Category Archives: Security alerts

SECURITY ALERT: GermanWiper Ransomware Erases Your Data Even If You Pay

German companies and employees of German companies, in particular, are faced with a devious wave of ransomware attacks. While the new ransomware strain has been targeting mostly German victims so far, there’s no telling how far it may spread. We should all be aware of how the ransomware infects devices and how it works.

The GermanWiper ransomware earned its name not only because of its German targets, but also because it is particularly devious. Unlike other ransomware, it doesn't actually encrypt data with a secret key and then await payment in order to decrypt it.

With this one, there’s a nasty twist. The GermanWiper ransomware overwrites the data with strings of zeroes, rendering it completely unusable (wiped) forever. Nevertheless, it still acts like typical ransomware, falsely promising the victims that their files will be back if they pay a fee.

How Does the GermanWiper Ransomware Spread?

The victims of the GermanWiper ransomware typically receive a German-language email on behalf of a phony job applicant. The spam email pretends to be from a certain Lena Kretschmer, who is looking for a job and is sending the target a job application.

This is what a typical GermanWiper email looks like:

[Image: GermanWiper spam email]

The common subject line of the email is “Ihr Stellenangebot – Bewerbung [Your job offer – Application] – Lena Kretschmer”. If the target opens it, they will notice that the email also contains an attachment named “Unterlagen_Lena_Kretschmer.zip”.

If the victim makes the mistake of opening the zip archive, they will find what look like PDF files (they even appear to carry the .pdf extension). The files are actually Windows shortcut files (LNK) masquerading as PDFs, and once opened they begin running malicious commands on the machine, infecting it.

When the LNK files are opened, they execute a PowerShell command which downloads a malicious HTA file from the xpandingdelegation[.]top site (domain sanitized for your safety). The HTA file then downloads the main ransomware executable. It all takes place in a matter of seconds, so once you open those fake PDF files, there's no turning back.
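The decoy relies on a shortcut file whose name ends in .pdf (Explorer hides the real .lnk suffix even when extensions are shown), so a mail gateway or analyst can catch it by comparing each archive member's name with its leading bytes. The following is an added example, not code from the original post or from Heimdal; the archive it builds and the member names in it are constructed stand-ins for the attachment described above, and the only real constants are the LNK header from the MS-SHLLINK specification and the PDF signature.

```python
import io
import zipfile
from typing import List, Tuple

# Windows Shell Link (.lnk) files open with HeaderSize 0x0000004C followed by
# the fixed LinkCLSID {00021401-0000-0000-C000-000000000046} (MS-SHLLINK),
# serialised little-endian as below. A real PDF opens with "%PDF-".
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")
PDF_MAGIC = b"%PDF-"


def classify_member(name: str, head: bytes) -> str:
    """Compare what a file name claims with what its first bytes say."""
    lower = name.lower()
    if head.startswith(LNK_MAGIC):
        # Explorer never displays the .lnk suffix, so "x.pdf.lnk" shows as "x.pdf".
        return "LNK-masquerading-as-PDF" if ".pdf" in lower else "LNK"
    if lower.endswith(".pdf") and not head.startswith(PDF_MAGIC):
        return "PDF-extension-but-not-PDF"
    return "ok"


def scan_zip(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, verdict) for every suspicious member of an archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(32)  # read magic bytes only; never execute anything
            verdict = classify_member(info.filename, head)
            if verdict != "ok":
                findings.append((info.filename, verdict))
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for the attachment: two LNK decoys and one real PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Lebenslauf_Lena_Kretschmer.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("Anschreiben_Lena_Kretschmer.pdf", PDF_MAGIC + b"1.4\n%constructed\n")
        zf.writestr("Zeugnis.pdf", LNK_MAGIC + b"\x00" * 56)  # suffix dropped entirely
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_archive()):
        print(f"{verdict:28} {name}")
```

Checking the header rather than the name also catches the variant where the attacker drops the .lnk suffix altogether, as the third member shows.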

What Happens Once Infected with the GermanWiper Ransomware

Ransomware usually comes in two types: file lockers and computer (or device) lockers. The first, and more common, type locks your important data with a secret encryption key. The second type renders your device as a whole unusable until the ransom is paid.

GermanWiper presents itself as a file locker, which would make it less severe than the strains that block any use of your device. But unlike the file lockers the world has seen so far, GermanWiper doesn't lock anything. It only claims to have locked (encrypted) your files.

What it actually does is overwrite them with zeroes, as in the screenshot below:

[Image: a file wiped by GermanWiper. Image source: BleepingComputer.]

If you were so inclined to pay the required ransom, there’s no doubt it would be for nothing. We haven’t heard from people who fell for the scam so far, but since the files are actually rewritten with zeros, it’s clear that there is nothing to recover.
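Whether a "ransomed" file is zero-filled or genuinely encrypted decides the whole response: zero-filled means there is no key to buy, and the only recovery path is backups. The triage routine below is an added example, not part of the original post; it samples the head, middle and tail of a file, so a partial overwrite is not missed, and classifies by zero-fill and Shannon entropy. The sample blobs are constructed, not files from the campaign.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, List

REGION = 2048        # bytes sampled at the start, middle and end of a file
HIGH_ENTROPY = 7.5   # bits per byte; random-looking data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sample_regions(data: bytes, size: int = REGION) -> List[bytes]:
    """Head, middle and tail slices, so a partial overwrite is not missed."""
    if len(data) <= size:
        return [data]
    offsets = (0, (len(data) - size) // 2, len(data) - size)
    return [data[o:o + size] for o in offsets]


def triage(data: bytes) -> Dict[str, object]:
    """Classify a suspected ransomed file from three sampled regions."""
    if not data:
        return {"verdict": "empty", "regions": []}
    regions = sample_regions(data)
    zero = [r.count(0) == len(r) for r in regions]
    ent = [round(shannon_entropy(r), 2) for r in regions]
    if all(zero):
        verdict = "wiped-zero-filled"       # nothing to decrypt, nothing to recover
    elif any(zero):
        verdict = "partially-wiped"
    elif min(ent) >= HIGH_ENTROPY:
        verdict = "likely-encrypted"        # compressed media also scores high: confirm against the original type
    else:
        verdict = "plaintext-or-structured"
    return {"verdict": verdict, "regions": ent}


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 counter stream)."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


# Constructed samples (not files from the campaign)
WIPED = b"\x00" * 8192
ENCRYPTED = pseudo_random(8192)
PLAINTEXT = b"Bewerbung als Sachbearbeiterin - Lebenslauf\n" * 200
PARTIAL = b"\x00" * 4096 + PLAINTEXT[:4096]

if __name__ == "__main__":
    for label, blob in [("wiped", WIPED), ("encrypted", ENCRYPTED),
                        ("plaintext", PLAINTEXT), ("partial", PARTIAL)]:
        print(label, triage(blob))
```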

If you are in this situation and find yourself infected with GermanWiper, there’s nothing to do. Just count your losses and have a better protection system in place next time. Company-wide cybersecurity awareness training is also a must.

What to Do If Infected with Ransomware

Even though there are plenty of free ransomware decryption tools which can help victims of ransomware, in many cases there is nothing to do but pay the attackers.

I personally wouldn’t recommend it because this keeps feeding the malware economy. Unless the data you lost is a matter of life-and-death, if you can’t decrypt it just let it go. Don’t repay the attackers for their unethical work.

Still, I won’t judge if you do decide to pay the ransom in order to get your data back. Unfortunately, as mentioned above, payment is not an option with the GermanWiper ransomware. This malicious creation will just delete your data from the start, so even if you send the ransom money, you can’t get it back. It’s just falling for a scam.

Of course, the best way to not get infected with ransomware (and other malware in general) is prevention. Adopt a proactive stance to your online security and you’ll be safe instead of sorry.

Against new strains of ransomware such as this one, antivirus is not enough. You also need a DNS traffic filtering layer on top, which is able to detect even unknown malware. Our flagship product, Thor Foresight Home, is an award-winning product built exactly for this type of challenge. If you'd like to try it out, here's one month on the house.

The easy way to protect yourself against malware
Here's 1 month of Thor Foresight Home, on the house!
Use it to:
  • Block malicious websites and servers from infecting your PC
  • Auto-update your software and close security gaps
  • Keep your financial and other confidential details safe

EASY AND RELIABLE. WORKS WITH ANY ANTIVIRUS.

Try Thor Foresight

Be vigilant and don’t open attachments in emails, no matter how legit they seem. If you’re located in Germany and receive a work proposal email, be extra-extra cautious. It may be GermanWiper looking for its next victim.

The post SECURITY ALERT: GermanWiper Ransomware Erases Your Data Even If You Pay appeared first on Heimdal Security Blog.

SECURITY ALERT: Android Ransomware FileCoder Strain Emerges

A new strain of ransomware has emerged on Android mobile devices. It targets devices running Android 5.1 and higher. Security researchers have dubbed this Android ransomware strain FileCoder (Android/Filecoder.c), and it spreads via text messages containing a malicious link.

How Does the Android Ransomware FileCoder Spread?

The SMS messages spreading FileCoder contain an invitation to download and install a sex simulator game app. Here is an example of what such an SMS can look like.

Usually, the message is clickbait-y and is meant to entice the recipient into installing the app, if only out of curiosity. Part of the bait is the promise that the app will use the victim's own photos to create sex simulation imagery.

[Image: malicious SMS advertising the sex simulator app. Message screenshot via WeLiveSecurity]

Furthermore, security researchers have detected 42 languages in which the malicious text messages were sent. The reach and potential user pool of the infected app were thus pretty big.

If the recipient has doubts about the harmlessness of the app, they may then research it online. Unfortunately, some websites and forums (including Reddit) were advertising the app (the posts were malicious themselves). If this helped relax the user into trusting the invitation, they would then install the app and proceed to use it as advertised.

It seems that the promised sex simulator game will indeed work, so as not to alert the user. Still, after a short time, the Android ransomware will send out these messages to the user's entire list of phone contacts.

After sending out the malicious SMS messages, FileCoder will encrypt the user’s local files (photos, notes, login data, messages and so on), displaying a typical ransomware message.

[Image: FileCoder ransom note screenshot]

In the ransom note screen, the FileCoder creators threaten that the data will be permanently gone after 72 hours. However, security researchers have uncovered that the ransomware strain does not have the ability to delete the files.

Still, it will ask for a certain amount of money to be paid in Bitcoin before the user gets the decryption key. The Bitcoin amount demanded is equivalent to between $94 and $188.

Security researchers confirm that the FileCoder Android ransomware strain is not extremely dangerous. First of all, it doesn’t actually delete the locked data if the ransom is not paid within 72 hours.

Second of all, the value used for encrypting the key is hardcoded into the malware code, so with a bit of tech-savviness, the victims could decrypt the files themselves, without waiting for the key.

Thirdly, unlike other strains of Android ransomware, the FileCoder infection doesn’t lock the screen of the phone. If your phone gets infected, you can still use it normally, it’s just the previously saved files that get locked.

The only thing which was coded into the malware in a more complex way was the Bitcoin address for payments. That one is dynamic, allowing the attackers to change it at any time and still get their money. This was probably a precaution, in case researchers or the police would get closer to uncovering the hackers’ identities.

Still, for most users, FileCoder poses a significant threat. If you receive a message inviting you to try a sex simulator app, don’t click it. Even if it comes from a friend you trust.

How to Stay Safe from FileCoder and Similar Threats

#1. Say no to steamy online proposals

First of all, learn to spot malicious proposals from the get-go. Sextortion is such a common tactic for scammers and hackers, that any invitation containing the promise of sexual images and content should raise the alarm.

Very few legitimate adult apps or websites are aggressive enough to invite you to use them directly. Most will simply rely on the fact that those who are interested will seek them out.

#2. Be Mindful of Messages from Friends: Not All Are Legit

Second of all, notice how devious the FileCoder strategy is: by sending you messages which seemingly come from friends, the attackers make the message seem more trustworthy than if it came from a random spam address, especially since the messages were crafted in so many different languages.

Lots of other malware infections have a similar strategy, of sending malicious links to your list of online friends in order to infect them too. Stay on guard and don’t assume that all your messages from friends and contacts were really sent by them.

Tell-tale signs that a message from a friend might actually be malicious:

  • Besides sharing an invite to a link, the message doesn’t say much
  • The wording doesn’t necessarily sound like something your friend would use (just common words such as ‘cool’, ‘check this out’ etc.)
  • The link is shortened or doesn’t lead to any legitimate domain you already know (like YouTube or Facebook)
  • The message contains an attachment

These signs are just as suspicious whether it’s about a text message on your phone or an email and so on.

If you’re not sure whether a message is legit or not, just reach out to that friend and ask. You might alert them that their device is infected. Also, bear in mind that the same etiquette from real life should apply as netiquette, too: don’t open links from people you don’t really know.

#3. Keep Your Device Secure with a Mobile Security Product

With a good security suite for mobile devices, it’s much harder to become the victim of ransomware or any type of malware. Even if you do click on malicious links or make any other security mistakes, an intelligent cybersecurity product should still neutralize the threat.

Just like in the case of PCs and laptops, antivirus is not enough, even if it's next-gen. You also need a threat prevention solution, like our Thor Foresight Home (which can be installed on up to three devices, including Android mobile devices), or the stand-alone product, Thor Mobile Security.

If your Android phone and other devices aren’t already protected by some other solution, here’s a month on the house for Thor Foresight Home.


#4. Stay Up to Speed with the Latest Threats

We at Heimdal Security, and the cybersecurity community more broadly, have stressed time and time again how important education is. Cybersecurity training and a bit of self-learning are the best strategies for staying safe in the long run.

No cybersecurity software is infallible if the user behaves recklessly or doesn’t practice the most basic online security hygiene. For example (an oversimplified example), you can have the best-protected computer in the world, but a hacker will still be able to get into it if your password is ‘password123’.

By reading about the latest threats and how they work, you will soon discover that you’ve built a solid knowledge base. Armed with it, you should be able to tell if something is fishy as soon as you encounter a new threat.

Of course, I can wholeheartedly recommend our own educational resources to start with, but don’t stop there. Stay in the loop regardless of where you get your info and you’ll become less and less vulnerable to scams and malware.


SECURITY ALERT: VLC Flaw Allows Remote Code Execution on Machine

VideoLAN's VLC media player, one of the most popular and moddable open-source video players, may be prone to backdoor attacks. A company release note stated that the flaw, coined CVE-2019-13615, allowed malicious remote code execution on the machine. This, in turn, would grant cybercriminals rights to download, install, write, and rename software without authorization. VLC set out to address the issue but disclosed that the patch is about 60% complete.

Deconstructing VLC’s CVE-2019-13615

Initially flagged by CERT-Bund on July 19, the VLC flaw, known by its technical name of CVE-2019-13615, received a 9.8 vulnerability score. This translates to a critical, zero-day flaw. However, upon closer inspection, VLC's debug team traced the flaw to a defective library managed by a third party.

The library in question, called libebml, was found to contain a vulnerability which potentially allowed malicious actors to run code in the background. CERT-Bund's analysis revealed that the backdoor agent would have allowed anyone to write/read memory, inject code, deactivate AV software, and steal data without the user being aware of the intrusion.

VLC later disputed CERT-Bund's appraisal, saying that the issue isn't that critical. Interestingly enough, the library found to be responsible for the flaw received a fix approximately a year ago. After VLC's reassessment, the bug was downgraded from 9.8 to 5.5, which translates to “medium” on the vulnerability scale.

MITRE’s description of the VLC flaw reads:

VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp.

To exploit this defect, the malicious agent would have to craft a malformed .mp4 file. Upon decoding, the file would have injected code into the system, leading to denial of access or complete data loss.

How to deal with the VLC Flaw


Unfortunately, VLC is still far behind on delivering a fix for the CVE-2019-13615 issue. Per the company’s statement, the patch is about 60 percent complete, but no development timeline has been posted so far. In the meantime, VLC advises its customers to use as many security layers as possible and to uninstall the product until the patch is released.

Now, if you really want to shore up your cybersecurity, you could also try these tips:

1. Don’t download and open videos from untrusted sources

VLC is, without a doubt, one of the most ‘abused’ open-source players. There's a perfectly good reason why so many choose VLC over BSPlayer or other video decoders: it's light, runs on almost every platform, and can play any video format. However, VLC is also much appreciated by people who pirate content instead of paying for it. My advice to you: stick with original content and stream whenever you can. By downloading and playing a .mp4 or .mkv from an untrusted source like Pirate Bay, you risk triggering the VLC flaw.

2. Patch any outdated software

Over 80% of malware infiltrations occur due to outdated or unpatched software. Of course, you can always try to manually patch every bit of software you have on your device. However, that will take a very long time, since you would have to actually seek out the outdated apps and compare versions. Yes, that will be a nuisance, but there's actually a quicker way to do it: AV solutions like Thor Free feature an automatic software patching engine that scans your PC and updates all your favorite apps.

3. Seek an alternative video player

Another way to ensure that malware doesn’t seep into your machine due to the VLC flaw is to delete the software altogether and to use a different player. There are tons of open-source video players like VLC on the web – KM Player, GOM Player, DivX, RealPlayer, XBMC Media Player, just to name a few. If you plan on uninstalling VLC, don’t forget to use a tool like CCleaner to get rid of any residue hiding in the registry.

4. Use a Mac instead of Windows or Android

I know that it sounds a little off, but according to VLC, the bug's confined to Windows, Linux, and Android. So, if you want to watch your favorite videos without having to worry about malware, use a Mac. You don't need to make the switch for good; just until the infection's contained.

Wrap-up

What we know so far is that the very same third-party library which VLC ‘fixed’ 16 months ago appears to be backfiring. VLC promised a patch, but it's still pretty far behind on actually delivering it. The only true fix offered so far is to uninstall VLC and to wipe the system's registry clean to deal with any residue.


Security Alert: Malvertising campaign using SundownEK drops SEON ransomware

The advertising systems of several popular websites have been compromised by an injection of a malicious script that redirects random visitors to a SundownEK gateway.

Then, non-updated systems are prone to ransomware infections.

The injection redirects the traffic via the following chain (sanitized by CSIS):

fastimage[.]site –> adsfast[.]site –> accomplishedsettings.cdn-cloud[.]club

The latter acts as the SundownEK payload delivery point, and it is by no means the only subdomain of cdn-cloud[.]club used for this kind of activity (sanitized by CSIS):


The domain (sanitized by CSIS) mtproto[.]world could be activated in case the domain previously mentioned is disabled.
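A redirect chain like the one above leaves a trail of Referer headers in web proxy logs, and walking those headers backwards from the gateway request recovers which site a client was on when the malicious ad fired. The script below is an added example, not code from CSIS or Heimdal; the log format and the log lines are constructed, and the hosts are the sanitized ones quoted above, refanged only for matching.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def refang(host: str) -> str:
    """Turn the page's defanged notation back into a matchable hostname."""
    return host.replace("[.]", ".").lower()


REDIRECTORS = [refang("fastimage[.]site"), refang("adsfast[.]site")]
GATEWAY_SUFFIX = refang(".cdn-cloud[.]club")
FALLBACK_GATEWAY = refang("mtproto[.]world")

# Constructed proxy log (not CSIS data): timestamp client host path referer
SAMPLE_LOG = """\
2019-06-03T09:12:01 10.0.0.5 news.example.com /story/42 -
2019-06-03T09:12:02 10.0.0.5 fastimage.site /banner.js https://news.example.com/story/42
2019-06-03T09:12:02 10.0.0.5 adsfast.site /click https://fastimage.site/banner.js
2019-06-03T09:12:03 10.0.0.5 accomplishedsettings.cdn-cloud.club /index.php https://adsfast.site/click
2019-06-03T09:12:05 10.0.0.7 news.example.com /story/42 -
2019-06-03T09:12:06 10.0.0.7 static.example.net /site.js https://news.example.com/story/42
"""

Event = Tuple[str, str, str, str]  # (timestamp, client, host, referer host)


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guess at them
        ts, client, host, _path, ref = parts
        ref_host = (urlsplit(ref).hostname or "") if ref != "-" else ""
        events.append((ts, client, host.lower(), ref_host.lower()))
    return events


def is_gateway(host: str) -> bool:
    return host.endswith(GATEWAY_SUFFIX) or host == FALLBACK_GATEWAY


def rebuild_chain(events: List[Event], idx: int) -> List[str]:
    """Walk Referer headers backwards from events[idx] to the page that started it."""
    _ts, client, host, ref = events[idx]
    chain = [host]
    while ref and len(chain) < 10:  # bound the walk; referers can loop
        chain.append(ref)
        prev = next((e for e in reversed(events[:idx]) if e[1] == client and e[2] == ref), None)
        if prev is None:
            break
        ref = prev[3]
    return list(reversed(chain))


def find_sundown_chains(text: str) -> Dict[str, List[str]]:
    """Map each client that reached an EK gateway to its reconstructed redirect chain."""
    events = parse_log(text)
    hits: Dict[str, List[str]] = {}
    for i, (_ts, client, host, _ref) in enumerate(events):
        if is_gateway(host):
            hits[client] = rebuild_chain(events, i)
    return hits


def matches_published_chain(chain: List[str]) -> bool:
    """True when the known redirectors appear in order and the chain ends at a gateway."""
    pos = [chain.index(h) for h in REDIRECTORS if h in chain]
    return len(pos) == len(REDIRECTORS) and pos == sorted(pos) and is_gateway(chain[-1])


if __name__ == "__main__":
    for client, chain in find_sundown_chains(SAMPLE_LOG).items():
        print(client, " -> ".join(chain), "(known chain)" if matches_published_chain(chain) else "")
```

The first host in a recovered chain is the compromised publisher, which is what the site owner needs in order to pull the injected script.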

SundownEK will try to exploit vulnerabilities in Adobe Flash Player and Internet Explorer.

If the machine has not been properly updated, a binary payload will be delivered. This will run SEON ransomware, specifically version 0.2 of this malicious strain.

Not only that, but a slightly modified version of the Pony data stealer will also be dropped.

This SEON variant adds the file extension .FIXT to all data files, both locally and on all available network drives.

Criminals request that the victims contact them via several email addresses listed in the SEON ransomware message.

All folders that have had data encrypted by SEON ransomware contain a text file with the following note:

SEON RANSOMWARE ver 0.2

    all your files has been encrypted

    there is only way to get your files back: contact with us, get decryptor software and pay

    We accept Bitcoin and other cryptocurrencies

    You can decrypt 1 file for free

    Our contact emails:

    [removed by CSIS]-

Heimdal blocks the related domains, so all Thor Home and Thor Enterprise users are safe.

The security guide you need to follow so you don’t risk losing your data

There is no guarantee that a key for the SEON Ransomware will be provided by this group in exchange for money.

And even if the malicious group actually provided a key that decrypts your files, you should not be paying them. By offering them money, you are encouraging this type of criminal online behavior.

As per our knowledge, currently, there is no free decryption tool available for SEON.

So, here are the steps you need to follow to stay protected against the SEON ransomware (and other ransomware strains in general):

#1. Make sure you always apply updates to your system, software, and apps.

In this specific case, check if you are running the latest version of Adobe Flash Player and IE. Or use a solution that closes security holes in your software through automatic patching, like Thor Free.

#2. Always back up your files.

If you have a copy of your files stored somewhere, either on an external hard drive or in the Cloud, the ransomware attack wouldn’t mean that much to you. Well, of course, you would have to start out with a fresh PC installation, but at least you still have access to your backed-up important documents.

This guide will show you how to back up your files.

#3. Have a good security solution running on your PC.

Use a proactive, anti-malware solution that detects threats before they happen. Malware is specially developed to bypass your traditional antivirus, but if you add additional security layers, you can rest assured you are safe.

For example, Thor Foresight Home always protects you against ransomware attacks, because it filters your Internet traffic and blocks ransomware distribution sources. Also, it automatically updates your apps, so you don’t have to worry about it. And it works great alongside any other antivirus software.


#4. DO NOT pay the ransom.

I’ve said this before and I’ll say it again: whatever you do, just don’t pay the ransom!

*This article features cyber intelligence provided by CSIS Security Group researchers. 

