Thursday, 10 August 2017

Serpent Ransomware Analysis

The new Octopus cryptolocker being an offspring of the Serpent/Zyklon/WildFire/HadesLocker families shows that .NET ransomware can be not an easy meat for a reverse engineer. It leverages several types of obfuscation, code encryption, and anti-debugging to protect its C# code from decompilation and analysis.

See our analysis in the Acronis blog.

Monday, 7 August 2017

Spora Ransomware Analysis

Similar to Cerber (Ferber) ransomware, Spora has its own intricate encryption file format and does not encrypt the whole file. The encryption block size varies depending on a file size.

Read our analysis of Spora ransomware for Acronis

Friday, 28 July 2017

New variant of Cerber ransomware (Ferber) analyzed

This summer Cerber is on duty. It comes via spear-phishing emails, bypasses antiviruses leveraging polymorphic encryption and API calls obfuscation. The cryptolocker can be easily customized for every target by embedding the JSON-formatted configuration data encrypted with RC4-128 (the decrypted config is on Github for cfd2d6f189b04d42618007fc9c540352). The file encryption scheme 'master RSA-2048 key'-> 'session RSA-880' -> 'file's RC4-128' used by Cerber is not breakable. Cerber scans the IP ranges specified by CIDRs in the config for the C&C server. 

Read our detailed analysis in the Acronis blog.

Wednesday, 12 July 2017

Targeted attack with PowerShell ransomware comes undetected

The undetected PowerShell ransomware was used to attack the popular German car dealer. The attack launched through the spear phishing email looked like a mail delivery notification.

Saturday, 8 July 2017

New Cyber Security Course for Master Students

I'm happy to announce the new Malware Analysis course I've been working for eight years is coming out soon as a part of the EU academic project ENGENSEC financed by the European Commission. In light of the recent nation-state cyber attacks, I'm glad for being related to educating the next generation of cyber security experts being able to counteract cyber attacks at any level.

Wednesday, 5 July 2017

Comparing MEDoc backdoors in 176, 186, and 189 updates

To complement Anton Cherepanov's analysis of Telebot backdoor, I decided to compare the backdoor functionality of different MEDoc versions to figure out which my personal data might have been already leaked from the MEDoc installation I use now.

Friday, 30 June 2017

The WannaCry-like ransomware attack against Ukraine via MEDoc preceding EternalPetya/NotPetya

This week, MalwareHunterTeam discovered next in a row ransomware clone after XData that targeted Ukrainian users presumably through MEDoc software updates this Monday (June 26, 2017) before EternalPetya/NotPetya was launched (June 27, 2017). The new ransomware is a .NET version of WannaCry. The ransomware has the ‘kill process to unlock file’ feature introduced for the first time by ransomware and a bug that reduces demolishing power allowing the cryptolocker to harm only network drives. Let us take a look under the hood.