Rewterz Threat Alert – Remcos RAT – Active IOCs
February 21, 2022Rewterz Threat Alert – BazarLoader Malware – Active IOCs
February 21, 2022Severity
High
Analysis Summary
The crypter being used reuses the code from the ransomware itself. According to the security Researchers, the crypter is a modified form of RC4 encryption and written in Delphi.
Ransom Note:
—=== Welcome. Again. ===—
[-] Whats HapPen? [-]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension csruj.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice – time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site:
b) Open our website:
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website:
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
—————————————————————————————–
!!! DANGER !!!
DON’T try to change files by yourself, DON’T use any third party software for restoring your data or antivirus solutions – its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
Researchers believe that the ransomware is linked to REvil Ransomware group.
The interface is similar to the Cl0p ransomware.
Impact
- Data Theft
- File Encryption
- Financial Loss
- Security Bypass
Indicators of Compromise
MD5
- 9b22e10431fe7b9bacf7781326cc31a5
SHA-256
- 09ad72ac1eedef1ee80aa857e300161bc701a2d06105403fb7f3992cbf37c8b9
SHA-1
- 737457effda8ffe27dbdf28423f471c5574478f4
Remediation
- Never open attachments or links received by unknown senders.
- Emails from unknown senders should always be treated with caution.
- Look for IOCs in your surroundings.
- At your respective controls, disable all threat indicators.