This year has been a bumper year for ransomware and its operators. Ransomware gangs are demanding millions; if those millions are not paid in time, then data stolen before encryption is either released to the public or sold to the highest bidder. Big names in the cybercriminal underground have returned with an entirely new ransomware familynamely Evil Corp and its new creation WastedLocker. Not only is there a return to form for old hands, but new ransomware strains also seem to be bursting up like mushrooms after a spell of rain. NetWalker and Exorcist immediately come to mind. The latter is the subject of this article.
Discovered in late July by MalwareHunterTeam, the Exorcist ransomware is so new to the scene that information on it had been incredibly sparse. That was until Leandro Velasco published an article shedding much of the codes mysteryand in great depth. The article is a must-read for anybody wanting a technical analysis of the ransomware. In providing a brief overview of Exorcist, it seems to be distributed via a Pastebin PowerShell script that runs in memory. The script takes from lessons learned by Sodinokibi affiliates and is based on the Invoke-ReflectivePEInjection.ps1 script, further optimized to include a function that passes a base64 executable into the main function of the script. It is also possible that the script is generated by the no-longer-supported Empire framework.
The code itself is not obfuscatedwhile common practice with other types of malware, it is often not deemed necessary for ransomware by its developers. Part of the reason for this is that the encryption process is in itself very noisy and once that begins, any pretense of stealth is quickly forgotten and speed is the main requirement. Some ransomware strains do obfuscate their code, but it is not an unwritten rule that all malware be obfuscated.
The malwares first operation is to check the geolocation of the infected machine, which is done by checking the language and keyboard layout of the machine in question. If the result is any of the nations that make up the Commonwealth of Independent States (CIS)which includes many of the nations that made up the Eastern Block during the Cold War and now still have close ties to Russiathe malwares operations are immediately stopped. Why this is done is discussed in greater depth in the second part of this article.
Screenshot of a ransom demanding message displayed by Exorcist ransomware:
If the geolocation check returns a nation not making up a part of the CIS, the ransomware executes several commands that disable and remove system backups. The commands will also look to terminate any system processes that may prevent encryption of certain file types. This is followed by the malware writing the public encryption key and the private key, as well as the file extension used to disk. Before encryption occurs, the malware will extract information including the username, hostname, OS version and keyboard layout and send those to a server under the attackers control. Once this is complete encryption begins utilizing multiple threads to drastically decrease the time to encrypt data. Finally, the wallpaper of the system is changed and the ransom note is dropped.
If you feel that you may have suddenly become a victim of Exorcist, there are a few tell-tale signs. First, the wallpaper announcing youve become a victim reads as follows:
ENCRYPTEDREAD decrypt.htafile for details
When the ransom note is opened it will read:rnyZoV DecryptAll your data has been encrypted with Exorcist Ransomware.Do not worry: you have some hours to contact us and decrypt your data by paying a ransom.To do this, follow instructions on this web site: hxxp://126.96.36.199/payAlso, you can install Tor Browser and use this web site: hxxp://4dnd3utjsmm2zcsb.onion/payIMPORTANT: Do not modify this file, otherwise you will not be able to recover your data!
Your authorization key:
An authorization key will be provided by the attacker once the ransom is paid. However, to find out what the ransom is the victim needs to download a Tor browser and visit the address provided. It is unclear if the ransom amount is fixed at 5000 USD in Bitcoin or changes from victim to victim, depending on what the attacker perceives they can pay. The website reads as follows:Exorcist RansomwareOrderIf the payment isnt made until 2020-07-25 10:33:57, decryptor price will be increased 3 times
Whats the matter?All your files have been encrypted with Exorcist Ransomware.
The only way to decrypt them back is to buy Exorcist Decryption Tool.
The price is 5000$
It will scan all your network and check all encrypted files and decrypt them.
We accept Bitcoin (BTC) cryptocurrencies.
To be sure we have the decryptor and it works you can use Free Decrypt and decrypt only one file for free. But the only file you can decrypt is image (PNG, JPG, BMP), maximum size 3 MB, because they are usually not valuable.
Instruction:You need to create a crypto wallet. You can read more about crypto wallets here: hxxps://bit.ly/379vYBtLearn how to buy cryptocurrency (Bitcoin). Some links where you can find information here:Bitcoin: hxxps://bit.ly/38nohHMCopy the wallet number from the address field (depending on what you have chosen) and transfer the necessary amount of cryptocurrency to it. You can read more about translations here: hxxps://bit.ly/36br2dKAfter paying the ransom, your files will be decrypted and you will be able to continue your work.
