By Christiaan Beek, Max Kersten and Raj Samani

Arnab Roy, Filippo Sitzia and Mo Cashman contributed to the research supporting this blog.

Recent news reports of a “ransomware” campaign targeting Ukraine have resulted in significant press coverage regarding not only attribution but also possible motive. Unlike traditional ransomware campaigns where the motive is obvious, this particular campaign is believed to be pseudo in nature [1]. In other words, its intention is likely to cause destruction of infected systems, since the wiper at Stage 4 simply overwrites data on the victim’s system, meaning no decryption is possible. Whilst the campaign is largely targeting one country, the Trellix Advanced Threat Research team have published an MVISION Insights campaign to track the threat, which highlights what indicators have been found in other countries.

Consequently, we strongly recommend that organizations ensure their security posture has the necessary controls to protect against and detect the threat. Indicators of Compromise for active hunting are available within the preview, and we have incorporated all known indicators into our products. Furthermore, work continues to ensure that we can identify any new elements of this attack as they arise.

Campaign details

First samples and indicators were reported on Thursday the 13th of January in the late evening UTC time, which is around 1AM in the morning and onwards in Ukraine. The attack consists of three stages, as can be seen below.

The file path of both executables was “C:\”. All jokes aside, the files were actually named like this. Both files have a destructive character, as we observed during our analysis of the samples.

When starting with the first stage, “Stage1.exe”, it presents itself as ransomware after execution, where it overwrites the Master Boot Record (MBR). After running the malware in a VM and rebooting the machine, the following note appears:

As with most ransomware notes, the usual language is in there: a notification that the device has been encrypted and that files are being held hostage, together with a payment address to send the demanded amount to, in the requested currency. In this case, which is rare, a TOX ID is included. TOX is used to chat end-to-end encrypted via peer-to-peer connections.

Although different variants were analyzed, the amount and BTC address stayed the same, whereas in most Ransomware-as-a-Service operations these change, with bitcoin mixers used to obfuscate transactions.

Analysing the code, no code was observed to delete volume shadow copies or block the recovery mode boot process, which is often used to remove malware and/or restore operations. These steps are very common in most ransomware samples.