Rewterz Threat Advisory – Multiple Google Chrome Vulnerabilities
February 3, 2022Rewterz Threat Advisory – Multiple Advantech Zero-days
February 3, 2022Rewterz Threat Advisory – Multiple Google Chrome Vulnerabilities
February 3, 2022Rewterz Threat Advisory – Multiple Advantech Zero-days
February 3, 2022Severity
High
Analysis Summary
The crypter being used reuses the code from the ransomware itself. According to the security Researchers, the crypter is a modified form of RC4 encryption and written in Delphi.
Ransom Note:
—=== Welcome. Again. ===—
[-] Whats HapPen? [-]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension csruj.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice – time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site:
b) Open our website:
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website:
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
—————————————————————————————–
!!! DANGER !!!
DON’T try to change files by yourself, DON’T use any third party software for restoring your data or antivirus solutions – its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
Researchers believe that the ransomware is linked to REvil Ransomware group.
The interface is similar to the Cl0p ransomware.
Impact
- Data Theft
- File Encryption
- Financial Loss
- Security Bypass
Indicators of Compromise
Domain Name
- bottomcdnfiles[.]com
- cdnmegafiles[.]com
- chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd[.]onion
- sugarpanel[.]space
IP
- 179[.]43[.]160[.]195
- 82[.]146[.]53[.]237
MD5
- 2777e8741fa2fd754d20489295b62c12
- f67f72cb76d5bfc3461277b72e83f2a3
- 0260832cee87619332599f7d5c43bdd9
- 598529f5a52d25329ebdef602fcb39a0
- 17c7b47b68f75df9eec21698decad5b4
- 1cc5b508da9567f032ed78375bb45959
SHA-256
- 5816a77bf4f8485bfdab1803d948885f76e0c926fed9da5ac02d94e62af8b145
- 18cb9b218bd23e936128a37a90f2661f72c820581e4f4303326705b2103714a9
- 1318aeaea4f2f4299c21699279ca4ea5c8fa7fc38354dd2b80d539f21836df5a
- aa41e33d3f184cedaaaabb5e16c251e90a6c4ff721a599642dc5563a57550822
- 4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058
- 315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9
SHA-1
- 15a7fb45f703d5315320eef132f3151873055161
- 320eefd378256d6e495cbd2e59b7f205d5101e7f
- e835de2930bf2708a3a57a99fe775c48f851fa8f
- 98137dd04e4f350ee6d2f5da613f365b223a4f49
- a4854ce87081095ab1f1b26ff16817e446d786af
- c31a0e58ae70f571bf8140db8a1ab20a7f566ab5
Remediation
- Never open attachments or links received by unknown senders.
- Emails from unknown senders should always be treated with caution.
- Look for IOCs in your surroundings.
- At your respective controls, disable all threat indicators.