Is There Really Such a Thing as a Low-Paid Ransomware Operator?

Introduction
Going by recent headlines you could be forgiven for thinking that all ransomware operators are raking in millions of ill-gotten dollars every year from their nefarious activities.
Lurking in the shadows of each large-scale attack by organized gangs of cybercriminals, however, there is a multitude of smaller actors who do not have access to the latest ransomware samples, the ability to become affiliates in the post-DarkSide RaaS world, or the financial clout to tool up at speed.
So what is a low-paid ransomware operator to do in such circumstances?
By getting creative and looking for the latest malware and builder leaks, they can be just as devastating to their victims. In this blog, we track the criminal career of one such actor as they evolve from homemade ransomware to using major ransomware by way of publicly leaked builders.
The Rich Get Richer
For years, the McAfee Enterprise Advanced Threat Research (ATR) team has observed the proliferation of ransomware and the birth and (apparent) death of large organized gangs of operators. The most infamous of these gangs have extorted huge sums of money from their victims, by charging for decryption of data or by holding the data itself to ransom against the threat of publication on their 'leak' websites.
With the profit of such tactics often running into the millions of dollars, such as with the Netwalker ransomware that generated 25 million USD between 1 March and 27 July 2020, we speculate that many of these ill-gotten funds are subsequently used to build and maintain arsenals of offensive cyber tools, allowing the most successful cybercriminals to stay one step ahead of the chasing pack.

Figure 1: Babuk group looking for a corporate VPN 0-day
As seen in the image above, cybercriminals with access to underground forums and deep pockets have the means to pay top dollar for the tools they need to keep generating more profit, with this particular Babuk operator offering up 50,000 USD for a 0-day targeting a corporate virtual private network (VPN), which would allow easy access to a new victim.
The Lowly-Paid Don't Necessarily Stay That Way
For smaller ransomware operators, who do not have affiliation with a large group, the technical skills to create their own devastating malware, or the financial muscle to buy what they need, the landscape looks rather different.
Unable to build equally effective attack chains, from initial access through to data exfiltration, their opportunities to make illegal profits are far slimmer compared to the behemoths of the ransomware market.
Away from the gaze of researchers, who typically focus on the larger ransomware groups, many individuals and smaller groups are toiling in the background, trying to evolve their own operations any way they can. One such method we have observed is the use of leaks, such as the recent online posting of Babuk's builder and source code.

Figure 2: Babuk builder public leak on Twitter

Figure 3: Babuk source code leak on an underground forum
McAfee Enterprise ATR has seen two distinct types of cybercriminal taking advantage of leaks such as this. The first group, which we presume to be less tech-savvy, has simply copied and pasted the builder, substituting the Bitcoin address in the ransom note with their own. The second group has gone further, using the source material to iterate their own versions of Babuk, complete with extra features and new packers.
Thus, even those operators at the bottom of the ransomware food chain have the opportunity to build on others' work and stake their claim to a share of the money to be made from data exfiltration and extortion.
ATR's Theory of Evolution
A Yara rule dedicated to Babuk ransomware was triggered by a new sample uploaded to VirusTotal, which brings us to our 'lowly-paid' ransomware actor.
From a quick look at the sample we can deduce that it is a copied and pasted binary output from Babuk's builder, with an edited ransom note naming the version "Delta Plus", two recovery email addresses and a new Bitcoin address for payments:

Figure 4: Strings content of the "Delta Plus" named version of Babuk
We have seen the two recovery email addresses before: they have been used to deliver random ransomware in the past and, by using them to pivot, we were able to delve into the actor's resume.
The first email address, retrievedata300@gmail.com, has been used to drop a .NET ransomware mentioning "Delta Plus":

Figure 5: Strings content of the .NET ransomware related to earlier Delta ransomware activities

Filename: Setup.exe
Compiled Time: Tue Sep  7 17:58:34 2021
FileType: Win32 EXE
FileSize: 22.50 KB
Sha256: 94fe0825f26234511b19d6f68999d8598a9c21d3e14953731ea0b5ae4ab93c4d

The ransomware is fairly easy to analyze; all mechanisms are declared, and command lines, registry modifications, etc., are hardcoded in the binary.

Figure 6: .NET analysis with command line details
In fact, the actor's own ransomware is so poorly developed (no packing, no obfuscation, command lines embedded in the binary, and the fact that .NET is easy to analyze) that it is hardly surprising they started using the Babuk builder instead.
By way of contrast, their new project is well developed, easy to use and efficient, not to say painful to analyze (as it is written in Go), and provides executables for Windows, Linux and network attached storage (NAS) systems.
The second email address, deltapaymentbitcoin@gmail.com, has been used to drop an earlier version of the .NET ransomware:

Figure 7: Strings content from the first version of the .NET ransomware

Filename: test2.exe
Compiled Time: Mon Aug 30 19:49:54 2021
FileType: Win32 EXE
FileSize: 15.50 KB
Sha256: e1c449aa607f70a9677fe23822204817d0ff41ed3047d951d4f34fc9c502f761

Tactics, Techniques and Procedures
By checking the relationships between the "Delta ransomware", the Babuk iteration and the domains contacted during process execution, we can observe some domains related to our sample:

suporte01928492.redirectme.net

suporte20082021.sytes.net

24.152.38.205

Due to a misconfiguration, files hosted on these two domains are accessible through an Open Directory (OpenDir), which is a listing of direct links to files stored on a server:

Figure 8: Open Directory website where the samples are hosted

bat.rar: A PowerShell script used to perform several operations:

    Attempt to disable Windows Defender
    Bypass User Account Control (UAC)
    Get system rights via runasti

Figure 9: Privilege escalation to get system rights

exe.rar: Delta Plus ransomware
reg.rar: Registry values used to disable Windows Defender

Figure 10: Registry value modifications to disable Windows Defender
Other domains where files are hosted contain different tools used during attack operations:

We have found two methods employed by the operator, which we assume are used for initial access: first, a fake Flash Player installer and, secondly, a fake Anydesk remote tool installer used to drop the ransomware. Our theory about Flash Player initial access has been confirmed by checking the IP that hosts most of the domains:

Figure 11: Fake Flash website used to download the fake Flash installer
When logging in, the website warns you that your Flash Player version is outdated and tries to download the fake Flash Player installer:

Figure 12: JavaScript variables used to drop the fake Flash installer
A secondary website appears to have also been used in propagating the fake Flash Player, though it is currently offline:

Figure 13: JavaScript function to download the fake Flash installer from another website

Portable Executable (PE) files used to launch PowerShell command lines to delete shadow copies, add Windows Defender exclusions and import registry keys from "Update.reg.rar" to disable Windows Defender.
A PE file used for several purposes: exfiltrating files from the victim, keylogging, checking whether the system has already been held to ransom, getting system information, obtaining user information, and creating and stopping processes.

Figure 14: Functions and C2 configuration from the ransomware sample (host used for extraction)

In addition to the above, we also found evidence that this actor tried to leverage another ransomware builder leak, Chaos ransomware.

Infrastructure
The majority of domains used by this actor are hosted on the same IP: "24.152.38.205" (AS 270564 / MASTER DA WEB DATACENTER LTDA).
But, as we saw when analyzing the extraction tool used by the actor, another IP is mentioned: "149.56.147.236" (AS 16276 / OVH SAS). On this IP, some ports are open, such as FTP (probably used to store exfiltrated data), SSH, etc.
By querying this IP with Shodan, we can get a dedicated hash for the SSH service, plus fingerprints for this IP, and then find other IPs used by the actor during their operations.
By using this hash, we were able to map the infrastructure by looking for other IPs sharing the same SSH key and fingerprints.
At least 174 IPs share the same SSH pattern (key, fingerprint, etc.); all findings are available in the IOCs section.
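The host-key pivot described above can be reproduced over any scan export that records SSH fingerprints. The following is an added example, not code from the McAfee post: it clusters constructed scan records by SSH host-key fingerprint, returns the peers of a seed address, and intersects their open ports as a second attribute to corroborate the cluster. The records and fingerprints are constructed placeholders; only 149.56.147.236 and 24.152.38.205 come from the post, the other addresses are RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed scan records in the shape an internet-scan export might give:
# address, SSH host-key fingerprint and open ports. Fingerprints are
# placeholders, not the actor's real keys.
SCAN_RECORDS = [
    {"ip": "149.56.147.236", "ssh_fp": "SHA256:PLACEHOLDER_ACTOR_KEY", "ports": [21, 22, 1177]},
    {"ip": "24.152.38.205",  "ssh_fp": "SHA256:PLACEHOLDER_ACTOR_KEY", "ports": [22, 80]},
    {"ip": "198.51.100.7",   "ssh_fp": "SHA256:PLACEHOLDER_OTHER_KEY", "ports": [22]},
    {"ip": "203.0.113.9",    "ssh_fp": "SHA256:PLACEHOLDER_ACTOR_KEY", "ports": [21, 22]},
    {"ip": "192.0.2.44",     "ssh_fp": None,                           "ports": [80, 443]},
]


def cluster_by_fingerprint(records):
    """Group addresses by SSH host-key fingerprint; hosts without SSH are skipped."""
    clusters = defaultdict(set)
    for rec in records:
        if rec.get("ssh_fp"):
            clusters[rec["ssh_fp"]].add(rec["ip"])
    return clusters


def pivot(seed_ip, records):
    """Return the other addresses presenting the same host key as seed_ip,
    in numeric address order; empty if the seed is unknown or exposes no SSH."""
    seed_fp = next((r.get("ssh_fp") for r in records if r["ip"] == seed_ip), None)
    if not seed_fp:
        return []
    peers = cluster_by_fingerprint(records)[seed_fp] - {seed_ip}
    return sorted(peers, key=ipaddress.ip_address)


def shared_ports(ips, records):
    """Ports open on every address in ips: an independent attribute used to
    corroborate a host-key cluster, because cloned VM images also share keys."""
    port_sets = [set(r["ports"]) for r in records if r["ip"] in ips]
    if not port_sets:
        return set()
    return set.intersection(*port_sets)


if __name__ == "__main__":
    seed = "149.56.147.236"
    peers = pivot(seed, SCAN_RECORDS)
    print("hosts sharing the seed's SSH key:", peers)
    print("ports common to the cluster:", shared_ports([seed] + peers, SCAN_RECORDS))
```

A shared host key on its own is a lead, not an attribution: hosting providers that clone images ship identical keys to unrelated customers, which is why the cluster is checked against a second attribute before it is added to an IOC list.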
Some IPs are hosting different file types, possibly related to earlier campaigns:

Figure 15: Open Directory website probably used by the same actor for earlier campaigns
Bitcoin Interests
Most of the ransomware samples used by the actor mention different Bitcoin (BTC) addresses, which we assume is an effort to obscure their activity.
By looking for transactions between these BTC addresses with CipherTrace, we can observe that all the addresses we extracted from the samples we have found (see the circle highlighted with a yellow "1" below) are related and ultimately point to a single Bitcoin wallet, probably under the control of the same threat actor.
From the three samples we researched, we were able to extract the following BTC addresses:

3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs
1Faiem4tYq7JQki1qeL1djjenSx3gCu1vk
bc1q2n23xxx2u8hqsnvezl9rewh2t8myz4rqvmdzh2

Figure 16: Follow the money with CipherTrace
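The addresses above were recovered from the samples' strings. As an added example, not code from the McAfee post, the following Python extracts candidate Bitcoin addresses from a strings dump and verifies each one's checksum (Base58Check for 1.../3... addresses, bech32 or bech32m for bc1... addresses), so that truncated or corrupted matches are not fed into a blockchain-analysis pivot. The strings dump is constructed; the valid addresses in it are public test vectors (the Bitcoin wiki P2PKH and P2SH examples and the BIP173 P2WPKH vector), not the actor's, and the post's own three addresses can be run through it the same way.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
# Legacy (1...), P2SH (3...) and native segwit (bc1...) candidates.
ADDR_RE = re.compile(r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})\b")


def base58check_valid(addr):
    """Decode a Base58Check string and verify its 4-byte double-SHA256 checksum."""
    num = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        num = num * 58 + idx
    # Each leading '1' encodes one leading zero byte (the 0x00 P2PKH version).
    leading = len(addr) - len(addr.lstrip("1"))
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    raw = b"\x00" * leading + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def bech32_polymod(values):
    """BCH checksum polynomial from BIP173."""
    gen = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_valid(addr):
    """Verify a bech32 (bc1q...) or bech32m (bc1p...) checksum per BIP173/BIP350."""
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return False
    hrp, data = addr[:pos], addr[pos + 1:]
    if any(c not in BECH32_CHARSET for c in data):
        return False
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [BECH32_CHARSET.find(c) for c in data]
    return bech32_polymod(values) in (1, 0x2bc830a3)


def classify(addr):
    """Return (kind, checksum_ok) for one candidate address string."""
    if addr.startswith("bc1"):
        return "bech32", bech32_valid(addr)
    kind = "p2pkh" if addr[0] == "1" else "p2sh"
    return kind, base58check_valid(addr)


def extract_addresses(text):
    """Find candidate BTC addresses in a strings dump and checksum each one."""
    seen, results = set(), []
    for match in ADDR_RE.findall(text):
        if match not in seen:
            seen.add(match)
            kind, ok = classify(match)
            results.append((match, kind, ok))
    return results


# Constructed strings dump. The three valid addresses are public test vectors;
# the sha256 line is the hash of the post's exfiltration tool (not an address);
# the last line is the BIP173 vector with its final character changed.
SAMPLE_STRINGS = """
Your files have been encrypted. Send 0.05 BTC to:
1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2
alt: 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
bech32: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4
sha256: ceb0e01d96f87af0e9b61955792139f8672cf788d506c71da968ca172ebddccd
typo: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5
"""

if __name__ == "__main__":
    for addr, kind, ok in extract_addresses(SAMPLE_STRINGS):
        print(addr, kind, "checksum ok" if ok else "CHECKSUM FAILED")
```

The regex alone would happily return a ransom note's typo or a truncated string; the checksum step is what makes the list safe to hand to a chain-analysis tool. Taproot (bc1p...) addresses use the bech32m constant, which is why both constants are accepted.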
Ransomware Isn't Just About Survival of the Fittest
As we have seen above, our example threat actor has evolved over time, moving from simplistic ransomware and demands in the hundreds of dollars to toying with at least two builder leaks and ransom amounts in the thousands of dollars range.
While their activity so far suggests a low level of technical skill, the profits of their cybercrime may well prove large enough for them to make another step change in the future.
Even if they stick to copy-pasting builders and crafting 'stagers', they will have the means at their disposal to create an efficient attack chain with which to compromise a company, extort money and increase their profit to the point of becoming a bigger fish in a small pond, just like the larger RaaS crews.
In the meantime, such opportunistic actors will continue to bait their hooks and catch any fish they can as, unlike affiliated ransomware operators, they do not have to follow any rules in return for support (pentest documentation, software, infrastructure, etc.) from the gang's operators. Thus, they have a free hand to carry out their attacks and, if a victim wants to bite, they do not care about ethics or who they target.
The good news for everyone else, however, is the fact that global law enforcement isn't going to need a bigger boat, as it already casts its nets far and wide.
MITRE ATT&CK

Technique ID | Technique Description | Observable
T1189 | Drive-by Compromise | The actor is using a fake Flash website to spread a fake Flash installer.
T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell is used to launch command lines (delete shadow copies, etc.).
T1059.007 | Command and Scripting Interpreter: JavaScript | JavaScript is used in the fake Flash website to download the fake Flash installer.
T1112 | Modify Registry | To disable Windows Defender, the actor modifies the registry keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" and "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection".
T1083 | File and Directory Discovery | The actor is listing files on the victim system.
T1057 | Process Discovery | The actor is listing running processes on the victim system.
T1012 | Query Registry | To perform some registry modifications, the actor first queries the registry path.
T1082 | System Information Discovery | Before encrypting files, the actor is listing hard drives.
T1056.001 | Input Capture: Keylogging | The exfiltration tool has the capability to log user keystrokes.
T1005 | Data from Local System |
T1571 | Non-Standard Port | The actor is using port "1177" to exfiltrate data.
T1048 | Exfiltration Over Alternative Protocol |
T1486 | Data Encrypted for Impact | Data encrypted by ransomware.
T1490 | Inhibit System Recovery | Delete shadow copies.

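The observables in the table above map onto telemetry a defender can alert on. The following is an added example, not code from the McAfee post: a small detection pass over constructed Sysmon-style events for three of the listed behaviours, namely value writes under the Windows Defender policy key (T1112), shadow copy deletion command lines (T1490) and outbound connections to port 1177 (T1571). The event dictionaries, image paths and the DisableRealtimeMonitoring value name are constructed or assumed for illustration; only the registry key path, the "delete shadows" command fragment and the port number come from the post.

```python
import re

# Registry key named in the post (T1112), in the short hive form Sysmon uses
# for RegistryEvent records; compared case-insensitively as a prefix.
DEFENDER_POLICY_PREFIX = r"hklm\software\policies\microsoft\windows defender"
# Command fragment from the post (Babuk's "delete shadows /all /quiet" string).
SHADOW_DELETE = re.compile(r"delete\s+shadows", re.IGNORECASE)
# Destination port the post reports for data exfiltration (T1571).
EXFIL_PORT = 1177


def normalise_key(path):
    """Lower-case a registry path and shorten HKEY_LOCAL_MACHINE to HKLM."""
    return path.lower().replace("hkey_local_machine", "hklm")


def check_event(evt):
    """Return a list of (technique_id, reason) findings for one event dict."""
    findings = []
    eid = evt.get("EventID")
    if eid == 13:  # Sysmon RegistryEvent (Value Set)
        target = evt.get("TargetObject", "")
        if normalise_key(target).startswith(DEFENDER_POLICY_PREFIX):
            findings.append(("T1112", "Defender policy write: " + target))
    elif eid == 1:  # Sysmon ProcessCreate
        cmd = evt.get("CommandLine", "")
        if SHADOW_DELETE.search(cmd):
            findings.append(("T1490", "Shadow copy deletion: " + cmd))
    elif eid == 3:  # Sysmon NetworkConnect
        if evt.get("Initiated") and evt.get("DestinationPort") == EXFIL_PORT:
            findings.append(("T1571", "Outbound connection to port %d from %s"
                             % (EXFIL_PORT, evt.get("Image", "?"))))
    return findings


def scan(events):
    """Apply check_event to every event; return all findings in event order."""
    findings = []
    for evt in events:
        findings.extend(check_event(evt))
    return findings


# Constructed sample events (not real telemetry): three that should fire and
# two benign ones that should not. Value name and image paths are assumed.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
                     r"\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "vssadmin delete shadows /all /quiet"'},
    {"EventID": 3, "Image": r"C:\Users\Public\AppMonitorPlugIn.exe", "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 1177},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\LastCheck",
     "Details": "QWORD"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "Initiated": True,
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]

if __name__ == "__main__":
    for technique, reason in scan(SAMPLE_EVENTS):
        print(technique, reason)
```

The three matchers are deliberately narrow and independent, so each one can be tuned or suppressed on its own: the registry prefix catches any value written under the policy key rather than a fixed value name, and the port check only fires on connections the host initiated.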
Detection Mechanisms
Sigma Rules

Yara Rules
Babuk Ransomware Windows

rule Ransom_Babuk {
    meta:
        description = "Rule to detect Babuk Locker"
        author = "TS @ McAfee Enterprise ATR"
        date = "2021-01-19"
        hash = "e10713a4a5f635767dcd54d609bed977"
        rule_version = "v2"
        malware_family = "Ransom:Win/Babuk"
        malware_type = "Ransom"
        mitre_attack = "T1027, T1083, T1057, T1082, T1129, T1490, T1543.003"

    strings:
        // "\How To Restore Your Files.txt" as a UTF-16 string
        $s1 = {005C0048006F007700200054006F00200052006500730074006F0072006500200059006F00750072002000460069006C00650073002E007400780074}
        $s2 = "delete shadows /all /quiet" fullword wide

        $pattern1 = {006D656D74617300006D65706F63730000736F70686F730000766565616D0000006261636B7570000047785673730000004778426C7200000047784657440000004778435644000000477843494D67720044656657617463680000000063634576744D67720000000063635365744D677200000000536176526F616D005254567363616E0051424643536572766963650051424944505365727669636500000000496E747569742E517569636B426F6F6B732E46435300}
        $pattern2 = {004163725363683253766300004163726F6E69734167656E74000000004341534144324457656253766300000043414152435570646174655376630000730071}
        $pattern3 = {FFB0154000C78584FDFFFFB8154000C78588FDFFFFC0154000C7858CFDFFFFC8154000C78590FDFFFFD0154000C78594FDFFFFD8154000C78598FDFFFFE0154000C7859CFDFFFFE8154000C785A0FDFFFFF0154000C785A4FDFFFFF8154000C785A8FDFFFF00164000C785ACFDFFFF08164000C785B0FDFFFF10164000C785B4FDFFFF18164000C785B8FDFFFF20164000C785BCFDFFFF28164000C785C0FDFFFF30164000C785C4FDFFFF38164000C785C8FDFFFF40164000C785CCFDFFFF48164000C785D0FDFFFF50164000C785D4FDFFFF581640}
        $pattern4 = {400010104000181040002010400028104000301040003810400040104000481040005010400058104000601040006C10400078104000841040008C10400094104000A0104000B0104000C8104000DC104000E8104000F01040000011400008114000181140002411400038114000501140005C11400064114000741140008C114000A8114000C0114000E0114000F4114000101240002812400034124000441240005412400064124000741240008C124000A0124000B8124000D4124000EC1240000C1340002813400054134000741340008C134000A4134000C4134000E8134000FC134000141440003C144000501440006C144000881440009C144000B4144000CC144000E8144000FC144000141540003415400048154000601540007815}

    condition:
        filesize >= 15KB and filesize <= 90KB and
        1 of ($s*) and 3 of ($pattern*)
}

Exfiltration Tool

rule CRIME_Exfiltration_Tool_Oct2021 {
    meta:
        description = "Rule to detect tool used to exfiltrate data from victim systems"
        author = "TS @ McAfee Enterprise ATR"
        date = "2021-10-04"
        hash = "ceb0e01d96f87af0e9b61955792139f8672cf788d506c71da968ca172ebddccd"

    strings:
        $pattern1 = {79FA442F5FB140695D7ED6FC6A61F3D52F37F24B2F454960F5D4810C05D7A83D4DD8E6118ABDE2055E4DCCFE28EBA2A11E981DB403C5A47EFB6E367C7EC48C5EC2999976B5BC80F25BEF5D2703A1E4C2E3B30CD26E92570DAF1F9BD7B48B38FB522358}
        $pattern2 = {B4A6D4DD1BBEA16473940FC2DA103CD64579DD1A7EBDF30638A59E547B136E5AD113835B8294F53B8C3A435EB2A7F649A383AA0792DD14B9C26C1BCA348920DFD37DA3EF6260C57C546CA51925F684E91239152DC05D5161A9064434}
        $pattern3 = {262E476A45A14D4AFA448AF81894459F7296633644F5FD061A647C6EF1BA950FF1ED48436D1BD4976BF81EE84AE09D638BD2C2A01FA9E22D2015518280F6692EB976876C4045FADB71742B9579C13C7482A44A}
        $pattern4 = {F2A113713CCB049AFE352DB8F99160855125E5A045C9F6AC0DCA0AB615BD34367F2CA5156DCE5CA286CCC55E37DFCDC5AAD14ED9DAB3CDB9D15BA91DD79FF96E94588F30}

    condition:
        3 of ($pattern*)
}

IOCs
Infrastructure URLs

http://atualziarsys.serveirc.com/Update4/
http://services5500.sytes.net/Update6/Update.exe.rar
http://suporte20082021.sytes.net/Update5/
http://atualziarsys.serveirc.com/update4/update.exe.rar
http://suporte20082021.sytes.net/Update3/
http://suporte01928492.redirectme.net/
http://atualziarsys.serveirc.com/Update3/
http://services5500.sytes.net/update8/update.exe.rar
http://suporte20082021.sytes.net/update/
http://suporte20082021.sytes.net/Update5/Update.exe.rar
http://suporte01928492.redirectme.net/AppMonitorPlugIn.rar
http://suporte01928492.redirectme.net/Update5/Update.exe.rar
http://services5500.sytes.net/update7/update.exe.rar
http://services5500.sytes.net/Update8/Update.exe.rar
http://services5500.sytes.net/Update8/Update.bat.rar
http://suporte01092021.myftp.biz/update/
http://services5500.sytes.net/Update7/Update.exe.rar
http://suporte01928492.redirectme.net/Update7/Update.bat.rar
http://suporte01928492.redirectme.net/Update7/Update.exe.rar
http://services5500.sytes.net/update6/update.exe.rar
http://suporte01092021.myftp.biz/
http://services5500.sytes.net/Update6/Update.bat.rar
http://suporte01928492.redirectme.net/update6/update.exe.rar
http://suporte01928492.redirectme.net/update5/update.exe.rar
http://services5500.sytes.net/
http://suporte01928492.redirectme.net/Update6/Update.exe.rar
http://atualziarsys.serveirc.com/Update3
http://atualziarsys.serveirc.com/update3/update.reg.rar
http://24.152.38.205/pt/flashplayer28_install.zip
http://suporte01928492.redirectme.net/Update7
http://atualziarsys.serveirc.com/
http://atualziarsys.serveirc.com/update3/mylink.vbs.rar
http://suporte01928492.redirectme.net/update7/update.exe.rar
http://atualziarsys.serveirc.com/Update4/Update.exe.rar
http://suporte01928492.redirectme.net/appmonitorplugin.rar
http://atualziarsys.serveirc.com/update3/update.exe.rar
http://suporte20082021.sytes.net/
http://suporte20082021.sytes.net/update3/update.exe.rar
http://atualziarsys.serveirc.com/Update4/Update.exe2.rar
http://suporte20082021.sytes.net/Update3/Update.exe.rar
http://suporte20082021.sytes.net/Update5/Update.reg.rar
http://atualziarsys.serveirc.com/Update4/Update.exe2.rar/
http://atualziarsys.serveirc.com/Update4
http://suporte01092021.myftp.biz/update/WindowsUpdate2.rar
http://suporte01092021.myftp.biz/update
http://atualziarsys.serveirc.com/Update3/Update.reg.rar/
http://atualziarsys.serveirc.com/Update3/Update.exe.rar
http://suporte20082021.sytes.net/Update3/Update.exe.rar/
http://suporte01092021.myftp.biz/update/WindowsUpdate2.rar/
http://atualziarsys.serveirc.com/Update4/Update.exe.rar/
http://atualziarsys.serveirc.com/Update3/mylink.vbs.rar
http://atualziarsys.serveirc.com/update4
http://atualziarsys.serveirc.com/update3
http://suporte01092021.myftp.biz/update/Update.rar
http://suporte01928492.redirectme.net/AppMonitorPlugIn.rar/
http://suporte20082021.sytes.net/update5/update.exe.rar
http://suporte01092021.myftp.biz/update5/update.exe.rar
http://atualziarsys.serveirc.com/update4/update.exe2.rar
http://suporte01092021.myftp.biz/update/windowsupdate2.rar
http://suporte20082021.sytes.net/update2/update.exe.rar
http://suporte20082021.sytes.net/update/windowsupdate2.rar
http://atualziarsys.serveirc.com/Update4/mylink.vbs.rar
http://atualziarsys.serveirc.com/favicon.ico
http://24.152.38.205/1.rar
http://24.152.38.205/1.exe
http://appmonitorplugin.sytes.net/appmonitorplugin.rar
http://suporte20082021.sytes.net/update/WindowsUpdate2.rar
http://appmonitorplugin.sytes.net/
http://suporte20082021.sytes.net/appmonitorplugin.rar
http://suportmicrowin.sytes.net/appmonitorplugin.rar
http://suportmicrowin.sytes.net/
http://suportmicrowin.sytes.net/AppMonitorPlugIn.rar
http://appmonitorplugin.sytes.net/AppMonitorPlugIn.rar
http://24.152.38.205/pt/setup.zip

Infrastructure Domains

services5500.sytes.net
atualziarsys.serveirc.com
suporte01092021.myftp.biz
suporte20082021.sytes.net
suporte01928492.redirectme.net
suportmicrowin.sytes.net
appmonitorplugin.sytes.net

Infrastructure IPs

149.56.147.236
24.152.38.205
54.38.122.66
149.56.38.168
149.56.38.170
24.152.36.48
66.70.170.191
66.70.209.174
142.44.129.70
51.79.107.245
46.105.36.189
178.33.108.239
54.39.193.37
24.152.37.115
144.217.139.134
24.152.36.58
51.38.19.201
51.222.97.177
51.222.53.150
144.217.45.69
87.98.137.173
144.217.199.24
24.152.37.19
144.217.29.23
198.50.246.8
54.39.163.60
54.39.84.55
24.152.36.30
46.105.38.67
24.152.37.96
51.79.63.229
178.33.107.134
164.132.77.246
54.39.163.58
149.56.113.76
51.161.120.193
24.152.36.210
176.31.37.238
176.31.37.237
24.152.36.83
24.152.37.8
51.161.76.193
24.152.36.117
137.74.246.224
51.79.107.134
51.79.44.49
51.222.173.152
51.79.124.129
51.79.107.242
51.222.173.148
144.217.117.172
54.36.82.187
54.39.152.91
54.36.82.177
142.44.146.178
54.39.221.163
51.79.44.57
149.56.38.173
24.152.36.46
51.38.19.198
51.79.44.59
198.50.246.11
24.152.36.35
24.152.36.239
144.217.17.186
66.70.209.169
24.152.36.158
54.39.84.50
51.38.19.200
144.217.45.68
144.217.111.5
54.38.164.134
87.98.171.7
51.79.124.130
66.70.148.142
51.255.119.19
66.70.209.168
54.39.239.81
24.152.36.98
51.38.192.225
144.217.117.10
144.217.189.108
66.70.148.136
51.255.55.134
54.39.137.73
66.70.148.137
54.36.146.230
51.79.107.254
54.39.84.52
144.217.61.176
24.152.36.150
149.56.147.236
51.38.19.196
54.39.163.57
46.105.36.133
149.56.68.191
24.152.36.107
158.69.99.10
51.255.55.136
54.39.247.244
149.56.147.204
158.69.99.15
144.217.32.24
149.56.147.205
144.217.32.213
54.39.84.53
79.137.115.160
144.217.233.98
51.79.44.56
24.152.36.195
142.44.146.190
144.217.139.13
54.36.82.180
198.50.246.14
137.74.246.223
24.152.36.176
51.79.107.250
51.161.76.196
198.50.246.12
66.70.209.170
66.70.148.139
51.222.97.189
54.39.84.49
144.217.17.185
142.44.129.73
144.217.45.67
24.152.36.28
144.217.45.64
24.152.37.39
198.27.105.3
51.38.8.75
198.50.204.38
54.39.221.11
51.161.76.197
54.38.122.64
91.134.217.71
24.152.36.100
144.217.32.26
198.50.246.13
54.36.82.188
54.39.84.25
66.70.209.171
51.38.218.215
54.39.8.92
51.38.19.205
54.39.247.228
24.152.36.103
24.152.36.104
51.79.44.43
54.39.152.202
66.70.134.218
24.152.36.25
149.56.113.79
178.32.243.48
144.217.45.66
66.70.173.72
176.31.37.239
54.38.225.81
158.69.4.173
24.152.37.189
54.36.146.129
198.50.246.15
51.222.102.30
51.79.105.91
51.79.9.91
51.222.173.151
51.79.107.124
51.222.173.142
144.217.17.187
149.56.85.98
51.79.107.244
144.217.158.195
24.152.36.178
192.95.20.74
51.79.117.250

Ransomware Hashes
Bitcoin Addresses

3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs
1Faiem4tYq7JQki1qeL1djjenSx3gCu1vk
bc1q2n23xxx2u8hqsnvezl9rewh2t8myz4rqvmdzh2

PDB

C:UsersworkdreamsDesktopTestesCrypt_FInalCrazy_CryptCrazyobjDebugAppMonitorPlugIn.pdb
C:UsersworkdreamsDesktoptestNopyfy-Ransomware-masterNopyfy-RansomwareNopyfy-RansomwareobjDebugNopyfy-Ransomware.pdb

PowerShell Script

a8d7b402e78721443d268b682f8c8313e69be945b12fd71e2f795ac0bcadb353

Exfiltration Tool

ceb0e01d96f87af0e9b61955792139f8672cf788d506c71da968ca172ebddccd
c3323fbd0d075bc376869b0ee26be5c5f2cd4e53c5efca8ecb565afa8828fb53

Fake Flash Player Installer

d6c35e23b90a7720bbe9609fe3c42b67d198bf8426a247cd3bb41d22d2de6a1f

Fake Anydesk Installer

e911c5934288567b57a6aa4f9344ed0f618ffa4f7dd3ba1221e0c42f17dd1390
