Friday 30 June 2017

The WannaCry-like ransomware attack against Ukraine via MEDoc preceding EternalPetya/NotPetya

This week, MalwareHunterTeam discovered the next ransomware clone in a row after XData. It targeted Ukrainian users, presumably through MEDoc software updates, this Monday (June 26, 2017), before EternalPetya/NotPetya was launched (June 27, 2017). The new ransomware is a .NET version of WannaCry. It has a ‘kill process to unlock file’ feature, introduced here for the first time by ransomware, and a bug that reduces its destructive power, allowing the cryptolocker to harm only network drives. Let us take a look under the hood.

Wednesday 28 June 2017

EternalPetya / NotPetya Ransomware Analysis

The new modification of Petya, which we named EternalPetya (because it uses the EternalBlue and EternalRomance exploits), caused a surprisingly large infection outbreak in Ukraine and Russia.

Tuesday 6 June 2017

Chthonic Trojan is back in nation-state cyberattack against Ukraine

Recently, we discovered a nation-state cyber attack against one government institution in Ukraine.
The attackers sent a spear phishing email containing an archived JavaScript file that was used to download and execute the Chthonic backdoor, which belongs to the Zeus family.

Saturday 3 June 2017

XData ransomware attacked users in Ukraine

On May 18, the author(s) of XData ransomware ran a massive attack against Ukrainian users, supposedly leveraging the EternalBlue exploit as well as an ordinary spearphishing email delivery method. A week later, an anonymous user, supposedly the author of the AES-NI ransomware that XData is based on, released the master private key. Currently, XData decryption tools are available. We analysed the XData code and found two host-based 'kill-switches', one of which detects an antivirus running on the infected machine.