Rewterz penetration testing services help organizations determine whether a cyber attacker can gain access to their critical assets, while giving them detailed insight into the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
A recent version of the ransomware, Kraken Cryptor 1.5, poses as the SuperAntiSpyware program to trick users into installing it.
IMPACT: CRITICAL
PUBLISH DATE: 17-09-2018
OVERVIEW:
August 2018 saw the appearance of a new ransomware family called Kraken Cryptor. Its latest version, Kraken Cryptor 1.5, masquerades as the legitimate SuperAntiSpyware anti-malware program so that users are tricked into installing it. Once files have been encrypted, there is no free way to decrypt them.
ANALYSIS:
The campaign began when an attacker gained access to the superantispyware.com site and distributed the ransomware from it.
The Kraken Cryptor installer found on VirusTotal was named SUPERAntiSpywares.exe, the legitimate SuperAntiSpyware filename with an extra trailing "s". The malicious executable has since been removed from the website. The ransomware also reuses the SuperAntiSpyware icon, so the lookalike filename and icon together let it pass for the real installer.
Users who were directed to SUPERAntiSpywares.exe and ran it found their files encrypted. The executable carries an embedded configuration file that is easily extracted; it lists the malware's modules and whether each is enabled, processes to terminate, the public encryption key, contact email addresses, ransom prices, file extensions to encrypt, files and folders to skip, countries and languages whose systems are not encrypted, and more.
The "processes to stop" portion of this configuration is given below. These are mostly database engines and mail clients, which the ransomware terminates before encryption so that files they hold open are not locked.
The processes include:
agntsvcagntsvc, agntsvcencsvc, agntsvcisqlplussvc, dbeng50, dbsnmp, firefoxconfig, msftesql, mydesktopqos, mydesktopservice, mysqld, mysqld-nt, mysqld-opt, ocomm, ocssd, oracle, sqbcoreservice, sqlagent, sqlbrowser, sqlservr, sqlwriter, sqlwb, synctime, tbirdconfig, and xfssvccon
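A kill list like the one above is a usable detection signal: a host that terminates several of these services within seconds is behaving like ransomware preparing to encrypt, not like an administrator. The following is an added example, not Rewterz's code and not anything taken from Kraken Cryptor; it turns the advisory's process list into a burst detector over process-termination telemetry. The event shape (timestamp, host, terminated image path, in the spirit of Sysmon Event ID 5), the host names, timestamps and the window/threshold values are constructed for illustration.

```python
"""Detect a ransomware-style "kill list" burst from process-termination telemetry.

Added example (not Rewterz's code and not Kraken Cryptor's): only the kill list
comes from the advisory; the event format, hosts, timestamps and thresholds
below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Process names the advisory reports under "processes to stop" in the
# Kraken Cryptor 1.5 configuration (mostly database engines and mail clients).
KRAKEN_KILL_LIST = frozenset("""
agntsvcagntsvc agntsvcencsvc agntsvcisqlplussvc dbeng50 dbsnmp firefoxconfig
msftesql mydesktopqos mydesktopservice mysqld mysqld-nt mysqld-opt ocomm ocssd
oracle sqbcoreservice sqlagent sqlbrowser sqlservr sqlwriter sqlwb synctime
tbirdconfig xfssvccon
""".split())

# Constructed sample telemetry: (ISO timestamp, host, terminated image path).
SAMPLE_EVENTS = [
    ("2018-09-17T10:00:01", "db01", r"C:\Windows\System32\svchost.exe"),
    ("2018-09-17T10:00:03", "db01", r"C:\Program Files\MySQL\bin\mysqld.exe"),
    ("2018-09-17T10:00:04", "db01", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"),
    ("2018-09-17T10:00:04", "db01", r"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"),
    ("2018-09-17T10:00:05", "db01", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.exe"),
    ("2018-09-17T10:00:06", "db01", r"C:\Program Files\Mozilla Thunderbird\tbirdconfig.exe"),
    # A routine restart elsewhere: one database process, hours apart. Must not alert.
    ("2018-09-17T02:30:00", "ws22", r"C:\Program Files\MySQL\bin\mysqld.exe"),
    ("2018-09-17T14:45:00", "ws22", r"C:\Program Files\MySQL\bin\mysqld.exe"),
]


def image_name(path):
    """Lower-cased basename without extension, e.g. 'sqlservr' for ...\\sqlservr.exe."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[0].lower() if "." in base else base.lower()


def detect_kill_list_bursts(events, kill_list=KRAKEN_KILL_LIST,
                            window_seconds=60, threshold=3):
    """Alert when one host terminates >= threshold distinct kill-list processes
    inside a sliding window of window_seconds.

    Returns a list of (host, first_timestamp_in_window, sorted process names),
    at most one alert per host.
    """
    alerts = []
    recent = defaultdict(deque)   # host -> deque of (timestamp, name) within the window
    alerted = set()
    for ts_str, host, path in sorted(events):   # ISO timestamps sort chronologically
        name = image_name(path)
        if name not in kill_list:
            continue                            # ordinary process churn is ignored
        ts = datetime.fromisoformat(ts_str)
        window = recent[host]
        window.append((ts, name))
        while window and ts - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()                    # drop events that fell out of the window
        distinct = {n for _, n in window}
        if len(distinct) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append((host, window[0][0].isoformat(), sorted(distinct)))
    return alerts


if __name__ == "__main__":
    for host, first_ts, names in detect_kill_list_bursts(SAMPLE_EVENTS):
        print(f"ALERT {host}: {len(names)} kill-list processes stopped from {first_ts}: {names}")
```

Run against the constructed events, db01 raises one alert (mysqld, sqlservr and sqlwriter stopped within two seconds) while ws22's isolated restarts do not. On real telemetry the window and threshold need tuning, and a patch window that restarts many database services will also trip the rule; correlate a hit with a burst of file renames to the ransomware's extension before treating it as confirmed.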
INDICATORS OF COMPROMISE
Hash:
Files:
The ransom note contains a unique victim key and instructions on how to make a 0.125 bitcoin ransom payment.
Associated emails:
MITIGATION