Build of open source AresCrypt ransomware on github seen in the wild

The SonicWall Capture Labs Threat Research Team has recently discovered a build of an open source ransomware known as AresCrypt in the wild.  The source code is hosted on GitHub and is promised to be feature-packed.  In the author's own words:  “Well, Arescrypt is one of my first large-scale ransomware malware’s I’ve ever hand-crafted. So, I tried going all out for it, in hopes that it may be developed better in time.”

The author lists the following features for the malware:

  • All-in-one (encryption, verification, and decryption) of files.
  • Unique API calls to configurable server (standalone PHP script included)
  • Information stored in DAT (configuration) file – obfuscated too 😉
  • Extensive configuration file
  • Sandboxing capabilities

Infection Cycle:

The Trojan uses the following icon:

 

The file contains the following metadata:

 

Upon infection, the Trojan shows the following message box to allay suspicion:

 

The following audio message is played in the background:

 

The Trojan adds the following files to the filesystem:

  • C:\Users\<user>\files.txt
  • <run location>.arescrypt.dat (hidden file)

files.txt contains a list of the files that were encrypted.

.arescrypt.dat contains the following data:

{"uniqueKey":"62vq6T5Y27aO","encKey":null,"encIV":null}

 

During the infection cycle, files are encrypted and given a .OOFNIK extension.  The author may have chosen this extension based on the fictional character Moishe Oofnik from Rechov SumSum, the Israeli version of the popular children's television series Sesame Street.
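The host-side artifacts described so far (the hidden .arescrypt.dat configuration, files.txt in the user profile and the .OOFNIK extension) are enough for a small triage check on a suspected infection. The script below is an added example written for this write-up; it is not SonicWall's code and not the AresCrypt author's. It builds a constructed sample directory containing those artifacts, parses the plain-JSON form of .arescrypt.dat shown above, and compares the files recorded in files.txt against the .OOFNIK files actually present. It assumes files.txt holds one path per line, which the write-up does not state, and it does not decode the obfuscated configuration the author advertises.

```python
import json
import os
import tempfile
from pathlib import Path

# Indicators taken from the write-up above.
ENCRYPTED_EXT = ".OOFNIK"      # extension appended to encrypted files
DAT_NAME = ".arescrypt.dat"    # hidden configuration file dropped next to the binary
LIST_NAME = "files.txt"        # list of encrypted files dropped in the user profile
DAT_KEYS = {"uniqueKey", "encKey", "encIV"}   # fields present in the captured config


def parse_dat(path):
    """Parse the plain-JSON .arescrypt.dat form shown in the write-up.

    Returns the parsed dict, or None if the file is not that JSON shape.
    The obfuscated form the author advertises is not decoded here.
    """
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    if not isinstance(data, dict) or not DAT_KEYS.issubset(data):
        return None
    return data


def triage(root):
    """Walk `root` and collect AresCrypt host indicators.

    Returns a dict with the parsed config (or None), whether encKey/encIV
    are populated, the paths listed in files.txt (assumed one per line),
    the .OOFNIK files actually found, and any encrypted file missing
    from files.txt.
    """
    config = None
    listed = []
    encrypted = []
    for dirpath, _, filenames in os.walk(Path(root)):
        for name in filenames:
            path = Path(dirpath) / name
            if name == DAT_NAME:
                config = parse_dat(path)
            elif name == LIST_NAME:
                lines = path.read_text(encoding="utf-8").splitlines()
                listed = [ln.strip() for ln in lines if ln.strip()]
            elif name.upper().endswith(ENCRYPTED_EXT):   # NTFS names are case-insensitive
                encrypted.append(str(path))
    known = set(listed)
    has_keys = bool(config) and config.get("encKey") is not None and config.get("encIV") is not None
    return {
        "config": config,
        "key_material_present": has_keys,
        "listed": listed,
        "encrypted": sorted(encrypted),
        "unlisted": sorted(p for p in encrypted if p not in known),
    }


def build_sample():
    """Create a throwaway directory with constructed copies of the artifacts."""
    root = Path(tempfile.mkdtemp(prefix="arescrypt_demo_"))
    # Config content copied from the write-up; key material is null.
    (root / DAT_NAME).write_text('{"uniqueKey":"62vq6T5Y27aO","encKey":null,"encIV":null}', encoding="utf-8")
    docs = root / "Documents"
    docs.mkdir()
    listed_file = docs / "report.docx.OOFNIK"
    unlisted_file = docs / "budget.xlsx.OOFNIK"
    listed_file.write_bytes(b"\x00" * 32)
    unlisted_file.write_bytes(b"\x00" * 32)
    (docs / "notes.txt").write_text("not encrypted", encoding="utf-8")
    # files.txt deliberately records only one of the two encrypted files.
    (root / LIST_NAME).write_text(str(listed_file) + "\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    report = triage(build_sample())
    print("uniqueKey:", report["config"]["uniqueKey"])
    print("key material present:", report["key_material_present"])
    print("encrypted files:", len(report["encrypted"]))
    print("not recorded in files.txt:", report["unlisted"])
```

A configuration whose encKey and encIV are both null, as in the captured sample, yields no key material from that file, so recovery cannot start there. files.txt is the malware's own record of what it encrypted, so any .OOFNIK file it does not list is worth a second look before trusting that record for scoping.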

 

The Trojan obtains the victim's public IP address by querying ipinfo.io.

 

The Trojan reports the infection to a remote server:

 

After the audio message is played, the screen is locked with the following image:

The Trojan demands $40 in bitcoin for file recovery.

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: AresCrypt.RSM (Trojan)
  • GAV: AresCrypt.RSM_2 (Trojan)

 

Cyber Security News & Trends – 02-01-19

This week, Collections #2-5 drop over 2 billion stolen logins, Bangladesh is suing a Philippines bank over cybertheft and SonicWall CEO Bill Conner discusses keeping up with the cybersecurity market.


SonicWall Spotlight

Could Cash-Rich Facebook Be Considering Acquisition Targets? – Real Money

  • SonicWall CEO Bill Conner is quoted by Real Money talking about Facebook’s need for cybersecurity acquisitions in a piece that speculates where the company might go next.

Are We Really Aware of What Mobile Malware Is? – VarIndia

  • SonicWall’s Debasish Mukherjee is interviewed as part of a panel discussing mobile malware. He talks about the data SonicWall Capture Labs collected on the Android platform throughout 2018.

SonicWall Aims to Build Brand in Critical Two Years – IT Europa

  • Bill Conner, CEO of SonicWall, lends his thoughts to IT Europa talking about the future of the fast-moving cybersecurity market and why not every security company is able to keep up.

Cyber Security News

Hackers are Passing Around a Megaleak of 2.2 Billion Records – Wired

  • After the leak of Collection #1 earlier in the year, Collections #2-5 continue the dump of hacked records, largely information that had been leaked previously.

Airbus Reports Breach Into Its Systems After Cyber Attack – Reuters

  • Airbus detected a cyberattack which resulted in a data breach of mostly employee data. It says the incident did not affect commercial operations.

What Was the Cybersecurity Impact of the Shutdown? – FCW

  • With the government shutdown over, the cybersecurity impact is still being worked out. FCW discusses the possible knock-on effects and how long they might last.

IT Spending Expected to Rise in 2019 Amid Shift to Cloud Services – Wall Street Journal

  • Forecasts for IT enterprise spending say there will be an 8.5% growth this year, and overall IT spending is expected to rise 3.2%.

Too Few Cybersecurity Professionals Is a Gigantic Problem for 2019

  • There is a global gap of nearly 3 million cybersecurity positions. In the USA alone, 314,000 jobs were posted in the one-year period between 2017 and 2018. Cybersecurity training itself is a new area, and almost no cybersecurity professional over 30 today has a formal cybersecurity degree.

Bangladesh to Sue Philippine Bank Over $81M Cyber Heist – Security Week

  • A digital heist in 2016 led to the successful theft of $81 million from the Bangladesh central bank’s account with the US Federal Reserve. Bangladesh is now attempting to retrieve the funds by suing the Philippines bank that facilitated the transfer. The Federal Reserve denies that it was hacked.

Massive DDoS Attack Generates 500 Million Packets per Second – Dark Reading

  • A DDoS attack on GitHub in 2018 made headlines as the biggest DDoS attack ever, but it was only a quarter of the size of the attack stopped earlier this month.

Cryptocurrency Thefts, Scams Hit $1.7 Billion in 2018: Report – Reuters

  • Cryptocurrency theft rose 400 percent in 2018, with up to $1.7 billion stolen by the end of the year. $950 million of this was theft from cryptocurrency exchanges and digital wallets.

In Case You Missed It