Security Affairs

DECEMBER 22, 2022

The Vice Society ransomware group has adopted new custom ransomware, with a strong encryption scheme, in recent intrusions. SentinelOne researchers discovered that the Vice Society ransomware gang has started using a custom ransomware that implements a robust encryption scheme, using NTRUEncrypt and ChaCha20-Poly1305 algorithms.

Ransomware 118

Ransomware Encryption File names Education 118

Security Affairs

MAY 20, 2021

The Java-based STRRAT RAT was distributed in a massive spam campaign, the malware shows ransomware-like behavior of appending the file name extension.crimson to files without actually encrypting them. G DATA experts discovered that the malware only renames files by appending the .crimson crimson extension.

Ransomware 115

Ransomware File names Encryption Passwords 115

Security Affairs

JULY 15, 2022

RedAlert is human-operated ransomware, the ransomware uses NTRUEncrypt public key encryption algorithm for encryption. The ransomware targets a limited types of files, including log files (.log), log), swap files(.vswp), vmdk), snapshot files (.vmsn) vmsn) and memory files(.vmem) It appends a “.crypt[Random

Ransomware 120

Ransomware Encryption File names Risk 120

Security Affairs

MARCH 19, 2022

. “The decryptor requires access to a file pair consisting of one encrypted file and the original, unencrypted version of the encrypted file to reconstruct the encryption keys needed to decrypt the rest of your data. This file must be roughly 20KB or larger in size.

Ransomware 84

Ransomware File names Encryption Cybersecurity 84

Security Affairs

JUNE 6, 2023

The ransomware supports a complex encryption process “The encryption is complex; all functions statically implemented using a combination of asymmetric and symmetric encryptions.” “After encryption in both Windows and Linux using the public key, CRC32 and a file marker are appended to the end of the file. .

Ransomware 69

Ransomware Encryption Archiving File names 69

Schneier on Security

JANUARY 26, 2022

There’s a new ransomware that targets NAT devices made by QNAP: The attacks started today, January 25th, with QNAP devices suddenly finding their files encrypted and file names appended with a.deadbolt file extension.

Ransomware 85

Ransomware File names Encryption Access 85

eSecurity Planet

MAY 24, 2023

At a high level, DKIM enables an organization to provide encryption hash values for key parts of an email. Using public-private encryption key pairs, receiving email servers can compare the received email hash value against the received hash value to validate if any alterations took place in transit.

Encryption 75

Encryption Security Authentication File names 75

Security Affairs

JANUARY 7, 2022

Once encrypted a file, the ransomware appends the ‘ nightsky ‘ extension to encrypted file names. According to BleepingComputer , the group demanded one of its victims, the payment of an initial ransom of $800,000 to recover the encrypted data. Program Files Program Files (x86) #recycle.

Ransomware 125

Ransomware Encryption File names Communications 125

Security Affairs

JUNE 30, 2022

The agency released an executable along with a user manual that provides step-by-step instructions to recover encrypted data for free. Hive ransomware uses a hybrid encryption scheme, but uses its own symmetric cipher to encrypt files. The offset is stored in the encrypted file name of each file.

Ransomware 104

Ransomware Cybersecurity Encryption Blockchain 104

Security Affairs

FEBRUARY 7, 2022

. “On the final wizard page, you can opt-in whether you want to backup encrypted files. TargetCompany has been active since June 2021 , once encrypted a file it adds.mallox,exploit,architek, or.brg extension to the filenames of encrypted files. TXT” in all folders containing encrypted files.

Ransomware 97

Ransomware Encryption Passwords File names 97

Security Affairs

AUGUST 23, 2023

Cobra DocGuard Client is software produced by a Chinese firm EsafeNet, it is used to protect, encrypt, and decrypt software. This downloader was used to install the Korplug backdoor on the infected systems. “The downloader attempted to download a file named update.zip from the following location: [link] continues the report.

File names 74

File names Encryption Archiving Information Security 74

Security Affairs

JUNE 5, 2021

. “The WHOIS information for the domain reveals that the domain of the BlackCocaine ransomware was registered on May 28, 2021” The researchers reported that a file named a.BlackCocaine was recently submitted to different public sandboxes. BlackCocaine ” to the filenames of encrypted files. Pierluigi Paganini.

