Monthly Ransomware Activity – September 2021 Pt. 1

Written by: Maor Huli

This report is split into two parts that cover ransomware activity for September 2021.

Part one will introduce the following ransomware:

  1. LockFile
  2. Locky
  3. Black Kingdom
  4. Conti
  5. Dharma
  6. Phobos
  7. Sanwai
  8. STOP

EXECUTIVE SUMMARY


What is ransomware?

Ransomware is a type of malware used to digitally extort victims into paying a ransom. It is also used to prevent or limit users from accessing their files or systems.

The file types most commonly targeted by ransomware are .doc, .xls, .jpg, .zip, .pdf, and other data files.

Ransomware has become more sophisticated over time. While the original ransomware was limited to encrypting a single endpoint, current variants have advanced distribution mechanisms.

Recently, attackers have targeted large corporations, and we wanted to share a few examples of ransomware attacks that affected massive organizations:

Who is targeted by ransomware groups and why?

We think that the easy answer is everyone, but the truth is that the answer is more complex. Keep in mind that ransomware is a lucrative business model. Most of the threat groups that use ransomware try to infect as many computers as possible in order to hit an organization that will probably pay the ransom.

The Cynet 360 platform detects and prevents ransomware attacks via several technology mechanisms. Cynet NGAV integrates multiple prevention technologies to maximize the defense of our customers’ environments. Additionally, Cynet’s threat intelligence utilizes over 30 live feeds of various Indicators of Compromise.

BleepingComputer is the most up-to-date website that summarizes the newest ransomware variants.

The Cynet Orion Threat Research team is an integral department of Cynet’s research organization. The Orion team works around the clock to add more rules that strengthen Cynet 360’s detection capabilities. Part of Orion’s team tasks include following posts on BleepingComputer about new ransomware variants and threats. Our overall goal is to detect every threat that appears.


In this article, we have summarized ransomware variants from September based on BleepingComputer. We will present recent ransomware and how the Cynet 360 platform detects them via several mechanisms.

 

CYNET 360 VS RANSOMWARE

 

LockFile Ransomware

Cynet 360 Detections:


LockFile Overview

LockFile ransomware renames the encrypted files with a .lockfile extension:


Once a computer’s files have been encrypted and renamed, LockFile drops a ransom note as an .hta file that also contains the hostname. Upon execution, it uses mshta.exe to open the note. The note contains the threat actors’ email address, the ransom demand, and instructions on how to pay.


Locky Ransomware

Cynet 360 Detections:


Locky Overview

Locky ransomware renames the encrypted files with a .odin extension:


Once a computer’s files have been encrypted and renamed, Locky drops a note as an HTML file whose name contains random numbers and the string “HOWDO_text”. Upon execution, it uses the host’s default browser to open the note.

The note itself contains two links to the attackers’ website with further instructions: the first for the “clear web” and the second for the “dark web”. The note also contains the victim’s ID.


Black Kingdom Ransomware

Cynet 360 Detections:


Black Kingdom Overview

Black Kingdom ransomware mostly targets executables, pictures, and documents in folders such as Downloads, Documents, and the Desktop. It renames encrypted files with a .svyx extension:


Once a computer’s files have been encrypted and renamed, it drops a text (.txt) note named README.txt containing instructions on how to pay to get the encrypted files back.

The ransomware also starts a process named “Tango Down!” whose window stays on top of everything, including the taskbar, so the user may think the ransomware changed the desktop background and removed the desktop shortcuts. This window also shows a countdown timer, and the attacker threatens to delete the files once it reaches zero.


 

Conti Ransomware

Cynet 360 Detections:


Conti Overview

Conti ransomware renames the encrypted files with a random five-letter extension that differs on each run.

Please note that, since we run our simulations in a virtual environment, some ransomware can distinguish between a real environment and a virtual one. In our case the ransomware shut itself down after detecting the virtual environment, so the following screenshots are from other sources.


Once a computer’s files have been encrypted and renamed, it drops a text (.txt) note named Readme.txt containing instructions on how to pay to get the encrypted files back.


Dharma (Crysis) Ransomware

Cynet 360 Detections:


Dharma (Crysis) Overview

Dharma ransomware renames the encrypted files with the victim’s personal ID, the attacker’s email address, and a .dts extension:


Once a computer’s files have been encrypted and renamed, the only way to communicate with the attacker is to email the address embedded in the encrypted file names, as shown above.

 

Phobos Ransomware

Cynet 360 Detections:


Phobos Overview

After execution, Phobos ransomware renames the encrypted files with the victim ID, the attacker’s contact information, and the variant name in the extension of each file:


Once a computer’s files have been encrypted and renamed, it pops up a message window with the ransom note and the communication details. Additionally, it drops the ransom note as a text file named info.txt on the victim’s desktop.


Sanwai Ransomware

Cynet 360 Detections:


Sanwai Overview

After execution, Sanwai ransomware renames the encrypted files with “sanwai” and a random number in the extension of each file:


Once a computer’s files have been encrypted and renamed, it drops the ransom note as a text file named IMPORTANT.txt in the victim’s encrypted folders. The note contains the price to decrypt the files and the attacker’s public Bitcoin wallet address.


STOP Ransomware

Cynet 360 Detections:


STOP Overview

After execution, STOP ransomware renames the encrypted files with a .nusm extension:


Once a computer’s files have been encrypted and renamed, it drops the ransom note as a text file named _readme.txt in the victim’s encrypted folders. The note contains decryption instructions along with the price and the communication details.

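As an added, defender-side example (not part of the Cynet report), the file-name indicators given above for these eight families can be turned into a simple triage over a directory listing: the known extensions and ransom-note names from this report, plus Conti’s random five-letter extension as a weaker “suspect” signal that is only confirmed when a matching note is also present. The position of the e-mail address inside a Dharma name, the “sanwai” then number order, the five-letter allow-list and the sample listing are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed from the prose of this report; exact layout of IDs and e-mail
# addresses inside a renamed file is an assumption, as is the COMMON_EXT allow-list.
FILE_RULES = [
    ("LockFile",      re.compile(r"\.lockfile$")),
    ("Locky",         re.compile(r"\.odin$")),
    ("Black Kingdom", re.compile(r"\.svyx$")),
    ("Dharma",        re.compile(r"@.*\.dts$")),     # attacker e-mail somewhere before .dts
    ("Sanwai",        re.compile(r"\.sanwai\d+$")),  # 'sanwai' followed by a random number
    ("STOP",          re.compile(r"\.nusm$")),
]
# Ransom-note names; README.txt is shared by two families and is weak on its own.
NOTE_FILES = {"readme.txt": ("Black Kingdom", "Conti"), "info.txt": ("Phobos",),
              "important.txt": ("Sanwai",), "_readme.txt": ("STOP",)}
COMMON_EXT = {"docx", "xlsx", "jpeg", "pptx", "class", "ascii"}  # benign 5-letter extensions (constructed)

def classify(name, hostname):
    """Map one file name to (kind, families); kind is 'file', 'note', 'suspect' or None."""
    n, host = name.lower(), hostname.lower()
    for fam, rx in FILE_RULES:
        if rx.search(n):
            return "file", (fam,)
    if n.endswith(".hta") and host and host in n:             # LockFile note carries the hostname
        return "note", ("LockFile",)
    if n.endswith((".html", ".htm")) and "howdo_text" in n:   # Locky note
        return "note", ("Locky",)
    if n in NOTE_FILES:
        return "note", NOTE_FILES[n]
    m = re.search(r"\.([a-z]{5})$", n)                        # Conti: random five-letter extension
    if m and m.group(1) not in COMMON_EXT:
        return "suspect", ("Conti?",)
    return None, ()

def triage(listing, hostname, threshold=3):
    """Count hits per family; >= threshold renamed files plus a dropped note = confirmed."""
    files, notes = Counter(), set()
    for name in listing:
        kind, fams = classify(name, hostname)
        if kind in ("file", "suspect"):
            files[fams[0]] += 1
        elif kind == "note":
            notes.update(fams)
    confirmed = sorted(f.rstrip("?") for f, c in files.items()
                       if c >= threshold and f.rstrip("?") in notes)
    return {"files": dict(files), "notes": sorted(notes), "confirmed": confirmed}

# Constructed sample listing: a Conti-style run (random 5-letter extension) plus one STOP file
SAMPLE = ["budget.xlsx.kxqpa", "photo.jpg.kxqpa", "thesis.docx.kxqpa", "Readme.txt",
          "notes.docx", "report.pdf.nusm", "LOCKFILE-readme-WS01.hta"]
```

Running `triage(SAMPLE, "WS01")` reports three Conti-suspect files with a matching Readme.txt as a confirmed Conti run, while the single .nusm file stays an unconfirmed STOP hit.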

CYNET’S VARIOUS MECHANISMS
