Monthly Ransomware Activity – January 2022


Written by: Maor Huli


In January, we cover the following ransomware families:

  1. Golang
  2. WaspLocker
  3. NightSky
  4. Chaos
  5. Paradise
  6. Exploit

EXECUTIVE SUMMARY

Here at Orion, an integral part of Cynet’s research team, we are working around the clock to ensure our customers are protected against the most recent ransomware variants. We track threat intelligence sources, analyze payloads and automate labs. In this article, we bring to you the latest ransomware variants from January, based on Bleeping Computer – the most up-to-date ransomware news website. We explain how these ransomware variants operate and how the Cynet 360 platform detects and prevents them via several mechanisms.


CYNET 360 VS RANSOMWARE

Golang Ransomware

Cynet 360 Detections:

[Screenshots: Cynet 360 detection alerts for the Golang sample]

Golang Overview

Golang ransomware renames the encrypted files with the .xyz extension:

[Screenshot: encrypted files renamed with the .xyz extension]

Once a computer’s files have been encrypted and renamed, it drops a ransom note named _Readme_.txt.

Upon execution, it immediately encrypts the endpoint and drops the ransom note. The note contains the decryption price (in XMR) and the attacker’s wallet address.

[Screenshots: the _Readme_.txt ransom note]

WaspLocker Ransomware

Cynet 360 Detections:

[Screenshots: Cynet 360 detection alerts for the WaspLocker sample]

WaspLocker Overview

BlueLocker ransomware renames each encrypted file with a .locked extension:

[Screenshot: encrypted files renamed with the .locked extension]

Once a computer’s files have been encrypted and renamed, the ransomware pops up a window containing the ransom text, the BTC address and a countdown timer:

[Screenshot: the WaspLocker ransom window with BTC address and timer]


NightSky Ransomware

Cynet 360 Detections:

[Screenshots: Cynet 360 detection alerts for the NightSky sample]

NightSky Overview

After execution, NightSky ransomware renames the encrypted files with the .nightsky extension.

[Screenshot: encrypted files renamed with the .nightsky extension]

Once a computer’s files have been encrypted and renamed, it drops a note as an .hta file named NightSkyReadMe.hta. The file contains instructions on how to pay to get the encrypted files back.

[Screenshots: the NightSkyReadMe.hta ransom note]

 

Chaos Ransomware

Cynet 360 Detections:

[Screenshots: Cynet 360 detection alerts for the Chaos sample]

Chaos Overview

After execution, Chaos ransomware renames each encrypted file with the .GoldenWolf42 extension:

[Screenshot: encrypted files renamed with the .GoldenWolf42 extension]

Once a computer’s files have been encrypted and renamed, it drops a note as a text (.txt) file named read_it.txt. The text file contains instructions on how to pay to get the encrypted files back.

[Screenshots: the read_it.txt ransom note]

Paradise Ransomware

Cynet 360 Detections:

[Screenshots: Cynet 360 detection alerts for the Paradise sample]

Paradise Overview

After execution, Paradise ransomware renames each encrypted file with the .prt extension:

[Screenshot: encrypted files renamed with the .prt extension]

Once a computer’s files have been encrypted and renamed, it drops a note as a text (.txt) file named “instructions with your files.txt”. The text file contains instructions on how to pay to get the encrypted files back.

[Screenshots: the “instructions with your files.txt” ransom note]

 

Exploit Ransomware

Cynet 360 Detections:

[Screenshots: Cynet 360 detection alerts for the Exploit sample]

Exploit Overview

After execution, Exploit ransomware renames each encrypted file with the .exploit extension:

[Screenshot: encrypted files renamed with the .exploit extension]

Once a computer’s files have been encrypted and renamed, it drops a note as a text file named “RECOVERY INFORMATION.txt”. The text file has instructions explaining how to pay to get the encrypted files back.

[Screenshots: the “RECOVERY INFORMATION.txt” ransom note]
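As an added example (not code from the original report or from Cynet 360), the following Python script turns the file-name indicators collected in the six overviews above into a simple hunting rule and runs it over a constructed sample of file-system events, such as an EDR file-activity log. The "time action path" event format, the RENAME/CREATE actions and the rename threshold are assumptions.

```python
import re
from collections import defaultdict

# Indicators from the six overviews above: the extension given to encrypted
# files and the ransom-note file name each family drops. A bare extension such
# as .locked or .prt is a weak signal on its own, so a family is reported only
# when its note file appears or many files take its extension.
FAMILIES = {
    "Golang":     {"ext": ".xyz",          "note": "_readme_.txt"},
    "WaspLocker": {"ext": ".locked",       "note": None},  # note is a pop-up, not a file
    "NightSky":   {"ext": ".nightsky",     "note": "nightskyreadme.hta"},
    "Chaos":      {"ext": ".goldenwolf42", "note": "read_it.txt"},
    "Paradise":   {"ext": ".prt",          "note": "instructions with your files.txt"},
    "Exploit":    {"ext": ".exploit",      "note": "recovery information.txt"},
}

# Constructed sample events in an assumed "time action path" format.
SAMPLE_EVENTS = """\
10:00:01 RENAME C:\\Users\\bob\\Documents\\q1.xlsx.nightsky
10:00:01 RENAME C:\\Users\\bob\\Documents\\plan.docx.nightsky
10:00:02 RENAME C:\\Users\\bob\\Pictures\\dog.jpg.nightsky
10:00:02 CREATE C:\\Users\\bob\\Desktop\\NightSkyReadMe.hta
10:05:00 CREATE C:\\Users\\bob\\Downloads\\report.prt
10:07:00 CREATE C:\\Users\\bob\\Desktop\\notes.txt
"""

LINE_RE = re.compile(r"^(\S+)\s+(RENAME|CREATE)\s+(.+)$")
RENAME_THRESHOLD = 3  # assumed: this many files with one extension is suspicious


def scan_events(text, threshold=RENAME_THRESHOLD):
    """Return {family: {"renamed": [paths], "notes": [paths]}} for each family
    whose ransom note was seen or whose rename count reached the threshold."""
    hits = defaultdict(lambda: {"renamed": [], "notes": []})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not file events
        path = m.group(3)
        # Compare on the lower-cased base name so Windows case differences do not matter.
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        for family, ind in FAMILIES.items():
            if ind["note"] and name == ind["note"]:
                hits[family]["notes"].append(path)
            elif name.endswith(ind["ext"]):
                hits[family]["renamed"].append(path)
    return {f: v for f, v in hits.items()
            if v["notes"] or len(v["renamed"]) >= threshold}
```

On the sample, only NightSky is reported: three renames plus its note file, while the single report.prt stays below the threshold and is not flagged as Paradise.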