Ransomware 120

Ransomware Encryption File names Financial Services 120

Security Affairs

AUGUST 18, 2023

Each of the archives we were able to retrieve consists of a legitimate executable vulnerable to DLL search order hijacking, a malicious DLL that gets sideloaded by the executable when started, and an encrypted data file named agent.data.” ” reads the analysis published by SentinelOne. IP-based geolocation service.

Archiving 88

Archiving File names Encryption Passwords 88

Security Affairs

SEPTEMBER 10, 2023

. “When receiving a message, uploadTextMessageToService collects its contents, chat/channel title and ID, as well as sender’s name and ID. The collected information is then encrypted and cached into a temporary file named tgsync.s3. The app sends this temporary file to the command server at certain intervals.”

File names 115

File names Personal data Encryption Security 115

eSecurity Planet

JULY 19, 2022

The malware exfiltrates data before encrypting the targeted devices to provide additional means of extortion. lilith” extension to rename encrypted files. Besides, the files are encrypted using local Windows cryptographic APIs and random keys generated on the fly. The malware uses a custom “.lilith”

Ransomware 111

Ransomware Encryption File names Government 111

Security Affairs

MARCH 2, 2020

. “Attached to each email is a ZIP archive with a name formatted as with only the #s changing,” reads the advisory published by IBM X-Force IRIS. “The hash of the file contained within each of these archives remains the same and is associated with a highly obfuscated JavaScript file named LOVE_YOU.

Ransomware 116

Ransomware File names Archiving Encryption 116

Security Affairs

FEBRUARY 25, 2019

The ransom encrypts all files and renames them by appending. rontok extension to the file names. According to the popular malware researcher Michael Gillespie , when the B0r0nt0K ransomware encrypts a file it will base64 the encrypted data. ” reported Bleeping Computer.

Ransomware 89

Ransomware File names Encryption Access 89

Security Affairs

JUNE 3, 2023

ReadMe file name: README.BlackSuit.txt. blacksuit extension to the name of the encrypted files, drops a ransom note into each directory containing the encrypted files, and adds the reference to its TOR chat site in the ransom note along with a unique ID for each of its victims. Extension: blacksuit.

Ransomware 92

Ransomware Encryption File names Cybersecurity 92

Security Affairs

MARCH 17, 2020

Nefilim will encrypt a file using AES-128 encryption, then the AES encryption key is encrypted using an RSA-2048 public key that is embedded in the ransomware executable. The encrypted AES key will be included in the contents of each encrypted file. Nefilim appends the.

Ransomware 102

Ransomware Encryption File names Access 102

Security Affairs

SEPTEMBER 17, 2020

The Maze ransomware operators now use a virtual machine to encrypt a computer, a tactic previously adopted by the Ragnar Locker malware. The Maze ransomware operators have adopted a new tactic to evade detection, their malware now encrypts a computer from within a virtual machine. ” reads the analysis published by Sophos. .’

Ransomware 143

Ransomware Encryption File names Security 143

Security Affairs

OCTOBER 21, 2021

The Macaw Locker ransomware encrypts victims’ files and append the .macaw macaw extension to the file name of the encrypted files. Bleeping Computer, citing Emsisoft CTO Fabian Wosar, reported that the Macaw Locker ransomware is the latest rebrand of Evil Corp.

Ransomware 106

Ransomware File names Encryption Government 106

Security Affairs

SEPTEMBER 27, 2019

The Avest ransomware encrypts victim’s files and appends the extension “ ckey().email().pack14” The decryption tool could be used by the victims only after they have successfully removed the malware from their system to avoid that the Avest ransomware will repeatedly lock the machine or will encrypt files.

Ransomware 69

Ransomware File names Encryption Security 69

Security Affairs

NOVEMBER 26, 2019

Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. Dexphot makes heavy use of polymorphism and encryption to avoid detection, this means that it constantly changes its identifiable features. . Doxphot stands out for its evasion techniques and its level of sophistication.

File names 115

File names Encryption Mining Security 115

Security Affairs

MAY 13, 2023

After gaining access to SMB shares, threat actors encrypt all files and leave a ransom note demanding payment in exchange for the decryption key. Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name “!CHECKMATE_DECRYPTION_README”

Ransomware 87

Ransomware Encryption Passwords File names 87

Security Affairs

MARCH 26, 2021

Then the malware perform a scan in local directories and network shares for content to encrypt. Experts noticed that each Hades ransomware sample uses a different extension to files that it encrypts and drops a ransom note with file name “HOW-TO-DECRYPT-[extension].txt”. ” concludes the report.

