
RansomEXX Comes into Action Encrypting Files Using AES-CBC


In the latest Profero report, Senior Incident Responder Brenton Morris states that RansomEXX decryptors have failed to decrypt some files for victims who paid the ransom demanded by the attackers behind the Linux/VMware ESXi variant. Profero found that RansomEXX does not lock Linux files appropriately, which can leave data damaged during encryption.

After reverse engineering the RansomEXX Linux encryptor, Profero concluded that the problem was probably caused by this inadequate file locking: if another process wrote to a Linux file while the ransomware was encrypting it, the resulting file would contain the encrypted data followed by unencrypted data.

RansomEXX encrypts data on disk and then demands a ransom for the key needed to decrypt it. Encryption is implemented with the open-source mbedtls library: when the malware runs, it generates a 256-bit key and encrypts every file it can reach with the AES block cipher in ECB mode. A new AES key is generated every second, so different files end up encrypted with different AES keys.

Each AES key is encrypted with a public RSA-4096 key embedded in the malware code and attached to the corresponding encrypted file; the victim must buy the matching private key from the attackers in order to decrypt.

"Some strains of Linux ransomware will attempt to acquire a file lock using fcntl while others will often not attempt to lock files for writing, and instead either knowingly choose to take the risk of corrupting the files or do so unknowingly due to lack of Linux programming experience," Morris said. "The Linux version of RansomEXX did not attempt to lock the file at all."

When RansomEXX encrypts a file, the RSA-encrypted decryption key is appended to the end of that file. After collecting a ransom, the attackers provide a decryptor that decrypts each file's encrypted key and then uses it to decrypt the file's contents.

However, in the problematic files, unencrypted data was appended after the key at the end of the file, so the decryptor could not read the encrypted key correctly and the file could not be decrypted.
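As an added illustration of the failure mode described above (example code written for this page, not Profero's decryptor or RansomEXX's real file format; the 512-byte footer layout and the KEYFTR01 marker are hypothetical):

```python
from typing import Optional, Tuple

# Hypothetical on-disk layout used only for this illustration (NOT RansomEXX's
# real format, and not Profero's decryptor):
#   [AES-ECB ciphertext][512-byte RSA-4096 ciphertext of the file's AES key][marker]
RSA4096_CT_LEN = 512              # an RSA-4096 ciphertext is 4096 bits = 512 bytes
FOOTER_MARKER = b"KEYFTR01"       # hypothetical marker, assumed for the example
FOOTER_LEN = RSA4096_CT_LEN + len(FOOTER_MARKER)


def build_encrypted_file(ciphertext: bytes, wrapped_key: bytes) -> bytes:
    """Lay a file out as the article describes: encrypted body first, the
    RSA-wrapped per-file AES key appended at the very end."""
    if len(wrapped_key) != RSA4096_CT_LEN:
        raise ValueError("wrapped key must be one RSA-4096 ciphertext")
    return ciphertext + wrapped_key + FOOTER_MARKER


def naive_read_key(blob: bytes) -> Optional[bytes]:
    """A decryptor that assumes the key sits exactly at EOF. This is the
    assumption that breaks when an unlocked file received extra bytes
    after the ransomware had finished writing it."""
    if len(blob) < FOOTER_LEN or not blob.endswith(FOOTER_MARKER):
        return None
    return blob[-FOOTER_LEN:-len(FOOTER_MARKER)]


def robust_read_key(blob: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Locate the key footer by scanning for the last marker instead of
    trusting EOF, so bytes appended by another process do not hide it.
    Returns (wrapped_key, ciphertext, trailing_plaintext), or None."""
    idx = blob.rfind(FOOTER_MARKER)
    if idx < RSA4096_CT_LEN:
        return None
    wrapped_key = blob[idx - RSA4096_CT_LEN: idx]
    ciphertext = blob[: idx - RSA4096_CT_LEN]
    trailing = blob[idx + len(FOOTER_MARKER):]
    return wrapped_key, ciphertext, trailing


if __name__ == "__main__":
    # Constructed sample: three ciphertext blocks, a stand-in wrapped key, and
    # a line a log writer appended after the ransomware had already returned.
    sample_key = bytes(range(256)) * 2
    intact = build_encrypted_file(b"\xaa" * 48, sample_key)
    raced = intact + b"2021-07-01 app started\n"
    print("intact, naive :", naive_read_key(intact) == sample_key)    # True
    print("raced,  naive :", naive_read_key(raced))                   # None
    print("raced,  robust:", robust_read_key(raced)[0] == sample_key)  # True
```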

"Because the attackers provide paying victims with a decryption tool they must run to decrypt their files there is a risk that the decryption tool may be malicious. This requires affected victims to reverse engineer the provided decryption tool to ensure there is no hidden payload or malicious features, a time investment that can be problematic for some organizations during a ransomware incident," explains Profero's blog post. 

To help its customers and the wider security industry, Profero has published an open-source RansomEXX decryptor that can decrypt files affected by the file-locking problem.

Victims still need the decryption key from the attackers, but they can now take the time to evaluate the attackers' decryptor rather than being forced to run it straight away.

RansomEXX Ransomware Hits Ecuador’s State-Run CNT Telco


Ecuador's state-run Corporación Nacional de Telecomunicación (CNT) has suffered a massive ransomware attack that disrupted business operations, the payment gateway, and the company's customer support portal.

CNT is a state-run telecommunications carrier that provides fixed-line phone service, mobile service, satellite TV, and internet connectivity. Following the attack, CNT posted a warning on its website stating that it had suffered a ransomware attack and that customer support and online payment were no longer accessible.

"The National Telecommunications Corporation, CNT EP, filed a complaint with the State Attorney General's Office regarding the ransomware attacks on the company's computer systems. The initial investigation is ongoing, and the person behind this incident will be held responsible," read the alert, translated into English.

"This attack affected the care processes in our Integrated Service Centers and Contact Center; in this regard, we indicate to our users that their services will not be suspended for non-payment. We must inform our clients, massive and corporate, that their data is duly protected. We also inform that services such as calls, internet and television operate normally," the company added.

CNT has not yet revealed any details about the attack timeline, but BleepingComputer reported that the attack was carried out by the RansomEXX ransomware operation. The gang claims to have stolen 190 GB of data and has shared screenshots of some of the documents on its hidden data leak site, which is only accessible via links included in ransom notes.

The RansomEXX gang is responsible for numerous high-profile attacks, including Brazil's Rio Grande do Sul court system, Texas Department of Transportation (TxDOT), Konica Minolta, IPG Photonics, nuclear weapons contractor Sol Oriens, and JBS, the world's largest meat producer. 

The ransomware gang first started operating under the name Defray in 2018, but became more active in June 2020 when it rebranded as RansomEXX and began targeting large organizations. Like other ransomware gangs, RansomEXX gains access to a network via purchased credentials, brute-forced RDP servers, or exploits.

Once the attackers have access to a network, they silently spread through it while stealing unencrypted files to use in extortion attempts. After obtaining an administrator password, they deploy the ransomware across the network and encrypt all of its devices.