Updated on 21 April 2021 – extended IOC List
To the warning of 16.04.2021, the National Cyber Security Centre SK-CERT (hereinafter referred to as SK-CERT) publishes the following additional information and technical identifiers:
SK-CERT observed in a short time sequence ransomware infections in a number of organisations in IT sectors of public administration, telecommunications, energy and smart industry with potential impacts on the functioning of the state’s critical infrastructure.
They include several types of ransomware mainly from the EKING/PHOBOS family. The ransomware from the Hakbit family was also observed.
These ransomware families use different attack vectors, a particular vector is varying from case to case. They usually abuse publicly available remote access via Remote Desktop Protocol and use various forms of phishing campaigns.
Encrypted file extensions:
.eking, .eight, .CRYSTAL
E-mail contacts of attackers:
The malware can cause the following:
- deactivate antivirus software (by disabling functions, antivirus software continues to appear functional after deactivation but the changes can be observed in its settings),
- delete local data structures that could help with the recovery (shadow copies),
- encrypt local files,
- identify and encrypt folders available over the network.
The process is present in memory and after new files are created they are automatically encrypted.
MD5 hashes of this type of ransomware (including open source data):
Recommended procedures in case of infections (encryption) in progress:
- These ransomware versions use asymmetric encryption, and a decryption key required for full recovery is never present in the computer in which the infection is currently in progress. Thus, in this specific case, the usual recommendation not to shut down the computer does not apply. If you observe ransomware activity, accompanied by high disk and CPU usage, with suspected PHOBOS family ransomware, shut down the computer immediately and disconnect it from the network.
- If it is a virtual server, it is recommended, before shutting down the computer, to create a snapshot that contains both the disk status and the server memory image (i.e. captures the live system in operation).
- In any case, separate a device and other affected devices from network segments.
- have backups available, preferably in offline form (cold stand-by);
- never back up by copying the data to a network folder but use backup software that downloads data from computers;
- disable login to backup software, virtualisation platform and disk storage using domain accounts. Use unique passwords that are not stored at workstations.
- do not publish services such as RDP and/or VNC on public IP addresses. For remote access, use encrypted VPN access, which is a common part of network firewalls. It is also possible to select one of the freely available VPN tools such as OpenVPN, WireGuard and so on.
- make sure you have applied patches to recent MS Exchange and Fortinet vulnerabilities against which the warnings have been issued:
« Späť na zoznam