Showing posts with label ransomeware. Show all posts
Showing posts with label ransomeware. Show all posts

Sunday, November 12, 2017

COBRA - Crysis / Dharma Ransomware


New variant of the Crysis / Dharma ransomware that adds the .cobra extension to the encrypted files

Recently, security researcher Jakub Kroustek discovered a new ransomware sample that appears to be a new variant of the ransomware Crysis that appends the .cobra extension to the file name of the encrypted file.

It is not known exactly how this variant is distributed, but in the past Crysis is normally propagated by piracy in remote desktop services and manually installs the ransomware.
When this variant of Cobra ransomware is installed, a computer will be scanned for data files and encryption of them. When you encrypt a file, an extension will be added in the .id- [id]. [E-mail] .cobra format .id- [id]. [E-mail] .cobra .id- [id]. [E-mail] .cobra . For example, a file called pepe.jpg was encrypted and the name was changed to[].cobra .

It should be noted that this ransomware will encrypt assigned network drives and unassigned network shares. Therefore, it is important to make sure that the actions of your network are blocked so that only those who really need access have permission.
When this variant encodes a computer, it will also remove all plumes from volume snapshots on the machine so that they can not be used to recover encrypted files. It is removed by running the vssadmin delete shadows /all /quiet .
This ransomware will also create two different rescue notes on the infected machine. One of them is the file info.hta , which was launched by an automatic execution when a user initiates a session on the computer.

The other note is called encrypted files !!. Txt and can be found on the desktop.
Both rescue notes contain instructions to contact in order to obtain payment instructions.
Finally, the ransomware will be configured to start automatically when it connects to Windows. This allows you to encrypt new files that are created since the last time executed.

It is not possible to decipher the new variant of Crysis Cobra

Unfortunately, at this time it is not possible to decrypt the files encrypted by the .cobra Crysis ransomware for free. The only way to recover the encrypted files is through a backup, or if you are unbelievably lucky, through volume snapshots. Although Crysis does not attempt to remove volume snapshots, in rare cases, ransomware infections do not do so for any reason.

How to protect yourself from the Crysis ransomware

In order to protect yourself from Crysis, or from any ransomware, it is important that you use good computer habits and security software. First and foremost, you should always have a reliable and proven backup of data that can be restored in the event of an emergency, such as an attack on the ransomware. You must also have security software that contains behavioral detections such as squared Anti-Malware, Malwarebytes, or HitmanPro


COBRA SHA256: de6376e23536b3039afe6b0645da4fc180969b1dc3cc038b1c6bd5941d88c4d8

Cobra Associated Emails:
 Ref Link :

Thursday, October 26, 2017

Updated IOC's - Bad Rabbit Ransomware

A new ransomware worm named "Bad Rabbit" began spreading across the world Last Tuesday (Oct. 24), and it appeared to be a much-modified version of the NotPetya worm that hit eastern Europe in June.

This ransomware attack is most likely hitting computers in Russia and Ukraine, bearing similarities to the NotPetya outbreak that caused billions of pounds of damage in June.

The self-titled “Bad Rabbit” malware encrypts data on infected machines before demanding a payment of 0.05 bitcoin (£250) for the decryption key. The ransom demand is phrased similarly to that of June’s outbreak, and researchers at Russian security firm Kaspersky say that the malware uses “methods similar to those used” during the NotPetya attack.

Briefly about yesterday's events :

  • The initial infection was due to compromised websites and a fake update to Flash Player, which required user interaction to activate and continue exploitation (the user had to confirm the agreement to install the update);
  • Distribution on the local network was done by scanning the internal network for open SMB-open access files, as well as an attempt to use the HTTP-based WebDAV protocol based on HTTP and allowing the use of the Web as a resource for reading and writing;
  • Mimikatz was used to extract user credentials from the memory of an infected PC;
  • Legitimate DiskCryptor software used to encrypt files;
  • Types of file extensions that were encrypted on a user's PC:
#Bad-Rabbit encrypts following files: .dib.disk.djvu.doc.docx.dwg.eml.fdb .odt.ora.ost.ova.ovf.p12.p7b.p7c .tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd

Original Name 
de5c8d858e6e41da715dca1c019df0bfb92d32c0– SHA1
79116fe99f2b421c52ef64097f0f39b815b20907 – SHA1
DLL payload
DiskCryptor Driver (x64)
DiskCryptor Client
16605a4a29a101208457c47ebfde788487be788d – SHA1
Mimikatz (x64)
413eba3973a15c1a6429d9f170f3e8287f98c21c -SHA1
Mimikatz (x32)
DiskCryptor driver x86
DiskCryptor driver x86

C&C servers

Payment site: http://caforssztxqzf2nm[.]onion
Inject URL: http://185.149.120[.]3/scholargoogle/
Distribution URL: hxxp://1dnscontrol[.]com/flash_install.php

Scheduled Tasks names:

In Taskschd.msc, look for and remove these tasks
  • viserion_
  • rhaegal
  • drogon

List of compromised web sites


 Distribution Paths:

  • /flash_install.php
  • /index.php

Intermediary Server:
  • 185.149.120[.]3

Hidden service:
  • caforssztxqzf2nm[.]onion

Kill Switch: to create read-only file C:\windows\infpub.dat. In case of infection files won't be encrypted

Restrict Scheduled Tasks: viserion_, rhaegal, drogon
Make backup of important data
Update operation systems and security systems
Isolate infected PCs
Block IP-addresses and domain names from Indicators list
Block inbound SMB
Use Credential Guard in Windows
Control # of admins
 Monitor scheduled tasks and service creation