One Article Review

Home - The article:
Source Fortinet ThreatSignal
Identifier 5066060
Publication date 2022-06-09 18:46:13 (viewed: 2022-06-10 02:06:00)
Title Ransomware Roundup – 2022/06/09
Text FortiGuard Labs has become aware of several ransomware families that caught public attention during the week of June 6th, 2022. It is imperative to raise awareness about ransomware variants because infections can cause severe damage to organizations. This week's Ransomware Roundup Threat Signal covers the YourCyanide, LockBit, WhiteCat, and DeadBolt ransomware along with the Fortinet protections against them.

What is YourCyanide ransomware?

YourCyanide ransomware is a CMD-based ransomware variant that is still under development and abuses Pastebin, Discord, Telegram and Google services. It belongs to the GonnaCope ransomware family, which was discovered in April 2022.

YourCyanide reportedly arrives as an LNK (shortcut) file containing a PowerShell script that downloads and runs a malicious file from Discord. The downloaded file then drops and executes a CMD file. That CMD file downloads another CMD file from Pastebin, which performs several activities, including:

- Checks for usernames for which the ransomware avoids infection.
- Drops a batch file that continually opens the Blank Screen Saver file.
- Checks for specific services and security applications, which the ransomware tries to terminate.
- Swaps the mouse buttons.
- Disables Task Manager.
- Renames files in the Desktop, Documents, Music, Pictures, Videos, and Downloads folders. Renamed files receive a ".cyn" file extension.
- Creates two VBS files that send the ransomware as an email attachment.
- Copies itself to the D, E, F, G, and H drives as well as the UserProfile folder.
- Drops a ransom note on the Desktop.
- Downloads a remote CMD file from Discord.

The CMD file downloaded from Discord steals access tokens from applications including Chrome, Discord, and Microsoft Edge, and collects information such as installed applications and machine information from the compromised machine. The collected information is then sent to a Telegram chat bot.

It also reportedly downloads an executable file from Google Docs and executes it. The remote executable file is no longer accessible; however, it was likely used to steal credentials from various web browsers.

Screenshot of YourCyanide's ransom note

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against available samples associated with YourCyanide ransomware:

- BAT/Agent.QU!tr.dldr
- BAT/Agent.C20D!tr
- LNK/Agent.AG!tr.dldr
- LNK/Agent.3D7B!tr.dldr
- PossibleThreat

What is LockBit ransomware?

LockBit is ransomware that encrypts files on victims' machines and exfiltrates data. It then demands a ransom in exchange for decrypting the affected files and not releasing the stolen data to the public. LockBit functions as Ransomware-as-a-Service (RaaS): the operation has been active for years and provides the LockBit ransomware, operates data leak and ransom payment sites, and offers a ransom negotiation service to its affiliates. Affiliates of LockBit typically earn approximately 70-80% of the proceeds, while the LockBit operators earn the rest.

LockBit recently came to light again this week because Evil Corp reportedly switched their ransomware to LockBit in order to avoid sanctions imposed by the U.S. government. Evil Corp is a threat actor group known to have developed and used the Dridex banking malware for financial gain. Dridex was also used to deliver other malware, such as ransomware, to victims' machines. Ransomware families previously alleged to be associated with Evil Corp include BitPaymer, DoppelPaymer, WastedLocker and Hades. FortiGuard Labs previously released a Threat Signal on LockBit. See the Appendix for a link to "LockBit 2.0 Ransomware as a Service (RaaS) Incorporates Enhanced Delivery Mechanism via Group Policy".

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against recent LockBit ransomware samples:

- W32/LockBit.29EA!tr.ransom
- W32/Generic.AC.171!tr
- MSIL/Generic.EBMY!tr
- W32/Filecoder.NXQ!tr.ransom
- W32/Filecoder.OAN!tr.ransom

What is WhiteCat ransomware?

WhiteCat is a new Chaos ransomware variant. It checks for a "forbidden country" by looking at the current input language/keyboard. If the current input/keyboard is set to "az-Latn-
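As an added example (not code from Fortinet or from the Threat Signal), the following PowerShell triage script checks a Windows host for the YourCyanide artifacts described above: files renamed with the ".cyn" extension in the listed user folders, a disabled Task Manager, swapped mouse buttons, and shortcut (.lnk) files whose target launches PowerShell. The registry values DisableTaskMgr and SwapMouseButtons are assumptions about how the ransomware implements those two behaviours; the page does not name them. The script only reads state and is meant to be run in the context of the affected user.

```powershell
# Added triage example (not Fortinet's code). Checks a host for the YourCyanide
# artifacts the Threat Signal describes. The registry values used for the Task
# Manager and mouse-button checks are assumptions about how the ransomware
# implements those behaviours; the page does not name them.

# Files renamed with the ".cyn" extension in the user folders the page lists.
function Get-CynRenamedFiles {
    param([string]$UserProfile = $env:USERPROFILE)
    $folders = 'Desktop', 'Documents', 'Music', 'Pictures', 'Videos', 'Downloads'
    foreach ($name in $folders) {
        $path = Join-Path $UserProfile $name
        if (Test-Path -LiteralPath $path) {
            Get-ChildItem -LiteralPath $path -Recurse -File -Filter '*.cyn' -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension -eq '.cyn' }   # guard against 8.3 short-name matches
        }
    }
}

# Assumption: Task Manager is disabled through the DisableTaskMgr policy value.
function Test-TaskManagerDisabled {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $key -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
    return ($null -ne $item -and [int]$item.DisableTaskMgr -eq 1)
}

# Assumption: the mouse buttons are swapped through the SwapMouseButtons value (REG_SZ "1").
function Test-MouseButtonsSwapped {
    $item = Get-ItemProperty -Path 'HKCU:\Control Panel\Mouse' -Name 'SwapMouseButtons' -ErrorAction SilentlyContinue
    return ($null -ne $item -and [string]$item.SwapMouseButtons -eq '1')
}

# Shortcut files in Desktop and Downloads whose target or arguments invoke
# PowerShell, matching the LNK delivery vector the page describes.
function Get-SuspiciousShortcuts {
    param([string]$UserProfile = $env:USERPROFILE)
    $shell = New-Object -ComObject WScript.Shell
    foreach ($name in 'Desktop', 'Downloads') {
        $path = Join-Path $UserProfile $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        Get-ChildItem -LiteralPath $path -Recurse -File -Filter '*.lnk' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
                if ($cmd -match 'powershell|pwsh') {
                    [pscustomobject]@{ Shortcut = $_.FullName; Command = $cmd }
                }
            }
    }
}

# Collects all findings into one object so the result can be logged or exported.
function Invoke-YourCyanideTriage {
    [pscustomobject]@{
        CynFiles            = @(Get-CynRenamedFiles)
        TaskManagerDisabled = Test-TaskManagerDisabled
        MouseButtonsSwapped = Test-MouseButtonsSwapped
        SuspiciousShortcuts = @(Get-SuspiciousShortcuts)
    }
}

$result = Invoke-YourCyanideTriage
$result |
    Select-Object @{ n = 'CynFiles'; e = { $_.CynFiles.Count } },
                  TaskManagerDisabled, MouseButtonsSwapped,
                  @{ n = 'SuspiciousShortcuts'; e = { $_.SuspiciousShortcuts.Count } } |
    Format-List
$result.CynFiles | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
$result.SuspiciousShortcuts | Format-Table -AutoSize
```

Any ".cyn" file, a DisableTaskMgr value of 1, a swapped mouse setting the user did not choose, or a shortcut that launches PowerShell from Downloads is worth escalating; the FortiGuard signatures listed above cover the samples themselves, while these checks surface the side effects on a host the scanner may not have seen.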
Sent Yes
Tags Threat Ransomware Malware Vulnerability


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.