A new targeted attack has infected several organizations in Taiwan with a new ransomware family, which researchers have dubbed ColdLock. The ransomware appears to target databases and email servers for encryption. It is believed the threat actors somehow gained access to the Active Directory servers of the targeted organizations, where they were able to set Group Policies that caused the ransomware file to be downloaded and run on machines within the affected domain.
The payload arrives as a .NET executable (a .DLL file), which has been packed/protected with the ConfuserEx packer. It uses PowerShell reflective loading of .NET assemblies to run that .DLL file in memory:
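As an added defender-side illustration (not code from the original report), the following Python check flags PowerShell script-block log entries that match the in-memory .NET assembly-loading pattern described above. The regexes and the sample log lines are constructed assumptions, not signatures taken from the report.

```python
from __future__ import annotations
import re

# Indicators of a .NET assembly being loaded straight from bytes inside PowerShell.
# These patterns are assumptions for illustration, not signatures from the ColdLock report.
INDICATORS = {
    "reflective_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]\s*::\s*Load\s*\(", re.I),
    "entrypoint_invoke": re.compile(r"\.EntryPoint\.Invoke\s*\(", re.I),
    "raw_bytes": re.compile(
        r"\[(System\.)?IO\.File\]\s*::\s*ReadAllBytes\s*\(|FromBase64String\s*\(", re.I
    ),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
}

# Constructed sample script-block log lines (e.g. from PowerShell event 4104).
# Only line 2 shows the load-from-bytes-and-invoke pattern; line 4 uses
# LoadWithPartialName, a benign call that must not trigger the rule.
SAMPLE_LOG = [
    "4104 ScriptBlock: Get-ChildItem C:\\Users -Recurse | Measure-Object",
    "4104 ScriptBlock: $b=[IO.File]::ReadAllBytes('C:\\Windows\\Temp\\x.dll');"
    "$a=[System.Reflection.Assembly]::Load($b);$a.EntryPoint.Invoke($null,$null)",
    "4104 ScriptBlock: Import-Module ActiveDirectory; Get-ADUser -Filter *",
    "4104 ScriptBlock: [Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms')",
]


def score_script_block(text: str) -> list[str]:
    """Return the names of all indicators that match one script-block entry."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line_no, matched_indicators) for every entry that contains a
    reflective Assembly::Load call; the other indicators are reported as context."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        matched = score_script_block(line)
        if "reflective_load" in matched:
            hits.append((line_no, matched))
    return hits


if __name__ == "__main__":
    for line_no, matched in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(matched)}")
```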
It also contains two checks that decide whether it runs. First, it checks for the presence of %System Root%\ProgramData\readme.tmp, the file used for the ransom note. This check prevents a system from being reinfected by the same threat:
Before encryption starts, the ransomware also terminates several processes, if they are running, to avoid file access violations. The targeted services are:
The ransom note looks very much like other ransomware notes.
The ransomware changes the system's wallpaper for all users; the new wallpaper instructs the user to read a text file (the ransom note). It does this by changing several registry settings.