Operation Potao Express: Analysis of a cyber-espionage toolkit

Attackers spying on high-value targets in Ukraine, Russia and Belarus, and their TrueCrypt-encrypted data

We presented our initial findings based on research into the Win32/Potao malware family in June, in our CCCC 2015 presentation in Copenhagen. Today, we are releasing the full whitepaper on the Potao malware with additional findings, the cyberespionage campaigns where it was employed, and its connection to a backdoor in the form of a modified version of the TrueCrypt encryption software.

Like BlackEnergy, the malware used by the so-called Sandworm APT group (also known as Quedagh), Potao is an example of targeted espionage malware directed mostly at targets in Ukraine and a number of other post-Soviet countries, including Russia, Georgia and Belarus.


Attack Timeline

The attacks conducted using the Win32/Potao malware family span the past 5 years, the first detections dating back to 2011. The attackers are, however, still very active, with the most recent infiltration attempts detected by ESET in July 2015.

The timeline below lists a selection of Potao attack campaigns and other related events.


Among the victims identified, the most notable high-value targets include Ukrainian government and military entities and one of the major Ukrainian news agencies. The malware was also used to spy on members of MMM, a Ponzi scheme popular in Russia and Ukraine.

Malware Techniques

When the criminals shifted their focus from attacking targets in Russia to others in Ukraine, they began sending personalized SMS messages to their potential victims to lure them to landing pages hosting the malware, disguised as postal tracking sites.

We haven’t noticed Win32/Potao employing any exploits and the malware isn’t particularly technically advanced. (Shouldn’t call it an APT then, right?) Yet it does contain a few other interesting techniques that ‘get the job done’, like the mechanism for spreading via USB drives and disguising executables as Word and Excel documents, as in the following examples:

Figure 3 – Potao droppers with MS Word icons and file names used in attacks against high-value Ukrainian targets to capture the interest of recipients

Trojanized TrueCrypt

An (A)PT malware family that has gone relatively unnoticed for five years and that has also been used to spy on Ukrainian governmental and military targets is certainly interesting in and of itself. However, perhaps the most attention-grabbing discovery related to this case was when we observed a connection to the popular open-source encryption software, TrueCrypt.

We found out that the website truecryptrussia.ru has been serving modified versions of the encryption software that included a backdoor to selected targets. Clean versions of the application are served to normal visitors to the website, i.e. people who aren’t of interest to the attackers. ESET detects the trojanized TrueCrypt as Win32/FakeTC. TrueCrypt Russia’s domain was also used as a C&C server for the malware.


The connection to Win32/Potao, which is a different malware family from Win32/FakeTC, is that FakeTC has been used to deliver Potao to victims’ systems in a number of cases.

FakeTC is not, however, merely an infection vector for Potao (and possibly other malware) but a fully functional and dangerous backdoor designed to exfiltrate files from the espionage victims’ encrypted drives.


In addition to the selective targeting (deciding to whom to serve the trojanized version instead of the clean one), the backdoor code also contained triggers that would only activate the malicious data-stealing functionality for active, long-term TrueCrypt users. These were surely contributing factors to the malware’s going unnoticed for such a long time.

Further details on both Win32/Potao and Win32/FakeTC, including a technical analysis of the malware, description of plugins, infection vectors, C&C communication protocol and other spreading campaigns not mentioned in this blog post are included in our comprehensive whitepaper.

Indicators of Compromise (IOC) that can be used to identify an infection can be found in the whitepaper or on github: https://github.com/eset/malware-ioc/tree/master/potao

Must-know security tips for non-technical fathers

Few people’s idea of relaxing Father’s Day involves getting to grips with IT security. However, with scammers typically targeting the holidays to catch out consumers, there’s never been a better time to scrub up on the basics and keep safe online. At least before the day itself, anyway.

Ahead of this coming Father’s Day, then, familiarize yourself with these top security tips and enjoy your technology with an all-new peace of mind.

Protect your PC

One of the very first things you should do when considering computer security is making sure that your own computer is running the latest operating system and software, and that it is also loaded with some Security Solution.

Doing all this will, from the word go, minimise the opportunities for outside hackers who might look to use an underlying software vulnerability to get onto your system in order to steal data or money.

Updating your operating system and software is imperative, as updates commonly include security bug fixes to stop such hackers getting in.

Improve passwords

You should take some time to review and update your passwords if necessary, or use a password manager if that process gets too fiddly. If you’ve done that, or feel you’re ready to get more techy, you may also want to add two-factor-authentication (2FA), which is essentially an additional security layer that reduces the chance of an impersonator accessing your online accounts.

You can update passwords easily enough, although password managers can remember them as you go along, remind you when logging in, and can even help you create new – and safe – ones.

Two-factor authentication gives you an extra level of security when logging in

Back up files

Backing up your machine protects you from the unexpected, including the unfortunate (like your hard-drive packing up) and the malicious (ransomware authors demanding money for encrypted files).

It’s worth backing up to another hard-disk drive (HDD) if you have one or to use one of the various cloud services available.

You should ideally back up files frequently and make sure these files can be easily retrieved if needed.

Trust in the digital world

When browsing online, checking emails and using social media accounts, you need to think of trust in the same way as you would in the ‘analogue’ world. For example, you probably wouldn’t let a stranger into your house uninvited so you should apply the same line of thinking when on the Internet.

You should ignore unsolicited emails, be wary of email attachments, links or forms, and ask yourself who you trust when looking at links shared on Twitter and Facebook. You also need to be wary of free downloads from freeware or shareware sites.

If you’ve got any concerns about the website or company you are being directed to, look them up online separately. If you’ve received a suspicious email from someone you know, call or text them to check.

Use tools and accessories to stay private online

You may feel safe when browsing online, but like walking down the street, you might still become a target for somebody. Some search engines can pick up your browsing habits and sell them onto marketing companies.

If you’re concerned about being tracked online, you need to prioritise online privacy and there are a number of easy ways that you can do this.

Even cheaper than a cover for your webcam, you can use a band aid or a small piece of black tape.

For starters, there are physical devices to stop tracking or ‘shoulder surfing’ in a physical environment. You can buy webcam covers, screen filters and laptop and PC locks to reduce the chance of peeping toms and device thefts.

When online, you may also want to consider downloading a Virtual Private Network (VPN) solution to hide online activities, or use plug-ins like Ghostery and DoNotTrack for tracking-free browsing, as well as the DuckDuckGo search engine.

There are also some excellent PGP encrypted email clients and privacy-friendly smartphone apps if you want to ensure that your call, message or email is only seen by your intended recipient.

by Karl Thomas, ESET

What is Cyber Insurance?

You may have heard the term “Cyber Insurance” in exceptionally glowing terms, describing it as the next big thing that no sensible business should be without. Or you may also have heard it described as something that is greatly hyped but which is not quite as awesome as all that. As with most things, the truth is somewhere in between these two extremes: It’s something that may be a great tool to help transfer risk in the event of a cybersecurity breach, but only if you apply it with adequate forethought.

Why would you want it?

As the situation was so eloquently described in last year’s Ponemon report on the rising cost of breaches, “Throughout the world, companies are finding that data breaches have become as common as a cold but far more expensive to treat.” How expensive is that? On average, this year it cost companies $3.8 million; 23 percent more than what it cost two years ago. Per record, this cost is about $217, though this cost varies by industry: Healthcare records cost companies $398 each. This is due in part to heavy regulation in the US around patient privacy and security, and because of a high level of customer turnover as a result of breaches.

One would hope that people would see these numbers and simply be motivated to apply the necessary tools to secure their businesses. But reality is seldom as uncomplicated as that. Many businesses are lacking in the understanding, skill or financial wherewithal to tackle this task adequately. If your business is in just such a situation – while it will not help if you have not yet begun the process of protecting your business – if you are improving your security situation, insurance may be a good way to help bridge the gap.

What types are there?

Before you go about looking for cyber insurance, it’s a good idea to become conversant with the two main types of coverage. The first type covers “first party” risks, which is to say loss of or damage to your own data. The second type covers “third party” risks, which involve liability to clients or government and regulatory entities.

In a typical breach scenario, first party coverage could help with the costs of breach notification, forensics, remediation or data restoration, and identity monitoring services for victims. Third party coverage could help with the costs of regulatory fines and fees, or lawsuits and claims brought by affected customers. Most businesses would likely benefit from both types of coverage. Businesses in heavily regulated industries such as Education and Healthcare will need to be sure to get adequate third-party coverage.

What not to do?

When choosing any type of insurance, the most important things to be aware of are Limitations and Exclusions. These are the “gotcha” items that could invalidate your entire plan. You will want to ascertain whether your plan includes the following:

  • Retroactive coverage
    If you discover a months-old breach the day after your coverage begins it’s likely that your policy will not pay out for your present situation. Some plans may allow you to backdate coverage to improve the likelihood of being covered in such situations.
  • Unencrypted data
    Even if your main databases are encrypted, if an employee or contractor loses sensitive data that is not encrypted (such as in a spreadsheet or document file), this may not be covered.
  • Negligence
    Cyber insurance is not a license to practice poor security – there will be an expectation that you will adhere to reasonable data and network security standards. We’re seeing more and more insurers refusing to pay out or even initially insure businesses that they deem to have insufficient defenses. It is important to determine what your insurer considers reasonable standards.
  • Data given to a 3rd party
    Many policies do not include data that are in the care of outside parties such as outsourced support groups, cloud services, external vendors or marketing and PR groups. It is important, in these instances, for those parties to carry their own liability insurance.
  • Cloud and mobile data, and records on paper
    This may seem obvious to some, but records that are physical hardcopies on paper are not typically covered by cyber insurance. What may be less obvious is that data on mobile devices (including laptops, as well as smartphones or tablets) or in the cloud also may not be covered.
  • 1st party notification
    While it may seem like a given that first party coverage would include notifying the customers affected by a breach, it may not be covered. This is something you should double-check before committing to a plan.
  • Credit monitoring services
    As major breaches become a quotidian occurrence, certain aspects of an appropriate response have become standard. In the event of a breach involving payment card or social security numbers, customers will expect to receive credit-monitoring services. Because of the long-lasting effects of medical data theft, customers may expect monitoring services for longer timespans: Anthem, Premera and CareFirst all offered monitoring for two years after their recent breaches. Because this can be such a large expense, this is an important item to check.
  • Data restoration
    If a breach involves data damage rather than (or in addition to) theft, you may wish to pursue restoration services. Depending on the nature and extent of the damage, this can get very costly very quickly, so some policies may not include it. If you do wish to forgo this item, be diligent with regular backups.

Regardless of the size of your business or which industry you’re in, it is best to begin your search with a thorough risk assessment to determine how much coverage you really need. Be sure to include all the groups within your organization to make sure as many risks as possible are included.

It is important to remember that you cannot insure against loss of business due to damaged reputation in the aftermath of a breach. And those costs can be significant; according to this year’s Ponemon report, a breach can cost businesses up to an average 4% of customers, in some industries. It is better to avoid being breached in the first place rather than relying on insurance to cover damages.

by Lysa Myers, ESET

How did the Internet change the everyday work of a security researcher?

Every May 17th is World Telecommunication and Information Society Day, which attempts to raise global awareness on how the Internet and new technologies changed our society, and the opportunities they gave to improve our lifestyle. This special date, also known as Internet Day in some Spanish-speaking countries, is an opportunity for us at ESET to celebrate its existence by remembering what it was like to work in security before the Internet appeared.

What do you think it was like to do the everyday work of a security researcher in the 1980’s? What has changed in terms of protection against threats? And, how has the procedure to find and investigate security issues changed?

This and other queries were answered by two of ESET’s respected security researchers, with decades of experience and a lot of stories to tell: Aryeh Goretsky and David Harley.

ESET’s Distinguished Researcher Aryeh Goretsky has been around technology and computers ever since he used a Commodore PET for the first time in the late 1970’s. Having worked now for some two-and-a-half decades in this industry, he has an interesting point of view when it comes to the rise of the Internet:

“I suppose the Internet has been something of a mixed blessing for me. While it has enabled all sorts of means of communication that simply were not possible before (think instant messaging) as well as allowing existing lines of communication to occur at faster rates, it has also allowed malicious code to spread orders of magnitude more quickly than it previously could: before that, network connections often meant computers calling each other with modems over telephone lines, or overnighting a set of floppy diskettes or CDs by courier, since that was faster than the network communications we had.

In the beginning, we used to say that computer viruses spread at the speed at which courier and postal services could ship and deliver infected floppies. Nowadays, a worm or other malware can become globally pandemic in an hour or two.”

In the early days of malware, floppy disks were the main means of distribution.

Meanwhile, ESET Senior Research Fellow David Harley started his career in information technology in the 1980’s and, ever since, he says the industry puts up with him because, well, he’s been around so long – having written a number of Internet FAQs and articles on programming and security back when those were issues that most people didn’t think of as being important to them.

“In the 1980s, when I moved into information technology as a career, the Internet had already existed for a couple of decades – in fact, some of its underlying technologies, notably the telephone system, are far older. Nonetheless, it was a very different environment. There was no World Wide Web as such, though there were protocols and utilities subsequently assimilated into and/or replaced by web browser technology (archie, gopher, veronica).

Access to the handful of machines that were permanently connected to the Internet was usually filtered for home users through services like AOL. Until I left the UK’s National Health Service in 1989, my online communications with the outside world were mostly restricted to services that sidestepped the ‘proper’ Internet – bulletin boards and the UK’s Prestel videotex/Viewdata system (rather like the teletext systems that have been gradually vanishing from television in recent years).

Moving to the Imperial Cancer Research Fund (now merged into Cancer Research UK) gave me direct access to more hardware – one of the (then) new 80386-driven PCs, a Mac IIcx, and a Sun workstation – but even when we got our own permanent connection to the Internet, it was limited to terminal access to a server in the NOC (Network Ops Centre) via telnet, kermit, and FTP. Still, it gave me access to useful resources such as mailing lists, security newsgroups, and vendor web sites.

And when I first began to work from home – using a US Robotics modem borrowed from work that cost more than my own PC and occupied almost as much space as a trio of 12” baguettes – I was able to add those resources to my home access to CIX and Compuserve (which both already gave me email, and access to various useful forums). Indeed, it’s through all these resources that I first met (virtually at any rate) many of the people I work with now (inside and outside ESET), and work I did on Internet FAQs provided a basis for some of my early articles, papers and books.”

Dial up modems were once our main way of accessing the internet.

So how did the Internet change our lives and what new possibilities emerged? Aryeh Goretsky says:

“The Internet changed not just how people did existing things on their computers, like writing letters or drawing pictures, but gave rise to new services as well. Electronic banking existed well before—it was available on some dial-up services like CompuServe, Prodigy and QuantumLink, to name a few—but it was not until ISPs came onto the scene that banking followed, eager to give their customers new conveniences and services.

PayPal emerged as the de-facto standard for person-to-person financial transactions, and even criminals had their own payment systems, like e-gold and Liberty Reserve. With all of this money moving around the web, it wasn’t long before criminals looked for ways to steal it, and today, most financial crimes use computers instead of guns to accomplish their thefts.”


While according to David Harley:

“By 2001, Windows and Mac machines were able to make good use of the Internet and the Web in and out of the office. Indeed, working from home (which I’ve done full-time since 2006) tends to give the computer user more control and wider scope in terms of the services and applications used, at any rate if s/he uses his or her own device and is not reliant on an employer for Internet access.

The flipside is that users were more able to put themselves in harm’s way when the IT unit wasn’t responsible for their connection: by that time there was a lot more to worry about than infected floppy disks, with threats of all sorts capable of traversing the ether almost instantaneously, and keeping up with security news and having good network protection was more important than ever. Of course that hasn’t changed with the onset of BYOD/CYOD.”


And what does this mean for a security researcher? Aryeh Goretsky says there’s a challenge:

“It means that things move much faster, and as a result, we have to respond more quickly. Fortunately, the same Internet which empowers all the positive things allows us to communicate more efficiently as well, sharing threat intelligence and data.

And that means we can do things like leverage the power of the advances in networking, software and hardware that allow the Internet to run at scale not just to distribute things like updates more quickly than before, but reduce false positives, compatibility issues and other types of problems that plagued the old reactive kinds of anti-virus software that were reactive.”

The always-on internet connections mean that it's easier than ever to keep software updated.

That being said, David Harley concludes:

“The Internet gives me access to my colleagues at ESET, specialist mailing lists that share threat intelligence (and much else), the media, and a multitude of resources that simply didn’t exist or were impossible to find in the early 90s. Of course it’s easier to publish timely commentary (or papers, manuals, FAQs and so forth) with standard blogging and CMS tools than it was with lynx on a Unix server, and researching the topics for that content is far easier.

However, those advantages also have a flipside. The interactive nature of today’s web means that there is more information (and misinformation) out there than any one person can ever hope to gather and verify, unless it concerns an unusually esoteric topic.

It’s easier for someone who already has expertise in a particular field to select and evaluate information from that field, of course, but what is the everyday user supposed to do when anyone with a laptop – or even a cell phone – can find somewhere to say what they like?”

by Sabrina Pagnotta, ESET

CPL Malware in Brazil: somewhere between banking trojans and malicious emails

When we analyze the most prevalent threats in Latin America, we see the same malware families across the region. In Brazil, however, there is a different situation. Not only is Brazil one of the most populated countries in the world, but it is also one of the countries with the highest percentage of Internet users using online banking. That is why Brazil is the country where banking trojans are the number one threat.

Throughout 2013 and 2014, we received and analyzed a considerable amount of CPL malware in our Latin American Research Lab, 90% of which came from Brazil. Of those malicious files, 82% are some variant of the Win32/TrojanDownloader.Banload family; their main goal is to download and install banking trojans in infected systems.

Why do cybercriminals in Brazil use CPL files more and more? What advantages do they provide? The results of this investigation and the answers to several of these questions are in our white paper “CPL malware in Brazil: somewhere between banking trojans and malicious emails”.

First we discuss what CPL files are, how they work and how cybercriminals use them. We show the different methods used to propagate these threats and provide examples of emails, institutions and names of the files used to deceive users by means of Social Engineering techniques.

Then, we analyze the different routines that are executed in these files when a system is infected, as well as the purpose behind the attack, detailing some tricks used to complicate analysis, hide information and frustrate execution in virtualized environments.

Finally, we discuss the scope, statistics and impact of this attack, detailing how, over time, the use of CPL files by cybercriminals in Brazil has ceased to be a new or an isolated event, and has become a trend in itself.

This paper will help you understand the use of CPL files as a threat to users in Brazil, and the different techniques cybercriminals utilize to propagate them. Learn not only how CPL malware works, but also how to protect yourself from these attacks.

Read the white paper: CPL Malware in Brazil.

by Matías Porolli, ESET

Unboxing Linux Malware: Spam from your servers

Today, ESET researchers reveal a family of Linux malware that stayed under the radar for more than 5 years. We have named this family Linux/Mumblehard. A white paper about this threat is available for download on WeLiveSecurity.

There are two components in the Mumblehard malware family: a backdoor and a spamming daemon. They are both written in Perl and feature the same custom packer written in assembly language. The use of assembly language to produce ELF binaries so as to obfuscate the Perl source code shows a level of sophistication higher than average.

Monitoring of the botnet suggests that the main purpose of Mumblehard seems to be to send spam messages by sheltering behind the reputation of the legitimate IP addresses of the infected machines.

The relationship between the components and their command and control servers is illustrated in the following diagram:


ESET Researchers were able to monitor the Mumblehard backdoor component by registering a domain name used as one of the C&C servers. More than 8,500 unique IP addresses hit the sinkhole with Mumblehard behavior while we were observing the requests coming in. The following chart shows the number of unique IP addresses seen each day over that period.


We can see from the chart that during the first week of April, more than 3,000 machines were affected by Mumblehard. The number of infected hosts is slowly decreasing, but the overall view shows that infection happens at specific times and that the botnet size has doubled over a 6-month period.

A quick look at the list of victims suggests that Mumblehard mostly targets web servers.

Links with Yellsoft

Our analysis and research also show a strong link between Mumblehard and Yellsoft. Yellsoft sells software, written in Perl, designed to send bulk e-mails. This program is called DirectMailer. The first link between them is that the IP addresses used as C&C servers for both the backdoor and spamming components are located in the same range as the web server hosting yellsoft.net. The second link is that we have found pirated copies of DirectMailer online that actually silently install the Mumblehard backdoor when run. The pirated copies were also obfuscated by the same packer used by Mumblehard’s malicious components.


Victims should look for unsolicited cronjob entries for all the users on their servers. This is the mechanism used by the Mumblehard backdoor to activate the backdoor every 15 minutes. The backdoor is usually installed in /tmp or /var/tmp. Mounting the tmp directory with the noexec option prevents the backdoor from starting in the first place.
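The two checks described above, as an added example (not ESET's code and not taken from the white paper): one function lists cron entries whose command references /tmp or /var/tmp, the other reports whether a mount point carries noexec. The sample crontabs, account names and file names are constructed, and the crontab locations in the usage comment are assumptions that vary by distribution.

```shell
#!/bin/sh
# Added example: review cron entries that reference /tmp or /var/tmp and
# check whether those directories are mounted noexec.

# Print "file:line: entry" for each cron entry whose command references a
# path under /tmp or /var/tmp. Entries scheduled every 15 minutes get a
# [15min] tag. Legitimate cleanup jobs can match too; output is for review.
find_tmp_cron_entries() {
    awk '
        BEGIN { pat = "(^|[^A-Za-z0-9_./-])/(var/)?tmp/" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }   # VAR=value settings
        {
            cmd = $0
            # Strip the schedule: one @keyword or five time fields.
            n = ($1 ~ /^@/) ? 1 : 5
            for (i = 0; i < n; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", cmd)
            tag = ($1 == "*/15" || $1 == "0,15,30,45") ? " [15min]" : ""
            if (cmd ~ pat) printf "%s:%d:%s %s\n", FILENAME, FNR, tag, $0
        }
    ' "$@"
}

# Exit 0 if mount point $1 is listed in the mounts table $2 (default
# /proc/mounts) with the noexec option. A directory that is not its own
# mount point is reported as not noexec.
is_noexec() {
    awk -v mp="$1" '
        $2 == mp { found = 1; ok = 0; n = split($4, opt, ",")
                   for (i = 1; i <= n; i++) if (opt[i] == "noexec") ok = 1 }
        END { exit ((found && ok) ? 0 : 1) }
    ' "${2:-/proc/mounts}"
}

# Constructed sample data (not from a real host): two per-user crontabs
# and a mounts table, written into directory $1.
write_samples() {
    mkdir -p "$1"
    cat > "$1/www-data" <<'EOF'
# constructed crontab for a web-server account
MAILTO=""
*/15 * * * * /var/tmp/example-job >/dev/null 2>&1
0 3 * * * /usr/local/bin/rotate-logs
EOF
    cat > "$1/alice" <<'EOF'
@reboot perl /tmp/.cache/run.pl
30 2 * * 0 /home/alice/tmp/backup.sh
EOF
    cat > "$1/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var/tmp ext4 rw,nosuid,nodev 0 0
EOF
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
find_tmp_cron_entries "$demo_dir/www-data" "$demo_dir/alice"
for mp in /tmp /var/tmp; do
    if is_noexec "$mp" "$demo_dir/mounts"; then
        echo "$mp: noexec"
    else
        echo "$mp: exec allowed"
    fi
done
rm -rf "$demo_dir"

# On a live host (as root; crontab paths are assumptions, adjust as needed):
#   find_tmp_cron_entries /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*
#   is_noexec /tmp || echo "/tmp is not mounted noexec"
```
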

The white paper with all the technical details is available for download on WeLiveSecurity.

by Marc-Etienne M.Léveillé, ESET

Ransomware: Should you pay the cybercriminals?

Ransomware is a growing threat, threatening to take over your machine, encrypt your files and demand payment in exchange for their safe return. But, as we explore below, paying the ransom is rarely the solution.

What is ransomware?

Ransomware is a type of malware, or malicious software, which has exploded in notoriety in recent years.

The malware is often installed on your machine via a phishing email or a drive-by-download on a compromised website, and a short time later a pop-up message will appear on screen telling the user to pay a ransom (in some cases as much as $300) in order to ‘unlock’ their stolen documents.

Fortunately, the severity of ransomware varies considerably. At the lower-end, most variants simply bombard the user with ‘scareware’ pop-up messages, telling them to pay up to restore normal service. However, these variants haven’t actually encrypted any files.

That said, there are other versions which block access to the start screen, while ‘filecoders’, like CryptoLocker, will encrypt documents stored on the system’s hard drive.

These warning messages typically claim to be from law enforcement agencies, warning of illegal activities or content. They may alternatively claim that the system’s operating system is a forfeit, or pretend to be an anti-virus solution that has identified an infection.

To date, the most prolific variants of ransomware have been CryptoLocker, TorrentLocker, Reveton and CryptoWall, although newer versions like CryptoFortress, CoinVault and others have emerged in recent months, sporting newer tactics like making emails appear quarantined and running operations through the Tor or Invisible Internet Project (I2P) anonymizing networks. As ESET found with Virlock, ransomware is increasingly polymorphic, which makes it harder to detect and remove.

Ransomware, described by one malware analyst as a “polished and finished product for the bad guys”, is so widespread now that it’s a big concern for businesses. One study earlier this year found that ransomware had a bigger impact on organizations than widely-publicized advanced persistent threat (APT) attacks.

What you should do

Paying for the ransom is a dangerous option. For starters, there is no guarantee your files will be returned or that the malware has been removed. Will the hacker exploit you again in six months’ time? The truth is you don’t know.

Instead, information security professionals recommend a few useful tips, such as regularly backing up your data and ensuring your computer is running the latest software and anti-virus (ESET protects against CryptoLocker, Cryptowall, CTB locker and many other types of ransomware).

If you do get infected, and haven’t followed the advice above, all is not lost; your best bet is contacting an IT professional although there are free decryption tools online, and ways you can remove the malware via the operating system.

For less sophisticated ransomware that hasn’t encrypted files, you can enter Windows Safe Mode and run an on-demand virus scanner to hopefully remove the malware. Alternatively, you could try and do the same by logging onto the computer from another user account (hopefully bypassing the malware on the start screen), or by accessing the infected PC from a ‘clean’ PC on the same network.

If you can’t get onto the home screen, another option is System Restore, which will restore system files and programs to a state they were in previously. To do this, shut down your computer, reboot and hit the F8 key continuously to enter advanced boot options. You should see an option to repair your computer.

ESET security expert and Editor in Chief of We Live Security says users shouldn’t pay for the following reasons: “If you pay, you will support cybercrime activities by funding them with money; you don’t have any guarantee that your information is going to be decrypted again. Remember, this is not a service, they are cybercriminals. [And] even if you pay, you are not going to be ‘whitelisted’ so you could get infected again so it’s not a real solution for the future either. Prevention is the most important tool against Ransomware, since the infection can be usually cleaned afterwards but not always the information restored.”

Labaca Castro recommends using a security solution to prevent your computer from getting infected, backing up information frequently so that it is somewhere safe and can be recovered easily, and avoiding opening attached files in emails from unknown senders. Additionally, ESET offers a decryptor for specific variants of Simplocker to recover your information.

by Karl Thomas, ESET

