This article summarizes the popular malware hits during July and August 2019. These malware hits use several advanced techniques, such as changing hashes via file obfuscation to evade AVs, using encrypted communication with C2 servers to foil EDRs, and using feature manipulation and tampering to trick AI and machine-learning engines and sandboxes. The following malware and ransomware attacks are listed:
– Fileless Attacks and Living-Off-The-Land (LOTL)
– (Jack-in-the-box)2
– Astaroth Malware
– Sodinokibi Exploits
– GermanWiper Ransomware
– MegaCortex Ransomware
– Silence APT Spreads Malware
– Turla Attacks
Source: https://thehackernews.com/2019/09/its-been-summer-of-ransomware-hold-ups.html
The flow chart in the article did a pretty cool job explaining how it works. The deadliest of them, I think, is the GermanWiper one, which doesn’t encrypt anything but ends up overwriting all the content with zeroes and then eventually destroying the data. I read about this one last month; it had been wreaking havoc in Germany. From what I remember, one of the articles had mentioned that if the users don’t have “offline backups” then the data is destroyed. Think about this – also, how many companies now do offline backups, especially when cloud backup is taking over all of it?
It all starts with emails. According to ZDNet: “These emails claim to be job applications from a person named “Lena Kretschmer.” A CV is attached as a ZIP file to these emails, and contains a LNK shortcut file. The LNK file is booby-trapped and will install the GermanWiper ransomware.
When users run this file, the ransomware will rewrite the content of various local files with the 0x00 (zero character), and append a new extension to all files. This extension has a format of five random alpha-numerical characters, such as .08kJA, .AVco3, .OQn1B, .rjzR8, etc.
After it “encrypts” all targeted files, GermanWiper will open the ransom note (an HTML file) inside the user’s default browser.”
Article link: https://www.zdnet.com/article/germanwiper-ransomware-hits-germany-hard-destroys-files-asks-for-ransom/
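The quoted ZDNet description gives two observable traits of GermanWiper's output: a five-character random extension and file bodies overwritten with 0x00. The following is an added triage script, not code from the article or from ZDNet, that walks a directory and sorts files by those traits, separating zero-filled (wiped, unrecoverable without a backup) files from high-entropy (actually encrypted) ones. The file names in demo() and the entropy threshold are constructed assumptions for illustration.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Name filter from the ZDNet description: five random alphanumerics appended
# to the file name, e.g. invoice.pdf.08kJA. Coarse on purpose: a few genuine
# extensions (.class, .ipynb) also match, so the content check decides.
WIPER_EXT = re.compile(r"\.[A-Za-z0-9]{5}$")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for identical bytes, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(path: str, sample_bytes: int = 65536) -> str:
    """Return "normal", "wiped", "encrypted" or "suspicious" for one file.

    "wiped" means the sampled content is all 0x00: nothing to decrypt, so
    only a backup (ideally offline) can restore it. "encrypted" means a
    wiper-style name with random-looking content, the classic ransomware case.
    """
    if not WIPER_EXT.search(os.path.basename(path)):
        return "normal"
    with open(path, "rb") as fh:
        data = fh.read(sample_bytes)
    if data and data.count(0) == len(data):
        return "wiped"
    if shannon_entropy(data) > 7.5:  # assumed threshold; random bytes score ~7.9
        return "encrypted"
    return "suspicious"  # matching name, odd content: worth a manual look

def triage_directory(root: str) -> dict:
    """Count files per verdict to scope how much data is gone versus encrypted."""
    summary = {"wiped": 0, "encrypted": 0, "suspicious": 0, "normal": 0}
    for dirpath, _, names in os.walk(root):
        for name in names:
            summary[classify_file(os.path.join(dirpath, name))] += 1
    return summary

def demo() -> dict:
    """Constructed sample tree: one zero-filled file, one random-filled, one untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "invoice.pdf.08kJA"), "wb") as f:
            f.write(b"\x00" * 4096)          # what the wiper leaves behind
        with open(os.path.join(tmp, "photo.jpg.AVco3"), "wb") as f:
            f.write(os.urandom(4096))        # stands in for real encryption
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"quarterly notes\n" * 50)
        return triage_directory(tmp)
```

Run demo() to see the three verdicts; pointed at a real share after an incident, a non-zero "wiped" count is the signal that decryption is not an option and restore-from-backup is the only path.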