• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – APT37 Thallium Broadens Target Industries Around the Globe
January 2, 2020
Rewterz Threat Advisory – Cisco NX-OS and Switches – Critical Vulnerabilities
January 6, 2020

Rewterz Threat Alert – DeathRansom Ransomware Encrypting Files – IoCs

January 3, 2020

Severity

High

Analysis Summary

DeathRansom has finally succeeded at encrypting files. At a high level, this ransomware follows a sensible design: it scans and encrypts files on local and network drives. To enumerate network resources, the malware uses standard Windows APIs (WNetOpenEnumW, WNetEnumResourceW etc.) It recursively scans network resources until it hits a normal directory, at which point it processes it like a directory (processDir). 
Following alterations have been made:
 

  • Excluding important Windows folders (Program Files, Windows, etc) to avoid rendering the system unusable 
  • When it comes to files, similar checks also occur. 
  • DeathRansom also avoids “encrypting” the systems files (ntuser.dat, etc)

The new version of this ransomware uses a combination of Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm to encrypt files.  

Impact

Files Encryption

Indicators of Compromise

Domain name

  • scat01[.]mcdir[.]ru
  • gameshack[.]ru
  • scat01[.]tk

MD5

  • a35596ed0bfb34de4e512a3225f8300a
  • 8ea78e5a123c13c3bda144d0fcf430c0
  • c50ab1df254c185506ab892dc5c8e24b
  • 6bf9bfc6253a598608a1ca7d0210689e
  • bde63acffd021580fe7c7f25243c9330
  • b7e323ac9390f0d81d18557fddaef4cf
  • c4964c9c2418d0a134130dab8f4cd1b8
  • 48f1200a88db21ca4a16dc908024f0f9
  • fdcdfc8eecff8eebd671cf934423710e
  • f9363e88fde74b43bd7da4528369d7e5
  • 886ee5834ae019a5c8bce4326b88cfb7
  • 38f52fac57482d77b960faff79f44474
  • 262fdac1291740ba9408d06da265dd9f
  • 4ba2e1d4cf7a86753f9f8174b3bc74c8
  • 74a30661098e0950ec845a54ad7059c6

SHA-256

  • 7c2dbad516d18d2c1c21ecc5792bc232f7b34dadc1bc19e967190d79174131d1
  • 13d263fb19d866bb929f45677a9dcbb683df5e1fa2e1b856fde905629366c5e1
  • ab828f0e0555f88e3005387cb523f221a1933bbd7db4f05902a1e5cc289e7ba4
  • dc9ff5148e26023cf7b6fb69cd97d6a68f78bb111dbf39039f41ed05e16708e4
  • 1e1fcb1bcc88576318c37409441fd754577b008f4678414b60a25710e10d4251
  • 4bc383a4daff74122b149238302c5892735282fa52cac25c9185347b07a8c94c
  • 05b762354678004f8654e6da38122e6308adf3998ee956566b8f5d313dc0e029
  • a45a75582c4ad564b9726664318f0cccb1000005d573e594b49e95869ef25284
  • 6247f283d916b1cf0c284f4c31ef659096536fe05b8b9d668edab1e1b9068762
  • 2b9c53b965c3621f1fa20e0ee9854115747047d136529b41872a10a511603df8
  • fedb4c3b0e080fb86796189ccc77f99b04adb105d322bddd3abfca2d5c5d43c8
  • 0cf124b2afc3010b72abdc2ad8d4114ff1423cce74776634db4ef6aaa08af915
  • f78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b
  • 66ee3840a9722d3912b73e477d1a11fd0e5468769ba17e5e71873fd519e76def
  • e767706429351c9e639cfecaeb4cdca526889e4001fb0c25a832aec18e6d5e06

URL

  • hxxp://iplogger[.]org/1Zqq77
  • hxxps://iplogger[.]org/1Zqq77

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached in untrusted emails.
  • Do not download software from random sources on the internet.
  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.