
Next-Gen Ransomware


Batu69


The one thing about cybercriminals is that they are persistent and always find a new way to attack. And they tend to improve themselves to stay ahead of cyber defenders.


Recently we received one malware sample together with the infected PC, so we took a look at the malware sample. At first we thought this was just another variant of ransomware, but after doing some analysis we found that this malware does not encrypt any files but still asks for a ransom. Below are pictures of the ransom note.

[Image: ransomnote]

[Image: ransomforensic2]

Most previous ransomware notes include the encryption method, the deadline to decrypt the files, a bitcoin address for payment, etc. But this ransom note is different and has the title “Notice of Imposition of File”. This ransom note looks like a notice sent from a federal office and contains the following notices:

  1. Materials that Violate the Intellectual Property Right
  2. Suspicious Activity

After reading the note, we can conclude that it threatens the victim into paying the fine to settle the case pre-trial within 24 hours, with the following text:

“You must pay penalty within 24 hours to settle the case out of court. Incase of failure to comply claims”

ALL COLLECTED DATA WILL BE MADE PUBLIC AND THE CASE GOES TO THE TRIAL.

And this note also provides all the details of the victim, which include:

  • Name
  • Birthday
  • Phone
  • Email
  • Location Area
  • Skype Account Details
  • Facebook Account Details
  • Linkedin Account Details
  • IP Address
  • CPU Details
  • System Details
  • PC Name
  • Username

And the note also contains the victim's images from Facebook and LinkedIn, and pictures taken from the webcam.

And when victims click the payment options, they are taken to the payment page, where they are asked to fill in their basic details and their credit card details.

[Image: ransom-payment]

In short, when this malware infects a PC, it collects all the data of the victim, even captures a picture from the webcam, creates the ransom note I described above, and threatens the victim to pay the ransom or their private data will be leaked in public.


More About This Malware

This malware is distributed via the Nuclear Exploit Kit, and users become victims when they visit a compromised WordPress website that redirects to the Nuclear Exploit Kit server. We have identified one IP, 128.31.0.39, that has been used by the cybercriminals to spread this malware.


Analyzed Samples

d5738a0199b58a754b03980349a66b89


Behavioural Analysis

After being deployed, the malware disappears and runs from a dropped copy in the hidden folder created in C:\\Users\Username\AppData\Local\Temp\Low

[Image: ransomanalysis]

It also creates a link to the dropped malware in \AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup

[Image: ransomstartup]

And it also drops other files:

  • z32jwcdbdaz7ab52tyxhr7x2smatqp2k
  • zqweejj6blyvyxxq4da4rzvh3un5pzvv.exe
  • __config3271.bat

And then this malware starts to talk with its Command and Control (C&C) server. We have identified two C&C servers.

When the victim's PC starts to communicate with the C&C, the malware starts to collect data from the victim's PC to be used in the ransom note. After the data for the ransom note has been collected, the malware becomes active and locks the screen with the ransom note. The following picture shows the malware process running in the background.

[Image: ransomprocess]

And when a victim sends the requested ransom to the cybercriminals, the request is sent to the crooks' server via a secure communication channel (TLS). The server IP is 91.194.90.103, which is behind Tor.

Find the malware analysis details here:

https://malwr.com/analysis/MGVjYmJjY2I4ZTMwNDMwOWE5MDkzMWFmZTk5MDE4YTI/

This malware has evolved to another level and has become the next-generation ransomware.


How to Protect yourself from malware?

  1. Install anti-virus/anti-malware software.
  2. Keep your anti-virus software up to date.
  3. Run regularly scheduled scans with your anti-virus software.
  4. Use an updated version of your operating system.
  5. Back up your files.
  6. Think before you click.
  7. Use strong passwords with two-step verification.
  8. Cover up your webcam.

Article source


It's not really a new kind of ransomware. The threat and consequences are different; however, the mechanism of infection and spread is the same: an executable in the AppData folder, like every known ransomware.

So by blocking executables in this location (through Group Policy or using CryptoPrevent), you can avoid this infection.



3 hours ago, Batu69 said:

How to Protect yourself from malware?

  1. Install anti-virus/anti-malware software.
  2. Keep your anti-virus software up to date.
  3. Run regularly scheduled scans with your anti-virus software.
  4. Use an updated version of your operating system.
  5. Back up your files.
  6. Think before you click.
  7. Use strong passwords with two-step verification.
  8. Cover up your webcam.

How many ways can I say bullshit? I don't do any of those things, because the first four will not protect you from malware, that has been proven time and time again, the next three are just common sense, and I have the webcams on laptops disconnected physically. I use external webcams that are only hooked up when I need to use them. At work we do the same thing. The cost of buying an external webcam and disconnecting internal webcams is part of the cost of securing a system. I do one thing that will stop all malware, and that is block anything from running from the AppData folder. If you notice in the article above, the malware is in C:\\Users\Username\AppData\Local\Temp\Low, and if you block anything from running from the AppData folder it can download all it wants anywhere in that folder and the software cannot run. This has been tested time and time again using actual malware and attempting to infect a PC, and though the downloads are there, all attempts to run them, even right-clicking and running as administrator, result in the malware not running.



1 hour ago, straycat19 said:


I do one thing that will stop all malware, and that is block anything from running from the AppData folder. If you notice in the article above, the malware is in C:\\Users\Username\AppData\Local\Temp\Low, and if you block anything from running from the AppData folder it can download all it wants anywhere in that folder and the software cannot run. This has been tested time and time again using actual malware and attempting to infect a PC, and though the downloads are there, all attempts to run them, even right-clicking and running as administrator, result in the malware not running.

And how do we do that?

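For the "block anything from running from the AppData folder" approach discussed above and the question of how to do it, here is an added example (not from any poster in this thread and not CryptoPrevent's own code) that writes a Software Restriction Policy path rule to the registry keys Local/Group Policy uses. It assumes an elevated PowerShell session on a standalone Windows host with no domain SRP that would overwrite these keys, and the exception path under %LocalAppData%\ExampleVendor is a hypothetical placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: disallow execution under the per-user AppData tree with a
# Software Restriction Policy (SRP) path rule. Assumes a standalone host;
# rules take effect for processes started in new logon sessions.

$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Global SRP settings: default level Unrestricted (0x40000), policy applies
# to all users (PolicyScope 0) and to all executable types except DLLs
# (TransparentEnabled 1).
New-Item -Path $srp -Force | Out-Null
Set-ItemProperty -Path $srp -Name DefaultLevel       -Type DWord -Value 0x40000
Set-ItemProperty -Path $srp -Name TransparentEnabled -Type DWord -Value 1
Set-ItemProperty -Path $srp -Name PolicyScope        -Type DWord -Value 0

function Add-SrpPathRule {
    param(
        [string]$Path,
        [ValidateSet('Disallowed', 'Unrestricted')] [string]$Level,
        [string]$Description
    )
    # Rules live under <level>\Paths\{GUID}: 0 = Disallowed, 262144 (0x40000)
    # = Unrestricted. The most specific matching path rule wins, so a narrow
    # Unrestricted rule can exempt one program from a broad Disallowed rule.
    $levelKey = if ($Level -eq 'Disallowed') { '0' } else { '262144' }
    $ruleKey  = Join-Path $srp ("$levelKey\Paths\" + [guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData    -Type ExpandString -Value $Path
    Set-ItemProperty -Path $ruleKey -Name SaferFlags  -Type DWord        -Value 0
    Set-ItemProperty -Path $ruleKey -Name Description -Type String       -Value $Description
    return $ruleKey
}

# A folder rule covers its subfolders, so these two rules cover the Temp\Low
# folder the sample ran from and the Roaming\...\Startup folder it used for
# persistence, plus everything else a user can write under AppData.
Add-SrpPathRule -Path '%LocalAppData%' -Level Disallowed -Description 'Block exec from Local AppData'
Add-SrpPathRule -Path '%AppData%'      -Level Disallowed -Description 'Block exec from Roaming AppData'

# Hypothetical exception (placeholder path) for a legitimate per-user
# updater that must keep running from AppData; replace with the real path.
Add-SrpPathRule -Path '%LocalAppData%\ExampleVendor\updater.exe' -Level Unrestricted -Description 'Allowed updater'

# Verify after a fresh logon: copy any harmless .exe into %LocalAppData% and
# start it. SRP refuses it ("This program is blocked by group policy") and
# records the block in the Application event log under the
# SoftwareRestrictionPolicies source, which is what to alert on.
```

Expect breakage from legitimate software that installs per-user (some browsers, chat clients and updaters); inventory those paths first and add Unrestricted rules for them rather than loosening the AppData deny.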


Archived

This topic is now archived and is closed to further replies.
