Search This Blog

Showing posts with label Data Encrypting Malware. Show all posts

LockBit Ransomware Emerging as a Dangerous Threat to Corporate Networks


LockBit, a relatively new Ransomware that was first identified performing targeted attacks by Northwave Security in September 2019 veiled as.ABCD virus. The threat actors behind the ransomware were observed to be leveraging brute-force tactics and evasion-based techniques to infect computers and encrypt files until the victim pays the ransom.

LockBit enables attackers to move around a network after compromising it quickly; it exploits SMB, ARP tables, and PowerShell to proliferate the malware through an infected network.

The developers rely on third parties to spread the malware via any means the third party devises. After successfully infecting the network, the attacker redirects the victim to a payment site operated by them. The victim is then subjected to threats of data leak until the ransom is paid to the attackers.

Modus operandi of the attack

The attackers drop the payload that is hidden under the '.text' sections, evading conventional AV's mechanism from catching the file while running a scan in the disk, the file is compressed by the attackers with a unique format.

Upon being executed, the file runs a scan on the entire LAN network and attempts to establish a connection to the hosts via SMB port (445) to spread the infected file across the entire internal network.

Then in order to bypass the need for User Control, the command "C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" is run by an instance of SVCHOST.exe which is running by the process DLLhost.exe.

After that, the 'backup.exe' file executes the payload and encrypts most of the victim's files, changing their extensions to 'lockbit'. In the end, leaving a ransom note under the name 'Restore-My-Files.txt' in various folders on the host.

As per sources, the top targets of LockBit were located in the U.S., the U.K, China, India, Germany, France, and Indonesia. Experts suggest that users worldwide should strengthen their security defenses. It is also recommended to store the backups of important files separately so that it's hard to be accessed through a network.

Giving insights into a particular case, Patrick Van Looy, a cybersecurity specialist for Northwave, told BleepingComputer, "In this specific case it was a classic hit and run. After gaining access through brute-forcing the VPN, the attacker almost immediately launched the ransomware (which he could with the administrator account that he had access to). It was around 1:00 AM that the initial access took place, after which the ransomware was launched, and at around 4:00 AM the attacker logged off. This was the only interaction that we have observed."

Home Routers Hijacked to Deliver Info-Stealing Malware 'Oski'


The spread of malware through apps being downloaded by users in the name of 'the latest information and instructions about COVID-19' is amongst one of the most prevalent threats that have been observed since the outbreak of the novel Coronavirus. As a result, users were forced to download apps such as COVID19Tracker or Covid Lock from a website, the app locked victims outside their smartphones and asked for a ransom of $100 in Bitcoin for the release of their data. Consequently, attackers threatened them to leak all their contacts, media, and social media accounts online in case they failed to pay the ransom in due time.

Users are being severely targeted amid the COVID-19 themed malware and data exploit attacks, another example resides in the discovery of a new type of attack that is targeting home routers. It redirects victims to an infected website after altering the DNS settings and then drops a file-encrypting malware 'Oski' that encrypts the important files on a victim's system. It employs a sophisticated algorithm to encrypt the files and append .Osk extension to each file. After successfully carrying out the encryption process, the malware leaves a ransom note in all the folders containing encrypted, reading, "HOW TO RECOVER ENCRYPTED FILES.TXT.'

"To make the file seem legitimate (as if the filename is any indication of legitimacy), attackers named it “runset.EXE”, “covid19informer.exe”, or “setup_who.exe”." states the Bitdefender's report on the subject.

Attackers with the malicious intent of compromising the routers go around the internet searching for the exposed home routers that are consequently subjected to 'password brute-forcing attack' with DNS IP settings being altered alongside.

DNS is an internet service that plays a crucial role in translating domain names to IP addresses and as it assists browsers in loading internet resources if the cybercriminals alter the DNS IP address from a vulnerable router they are meaning to attack, they resolve the victim's request to any website under their control. The targeted domains in this campaign include aws.amazon.com, tidd.ly, goo.gl, bit.ly, fiddler2.com, washington.edu, winimage.com, imageshack.us, ufl.edu, disney.com, cox.net, xhamster.com, pubads.g.doubleclick.net and redditblog.com. As per sources, most of the aforementioned routers that made to the attacker's target list are based in France, Germany, and the US.

