One Article Review

Home - The article:
Source Fortinet ThreatSignal
Identifier 5208470
Publication date 2022-06-16 21:35:48 (viewed: 2022-06-17 05:06:42)
Title Ransomware Roundup – 2022/06/16
Text FortiGuard Labs has become aware of several ransomware strains that caught the public's attention for the week of June 13th, 2022. It is imperative to raise awareness about ransomware variants because infections can cause severe damage to organizations. This week's Ransomware Roundup Threat Signal covers Nyx, Solidbit, RobbinHood and HelloXD ransomware along with the Fortinet protections against them.

What is Nyx ransomware?
Nyx is a double-extortion ransomware that was recently discovered. It steals data from the victim, encrypts files on the compromised machine and then demands a ransom from the victim in exchange for file recovery and for not leaking the stolen information to the public. It leaves a ransom note in a file called READ_ME.txt that includes the victim's unique ID, the attacker's contact email address and a secondary email address which the victim should use in case the attacker does not respond within 48 hours of the first email being sent.
Image: Nyx ransomware's ransom note
The ransomware adds the following file extension to the files it encrypts: [victim's unique ID].[the attacker's primary contact email].NYX
Image: Files encrypted by Nyx ransomware

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against Nyx ransomware:
W32/Filecoder.NHQ!tr.ransom

What is Solidbit ransomware?
Solidbit is a ransomware that encrypts files on the compromised machine and demands a ransom from the victim for file recovery.
Image: Solidbit ransomware's lock screen
Solidbit ransomware drops a ransom note in a file named RESTORE-MY-FILES.txt, which includes Solidbit's own TOR site, where the victim is asked to contact the attacker, along with the decryption ID.
Image: Solidbit ransomware's ransom note
The TOR site offers free decryption of one file (up to a maximum file size of 1MB) to prove that decryption works properly. The Solidbit threat actor also provides chat support for victims.
Image: Solidbit ransomware's TOR site

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against Solidbit ransomware:
MSIL/Filecoder.APU!tr.ransom

What is RobbinHood ransomware?
RobbinHood is a ransomware that has been in the wild since at least 2019. It is covered in this week's ransomware roundup because a report recently surfaced that it was responsible for infecting an auto parts manufacturer in February 2022, which resulted in the shutdown of the factories. Written in Golang, RobbinHood is a simple ransomware that encrypts files on the compromised machine and demands a ransom for decrypting the affected files. A typical ransom note left behind by RobbinHood ransomware contains the attacker's bitcoin address and asks the victim to pay the ransom within 3 to 4 days, depending on the ransomware variant. The attacker warns that the ransom amount increases by $10,000 each day if the payment is not made during the specified window. Some RobbinHood ransom notes instead state that the victim's keys will be removed after 10 days, making file recovery impossible, to add pressure on the victim to pay. The attacker also asks the victim not to contact law enforcement or security vendors.
Known file extensions that RobbinHood ransomware adds to encrypted files include ".enc_robbin_hood" and ".rbhd". It also deletes shadow copies, which makes file recovery difficult.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against RobbinHood ransomware:
W32/Robin.AB!tr.ransom
W32/Robin.A!tr
W32/RobbinHood.A!tr.ransom
W32/RobbinHood.A!tr
W32/Ransom_Win32_ROBBINHOOD.SM
W32/Filecoder_RobbinHood.D!tr.ransom
W32/Filecoder_RobbinHood.D!tr
W32/Filecoder_RobbinHood.C!tr
W32/Filecoder_RobbinHood.B!tr.ransom
W32/Filecoder_RobbinHood.B!tr
W32/Filecoder_RobbinHood.A!tr

What is HelloXD ransomware?
HelloXD is a ransomware that targets both Windows and Linux systems. The ransomware has been in the field since at least November 2021 and typically comes with a logo showing a red face with horns.
Image: HelloXD ransomware logo
In order to inhibit file recovery, it deletes shadow copies before encryptin
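Added example, not part of the Fortinet article: a small Python triage helper that flags file names matching the indicators the roundup describes (the RobbinHood extensions, the Nyx "[ID].[email].NYX" naming pattern and the two ransom-note file names). The paths, victim ID and e-mail address in the sample listing are constructed for this example.

```python
import re
from collections import Counter

# Indicators from the roundup: ransom-note file names and encrypted-file
# extensions. The victim IDs, e-mail addresses and paths below are constructed.
RANSOM_NOTES = {
    "read_me.txt": "Nyx",
    "restore-my-files.txt": "Solidbit",
}

EXTENSION_PATTERNS = [
    (re.compile(r"\.enc_robbin_hood$", re.IGNORECASE), "RobbinHood"),
    (re.compile(r"\.rbhd$", re.IGNORECASE), "RobbinHood"),
    # Nyx: "<original name>.<victim ID>.<attacker e-mail>.NYX"
    (re.compile(r"\.[A-Za-z0-9-]+\.[^.\s/\\@]+@[A-Za-z0-9.-]+\.NYX$", re.IGNORECASE), "Nyx"),
]


def classify(path):
    """Map a file path to (family, indicator type), or None if nothing matches."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    family = RANSOM_NOTES.get(name.lower())
    if family:
        return (family, "ransom note")
    for pattern, family in EXTENSION_PATTERNS:
        if pattern.search(name):
            return (family, "encrypted file")
    return None


def triage(paths):
    """Count indicator hits per (family, indicator type) across a file listing."""
    hits = Counter()
    for path in paths:
        result = classify(path)
        if result is not None:
            hits[result] += 1
    return hits


# Constructed file listing standing in for a directory walk of an affected host.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.enc_robbin_hood",
    r"C:\Users\alice\Documents\q2.pptx.rbhd",
    r"C:\Users\alice\Desktop\READ_ME.txt",
    "/srv/share/invoice.pdf.4F2A9C.attacker@example.com.NYX",
    "/srv/share/RESTORE-MY-FILES.txt",
    "/srv/share/notes.txt",
]

if __name__ == "__main__":
    for key, count in sorted(triage(SAMPLE_PATHS).items()):
        print(f"{key[0]:<10} {key[1]:<15} {count}")
```

A generic note name such as READ_ME.txt is a weak signal on its own; a note found next to renamed files is the combination worth acting on.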
Sent Yes
Tags Ransomware Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.