July 9, 2020
Severity
High
Analysis Summary
A new ransomware named FileCry, after WannaCry, has been discovered and analyzed by researchers. Once it runs, it encrypts every file in the targeted folders and their subfolders and appends the suffix .filecry to each file name. A dialog box is then displayed directing the victim to a Bitcoin wallet address and a contact e-mail address, demanding 0.035 BTC; the actors claim to send a decryption key once payment is made.
The "encryption" in the current version of FileCry is very plain: it simply adds 1 to the numeric value of every byte of each file (a fixed shift applied to the raw bytes, not a cipher keyed on a secret), then renames the file with the .filecry suffix. The decryption key appears to be hard-coded directly into the routine that checks the key the victim enters, so no per-victim secret is involved at any point.
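The transform described above, modelled in Python as an added example (this is not code from the ransomware or from Rewterz). The advisory says each byte is incremented by 1 and the file gets a .filecry suffix; it does not say what happens to byte 0xFF, so the model assumes the increment wraps modulo 256. The magic-byte table used as a plausibility check is also an assumption, not something the advisory describes. The point is that a fixed byte shift with no secret key is fully reversible, so recovery does not depend on the attackers' "key" at all.

```python
"""Model of the FileCry byte transform and a matching recovery routine.

Added illustrative code, not a sample from the malware or from Rewterz.
Assumptions not stated in the advisory:
  * the +1 increment wraps modulo 256 (0xFF -> 0x00);
  * the MAGIC table below (common file headers) is only a sanity check.
"""
import os
from typing import List, Optional

SUFFIX = ".filecry"

# Assumed: a few common file headers, used to sanity-check recovered data
# before anyone trusts a decrypted file.
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip/office",
    b"MZ": "pe",
    b"\xff\xd8\xff": "jpeg",
}


def _shift(data: bytes, delta: int) -> bytes:
    """Add `delta` to every byte, wrapping modulo 256 (assumed behaviour)."""
    return bytes((b + delta) & 0xFF for b in data)


def filecry_encrypt(data: bytes) -> bytes:
    """Model of the malware's transform: every byte incremented by 1."""
    return _shift(data, 1)


def filecry_decrypt(data: bytes) -> bytes:
    """Inverse of the transform: every byte decremented by 1."""
    return _shift(data, -1)


def restore_name(path: str) -> str:
    """Strip the appended .filecry suffix; refuse names that lack it."""
    if not path.endswith(SUFFIX):
        raise ValueError(f"not a FileCry-encrypted name: {path}")
    return path[: -len(SUFFIX)]


def plausible_plaintext(data: bytes) -> Optional[str]:
    """Return a file-type label if `data` starts with a known header, else None."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def recover_file(path: str, overwrite: bool = False) -> str:
    """Decrypt one .filecry file next to the original; return the restored path.

    The encrypted file is left in place so that a mistaken assumption about
    the transform cannot destroy the only remaining copy of the data.
    """
    target = restore_name(path)
    if os.path.exists(target) and not overwrite:
        raise FileExistsError(target)
    with open(path, "rb") as fh:
        plain = filecry_decrypt(fh.read())
    with open(target, "wb") as fh:
        fh.write(plain)
    return target


def recover_tree(root: str) -> List[str]:
    """Walk `root`, decrypt every *.filecry file, return the restored paths."""
    restored = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(SUFFIX):
                restored.append(recover_file(os.path.join(dirpath, name)))
    return sorted(restored)


if __name__ == "__main__":
    # Constructed sample: a fake PDF header run through the modelled transform.
    sample = b"%PDF-1.7\n% constructed sample, not a real document\n"
    enc = filecry_encrypt(sample)
    print("header recognisable while encrypted:", plausible_plaintext(enc))
    print("header after decryption:", plausible_plaintext(filecry_decrypt(enc)))
    print("round trip ok:", filecry_decrypt(enc) == sample)
```

Before running `recover_tree` over a real share, decrypt one file and confirm `plausible_plaintext` (or simply opening the file) gives the expected result; if the real sample turns out not to wrap at 0xFF, only `_shift` needs to change.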
Impact
File encryption
Indicators of Compromise
MD5
- 4899accb55b148537d9b02232cb665a4
- d8f7cc08aec6f3ca5d8a45a02f928b8e
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Do not pay the ransom: because the transform is a fixed shift of every byte rather than keyed encryption, affected files can be restored by reversing it, and the hard-coded key check does not depend on anything the attackers hold.