See Cynet’s Autonomous
Breach Protection in Action

Prefer a one-on-one demo? Click here

By clicking next I consent to the use of my personal data by Cynet in accordance with Cynet's Privacy Policy and by its partners

Monthly Ransomware Activity – September 2021 Pt. 2

Part 2

Monthly Ransomware activity

Written by: Maor Huli

Part two will introduce more ransomware activities detected in September

This report will discuss the following:

EXECUTIVE SUMMARY

What is Ransomware-as-a-Service (RaaS)?

Ransomware-as-a-Service (RaaS) is a subscription-based model that lets ransomware developers sell their malicious software to people without any experience in program development.

This model allows the people that bought the software to get constant updates and maintenance from the software developers and thus continue work on new ransomware variants and help with the spread of the existing ones.

The goals for the ransomware authors are either to share the profit from a successful attack or to gain a reputation. The creators consider this a win-win.

What are Ransomware extortions?

We have already observed an evolution in the modus operandi of ransomware. Targeted ransomware attacks by threat groups (also known as “big-game hunting), which include human operated schemes behind them, rely multiple types of extortion:

  1. Single extortion includes file encryption and demands payment to decrypt the files.
  2. Double extortion involves threat actors adding a new threat to victims, not only encrypting their files but also threatening to publish sensitive data should the victims refuse to meet threat actors’ demands.
  3. Triple extortion adds an extra layer by also deploying a distributed-denial-of-service (DDoS) attack on the victim’s encrypted endpoints with the goal of slowing down or preventing the organization’s daily workflow.
  4. Quadruple extortion adds pressure to pay on top of the previous types mentioned by connecting an organization’s stakeholders to the attack.

CYNET 360 VS RANSOMWARE

Black Matter Ransomware

  • Observed since: July 2021
  • Ransomware encryption method: Salsa20 + RSA-1024.
  • Ransomware extension: .K4Hlh4flg
  • Ransomware note: K4Hlh4flg.README.txt
  • Sample hash: 520bd9ed608c668810971dbd51184c6a29819674280b018dc4027bc38fc42e57

Cynet 360 Detections:

A screenshot of a computer Description automatically generated with medium confidence

A screenshot of a computer Description automatically generated with medium confidence

A screenshot of a computer Description automatically generated with medium confidence

Black Matter Overview

After execution, Black Matter ransomware renames the encrypted files with .K4Hlh4flg in the extension for each file:

A picture containing text, plaque, scoreboard Description automatically generated

Once a computer’s files have been encrypted and renamed, it drops the ransomware note as a text file with the same name of the extension – K4Hlh4flg.README.txt – in the victim’s encrypted folders. The note contains decryption instructions along with the communication details.Additionally, the ransomware changes the desktop background:

Graphical user interface, text, application Description automatically generatedGraphical user interface, text, application, email Description automatically generated

Text Description automatically generated

Sodinokibi (REvil) Ransomware

  • Observed since: Mid 2019
  • Ransomware encryption method: Salsa20.
  • Ransomware extension: .random 5-10 strings contains numbers and letters
  • Ransomware note: [Random string]-readme.txt
  • Sample hash: ab0aa003d7238940cbdf7393677f968c4a252516de7f0699cd4654abd2e7ae83

Cynet 360 Detections:

A screenshot of a computer Description automatically generated with medium confidence

A screenshot of a computer Description automatically generated with medium confidence

Graphical user interface, text, application, chat or text message Description automatically generated

A screenshot of a computer Description automatically generated with medium confidence

Sodinokibi (REvil) Overview

Please note that since we are running simulations in a virtual environment, some ransomware can distinguish between the real environment and a virtual one. In our case, the ransomware shuts itself down since it detected the virtual environment. The following screenshots are from different sources.

After execution, REvil ransomware renames the encrypted files with random 5-10 letters and numbers in the extension for each file.

