Post thumbnail

Written by: Maor Huli, Research Analyst

The ransomware from November to introduce are:

  1. CrySpheRe
  2. Inlock
  3. Anon_by
  4. Faust

EXECUTIVE SUMMARY

As an integral department in Cynet’s research team, Orion works around the clock to track threat intelligence resources, analyze payloads, and automate labs to ensure that our customers are protected against the newest ransomware variants. In these monthly reports, Orion reviews the latest trends identified in Bleeping Computer — the most up-to-date website that summarizes the newest ransomware variants — and shares how Cynet detects these threats.

Graphical user interface, text, application, email Description automatically generated


CYNET 360 AutoXDR™ VS RANSOMWARE

CrySpheRe Ransomware

  • Observed since: Nov 2022
  • Ransomware encryption method: AES + RSA
  • Ransomware extension: .CrySpheRe
  • Ransomware note: КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
  • Sample hash: 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63

 

Cynet 360 AutoXDR™ Detections:

Graphical user interface, text Description automatically generated

CrySpheRe Overview

CrySpheRe ransomware renames the encrypted files with .CrySpheRe in the extension:

Graphical user interface, application Description automatically generated

Once a computer’s files have been encrypted and renamed, it drops a note as “КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt”(No Russian Languange in the machine):

Graphical user interface, text Description automatically generated

The ransomware note contains general information, warnings, and the attacker’s email address:

Text Description automatically generated


Inlock Ransomware

  • Observed since: Nov 2022
  • Ransomware encryption method: AES + RSA
  • Ransomware extension: .inlock
  • Ransomware note: READ_IT.txt
  • Sample hash: 96e48ea92e40ebe25e26aa769b38cbe27f26f2718d184a6ba2fd3bb900992ebd

 

Cynet 360 AutoXDR™ Detections:

Graphical user interface, text, website Description automatically generated

Graphical user interface, text Description automatically generated

Inlock Overview

Inlock ransomware renames the encrypted files with .inlock in the extension:

Text, letter Description automatically generated

Once a computer’s files have been encrypted and renamed, it drops a note named “READ_IT.txt”:

Graphical user interface, text, application Description automatically generated

The ransomware note contains general information and warnings, seemingly in Spanish:

Text Description automatically generated

After Translation:

The attacker says the decryption key will be sent once the payment arrives.

Text Description automatically generated


Anon_by Ransomware

  • Observed since: Nov 2022
  • Ransomware encryption method: AES + RSA
  • Ransomware extension: .anon_by
  • Ransomware note: anon_by.txt
  • Sample hash: 057824bbb1dca42df1af0cacde596f8a5d3bbf09a71bdbee5d2b48168b533e35

Cynet 360 AutoXDR™ Detections:

Graphical user interface, text Description automatically generated

Graphical user interface, text, application Description automatically generated

Anon_by Overview

Anon_by ransomware renames the encrypted files with .anon_by in the extension:

Text Description automatically generated

Once a computer’s files have been encrypted and renamed, it drops a note named “anon_by.txt”:

Graphical user interface, application Description automatically generated

Upon execution, it immediately encrypts the endpoint and drops the ransomware note. The ransomware note contains vague general information, as well as the attacker’s tags:

Graphical user interface, text, application, email Description automatically generated

Translated:

Graphical user interface, text, application Description automatically generated


Faust Ransomware

  • Observed since: Nov 2022
  • Ransomware encryption method: AES + RSA
  • Ransomware extension: .faust
  • Ransomware note: info.txt | .hta
  • Sample hash: 0385dd2419adf0fe1a1e5d5ed28aaecbceb1411010fb06a1b0798d84eca4732e

 

Cynet 360 AutoXDR™ Detections:

Graphical user interface, text Description automatically generated

Faust Overview

Faust ransomware renames the encrypted files with the attacker’s contact email and .faust in the extension:

Text Description automatically generated

Once a computer’s files have been encrypted and renamed, it drops a note named “info.txt”:

Text Description automatically generated with low confidence

And opens the note as a .hta file:

Graphical user interface Description automatically generated

Upon execution, it immediately encrypts the endpoint. Then, after a while (approximately 15 minutes), it drops the ransomware note. The ransomware note contains general information and the attacker’s contact information:

Graphical user interface, text, application Description automatically generated

The hta file contains additional information, along with the general information in the text file. It also contains information on a free decryption option, how to buy bitcoins, and generic warnings:

Graphical user interface, application, Teams Description automatically generated