Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity
High
Analysis Summary
A new family of ransomware named LooCipher has emerged. The researchers note that LooCipher’s functionality is not significantly different than other ransomware families. Infection of the victim is achieved through emails with attached Word documents (.DOCM) that contain macros that download the ransomware. The documents contain a single line of text which states “ENABLE MACROS TO VIEW THIS DOCUMENT”. When executed, the ransomware scans files on the system and then encrypts all files except those in the Windows system and programs folders. When the encryption process is completed, the ransomware provides information to the victim, including instructions on how to make payment for the decryption key. The instructions note that the victim has only five days to pay or the decryption key will be destroyed, making the files unrecoverable. The ransomware sends the victim’s details to a C&C server on the TOR network. From there it also provides the Bitcoin address to make payments to. Communication with the TOR network is conducted through proxy services which avoids the ransomware having to install TOR libraries on the victim system. A new Bitcoin address is created each time the ransomware contacts the C&C server. However, there are also hard coded wallet addresses in case the C&C server cannot be contacted. Unusually, the ransomware is also the decryptor, but it requires that the C&C server confirms payment has been received before it can function in the decryption mode.
Impact
File encryption
Indicators of Compromise
Malware Hash (MD5/SHA1/SH256)
Remediation