Catching Cerber Ransomware

Since the release of SonicWall Capture Advanced Threat Protection (Capture ATP) in August 2016 on SonicWall firewalls, we have seen a lot of unique behavior from authors of malicious code, namely ransomware.

Up until Christmas 2016, Locky received a lot of attention from security firms but then took a backseat during the holiday season. One thing I noticed around that time was that a ransomware variant called Cerber would actually be one of the more persistent pups in the litter.  I started seeing Cerber show up on Capture ATP’s daily reports and wanted to understand why we were still catching this on the sandbox instead of the firewall.

In short, we were catching this on the firewall because SonicWall’s Capture Labs research team was creating a large number of signatures for Cerber, but what I was seeing were “updated” versions of Cerber being caught in the wild; as many as two versions a day. These updates were made to get around the Cerber signatures created to stop older versions of itself. To make things more interesting, these Cerber variants were utilizing seven different tactics to evade detection.

The image above is a snippet of a very long report that partly shows what Cerber wants to do. Did you notice the seven different evasion tactics? Malware did not do this in the past, at least not any that I remember. Back then, the security industry was trying to get the upper hand on the “explosive growth” of malicious code being authored and wanted to use virtual environments to run and test code. About five years ago, the industry introduced the network sandbox to the market and it was a hit, because we now had a tool where we could run potentially malicious code in an isolated environment to decide whether to whitelist or blacklist it.

So, do you think that attackers folded up their laptops and found real jobs? Nope, they learned how to evade sandboxes, which is the real essence of what a hacker truly is. If you read third-party reports on network sandboxing, you will find skeptical, bearish assessments of its effectiveness that rate evading a sandbox as only medium difficulty. When you see the image above, you have to believe that those reports are right, and Cerber’s evasion tactics rank up there with some of the best I have seen recently; truly an advanced persistent threat. So why am I able to show this to you? Although it is evading other sandboxes, it is not able to get past ours. But how?

In short, we leverage Capture ATP, a multi-engine sandbox that first runs suspicious code through a set of pre-filters that analyze the code and compare it against a real-time list to see if anyone we collaborate with already knows about it. This step eliminates a lot of newly minted malware within milliseconds; almost at the same speed as lightning strikes the Earth.

After that, the code will go through a parallel set of engines that will help us determine what a new batch of code wants to do from the application, to the OS, to the software that resides on the hardware. We run it through real-time deep memory inspection, virtualized sandboxing, hypervisor level analysis and full-system emulation. Naturally, when we get to this point it does take a little time but it’s worth it.

TrumpLocker makes you pay to bring down its cyber walls (Mar 03, 2017)

It has been clear that ransomware is here and is not going away anytime soon. This week, the SonicWALL Threats Research team received reports of yet another variant calling itself TrumpLocker. Cybercriminals are clearly taking advantage of all the buzz in the news about the current US President’s administration and are using the very common ploy of customizing malware to capitalize on current events.

Infection Cycle:

This Trojan uses the following file properties:

Upon execution, it makes the following DNS query:

And establishes a connection to a remote server:

It also drops the following files:

  • %Desktop%\RansomNote.exe [Detected as GAV: Trumplocker.A (Trojan)]
  • %Desktop%\What happen to my files.txt

The file “What happen to my files.txt” contains the instructions on how to pay to get your files back. The note was rather long and reads:

--- The Trump Locker ---

Unfortunately, you are hacked.

1. What happened to my files?

Your personal files, including your photos, documents, videos and other important files on this computer, have been encrypted with RSA-4096, the strongest encryption algorithm. RSA algorithm generates a public key and a private key for your computer. The public key was used to encrypt your files a moment ago. The private key is necessary for you to decrypt and recover your files. Now, your private key is stored on our secret Internet server. And there is no doubt that no one can recover your files without your private key. For further information about RSA algorithm, please refer to https://en.wikipedia.org/wiki/RSA_(cryptosystem)

2. How to decrypt my files?

To decrypt and recover your files, you have to pay #ramt# US Dollars for the private key and decryption service. Please note that you have ONLY 72 HOURS to complete your payment. If your payment is not completed within the time limit, your private key will be deleted automatically by our server. All your files will be permanently encrypted and nobody can recover them. Therefore, it is advised that you'd better not waste your time, because there is no other way to recover your files except making a payment.

3. How to pay for my private key?

There are three steps to make a payment and recover your files:
1). For the security of transactions, all the payments must be completed via Bitcoin network. Thus, you need to exchange #ramt# US dollars (or equivalent local currencies) to Bitcoins, and then send these Bitcoins (about #btc# BTC) to the following address. 1N82pq3XovKoJYqUmTrRiXftpNHZyu4jyv
2). Send your personal ID to our official email: TheTrumpLocker@mail2tor.com Your personal ID is: #id#
3). You will receive a decryptor and your private key to recover all your files within one working day.

4. What is Bitcoin?

Bitcoin is an innovative payment network and a new kind of money. It is based on an open-source cryptographic protocol that is independent of any central authority. Bitcoins can be transferred through a computer or a smartphone without an intermediate financial institution.

5. How to make a payment with Bitcoin?

You can make a payment with Bitcoin based on Bitcoin Wallet or based on Perfect Money. You can choose the way that is more convenient for you.

About Based on Bitcoin Wallet
1) Create a Bitcoin Wallet. We recommend Blockchain.info (https://blockchain.info/)
2) Buy necessary amount of Bitcoins. Our recommendations are as follows. LocalBitcoins.com -- the fastest and easiest way to buy and sell Bitcoins. CoinCafe.com -- the simplest and fastest way to buy, sell and use Bitcoins. BTCDirect.eu -- the best for Europe. CEX.IO -- Visa / MasterCard CoinMama.com -- Visa / MasterCard HowToBuyBitcoins.info -- discover quickly how to buy and sell Bitcoins in your local currency.
3) As mentioned above, send about #btc# BTC (equivalent to #ramt# USD) to our Bitcoin receiving address.
4) As mentioned above, and then, send us your personal ID via email, you will receive your private key soon.

About Based on Perfect Money
1) Create a Perfect Money account. (https://perfectmoney.is)
2) Visit PMBitcoin.com. (https://pmbitcoin.com/btc) Input our Bitcoin receiving address in the "Bitcoin Wallet" textbox. Input #ramt# in the "Amount" textbox, the amount of Bitcoin will be calculated automatically. Click "PAY" button, then you can complete your payment with your Perfect Money account and local debit card.

6. If you have any problem, please feel free to contact us via official email.

Best Regards
The Trump Locker Team

The trojan changes the desktop wallpaper of the victim machine and displays a warning with instructions on how to pay.

It then executes the file RansomNote.exe, which displays a splash page with a photo of the US President. A few seconds later it switches to another warning page, again with instructions on how to pay.

To ensure that this warning page is displayed upon reboot, it adds the following key to the registry:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TheTrumpLocker %Desktop%\RansomNote.exe

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Trumplocker.A (Trojan)

General Availability of SonicWall Email Security 9.0 with Capture ATP at Virtual PEAK 2017

SonicWall Email Security 9.0 with Capture ATP Service is available worldwide today. Leveraging a highly-scalable and redundant architecture, SonicWall Email Security 9.0 integrates with our award-winning Capture Advanced Threat Protection (ATP) Service to deliver a cloud-based, multi-engine sandbox that not only inspects email traffic for suspicious code, but also blocks ransomware, zero-day and other malicious files from entering the network until a verdict is reached. I am excited to be joining hundreds of our channel partners for SonicWall’s Virtual PEAK 2017 this Thursday, March 2, 2017 from 8 am to 1 pm Pacific time. Learn more about all SonicWall solutions and about Email Security 9.0, which continues to offer an array of deployment options, including on-premises appliances, virtual machine, software and cloud-hosted solutions.

SonicWall Virtual Peak Keynote Speakers at Virtual PEAK 2017

According to the 2017 SonicWall Annual Threat Report, ransomware attacks grew at a tremendous rate in 2016 with email as one of main attacks vectors used by cyber criminals. Our response to this growing threat is SonicWall Email Security 9.0, which integrates our award-winning Capture Advanced Threat Protection Service.

SonicWall Email Security 9.0 with Capture Advanced Threat Protection Service provides comprehensive next-generation email security protection to prevent ransomware and emerging zero-day attacks.

This exciting new release demonstrates SonicWall’s continuing efforts to enhance our security portfolio and introduce innovation to our solutions to protect customers against new and evolving threats in 2017 and beyond.

Innovative features of SonicWall Email Security 9.0 include:

  • Advanced Threat Protection: Integrates Capture cloud-based sandboxing technology for detection of zero-day threats such as ransomware, with fine-grained inspection of SMTP traffic.
  • Next-generation Email Protection: Incorporates anti-spam, anti-virus and anti-spoofing functionality to not only detect and prevent spam and other unwanted email, but also scan email messages and attachments for ransomware, Trojan horses, worms and other types of malicious content.
  • Improved Office 365 Support: Enhances security for multi-tenant environments by providing a method for ensured, mapped delivery of emails in SonicWall Hosted Email Security environments.
  • Updated Line of Appliances: Refreshes SonicWall’s line of Email Security hardware appliances, helping customers to better face threats delivered by email.
  • Encryption Protection: Supports SMTP Authentication, and the encryption service feature enables any email containing protected data to be automatically encrypted, routed for approval or archived.
  • Policy and Compliance Management: Enables an administrator to enact policies that filter messages and their contents as they enter or exit the organization. This allows organizations to meet regulatory requirements based on government legislation, industry standards or corporate governance activities.

SonicWall ESA Series at Virtual PEAK 2017

To learn more about Email Security 9.0, be sure to attend the upcoming SonicWall Virtual PEAK 2017, March 2, 2017. Join my session: Using SonicWall Email Security 9 with Capture ATP to Drive New Opportunity at 8 am. Don’t miss this opportunity to network and learn from our experts and your peers. Register today!

SonicWall Virtual Peak

Malicious Android banker for Sberbank (February 24, 2017)

The SonicWall Threats Research team observed reports of another Android banker that targets a specific bank; this time the target is a Russian bank, Sberbank.

Infection Cycle

Once the apk is installed and opened, we see an overlay that covers the entire screen. This overlay asks for administrative access, and its text is in Russian. There is no way for the user to close the overlay, so the user is forced to grant the privileges. Upon receiving administrative access, however, the app displays an error message (shown in the images below) and closes its user interface. This gives the impression that the app stopped working, but in reality it keeps running in the background.

The app initiates a WebSocket connection with the attacker and uses this protocol to perform further communication:

The app transmits sensitive data stored on the device to the attacker:

  • Device-related data:
    • IMEI
    • Operator name
    • Phone number
    • Country
  • The user’s contact list:

During our analysis the app attempted to send an SMS to Sberbank, a Russian banking and financial services company. As seen in the image below, the app sends the message “balance” to the number 900, a facility Sberbank provides to its customers for checking their balance:

The code in the app is obfuscated to make it difficult for automated tools and security analysts to easily understand/analyze its real motives:

This app has an image of the Sberbank logo in its resources folder:

We installed the official Sberbank app on the device but did not see any activity that would use this image. In the past we have seen apps that show a custom overlay image when a particular targeted app is opened on an infected device; however, that was not the case here. Perhaps there will be some additions to this app in the future.

Overall this is yet another targeted Android banker malware that attempts to extract sensitive user information and send SMS messages to perform specific activities.

MD5 of the sample, with package name com.jfaxw.azatbtvf:

  • a52d34bc0271b5668b42346fec9df662

SonicWALL provides protection against this threat via the following signature:

  • GAV: AndroidOS.Banker.SB (Trojan)

The sample communicated with the following domain/ip:

  • jkj13kfhk2j42fo17h2deh3lk3hkl4gk.com
  • 185.110.132.96

Microsoft Security Bulletin Coverage (Feb 23, 2017)

Though Microsoft delayed the February Patch Tuesday, this week it released a security update resolving vulnerabilities in Adobe Flash Player. This patch updates the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

SonicWall has analyzed and addressed Microsoft’s security advisory for the month of February 2017. The list of issues reported, along with SonicWall coverage information, is as follows:

MS17-005 Security Update for Adobe Flash Player

  • CVE-2017-2982 Adobe Flash Player Vulnerability
    ASPY:1387 “Malformed-File swf.MP.535”
  • CVE-2017-2984 Adobe Flash Player Vulnerability
    ASPY:1388 “Malformed-File mp4.MP.0”
  • CVE-2017-2985 Adobe Flash Player Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-2986 Adobe Flash Player Vulnerability
    ASPY:1390 “Malformed-File flv.MP.0”
  • CVE-2017-2987 Adobe Flash Player Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-2988 Adobe Flash Player Vulnerability
    ASPY:1391 “Malformed-File swf.MP.536”
  • CVE-2017-2990 Adobe Flash Player Vulnerability
    ASPY:1392 “Malformed-File mp4.MP.1”
  • CVE-2017-2991 Adobe Flash Player Vulnerability
    ASPY:1396 “Malformed-File swf.MP.537”
  • CVE-2017-2992 Adobe Flash Player Vulnerability
    ASPY:1397 “Malformed-File swf.MP.538”
  • CVE-2017-2993 Adobe Flash Player Vulnerability
    ASPY:1398 “Malformed-File swf.MP.539”
  • CVE-2017-2994 Adobe Flash Player Vulnerability
    ASPY:1399 “Malformed-File swf.MP.540”
  • CVE-2017-2995 Adobe Flash Player Vulnerability
    ASPY:1400 “Malformed-File swf.MP.541”
  • CVE-2017-2996 Adobe Flash Player Vulnerability
    ASPY:2061 “Malformed-File swf.MP.542”

New variants of Sage ransomware Spotted in the Wild. (Feb 17, 2017)

The SonicWall Threats Research team observed reports of a new variant family of Sage ransomware [GAV: Suspicious#polycrypt.1_2 and Sage.B] actively spreading in the wild.

Sage 2.0 encrypts the victim’s files with a strong encryption algorithm and holds them until the victim pays a fee to get them back.

Infection Cycle:

The Malware uses the following icon:

The malware adds the following file to the system:

  • Malware.exe
    • %Userprofile%\Application Data\W3UoRbov.exe

The Trojan adds the following entry to the Windows Startup folder to ensure persistence upon reboot:

  • %Userprofile%\Start Menu\Programs\Startup\6OICFYbI
    • “%Userprofile%\Application Data\W3UoRbov.exe”

The Trojan adds the following keys to the Windows registry:

Once the computer is compromised, the malware copies its executable into the %Userprofile%\Application Data folder and deletes the original executable.
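The two persistence mechanisms in these write-ups, TrumpLocker’s HKCU Run value pointing at an executable on the Desktop and Sage’s Startup-folder entry pointing into Application Data, share one trait a defender can audit for: the autostart target lives in a user-writable location. The following PowerShell script is an added example, not code from the SonicWall posts, that enumerates both locations for the current user and flags such entries. The folder roots come from the environment; the choice of which roots count as “user-writable” and the output layout are this example’s own assumptions, not a SonicWall signature.

```powershell
# Added example (not from the SonicWall posts): audit per-user autostart entries whose target
# executable lives in a user-writable location (Desktop, roaming AppData, local AppData), the
# pattern behind TrumpLocker's HKCU Run value and Sage's Startup-folder entry described above.
# Assumption: run as the user being audited; the roots below are our own choice of "suspicious".

$userWritableRoots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('ApplicationData'),
    [Environment]::GetFolderPath('LocalApplicationData')
)

function Test-UserWritablePath {
    param([string]$Command)
    # Reduce "C:\path\x.exe" --args (or C:\path\x.exe --args) to just the executable path
    if ($Command -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    foreach ($root in $userWritableRoots) {
        if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = @()

# 1. HKCU Run key (TrumpLocker: value "TheTrumpLocker" launching %Desktop%\RansomNote.exe)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSDrive, ...), not a value
        if (Test-UserWritablePath ([string]$p.Value)) {
            $findings += [pscustomobject]@{ Location = 'HKCU Run'; Name = $p.Name; Target = $p.Value }
        }
    }
}

# 2. Per-user Startup folder (Sage: an entry launching %Userprofile%\Application Data\<random>.exe)
$startup = [Environment]::GetFolderPath('Startup')
$shell   = New-Object -ComObject WScript.Shell
foreach ($item in (Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue)) {
    # Resolve shortcuts to their target; any other file dropped straight into Startup is reported as itself
    if ($item.Extension -ieq '.lnk') {
        $target = $shell.CreateShortcut($item.FullName).TargetPath
    } else {
        $target = $item.FullName
    }
    if (Test-UserWritablePath $target) {
        $findings += [pscustomobject]@{ Location = 'Startup folder'; Name = $item.Name; Target = $target }
    }
}

if ($findings.Count -eq 0) { 'No autostart entries launch from Desktop or AppData.' }
else { $findings | Format-Table -AutoSize }
```

Because the per-user Startup folder itself sits under roaming AppData on current Windows versions, any non-shortcut file dropped directly into it is reported, which is the intended behaviour: legitimate software installs a shortcut there, not a payload. Run the script for each interactive user profile (or port the HKCU lookup to HKU\<SID>) to cover a shared machine, and treat a hit as a triage lead to be confirmed against the dropped-file indicators listed in the write-ups, not as a verdict on its own.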

After the malware encrypts all personal documents and files, it shows the following webpage:

It demands that victims pay using Bitcoin in order to receive the decryption key that allows them to recover their files.

Command and Control (C&C) Traffic

The malware performs C&C communication over TCP and UDP ports. It sends the system UID to its C&C server in the following format; here are some examples:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Suspicious#polycrypt.1_2 (Trojan)

  • GAV: Sage.B (Trojan)

SonicWall is on a Winning Streak in the Cyber Arms Race at RSA 2017

As we wrap up a “winning” week at the 2017 RSA conference in San Francisco, attended by more than 45,000, I am excited to highlight incredible momentum from our Threat Report, recent industry awards, and most importantly the conversations with our loyal customers and partners. We are excited to hear the overwhelming enthusiasm for the 2017 Annual Threat Report, the launch of Email Security 9.0 with Capture, the technical preview of SonicOS 6.2.7 and our SecureFirst Partner Program. In the kiosks in our booth, we demoed solutions to prevent breaches, stop phishing attacks, block ransomware, uncover SSL encrypted threats and identify compromised IoT devices.

All of the innovation we are delivering to the marketplace to get ahead of the cyber arms race has resulted in four awards. Just yesterday, SonicWall won the prestigious SC Magazine Trust Award for Best UTM Security Solution for our SonicWall TZ Firewall Series. The TZ is the most secure, sophisticated and widely deployed small-business firewall platform on the market today. The TZ Series offers a range of Unified Threat Management solutions for SMB and distributed enterprises across retail, government, remote sites and branch offices. SonicWall also won in three categories from InfoSecurity Products Guide – Global Excellence Awards:

New Products and Services

Bring Your Own Device (BYOD) Security

  • SILVER for SonicWall Secure Mobile Access 1000 Series (version OS 12.0)
    Info Security Products Guide 2017 - Global Excellence Silver Award

Advanced Persistent Threat Detection and Response

The conference was also an opportunity to showcase our ground breaking 2017 SonicWall Annual Threat Report. We continue to build on the momentum of the unique threat data presented in the report. Among the findings discussed were:

  • Volume of unique malware samples declined to 60 million, a 6.25 percent decrease.
  • Point-of-sale malware creation declined by 93 percent since 2014.
  • Secure Sockets Layer/Transport Layer Security encrypted traffic increased by 34 percent year-over-year.
  • Cyber criminals shifted their focus to new threats, including ransomware attacks, which grew 167x year-over-year. Internet of Things devices created a new attack vector, opening the door for large-scale distributed denial-of-service attacks.

RSA 2017 Awards

Because email is a constant target for attacks, we had a kiosk presenting our new SonicWall Email Security 9.0 with Capture ATP. The cloud sandboxing allows you to deploy a next-gen solution for protecting email files, stop phishing and block zero-day attacks and ransomware.

We are also celebrating the launch of our SonicWall Secure First Partner Program. As a 100% channel company, SecureFirst is the way our channel partners access the entire SonicWall portfolio of technology and solutions. With the different levels of commitment to the program come various levels of rewards and benefits. Central to the new program is Reward for Value, SonicWall’s partner profitability framework that rewards partners for the value they bring to selling, implementing, and supporting SonicWall solutions. And SecureFirst is off to a really fast start. In the first 90 days:

  • SecureFirst program registrations reached 8,563 across 90 countries
  • SecureFirst registrations in North America exceeded 5,400
  • SecureFirst New Partner Registrations more than 1,500
  • SecureFirst partner deal registrations spike 66% since divestiture

At SonicWall, we are committed to helping our customers and partners fight the attacks to get ahead of the cyber arms race with the intelligence of our GRID Network, next-gen firewalls, extending our award-winning Capture capabilities with our Email Security solutions, and IoT security to protect the enterprise and drive business productivity. Our goal is to have our award-winning breach prevention, IoT device security and encrypted threat solutions reinforce each other and defend independently to ensure we are setting the highest level of protection for value for our customers and partners.

Microsoft Postpones February Security Updates to March

SonicWall has worked closely with Microsoft to provide real-time protection to our customers. Recently Microsoft announced that the February patches will be delayed “due to a last minute issue that could impact some customers”. Microsoft must have considered all options and chosen the best approach.

Back in November 2016, Microsoft announced an overhaul of Patch Tuesday. The new system is scheduled to go online this month, and we are not sure if these two incidents are related. We hope Microsoft can fix the root problem ASAP so that it won’t affect future security releases.

Practical Defense for Cyber Attacks and Lessons from 2017 SonicWall Annual Threat Report

The 2017 SonicWall Annual Threat Report, published last week, covers the evolution of the cybersecurity landscape through 2016. Based on the data from the SonicWall Capture Labs Threat network, the report highlights the advances of the criminal and the defense sides of the global cyber security landscape.

For example, law enforcement apprehended the writers of the popular Angler exploit kit, and POS malware dropped significantly as the industry adopted better security practices and technology. This prompted a wholly expected move from the malware writers as they shifted their efforts into new opportunities ripe for profit, such as ransomware, which emerged as the attack of choice for 2016. Read SonicWall President and CEO Bill Conner’s Annual Threat Report blog from last week for a great overview.

We can track much of this evolution in the cybersecurity landscape with the mantra “follow the [easy] money.” In other words, the majority of attacks will move to where the attackers can make the most money with the least amount of effort. A good method of defensive security thinking, therefore, is “How can I make it significantly more difficult for someone to make money off me and my network than from someone else on the Internet?” This may remind some readers about the joke where you have to outrun the other person, not the bear, in order to survive.

So how do you stay ahead?

Go through the following checklist and evaluate whether you are an easy target:

  1. Cover the known attacks: This is foundational. Prevent previously seen malware from being deployed against your users by the lazy attackers who are just looking for an easy opportunity. Protect *all* networks in your organization including small branch offices and remote workers. You must treat those as you would treat your primary corporate site; otherwise, you have a soft side in your defense with a direct route back to your network. Top-notch gateway anti-malware, intrusion prevention and botnet traffic filtering will help you cover these previously-seen threats.
  2. Cover the unknown attacks: Now you are looking for advanced malware. This is the cutting edge. Network sandboxing technology analyzes suspicious files to detect malware that has not yet been observed, studied and classified. For example, if network sandboxing observes bad behavior from a suspicious file, such as encrypting everything in sight or an MS Word document that opens network connection, it can rule with a high degree of confidence that the file is malicious.
    A few critical points about network sandboxing:
      a. Invest in evasion-resistant sandboxing technologies. By combining multiple sandboxing technologies, you reduce the probability of evasion virtually to zero. This is analogous to running an MRI, a CAT scan and an X-ray simultaneously. Attackers know that sandboxing is starting to be widely deployed, so they look to evade low-tech “checklist” type sandboxes.
      b. Invest in sandboxing that does not just ring the alarm, but also blocks the threat. Otherwise, you just receive a notification that an advanced piece of malware got through two minutes ago and “Good Luck!” Technology must work for you: sandboxing must block until it reaches a verdict on the unknown file.
      c. Deploy everywhere, network and email: Our Threat Report found that the most popular payload for malicious email campaigns in 2016 was ransomware (Locky, deployed by Nemucod). You must look for known and unknown malware in your network and email/messaging traffic to cover all your bases.
  3. Cover known and unknown attacks inside encrypted traffic: How much of your traffic is SSL/TLS or SSH? 20%? 50%? 70%? Whichever percentage is correct for you, that is the amount of network traffic that you’re letting in un-inspected if you do not actively intercept that traffic. Malware writers know that this is emerging as the soft spot in many networks. Cover all your bases by looking for known and unknown malware inside of encrypted channels.
  4. Establish a ring of trust by segmenting off your IoT devices: A camera is a computer that can record and send video. A thermostat is a computer that controls temperature. A phone is a computer that can make phone calls. A “smart” refrigerator is a… you get the point. You cannot escape the proliferation of IoT devices in your network, and while the IoT vendors are wrapping their heads around security, you can control your IoT risk by segmenting those devices from the rest of your real network. Grant access on an as-needed basis.

Ransomware Attack Attempts

After reading the full 2017 SonicWall Annual Threat Report, evaluate whether your current network, email and mobile defenses cover the points above and keep you ahead of the attackers. Can they make easy money off you and your users?

SonicWall has technologies that can make you a significantly more difficult target by automating advanced protection and by turning breach detection into breach prevention.

SonicWall Next-Generation and UTM firewalls help to look for known and unknown threats on the network, on both unencrypted and on SSL/TLS encrypted traffic. SonicWall’s line of Access Security solutions can secure mobile users and facilitate proper network and IoT device segmentation.

SonicWall Capture ATP is an award-winning network sandboxing service that runs on SonicWall firewalls and Email Security 9.0 products. Capture utilizes multiple analysis engines with block-until-verdict capability, ensuring that unknown malware does not get through and impact your business. Due to the cloud nature of the service, the intelligence collected from the SonicWall Email Security product line strengthens the protection for firewall users and vice versa – it is a self-reinforcing, learning network.

Cancer Ransomware forgets how to ransomware (Feb 10, 2017)

With Locky ransomware activity at an all-time low, new, smaller players in this scam have been observed continuing to proliferate in the wild. This week, the SonicWALL Threats Research team received reports of yet another variant, seemingly still in its early stages. This Trojan behaves like ransomware, but during our analysis it failed to show a warning or instructions on how to regain files and send the payment, the most common sign of a ransomware infection. It ended up being more of an annoyance than a Trojan trying to defraud its victim.

Infection Cycle:

This Trojan arrives as a fake VirusTotal-related file. It uses the following icon and file properties:

Upon execution, it tries to send an ID to a remote server presumably to “register” the infection.

It creates a copy of itself in the AppData directory and also drops the following files:

  • %APPDATA%\Local\~~42340900CANCER~~.dat
  • %APPDATA%\Local\ewwwwww~cancer.png

The png file looks like an image that will be used to change the victim’s desktop background after a successful infection:

The dat file, on the other hand, contains nothing but a few unused strings. This might be a placeholder for a file that can later be used to log infection data.

During infection, an image of a face will start floating on the desktop like a screensaver.

At this point, the victim’s files are not encrypted but they are overwritten.

Filenames and file extensions stay the same, but the files will no longer function as expected. File associations are modified, and any overwritten file will now have the fake VirusTotal icon and will launch the Trojan when executed.

The following registry changes were also made:

When opened with a text editor, the victim’s files will now just bear the string “_cancer” and nothing else.

At this point, the machine became so unstable that it bluescreened. No warning note or any file with payment instructions was observed during the analysis. The victim will be unable to reboot the machine, since operating system boot related files are also encrypted, which renders the machine useless.
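Because this sample leaves names and extensions untouched and replaces each file’s contents with the bare string “_cancer”, an incident responder cannot tell destroyed files from intact ones by listing a directory. The following PowerShell script is an added example, not code from the SonicWall post, that walks a tree and returns only the files carrying that marker, grouped by extension so the restore-from-backup job can be sized per file type. It assumes the marker is exactly “_cancer” (allowing surrounding whitespace or a trailing newline), and the sample directory it creates is constructed for the demonstration only.

```powershell
# Added example (not from the SonicWall post): triage helper that finds files overwritten with
# the "_cancer" marker described above, so they can be queued for restore from backup rather
# than mistaken for intact documents (names and extensions are unchanged by the infection).
# Assumption: the marker is exactly "_cancer", possibly padded with whitespace or a newline.

function Find-CancerOverwrittenFiles {
    param(
        [Parameter(Mandatory)][string]$Root,
        [int]$MaxBytes = 64   # overwritten files are tiny; skipping larger files keeps the scan cheap
    )
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 -and $_.Length -le $MaxBytes } |
        Where-Object {
            $text = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
            ($null -ne $text) -and ($text.Trim() -eq '_cancer')
        } |
        Select-Object FullName, Extension, LastWriteTime
}

# --- constructed demo data, not files from a real infection ---
$demo = Join-Path ([IO.Path]::GetTempPath()) ('cancer-triage-' + [Guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'report.docx') -Value '_cancer'   # overwritten, keeps its name
Set-Content -LiteralPath (Join-Path $demo 'photo.jpg')   -Value '_cancer'   # overwritten, keeps its name
Set-Content -LiteralPath (Join-Path $demo 'notes.txt')   -Value 'quarterly numbers, untouched'

$hits = @(Find-CancerOverwrittenFiles -Root $demo)
"Overwritten files found under $demo : $($hits.Count)"
$hits | Format-Table -AutoSize

# Size the restore job per file type
$hits | Group-Object Extension | Select-Object Name, Count

Remove-Item -LiteralPath $demo -Recurse -Force
```

On a real system, point `-Root` at the user profile or the data shares that were reachable from the infected host, and run it from a clean machine against the mounted volume rather than on the compromised one, since the sample also rewrites file associations so that opening an overwritten file launches the Trojan again. The size cap is a performance shortcut: a marker-only file is a handful of bytes, so anything larger can be skipped without reading it.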

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Cancer.KOI (Trojan)