Rewterz Threat Alert – Ryuk Evolved Its Encryption and Evasion Techniques
October 23, 2020
Rewterz Threat Alert – Malware Leveraging XMRig Miner
October 26, 2020
Severity
High
Analysis Summary
Fresh IoCs have been retrieved from a campaign distributing the GandCrab ransomware. GandCrab campaigns typically rely on emails crafted to deceive the recipient into downloading an attached malicious document. The infection process begins once the victim opens the attachment; note that the malware can only install itself if the victim enables macros. As is customary with other ransomware, it aims to lock the victim's files and demand payment of a ransom. GandCrab usually targets consumers and businesses running Microsoft Windows PCs, and it has been involved in some of the biggest ransomware attacks, causing massive monetary loss to victims.
Impact
- File Encryption
- Data Exfiltration
Indicators of Compromise
Hostname
- ns1[.]wowservers[.]ru
- ns1[.]corp-servers[.]ru
- dns2[.]soprodns[.]ru
- dns1[.]soprodns[.]ru
MD5
- 7afebd1853e753b338f0d08d97fc5188
- 8ddd282381722e5550f51436127a7ce4
- 96051652799d1c6e1d3cabd260a651f7
- dec4ee964072e269911b24f7bf5b521c
- bc5dc83dad365ffbbb0677bc32f58e23
- e438e4e1a2a37e8f742a927782c93de3
- 10235215a4324e54cea71b9f3c7e22ca
- cab33343d673dec539a4062eecfe214c
- 99b06f8f29e3c8c1a5437ef2ee3d8f4a
- 1059a8c36d05a9c228e1fa880ddb2ce2
- 76f40a2d4cbdf72ddb131c72752961be
- 70a8189e3055b6b706f51cbdadd8833d
- 7ed3a9c10b88974f1f69ec634c6a841b
- 6e68033b74ea9f72edc31e85acefdf9c
- ab64ce62dbefbc538d43dc934856c938
SHA-256
- 3ffacac4692092bfdf1e8793e9dd7fbfda5844ae422649a6cb56f98a0e53fc03
- 7fc3b32ef1eb2111c2601c251645e9e7c57cea8f2e05a5999df19c4a7d19f514
- a255f75c0cc9e43d64935655b61da603d220ed2fb7f4d65aa5148424f890c1bc
- c74a07d9b50fa56d58056fdecca83e520e91ae3d4e49d5ea7617435075e62040
- 087bd85077a894263f29298870077ade3a117ae57e3e87f614c4a4ed3c525160
- 2a2cde098d81dd444eadda59f3d5a0af03e9956e5c3f6efcf7d7a799218fc847
- 0280e04537cdb7b25dabac3108e29a986ad7206e0f575539ec25870902b7d650
- 8ac8a6d9c5bfa6a00abf1266e501139198156d4b52aca535966bc45124c1b3c2
- ce91f43f13bb96fa8a3a54aa6710f6a09353d32fb033e5d4de6ed46aa1d0b712
- fe70f8da014b916a049fad0abec4124a6b16dc7820891b0c704b3eef84d0b888
- 2f8d3b774b42ef8198c5d9f76d139490b90e61d20342afb2d524793409ef5cfe
- 91056df61fa958d17a52e6eed114de7409f9111b86d22ac3ce8d722ae19d8de3
- 36780c43281071d5cc35aa1b81c2a412db1cb2be655412879c7de072eec66c29
- 88dc87856150d0cbcd67ecec0351da5e6f00aea3cf9bdd7826a709e9dff1d124
- 60eba6da9f731d6e24ecc0a533539d9df7036dff6344a4a904f3fa2111062645
SHA1
- e79d1eb554706d149af272aff679e930b44c9f61
- 5501afe2150ee721baa9d892221a192337f0f6c2
- 6b380af14cb8c92590bf1bf337c1db7e0d02b020
- 41d37cbc676812ec4ebf4afc43caf2d0cb078e94
- 2b1c15532ac9105707ea8fa38191479786bfe06d
- 056014bc106729a62a816d3a7a0cb2d561680e0c
- afc430e3ded36da03ea463ecd5d8203d7f458741
- bc6051cac3b3a7488008a0d206b6d1531df6bbcf
- 9f89c9c7b27d1c214d8fa81640f52eda778dc3ff
- 1136afd8c82e2b6a91a73c6b14c3f170822406f6
- eb358d7b9ee3b4f8d3fa8f9a4c0340037b356463
- d2f2e19f3f96c6bb7bb041dfc32d440d08fd1416
- dcdca923337dd66ce413cb64203345cdc180134c
- 181fcf14a7b83119eacaec354ec2c376258d1549
- bfa37f8e7c16f463b384387d11a0357b618be04f
Remediation
- Block all threat indicators at your respective controls.
- Do not respond to emails sent by unknown senders.
- Never click on the links/attachments in emails coming from unknown senders.
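The first remediation step, blocking the listed indicators, is easier to get right when the indicator block is parsed and validated rather than copied by hand. The following Python example is added here and is not Rewterz code: it parses the advisory's own "Heading / - value" layout (all four hostnames and a subset of the hashes above, embedded verbatim), refangs the defanged hostnames, rejects malformed hash entries, builds a hostname blocklist, and then runs the indicators over constructed DNS and endpoint file-hash log lines. The log formats, host names and client addresses in the sample logs are assumptions made for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Indicator block copied from the advisory above: all four hostnames and a
# subset of the listed hashes, laid out exactly as the advisory prints them.
ADVISORY_IOCS = """
Hostname
- ns1[.]wowservers[.]ru
- ns1[.]corp-servers[.]ru
- dns2[.]soprodns[.]ru
- dns1[.]soprodns[.]ru
MD5
- 7afebd1853e753b338f0d08d97fc5188
- 8ddd282381722e5550f51436127a7ce4
SHA-256
- 3ffacac4692092bfdf1e8793e9dd7fbfda5844ae422649a6cb56f98a0e53fc03
- 7fc3b32ef1eb2111c2601c251645e9e7c57cea8f2e05a5999df19c4a7d19f514
SHA1
- e79d1eb554706d149af272aff679e930b44c9f61
"""

# Expected hex length per hash type; used to catch truncated or mistyped entries.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA-256": 64}


def refang(value: str) -> str:
    """Undo the '[.]' defanging used in published indicators and normalise case."""
    return value.replace("[.]", ".").strip().lower()


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Turn the advisory's 'Heading' / '- value' layout into {type: {values}}.

    A hash of the wrong length raises instead of silently becoming a rule
    that can never match anything.
    """
    iocs: Dict[str, Set[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- "):
            if current is None:
                raise ValueError(f"indicator before any heading: {line!r}")
            value = refang(line[2:])
            expected = HASH_LEN.get(current)
            if expected and not re.fullmatch(rf"[0-9a-f]{{{expected}}}", value):
                raise ValueError(f"malformed {current} indicator: {value!r}")
            iocs.setdefault(current, set()).add(value)
        else:
            current = line
    return iocs


def hostname_blocklist(iocs: Dict[str, Set[str]]) -> List[str]:
    """Sorted, refanged hostnames ready for a DNS sinkhole or proxy deny list."""
    return sorted(iocs.get("Hostname", set()))


def matches_hostname(qname: str, blocked: Set[str]) -> bool:
    """True if qname equals a blocked name or is a subdomain of one.

    The parent domain (e.g. wowservers.ru) is deliberately not matched, since the
    advisory lists specific hosts, not whole zones.
    """
    q = qname.lower().rstrip(".")
    return any(q == b or q.endswith("." + b) for b in blocked)


def _fields(line: str) -> Dict[str, str]:
    """Parse 'key=value' tokens after the leading timestamp (assumed log layout)."""
    return dict(kv.split("=", 1) for kv in line.split()[1:])


def scan_dns_log(iocs: Dict[str, Set[str]], lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, qname) pairs whose query hit a listed hostname."""
    blocked = iocs.get("Hostname", set())
    return [(f["client"], f["query"]) for f in map(_fields, lines)
            if matches_hostname(f["query"], blocked)]


def scan_hash_log(iocs: Dict[str, Set[str]], lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, hash_type, hash) for every file hash that is a listed indicator."""
    field_to_type = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA-256"}
    hits = []
    for f in map(_fields, lines):
        for field, kind in field_to_type.items():
            value = f.get(field, "").lower()
            if value and value in iocs.get(kind, set()):
                hits.append((f["host"], kind, value))
    return hits


# Constructed sample logs (not from the advisory): one query for a subdomain of a
# listed host, one query for the bare parent domain (must not match), and one
# endpoint file carrying a listed SHA-256, surrounded by benign noise.
DNS_LOG = [
    "2020-10-26T09:58:01Z client=10.0.0.12 query=update.microsoft.com type=A",
    "2020-10-26T09:58:07Z client=10.0.0.45 query=mail.ns1.wowservers.ru type=A",
    "2020-10-26T09:58:09Z client=10.0.0.12 query=wowservers.ru type=A",
]
HASH_LOG = [
    "2020-10-26T09:59:30Z host=WS-045 file=C:\\Users\\alice\\Downloads\\invoice.doc "
    "sha256=3ffacac4692092bfdf1e8793e9dd7fbfda5844ae422649a6cb56f98a0e53fc03",
    "2020-10-26T09:59:31Z host=WS-045 file=C:\\Windows\\notepad.exe sha256=" + "0" * 64,
]

if __name__ == "__main__":
    iocs = parse_iocs(ADVISORY_IOCS)
    print("blocklist:", hostname_blocklist(iocs))
    print("dns hits:", scan_dns_log(iocs, DNS_LOG))
    print("hash hits:", scan_hash_log(iocs, HASH_LOG))
```

Suffix matching on the hostname list catches lookups for hosts beneath a listed name while leaving the bare parent domain alone; widen that to whole zones only if your own triage supports it. The length check in `parse_iocs` is the cheap control that stops a copy-paste error from turning a hash indicator into a rule that never fires.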