Monthly Ransomware Activity – September 2021 Pt. 2


Written by: Maor Huli

Part two introduces more ransomware activity detected in September.

This report will discuss the following:

EXECUTIVE SUMMARY

What is Ransomware-as-a-Service (RaaS)?

Ransomware-as-a-Service (RaaS) is a subscription-based model that lets ransomware developers sell their malicious software to people with no experience in software development.

Under this model, the buyers of the software receive constant updates and maintenance from its developers, who in turn keep working on new ransomware variants and help spread the existing ones.

The ransomware authors aim either to share in the profit from a successful attack or to gain a reputation. The creators consider this a win-win.

What are Ransomware extortions?

We have already observed an evolution in the modus operandi of ransomware. Targeted ransomware attacks by threat groups (also known as “big-game hunting”), which have human operators behind them, rely on multiple types of extortion:

  1. Single extortion includes file encryption and demands payment to decrypt the files.
  2. Double extortion involves threat actors adding a new threat to victims, not only encrypting their files but also threatening to publish sensitive data should the victims refuse to meet threat actors’ demands.
  3. Triple extortion adds an extra layer by also deploying a distributed-denial-of-service (DDoS) attack on the victim’s encrypted endpoints with the goal of slowing down or preventing the organization’s daily workflow.
  4. Quadruple extortion adds pressure to pay on top of the previous types mentioned by connecting an organization’s stakeholders to the attack.

CYNET 360 VS RANSOMWARE

Black Matter Ransomware

Cynet 360 Detections:

[Screenshots: Cynet 360 detection alerts for Black Matter]

Black Matter Overview

After execution, Black Matter ransomware renames each encrypted file by appending the extension .K4Hlh4flg:

[Screenshot: encrypted files with the .K4Hlh4flg extension]

Once a computer’s files have been encrypted and renamed, it drops the ransom note as a text file named after the extension, K4Hlh4flg.README.txt, in the victim’s encrypted folders. The note contains decryption instructions along with the communication details. Additionally, the ransomware changes the desktop background:

[Screenshots: Black Matter ransom note and desktop background]

Sodinokibi (REvil) Ransomware

Cynet 360 Detections:

[Screenshots: Cynet 360 detection alerts for Sodinokibi (REvil)]

Sodinokibi (REvil) Overview

Please note that since we run our simulations in a virtual environment, some ransomware can distinguish between a real environment and a virtual one. In our case, the ransomware shut itself down after detecting the virtual environment. The following screenshots are therefore taken from other sources.

After execution, REvil ransomware renames each encrypted file by appending an extension of 5-10 random letters and numbers.

Once a computer’s files have been encrypted and renamed, it drops the ransom note as a text file named after the random extension, [5-10 random numbers and letters]-README.txt, in the victim’s encrypted folders. The note contains decryption instructions along with the communication details. Additionally, the ransomware changes the desktop background.

[Screenshots: REvil ransom note and desktop background, from external sources]

Chaos Ransomware

Cynet 360 Detections:

[Screenshots: Cynet 360 detection alerts for Chaos]

Chaos Overview

After execution, Chaos ransomware renames each encrypted file by appending the extension .CRYPTEDPAY.

Once a computer’s files have been encrypted and renamed, it drops the ransom note as a text file, README.txt, in the victim’s encrypted folders. The note contains decryption instructions, the communication details and the final price for decryption (the attacker asks for payment in the cryptocurrency Monero). Additionally, the ransomware changes the desktop background.

[Screenshots: Chaos ransom note and desktop background]

James Bond Ransomware

Cynet 360 Detections:

[Screenshots: Cynet 360 detection alerts for James Bond]

James Bond Overview

JamesBond ransomware renames each encrypted file by appending the attacker’s email address and the ransomware’s name, .jamesbond, to the extension:

[Screenshot: encrypted files with the .jamesbond extension]

Once a computer’s files have been encrypted and renamed, it drops the ransom note as a text file, read_it.txt, in the victim’s encrypted folders and on the desktop. The note contains the communication details. Additionally, the ransomware changes the desktop background.

[Screenshots: James Bond ransom note and desktop background]

Atom Silo Ransomware

Cynet 360 Detections:

[Screenshots: Cynet 360 detection alerts for Atom Silo]

Atom Silo Overview

AtomSilo ransomware renames each encrypted file by appending the extension .ATOMSILO:

[Screenshot: encrypted files with the .ATOMSILO extension]

Once a computer’s files have been encrypted and renamed, it drops the ransom note as an HTML Application (.hta) file whose name contains the hostname and the time, “README-FILE-[hostname]-[time].hta”, in the victim’s encrypted folders and on the desktop. The note contains the communication details along with a demand for $1 million and a timer indicating that the ransomware will eventually delete the files permanently and publish the user’s sensitive information.

[Screenshot: AtomSilo ransom note]

Kcry Ransomware

Cynet 360 Detections:

[Screenshots: Cynet 360 detection alerts for Kcry]

Kcry Overview

Kcry ransomware changes the host screen for a few seconds to a fake Windows update screen; in the meantime, it renames each encrypted file by appending the extension .kcry:

[Screenshots: fake Windows update screen and encrypted files with the .kcry extension]

Once a computer’s files have been encrypted and renamed, it drops the ransom note as a text file named after the ransomware, “kcry-info.txt”, in the Startup directory, along with a copy of the ransomware executable (for persistence). The note contains the attacker’s Bitcoin address and a demand for $200 with no guarantee of restoring the files.

[Screenshots: Kcry ransom note]

Redeemer Ransomware

Cynet 360 Detections:

[Screenshots: Cynet 360 detection alerts for Redeemer]

Redeemer Overview

Redeemer ransomware renames each encrypted file by appending the extension .redeem:

[Screenshot: encrypted files with the .redeem extension]

Once a computer’s files have been encrypted and renamed, it drops the ransom note as a text file, “Read Me.TXT”, in the encrypted folders. The note contains the attacker’s Bitcoin address and the public encryption key. The note also includes a demand for a ransom paid in Monero.

[Screenshots: Redeemer ransom note]

Yandex Ransomware

Cynet 360 Detections:

[Screenshots: Cynet 360 detection alerts for Yandex]

Yandex Overview

Yandex ransomware renames each encrypted file by appending the extension .yandex:

[Screenshot: encrypted files with the .yandex extension]

Once a computer’s files have been encrypted and renamed, it drops the ransom note as a text file, “READ_ME_NOW.txt”, in the encrypted folders and changes the desktop background. The note contains the attacker’s Bitcoin address and the decryption price.

[Screenshots: Yandex ransom note and desktop background]
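The file-name indicators described in the overviews above (the fixed extensions, the ransom-note names, REvil’s per-victim random extension and Kcry’s drop in the Startup directory) can be turned into a simple triage check for a disk image or file listing. The following Python script is an added example written for this page, not code from Cynet or from the report. The sample file listing is constructed, and the corroboration rules (a bare README.txt is only reported next to a .CRYPTEDPAY file, and a REvil-style random extension is only recognised through the matching <ext>-README.txt note in the same directory) are the example’s own design choices, added to keep false positives down.

```python
"""
Added example, not part of Cynet's report: a file-name indicator matcher for
the ransomware families described above. It only looks at extensions and
ransom-note names taken from the write-ups (no file contents), so hits are
triage leads for an analyst, not a verdict.
"""
import os
import posixpath
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Fixed extensions from the report (compared case-insensitively).
EXTENSIONS = {
    ".k4hlh4flg": "BlackMatter",
    ".cryptedpay": "Chaos",
    ".jamesbond": "JamesBond",
    ".atomsilo": "AtomSilo",
    ".kcry": "Kcry",
    ".redeem": "Redeemer",
    ".yandex": "Yandex",
}

# Ransom-note names from the report. "README.txt" (Chaos) is too generic to
# report on its own, so it is only reported beside a .CRYPTEDPAY file.
NOTE_NAMES = {
    "k4hlh4flg.readme.txt": "BlackMatter",
    "readme.txt": "Chaos",
    "read_it.txt": "JamesBond",
    "kcry-info.txt": "Kcry",
    "read me.txt": "Redeemer",
    "read_me_now.txt": "Yandex",
}
WEAK_NOTES = {"readme.txt"}

# REvil: 5-10 random letters/digits as extension, note named "<ext>-README.txt".
REVIL_NOTE = re.compile(r"^([a-z0-9]{5,10})-readme\.txt$", re.IGNORECASE)
# AtomSilo: "README-FILE-[hostname]-[time].hta".
ATOMSILO_NOTE = re.compile(r"^readme-file-.+-.+\.hta$", re.IGNORECASE)


def classify(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Map family name -> matching paths. Files are grouped by directory so
    that corroboration (note and encrypted files side by side) can be checked."""
    by_dir: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        norm = p.replace("\\", "/")  # accept Windows or POSIX separators
        by_dir[posixpath.dirname(norm)].append(norm)

    hits: Dict[str, List[str]] = defaultdict(list)
    for files in by_dir.values():
        names = {p: posixpath.basename(p) for p in files}
        exts = {p: posixpath.splitext(n)[1].lower() for p, n in names.items()}

        # Pass 1: fixed extensions, strong enough on their own.
        families_here = set()
        for p in files:
            fam = EXTENSIONS.get(exts[p])
            if fam:
                hits[fam].append(p)
                families_here.add(fam)

        # Pass 2: ransom notes; REvil's per-victim extension is read off the note name.
        revil_exts = set()
        kcry_note_here = False
        for p in files:
            low = names[p].lower()
            fam = NOTE_NAMES.get(low)
            if fam:
                if low in WEAK_NOTES and fam not in families_here:
                    continue  # a plain README.txt with no encrypted files next to it
                hits[fam].append(p)
                kcry_note_here = kcry_note_here or fam == "Kcry"
                continue
            m = REVIL_NOTE.match(low)
            if m:
                revil_exts.add("." + m.group(1))
                hits["REvil"].append(p)
            elif ATOMSILO_NOTE.match(low):
                hits["AtomSilo"].append(p)

        # Pass 3: REvil-encrypted files are only recognisable via the note's extension.
        for p in files:
            if exts[p] in revil_exts:
                hits["REvil"].append(p)

        # Kcry drops its note in the Startup folder beside a copy of itself, so an
        # executable next to kcry-info.txt is reported as a persistence lead.
        if kcry_note_here:
            for p in files:
                if exts[p] == ".exe":
                    hits["Kcry"].append(p)
    return dict(hits)


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a real directory tree (for example a mounted disk image) and classify it."""
    paths = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs]
    return classify(paths)


# Constructed sample listing (not real telemetry); forward slashes keep it portable.
STARTUP = "C:/Users/alice/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/budget.xlsx.K4Hlh4flg",
    "C:/Users/alice/Documents/K4Hlh4flg.README.txt",
    "C:/Users/alice/Pictures/holiday.jpg.x7k2pq",
    "C:/Users/alice/Pictures/x7k2pq-README.txt",
    "C:/Users/alice/Desktop/notes.docx.CRYPTEDPAY",
    "C:/Users/alice/Desktop/README.txt",
    "C:/Program Files/SomeApp/README.txt",  # ordinary readme, no encrypted files
    STARTUP + "/kcry-info.txt",
    STARTUP + "/svc.exe",
    "C:/Users/alice/Music/song.mp3.yandex",
    "C:/Users/alice/Music/READ_ME_NOW.txt",
    "C:/Users/alice/Videos/clip.mp4",  # benign
]

if __name__ == "__main__":
    for family, files in sorted(classify(SAMPLE_PATHS).items()):
        print(family)
        for f in files:
            print("   ", f)
```

Run against a mounted image with `scan_tree("/mnt/image")`; the grouping by directory is what lets the script stay quiet on the many legitimate README.txt files a Windows host carries while still reporting the Chaos note when it sits beside encrypted files.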

CYNET VARIOUS MECHANISMS
