noodls browser compatibility check

The security settings of your browser are blocking the execution of scripts.

To use noodls, javascript support must be enabled. Please change your browser's security settings to enable javascript.

If you have changed your browser's security settings, you can click here.

related announcements

News

NetApp Inc.

New era of security | NetApp Blog
NIST - National Institute of[...]

Implementing the Risk Management Framework for Additive Manufacturing[...]
NIST - National Institute of[...]

Maximally efficient exchange in thin flow cells using density gradients

Politics and Policy

SonicWALL Inc.

10/25/2024 | Press release | Distributed by Public on 10/26/2024 02:07

New Iranian-based Ransomware Group Charges $2000 for File Retrieval

The SonicWall Capture Labs threat research team has encountered a recently released ransomware from an Iranian team of hackers. The group has named themselves hackersadism. The group does not appear to be targeting large corporations at this time as they only charge $2000 in BNB (Binance coin crypto) for file restoration. The price for file retrieval is also negotiable. During our analysis, we were able to converse directly with the malware operator and negotiate payment.

Infection Cycle

Upon executing the malware, files on the system are encrypted. Each file is given a new file extension consisting of 4 alphanumeric characters. When the encryption phase is complete, the following image is displayed on the desktop background:

[Link]

Figure 1: Desktop image

A file named read_it.txt is dropped on to the desktop and contains the following message in Farsi:

[Link]

Figure 2: Ransom message

A rough translation from Farsi to English is as follows:

[Link]

Figure 3: Translation

The malware is easy to decompile and contains no obfuscation. After decompiling the code, we can see its inner workings and intentions.

Before encryption, a region check is performed. If az-Latn-AZ (Latin, Azerbaijan), tr-TR (Turkish) locales are detected on the system, the program exits:

[Link]

Figure 4: Region check

If the following system files and directories are encountered during the encryption process, they are ignored:

[Link]

Figure 5: Ignored system files

The following file types are targeted for encryption:

[Link]

Figure 6: Targeted file types

Anti-virus, system administration, databases and backup tools are disabled if found to be running:

[Link]

Figure 7: Targeted services to shut down

System recovery features that are built into Windows are disabled:

[Link]

Figure 8: Disabling system recovery

The ransom message tells the victim to communicate with the operator @hackerSadism using Telegram. The Operator uses the following user image:

[Link]

Figure 9: Telegram user image

We had the following conversation with the operator to negotiate payment for file retrieval:

[Link]

Figure 10: Chat with operator

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Sadism.RSM(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.

Sharing and Personal Tools

Please select the service you want to use:

Back

View original format