Authors: Anandeshwar Unnikrishnan, Rishika Desai, Benila Susan Jacob
Executive Summary
CloudSEK’s contextual AI digital risk monitoring platform XVigil came across a CMD-based ransomware strain, YourCyanide, being deployed in the wild. YourCyanide uses Discord, Microsoft Office and Pastebin as part of its payload download chain, delivering files as Discord attachments and fetching further stages through URL requests.
An analysis of the ransomware’s impact shows that it can be used to compromise confidential business details, practices and intellectual property. There is also a potential risk of takeover or shutdown of company operations, resulting in loss of revenue and reputation.
The mitigation measures consist of auditing and monitoring event and incident logs to identify unusual patterns and behaviour. There has to be a systematic mechanism for enforcing data protection, backup and recovery. Additionally, security configurations on network infrastructure devices such as firewalls and routers have to be implemented.
Analysis and Attribution of YourCyanide
CloudSEK’s Threat Research team has conducted an investigation into the new and sophisticated ‘YourCyanide’ ransomware, which is being exploited in the wild.
This CMD-based ransomware strain is distributed primarily as a Discord attachment and makes URL requests to Microsoft Office and Pastebin. Researchers at Trend Micro found that the roots of YourCyanide can be traced back to the GonnaCope ransomware family, which first surfaced in April 2022.
The ransom note is dumped by the malware into “YcynNote.txt”.
Features of the Malware
CloudSEK’s Threat Research team discovered the following features of YourCyanide ransomware and its operators:
The ransomware execution file is delivered as a Discord attachment as shown below:
The obfuscated YourCyanide file, once deobfuscated, fetches the executable GetToken.exe.
The ransomware encrypts files and renames them with a .cyn extension.
The YourCyanide .cmd module is dropped by another malicious file, CaffeJuice.exe.
The ransom note path is C:\Users\Admin\Desktop\YcynNote.txt.
YourCyanide ransomware note
The threat actor shares their name, BTC wallet address, contact channel and number of files encrypted in the ransom note.
The ransomware group usually demands USD 500 from their victims to restore their files.
Association with APT/other ransomware groups
The available YourCyanide sample indicates that it could be a variant of the Kekpop ransomware (also known as Kekware): the ransomware drops an ‘other.txt’ file that mentions Kekpop. Our research also confirms that the same Get.exe executable is used to deliver both Kekpop and YourCyanide.
One of the files dropped during a YourCyanide ransomware attack
Another similarity that links Kekpop and YourCyanide is the ‘black.bat’ file that is dropped in both instances.
Technical Analysis of the YourCyanide Ransomware
Initial Execution
Flowchart of the attack
A malicious LNK file, “powershell.exe.lnk”, executes a PowerShell command that retrieves the executable “YourCyanide.exe” from a Discord server and runs it on the victim system to launch the YourCyanide ransomware.
The malicious binary YourCyanide.exe, downloaded by the LNK file, acts as a ransomware dropper. It performs the following operations on the system:
YourCyanide.exe creates a new directory “IXP000.TMP” in the user’s Temp directory.
It dumps YourCyanide.cmd into the newly created directory. The contents of the file are shown in the following image.
The dropper executes the batch script to fetch contents from Pastebin and saves it as YourCyanide.cmd, which is the actual ransomware written in batch script.
Contents of the file
Before exiting, the dropper deletes the dropped file and the directory in Temp.
Persistence
The main ransomware code fetched from Pastebin is heavily obfuscated with multiple layers of string substitution and slicing to hinder analysis and detection.
Ransomware code
A further analysis of the deobfuscated code shows that the batch program sets its system and hidden attributes as shown below:
Image of the batch program
The hidden attribute, when set, hides the file from the user, while the system attribute makes the operating system treat the file as a system file. Ordinary attempts to alter or delete such a file are therefore refused, just as they are for genuine system files.
The malware achieves persistence through the following AutoStart Extensibility Points:
Run Registry Key
Startup Folder
Encryption Process
The malware creates a new value, “rundll32_474_toolbar”, under the Run key in the registry and stores the name of the malicious batch file as the data of the new entry. A copy of the malware is also saved in the Startup folder. Once persistence is established, the malware creates a new batch file, “AuToexEc.BAT”, in the root of the C:\ drive.
The BAT file contains a command that starts a new process from the same malware copy. Task Manager is then disabled through the registry. All of these operations are shown in the image below.
Task manager disabled
The malware also checks for an existing AUTOEXEC.BAT on the victim system and, if found, replaces it with a copy of itself, as shown below. On older DOS systems, AUTOEXEC.BAT was executed automatically after boot.
Autoexec.bat
Additionally, the ransomware checks for an analysis environment by inspecting the username. The usernames it compares against are taken from popular public sandboxes. The malware exits if the username matches any of those listed in the code below.
Username matching
A file named “black.bat” is dropped in the user’s Documents directory; its contents are written dynamically, as shown below. The dropped batch file launches a black screensaver by calling scrnsave.scr, which causes the user’s screen to go blank.
Black.bat
Target Services
The malware terminates the following services on the target system:
Services Targeted
WinDefend
Wuauserv
Norton AntiVirus Firewall Monitor Service
McAfee SecurityCenter Update Manager
crmonsvc
ccSetMGR
Symantec Network Drivers Service
MpfService
helpsvc
*Symantec*
Symantec Core LC
Norton AntiVirus Auto Protect Service
Norton AntiVirus Server
McShield
InoRT
Norton AntiVirus Client
PC-cillin Personal Firewall
McAfee.com VirusScan Online Realtime Engine
Sophos Anti-Virus
eTrust Antivirus Realtime Server
net stop netsvcs
Security center
Automatic Updates
McAfee Spamkiller Server
Symantec SPBBCSvc
MonSvcNT
ccEvtMGR
Norton Unerase Protection
mcupdmgr.exe
ERSvc
*McAfee*
navapsvc
Norton AntiVirus Client
NAV Alert
DefWatch
InoTask
norton AntiVirus Corporate Edition
Trend Micro Proxy Service
SyGateService
Sophos Anti-Virus Network
Sygate Personal Firewall Pro
Spoolnt
Symantec Core LC
SAVScan
McAfee Personal Firewall Service
Ahnlab Task Scheduler
NProtectService
srservice
MskService
McAfeeAntiSpyware
*norton*
ccPwdSvc
Serv-U
Symantec AntiVirus Client
Nav Auto-Protect
eventlog
norton AntiVirus Auto Protect Service
ViRobot Professional Monitoring
McAfee.com McShield
Sygate Personal Firewall Pro
eTrust Antivirus Job Server
eTrust Antivirus RPC Server
Tasks
The malware terminates the following running processes on the system:
Running Processes Targeted
MSASCui.exe
Excel
Msaccess
Outlook
Fiirefox
Iexplore
ITunes
Safari
tskill WINWORD
LimreWire
Msnmsgr
Calc
Mspaint
Msnmsgr
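The persistence and defence-evasion steps above (Run key value, system and hidden attributes, Task Manager disabled) and the bursts of service and process termination in the two lists are exactly what a process-creation log shows. The following detector is an added example, not CloudSEK’s code: it assumes Sysmon-style lines carrying a `CommandLine=` field, the log format and sample lines are constructed, and the regexes are my assumptions about how each behaviour appears on a command line (the article shows them only as screenshots).

```python
import re
from collections import defaultdict
from datetime import datetime

# Subset of the article's "Services Targeted" list, lower-cased for matching.
TARGETED_SERVICES = {
    "windefend", "wuauserv", "mpfservice", "mcshield", "navapsvc", "ccsetmgr",
    "ccevtmgr", "eventlog", "srservice", "ersvc", "norton antivirus client",
}

# Behaviours the article describes (Run key value, system+hidden attributes, Task
# Manager disabled, AUTOEXEC.BAT, dropped file names, UDP firewall rules). The
# regexes are assumptions about how each would appear on a command line.
MARKERS = {
    "run_key_rundll32_474_toolbar": re.compile(r"currentversion\\run\b.*rundll32_474_toolbar", re.I),
    "taskmgr_disabled_via_registry": re.compile(r"disabletaskmgr", re.I),
    "system_hidden_attributes": re.compile(r"\battrib\b(?=.*\+s)(?=.*\+h)", re.I),
    "autoexec_bat_dropped": re.compile(r"\b[a-z]:\\autoexec\.bat\b", re.I),
    "yourcyanide_file_name": re.compile(r"ycynnote\.txt|ycynlog\.cmd|2b2crypt\.cmd|black\.bat", re.I),
    "firewall_rule_udp_2835_or_16981": re.compile(r"\bnetsh\b.*\b(?:2835|16981)\b", re.I),
}

SERVICE_STOP = re.compile(r'\b(?:net1?|sc)(?:\.exe)?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)
PROCESS_KILL = re.compile(r"\b(?:tskill|taskkill)(?:\.exe)?\b", re.I)

# Constructed log format: "<ISO timestamp> host=<name> CommandLine=<command line>"
LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+CommandLine=(?P<cmd>.*)$")

BURST_WINDOW_SECONDS = 60   # stop/kill commands this close together count as one burst
BURST_THRESHOLD = 5


def parse_line(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["host"], m["cmd"]


def analyze(lines):
    """Per host: marker hits, targeted services stopped, and whether a kill burst occurred."""
    findings = defaultdict(lambda: {"markers": set(), "targeted_services": set(), "burst": False})
    kill_times = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, cmd = parsed
        f = findings[host]
        for name, rx in MARKERS.items():
            if rx.search(cmd):
                f["markers"].add(name)
        stop = SERVICE_STOP.search(cmd)
        if stop or PROCESS_KILL.search(cmd):
            kill_times[host].append(ts)
        if stop:
            svc = (stop.group(1) or stop.group(2)).lower()
            if svc in TARGETED_SERVICES:
                f["targeted_services"].add(svc)
    # Sliding window over each host's sorted stop/kill timestamps.
    for host, times in kill_times.items():
        times.sort()
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if (times[i + BURST_THRESHOLD - 1] - times[i]).total_seconds() <= BURST_WINDOW_SECONDS:
                findings[host]["burst"] = True
                break
    return dict(findings)


def verdict(host_findings):
    """A kill burst combined with any article-specific marker or targeted service is the strong signal."""
    if host_findings["burst"] and (host_findings["markers"] or host_findings["targeted_services"]):
        return "yourcyanide_like"
    return "suspicious" if host_findings["markers"] or host_findings["burst"] else "benign"


# Constructed sample: WS01 mirrors the behaviour chain in the article, WS02 is routine admin activity.
SAMPLE_LOG = """\
2022-06-01T10:00:00 host=WS01 CommandLine=reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v rundll32_474_toolbar /d C:\\Users\\Admin\\YourCyanide.cmd /f
2022-06-01T10:00:01 host=WS01 CommandLine=attrib +s +h C:\\Users\\Admin\\YourCyanide.cmd
2022-06-01T10:00:02 host=WS01 CommandLine=reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2022-06-01T10:00:03 host=WS01 CommandLine=net stop WinDefend
2022-06-01T10:00:03 host=WS01 CommandLine=net stop Wuauserv
2022-06-01T10:00:04 host=WS01 CommandLine=net stop "Norton AntiVirus Client"
2022-06-01T10:00:04 host=WS01 CommandLine=net stop McShield
2022-06-01T10:00:05 host=WS01 CommandLine=tskill WINWORD
2022-06-01T10:00:06 host=WS01 CommandLine=tskill Outlook
2022-06-01T10:05:00 host=WS02 CommandLine=net stop Spooler
2022-06-01T10:20:00 host=WS02 CommandLine=notepad.exe C:\\Users\\Bob\\notes.txt
"""

if __name__ == "__main__":
    for host, f in analyze(SAMPLE_LOG.splitlines()).items():
        print(host, verdict(f), sorted(f["markers"]), sorted(f["targeted_services"]))
```

The window and threshold are deliberately loose; a single `net stop` from an administrator stays "benign", and only the combination of a burst with the article's markers is escalated.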
Data Manipulation
After terminating the protective services and running tasks, the malware locks the data on the target system as shown below. The following directories and their subdirectories are traversed:
Desktop
Documents
Music
Pictures
Videos
Downloads
Locking of data on target systems
Each file is renamed to a random number, obtained by multiplying random numbers, with a “cyn” extension appended. Once a file is renamed, random data is written into it.
The malware drops another batch file, “2b2crypt.cmd”, to lock Minecraft-related data, as shown below. The locking logic is the same as before; the “.minecraft” and “.minecraft\mods” directories are targeted. After the batch file’s contents are written, it is executed to start locking the data.
2b2crypt.cmd for minecraft related data
The Logger Script
Using PowerShell, the malware retrieves another batch file, “ycynlog.cmd”, and executes it on the target system.
Ycynlog.cmd batch file executed
The “ycynlog.cmd” script is heavily obfuscated with the same logic used for the main ransomware batch file. The batch instructions hosted on Pastebin are shown below. This script acts as a user data logger and sends the collected data to a Telegram bot (https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538).
Image of Operations
Like the main ransomware script, ycynlog.cmd begins by setting Run registry keys to achieve persistence on the target system and also drops a copy of ycynlog.cmd in the Startup folder.
The logger script downloads an additional executable file hosted on Discord CDN and executes it on the system.
GetToken Binary
GetToken is a C#/.NET program used to steal users’ Discord tokens. The stealer contains hard-coded paths to the local storage directories of Discord and various web browsers, as shown in the image below.
GetToken Image
Tokens are identified using regex pattern matching, as shown below. If a match is found, the stealer checks the validity of the token by calling the function TokenUtil.checkToken.
tokenutil.check token operations
The validity check is performed by connecting to the Discord server and inspecting the server’s response. The token-checking routine is shown below; valid tokens are returned to the caller.
Token checking routine
The stealer creates a file Tokens.txt on the victim system and dumps all valid tokens found into it. If no tokens are present, the value written into Tokens.txt is “Retard Has No tokens.” The ransomware finally sends Tokens.txt to the Telegram bot.
Image of Operations
The public IP address of the victim is retrieved by requesting https://ipv4.wtfismyip.com/text with curl, and the output is stored as IP.txt.
The script retrieves a list of installed applications on the system and stores it in apps.txt, to be sent to the Telegram bot later.
WMI is used extensively to retrieve system-level information. The following list summarizes the data enumerated by the script:
Username
IP address (local)
Network configuration data
MAC information
CPU data
Physical memory data
Disk information like partition details
Windows system information
Windows license information (Product Key)
The above data, along with the Tokens.txt generated by GetToken.exe, is sent to the Telegram bot. Additionally, the logger script steals the following Minecraft-specific user data:
Image of Operations
Launcher_msa_credentials.bin
Launcher_msa_credentials_microsoft_store.bin
Launcher_accounts.json
Launcher_accounts_microsoft_store.json
Launcher_product_state.json
launcher_profiles.json
Using PowerShell, the logger script downloads ForMe.txt from Google Cloud and executes it on the system.
Image of Operations
ForMe.exe dumps data into ForMe.txt, which is later pushed to the Telegram bot. Unfortunately, at the time of our analysis the Google Cloud link did not serve the file. Our research indicates that it could be a browser password stealer.
The ransomware script then drops a batch file named “fuckports.cmd”. Instructions to add custom firewall rules are written into the batch file, as shown below. These firewall rules allow inbound UDP traffic to port 2835 and outbound UDP traffic on port 16981.
Fuckports.cmd batch file dropped
The malware adds itself to the win.ini and system.ini files. These legacy configuration files list programs to start and settings to apply after a system boot. The malware also drops two batch files, “confession.bat” and “Check This Out.bat”, that serve the same purpose.
confession.bat
checkthisout.bat
YourCyanide is also capable of spreading via email. It uses Visual Basic APIs to communicate with Microsoft Outlook and sends out a copy of itself as a mail attachment. To do so, the malware drops “loveletter.vbs” in the Documents directory.
The VB script retrieves the user’s address list and sends an email with the subject “I have a crush on you” and a body that reads “read me”. The attachment is a copy of the ransomware batch program.
Love letter
Ransom Collection
The malware drops an additional VBS file named “mail.vbs” with the same contents as described above, except that the email it sends carries the subject line “Check This Out”.
Check this out
The ransomware uses the PowerShell Out-Printer cmdlet to print multiple copies of the ransom note.
Ransom note
The malware also copies itself to other drives present on the system as shown below:
Copying itself to other drives
Notably, YourCyanide changes the file associations of the vbs, sln, js, css and ini file types. When a file of one of these types is opened, Windows hands it to the associated program; because the malware associates these types with itself, it is executed whenever such a file is opened.
List of associated files
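A defender can audit exactly this chain (extension, ProgID, open command) from a `reg export` of HKEY_CLASSES_ROOT. The parser below is an added example, not CloudSEK’s or the malware’s code; the .reg text is constructed, and the set of expected handler executables is an assumption to be tuned per estate.

```python
import re

# File types the article says YourCyanide re-associates with itself.
WATCHED_EXTENSIONS = (".vbs", ".sln", ".js", ".css", ".ini")

# Opener executables normally expected for these types (assumption for this example).
EXPECTED_HANDLERS = {"wscript.exe", "cscript.exe", "notepad.exe", "devenv.exe",
                     "msedge.exe", "code.exe"}

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg strings escape a backslash and a double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key_path_lower: {value_name: data}}, keeping REG_SZ values only."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):  # dword:/hex: skipped
                reg[current][name] = _unescape(data[1:-1])
    return reg


def open_command(reg, ext):
    """Follow HKCR\\.ext -> ProgID -> shell\\open\\command; None when the chain is incomplete."""
    progid = reg.get("hkey_classes_root\\" + ext.lower(), {}).get("")
    if not progid:
        return None
    key = "\\".join(["hkey_classes_root", progid.lower(), "shell", "open", "command"])
    return reg.get(key, {}).get("")


def handler_executable(command):
    """Return the lower-cased file name of the program a shell open command launches."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()


def find_hijacked_associations(reg_text):
    """Map each watched extension to its open command when the opener is not an expected handler.

    A dropped .cmd/.bat, or cmd.exe wrapping one, is never in the allow list and so is reported."""
    reg = parse_reg(reg_text)
    hijacked = {}
    for ext in WATCHED_EXTENSIONS:
        cmd = open_command(reg, ext)
        if cmd is not None and handler_executable(cmd) not in EXPECTED_HANDLERS:
            hijacked[ext] = cmd
    return hijacked


# Constructed sample in `reg export` text form: .vbs redirected to a dropped .cmd,
# .js and .ini still pointing at their usual handlers, .sln and .css absent.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.vbs]
@="VBSFile"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="cmd.exe /c \"C:\\Users\\Admin\\Documents\\YourCyanide.cmd\" \"%1\""

[HKEY_CLASSES_ROOT\.js]
@="JSFile"

[HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command]
@="\"%SystemRoot%\\System32\\WScript.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\.ini]
@="inifile"

[HKEY_CLASSES_ROOT\inifile\shell\open\command]
@="%SystemRoot%\\System32\\NOTEPAD.EXE %1"
'''
```

A real `reg export` writes UTF-16 with a byte-order mark, so decode the file with `utf-16` before passing its text to `find_hijacked_associations`.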
The malware enables Remote Desktop on the target system, as shown below, and starts TermService (Terminal Services), the service responsible for handling RDP.
Terminal service
Finally, the ransom note is displayed to the user, and an autorun configuration is created for the available drives on the system that leads to execution of the malware itself, as shown below.
Impact & Mitigation
Impact
Stolen credentials could allow access to the organization’s networks.
Exposed Personally Identifiable Information (PII) could be used to orchestrate social engineering schemes, phishing attacks, and even identity theft.
Exposed credentials could be leveraged to access users’ other accounts, owing to password reuse.
Exposed data could reveal business practices and intellectual property.
Mitigation
Use proactive threat intelligence to prevent and alert users of potential threats and to strengthen external security posture.
Reset compromised login credentials and implement a strong password policy for user accounts.
Use MFA (multi-factor authentication) across logins.
Check for possible workarounds and patch all vulnerable and exploitable endpoints while keeping ports open.
Monitor for anomalies that could be indicators of possible takeovers.