Happy 2017, full of health and happiness for you and your loved ones!!!

Good afternoon. One of the most dangerous types of attack takes the files on your PC, encrypts them, and then demands a ransom in money/bitcoins.

Merry X-Mas ransomware: first, an email arrives:

[Image: the malspam email]

Basically, the sequence of steps is:

[Image: infection sequence]

Then the following screen appears:

[Image: ransom screen]

I recommend identifying and blocking the following traffic on your perimeter devices:

192.185.18.204 port 80 — neogenomes.com — GET /court/PlaintNote_12545_copy.zip

81.4.123.67 port 443 — onion1.host:443 — GET /temper/PGPClient.exe

168.235.98.160 port 443 — onion1.pw — POST /blog/index.php

How to tell whether your PC is compromised:

  • 192.185.18.204 port 80 — neogenomes.com — GET /court/PlaintNote_12545_copy.zip [initial zip download]
  • 81.4.123.67 port 443 — onion1.host:443 — GET /temper/PGPClient.exe [ransomware binary]
  • 168.235.98.160 port 443 — onion1.pw — POST /blog/index.php [post-infection callback]
  • YOUR_FILES_ARE_DEAD.HTA [ransom notification]
  • @comodosecurity [Telegram POC from ransom notification]
  • comodosec@yandex.com [email POC from ransom notification]
  • File name: PlaintNote_12545_copy.zip
  • SHA256 hash: 86e98f1ddbb2953a5de8b3d550ac2fb45fd20d1305a12dfebc2ccb6e80717631
  • File description: Zip archive from link in malspam
  • File name: PlaintNote_12545_copy.doc
  • SHA256 hash: 244b4205acb416700bec459c8b36be379c0b7e3d2a21a57c4a121ba95d229bc4
  • File description: Word document with malicious macro
  • File name: C:\Users\[username]\AppData\Roaming.eXe
  • SHA256 hash: 78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae
  • File description: Merry X-Mas Ransomware
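To turn the perimeter traffic list and the compromise indicators above into something you can actually run, here is an added example (not code from the original post or from the cited sources) that matches proxy log lines against the three network indicators and checks file hashes against the three SHA256 values. The log format (timestamp, client IP, method, URL, status, destination IP) and the sample log lines are constructed for the example; the indicators themselves are the ones listed on this page.

```python
"""Match proxy logs and file hashes against the Merry X-Mas indicators listed above."""
import hashlib
import re

# Network indicators from the post: (destination IP, host, method, path, label).
NETWORK_IOCS = [
    ("192.185.18.204", "neogenomes.com", "GET", "/court/PlaintNote_12545_copy.zip", "initial zip download"),
    ("81.4.123.67", "onion1.host", "GET", "/temper/PGPClient.exe", "ransomware binary"),
    ("168.235.98.160", "onion1.pw", "POST", "/blog/index.php", "post-infection callback"),
]

# SHA256 hashes from the post, mapped to the post's file descriptions.
HASH_IOCS = {
    "86e98f1ddbb2953a5de8b3d550ac2fb45fd20d1305a12dfebc2ccb6e80717631": "Zip archive from link in malspam",
    "244b4205acb416700bec459c8b36be379c0b7e3d2a21a57c4a121ba95d229bc4": "Word document with malicious macro",
    "78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae": "Merry X-Mas Ransomware",
}

# Constructed sample proxy log: timestamp, client IP, method, URL, status, destination IP.
SAMPLE_LOG = """\
1483272000.123 10.0.0.15 GET http://neogenomes.com/court/PlaintNote_12545_copy.zip 200 192.185.18.204
1483272030.456 10.0.0.15 GET https://onion1.host:443/temper/PGPClient.exe 200 81.4.123.67
1483272090.789 10.0.0.15 POST https://onion1.pw/blog/index.php 200 168.235.98.160
1483272100.000 10.0.0.22 GET https://example.com/index.html 200 93.184.216.34
"""

# One line of the constructed log format; an optional :port after the host is tolerated.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::\d+)?(?P<path>/\S*)\s+"
    r"(?P<status>\d{3})\s+(?P<dst>\S+)$"
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def match_network(line):
    """Return a hit dict if the line matches an indicator by destination IP or by host+method+path."""
    rec = parse_line(line)
    if rec is None:
        return None
    for ip, host, method, path, label in NETWORK_IOCS:
        exact_request = rec["host"] == host and rec["method"] == method and rec["path"] == path
        if rec["dst"] == ip or exact_request:
            return {"client": rec["client"], "label": label, "ip": ip, "host": host,
                    "request": f'{rec["method"]} {rec["host"]}{rec["path"]}'}
    return None


def scan_log(text):
    """Scan a whole log and return every hit in order."""
    return [hit for hit in (match_network(l) for l in text.splitlines()) if hit]


def compromised_clients(hits):
    """Clients that fetched the binary or made the callback went past the lure stage."""
    late_stage = {"ransomware binary", "post-infection callback"}
    return sorted({h["client"] for h in hits if h["label"] in late_stage})


def match_hash_hex(hexdigest):
    """Look up a SHA256 hex digest against the indicator list; None if unknown."""
    return HASH_IOCS.get(hexdigest.lower())


def match_file_bytes(data):
    """Hash raw file content and look it up against the indicator list."""
    return match_hash_hex(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["client"]} -> {h["request"]} [{h["label"]}]')
    print("clients past the lure stage:", compromised_clients(found))
```

Matching on destination IP alone can produce false positives when the address belongs to shared hosting, so each hit also records the exact request that matched; a client that only downloaded the zip opened the lure, while one that fetched PGPClient.exe or reached the onion1.pw callback should be treated as infected.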

Source: https://isc.sans.edu//

Source: https://www.bleepingcomputer.com/news/security/-merry-christmas-ransomware-now-steals-user-private-data-via-diamondfox-malware/

Written by

A blog on cybersecurity, hacking, protection recommendations and good practices for companies.
