Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
A new variant of the Dharma Ransomware has been identified that appends the .brrr extension to encrypted files.
IMPACT: CRITICAL
PUBLISH DATE: 17-09-2018
OVERVIEW
The new variant Brrr of the Dharma ransomware is dropped by hacking Remote Desktop services that are directly connected to the internet. After encryption, it sends two ransom notes explaining how to proceed with payments. Unfortunately, there is no free way to decrypt files infected with the Dharma Brrr Ransomware variant. Therefore, taking precautions is extremely important.
ANALYSIS
This Brrr variant along with the entire Dharma ransomware family needs manual installation by attackers who hack into Remote Desktop Services connected directly to the Internet. These attackers scan the internet to find the computers running RDP, usually on TCP port 3389, and then attempt to gain access of the computer through brute force. Known credentials can also be bought from some underground sites for publicly available computers that run remote desktop services.
Once having the access, they can install the ransomware which will proceed to encrypt the computer. The Brrr variant will append an extension in the format of .id-[id].[email].brrr when encrypting a file. For example, a file called test.jpg would be encrypted and renamed to test.jpg.id-BCBEF350.[paydecryption@qq.com].brrr.
Mapped network drives, shared virtual machine host drives, and unmapped network shares can be the potential target. Therefore, securing your network’s shares from unauthorized access is important.
This variant creates two different ransom notes on the targeted computer. One is the Info.hta file launched by an autorun when a user logs into the computer. The HTML version of the ransom note can be seen below.
It says:
“All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paydecryption@qq.com
Write this ID in the title of your message [id]
In case of no answer in 24 hours write us to these e-mails: paydecryption@qq.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non-archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is Local Bitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also, you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss.”
The other note is called FILES ENCRYPTED.txt and can be found on the desktop.
Both of the ransom notes communicate what has happened to the files and how to proceed for getting them decrypted.
The ransomware configuration will automatically execute it when you log-in to Windows, attempting to encrypt any new files created since the last execution.
INDICATORS OF COMPROMISE
MITIGATION