"It’s recommended that, besides changing the router’s control panel access credentials (which are hopefully not the default ones), users should change their Linksys cloud account credentials, or any remote management account for their routers, to avoid any takeovers via brute-forcing or credential-stuffing attacks," Bitdefender warns.

New Malicious Program 'Nefilim' Threatens to Release Stolen User Data


Nefilim, a new malicious program that basically is ransomware that functions by encrypting files on affected systems, has become active in the cyber ecosystem since February 2020. After encryption of the files, it demands a ransom from the victims for the decryption of files, tools, and software. However, it is still unclear how the ransomware is being spread, sources reckon that it's distributed via susceptible Remote Desktop Services.

As per the head of SentinelLabs, Vitali Krimez and Michael Gillespie from ID Ransomware, the code employed in Nefilim resembles much that of Nemty's, another file-encrypting ransomware that steals user data by restricting access to documents and multimedia using the AES-256 algorithm. As to the speculations of security researchers, it is likely that the authors of the first ransomware have a role to play in Nefilim's creation and distribution. However, due to the uncertainty revolving around the operation source of the new ransomware, experts also point towards a possibility of the source code being somehow obtained by the new malicious actors to develop a new variant.

While the encryption is underway, all the affected files are added with ".NEFILIM" extension. For instance, a file previously named "xyz.png" would start appearing as "xyz.png.NEFILIM" after the encryption takes place. The completion of the process is followed by a ransom note being created on the infected user's desktop titled "NEFILIM-DECRYPT.txt", "A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted." the note reads.

As per the sources, for money matters, Nefilim primarily pins its hopes on email communications instead of a Tor payment site after the removal of the Ransomware-as-a-Service (RaaS) component and it stands out as one major difference. According to the analysis carried out by Gillespie, it has been made clear that as of now there exists no way to retrieve files without paying the ransom because the ransomware is reported to be completely secure. As a result of that, victims are being threatened to pay the demanded amount within a week or else the data stolen will be exposed by the attackers.

Cyber security Team Identified Ransomware Utilized to Compromise City Power



Residents of Johannesburg using pre-paid electricity meters were not able to load the electricity purchased from City Power and were also unable to purchase further electricity due to a ransomware attack which compromised City Power's database.

Earlier, City Power said while the variant of ransomware utilized to carry out the attack remains unknown, they have the encrypted network, applications, and database being restored and rebuilt by their ICT department.

Easing off the customers, Isaac Mangena, the utility's spokesperson, said, "We want to assure residents of Johannesburg that City Power systems were able to proactively intercept this and managed to deal with it quicker."

"Customers should also not panic, as none of their details were compromised," Mangena assured.

On Friday, City Power announced that their cybersecurity team identified the variant of malware which temporarily paralyzed the city's computer systems.

Reportedly, the email systems took the hardest hit by the ransomware and were taking a while to recover and be functional again.

While giving updates, Mangena said “The virus samples have been taken to the external labs for analysis and testing,”

“Our IT technicians have also recovered and, in [a] few instances, reconstructed most of the systems,, applications, and data that was threatened, using backup files.”

Victims of the cyber power attack along with the customers, have been raging since the incident happened and encrypted the computer databases, applications and network.

City Power turned to external cyber security experts who worked in association with their team to tackle the issue.


Website of Chelyabinsk court hits by data-encrypting malware



Attackers hacked into the website of Arbitration court of Chelyabinsk( a federal subject of Russia, on the border of Europe and Asia) and infected the server with a data encrypting malware.

The malware encrypted the information and files on the server. This incident took place on 4th October. By 10th October, the experts have managed to restore the website from previously saved backup.

However, the court lost all the information that was published on their website for this year, as the last backup operation was done only in January. The online resources including news, charts, video of conferences, information about bureau and judicial appointments were irretrievably lost.

According to the local report, the court is still trying to recover the information using their own sources.  There is no detailed information about the malware variant used in the attack.

- Christina