{"id":84574,"date":"2017-07-25T11:58:38","date_gmt":"2017-07-25T06:28:38","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=84574"},"modified":"2017-07-25T12:12:47","modified_gmt":"2017-07-25T06:42:47","slug":"malware-alert-beware-btcware-aleta-ransomware","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/malware-alert-beware-btcware-aleta-ransomware\/","title":{"rendered":"Malware alert! Beware of the BTCWare Aleta Ransomware"},"content":{"rendered":"

Quick Heal Security Labs has observed the entry of a new BTCWare ransomware (first observed at the beginning of 2017) variant called \u2018Aleta\u2019. This ransomware is called so because it appends a \u201c.aleta\u201d <\/strong>extension to files it encrypts in an infected computer. Although BTCWare ransomware variants do not seem to use any special techniques or exploits like WannaCry or NotPetya ransomware did, it uses RDP Brute-Force attacks to gain access to the infected system.<\/p>\n

Read more on how RDP is exploited by attackers to spread ransomware and other malware<\/a>.<\/p>\n

BTCWare Aleta ransomware uses the AES256 encryption scheme. An interesting IOC (indicator of compromise) observed with the ransomware is the email ID associated with requesting the decryption key – black.mirror@qq.com. This email has been previously reported to have been associated with different variants of Amnesia & BTCWare ransomware. Spam emails with malicious attachments containing malicious script, doc, and executable files are used by this ransomware as its carrier.<\/p>\n

\"Ransom
Ransom note<\/figcaption><\/figure>\n

Quick Heal Protection against BTCWare (Aleta) Ransomware<\/strong><\/p>\n

\"btcware-aleta-ransomware1\"
Fig 1. Quick Heal IDS\/IPS Protection<\/figcaption><\/figure>\n

 <\/p>\n

\"Fig
Fig 2. Quick Heal Signature Detection<\/figcaption><\/figure>\n

 <\/p>\n

\"Fig
Fig 3. Quick Heal Virus Protection (Script File)<\/figcaption><\/figure>\n

 <\/p>\n

\"Fig
Fig 4. Quick Heal Advanced Behavior Detection System<\/figcaption><\/figure>\n

Stay away from ransomware with these security tips<\/strong><\/p>\n

    \n
  1. Back up your files on a regular basis. A ransomware goes after your files when it infects your computer. If you have a backup of all your important files, there is no reason why you should give in to the ransomware\u2019s demands. Remember to disconnect the Internet while you are backing up on an external hard drive. Unplug the drive before you go online again. Several free and paid Cloud backup services available on the market that can take data backup periodically.<\/li>\n
  2. Provide Read\/Write privileges to network shares only when required. Try not to keep open shares as they are likely to fall prey to encryption if there is a ransomware infection.<\/li>\n
  3. Use strong login credentials for both the user and administrator. Weak credentials can be easily brute forced to gain system access.<\/li>\n
  4. Use an antivirus softwar<\/a>e that gives multilayered protection against infected emails, malicious websites, and stop infections that can spread through USB drives. Keep the software up-to-date.<\/li>\n
  5. Apply recommended security updates for your computer\u2019s Operating System and all other programs such as Adobe, Java, Internet Browsers, etc.<\/li>\n
  6. Do not click on links or download attachments that arrive in emails from unwanted or unexpected sources. Even if such emails seem to be from a known source, it is better to call up the sender and verify them first.<\/li>\n<\/ol>\n

     <\/p>\n

    Acknowledgement<\/strong><\/p>\n

    Subject Matter Expert<\/p>\n

    – Shantanu Vichare | Quick Heal Security Labs<\/p>\n

     <\/p>\n","protected":false},"excerpt":{"rendered":"

    Quick Heal Security Labs has observed the entry of a new BTCWare ransomware (first observed at the beginning of 2017) variant called \u2018Aleta\u2019. This ransomware is called so because it appends a \u201c.aleta\u201d extension to files it encrypts in an infected computer. Although BTCWare ransomware variants do not seem to use any special techniques or […]<\/p>\n","protected":false},"author":29,"featured_media":84585,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[910,5],"tags":[1479,50],"class_list":["post-84574","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ransomware","category-security","tag-btcware-aleta-ransomware","tag-ransomware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84574"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=84574"}],"version-history":[{"count":5,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84574\/revisions"}],"predecessor-version":[{"id":84587,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84574\/revisions\/84587"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/84585"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=84574"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=84574"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=84574"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}