
RansomEXX Comes into Action Encrypting Files Using AES-CBC


In the latest Profero report, Senior Incident Responder Brenton Morris states that RansomEXX decryptors have failed to decrypt some files for victims who paid the ransom demanded after an attack with the Linux (VMware ESXi) version of the malware. Profero found that the RansomExx gang's Linux encryptor does not lock files properly, which can corrupt data during encryption.

After reverse engineering the RansomExx Linux encryptor, Profero concluded that the problem was most likely caused by this inadequate handling of Linux files: if another process writes to a file while the ransomware is encrypting it, the resulting file contains the encrypted data followed by unencrypted data appended afterward.

RansomEXX encrypts the data on disk and then demands a ransom for the key needed to decrypt it. Encryption is implemented with the open-source mbedtls library: when the malware runs, it generates a 256-bit key and encrypts the files using the AES block cipher in ECB mode. A new AES key is generated every second, so different files are encrypted with different AES keys.

Each AES key is encrypted with an RSA-4096 public key embedded in the malware code and attached to the corresponding encrypted file; the matching private key, which the attackers sell to the victim, is required for decryption.

"Some strains of Linux ransomware will attempt to acquire a file lock using fcntl while others will often not attempt to lock files for writing, and instead either knowingly choose to take the risk of corrupting the files or do so unknowingly due to lack of Linux programming experience," Morris said. "The Linux version of RansomEXX did not attempt to lock the file at all."

When RansomExx encrypts a file, the RSA-encrypted AES key is appended to the end of that file. After collecting a ransom, the attackers provide a decryptor that decrypts the key at the end of each file and uses it to decrypt the file's contents.

In the problematic files, however, unencrypted data was appended after the encrypted key, so the decryptor cannot read the key correctly and the file is not decrypted.
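The file layout described above (a fresh per-file AES key, RSA-wrapped and appended to the end of the file) and the way a fixed-offset decryptor breaks once plaintext is appended after encryption, as an added in-memory model that is not Profero's or the malware's code. AES and RSA are replaced by hashlib-based stand-ins so it runs on the standard library alone; the trailer marker, its sizes and the key-encryption key are assumptions, not the real format.

```python
import hashlib
import os
WRAPPED_KEY_LEN = 512        # assumed: size of one RSA-4096 ciphertext in the trailer
MAGIC = b"MODEL-TRAILER-v1"  # constructed marker; the real trailer format is not documented here

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for AES: SHA-256 counter keystream XORed over the data (symmetric).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap_key(file_key: bytes, kek: bytes) -> bytes:
    # Stand-in for RSA-4096 wrapping: pad to the trailer size, encrypt under the KEK.
    return keystream_xor(kek, file_key.ljust(WRAPPED_KEY_LEN, b"\0"))

def unwrap_key(blob: bytes, kek: bytes) -> bytes:
    return keystream_xor(kek, blob)[:32]

def encrypt_file(plaintext: bytes, kek: bytes) -> bytes:
    # Fresh 256-bit per-file key; the wrapped key is appended after the ciphertext.
    file_key = os.urandom(32)
    return keystream_xor(file_key, plaintext) + MAGIC + wrap_key(file_key, kek)

def naive_decrypt(blob: bytes, kek: bytes) -> bytes:
    # Assumes the trailer is the last bytes of the file; breaks once anything is appended.
    start = len(blob) - len(MAGIC) - WRAPPED_KEY_LEN
    if start < 0 or blob[start:start + len(MAGIC)] != MAGIC:
        raise ValueError("trailer not at expected offset")
    file_key = unwrap_key(blob[start + len(MAGIC):], kek)
    return keystream_xor(file_key, blob[:start])

def tolerant_decrypt(blob: bytes, kek: bytes) -> bytes:
    # Locates the trailer by its marker (ciphertext is pseudorandom, so the first hit is
    # the real one); bytes after the trailer are late plaintext and are returned as-is.
    idx = blob.find(MAGIC)
    end = idx + len(MAGIC) + WRAPPED_KEY_LEN
    if idx < 0 or end > len(blob):
        raise ValueError("no complete trailer found")
    file_key = unwrap_key(blob[idx + len(MAGIC):end], kek)
    return keystream_xor(file_key, blob[:idx]) + blob[end:]

# Constructed demo: a file encrypted, then written to by another process afterwards.
KEK = b"constructed-key-encryption-key"
ORIGINAL = b"sensor reading 42\n" * 20
LATE_WRITE = b"sensor reading 43\n"
ENCRYPTED = encrypt_file(ORIGINAL, KEK)
APPENDED = ENCRYPTED + LATE_WRITE
```

Running `naive_decrypt(APPENDED, KEK)` raises because the trailer is no longer at the end, while `tolerant_decrypt` recovers the original content plus the late write.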

"Because the attackers provide paying victims with a decryption tool they must run to decrypt their files there is a risk that the decryption tool may be malicious. This requires affected victims to reverse engineer the provided decryption tool to ensure there is no hidden payload or malicious features, a time investment that can be problematic for some organizations during a ransomware incident," explains Profero's blog post. 

Profero has published an open-source RansomEXX decryptor that can decrypt files affected by the file-lock problem, to assist its customers and the cyber security industry at large.

Victims still need the private decryption key from the attackers, but they can now use the open-source decryptor instead of the attackers' tool, and take the time to evaluate the one provided by the threat actors.

RansomExx Gang Target French Health Insurance Company in a Ransomware Attack


Mutuelle Nationale des Hospitaliers (MNH), a French health insurance company, has been hit by a ransomware attack that has severely disrupted its operations. MNH provides health insurance services, with plans focused on the health sector.

The company's website mnh.fr displays a notice stating that it has been affected by a cyberattack that began on February 5. Because of the attack, its computer systems and telephone services are unavailable. Members use the MNH website to obtain insurance quotes and to manage their services and benefits.

Gerard Vuidepot, CEO of MNH, stated that “the MNH has been undergoing a cyber-attack since Friday, February 5, 2021. Computer systems have been disconnected for security reasons. Our websites (mnh.fr, member area, corresponding and elected extranets) and our telephone platform (3031) are temporarily unavailable. The processing times for your requests are being extended”.

According to BleepingComputer, an independent security researcher shared a Tor web page that acts as the ransom negotiation page for the MNH attack and links to the mnh.fr website. The page explains how the cybercriminals will negotiate with the firm, advises MNH to use a ProtonMail account during negotiations, and warns it not to contact the police, claiming that the police would seize the company's bank accounts.

The site allows the victim to send a single email to the ransomware gang and to perform a test decryption of a single file. According to BleepingComputer, this Tor site is operated by RansomExx, a rebranded version of the Defray777 ransomware. The group has been active since 2018; since renaming itself RansomExx in June 2020, its operations have become more potent and it has been targeting high-profile companies.

Some of the high-profile organizations targeted by the RansomExx group in the past include the Texas Department of Transportation (TxDOT), Konica Minolta, Brazilian government networks, IPG Photonics, and Tyler Technologies. RansomExx has also developed its own Linux version so that it can target all critical servers and data within an organization.