#Recover PEM File
manmishra · 4 months ago
How to download the PEM file from aws ec2
Learn how to download and secure a PEM file from AWS EC2. Step-by-step guide, best practices, and troubleshooting to prevent lost key issues.
If you are working with AWS EC2 instances, you need a PEM file (Privacy Enhanced Mail) to connect securely via SSH. However, once an EC2 instance is launched, you cannot download the PEM file again from AWS. This guide will show you how to download and secure your PEM file correctly. Table of Contents Introduction to PEM Files Importance of PEM Files in AWS EC2 How to Download a PEM File from…
0 notes
rotationalsymmetry · 4 years ago
Living with CFS/ME overview (your mileage may vary):
Doctors: can’t live with ‘em, can’t live without ‘em. Do your own research if you can, if you can tell something is bad for you don’t do it, and if your doctor doesn’t believe anything is wrong with you get a new one (if at all possible.) Don’t expect perfect understanding, do deal with your feelings outside of appointments and not during them, do have clear requests as much as possible. Do expect competence: not dismissiveness, not ignoring what you say, not failing to do relevant lab tests. Write stuff down, before and after. If possible, have someone else come with you to appointments (especially if you have serious brain fog issues and/or are the sort of person doctors tend to not take seriously.) With emails, some doctors will only answer one question per email, so if you have five questions that means writing five separate emails. Don’t be afraid to be pushy, as long as you’re pushing for something the doctor can actually give you.
Getting stuff done. You can’t. At least, not as much. Do you need help with: housework, shopping, childcare, filing for benefits? Personal hygiene? Figure out how to get what you can and learn to live without what you can’t. Delegate as much as possible. Whatever weird feels you have about accepting help, figure out how to set them aside and accept help anyways.
Other people: in my experience most people will take your lead. If you tell them you’re not sure what’s going on or aren’t sure what to do about it, you will get more suggestions and advice than you know what to do with. If you want sympathy, you might get that (or you might get unwanted advice — sometimes saying explicitly what you want helps.) If you talk about your illness like a totally routine thing that you’ve totally got, the advice and general “oh shit I want to help but don’t know how” goes away. In my experience.
On that note: it’s OK and a good idea to tell people explicitly what you want from them. “If we’re going on vacation together I need a place to stay with no stairs.” “What would really help is if someone could run groceries once a week for me or pay for delivery.” “I could really use help from someone who knows how to read scientific articles.” “I could really use some patience and understanding about sometimes having to cancel plans at the last minute.” “I need a therapist who’s worked with people with chronic illness before.” Whatever.
Fuck exercise. Or rather: stretchy gentle exercise can be fine/good, strength exercises that you can do without raising your heart rate might be fine; anything that raises your heart rate is much higher risk. Walking is appropriate exercise for people with CFS, just be careful to not overdo it. (I am not joking.) Personally, I do a lot of yoga, but I’m not exactly doing sun salutations. It’s yin yoga and restorative yoga and a small amount of strength exercises. And...pranayama. Exercise for people with CFS/ME doesn’t look the same way as it does for people without it. That thing where it’s good for healthy people to take the stairs and this and that? Not for you. Be lazy. Do things the lowest energy way possible.
PEM and pacing: it’s all about the activity intolerance. Sometimes you run out of steam right away, sometimes it happens two days later. If your body says “stop” it means it; if it gives you a green light it might be lying. If you’re getting some days that feel almost normal and some days when sitting upright is a Herculean task, chances are if you do a lot less and try to do approximately the same amount of stuff each day, you’ll figure out what your sustainable “energy envelope” is. Or how many spoons you have, if you prefer that metaphor. And, most likely, you’ll end up with way fewer “can’t sit up” days.
Breaking things up means you can do more with less consequence. Eg: wash dishes until the first hint of feeling tired, take a break and sit or lie down for five minutes, then keep going. Pushing past the point you feel tired is risky.
In particular, in some situations you may be excited or stressed enough to not notice when you’re tired, so sometimes it makes sense to plan breaks rather than relying on the self awareness approach. When I play games with my partner, for instance, we set a timer for half an hour.
Adaptive equipment and behaviors: I use a folding stool in my everyday life and a wheelchair (provided by the airport) if I have to travel by plane. At one point I figured out how to wash dishes in a plastic basin sitting down (although, paper plates are an option too.) My partner and I leave a couple cooking pots on the stove and the things I use most often on the counter, since digging up a pot from the floor level cabinet that’s full of pots is much more tiring than the pot already being where I want it. In general, stuff above shoulder level or below waist level is significantly harder to get to. If showering standing is tiring, get a shower chair. Some grocery stores have motor scooters that can be used by disabled customers (that means you.) Grabbers can help with things like when a sock falls on the floor and you don’t want to have to bend to pick it up. If your walking is very limited, but you have someone who can push you around, a rolling walker with a seat may be more affordable than a wheelchair.
How to get your doctor to prescribe you a wheelchair so that your insurance will cover it: your doctor is worried you’ll lose mobility due to walking less, so if you actually want a wheelchair so that you can get outside and do more stuff for longer, focus on that. Ditto for a scooter. I’ve found writing a comprehensive list of what I can’t do or can only do with great difficulty, and handing the list to my doctor, is significantly more effective for getting taken seriously than mentioning one or two limitations and expecting the doctor to be able to extrapolate. Make it easy for them to do what you want them to. (Sorry if this sounds manipulative. My experience is that if you come in assuming your doctor will just give you what you need as long as you’re up front and trust them, you’re going to be sadly disappointed. I was not like this before I got CFS and spent months practically begging doctors to take me seriously.)
Taking naps or non-sleeping lying-down rests during the day might help. Yoga nidra, progressive muscular relaxation, or some sort of guided visualization can help with relaxation. You can also just lie there and let your mind wander, but if your mind tends to wander to sad or worrying sorts of places then you should give it something to do. One note of caution: if you’re near your limit you might feel more tired after a rest, that doesn’t mean the rest was bad for you but it does mean you gave the tired a chance to catch up with you. I do think the benefit comes as much from doing it regularly over time as from any one rest by itself though. (I can’t do anything on time, so for me “regularly” means “to within about two hours, most of the time.”)
On that note: your feelings matter. Stress and extreme emotions can take as much out of you as grocery shopping or a two hour zoom call. So...therapy if possible, self help books, doing things that help you feel calm and put things in perspective. You might need new coping strategies if your old ones take too much energy.
Some people with CFS have more energy/activity tolerance/spoons in the morning and less late in the day, others like me are the opposite. I couldn’t find my pattern when my energy levels were swinging wildly from day to day, but eventually when I got things more leveled off I figured it out. If this is the case for you, planning hard stuff for your best time of day and light stuff for your worst times is a good idea. For instance, I shower in the evenings rather than the mornings.
Once you’ve gotten your symptoms to more or less level off, if you get to that point, you can try very, very gradually expanding your activity levels. When I say gradually, I mean gradually, and be ready to go back to less activity any time things get worse again.
Thing is: if you don’t use all your energy, it does seem to sort of build up a “reserve” so you can bounce back from expected or unexpected stressors (illness, travel, etc.) But when your reserve runs out, it takes much longer to recover. So, there’s something to be said for not going at 100%.
In particular, don’t try to go back to 100% too quickly after one of those stressors, like a cold or (sigh, speaking from experience) a cross-country move, even if you feel like you can. Where 100% means using all of your spoons/energy envelope, not functioning at 100% of what a healthy person can do.
Plan ahead of time how you’re going to handle special occasions like holidays, a visiting friend or relative, or travel. “If the movie theater is too loud I will have to leave” etc. When I got married, I planned when and where I was going to take rests, and planned absolutely nothing for the days after. (Interestingly: I did better afterwards than I thought I would, even though I got major brain fog during the reception. Apparently the stress before the wedding was messing me up more than all the activity and socializing at the wedding itself.) We went on our honeymoon a full month later — even a relatively restful trip is still more tiring for me than staying home.
Get advice from multiple sources. This list is aimed at, well, basically myself and anyone with similar symptoms. I’m not addressing pain because that’s not one of my symptoms, but if it’s one of yours you should absolutely get advice from people who experience pain. Likewise, I’m not housebound so I’ve got limited advice there. I don’t have kids, so I don’t have much in the way of parenting advice, and I’m not working so I don’t have “how to handle a job when you have CFS” advice. Oh, and I’m in the United States, what you can expect the government, schools, businesses etc to do for you can vary considerably by country.
A lot of this comes from this website and is backed up by my own experience. They have lots of easy-to-read articles and success stories, and email-based “classes” (think structured support group, not like a college class) on living with CFS/ME or fibromyalgia. They don’t get money from promoting supplements or whatever, which is a thing I look for as a sign of integrity. (Not that supplements can’t help, but if someone is getting money from saying they do, it’s harder to trust that they’re being fully honest.) There are also groups on FB and I’m sure other places that are well suited for asking questions and getting advice. There are books, both on the disease itself and possible treatments (mostly highly speculative and/or alternative) like Living Well with Chronic Fatigue Syndrome and Fibromyalgia, and on the “how do I live like this?” side of things, like How To Be Sick. Point is: you don’t have to go it alone.
Postscript: recovery. The odds that you will get somewhat better are pretty good. The odds that you will make a full recovery, given the current knowledge about CFS/ME, are low. I know that doesn’t feel good if you’re newly diagnosed (side note: you don’t need an official diagnosis to start assuming that you’ve probably got CFS and looking for resources, I didn’t; official diagnosis can take a while.) I know when you’re new to this, all you want is to return to normal. (And you might; some people do.) Here’s the thing though: even if you don’t get back to normal, it’s not always going to feel this bad. What feels bad isn’t mostly the state you’re in, it’s mostly change: improvement feels good, getting worse feels bad. If you level off or get a bit better (super likely) and start comparing your current state to your low point, rather than to before you got sick, you’ll start to feel better again. It’s the adjustment period that’s rough, more than the illness itself.
It’s grief, it’s loss: grieving the life you had and the future you hoped for, and the way people respond to that is similar in many ways to how people respond to losing a loved one. Therapy might help, religious guidance if applicable to you might help (if not, perhaps consider this a good time for a deep dive into philosophy, or some form of creative self-expression like drawing or writing poetry); whatever you do, be aware that this is a huge thing to have to come face to face with, and it’s normal to struggle with it. (And: it’s not always going to feel this bad.)
It’s possible to have CFS/ME, and have a good life. It’s possible to have CFS/ME and have many sources of joy and delight and excitement and satisfaction and connection. It’s possible to have CFS/ME and have a deep sense of purpose and meaning, even if your old sources of purpose and meaning are no longer available. It’s possible to live well.
3 notes · View notes
cloud2help-blog · 6 years ago
Recover EC2 Instance lost PEM key file
In this article, we are going to see how to recover access to an EC2 instance when you have lost its PEM key file.
How to Recover EC2 Instance lost PEM key file
1) Create an image (AMI) of the EC2 instance.
2) Launch a new EC2 instance from the AMI (from step 1) with a new key pair.
3) Log in to the new EC2 instance with the new key.
Step 1: Create an image of the EC2 instance by following the steps below:
Right Click on…
0 notes
terabitweb · 6 years ago
Original Post from Security Affairs Author: Pierluigi Paganini
A new ransomware has appeared in the threat landscape and has begun to threaten the digital world, this time under a nice but scary name: LooCipher.
Introduction
A new ransomware has begun to threaten the digital world, this time under a nice but scary name: LooCipher. The name is at once an allusion to its capabilities (thanks to the term “Cipher”) and to the popular religious figure, Lucifer. Despite its evocative nickname, the functionality of this malware is straightforward and not very different from that of many other ransomware families, but digging into its internals we also found elements suggesting its operators could be able to run large-scale campaigns.
Technical Analysis
Unlike most ransomware, LooCipher uses a macro-weaponized document as the dropper of the real threat. We identified two different document files used to deploy the ransomware, named “Info_BSV_2019.docm” and “Info_Project_BSV_2019.docm”. Both files are very poor in design and contain a single line of text inviting the user to enable macro execution.
Figure 1. Document content
Exploring the content in depth, we retrieved its minimal macro payload: its only purpose is to download the ransomware from the drop URL “hxxp://hcwyo5rfapkytajg.onion[.]pet/2hq68vxr3f.exe” and launch it.
The author did not bother to obfuscate the malicious code in any sophisticated way; even comment strings such as “//binary” and “//overwrite” are still visible.
Figure 2. Macro code
Once run, it starts encrypting all of the victim’s files, except for the system and program folders “Program Files”, “Program Files (x86)” and “Windows”. This exclusion avoids corrupting the files needed to boot the operating system, so the user can still log in to the PC and see the ransom request.
Figure 3. Ransomware excluded folders
After a long file enumeration phase, the ransomware encrypts all files ending with the following extensions:
.jpg, .jpeg, .xml, .xsl, .wps, .cmf, .vbs, .accdb, .cdr, .svg, .conf, .config, .wb2, .msg, .azw, .azw1, .azw3, .azw4, .lit, .apnx, .mobi, .p12, .p7b, .p7c, .pfx, .pem, .cer, .key, .der, .mdb, .htm, .html, .class, .java, .asp, .aspx, .cgi, .php, .py, .jsp, .bak, .dat, .pst, .eml, .xps, .sqllite, .sql, .jar, .wpd, .crt, .csv, .prf, .cnf, .indd, .number, .pages, .x3f, .srw, .pef, .raf, .rf, .nrw, .nef, .mrw, .mef, .kdc, .dcr, .crw, .eip, .fff, .iiq, .k25, .crwl, .bay, .sr2, .ari, .srf, .arw, .cr2, .raw, .rwl, .rw2, .r3d, .3fr, .eps, .pdd, .dng, .dxf, .dwg, .psd, .png, .jpe, .bmp, .gif, .tiff, .gfx, .jge, .tga, .jfif, .emf, .3dm, .3ds, .max, .obj, .a2c, .dds, .pspimage, .yuv, .3g2, .3gp, .asf, .asx, .mpg, .mpeg, .avi, .mov, .flv, .wma, .wmv, .ogg, .swf, .ptx, .ape, .aif, .av, .ram, .m3u, .movie, .mp1, .mp2, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpv2, .rpf, .vlc, .m4a, .aac, .aa3, .amr, .mkv, .dvd, .mts, .vob, .3ga, .m4v, .srt, .aepx, .camproj, .dash, .zip, .rar, .gzip, .mdk, .mdf, .iso, .bin, .cue, .dbf, .erf, .dmg, .toast, .vcd, .ccd, .disc, .nrg, .nri, .cdi, .ai, .doc, .docm, .docx, .dxg, .odb, .odm, .odp, .ods, .odt, .orf, .ppt, .pptm, .pptx, .rtf, .xlk, .xls, .xlsb, .xlsm, .xlsx, .pdf, .mobi, .epub, .sage
During the encryption phase, for each file to be encrypted the malware creates an encrypted copy of the file but does not delete the original; instead it empties the original, truncating it to 0 bytes.
Figure 4. Example of ciphered file with empty original file
It is not clear whether this behaviour stems from buggy code or is a peculiarity of this malware that the author introduced intentionally.
Figure 5. Actions during encryption phase
When the encryption phase ends, it creates a FAQ folder on the victim’s desktop containing the instructions for proceeding with the ransom payment, written in a “friendly” Q&A form.
Figure 6. File containing the payment instructions
As stated in the payment instruction file, the victim has only five days to pay. After this period, the key will be automatically destroyed, leaving no way to recover the user’s content. The same information is also displayed in the image set as the desktop background and in the interactive pop-up window.
Figure 7. Background image and pop-up window reporting info about the payment
As soon as the encryption phase ends, the malicious process contacts its C2, sending information about the infected machine and retrieving the BTC address to display in the pop-up window.
Figure 8. Example of HTTP request to retrieve the BTC address
The C2 is hosted on the Tor network, at the address “hxxp://hcwyo5rfapkytajg[.]onion”, so the malware uses services that act as proxies between the darknet and the clearnet to reach it easily, avoiding the need to install Tor libraries on the victim machine. The abused services are:
https://onion.pet
https://darknet.to/
https://onion.sh/
http://tor2web.xyz/
The request sent by the malware includes information like the User-ID assigned to the victim machine during the encryption phase “u=rEui7jhIJk6SaRTyhL08N7h1Sft” and its public IP address “i=xxx.xxx.xxx.xxx”. The C2 server replies specifying the BTC Address the user will pay the requested amount to, for instance “BTC_ADDR: 16HDCwCuy2R5b7YFCmsidXzHQrvHmT7VHGG”.
We noticed that every time the ransomware contacts the “k.php” resource on its C2, the server generates a new BTC address. Probably the backend embeds a BTC wallet factory able to register a new wallet on the blockchain for each infection. This makes the BTC transactions stealthier: it avoids a large number of payments to the same wallet and makes reconstruction of the cash flow harder. The following table lists some of the BTC addresses generated by the C2:
1LhT45NdcrRBeFfxp67gcKteKp7K5BR374
1QGq13GGdDtfUiBKLS4Re8fdYlVkK8Zbe
1M1ZS5QfZ3Z3ufFagJ455QDqkMvHJhNkwT
15XWd5ixtznsinWFZ9YEk8HUCaMqcm4SiZ
1AUfa421Huj5Hmh5JDFmg36X8VmJPHy7LS
17BvolK1P1kFQq7BPB4iNocisdqE6sEKkv
1UwSDTuTkbPxQt7zglQVsigQunpxhL9Qk
13YNF7U7VTt9DGw7QNWpTEGCrYEmV2qjcx
1MPKAcpe8pnZubBQgUuw3k8wfkTB6sFYAT
16HDCwCuy2RSb7YFCwwdXzHQrvilmT7VHGG
…
Table. Example of Generated BTC Addresses
However, if the victim machine is offline, the ransomware cannot download the BTC address to display in the window. For this reason, the malware also embeds a fallback list of addresses to use when it fails to reach the C2.
Figure 9. Other BTC addresses embedded in ransomware binary
1Ps5Vd9dKWuy9FuMDkec9qquCyTLjc2Bxe
19YmdTjw7ZWHEDac8wWzCNdZT8oXsDedtV
1CrdZvvtzrZTJ78k92XuPizhhgtDxQ8c4B
1JHEqi4QsTWz4gB9qZTACP7JggJzAmf6eA
1Azfk7fWwCRynRk8p7qupLqqaADsjwFm4N
Table. Hardcoded BTC Addresses on sample
An interesting peculiarity of this ransomware is its ability to work both as encryptor and as decryptor. The last answer in the instruction file, in fact, states that the decryptor is embedded in the ransomware binary in order to make the decryption process as simple as possible.
After the payment, the victim can click the “Check Payment” button in the pop-up window, and if the transaction has been confirmed, the “DECRYPT” button is enabled. Moreover, if the user accidentally closes the pop-up window needed to trigger the decryption, they can download a new copy of the ransomware and use it as the decryptor. That copy is hosted on the MEGA repository “hxxps://mega[.]nz/#!KclRVIRY!YrUgGjvldsoTuNZbCOjebAz5La7hbB41nJHk1mlgqZo”.
When the “Check Payment” button is clicked, the process sends a new HTTP request to the “/d.php” resource on its C2 to check whether the payment associated with the specific User-ID has been received.
Figure 10. Example of HTTP request to check if the payment has been executed
In this specific case, the server replies with the value “0”, indicating that the payment has not been approved, so the “DECRYPT” button is not enabled. Moreover, if the contacted server is down, the malware tries to reach its Tor C2 through one of the other above-mentioned proxies, tolerating the failure of a single proxy service.
Figure 11. HTTP-TOR proxy services used by the malware
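The C2 exchange described above (the Tor hidden service reached through clearnet-to-Tor gateways, the `k.php` and `d.php` resources, and the `u=`/`i=` beacon parameters) lends itself to a simple network detection. The following is an added example, not code from the article or from Yoroi: it scans constructed web-proxy log lines (hypothetical, in a simple `client method url` format) and flags requests that match the published indicators, either because the known onion name appears as a gateway subdomain, or because a gateway domain is contacted with the C2 resource names and the victim-ID parameter.

```python
"""Flag LooCipher-style C2 beacons in web-proxy log lines (added example)."""
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the analysis above: the onion hostname reached through
# clearnet-to-Tor gateways, the gateway domains abused, and the two C2 resources.
LOOCIPHER_ONION = "hcwyo5rfapkytajg"
TOR_GATEWAYS = ("onion.pet", "darknet.to", "onion.sh", "tor2web.xyz")
C2_RESOURCES = {"/k.php": "btc-address-request", "/d.php": "payment-check"}

# Constructed sample log lines (hypothetical, not real traffic): "client_ip method url".
SAMPLE_LOG = """\
10.0.0.15 GET http://hcwyo5rfapkytajg.onion.pet/k.php?u=rEui7jhIJk6SaRTyhL08N7h1Sft&i=203.0.113.7
10.0.0.15 GET http://hcwyo5rfapkytajg.onion.sh/d.php?u=rEui7jhIJk6SaRTyhL08N7h1Sft
10.0.0.22 GET https://example.com/index.php?u=1
10.0.0.15 GET http://hcwyo5rfapkytajg.onion.pet/2hq68vxr3f.exe
10.0.0.31 GET https://onion.pet/
"""


def classify(url):
    """Return (reason, victim_id) when the URL matches LooCipher C2 traffic, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".")
    query = parse_qs(parts.query)
    victim = query.get("u", [None])[0]

    # Case 1: the known onion name is tunnelled through a gateway, e.g. <onion>.onion.pet.
    # Any resource on that host is suspicious, including the .exe drop URL.
    if LOOCIPHER_ONION in labels:
        return C2_RESOURCES.get(parts.path, "known-onion-host"), victim

    # Case 2: a gateway domain is used with the C2 resource names and the
    # "u=" victim-ID parameter seen in the beacon, even if the onion name changes.
    on_gateway = any(host == g or host.endswith("." + g) for g in TOR_GATEWAYS)
    if on_gateway and parts.path in C2_RESOURCES and victim is not None:
        return "gateway-" + C2_RESOURCES[parts.path], victim

    return None


def scan_log(text):
    """Return a list of (client_ip, reason, victim_id, url) for every matching line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # malformed line; skip rather than crash the scan
        client, _method, url = fields
        match = classify(url)
        if match is not None:
            hits.append((client, match[0], match[1], url))
    return hits


if __name__ == "__main__":
    for client, reason, victim, url in scan_log(SAMPLE_LOG):
        print(f"{client}\t{reason}\tvictim_id={victim}\t{url}")
```

The second rule is deliberately looser than the first: the onion name is a single campaign indicator, whereas the gateway-plus-`k.php`/`d.php`-plus-`u=` combination survives an operator moving the hidden service. Requests to the bare gateway front pages (the last sample line) are not flagged, since ordinary users reach those sites too.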
Conclusion
Nowadays, ransomware is one of the quickest ways to monetize cyber-criminal activity, and for this reason a wide range of threat actors, including small-scale cyber-criminals, leverage these “tools” to threaten organizations and companies. LooCipher is a new entry in this sector: it is a ransomware family spreading through malicious emails carrying weaponized Office documents, unlike the recent Sodinokibi campaign, which used redirectors to land victims on exploit-kit pages (e.g. RIG EK).
LooCipher encrypts all files on the victim’s computer and abuses clearnet-to-Tor proxy services to connect to its command and control hidden behind onion sites. Cybaze-Yoroi ZLAB advises always keeping a recent, tested, offline backup of all business-critical data.
Technical details, including IoCs and Yara Rules, are available in the analysis published in the Yoroi blog.
https://blog.yoroi.company/research/loocipher-the-new-infernal-ransomware/
Pierluigi Paganini
(SecurityAffairs – loocipher, ransomware)
The post LooCipher: The New Infernal Ransomware appeared first on Security Affairs.
0 notes
Financial records filed last year in the secretive tax haven of Cyprus, where Paul J. Manafort kept bank accounts during his years working in Ukraine and investing with a Russian oligarch, indicate that he had been in debt to pro-Russia interests by as much as $17 million before he joined Donald J. Trump’s presidential campaign in March 2016.
The money appears to have been owed by shell companies connected to Mr. Manafort’s business activities in Ukraine when he worked as a consultant to the pro-Russia Party of Regions. The Cyprus documents obtained by The New York Times include audited financial statements for the companies, which were part of a complex web of more than a dozen entities that transferred millions of dollars among them in the form of loans, payments and fees.
The records, which include details for numerous loans, were certified as accurate by an accounting firm as of December 2015, several months before Mr. Manafort joined the Trump campaign, and were filed with Cyprus government authorities in 2016. The notion of indebtedness on the part of Mr. Manafort also aligns with assertions made in a court complaint filed in Virginia in 2015 by the Russian oligarch, Oleg V. Deripaska, who claimed Mr. Manafort and his partners owed him $19 million related to a failed investment in a Ukrainian cable television business.
After The Times shared some of the documents with representatives of Mr. Manafort, a spokesman, Jason Maloni, did not address whether the debts might have existed at one time. But he maintained that the Cyprus records were “stale and do not purport to reflect any current financial arrangements.”
“Manafort is not indebted to Mr. Deripaska or the Party of Regions, nor was he at the time he began working for the Trump campaign,” Mr. Maloni said. “The broader point, which Mr. Manafort has maintained from the beginning, is that he did not collude with the Russian government to influence the 2016 election.” (Mr. Manafort resigned as campaign manager last August amid questions about his past work in Ukraine.)
Still, the Cyprus documents offer the most detailed view yet into the murky financial world inhabited by Mr. Manafort in the years before he joined the Trump campaign.
Mr. Manafort is one of several former Trump associates known to be the focus of inquiries into Russian meddling in the presidential election. He was among those in attendance at a meeting in June 2016 at which Donald Trump Jr. was told they would receive compromising information on Hillary Clinton from a Russian lawyer connected to the Kremlin.
Mr. Manafort’s Cyprus-related business activities are under scrutiny by investigators looking into his finances during and after his years as a consultant to the Party of Regions in Ukraine. He recently filed a long-overdue report with the Justice Department disclosing his lobbying efforts in Ukraine through early 2014, when his main client, President Viktor F. Yanukovych of Ukraine, was ousted in a popular uprising and fled to Russia.
The Cyprus documents detail transactions that occurred in 2012 and 2013, during the peak of Mr. Manafort’s decade-long tenure as a political consultant and investor in the former Soviet republic, where his past work remains a source of controversy. Last year, his name surfaced in a handwritten ledger showing $12.7 million designated for him by the Party of Regions, and documents recovered from his former office in Kiev suggest some of that money was routed through offshore shell companies and disguised as payment for computer hardware.
The byzantine nature of the transactions reflected in the Cyprus records obscures the reasons that money flowed among the various parties, and it is possible they were characterized as loans for another purpose, like avoiding taxes that would otherwise be owed on income or equity investments.
One of the Manafort-related debts listed in the Cyprus records, totaling $7.8 million, was owed to Oguster Management Limited, a company in the British Virgin Islands connected to Mr. Deripaska. The debtor was a Cyprus company, LOAV Advisers, that the Deripaska court complaint says was set up by Mr. Manafort to make investments with Mr. Deripaska, a billionaire close to President Vladimir V. Putin of Russia. The loan is unsecured, bears 2 percent interest and has “no specified repayment date,” according to a financial statement for LOAV.
The other debt, for $9.9 million, was owed to Lucicle Consultants, a Cyprus company that appears to have ties to a Party of Regions member of Parliament, Ivan Fursin. Lucicle, whose precise ownership is unclear, is linked to Mr. Fursin through another offshore entity, Mistaro Ventures, which is registered in St. Kitts and Nevis and listed on a government financial disclosure form that Mr. Fursin filed in Ukraine. Mistaro transferred millions to Lucicle in February 2012 shortly before Lucicle made the $9.9 million loan to Jesand L.L.C., a Delaware company that Mr. Manafort previously used to buy real estate in New York. The loan to Jesand was unsecured, with a 3.5 percent interest rate, and payable on demand. 
There is no indication from the financial statements that the loans had been repaid as of the time they were filed in December 2015. The statements contain a note saying that as of January 2014, the debts and assets for Lucicle and LOAV had been assigned to “a related party,” which is not identified. The records define related parties as entities that are under common control, suggesting that the assignment did not affect the ultimate debtors and creditors. The statements also said there had been no other changes after the financial reporting period covered by them, which was for the 2013 calendar year.
A spokeswoman for Mr. Deripaska declined to comment. Mr. Deripaska appears to have stopped pursuing his court action against Mr. Manafort and his former investment partners, Rick Gates and Rick Davis, in late 2015. In addition to the $19 million he said he had invested with Mr. Manafort, Mr. Deripaska claimed he paid Mr. Manafort an additional $7.3 million in management fees.
Mr. Manafort has previously said any payments he received for his Ukraine activities were aboveboard and made via wire transfers to an American bank. The Cyprus records suggest that at least some transactions originated with shell companies in tax havens like the Seychelles and the British Virgin Islands, and passed through financial institutions on Cyprus, including Hellenic Bank and Cyprus Popular Bank.
Mr. Manafort’s name does not show up in the Cyprus records. However, hints of his dealings in Ukraine appear throughout.
A 23-page financial statement for a Cyprus shell, Black Sea View Limited, lists transactions that include one with Pericles Capital Partners. Both Black Sea View and Pericles Capital are identified in court papers filed by Mr. Deripaska in the Cayman Islands as part of the corporate structure that Mr. Manafort put together to invest in a Ukrainian telecommunications business, Black Sea Cable. The same statement also reports what are described as $9.2 million in loans received in 2012 from four other entities, including one controlled by two Seychelles companies, Intrahold A.G. and Monohold A.G., which Ukrainian authorities have asserted were involved in the looting of public assets by allies of the Yanukovych government. The Black Sea Cable business was controlled at one point by Monohold and Intrahold.
Similarly, Manafort-connected entities appear in the financial records for Lucicle Consultants, the Cyprus shell that received financing from a company associated with Mr. Fursin, the Party of Regions politician in Ukraine. Mr. Fursin did not respond to a request for comment. Lucicle received money from Black Sea View and PEM Advisers Limited, another firm identified in court papers as controlled by Mr. Manafort. It also made the $9.9 million loan to Jesand L.L.C.
Jesand appears to be a conflation of Jessica and Andrea, the names of Mr. Manafort’s two daughters. In hacked text messages belonging to Andrea Manafort that were posted last year on a website used by Ukrainian hackers, Jesand is mentioned in the context of financial dealings involving the Manaforts. Jesand was used by Mr. Manafort and his daughter Andrea in 2007 to buy a Manhattan condominium for $2.5 million.
The condo was one of several expensive pieces of real estate that Mr. Manafort bought, often with cash, during and after his time in Ukraine. He also invested millions with his son-in-law, Jeffrey Yohai, who set up a business to buy and redevelop luxury properties in the Los Angeles area. The business failed amid accusations of fraud by another former investor, who claimed Mr. Yohai had exploited his connection to Mr. Manafort to raise funds.
Last year, while trying to salvage his investments with Mr. Yohai, Mr. Manafort embarked on a borrowing spree in the United States, obtaining mortgages totaling more than $20 million on properties controlled by him and his wife. The F.B.I. and the New York attorney general’s office are investigating some of Mr. Manafort’s real estate dealings, including the loans he obtained last year.
lbcybersecurity · 8 years ago
Ransomware, fala sério!
Recently, a user contacted me with regard to what looks like a new, Brazilian ransomware. In this blog post, we're taking a quick look at the ransom and how to unlock or decrypt your files.

TL;DR: to unlock your files, you can use the key or password: 123
Para desbloquear seus arquivos, você pode usar a chave ou a senha: 123

The title of this blog loosely translates to: ransomware, no way! (excuse my Portuguese)

The ransomware appears to call itself 'Sem Solução', which translates to 'Hopeless' or 'No Solution'. I propose we call it 'Hopeless ransomware':
Figure 1 - 'Seus arquivos foram criptografados' ('Your files have been encrypted')
Sua ID
Não a formas de recuperar sem comprar a senha, ser tenta eu apago tudo!
O método de pagamento é via Bitcoins. O preço é: 600,00 REAIS = Bitcoins
Não tem Bitcoins?, pesquise no google e aprenda comprar ou clique em Compra Bitcoins
envie os bitcoins para: 1LULpQbdvoAWqKzhe8fuMiPQ8iGdW36pk1
Para receber a senha, voce precisa criar uma e-mail em https://mail.protonmail.com
E enviar SUA ID para [email protected]
em 24h ou mais voce receberá a sua senha!, Obrigado..

Translated:

Your ID
There is no way to recover without buying the password; if you try, I delete everything!
Payment is made in Bitcoins. The price is: 600.00 REAIS = Bitcoins
Don't have Bitcoins? Search Google and learn how to buy them, or click Buy Bitcoins
Send the bitcoins to: 1LULpQbdvoAWqKzhe8fuMiPQ8iGdW36pk1
To receive the password, you need to create an e-mail account at https://mail.protonmail.com
and send YOUR ID to [email protected]
In 24h or more you will receive your password! Thank you..
The price is 600 REAIS (Brazilian Real), which currently amounts to 0.15 BTC. (176 EUR | 155 GBP | 199 USD) Interestingly enough, the ransomware has a built-in function to detect whether or not your machine belongs to a domain, and if so, will increase the amount of ransom to be paid to a whopping 1000 REAIS, or 0.25 BTC. (293 EUR | 259 GBP | 333 USD)
Figure 2 - Func _get_bitcoin_value()
The ransomware author or authors are definitely not kidding: if you enter a wrong password, the ransomware starts deleting files, so do not guess passwords in its unlock dialog.
Figure 3 - 'Error!', 'Senha de descriptografia errada, NA PROXIMA 500 ARQUIVOS SERÃO EXCLUIDOS!' ('Wrong decryption password, NEXT TIME 500 FILES WILL BE DELETED!')
Extensions targeted for encryption. The list covers documents, images, archives and backups, but also virtual machine images used by software such as VMware (vmdk, vhd, vhdx, qcow2, ova, ovf) and certificate and private-key material (der, cer, crt, pem, pfx, p12, p7b, p7c, csr, key):
zip, 7z, rar, pdf, doc, docx, xls, xlsx, pptx, pub, one, vsdx, accdb, asd, xlsb, mdb, snp, wbk, ppt, psd, ai, odt, ods, odp, odm, odc, odb, docm, wps, xlsm, xlk, pptm, pst, dwg, dxf, dxg, wpd, rtf, wb2, mdf, dbf, pdd, eps, indd, cdr, dng, 3fr, arw, srf, sr2, bay, crw, cr2, dcr, kdc, erf, mef, mrw, nef, nrw, orf, raf, raw, rwl, rw2, r3d, ptx, pef, srw, x3f, der, cer, crt, pem, pfx, p12, p7b, p7c, abw, til, aif, arc, as, asc, asf, ashdisc, asm, asp, aspx, asx, aup, avi, bbb, bdb, bibtex, bkf, bmp, bpn, btd, bz2, c, cdi, himmel, cert, cfm, cgi, cpio, cpp, csr, cue, dds, dem, dmg, dsb, eddx, edoc, eml, emlx, EPS, epub, fdf, ffu, flv, gam, gcode, gho, gpx, gz, h, hbk, hdd, hds, hpp, ics, idml, iff, img, ipd, iso, isz, iwa, j2k, jp2, jpf, jpm, jpx, jsp, jspa, jspx, jst, key, keynote, kml, kmz, lic, lwp, lzma, M3U, M4A, m4v, max, mbox, md2, mdbackup, mddata, mdinfo, mds, mid, mov, mp3, mp4, mpa, mpb, mpeg, mpg, mpj, mpp, msg, mso, nba, nbf, nbi, nbu, nbz, nco, nes, note, nrg, nri, afsnit, ogg, ova, ovf, oxps, p2i, p65, p7, pages, pct, PEM, phtm, phtml, php, php3, php4, php5, phps, phpx, phpxx, pl, plist, pmd, pmx, ppdf, pps, ppsm, ppsx, ps, PSD, pspimage, pvm, qcn, qcow, qcow2, qt, ra, rm, rtf, s, sbf, set, skb, slf, sme, smm, spb, sql, srt, ssc, ssi, stg, stl, svg, swf, sxw, syncdb, tager, tc, tex, tga, thm, tif, tiff, toast, torrent, txt, vbk, vcard, vcd, vcf, vdi, vfs4, vhd, vhdx, vmdk, vob, wbverify, wav, webm, wmb, wpb, WPS, xdw, xlr, XLSX, xz, yuv, zipx, jpg, jpeg, png, bmp
Additionally, Steam users aren't spared of getting their files encrypted either:
Figure 4 - Executable files in Steam's games directory will be encrypted
In reality, it appears all files are encrypted, regardless of extension.

The ransomware ultimately calls home, and leverages Pastebin to do so. However, when analysing the ransomware, none of the Pastebin links were online, as they had been removed. The data it sends home is built as follows (AutoIt; $key is the victim's hwid):

$data = "pcname=" & @ComputerName & "&hwid=" & $key & "&version=Locker"

At the time of writing, no payments have been made to the Bitcoin address 1LULpQbdvoAWqKzhe8fuMiPQ8iGdW36pk1.

The ransomware renames encrypted files by inserting '.encrypted' before the original extension. For example, image.png becomes image.encrypted.png.

The ransomware is based on CryptoWire, an open-sourced ransomware written in AutoIt.

Decryption

To unlock your files, you can use the key or password: 123
Para desbloquear seus arquivos, você pode usar a chave ou a senha: 123

Note: as always, prevention is more important than decryption or disinfection! Have a look at the dedicated page I've set up here.

Conclusion

While ransomware is anything but uncommon, ransomware likely stemming from Brazil and specifically targeting Brazilian users and businesses is less common. In fact, the only notable example, as far as I know, is TeamXRat, also known as Xpan ransomware.

Below you may find IOCs.

IOCs from Ransomware, fala sério!
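As an added example (not code from the original post, nor from CryptoWire or the ransomware itself), the two indicators the post gives, the call-home payload format and the '.encrypted' filename scheme, can be turned into small checks: one scans proxy or web log lines for the beacon payload and pulls out the victim hostname and the hwid (the value sent as $key in the AutoIt line above), the other inventories encrypted files and maps them back to their original names without touching them. The log lines are constructed for the example; the post does not show the exact HTTP request made to Pastebin, so only the payload string is matched, not a URL or method.

```python
import re

# Call-home payload as shown in the post (AutoIt):
#   $data = "pcname=" & @ComputerName & "&hwid=" & $key & "&version=Locker"
# Hostname and hwid are assumed to be plain word characters, dots or hyphens.
BEACON_RE = re.compile(r"pcname=(?P<pcname>[\w.-]+)&hwid=(?P<hwid>[\w.-]+)&version=Locker")

# Renaming scheme described in the post: image.png -> image.encrypted.png
ENCRYPTED_NAME_RE = re.compile(r"^(?P<stem>.+)\.encrypted\.(?P<ext>[^.]+)$")

# Constructed sample proxy log lines (not real traffic). The request shape
# against Pastebin is an assumption; only the payload string is relied on.
SAMPLE_PROXY_LOG = [
    "2017-03-01 10:02:11 10.0.0.5 GET http://example.com/ 200",
    '2017-03-01 10:02:13 10.0.0.5 POST https://pastebin.com/api/api_post.php "pcname=WKS-07&hwid=AB12CD34&version=Locker" 200',
    "2017-03-01 10:02:14 10.0.0.9 GET https://pastebin.com/raw/abc123 200",
]


def parse_beacon(text):
    """Return (pcname, hwid) if the Locker call-home payload occurs in text, else None."""
    m = BEACON_RE.search(text)
    if m is None:
        return None
    return m.group("pcname"), m.group("hwid")


def find_beacons(log_lines):
    """Scan log lines for the payload; return [(line_number, pcname, hwid), ...]."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        parsed = parse_beacon(line)
        if parsed is not None:
            hits.append((number, parsed[0], parsed[1]))
    return hits


def original_name(encrypted_name):
    """Map 'image.encrypted.png' back to 'image.png'; None if the name does not match the scheme."""
    m = ENCRYPTED_NAME_RE.match(encrypted_name)
    if m is None:
        return None
    return f"{m.group('stem')}.{m.group('ext')}"


def inventory(filenames):
    """Read-only map of encrypted filename -> original filename.

    Nothing is renamed or decrypted here: decryption with the password the
    post gives is done by the ransomware's own unlock routine, not by this
    script, and the script never touches the files on disk.
    """
    result = {}
    for name in filenames:
        original = original_name(name)
        if original is not None:
            result[name] = original
    return result


if __name__ == "__main__":
    for number, pcname, hwid in find_beacons(SAMPLE_PROXY_LOG):
        print(f"line {number}: beacon from {pcname}, hwid {hwid}")
    for enc, orig in inventory(["image.encrypted.png", "report.encrypted.docx", "notes.txt"]).items():
        print(f"{enc} -> {orig}")
```

Running the script lists the single beacon in the sample log and the two files that follow the naming scheme; 'notes.txt' is ignored. Feeding `find_beacons` real proxy exports gives the set of affected hostnames, and `inventory` over a directory listing gives a recovery checklist to verify against after the unlock routine has run.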