
FluBot malware  poses as Flash Player app


FluBot is banking malware that targets Android phones and attempts to steal banking credentials. It does so by overlaying fake login forms that mimic those of many banks worldwide. It is distributed by smishing (SMS phishing), with lures including fake security updates, fake Adobe Flash Player installers, voicemail memos, and impersonated parcel delivery notices.

Once on the device, FluBot will steal online banking credentials, send or intercept your SMS messages (including one-time passwords), and capture screenshots. The malware will also send new smishing messages to all of the victim's contacts. Note that in many cases, a link to download FluBot will arrive on your device from one of your contacts, possibly a friend or family member. As such, if you receive an unusual SMS that contains a URL and urges you to click it, it is likely a message generated by FluBot. Finally, avoid installing APK files from unusual sources, regularly check that Google Play Protect is enabled on your Android device, and use a mobile security solution from a reputable vendor.

FinalSite ransomware attack shuts down thousands of school websites


FinalSite, a leading school website services provider, has suffered a ransomware attack disrupting access to websites for thousands of schools worldwide, including Australia. FinalSite provides website design, hosting, and content management solutions for K-12 school districts and universities. FinalSite provides solutions for over 8,000 schools and universities across 115 different countries. Schools that hosted their websites with FinalSite found that they were no longer reachable or were displaying errors.

A school IT administrator said that FinalSite did not provide them with a time frame for when services would be restored, and that they were forced to send emails to parents alerting them of the outage: “Our website is currently down due to an issue that our service provider is experiencing. We apologize for any inconvenience this may cause you.”

In addition to the website outages, a system administrator shared on Reddit that the attack prevented schools from sending closure notifications due to weather or COVID-19: “Many districts are complaining that they are unable to use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol.”

Outages caused by a ransomware attack

After three days of disruption, FinalSite confirmed today that a ransomware attack on their network is causing the outages. “We are incredibly sorry for this prolonged outage and fully realize the stress it is causing your organizations. While we have made progress overnight to get all websites up and running, full restoration has taken us longer than anticipated,” FinalSite apologized in a status update today.


Night Sky is the latest ransomware targeting corporate networks

It’s a new year, and with it comes a new ransomware to keep an eye on called ‘Night Sky’ that targets corporate networks and steals data in double-extortion attacks.

One of the victims has received an initial ransom demand of $800,000 to obtain a decryptor and for stolen data not to be published.

When launched, the ransomware will encrypt all files except those ending with the .dll or .exe file extensions. The ransomware will also not encrypt files or folders in the list below:

AppData
Boot
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
Program Files
Program Files (x86)
#recycle

When encrypting files, Night Sky will append the .nightsky extension to encrypted file names, as shown in the image below.

[Image: NightSky encrypted files]

In each folder a ransom note named NightSkyReadMe.hta contains information related to what was stolen, contact emails, and hard coded credentials to the victim’s negotiation page.

[Image: NightSky ransom note]

Instead of using a Tor site to communicate with victims, Night Sky uses email addresses and a clear web website running Rocket.Chat. The credentials are used to log in to the Rocket.Chat URL provided in the ransom note.
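The two on-disk indicators described above (the appended .nightsky extension and the NightSkyReadMe.hta note dropped in each folder) are what an incident responder would sweep a file share for first. The script below is an added example for that triage step; it is not code from the original post or from any vendor. It only models those two indicators, and the directory layout it scans is constructed inline so the script runs offline.

```python
"""Triage sweep for Night Sky ransomware artefacts (added example, not from the original post).

Only the two indicators the article names are modelled: encrypted files carry the
.nightsky extension, and each affected folder holds a ransom note named
NightSkyReadMe.hta. The sample directory tree built by build_sample_tree() is
constructed for this demo and is not real victim data.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".nightsky"      # from the article
RANSOM_NOTE = "NightSkyReadMe.hta"  # from the article


def sweep(root):
    """Walk `root` once and collect Night Sky indicators.

    Returns a dict with:
      encrypted      - files carrying the .nightsky extension
      notes          - NightSkyReadMe.hta ransom notes found
      affected_dirs  - {directory: number of encrypted files in it}
      note_only_dirs - directories holding a note but no encrypted file; worth a
                       closer look, since it can mean the run was interrupted there
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for name in filenames:
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(here / name)
            elif name.lower() == RANSOM_NOTE.lower():
                notes.append(here / name)
    affected = {}
    for p in encrypted:
        affected[p.parent] = affected.get(p.parent, 0) + 1
    note_only = sorted({n.parent for n in notes} - set(affected))
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "affected_dirs": affected,
        "note_only_dirs": note_only,
    }


def original_name(path):
    """Strip the appended extension to recover the pre-encryption file name.

    Useful for building the list of files to restore from backup.
    """
    path = Path(path)
    if path.name.lower().endswith(ENCRYPTED_EXT):
        return path.with_name(path.name[: -len(ENCRYPTED_EXT)])
    return path


def build_sample_tree(base):
    """Create a constructed layout that mimics a share that was only partly hit."""
    base = Path(base)
    files = {
        "finance/q4-report.xlsx" + ENCRYPTED_EXT: b"\x00" * 16,
        "finance/budget.docx" + ENCRYPTED_EXT: b"\x00" * 16,
        "finance/" + RANSOM_NOTE: b"<html>constructed note</html>",
        "hr/" + RANSOM_NOTE: b"<html>constructed note</html>",  # note, nothing encrypted
        "hr/policy.pdf": b"%PDF-1.4 untouched",
        "public/index.html": b"<html>clean</html>",
    }
    for rel, content in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return base


def demo():
    """Run the sweep over the constructed tree and return a plain summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        result = sweep(root)
        return {
            "encrypted_count": len(result["encrypted"]),
            "note_count": len(result["notes"]),
            "affected_dirs": sorted(str(d.relative_to(root)) for d in result["affected_dirs"]),
            "note_only_dirs": sorted(str(d.relative_to(root)) for d in result["note_only_dirs"]),
            "recovered_names": sorted(original_name(p).name for p in result["encrypted"]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `sweep()` at a mounted share rather than the constructed tree to use it for real; the `note_only_dirs` bucket is the one to review by hand, because a folder with a note but no renamed files does not match the per-folder pattern the article describes.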

Double-extortion tactic

A common tactic used by ransomware operations is to steal unencrypted data from victims before encrypting devices on the network.

The threat actors then use this stolen data in a “double-extortion” strategy, where they threaten to leak the data if a ransom is not paid.

To leak victim’s data, Night Sky has created a Tor data leak site that currently includes two victims, one from Bangladesh and another from Japan.