An update was released today that adds SHA-2 code signing support to Windows 7 SP1 and Windows Server 2008 R2 SP1. If this update is not installed, these Windows operating systems will no longer be able to receive Windows updates starting on July 16th, 2019. Currently, all Windows updates are dual signed with both SHA-1 and SHA-2 code signing certificates. As there are flaws in the SHA-1 algorithm that make it less secure, Microsoft has stated that starting on July 16th, 2019, Windows updates will only be signed using the SHA-2 algorithm going forward. As both Windows 7 SP1 and Windows Server 2008, R2 SP1 does not support SHA-2 code-signing certificates, Microsoft has stated that they were going to release an update that would introduce this feature into the operating systems. As part of the March 2019 Patch Tuesday updates, Microsoft released updates KB4490628 and KB4474419 to add SHA-2 support to both Windows 7 SP1 and Windows Server 2008 R2 SP1. These updates will be installed automatically and should not be prevented as doing so will cause Windows Update to no longer work in the future. For users who decide to not install this update, Microsoft will redeliver them again as security updates on April 9, 2019. Learn more by visiting OUR FORUM.

In addition to encrypting a victim's files, the STOP ransomware family has also started to install the Azorult password-stealing Trojan on victim's computer to steal account credentials, cryptocurrency wallets, desktop files, and more. The Azorult Trojan is a computer infection that will attempt to steal usernames and passwords stored in browsers, files on a victim's desktop, cryptocurrency wallets, Steam credentials, browser history, Skype message history, and more. This information is then uploaded to a remote server that is under the control of the attacker. When we first covered the DJVU variant of the STOP Ransomware being distributed by fake software cracks in January, we noted that when the malware was executed it would download various components that are used to perform different tasks on a victim's computer. These tasks include showing a fake Windows Update screen, disabling Windows Defender, and blocking access to security sites by adding entries to Windows's HOSTS file. When ransomware researcher Michael Gillespie tested some recent variants he noticed that an Any.Run install indicated that one of the files downloaded by the ransomware created traffic that was from an Azorul infection. Gillespie further told BleepingComputer that four different samples all showed network traffic associated with Azorult. The Promorad Ransomware variant samples we tested also download a file named 5.exe and executed it. When executed, the program will create network traffic that is identical to known command & control server communications for the Azorult information-stealing Trojan.  Learn more by visiting OUR FORUM.