
Rewterz Threat Alert – DoppelPaymer Ransomware hits Banka Ekonomike in Kosovo

April 22, 2020

Severity

High

Analysis Summary

DoppelPaymer is a variant of the BitPaymer ransomware; its first known victim was targeted in June 2019. DoppelPaymer is an enterprise-targeting ransomware: the operators compromise a corporate network, eventually obtain admin credentials, and then deploy the ransomware across the network to encrypt every device. Because these attacks encrypt hundreds, if not thousands, of devices, they have a severe impact on operations, and the attackers demand very large ransoms. DoppelPaymer's operators also threaten to breach victims' confidentiality by publishing their sensitive information online. In this case the threat actors have proved they are not bluffing: they have actually released confidential information belonging to the bank online.

Banka Ekonomike has been operating since 2001 in Prishtinë, Kosovo, as the only 100 percent locally owned bank. It operates a total of 30 branches, divided into 7 main regions within which 23 sub-branches operate. According to the bank's end-of-year 2018 report, of the 201 branches and sub-branches in the Kosovo banking market, Banka Ekonomike ranked 3rd, with about 15 percent of the total.

DoppelPaymer's operators have released Banka Ekonomike's data, comprising over 2 GB of files that include financial transaction records and database backup files. Screenshots of the leaked files appeared here in the original advisory.

Impact

  • Unauthorized access
  • Data Loss

Indicators of Compromise

Domain Name

  • ms-audit-server[.]pro
  • ms-dll-windows-rop[.]club
  • ms-audit-server[.]club
  • ms-dll-windows-ror[.]club
  • ms-dll-com[.]info
  • ms-dll-service[.]website
  • ms-dll-com[.]space
  • ms-dll-com[.]club
  • ms-dll-windows-agent[.]club
  • ms-audit-server1[.]club
  • ms-dll-service[.]site
  • dll-windows-server[.]xyz

From Email

  • btpsupport@protonmail[.]com

Hostname

  • www[.]yourkemptville[.]com
  • www[.]dll-windows-server[.]xyz

SHA-256

  • f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555
  • b9a8710e55bb2d55bbeed9cebb83ac2f18f78818f0c05f18c96f766c8c47e2d9
  • 92e498e500d0e465f898c0119a9f55e2210dc383adfb0f5c654ff5c5ad6a5f83
  • d77a93ac60536f3706e8a0154c0c2199e888b7748c84db7437254ff175f4df55
  • 650926ff85163cef3288e3f32575851458a45361ade9207dcde3923d22771644

Remediation

Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercrime operations. Large organizations are high-value targets, and attackers can demand bigger ransoms from them.

We recommend:

  • Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.
  • Apply the latest updates to your operating systems and apps.
  • Educate your employees so they can identify social engineering and spear-phishing attacks.
  • Enable controlled folder access; it can stop ransomware from encrypting files and holding them for ransom.
  • Block the threat indicators at their respective controls.
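The advisory publishes its indicators defanged (`[.]` in place of `.`), so before they can be loaded into a DNS sinkhole, mail gateway or endpoint hash blocklist they must be refanged and sorted by type. The script below is an added example, not Rewterz code: it parses the indicator list exactly as printed above, buckets each value by type, sweeps a few constructed DNS, mail and file-inventory records for hits (matching subdomains of an indicator domain as well, but not look-alike names that merely end in the same characters), and emits a standard DNS RPZ fragment that sinks each listed domain and everything beneath it. All log lines and file paths are constructed for the example; the hostnames, addresses and hashes are the ones from this advisory.

```python
"""Refang the advisory's defanged IoCs, sweep sample telemetry, emit an RPZ blocklist.
Added example (not Rewterz code). Log lines and file inventory below are constructed."""
import re
from typing import Optional

# Indicators exactly as published in the advisory (defanged with [.]).
ADVISORY_IOCS = """
ms-audit-server[.]pro
ms-dll-windows-rop[.]club
ms-audit-server[.]club
ms-dll-windows-ror[.]club
ms-dll-com[.]info
ms-dll-service[.]website
ms-dll-com[.]space
ms-dll-com[.]club
ms-dll-windows-agent[.]club
ms-audit-server1[.]club
ms-dll-service[.]site
dll-windows-server[.]xyz
btpsupport@protonmail[.]com
www[.]yourkemptville[.]com
www[.]dll-windows-server[.]xyz
f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555
b9a8710e55bb2d55bbeed9cebb83ac2f18f78818f0c05f18c96f766c8c47e2d9
92e498e500d0e465f898c0119a9f55e2210dc383adfb0f5c654ff5c5ad6a5f83
d77a93ac60536f3706e8a0154c0c2199e888b7748c84db7437254ff175f4df55
650926ff85163cef3288e3f32575851458a45361ade9207dcde3923d22771644
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
KV_RE = re.compile(r"(\w+)=(\S+)")  # key=value fields in the constructed log lines


def refang(value: str) -> str:
    """Undo common defanging so the value can be compared against real telemetry."""
    return value.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_iocs(text: str) -> dict:
    """Refang and bucket each indicator; unrecognised shapes are kept, not silently dropped."""
    buckets = {"sha256": set(), "email": set(), "domain": set(), "unknown": set()}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        value = refang(raw)
        if SHA256_RE.match(value):
            buckets["sha256"].add(value)
        elif EMAIL_RE.match(value):
            buckets["email"].add(value)
        elif DOMAIN_RE.match(value):
            buckets["domain"].add(value)  # hostnames such as www.* land here too
        else:
            buckets["unknown"].add(value)
    return buckets


def matched_domain(name: str, domains: set) -> Optional[str]:
    """Return the indicator equal to `name` or a parent of it, matching on label boundaries
    (cdn.evil.xyz hits evil.xyz; notevil.xyz does not)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


# Constructed sample telemetry (not from the advisory).
DNS_LOG = [
    "2020-04-22T10:14:03Z host=WS-017 query=ms-dll-com.club",
    "2020-04-22T10:15:41Z host=WS-017 query=update.microsoft.com",
    "2020-04-22T10:16:02Z host=SRV-DB01 query=cdn.dll-windows-server.xyz",
    "2020-04-22T10:17:30Z host=WS-022 query=notms-dll-com.club",
]
MAIL_LOG = [
    "2020-04-21T08:02:11Z from=btpsupport@protonmail.com to=finance@example.org subject=Invoice",
    "2020-04-21T08:05:40Z from=payroll@example.org to=finance@example.org subject=April",
]
FILE_INVENTORY = [  # (host, path, sha256)
    ("WS-017", "C:\\Users\\user\\AppData\\Local\\Temp\\svc.exe",
     "f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555"),
    ("SRV-DB01", "C:\\Windows\\System32\\notepad.exe", "0" * 64),
]


def sweep(iocs: dict, dns_log, mail_log, files) -> list:
    """Return (source, where, observed_value, matched_indicator) for every hit."""
    hits = []
    for line in dns_log:
        fields = dict(KV_RE.findall(line))
        indicator = matched_domain(fields.get("query", ""), iocs["domain"])
        if indicator:
            hits.append(("dns", fields["host"], fields["query"], indicator))
    for line in mail_log:
        fields = dict(KV_RE.findall(line))
        sender = fields.get("from", "").lower()
        if sender in iocs["email"]:
            hits.append(("mail", fields["to"], sender, sender))
    for host, path, digest in files:
        if digest.lower() in iocs["sha256"]:
            hits.append(("file", host, path, digest.lower()))
    return hits


def as_rpz(iocs: dict) -> list:
    """DNS RPZ records that sink each indicator domain and every name beneath it."""
    lines = []
    for domain in sorted(iocs["domain"]):
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return lines


if __name__ == "__main__":
    parsed = parse_iocs(ADVISORY_IOCS)
    for hit in sweep(parsed, DNS_LOG, MAIL_LOG, FILE_INVENTORY):
        print(hit)
    print("\n".join(as_rpz(parsed)))
```

The domain match walks the queried name from most to least specific, so a hit on `www.dll-windows-server.xyz` reports that hostname rather than its parent, while `notms-dll-com.club` produces no hit because suffix comparison only happens at label boundaries. The `unknown` bucket exists so that a malformed or unexpected indicator type is visible in review rather than quietly discarded.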
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.