Once a computer’s files have been encrypted and renamed, it drops the ransomware note as a text file with the same name of the random extension [5-10 random numbers and letters]-README.txt in the victim’s encrypted folders. The note contains decryption instructions along with the communication details. Additionally, the ransomware changes the desktop background as well.

Graphical user interface, application Description automatically generated

Graphical user interface, application, Word Description automatically generated

Text Description automatically generated

 

Chaos Ransomware

  • Observed since: June 2021
  • Ransomware encryption method: AES + RSA.
  • Ransomware extension: .CRYPTEDPAY
  • Ransomware note: README.txt
  • Sample hash: c48303fef90e8358c5ce71aba5ab94d567c96a7882abb039eb9583e41218bab0

Cynet 360 Detections:

A screenshot of a computer Description automatically generated with medium confidence

A screenshot of a computer Description automatically generated with medium confidence

Chaos Overview

After execution, Chaos ransomware renames the encrypted files to CRYPTEDPAY in the extension for each file:

Once a computer’s files have been encrypted and renamed, it drops the ransomware note as a text file README.txt in the victim’s encrypted folders. The note contains decryption instructions along with the communication details and the final price for decryption (the attacker asks for the payment with the cryptocurrency Monero). Additionally, the ransomware changes the desktop background as well.

Text Description automatically generated with medium confidenceText Description automatically generated with medium confidence

Text Description automatically generated

James Bond Ransomware

  • Observed since: Late 2021
  • Ransomware encryption method: AES + RSA.
  • Ransomware extension: [email protected]_jamesbond
  • Ransomware note: read_it.txt
  • Sample hash: 1ae72d4c4ecb9d2e61f9dde30292d06231b799e92bcbf49f5aa655179805d010

Cynet 360 Detections:

A screenshot of a computer Description automatically generated with medium confidence

Graphical user interface, application Description automatically generated

Graphical user interface, text, application, chat or text message Description automatically generated

Graphical user interface, application, chat or text message Description automatically generated

James Bond Overview

JamesBond ransomware renames the encrypted files to the attacker’s email and the name of the ransomware .jamesbond in the extension for each file:

Text Description automatically generated

Once a computer’s files have been encrypted and renamed, it drops the ransomware note as a text file read_it.txt in the victim’s encrypted folders and the desktop. The note contains the communication details. Additionally, the ransomware changes the desktop background as well.

Text, application Description automatically generated

 

Text Description automatically generated with low confidence

Atom Silo Ransomware

  • Observed since: September 2021
  • Ransomware encryption method: AES + RSA.
  • Ransomware extension: .ATOMSILO
  • Ransomware note: README-FILE-[hostname]-[time].hta
  • Sample hash: d9f7bb98ad01c4775ec71ec66f5546de131735e6dba8122474cc6eb62320e47b

Cynet 360 Detections:

Graphical user interface, application Description automatically generated

A screenshot of a computer Description automatically generated with medium confidence

A screenshot of a computer Description automatically generated with medium confidence

Atom Silo Overview

AtomSilo ransomware renames the encrypted files to .ATOMSILO in the extension for each file:

Text Description automatically generated

Once a computer’s files have been encrypted and renamed, it drops the ransomware note as an html file that contains the hostname and the time in the name “README-FILE-[hostname]-[time].hta in the victim’s encrypted folders and the desktop. The note contains the communication details along with a demand for $1 million and with a timer that indicates the ransomware will eventually delete the files permanently and will publish the user’s sensitive information as well.

