GetCrypt | CrySIS | Lokibot

Alert ID: JMCIRT-AL-2019.032
Alert Date: Wednesday, May 29, 2019
Threat Level: High


GetCrypt Ransomware


Original release date: May 28, 2019
Jamaica CIRT has become aware of a new ransomware family called GetCrypt being distributed through malvertising campaigns.

Overview
The campaigns redirected users to a site hosting the RIG exploit kit, which was used to attempt to exploit vulnerabilities on the visiting computer. Successful exploitation led to the download of the GetCrypt ransomware, which first checks the victim host's language and terminates if it is set to Ukrainian, Belarusian, Russian, or Kazakh. If it does not terminate, it clears all volume shadow copies to prevent potential recovery efforts. It then scans the system to identify files to be encrypted and performs the encryption using the Salsa20 and RSA-4096 encryption algorithms. A ransom note is left behind demanding payment in exchange for the decryption key. Along with encrypting accessible network drives, this malware is unique in its use of brute force attacks to attempt to mount shares that require additional authentication. A decryption tool has been released to assist in the recovery of files without ransom payment.


Recommendations
• Ensure anti-virus software and associated files are up to date.
• Search for existing signs of the indicated IOCs in your environment.
• Block all URL- and IP-based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices.
• Keep applications and operating systems running at the current released patch level.
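The overview notes that GetCrypt deletes all volume shadow copies before encrypting, which is one of the few host-side signals that precedes the encryption itself. The following is an added example, not part of the advisory and not Jamaica CIRT's tooling: a small Python detector that scans process-creation records (a simplified key=value layout modelled on Sysmon Event ID 1 fields, with constructed sample lines) for command lines that delete shadow copies, and rates the finding higher when the parent process runs from a user-writable path. The field names, the sample hosts and users, and the path heuristic are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed process-creation records in a simplified key=value layout
# (field names modelled on Sysmon Event ID 1). These sample lines are made
# up for this example, not telemetry from the incident in the advisory.
SAMPLE_EVENTS = [
    r'ts=2019-05-28T10:02:11Z host=WS-07 user=CORP\jdoe image=C:\Windows\System32\vssadmin.exe parent=C:\Users\jdoe\AppData\Local\Temp\update.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'ts=2019-05-28T10:02:12Z host=WS-07 user=CORP\jdoe image=C:\Windows\System32\wbem\WMIC.exe parent=C:\Users\jdoe\AppData\Local\Temp\update.exe cmdline="wmic shadowcopy delete"',
    r'ts=2019-05-28T10:05:40Z host=SRV-BK user=CORP\backupsvc image=C:\Windows\System32\vssadmin.exe parent="C:\Program Files\BackupAgent\agent.exe" cmdline="vssadmin.exe list shadows"',
    r'ts=2019-05-28T10:06:01Z host=WS-03 user=CORP\asmith image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe cmdline="notepad.exe notes.txt"',
]

# Command lines that remove volume shadow copies. Listing or creating
# shadows is normal administrative activity and is deliberately not matched.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
]

# A parent process under a user-writable path makes the deletion far more
# suspicious than one launched from a backup product's install directory
# (assumed heuristic for this example).
USER_WRITABLE = re.compile(r"\\(?:temp|appdata|downloads|public)\\", re.I)

# key=value pairs; quoted values may contain spaces
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value record into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def find_shadow_copy_deletion(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per event whose command line deletes shadow copies."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmdline", "")
        if not any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            continue
        parent = ev.get("parent", "")
        findings.append({
            "ts": ev.get("ts", ""),
            "host": ev.get("host", ""),
            "user": ev.get("user", ""),
            "parent": parent,
            "cmdline": cmd,
            "severity": "high" if USER_WRITABLE.search(parent) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['ts']} {f['host']} {f['user']} "
              f"parent={f['parent']} :: {f['cmdline']}")
```

On the sample lines the two deletions from the Temp-launched parent are reported as high severity, while the backup agent's "list shadows" call is ignored; in production the same logic would be fed from a SIEM query or Sysmon export rather than the embedded list.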


CrySIS Ransomware Increase


Original release date: May 28, 2019
Jamaica CIRT has become aware of an increase in activity of the CrySIS ransomware.


Overview
The observed activity involving the ransomware increased significantly (148%) from February to April 2019. The ransomware is primarily targeted at businesses and may be delivered as an email attachment or as installable files masquerading as a legitimate application. It is most commonly delivered through RDP, with the attackers obtaining RDP credentials from leaks or by brute forcing weak credentials. Once installed, the malware achieves persistence through registry entries and may, on certain versions of Windows, attempt to run with administrator privileges, which increases the number of files it can encrypt. Once the encryption routines have completed and certain details have been sent to a C&C server, a ransom note is placed on the infected system's desktop.


Recommendations
• Ensure anti-virus software and associated files are up to date.
• Search for existing signs of the indicated IOCs in your environment.
• Block all URL- and IP-based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices.
• Keep applications and operating systems running at the current released patch level.
• Exercise caution with emails.
• Ensure RDP credentials are strong and RDP is properly configured.
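Because the overview states that CrySIS operators most often obtain access by brute forcing weak RDP credentials, the brute-force attempt itself is visible in the Windows Security log before any encryption occurs. The following is an added example, not part of the advisory and not Jamaica CIRT's tooling: a Python detector that reads simplified logon records (assumed fields modelled on Windows Security Event IDs 4625 and 4624 with logon type 10, RemoteInteractive), flags any source address with ten or more failed RDP logons inside a five-minute window, and records whether a successful RDP logon from the same address followed, which is the pattern of a guessed password. The sample events, the threshold and window, and the TEST-NET addresses are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

RDP_LOGON_TYPE = "10"               # RemoteInteractive (Terminal Services / RDP)
FAILED_LOGON, SUCCESS_LOGON = "4625", "4624"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _line(ts: datetime, event_id: str, user: str, ip: str) -> str:
    """Build one simplified logon record (field names are assumptions)."""
    return (f"ts={ts.strftime(TS_FORMAT)} EventID={event_id} LogonType=10 "
            f"TargetUserName={user} IpAddress={ip}")


# Constructed sample: one source tries twelve passwords across several
# accounts within 90 seconds and then logs in successfully; another source
# fails three times over twenty minutes, which is ordinary user behaviour.
BASE = datetime(2019, 5, 28, 3, 14, 0)
SPRAY_USERS = ["administrator", "admin", "backup", "administrator", "sysadmin", "administrator",
               "scan", "guest", "administrator", "helpdesk", "administrator", "test"]
SAMPLE_EVENTS = (
    [_line(BASE + timedelta(seconds=7 * i), FAILED_LOGON, u, "203.0.113.45")
     for i, u in enumerate(SPRAY_USERS)]
    + [_line(BASE + timedelta(seconds=84), SUCCESS_LOGON, "administrator", "203.0.113.45")]
    + [_line(BASE + timedelta(minutes=40 + 10 * i), FAILED_LOGON, "jdoe", "198.51.100.7")
       for i in range(3)]
)


def parse_event(line: str) -> Dict[str, str]:
    """Split a space-separated key=value record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def detect_rdp_brute_force(lines: List[str], threshold: int = 10,
                           window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Flag source IPs with `threshold` or more failed RDP logons inside
    `window`, and note whether a successful RDP logon from that IP followed."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    recent: Dict[str, deque] = defaultdict(deque)   # ip -> failure times in window
    tried: Dict[str, set] = defaultdict(set)        # ip -> account names attempted
    alerts: Dict[str, dict] = {}
    for ev in events:
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        ts = datetime.strptime(ev["ts"], TS_FORMAT)
        ip = ev["IpAddress"]
        q = recent[ip]
        while q and ts - q[0] > window:              # expire failures outside the window
            q.popleft()
        if ev["EventID"] == FAILED_LOGON:
            q.append(ts)
            tried[ip].add(ev["TargetUserName"])
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"first_failure": q[0], "success_after": False})
                alert.update(failures=len(q), last_failure=ts, accounts=sorted(tried[ip]))
        elif ev["EventID"] == SUCCESS_LOGON and ip in alerts:
            # a success after a burst of failures is the signature of a guessed password
            alerts[ip]["success_after"] = True
            alerts[ip]["logged_in_as"] = ev["TargetUserName"]
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_brute_force(SAMPLE_EVENTS).items():
        print(f"{ip}: {a['failures']} failures against {len(a['accounts'])} accounts "
              f"between {a['first_failure']} and {a['last_failure']}; "
              f"success after: {a['success_after']}")
```

The sliding window is what keeps the check from firing on a user who mistypes a password a few times a day; the "success after" flag is the item to escalate first, since it marks the session that then drops the ransomware. Exposing RDP only behind a VPN or gateway with multi-factor authentication removes most of this noise at the source.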


Lokibot Email Campaign


Original release date: May 29, 2019
Jamaica CIRT has become aware of an email campaign distributing the Lokibot malware via an .xls attachment.


Overview
A potential victim receives an email with the subject "BBVA-Confirming transferencia de pago" (translated: "BBVA-Confirming payment transfer"). The sender was observed as "BBVA Banco Continental <pago1@expomaquinaria.es>". Within the body of the email, the adversary attempts to entice the user to open the attachment "Detalles de la transferencia de pago.xls" to review the transfer. The infection process begins once the .xls attachment is opened, ultimately leading to the Lokibot malware being installed on the victim's system. It reportedly abuses the NGROK service to establish a secure tunnel and download the malware from the cloud. This technique makes detecting the malware extremely difficult.


Recommendations
• Ensure anti-virus software and associated files are up to date.
• Search for existing signs of the indicated IOCs in your environment.
• Block all URL- and IP-based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices.
• Keep applications and operating systems running at the current released patch level.
• Always be suspicious of unsolicited email.
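The indicators in this advisory (sender address, subject and attachment name) are exact-match IoCs, but the same message also exhibits two generic features worth checking on every inbound mail: a display name claiming a bank while the sending domain belongs to someone else, and a macro-capable Office attachment. The following is an added example, not part of the advisory and not Jamaica CIRT's tooling: a Python triage routine using the standard library's email package that applies both the advisory's IoCs and those generic heuristics to a constructed message reproducing the observed headers. The brand-to-domain allow-list, the attachment extension list and the sample recipient are assumptions made for this example.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List

# Exact-match indicators taken from the advisory above
ADVISORY_IOCS = {
    "sender": "pago1@expomaquinaria.es",
    "subject": "BBVA-Confirming transferencia de pago",
    "attachment": "Detalles de la transferencia de pago.xls",
}

# Brand keywords and the domains allowed to use them in a display name.
# Constructed allow-list for this example; an organisation maintains its own.
BRAND_DOMAINS = {"bbva": {"bbva.com", "bbva.es"}}

# Office formats that can carry macros (assumed list for this example)
MACRO_CAPABLE = {".xls", ".xlsm", ".xlsb", ".doc", ".docm"}


def build_sample_message() -> EmailMessage:
    """Constructed message reproducing the headers reported in the advisory.
    The attachment body is placeholder bytes, not the real lure."""
    msg = EmailMessage()
    msg["From"] = "BBVA Banco Continental <pago1@expomaquinaria.es>"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "BBVA-Confirming transferencia de pago"
    msg.set_content("Adjuntamos los detalles de la transferencia de pago.")
    msg.add_attachment(b"placeholder-not-a-real-workbook",
                       maintype="application", subtype="vnd.ms-excel",
                       filename="Detalles de la transferencia de pago.xls")
    return msg


def triage(raw: bytes) -> List[str]:
    """Return the list of reasons an inbound message should be held for review."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    # display name claims a brand, but the envelope domain is not that brand's
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and domain not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is {domain}")
    if addr.lower() == ADVISORY_IOCS["sender"]:
        findings.append("sender address matches advisory IoC")

    subject = str(msg["Subject"] or "")
    if ADVISORY_IOCS["subject"].lower() in subject.lower():
        findings.append("subject matches advisory IoC")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        ext = os.path.splitext(name)[1].lower()
        if ext in MACRO_CAPABLE:
            findings.append(f"macro-capable attachment: {name}")
        if name.lower() == ADVISORY_IOCS["attachment"].lower():
            findings.append("attachment name matches advisory IoC")
    return findings


if __name__ == "__main__":
    for reason in triage(build_sample_message().as_bytes()):
        print("HOLD:", reason)
```

The two heuristic checks (brand/domain mismatch and macro-capable attachment) would still fire if the campaign rotated its sender address or subject line, which is why they are worth running alongside the exact indicators rather than instead of them.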