
Ransomware Recap: Clop, DeathRansom, and Maze Ransomware

Updated on January 6, 2020 at 10:03 PM PST to change hashes to SHA-256 under IoCs.
As the new year rolls in, new developments in different ransomware strains have emerged. Clop ransomware has evolved to integrate a process killer that targets Windows 10 apps and various applications. DeathRansom, whose initial versions merely masqueraded as ransomware, now actually encrypts files. Maze ransomware has been increasingly targeting U.S. companies, stealing and then encrypting their data, as warned by the Federal Bureau of Investigation (FBI).
The latest Clop ransomware variant has been updated and is now capable of terminating a total of 663 Windows processes, including Windows 10 and Microsoft Office applications, before proceeding with its encryption routine. It is not uncommon for ransomware variants to terminate processes before encrypting files; some attackers even disable security software to evade detection. This action could either mean that configuration files used by some of the terminated processes are targeted for encryption or the threat actors are merely trying to ensure that the malware closes as many files as possible for successful encryption.
The Clop ransomware variant executes a “process killer” before starting the encryption process. The terminated target processes include debuggers, text editors, and programming IDEs and languages running on the infected system. Security researcher Vitali Kremez enumerates the full list of terminated processes in his GitHub repository.
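As an added example (not from the article, Trend Micro, or the researcher cited), a small Python detector over constructed Sysmon Event ID 10 (ProcessAccess) records: it flags any source process that opens many distinct processes with PROCESS_TERMINATE access inside a short window, which is the footprint a process killer like Clop's leaves in telemetry. The Sysmon source, the window and threshold values, and every path and process name in the sample are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 10 (ProcessAccess) records flattened to one line each; field
# names follow Sysmon's schema, while the paths, process names and timestamps are invented.
# GrantedAccess is the requested access mask; bit 0x1 is PROCESS_TERMINATE.
SAMPLE_EVENTS = r"""
2020-01-06 21:00:01 EventID=10 SourceImage=C:\Users\alice\AppData\Local\Temp\suspect.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1
2020-01-06 21:00:01 EventID=10 SourceImage=C:\Users\alice\AppData\Local\Temp\suspect.exe TargetImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE GrantedAccess=0x1
2020-01-06 21:00:02 EventID=10 SourceImage=C:\Users\alice\AppData\Local\Temp\suspect.exe TargetImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE GrantedAccess=0x1
2020-01-06 21:00:02 EventID=10 SourceImage=C:\Users\alice\AppData\Local\Temp\suspect.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1
2020-01-06 21:00:02 EventID=10 SourceImage=C:\Users\alice\AppData\Local\Temp\suspect.exe TargetImage=C:\Program Files\Notepad++\notepad++.exe GrantedAccess=0x1
2020-01-06 21:00:03 EventID=10 SourceImage=C:\Users\alice\AppData\Local\Temp\suspect.exe TargetImage=C:\Program Files\Microsoft VS Code\Code.exe GrantedAccess=0x1
2020-01-06 21:00:03 EventID=10 SourceImage=C:\Users\alice\AppData\Local\Temp\suspect.exe TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1fffff
2020-01-06 21:05:10 EventID=10 SourceImage=C:\Windows\System32\Taskmgr.exe TargetImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE GrantedAccess=0x1
2020-01-06 21:05:12 EventID=10 SourceImage=C:\Windows\explorer.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1000
"""

PROCESS_TERMINATE = 0x1
WINDOW = timedelta(seconds=5)   # assumed tuning values, not taken from the article
THRESHOLD = 5                   # distinct targets opened for termination within one window
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) EventID=10 SourceImage=(?P<src>.+?) "
                     r"TargetImage=(?P<dst>.+?) GrantedAccess=(?P<mask>0x[0-9a-fA-F]+)$")

def parse_events(text):
    """Return (timestamp, source, target, mask) tuples; lines that do not parse are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["src"], m["dst"], int(m["mask"], 16)))
    return events

def find_process_killers(events, window=WINDOW, threshold=THRESHOLD):
    """Map each source to the most distinct targets it opened with PROCESS_TERMINATE in one window."""
    opens = defaultdict(list)
    for ts, src, dst, mask in events:
        if mask & PROCESS_TERMINATE:          # bit test: 0x1fffff (all access) carries it too
            opens[src].append((ts, dst))
    hits = {}
    for src, items in opens.items():
        items.sort()
        best = 0
        for i, (start, _) in enumerate(items):
            best = max(best, len({d for t, d in items[i:] if t - start <= window}))
        if best >= threshold:
            hits[src] = best
    return hits
```

Task Manager and Explorer stay below the threshold or never request the terminate bit, so only the suspect process is reported; in production the threshold should be tuned against baseline noise from legitimate shutdown and update activity.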
Clop first cropped up as a variant of the CryptoMix ransomware family. The ransomware has since been tweaked to reportedly target entire networks instead of individual machines and even attempt disabling Windows Defender and other security tools. Last December, the ransomware hit “almost all Windows systems” at Maastricht University.
Initially considered a joke, DeathRansom has now been found capable of encrypting files.
Initial versions of DeathRansom pretended to be ransomware and did not encrypt anything. Operators would attempt to trick users by appending a file extension to all of a target’s files and dropping a ransom note on the computer asking for money. All a user had to do, however, was remove the appended .wctc extension from a file to regain access to it.
But the newer versions are different. Fortinet researchers published a two-part analysis describing how DeathRansom now functions as actual ransomware. The variant combines the Curve25519 algorithm for its Elliptic Curve Diffie-Hellman (ECDH) key exchange with Salsa20, RSA-2048, AES-256 in ECB mode, and a simple block XOR algorithm in its encryption scheme. DeathRansom currently spreads through phishing campaigns.
The FBI has released an advisory concerning a spate of Maze ransomware attacks that increasingly focus on U.S. companies, stealing their information then encrypting it for extortion.
Distributed in late December 2019, the warning indicates that the Bureau first observed the ransomware being wielded against U.S. victims last November. Upon successfully breaching the network, threat actors exfiltrate company files before encrypting machines and network shares. The actors then demand a target-specific ransom in exchange for the decryption key.
Maze ransomware takes advantage of different methods to breach a network, including fake cryptocurrency sites, malspam campaigns, and even exploit kits. In the past, Maze ransomware operators have released stolen data from targets that did not pay the ransom, ranging from a U.S. city’s computer systems to a wire and cable manufacturer.
Organizations can strengthen their defenses against ransomware by updating their systems and applications to the latest versions and using multi-factor authentication. In case of a ransomware infection, we advise against paying the ransom as this does not guarantee the recovery of the encrypted files and may only encourage threat actors to further attack organizations. Here are other measures users and organizations can take to protect against ransomware:
Trend Micro solutions such as the Smart Protection Suites and Worry-Free™ Business Security solutions, which have behavior monitoring capabilities, can protect users and businesses from these types of threats by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs. Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.
Indicators of Compromise (IoCs)
Clop
Related hashes:
2ceeedd2f389c6118b4e0a02a535ebb142d81d35f38cab9a3099b915b5c274cb – detected as Ransom.Win32.CLOP.SMK
a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02 – detected as Ransom.Win32.CLOP.THCODAI
Related email addresses:
kensgilbomet@protonmail[.]com
unlock@eqaltech[.]su
unlock@royalmail[.]su
DeathRansom
Related malicious URLs:
bitbucket[.]org/scat01/
gameshack[.]ru
iplogger[.]org/1Zqq77
scat01.mcdir[.]ru
scat01[.]tk
Maze
Related hash:
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684 – detected as Ransom.Win32.MAZE.H
Related email address:
filedecryptor@nuke[.]africa