Ransomware 136

Ransomware Encryption File names Manufacturing 136

Security Affairs

JULY 8, 2022

“Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name “!CHECKMATE_DECRYPTION_README” ” The ransomware appends the.checkmate extension to the filenames of encrypted files, it drops a ransom note named !CHECKMATE_DECRYPTION_README

Ransomware 88

Ransomware Encryption Passwords File names 88

Security Affairs

AUGUST 25, 2023

This data identifies the encryption methods used by the access points.” In turn the server reply with a success message and a secret unique identifier that is saved in a file named “%APPDATA%Roamingwlanstr-12.bin.” ” The experts noticed that the Whiffy Recon’s main code runs as two loops.

File names 88

File names Access Encryption IT 88

Security Affairs

NOVEMBER 5, 2020

The attackers use a simple XOR encryption algorithm with the string “Hapenexx is very bad” as a key. The APT group uses the same payload and key of the previous scenario, the only difference is that both the file name and decryption key are encrypted with a one-byte XOR algorithm.

File names 104

File names Encryption Libraries IT 104

Security Affairs

OCTOBER 18, 2022

Spyder Loader loads AES-encrypted blobs to create the wlbsctrl.dll which acts as a next-stage loader that executes the content. The variant used in recent attacks against Hong Kong relies on ChaCha20 algorithm encryption for string obfuscation. . ” continues the report.

File names 101

File names Encryption Manufacturing Libraries 101

Security Affairs

OCTOBER 27, 2021

Metropolitan Police Department, encrypted its files and demanded a $4 million ransom. Once encrypted files, Babuk appends one of the following extensions to the file name: babuk.babyk.doydo. The ransomware gang broke into the Washington, D.C., Some members of the group gang relaunched the RaaS as Babuk V2.

Ransomware 84

Ransomware File names Encryption Cybersecurity 84

Security Affairs

JULY 28, 2021

In the attacks investigated by Palo Alto Networks, the APT group leveraged legitimate executables such as BITSAdmin to download an innocuous file named Aro.dat from a GitHub repository under the control of the threat actors. The analysis of the file revealed that it includes the encrypted and compressed PlugX payload.

Encryption 107

Encryption File names Communications IT 107

Security Affairs

MARCH 17, 2022

The malware was first spotted on February 9, 2022, when 360Netlab’s honeypot system captured an unknown ELF file that was spreading by exploiting the Log4J vulnerability. The name B1txor20 is based on the file name “b1t” used for the propagation and the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes.

Honeypots 121

Honeypots File names Communications Encryption 121

Security Affairs

SEPTEMBER 10, 2020

To avoid detection of malicious functionalities, the authors encrypted all suspicious-looking strings with the Corrected Block TEA (XXTEA) cipher and then running Base64 encoding. To access the internal MySQL database, the malware reads credentials from Linknat VOS2009 and VOS3000 configuration files. ” continues the analysis.

Metadata 111

Metadata Encryption File names Passwords 111

Schneier on Security

MAY 4, 2022

Customized versions of the backdoor that use file names and creation dates that are similar to legitimate files used on a specific infected device. This makes detection through traditional means difficult. Unpacking this threat group is difficult.

IoT 98

IoT File names Encryption Access 98

Security Affairs

APRIL 8, 2019

The name Planetary ransomware comes from the use of the names of planets for the extensions the malicious code adds to the file names of encrypted files (i.e.mira,yum , Pluto, or. The latest variant of the Planetary malware appends the.mira extension to the names of the encrypted files.

Ransomware 84

Ransomware Encryption File names Security 84

Security Affairs

MARCH 3, 2020

Nemty ransomware first appeared on the threat landscape in August 2019, the name of the malware comes after the extension it adds to the encrypted file names. The ransomware deletes shadow copies of encrypted files to make in impossible any recovery procedure.

Ransomware 97

Ransomware File names Encryption Archiving 97

Security Affairs

JUNE 26, 2021

We believe Hive to be a ransomware group, because it currently states the data to be “encrypted”, potentially suggesting that Altus Group is given an opportunity to pay itself out of further trouble. The provided sample of exfiltrated files includes business data and documents, as well as Argus certificates and development files.

Ransomware 94

Ransomware File names Archiving Encryption 94