Monthly Ransomware Activity – February 2022


Written by: Maor Huli

In February, we cover the following ransomware families:

  1. Crysis
  2. LockDown
  3. MonaLisa
  4. Phobos

EXECUTIVE SUMMARY

BleepingComputer is the most up-to-date website summarizing the newest ransomware variants. The Orion team is an integral part of Cynet's research team. The Orion team works around the clock, tracking threat intelligence sources, analyzing payloads, and running automated labs to ensure that our customers are protected against the newest ransomware variants.


In this article, we summarize the ransomware variants reported on BleepingComputer during February.

For each family we present the ransomware itself and how the Cynet 360 platform detects and prevents it through several mechanisms.

CYNET 360 VS RANSOMWARE

Crysis (Dharma) Ransomware

Cynet 360 Detections:


Crysis Overview

Crysis ransomware appends .kl to the extension of each encrypted file.

Upon execution, it immediately encrypts the endpoint and, once the files have been encrypted and renamed, drops a ransom note named info.txt. The note contains the ID of the host and the number of files that were encrypted.


LockDown Ransomware

Cynet 360 Detections:


LockDown Overview

LockDown ransomware appends .Cantopen to the extension of each encrypted file.

Upon execution, it immediately encrypts the endpoint and, once the files have been encrypted and renamed, drops a ransom note named HELP_DECRYPT_YOUR_FILES.txt. The note contains warnings and the attacker's Bitcoin address.


MonaLisa Ransomware

Cynet 360 Detections:


MonaLisa Overview

MonaLisa ransomware appends .nekochan to the extension of each encrypted file.

Upon execution, it immediately encrypts the endpoint and, once the files have been encrypted and renamed, drops a ransom note named info.txt. The note contains the attacker's contact information.


Phobos Ransomware

Cynet 360 Detections:


Phobos Overview

Phobos ransomware appends .ZOZL to the extension of each encrypted file.

Upon execution, it immediately encrypts the endpoint and, once the files have been encrypted and renamed, drops a ransom note named info.txt. The note contains payment instructions and the attacker's Bitcoin address.
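The file-based indicators listed for the four families above (the extension each one appends and the ransom-note filename it drops) are enough for a quick triage sweep of a suspect host. The Python script below is an added example written for this post; it is not Cynet 360 code and is not part of the original article. It encodes only the four extensions and two note names stated above, builds a constructed sample directory tree in a temporary folder so that it runs offline, and attributes an infection by the extension on the encrypted files rather than by the note, because info.txt is shared by three of the four families (and is a plausible benign filename). Function names and the contents of the sample tree are assumptions of the example.

```python
"""Sweep a directory tree for the file-based ransomware indicators
described in this post (added example, not Cynet's code).

Indicators come from the post: the extension each family appends and the
ransom-note filename it drops. Everything else (function names, the
constructed sample tree) is an assumption made for this example.
"""
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Extension appended to encrypted files -> family (from the post).
# Keys are lower-case because NTFS filenames are case-insensitive.
ENCRYPTED_EXTENSIONS = {
    ".kl": "Crysis",
    ".cantopen": "LockDown",
    ".nekochan": "MonaLisa",
    ".zozl": "Phobos",
}

# Ransom-note filename -> families that drop it (from the post).
# info.txt is shared by three families, so a note alone cannot attribute
# an infection; the extension on the encrypted files can.
RANSOM_NOTES = {
    "info.txt": ("Crysis", "MonaLisa", "Phobos"),
    "help_decrypt_your_files.txt": ("LockDown",),
}


def classify(path):
    """Return ('encrypted', family), ('note', families) or None for one path."""
    p = Path(path)
    name = p.name.lower()
    if name in RANSOM_NOTES:
        return "note", RANSOM_NOTES[name]
    # Only the final suffix counts: 'report.docx.kl' -> '.kl'.
    family = ENCRYPTED_EXTENSIONS.get(p.suffix.lower())
    if family:
        return "encrypted", family
    return None


def scan_for_indicators(root):
    """Walk `root` and group hits by family.

    Returns a dict with:
      'encrypted':  {family: [paths]}    files carrying a known appended extension
      'notes':      {filename: [paths]}  ransom notes found (corroborating only)
      'attributed': set of families confirmed by encrypted-file extensions
    """
    result = {"encrypted": defaultdict(list), "notes": defaultdict(list)}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath, fname)
            hit = classify(p)
            if hit is None:
                continue
            kind, value = hit
            if kind == "encrypted":
                result["encrypted"][value].append(str(p))
            else:
                result["notes"][p.name.lower()].append(str(p))
    result["attributed"] = set(result["encrypted"])
    return result


def summarize(result):
    """Render the scan result as short triage lines."""
    lines = []
    for family in sorted(result["attributed"]):
        lines.append(f"{family}: {len(result['encrypted'][family])} encrypted file(s)")
    for note, paths in sorted(result["notes"].items()):
        lines.append(f"note {note} x{len(paths)} (dropped by: {', '.join(RANSOM_NOTES[note])})")
    return lines


def build_sample_tree():
    """Create a constructed sample tree (not real malware output) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="ransom-sweep-"))
    (root / "Documents").mkdir()
    (root / "Documents" / "report.docx.kl").write_bytes(b"\x00" * 16)
    (root / "Documents" / "budget.xlsx.KL").write_bytes(b"\x00" * 16)   # mixed case
    (root / "Documents" / "info.txt").write_text("all your files are encrypted")
    (root / "Pictures").mkdir()
    (root / "Pictures" / "holiday.jpg.Cantopen").write_bytes(b"\x00" * 16)
    (root / "Pictures" / "HELP_DECRYPT_YOUR_FILES.txt").write_text("...")
    (root / "notes.txt").write_text("benign file, must not match")
    (root / "README.md").write_text("benign file, must not match")
    return root


if __name__ == "__main__":
    for line in summarize(scan_for_indicators(build_sample_tree())):
        print(line)
```

Run it against a real host by passing a mounted image or the root of the suspect volume to `scan_for_indicators` instead of the constructed tree. Treat a family as confirmed only when it appears in `attributed`; a lone info.txt hit is a lead to inspect, not an attribution.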
