DSCI Threat Intelligence and Research Initiative: Threat Advisory (Special Advisory), 2020-09-17. Transcript of the 12-page document, posted online 29-Jan-2021.

TI&R © Data Security Council of India 2020 Threat Advisory

Threat Identification – DTINRS002

DSCI Threat Intelligence and Research Initiative
Threat Advisory
Special Advisory


    New Ransomware: FastWind, Pysa, Spade, Nefilim

    Threat Identification – DTINRS0025

Synopsis:

FastWind is ransomware belonging to the GlobeImposter malware family. It encrypts the victim's files, appends its own extension to their names and drops a ransom note. It mainly targeted Windows users in August 2020. Once the infection has run, the user can no longer open the files stored on the computer, and the attackers demand a substantial ransom to restore them.

Infection and Propagation:

This ransomware usually spreads via infected email attachments, torrent websites and malicious ads. As soon as encryption is done, the ransomware creates the executable "HOW TO BACK YOUR FILES[.]exe", which opens a ransom note instructing the victim to contact its developers and giving further details (Fig.1).

Fig.1. A ransom note (source: https://www.pcrisk.com/removal-guides/18583-fastwind-ransomware)


To receive instructions on how to purchase the decryption tool, its price and other details, the victim is told to send one image, text file or document to fastwindGlobe@mail[.]ee or fastwindglobe@cock[.]li, and to include the assigned personal ID.

Characteristics and Symptoms:

The emails carrying the malicious content are often disguised as official or important in order to deceive recipients. On an infected computer the ransomware appends the ".FastWind" extension to the filename of every encrypted file: for example, "5.jpg" is renamed "5.jpg.FastWind", "6.jpg" becomes "6.jpg.FastWind", and so on (Fig.2). What differs between ransomware families is mainly the key size and the encryption algorithm (symmetric or asymmetric) used. Unless the ransomware has implementation bugs that allow the files to be decrypted without the attackers' key, the victim cannot recover the files without paying or restoring from backup.

Fig.2. Files renamed with the ".FastWind" extension (source: https://www.pcrisk.com/removal-guides/18583-fastwind-ransomware)


Signature/ IoCs:

Cyber Criminal Contact: fastwindGlobe@mail[.]ee, fastwindglobe@cock[.]li
MD5: 02a9b8cfef0087da161c8017a20e79 (as printed: 30 hex characters, shorter than a full 32-character MD5 digest)
SHA1: E292edd0f120e714e728bd6147dbeabdfa65341 (as printed: 39 hex characters, shorter than a full 40-character SHA-1 digest)
SHA256: 3681c3082133e5ca60d307f6beb0330c36d48745612a6cdda200475d5b44234b
SSDEEP: 3072:WUuBqOyv18RQBDiMW0tZA4M0FDJWBbFPkoidKh3XKso0WVgPihwNKYfU2ZS:GBwv2y9m0DK5PkocsTegdN/fn

Recommendation:

• Do not open suspicious or irrelevant emails/links, especially those received from unknown or suspect senders
• Block the installation of programs from unknown sources
• Download only from relevant and trusted sources
• Back up your data regularly
• Perform a full antivirus scan to detect the malware

Threat Identification – DTINRS0026

Synopsis:

Pysa ransomware is the latest variant of the Mespinoza ransomware. It was found active around October 2019, and in early 2020 it was targeting the networks of local government authorities in France. The Pysa gang installed a version of the PowerShell Empire penetration-testing tool, disabled many antivirus products and uninstalled Windows Defender.


Infection and Propagation:

Pysa launches brute-force attacks against Active Directory accounts and against management consoles. The brute-force attacks were followed by the exfiltration of the company's account and password database. The ransomware also drops a text file named "Readme.README.txt" containing the ransom message and instructions on how to recover the files (Fig.3). It encrypts files with a strong algorithm, making it difficult for victims to regain access to them.

Victims are urged to contact Pysa's developers via the [email protected] or [email protected] email address, after which the attackers send instructions on how to pay the ransom. Getting files leaked, however, is an even bigger issue, especially for companies: the developers of Pysa ransomware have published data from around 20 victims (Fig.4).

Fig.3. A ransom note (source: https://www.pcrisk.com/removal-guides/16594-pysa-ransomware)


Characteristics and Symptoms:

This ransomware encrypts files and adds the ".pysa" extension to their names; for instance, "1.jpg" becomes "1.jpg.pysa", and so on (Fig.5). Victim organizations have reported observing unauthorized RDP connections to their domain controllers and the deployment of Batch and PowerShell scripts. The attackers also deployed a version of the PowerShell Empire penetration-testing tool, disabled various antivirus products and, in some cases, uninstalled Windows Defender.

Fig.4. Data leaked by the Pysa operators (source: https://www.pcrisk.com/removal-guides/16594-pysa-ransomware)
Fig.5. Files renamed with the ".pysa" extension (source: https://www.pcrisk.com/removal-guides/16594-pysa-ransomware)
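The intrusion pattern described under Infection and Propagation and Characteristics and Symptoms above (brute forcing of Active Directory accounts, unauthorized RDP sessions to domain controllers, PowerShell Empire launchers, antivirus products and Windows Defender being disabled or removed) maps onto a small set of detection rules over Windows Security and Defender event logs. The script below is an added example written for this page, not tooling from DSCI or from any source the advisory cites. The event format, host names, IP addresses, thresholds and the jump-host allow-list are assumptions made for the demonstration, and the batch of events it runs over is constructed, not real telemetry.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed environment knowledge (hypothetical names and addresses for the demo).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
ADMIN_JUMP_HOSTS = {"10.0.50.5"}            # the only source allowed to RDP into a DC
BRUTE_FORCE_THRESHOLD = 20                  # failed logons from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=2)   # ... within this window

# "powershell ... -enc/-ec/-e <base64>": the launcher form PowerShell Empire stagers use.
ENCODED_PS_RE = re.compile(
    r"powershell(?:\.exe)?.*?\s-(?:enc|encodedcommand|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.I)
# Removing the Defender feature or switching off real-time monitoring from PowerShell.
DEFENDER_TAMPER_RE = re.compile(
    r"Uninstall-WindowsFeature\s.*Windows-Defender|Set-MpPreference\s.*-DisableRealtimeMonitoring", re.I)


def detect_brute_force(events):
    """>= BRUTE_FORCE_THRESHOLD failed logons (event 4625) from one source IP against
    a domain controller inside BRUTE_FORCE_WINDOW; one alert per source."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev["host"] not in DOMAIN_CONTROLLERS:
            continue
        window, now = recent[ev["src_ip"]], datetime.fromisoformat(ev["time"])
        window.append(now)
        while now - window[0] > BRUTE_FORCE_WINDOW:      # drop failures older than the window
            window.popleft()
        if len(window) >= BRUTE_FORCE_THRESHOLD and ev["src_ip"] not in fired:
            fired.add(ev["src_ip"])
            alerts.append({"rule": "ad_brute_force", "host": ev["host"],
                           "src_ip": ev["src_ip"], "failures": len(window)})
    return alerts


def detect_rdp_to_dc(events):
    """Successful RDP logon (4624, logon type 10) to a DC from a non-approved source."""
    return [{"rule": "rdp_to_dc", "host": e["host"], "src_ip": e["src_ip"], "user": e["user"]}
            for e in events
            if e["event_id"] == 4624 and e.get("logon_type") == 10
            and e["host"] in DOMAIN_CONTROLLERS and e["src_ip"] not in ADMIN_JUMP_HOSTS]


def detect_process_abuse(events):
    """Process creation (4688) with an encoded PowerShell launcher or Defender tampering."""
    alerts = []
    for e in events:
        if e["event_id"] != 4688:
            continue
        cmd = e.get("command_line", "")
        for rule, pattern in (("encoded_powershell", ENCODED_PS_RE),
                              ("defender_tamper", DEFENDER_TAMPER_RE)):
            if pattern.search(cmd):
                alerts.append({"rule": rule, "host": e["host"], "user": e["user"], "cmd": cmd})
    return alerts


def detect_defender_disabled(events):
    """Microsoft-Windows-Windows Defender/Operational event 5001: real-time protection disabled."""
    return [{"rule": "defender_rtp_disabled", "host": e["host"]}
            for e in events if e["event_id"] == 5001 and e.get("channel") == "Defender"]


def run_rules(events):
    return (detect_brute_force(events) + detect_rdp_to_dc(events)
            + detect_process_abuse(events) + detect_defender_disabled(events))


def constructed_events():
    """Constructed sample batch, not real telemetry: a brute-force burst against DC01,
    one RDP session to DC01 from the same host, an approved admin RDP session, an
    Empire-style encoded launcher, a benign script run, Defender removal and
    Defender's own 5001 event."""
    t0 = datetime(2020, 3, 14, 2, 0, 0)
    at = lambda **kw: (t0 + timedelta(**kw)).isoformat()
    ev = [{"time": at(seconds=3 * i), "event_id": 4625, "host": "DC01",
           "src_ip": "10.0.7.23", "user": "svc_backup%02d" % i} for i in range(25)]
    ev += [{"time": at(minutes=i), "event_id": 4625, "host": "DC01",
            "src_ip": "10.0.9.41", "user": "jdoe"} for i in range(3)]       # below threshold
    ev += [
        {"time": at(minutes=5), "event_id": 4624, "logon_type": 10, "host": "DC01",
         "src_ip": "10.0.7.23", "user": "CORP\\svc_backup07"},
        {"time": at(minutes=6), "event_id": 4624, "logon_type": 10, "host": "DC01",
         "src_ip": "10.0.50.5", "user": "CORP\\adm_kim"},                   # approved jump host
        {"time": at(minutes=7), "event_id": 4688, "host": "DC01", "user": "CORP\\svc_backup07",
         "command_line": "powershell.exe -noP -sta -w 1 -enc " + "QQ" * 40},
        {"time": at(minutes=8), "event_id": 4688, "host": "DC01", "user": "CORP\\adm_kim",
         "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
        {"time": at(minutes=9), "event_id": 4688, "host": "DC01", "user": "CORP\\svc_backup07",
         "command_line": "powershell.exe Uninstall-WindowsFeature -Name Windows-Defender"},
        {"time": at(minutes=9, seconds=5), "event_id": 5001, "channel": "Defender", "host": "DC01"},
    ]
    return ev


if __name__ == "__main__":
    for alert in run_rules(constructed_events()):
        print(alert)
```

Running the script prints five alerts, one per rule, in the order the constructed events occur. The 4688 rule only works where process-creation auditing with command-line logging is enabled on the domain controllers, and the threshold and window are tuning knobs: a spray of 25 different account names from one workstation, as in the sample, is the pattern the Pysa write-ups describe, while three scattered failures from another host stay below the bar.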


Signature/ IoCs:

Cyber Criminal Contact: aireyeric@protonmail[.]com, ellershaw[.]kiley@protonmail[.]com, minginskilian@protonmail[.]com, schofield_niko@protonmail[.]com, lambchristoffer@protonmail[.]com
MD5: 9ff0f8785b73ce6e86b0a269e44c6d1b
SHA1: e524a3f30f42676a38660373c99ad1d919b45202
SHA256: a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327
SHA256: e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead
SSDEEP: 12288:aVchT6oi+OeO+OeNhBBhhBBpiOTn5CjGGc4dXOsOjKf:aVc1Jiin5yGpMIj

Recommendation:

• Do not download attachments or click on links received from unwanted or untrusted sources
• Keep your antivirus updated and ensure you are using the latest version
• Network intrusion prevention systems and systems that scan and remove malicious email attachments can be used to block the activity
• Disable Windows PowerShell (the task automation framework the Pysa operators abused via PowerShell Empire) where it is not needed, and log and restrict its use where it is
• Back up your data regularly
• Use strong passwords that cannot be brute-forced, and monitor Active Directory and management consoles for brute-force attempts

Threat Identification – DTINRS0027

Synopsis:

Spade is ransomware that was spotted in August 2020. It encrypts data in order to demand a ransom for the decryption tools/software, and it spread mainly to Windows users.


Infection and Propagation:

This ransomware spreads via infected email attachments (macros), torrent websites and malicious ads. Password-stealing Trojans and other malware can be installed alongside the ransomware. Once the encryption process is complete, ransom notes named "Read-For-Decrypt[.]HTA" are dropped into the compromised folders (Fig.6). The message informs victims that their files have been encrypted and their filenames modified, and that to recover or decrypt the files they must pay an unspecified ransom in Bitcoin.

Characteristics and Symptoms:

The ransomware occasionally masquerades as illegal activation ("cracking") tools or third-party updaters, or arrives in suspicious spam emails that trick users into installing it. During encryption, every affected file is renamed according to the pattern: original filename, cybercriminals' email address, unique ID, ".Spade" extension. For instance, a file named "Ten.jpg" would appear as something similar to "Ten.jpg.[[email protected]][MTAF39BGL1YEZ75].Spade" following encryption (Fig.7).

Fig.6. A ransom note (source: https://www.pcrisk.com/removal-guides/18513-spade-ransomware)


Signature/ IoCs:

Cyber Criminal Contact: VoidDeceryptor@tutanota[.]com, VoidDeceryptor@protonmail[.]com
MD5: 62ae12ef05bb6ad38cf30d8c35efd416
SHA1: 90049acd442225de16124a89835eed61f4202a8b
SHA256: a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461
SSDEEP: 24576:WV5cfb0e1sXbNM6JMwgbXzGq3Cx3YJLfhv/wKvl:WVtPbO6qXGhpgLfh3wKv

Fig.7. Files renamed with the ".Spade" extension (source: https://www.pcrisk.com/removal-guides/18513-spade-ransomware)


Recommendation:

• Back up your most important files regularly
• Tune your anti-spam settings
• Block known-malicious IP addresses
• Use a proper antivirus product so that unwanted executables are blocked before they run
• Do not click on suspicious links

Threat Identification – DTINRS0028

Synopsis:

Nefilim is ransomware first spotted in March 2020, when its operators launched a leak site called "Corporate Leaks". In July 2020 the Nefilim operators breached the Dussmann Group and stole the company's sensitive data. The cybercriminals then published "part 1" of the leak, around 15.7 GB comprising 16,805 of the company's files.

Infection and Propagation:

It usually spreads via Trojans, spam campaigns, illegal activation tools ("cracks"), fake updaters and untrustworthy download sources. Like other ransomware, it encrypts data and demands payment for decryption. Once the attack is complete, a ransom message in "NEFILIM-DECRYPT.txt" is created on the victims' desktops, stating that their files have been compromised. The operators demand payment in cryptocurrency, since such payments are hard to reverse and hard to attribute to a real-world identity.


Characteristics and Symptoms:

The attackers accessed the organizations' networks through remote access systems and VPNs to create the opportunity for the ransomware attack. During encryption, all affected files are renamed with the ".NEFILIM" extension: for example, a file named "1.jpg" would appear as "1.jpg.NEFILIM" following encryption (Fig.9).

Fig.8. A ransom note (source: https://www.pcrisk.com/removal-guides/17305-nefilim-ransomware)
Fig.9. Files renamed with the ".NEFILIM" extension (source: https://www.pcrisk.com/removal-guides/17305-nefilim-ransomware)


Signature/ IoCs:

Cyber Criminal Contact: jamesgonzaleswork1972@protonmail[.]com, pretty_hardjob2881@mail[.]com, dprworkjessiaeye1955@tutanota[.]com
MD5: 5ff20e2b723edb2d0fb27df4fc2c4468
SHA1: e53d4b589f5c5ef6afd23299550f70c69bc2fe1c
SHA256: 08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641
SSDEEP: 768:CXStkFWTBhyugDC60CPJkEBx9w7mSDh3vkkjvshT3ED18nv04ZPqpb348Uq1kFjs:CiMWV3gDCk6EBwT/kJbvkbuq1kFjp
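The Signature/IoC sections for all four families, together with the ransom-note file names and the renaming patterns described under each Characteristics and Symptoms heading (".FastWind", ".pysa", ".NEFILIM", and Spade's "original.[e-mail][ID].Spade"), can be turned directly into a file-system triage check. The Python script below is an added example for this page, not code from DSCI: the hashes and names are copied from the advisory, the directory tree it scans is constructed for the demonstration, and the e-mail address in the Spade sample name is a placeholder. It also handles the edge case that the FastWind MD5 and SHA-1 values are printed shorter than a full digest, by matching those as prefixes and flagging them as low-confidence.

```python
import hashlib
import os
import re
import tempfile

FULL_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

# (family, algorithm, hex) as printed in the advisory. The FastWind MD5 (30 chars)
# and SHA-1 (39 chars) are shorter than a full digest as printed, so they are
# matched as prefixes and should be treated as low-confidence until confirmed.
SAMPLE_HASHES = [
    ("FastWind", "md5", "02a9b8cfef0087da161c8017a20e79"),
    ("FastWind", "sha1", "e292edd0f120e714e728bd6147dbeabdfa65341"),
    ("FastWind", "sha256", "3681c3082133e5ca60d307f6beb0330c36d48745612a6cdda200475d5b44234b"),
    ("Pysa", "md5", "9ff0f8785b73ce6e86b0a269e44c6d1b"),
    ("Pysa", "sha1", "e524a3f30f42676a38660373c99ad1d919b45202"),
    ("Pysa", "sha256", "a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327"),
    ("Pysa", "sha256", "e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead"),
    ("Spade", "md5", "62ae12ef05bb6ad38cf30d8c35efd416"),
    ("Spade", "sha1", "90049acd442225de16124a89835eed61f4202a8b"),
    ("Spade", "sha256", "a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461"),
    ("Nefilim", "md5", "5ff20e2b723edb2d0fb27df4fc2c4468"),
    ("Nefilim", "sha1", "e53d4b589f5c5ef6afd23299550f70c69bc2fe1c"),
    ("Nefilim", "sha256", "08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641"),
]
# Ransom-note names (matched case-insensitively) and plain appended extensions.
RANSOM_NOTES = {"how to back your files.exe": "FastWind", "readme.readme.txt": "Pysa",
                "read-for-decrypt.hta": "Spade", "nefilim-decrypt.txt": "Nefilim"}
EXTENSION_FAMILY = {".fastwind": "FastWind", ".pysa": "Pysa", ".nefilim": "Nefilim"}
# Spade renames to <original>.[<attacker e-mail>][<victim ID>].Spade
SPADE_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<email>[^\]]+)\]\[(?P<victim_id>[^\]]+)\]\.Spade$")

def hash_matches(digest, ioc, algo):
    """Exact comparison for a full-length IoC, prefix comparison for a truncated one."""
    digest, ioc = digest.lower(), ioc.lower()
    return digest == ioc if len(ioc) >= FULL_LEN[algo] else digest.startswith(ioc)

def classify_name(filename):
    """(family, details) for a ransom note or encrypted-file name, else None."""
    if filename.lower() in RANSOM_NOTES:
        return RANSOM_NOTES[filename.lower()], {"kind": "ransom_note"}
    m = SPADE_RE.match(filename)
    if m:
        return "Spade", dict(m.groupdict(), kind="encrypted_file")
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXTENSION_FAMILY:
        return EXTENSION_FAMILY[ext.lower()], {"kind": "encrypted_file", "original": stem}
    return None

def file_digests(path):
    """MD5, SHA-1 and SHA-256 of one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {algo: hashlib.new(algo, data).hexdigest() for algo in FULL_LEN}

def scan_tree(root, hash_iocs=SAMPLE_HASHES):
    """Walk root; return one finding dict per name match or hash match."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            by_name = classify_name(name)
            if by_name:
                findings.append(dict(by_name[1], path=path, family=by_name[0], match="name"))
            digests = file_digests(path)
            for family, algo, ioc in hash_iocs:
                if hash_matches(digests[algo], ioc, algo):
                    findings.append({"path": path, "family": family,
                                     "match": "hash:" + algo, "value": digests[algo]})
    return findings

def build_demo_tree(root):
    """Constructed sample (harmless text files, not malware): the renamed-file and
    ransom-note names from the advisory plus one clean file. The Spade e-mail is
    a placeholder, not the attackers' real address."""
    for name in ["5.jpg.FastWind", "HOW TO BACK YOUR FILES.exe", "1.jpg.pysa",
                 "Readme.README.txt", "Read-For-Decrypt.HTA", "1.jpg.NEFILIM",
                 "NEFILIM-DECRYPT.txt", "budget.xlsx",
                 "Ten.jpg.[attacker@example.com][MTAF39BGL1YEZ75].Spade"]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"demo content for " + name.encode())

def demo():
    """Build the sample tree in a temp dir, scan it, print and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        findings = scan_tree(root)
    for f in findings:
        print(f["family"], f["match"], os.path.basename(f["path"]), f.get("victim_id", ""))
    return findings

if __name__ == "__main__":
    demo()
```

On the constructed tree the scanner reports eight name matches (two per family; the Spade hit also carries the extracted victim ID, which is what the attackers ask for in their note) and no hash matches, since the demo files are plain text. Point `scan_tree` at a real share or a mounted disk image to use it as a first-pass triage; a prefix hit on the truncated FastWind digests is worth confirming against a full hash before acting on it.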

Recommendation:

• Do not open suspicious emails
• Use spam filters and an antivirus program to detect and filter malicious emails
• Enable an endpoint security product or endpoint protection suite
• Keep your software up to date
• Back up data regularly and keep archived copies offsite