Graphical user interface, text, application, email Description automatically generated

 

Kcry Ransomware

  • Observed since: September 2021
  • Ransomware encryption method: AES + RSA.
  • Ransomware extension: .kcry
  • Ransomware note: kcry-info.txt
  • Sample hash: d1d1f2984d23b53c022e454b0736b65375926d73c7db299f4a931c974ad9a8b4

Cynet 360 Detections:

A screenshot of a computer Description automatically generated with medium confidence

A screenshot of a computer Description automatically generated with medium confidence

A screenshot of a computer Description automatically generated with medium confidence

Kcry Overview

Kcry ransomware changes the host screen for a few seconds to a fake windows update screen, in the meantime, it renames the encrypted files to .kcry in the extension for each file:

A picture containing graphical user interface Description automatically generated

Text Description automatically generated

Once a computer’s files have been encrypted and renamed, it drops the ransomware note as a text file that contains the name of the ransomware “kcry-info.txt” in the startup directory for along with a copy of the ransomware executable (for persistence). The note contains the attacker’s itcoin address and a demand for $200 with no guarantee of restoring the files.

Text Description automatically generated

Graphical user interface, text, application, email Description automatically generated

Redeemer Ransomware

  • Observed since: September 2021
  • Ransomware encryption method: AES + RSA.
  • Ransomware extension: .redeem
  • Ransomware note: Read Me.TXT
  • Sample hash: c74873d7b8cc622379ed49bd0b0e477167ae176aa329b01338666ec4c1a4426b

Cynet 360 Detections:

A screenshot of a computer Description automatically generated

A screenshot of a computer Description automatically generated with medium confidence

A screenshot of a computer Description automatically generated with medium confidence

Redeemer Overview

Redeemer ransomware renames the encrypted files to .redeem in the extension for each file:

Text Description automatically generated

Once a computer’s files have been encrypted and renamed, it drops the ransomware note as a text file “Read Me.TXT” in the encrypted folders. The note contains the attacker’s Bitcoin address and the public encryption key. The note also includes a demand for ransom paid in Monero.

Graphical user interface, application Description automatically generatedA picture containing table Description automatically generated

 

Yandex Ransomware

  • Observed since: September 2021
  • Ransomware extension: .yandex
  • Ransomware note: READ_ME_NOW.txt
  • Sample hash: 85e70eb088b0a36ab3947491789a024b1055c81984114834acd35c79958b5aa5

Cynet 360 Detections:

A screenshot of a computer Description automatically generated with medium confidence

A screenshot of a computer Description automatically generated with medium confidence

A screenshot of a computer Description automatically generated with medium confidence

Yandex Overview

Yandex ransomware renames the encrypted files to .yandex in the extension for each file:

Text Description automatically generated

Once a computer’s files have been encrypted and renamed, it drops the ransomware note as a text file “READ_ME_NOW.txt” in the encrypted folders and changes the desktop background. The note contains the attacker’s Bitcoin address and the decryption price

Text Description automatically generatedText Description automatically generated

Text Description automatically generated with medium confidence

CYNET VARIOUS MECHANISMS

  • AV/AI – This alert triggers when Cynet’s AV/AI engine detects a malicious file that was either dumped on the disk or executed
  • Malicious Binary – This alert triggers when Cynet detects a file that is flagged as malicious in Cynet’s EPS (endpoint scanner) built-in threat intelligence database. This database contains only critical IoCs (such as IOCs of ransomware, hacking tools, etc.).
  • Memory Pattern – This alert triggers when Cynet detects memory strings that are associated with Malware or with malicious files
  • Ransomware Heuristic – This alert triggers when Cynet detects suspicious behavior which can be associated with Ransomware (such as changing file extensions to “.Lock”).
  • Malicious Binary – Process Create Malicious File – This alert triggers when Cynet detects a process that creates a file that is either flagged as malicious in Cynet’s Threat Intelligence database, or associated with suspicious patterns (such as loaded to sensitive directories).
  • Process Monitoring – This alert triggers when a process runs with certain parameters which can indicate suspicious activity (for example, a vssadmin with suspicious parameters such as delete shadow copies).
  • Threat Intelligence Detection – Malicious Binary – This alert triggers when Cynet detects a file that is flagged as malicious in Cynet’s internal threat intelligence database.