenames to make them difficult to identify. It drops a recovery manual named README_[random].txt, which includes a License Agreement stating that the program is "designed to test the protection of OS Windows against ransomware."

Keep Calm sample is a PoC derivative
File-encrypting malware called Keep Calm is based on EDA2, another educational ransomware from the creator of the infamous Hidden Tear. It appends the .locked extension to encrypted files and drops a rescue note named "Read Instructions.rtf".

Purge ransomware campaign fails
Predictably enough, this strain appends the .purge suffix to every encrypted file. It is unstable, crashing on and off during the attack. Researchers who analyzed its code managed to get hold of the unlock password, TotallyNotStupid, so victims don't have to pay $250 for decryption.

Some crooks aren't well schooled
A new screen locker is discovered that displays a message reading, "Your All Data Is Encrypt!" It demands 1 Bitcoin for unlocking the screen, but the Alt+F4 combo does the trick free of charge.

BrainLag ransomware spotted before it goes live
Analysts stumble upon an in-dev sample called BrainLag. It shows a warning screen with an image of the Grim Reaper and a smiley. It does not apply any crypto at this point.

Ransed strain in the wild
Judging from its name and the identical .ransed extension it appends to filenames, the authors of Ransed have coined a new verb. The infection chain includes a connection to a MySQL server, which means the server login credentials are hard-coded into the ransomware and can be pulled out of the sample by anyone who analyzes it.
JULY 14, 2017
Jigsaw edition featuring a deterrent extension
A new iteration of the Jigsaw ransomware is discovered. Its distinguishing hallmark is the .kill string appended to hostage files.

SamSam ransomware update
The SamSam, or Samas, lineage of file-encrypting infections is quite dynamic, as it regularly spawns new versions. The latest one marks encrypted files with the .country82000 extension.

ENDcrypt0r ransomware is a bluff
While passing itself off as classic crypto ransomware, the ENDcrypt0r Trojan is nothing but a garden-variety screen locker. When confronted with this impostor, victims can use the "A01B" password to unlock their computers.

Fuacked ransomware merges with the crowd
Some ransomware devs must be running short of creativity, judging by infections like the one called Fuacked. There is nothing unique about it except the immodest-sounding name and the "WAHHH!!!" exclamation in the title of the ransom note.
JULY 15, 2017
Striked ransomware is now decryptable
This sample got its name from the "Your files are striked [sic]" phrase in its README_DECRYPT.html ransom note. It renames hostage files using the following pattern: Filename#[email protected]#id#[10 random numbers]. Fortunately, researchers were able to defeat its crypto and released a free recovery tool.
JULY 17, 2017
Android ransomware that pilfers data
A new remote access Trojan called GhostCtrl, a spinoff of the notorious multi-platform OmniRAT malware, turns out to exhibit ransomware properties on Android. In particular, it resets the PIN of a target device and locks the screen with a rescue note.

Alosia ransomware launched and cracked
This specimen is based on shoddy open-source code. It marks encrypted files with the .alosia extension and displays a ransom note named "File Anda Terkunci," which is Indonesian for "Your file is locked." Victims can use the following code to decrypt their data: CREATEDBYMR403FORBIDDEN.

New Jigsaw offspring appears
Yet another Jigsaw edition is spotted in the wild. It appends the .korea string to all encrypted files and sets a black desktop background with a big smiley on it.

Reyptson ransomware uses clever self-spreading tactics
A Spanish crypto strain called Reyptson stands out from the rest, as it accesses the victim's Thunderbird email account and sends booby-trapped messages to their contacts. It appends the .reyptson extension to files and drops a rescue note named Como_Recuperar_Tus_Ficheros.txt into every folder with hostage files.

Viro ransomware throws some blasphemy into the extortion mix
This derivative of the Hidden Tear PoC marks encrypted files with the .locked suffix and generates a ransom how-to dialog titled "Computer compromised". It also replaces the victim's desktop background with a blasphemous Photoshopped image. Shame on the bad guys.

Run-of-the-mill Oops ransomware
This one uses the .oops extension to label ransomed entries. It instructs victims to send a file named EncryptedKey, their computer name, and a Bitcoin address to [email protected] for further directions. The ransom amounts to 0.1 Bitcoin (about $275).

Explorer v1.58 ransomware hailing from the HT cradle
The strain in question is yet another Hidden Tear spin-off. It adds the .explorer extension to files, uses the [email protected] email address to interact with those infected, and states that victims can pay half the regular price if they submit their ransom within a 24-hour deadline.

GlobeImposter lineage gets new variants
Two fresh editions of the GlobeImposter ransomware are discovered. They append the .s1crypt or .au1crypt extension to locked files. Both share the same rescue note named how_to_back_files.html.
JULY 18, 2017
FedEx badly impacted by Petya attack
According to a report released by FedEx, some of the company's servers (at its TNT Express subsidiary) were severely affected in the wake of the Petya, or NotPetya, ransomware campaign. The officials say full recovery of their systems and critical business data isn't a likely prospect, so the damage is significant.
JULY 19, 2017
Public media company struggling to recover from ransomware onslaught
KQED, a radio and TV station headquartered in San Francisco, is having trouble remediating the damage from a ransomware attack. The incident took place in mid-June and is still disrupting the station's operational workflow. Management decided to reinstall the operating systems on infected machines, so a certain amount of data was lost irreversibly.

NemucodAES decryptor enhanced
Security researcher Fabian Wosar from Emsisoft fine-tuned his previously released free decryption tool for the NemucodAES ransomware. The new edition of the decryptor supports large database files, which wasn't the case before the update.

China-Yunlong Trojan spotted in the wild
As the name suggests, this sample hails from China. It leaves file names unaltered and appends the .yl extension to them.
JULY 20, 2017
CryptoMix authors release two more variants
The hallmarks of the new CryptoMix ransomware editions are the .NOOB and .ZAYKA extensions appended to hostage files. Both drop ransom notes named _HELP_INSTRUCTION.txt and use the [email protected] email address to communicate with victims.

Recent versions of Striked ransomware now crackable
Michael Gillespie from MalwareHunterTeam updates his decryption tool for the Striked ransomware so that it supports files with several new extensions appended to them.

Hidden Tear misapplied once again
Security analysts come across an umpteenth variant of the academic Hidden Tear ransomware called Matroska. It marks encrypted files with the [email protected] extension.
JULY 21, 2017
CryptoMix family keeps growing
A brand new iteration of the CryptoMix ransomware uses the .CK extension to label encrypted files. The name of the ransom how-to, _HELP_INSTRUCTION.txt, is the same as before, but its contents have been reworded.

New edition of the Jigsaw ransomware
There aren't many strains out there updated as frequently as Jigsaw. The latest version in the wild appends the .afc string to encrypted files and displays a new desktop background.

Symbiom ransomware surfaces
This sample is one of the numerous Hidden Tear proof-of-concept offshoots. It marks all encrypted files with the .symbiom_ransomware_locked suffix and provides a payment walkthrough in the README_Ransomware_Symbiom.txt document.

Bitshifter is more than just ransomware
While encrypting and holding a victim's personal data hostage, the specimen called Bitshifter also attempts to find and exfiltrate information on cryptocurrency wallets. This ransomware is identifiable by a ransom note named ARE_YOU_WANNA_GET_YOUR_FILES_BACK.txt. Bitshifter targets China for now.

"Stinking" GlobeImposter version appears
The architects of the GlobeImposter ransomware campaign release a new variant that appends the .skunk string to every hostage file.

Python-based SnakeLocker
Researchers discover two editions of new ransomware called SnakeLocker. They add the .snake or .TGIF extension to encrypted items and leave an INSTRUCTIONS-README.html rescue note with payment steps.
JULY 22, 2017
GlobeImposter spawns new versions in rapid succession
Another variant of the GlobeImposter ransomware surfaces one day after the .skunk variant was discovered. The newcomer appends the .GOTHAM extension to ransomed files.

This ransomware lineage is expanding at an astonishing rate
Yet another persona of GlobeImposter appears. It uses the .crypt string to mark locked files and leaves a decryption how-to named how_to_back_files.html. Victims are coerced into contacting the threat actors via [email protected] or [email protected].

This is GlobeImposter's day, obviously
While the fresh iteration of this ransomware still drops the how_to_back_files.html ransom how-to, it has switched to the .HAPP suffix for encoded files. It instructs those infected to send a message to [email protected] or [email protected] for recovery steps.

Zilla ransomware update
A variant of the Zilla ransomware is spotted that marks files with the .Atom string. The new name of the ransom note is ReadMeNow.txt.

SimpleRansomware doesn't live up to its name
This in-development specimen leverages Pastebin to work out whether a specific user has submitted the ransom. Furthermore, its code contains numerous indications that the attackers are trying to equip the infection with a VB rootkit.
JULY 23, 2017
Bam! Ransomware in the wild
The sample in question appends the apropos .bam! extension to scrambled files. It sets a 24-hour payment deadline and tells victims to contact the crooks via [email protected] or [email protected] for a payment walkthrough.

JCoder authors pay homage to Petya
Security analysts come across a specimen called JCoder that appends the .Petya suffix to encrypted files.
JULY 24, 2017
DCry ransomware updated
The latest edition of DCry switches to the .qwqd extension to label encoded files. Fortunately, the DCry decryption tool released earlier by MalwareHunterTeam's Michael Gillespie supports this variant.

WannaCry copycat from Turkey
Researchers discover a WannaCry ransomware knockoff that displays a ransom warning in Turkish. It reportedly infiltrates computers via remote desktop services. The ransom amounts to $7,000 worth of Bitcoin.

The original Petya declared decryptable
Security experts used clues in the tweet posted by the author of the original Petya threat to retrieve the private decryption key for last year's variants. This lends further weight to the view that the recent NotPetya outbreak in Ukraine was operated by a different cybercrime crew. According to Malwarebytes, an automatic decryptor is in progress.

Another day, another GlobeImposter update
One more iteration of the GlobeImposter ransomware appears. It marks encrypted files with the .707 extension and drops the RECOVER-FILES.html ransom how-to.

GlobeImposter makers appear to be restless
Guess what? Plus one for this ransomware family. The latest iteration uses the .{email address}.BRT92 extension for locked files, so a sample file named Pic.jpg morphs into something like Pic.jpg.{[email protected]}.BRT92. The ransom note is #HOW_DECRYPT_FILES#.html.
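Several of the strains above rename files in a predictable way: Lalabitch and BLACKOUT base64-encode the original name, Striked uses Filename#email#id#digits, GlobeImposter's BRT92 build uses Filename.{email}.BRT92, and CryptoMix's .AZER build throws the name away altogether. After a decryptor has restored the contents, the names still have to be restored, and that is where mistakes (overwriting a clean file, renaming a non-base64 token to garbage) happen. The following helper is an added example and not code from the article or from any of the decryptors it mentions. It assumes the renaming patterns exactly as the article describes them, accepts any e-mail address in place of the ones the article redacts, and assumes a dot separates the hex name from the e-mail in the .AZER scheme; the sample names it is tested with are constructed.

```python
"""Map ransomed file names back to their originals for the schemes described above.

Added illustration, not code from the article or any decryptor it mentions.
Assumptions: attackers' e-mail addresses are redacted in the article, so any
address is accepted; the separator before the .AZER e-mail is assumed to be a dot.
"""
import base64
import binascii
import re
from typing import Iterable, List, Optional, Tuple

# Striked: Filename#<email>#id#<10 random digits>; the original name survives intact.
STRIKED = re.compile(r"^(?P<orig>.+)#(?P<email>[^#@]+@[^#]+)#id#\d{10}$")
# GlobeImposter BRT92: Pic.jpg.{<email>}.BRT92
BRT92 = re.compile(r"^(?P<orig>.+)\.\{(?P<email>[^{}@]+@[^{}]+)\}\.BRT92$")
# CryptoMix AZER: 32 hex chars, the attackers' e-mail, then .AZER (dot separator assumed).
AZER = re.compile(r"^[0-9A-Fa-f]{32}\.(?P<email>[^.@]+@[^.]+\.[^.]+)\.AZER$")
# Lalabitch: base64(original name) + .lalabitch
LALABITCH_EXT = ".lalabitch"


def decode_base64_name(token: str) -> Optional[str]:
    """Decode a base64-scrambled file name, rejecting anything that is not a sane name.

    Strict decoding plus a printability check keeps a stray non-base64 token, or a
    decoded blob that contains path separators, from ever becoming a rename target.
    """
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not text or not text.isprintable() or any(c in text for c in "/\\"):
        return None
    if text in (".", ".."):
        return None
    return text


def recover_name(name: str) -> Tuple[str, Optional[str]]:
    """Return (family, original_name); original_name is None when the scheme destroys it."""
    if name.endswith(LALABITCH_EXT):
        return "Lalabitch", decode_base64_name(name[: -len(LALABITCH_EXT)])
    m = STRIKED.match(name)
    if m:
        return "Striked", m.group("orig")
    m = BRT92.match(name)
    if m:
        return "GlobeImposter/BRT92", m.group("orig")
    if AZER.match(name):
        return "CryptoMix/AZER", None  # name replaced by 32 hex chars: unrecoverable
    return "unknown", None


def plan_renames(names: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Build (ransomed, original, family) rename pairs without ever overwriting a file.

    Two ransomed names can map to one original (Striked appends a random id, so two
    copies of report.docx#...#id#... both decode to report.docx); only the first is
    renamed and the rest are skipped for a human to sort out. A target that already
    exists in the listing is skipped for the same reason.
    """
    listing = list(names)
    present = set(listing)
    taken = set()
    plan: List[Tuple[str, str, str]] = []
    for ransomed in listing:
        family, original = recover_name(ransomed)
        if original is None or original in present or original in taken:
            continue
        taken.add(original)
        plan.append((ransomed, original, family))
    return plan


if __name__ == "__main__":
    # Constructed sample listing, not real victim data.
    sample = [
        "cmVwb3J0LmRvY3g=.lalabitch",
        "budget.xlsx#help@example.invalid#id#0000000001",
        "budget.xlsx#help@example.invalid#id#0000000002",
        "Pic.jpg.{help@example.invalid}.BRT92",
        "0123456789abcdef0123456789abcdef.help@example.invalid.AZER",
    ]
    for ransomed, original, family in plan_renames(sample):
        print(f"{family:20} {ransomed} -> {original}")
```

Run it on a directory listing taken before decryption and review the plan before applying it; anything the helper reports as unknown or unrecoverable (the .AZER case) needs the original names restored from backup or from file headers instead.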
JULY 25, 2017
VindowsLocker returns
Originally discovered in late November 2016, the VindowsLocker ransomware campaign didn't last long. In a surprise move, it reappeared eight months later. The current variant locks the desktop, says "Your computer will explode in 24 hours," and demands a ransom payable in iTunes gift cards.

RanDsomeWare isn't a misspelling
The sample called RanDsomeWare uses the .RDWF character string to label encrypted files. Its behavior suggests that it may be a joke: it displays a warning reading "You are about to run a ransomware" before performing the crypto part. Even if a victim is careless enough to grant it the required permissions, they can use the SUPER_SECRET_KEY code to undo the damage.

GlobeImposter architects are busier than ever
Analysts have gotten accustomed to discovering new GlobeImposter versions every other day, or even more frequently. A fresh one affixes the .p1crypt string to file names and leaves a rescue note named how_to_back_files.html.
JULY 26, 2017
Striked ransomware decryptor updated
The previously released free decryption tool for the Striked ransomware now supports several new variants that use contact email addresses hosted at the aolonline.top domain.

Tweak of the Serpent strain
The latest version of the Serpent ransomware appends the .srpx extension to files. It drops a new pair of ransom notes, README_TO_RESTORE_FILES_t7Q.html and README_TO_RESTORE_FILES_t7Q.txt.

New one targeting Polish users
Security experts come across an in-dev sample that displays warning messages in Polish. The current encryption key is 12345.

ABC Locker spotted
This one is a spinoff of the CloudSword ransomware, which was discovered in January 2017. Just like its prototype, ABC Locker uses AES-256 in CBC (cipher block chaining) mode. It sets a payment deadline of five days, after which the ransom increases from 0.5 to 1 Bitcoin. Interestingly, the USD equivalent of 1 Bitcoin mentioned in the rescue note is $550, whereas the current rate is around $2,740. The text of the warning must have been written at least a year ago, when the cryptocurrency was worth several times less than it is now.

Ransomware InVincible
Whatever motivated the developers of the new InVincible ransomware to name it that way, the choice appears unwarranted, as it does not perform encryption at this point. This sample displays a GUI resembling that of WannaCry. The ransom is $50 worth of Bitcoin.
JULY 27, 2017
Spongebob ransomware 2.0
Despite the funny name, this in-development specimen may shape up to be a serious issue when completed. For now, it only displays a funny-looking GUI and fails to do the crypto part.

Zuahahhah sample spotted
The Crypt888 ransomware family, which has been around since June 2016, produces a new offshoot that goes by the weird name of Zuahahhah.

The comeback of LambdaLocker
The Python-based LambdaLocker sample was first spotted in early February 2017 and soon vanished from the cybercrime arena, only to return in July. The new variant appends the .MyChemicalRomance4EVER string to hostage files and drops a recovery manual named UNLOCK_guiDE.tXT.

Interesting findings regarding the ransomware ecosystem
According to an in-depth analysis conducted by Google researchers Elie Bursztein, Kylie McRoberts, and Luca Invernizzi, 95% of ransoms traced since 2014 were cashed out through BTC-e, one of the world's largest Bitcoin exchanges.

ShieldFS makes computers immune to ransomware
A possible breakthrough in fending off crypto ransomware is hitting the headlines. Security researchers from Italy created ShieldFS, which they call a self-healing, ransomware-aware filesystem. In a nutshell, it monitors the file I/O of running processes, terminates a process once its behavior looks like ransomware, and restores the files that process already encrypted from copy-on-write copies the filesystem keeps. This is detection and rollback rather than true immunity: the files come back because the filesystem shadowed them before the process was stopped.

Police apprehend BTC-e proprietor
In the same week as the above-mentioned report presented by Google employees at Black Hat USA 2017, Greek police arrest 38-year-old Alexander Vinnik, the alleged operator of the BTC-e digital currency exchange. He is charged with laundering ransomware payouts as well as money stolen in the notorious Mt. Gox Bitcoin exchange hack. Law enforcement also takes down the BTC-e portal as part of the investigation.
JULY 28, 2017
CryptoMix becomes more of a moving target
The CryptoMix ransomware crew is busy creating new variants of this perpetrating program. This time they launch two editions in a row. These append the .ZERO and .DG extensions to encrypted files and drop an identical decryption manual named _HELP_INSTRUCTION.txt.
JULY 30, 2017
Another SamSam mod goes live
The SamSam, or Samas, ransomware campaign has been somewhat idle recently. New editions do appear once every several weeks, though. The latest one marks every hostage item with the .supported2017 extension.
JULY 31, 2017
GlobeImposter distributors adopt a new tactic
The GlobeImposter ransomware edition that marks encoded files with the .crypt extension is making the rounds via so-called "Blank Slate" spam. The booby-trapped emails have no subject line and no body text, and carry a Trojanized ZIP file as an attachment. This particular variant drops a data restoration manual named !back_files!.html.
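The "Blank Slate" delivery described above is unusual in that the message itself is the indicator: no subject, no body, just an archive. That makes it cheap to flag at the mail gateway or in a mailbox sweep. The function below is an added example, not code from the article or from any vendor filter. It parses a message with Python's standard email library and reports the indicators the article names (empty subject, ZIP attachment). One check goes beyond what the page states and is labeled as such: it lists archive members with script or executable extensions, since the article does not say what the Trojanized ZIPs contain. The sample message is constructed for the demonstration and carries a harmless placeholder file.

```python
"""Flag "Blank Slate" style malspam: no subject, empty body, ZIP attachment.

Added example, not code from the article or from any vendor product. The inner
archive check (RISKY_EXT) is an assumption beyond the article, which does not say
what the Trojanized ZIPs contain. The sample message is constructed and benign.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List

ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}
# Assumption beyond the article: member extensions that usually mean a loader, not a document.
RISKY_EXT = {"js", "jse", "vbs", "vbe", "wsf", "hta", "exe", "scr", "cmd", "bat", "ps1", "lnk"}


def risky_members(blob: bytes) -> List[str]:
    """List archive members with a script/executable extension; a corrupt ZIP yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as archive:
            return [n for n in archive.namelist() if n.lower().rsplit(".", 1)[-1] in RISKY_EXT]
    except zipfile.BadZipFile:
        return []


def blank_slate_indicators(raw: bytes) -> Dict[str, object]:
    """Parse one RFC 5322 message and report the Blank Slate indicators found in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body = ""
    zips: List[str] = []
    members: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            filename = part.get_filename() or ""
            if filename.lower().endswith(".zip") or part.get_content_type() in ZIP_TYPES:
                zips.append(filename)
                members.extend(risky_members(part.get_payload(decode=True) or b""))
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    return {
        "empty_subject": subject == "",
        "empty_body": body.strip() == "",
        "zip_attachments": zips,
        "risky_members": members,
        # The verdict uses only what the article describes: no subject plus a ZIP.
        "blank_slate": subject == "" and bool(zips),
    }


def build_sample(subject: str = "", member: str = "document.js") -> bytes:
    """Constructed sample message: empty body, one ZIP attached, subject optional."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member, "// harmless placeholder, not malware\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    if subject:
        msg["Subject"] = subject
    msg.set_content("")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="4271.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blank_slate_indicators(build_sample()))
    print(blank_slate_indicators(build_sample(subject="Invoice 4271", member="notes.txt")))
```

Feed it raw .eml files from a quarantine or a mailbox export; the verdict field is deliberately limited to the two traits the article describes, while the empty-body and risky-member fields are there for an analyst to weigh separately.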
SUMMARY
Perhaps the defining event of last month was the takedown of the BTC-e cryptocurrency trading platform, the one purportedly used to cash out most ransoms. Let's see how things pan out in this regard; perhaps initiatives like that can help stop the epidemic in its tracks. Meanwhile, to stay clear of the rampant ransomware frenzy, use reliable security software, install operating system updates on time, and, most importantly, keep your files backed up.
About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures. Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.