Severity
High
Analysis Summary
The latest version of the REvil ransomware (version 2.2) introduces significant changes from the previously released version 2.1. REvil is operated as ransomware-as-a-service (RaaS). Version 2.2 adds a persistence mechanism that is enabled when the arn configuration field is set to true: if it is, the malware writes a path to the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Version 2.1 did not contain this mechanism. Version 2.2 also uses the Windows Restart Manager to terminate any services that hold locks on files selected for encryption, a technique previously used by other ransomware families such as SamSam and LockerGoga. If a file is open when the ransomware attempts to encrypt it, the resulting sharing violation triggers the Restart Manager. Also new is a -silent flag that skips the termination of blacklisted processes and services and skips shadow copy deletion; it does not, however, affect the Restart Manager functionality.
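The Run-key persistence described above is visible in endpoint telemetry as a registry value-set event. The following added example (not part of the Rewterz advisory or any REvil sample) flags such writes over a few constructed, Sysmon-style Event ID 13 records; the event field names, the sample paths and the "user-writable location" heuristic are assumptions for illustration.

```python
import re

# Constructed, simplified Sysmon Event ID 13 (RegistryEvent: Value Set) records.
# Field names follow Sysmon's schema; the values are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\a1b2.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchst",
     "Details": r"C:\Users\alice\AppData\Local\Temp\a1b2.exe"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate",
     "Details": "DWORD (0x00000001)"},
]

# The key the advisory names, under any hive (HKLM, HKU\<SID>, ...), plus RunOnce.
RUN_KEY = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Locations an ordinary user can write to; a Run value pointing here is worth a look.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp|ProgramData)\\",
                           re.IGNORECASE)


def first_token(command_line):
    """Return the executable path from a Run value, honouring a quoted path."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[1:end] if end > 0 else command_line[1:]
    return command_line.split(" ")[0]


def is_run_key_persistence(event):
    """True when a value-set event targets a Run/RunOnce key."""
    return event.get("EventID") == 13 and bool(RUN_KEY.search(event.get("TargetObject", "")))


def score_event(event):
    """List the reasons a Run-key write looks suspicious; empty list means no Run-key write."""
    reasons = []
    if not is_run_key_persistence(event):
        return reasons
    reasons.append("writes to Run key")
    if USER_WRITABLE.search(event.get("Details", "")):
        reasons.append("value points to a user-writable path")
    if first_token(event.get("Details", "")).lower() == event.get("Image", "").lower():
        reasons.append("process registers its own executable")
    return reasons


def find_suspicious(events):
    """Return the TargetObject of every event with more than the baseline reason."""
    return [e["TargetObject"] for e in events if len(score_event(e)) > 1]
```

Run-key writes by installers and legitimate software are common, so the baseline reason alone is only a lead; the extra heuristics are what separate the constructed OneDrive entry from the Temp-directory one.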
Impact
File encryption
Indicators of Compromise
Remediation
Block all threat indicators at your respective controls. Always be suspicious of emails from unknown senders. Never click on links or attachments sent by unknown senders.