
Silobreaker Daily Cyber Digest – 19 April 2016

CryptXXX Ransomware

Proofpoint [1] believe that the group tied to Reveton [2] is distributing a new ransomware, dubbed CryptXXX [3], via the Bedep trojan [4] and the Angler exploit kit. CryptXXX checks for virtual machines and for mouse and keyboard input in order to avoid sandboxes, and it waits for a set delay before encrypting files, presumably to make it harder to work out which compromised sites are serving Angler. The ransom is $500, which is fairly high. Given that Angler is the most widely used exploit kit and the payment page is available in numerous languages, it is a safe bet that the Reveton team are expecting a windfall.

Shenron debuts

Lizard Squad [5] has launched a new service called Shenron LLC [6], which will take the place of the infamous Lizard Stresser. According to Lizard Squad's Twitter account, Shenron is intended to be 'a booter, spammer, vpn provider and drugs marketplace'; it was launched only recently. The stresser login page is available on the open web at shenron.lizardsquad.org [7].

The SS7 phone vulnerability

A CBS 60 Minutes investigation [8] has reignited debate about the Signaling System 7 (SS7) phone exploitation first demonstrated in 2014. SS7 is the protocol suite used to set up and tear down calls on public switched telephone networks and to coordinate services such as billing and SMS. Exploiting a vulnerability in SS7 allows an attacker to eavesdrop on conversations using only the phone number of the target. Because this attack exploits the phone network rather than the device itself, there is little a user can do to prevent eavesdropping apart from switching the phone off. It is believed that intelligence services around the world use this technique for espionage.

Kovter malware evolves (again)

The Kovter [9] click-fraud malware has returned to its roots and now behaves like crypto-ransomware, albeit with easily breakable encryption. As Check Point reports [10], Kovter began as locker-type ransomware, exploiting people's fear of the authorities by masquerading as a law-enforcement 'fine' for illegal activity. In 2014 Kovter began to operate as click-fraud malware, and in 2015 it became 'fileless', using registry keys and a PowerShell script to run without leaving traditional indicators of compromise on disk. As of 2016, Kovter has switched back to ransomware but remains fileless. It encrypts only the first bytes of each file whose extension is on its list, which is enough to corrupt the file format and stop the file from opening through normal means. Fortunately, these .crypted files can be decrypted with the tool linked at [11], which compares a file before and after encryption to determine the key.

The Silobreaker Team

[1] https://www.proofpoint.com/us/threat-insight/post/cryptxxx-new-ransomware-actors-behind-reveton-dropping-angler
[2] https://my.silobreaker.com/searcholdlayout.aspx?q=keyphrase:%22Reveton%20Ransomware%22&
[3] https://my.silobreaker.com/view360Old.aspx?Item=11_997696789
[4] https://my.silobreaker.com/view360old.aspx?item=11_328589320
[5] https://my.silobreaker.com/view360old.aspx?item=11_768575768
[6] https://my.silobreaker.com/view360old.aspx?item=11_997924535
[7] http://shenron.lizardsquad.org/
[8] http://www.cbsnews.com/news/60-minutes-hacking-your-phone/
[9] https://my.silobreaker.com/view360Old.aspx?Item=11_566487795
[10] http://blog.checkpoint.com/2016/04/15/kovter-ransomware-the-evolution-from-police-scareware-to-click-frauds-and-then-to-ransomware/
[11] http://www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/
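As an added example that is not code from the digest, from Check Point's report or from the linked decryptor: the Kovter item above describes a decryptor that compares a file before and after encryption to find the key. Under the assumption (not stated on the page) that the malware XORs only the first bytes of each file with a single repeating key and leaves the rest untouched, the following Python shows how such a known-plaintext key recovery works, how partial keys from short files are combined, and why a disagreement between two file pairs means the "one shared key" model is wrong. HEADER_LEN, KEY_LEN, the file names and all sample data are constructed for the example.

```python
"""
Added example (not code from the Silobreaker digest, Check Point or the linked decryptor):
a known-plaintext attack on "encrypt only the first bytes of each file" ransomware.

Assumptions, none of which the digest states: the malware XORs the first HEADER_LEN
bytes of every file with the same repeating KEY_LEN-byte key and leaves the rest of the
file untouched. Under that model, XORing an original file with its encrypted copy reveals
the key stream directly, and that key then decrypts every other .crypted file.
All sample data below is constructed.
"""
from itertools import cycle

HEADER_LEN = 2048   # hypothetical: bytes encrypted at the start of each file
KEY_LEN = 255       # hypothetical: length of the repeating XOR key


def xor_header(data: bytes, key: bytes, header_len: int = HEADER_LEN) -> bytes:
    """XOR the first header_len bytes with the repeating key; the tail is copied unchanged.
    XOR is its own inverse, so this both models the malware and decrypts its output."""
    head, tail = data[:header_len], data[header_len:]
    return bytes(b ^ k for b, k in zip(head, cycle(key))) + tail


def recover_key(pairs, key_len: int = KEY_LEN) -> bytes:
    """Known-plaintext attack across one or more (plain, cipher) pairs.

    A file shorter than key_len only exposes the key bytes it covers, so several
    pairs can be combined. Two pairs disagreeing on a key byte means the key is
    not shared between files and this model is wrong, so refuse rather than guess.
    """
    key = [None] * key_len
    for plain, cipher in pairs:
        if len(plain) != len(cipher):
            raise ValueError("encrypted copy should be the same size as the original")
        for i in range(min(len(plain), key_len)):
            k = plain[i] ^ cipher[i]
            if key[i] is None:
                key[i] = k
            elif key[i] != k:
                raise ValueError(f"key byte {i} differs between files; key is not shared")
    missing = [i for i, k in enumerate(key) if k is None]
    if missing:
        raise ValueError(f"{len(missing)} key bytes still unknown; supply a longer original")
    return bytes(key)


def verify_key(plain: bytes, cipher: bytes, key: bytes, header_len: int = HEADER_LEN) -> bool:
    """Check the key over the whole encrypted region (all header_len bytes, not just the
    first key_len), which also confirms the header_len assumption for this sample."""
    return xor_header(cipher, key, header_len) == plain


def decrypt_files(encrypted: dict, key: bytes, header_len: int = HEADER_LEN) -> dict:
    """Apply the recovered key to {name: ciphertext}, dropping the .crypted suffix."""
    out = {}
    for name, data in encrypted.items():
        original = name[:-len(".crypted")] if name.endswith(".crypted") else name
        out[original] = xor_header(data, key, header_len)
    return out


def demo() -> bytes:
    """Constructed scenario: one original survives in a backup, the rest exist only encrypted."""
    key = bytes((i * 37 + 11) % 256 for i in range(KEY_LEN))            # constructed key
    backup = b"%PDF-1.4\n" + bytes((i * 7) % 256 for i in range(4000))    # constructed original
    victim = b"PK\x03\x04" + bytes((i * 13) % 256 for i in range(6000))   # constructed original
    encrypted = {"report.pdf.crypted": xor_header(backup, key),
                 "archive.zip.crypted": xor_header(victim, key)}
    recovered = recover_key([(backup, encrypted["report.pdf.crypted"])])
    assert verify_key(backup, encrypted["report.pdf.crypted"], recovered)
    assert decrypt_files(encrypted, recovered)["archive.zip"] == victim
    return recovered


if __name__ == "__main__":
    print(demo().hex())
```

In practice the "known" file is anything the victim still has an untouched copy of (a backup, an e-mail attachment, a stock Windows file), and verify_key over the full header is the check that separates a genuine recovery from a lucky match on the first few bytes.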
