The National Cyber Security Centre SK-CERT analysed recently published attacks. Details and recommendations are the following

Updated on 21 April 2021 – extended IOC List

To the warning of 16.04.2021, the National Cyber Security Centre SK-CERT (hereinafter referred to as SK-CERT) publishes the following additional information and technical identifiers:

SK-CERT observed in a short time sequence ransomware infections in a number of organisations in IT sectors of public administration, telecommunications, energy and smart industry with potential impacts on the functioning of the state’s critical infrastructure.

They include several types of ransomware mainly from the EKING/PHOBOS family. The ransomware from the Hakbit family was also observed.

Attack vectors:

These ransomware families use different attack vectors, a particular vector is varying from case to case. They usually abuse publicly available remote access via Remote Desktop Protocol and use various forms of phishing campaigns.

Encrypted file extensions:

.eking, .eight, .CRYSTAL

E-mail contacts of attackers:

[email protected][.]li

[email protected][.]com

[email protected][.]com

[email protected][.]com

[email protected][.]com

[email protected][.]io

[email protected][.]io

[email protected][.]io

The malware can cause the following:

  • deactivate antivirus software (by disabling functions, antivirus software continues to appear functional after deactivation but the changes can be observed in its settings),
  • delete local data structures that could help with the recovery (shadow copies),
  • encrypt local files,
  • identify and encrypt folders available over the network.

The process is present in memory and after new files are created they are automatically encrypted.

MD5 hashes of this type of ransomware (including open source data):

  • b3a5ba623d739ee76f05dc6b2b7f9fee
  • f0dcbc8651bcf391cb1556cf823314a8
  • 840d99c89f366505d06259a89273f8b
  • 128d013b0c3c605cbf9f902f8a7a5fe0
  • 11de7230a2f300393d7b47983885e9ce
  • 217c7b112bc3651f9c91fc7f8ca773d7
  • 1d5535c855ae098ab7d0d7350e13df96
  • a34ceb9c75ceaceb5998ca0af804c50a
  • 840d99c89f366505d06259a89273f8b1
  • 77d594f3eeb39cce1158f70924f61443
  • 4bfe4cbed3483c62789724e827bd1fa9
  • be13334c44f2e0331a6d1d6460ff9359
  • d62a9ae1380402cc467cced405ba4aa0
  • be13334c44f2e0331a6d1d6460ff9359

Recommended procedures in case of infections (encryption) in progress:

  • These ransomware versions use asymmetric encryption, and a decryption key required for full recovery is never present in the computer in which the infection is currently in progress. Thus, in this specific case, the usual recommendation not to shut down the computer does not apply. If you observe ransomware activity, accompanied by high disk and CPU usage, with suspected PHOBOS family ransomware, shut down the computer immediately and disconnect it from the network.
  • If it is a virtual server, it is recommended, before shutting down the computer, to create a snapshot that contains both the disk status and the server memory image (i.e. captures the live system in operation).
  • In any case, separate a device and other affected devices from network segments.

Preventive measures:

« Späť na zoznam