IMPORTANT: When transferring funds, carefully check the details to avoid errors and loss of funds. Your files will be decrypted only when transferring funds to our wallet.
PaymentDecryptor price: 5000$Pay in Bitcoin:bc1qyzjj2hrjr3sspjwj9ckd02fz8kmynj9xkjrkgv0.561799 BTCWhen funds reach one of these addresses, you automatically get decryption tool.
Performing a search at the time of writing on the provided address in the ransom note reveals that no funds have been transferred to this address as of yet. Given how new the ransomware is, this is not a surprise. Further, no victims have announced publicly that they have fallen victim to Exorcist to the best of this writers knowledge. It may be that Exorcist has not seen wide distribution yet, as it may still be in development or slowly ramping up operations.
While there seem to be no active campaigns making headlines at the moment, this is probably not likely to last. One bit of news that emerged recently is that a hacker released a list of IP addresses for more than 900 Pulse Secure VPN enterprise servers. The list published in plaintext also included several usernames and passwords. The release was made on a Russian underground hacker forum, which is known to have multiple ransomware gangs contributing and actively posting. The list includes Sodinokibi, NetWalker, Lockbit, Avaddon, Makop and importantly for the purposes of this article Exorcist. In general, the forum is used by the gangs to hire more developers or affiliates tasked with distributing the ransomware.
The reason why the dump of Pulse Secure VPN credentials would make headlines is that many of the above-mentioned gangs have actively been targeting known vulnerabilities in VPNs to compromise an enterprise network. As the dump was done free of charge and in plain text, those using unpatched VPN products should be worried enough to patch them as a matter of priorityit may be that in the near future major enterprises will be seeing the Exorcists wallpaper and ransom note and be visiting their website.
The main reason why the developers behind Exorcist and several other malware families tend to not want to infect computers in Russia, its neighbors, and the countrys interest in the geopolitical stage is that the Russian government turns a blind eye to cybercrime conducted by nationals, as long as Russia and its interests are not targeted. This is why a quick internet search will reveal cybercriminals wanted in the U.S. or Europe posing in front of luxury cars bought with the proceeds from their criminal activity.
Further, it seems to be the case that rather than bringing these people to justice, Russian Intelligence will employ their expertise to supplement their own cyber warfare and cyber espionage operations. These rumors began some 20 years ago and recent events seem to prove they were closer to reality, further supported by skilled coders in the CIS and their earning potential. For many, it is far more lucrative to hack and be approached by the intelligence agencies in question than to work within the IT sector. Since immunity seems to be granted to hackers as long as they leave Russian interests alone, becoming a hacker seems to be more of a logical financial decision than the perceived view by most of society as hackers being social pariahs.
This scenario was further confirmed in 2019 when the Russian government passed laws that enabled the creation of a self-contained internet modeled after the one implemented successfully in China. A report published investigating the new law and its expected effects believed that the law would help further flame the flames of cybercrime, whether state-sponsored or independent, financially motivated hackers, and further the status quo mentioned above. The funny thing is the law would make it easier to crack down on hackers within Russian borders; however, attacks on Russias rivals such as the U.S. are seen as serving Russian interests even if done by cybercriminals.
An article about the relationship between the Russian government and its hackers, as well as hackers in neighboring states, concluded:
The availability of highly skilled and technically well-versed individuals also presents a pool of potential proxies that can be mobilized at a moments notice. Often, people will mobilize themselves and take political action in support of the government, as has happened in Estonia in 2007 and in Ukraine since 2014. Governments differ in their ability to catalyze such activity and the extent to which they are in a position to merely endorse, orchestrate, or actively direct their outcomes. In countries where public institutions and the states ability to exercise control have deteriorated, it is an uphill battle to break the increasingly entrenched incentive structures reinforcing existing proxy relationships. Meanwhile, the controversy over law enforcement cooperation, including mutual legal assistance and extradition, shows the limits of international cooperation and external influence. The phenomenon described in this chapter is therefore a cautionary tale of the potential pitfalls when a state significantly weakens or collapses and the consequences that will reverberate for decades to come.
For those tasked with defending networks against Exorcist and other ransomware gangs, expecting those who committed the crime to be arrested and brought to book is a pipe dream. Rather, the focus should be to do everything possible to prevent the attack in the first place.
Recent Articles By Author
Read the original here:
Exorcist Ransomware and CIS Exclusion - Security Boulevard
- US Department of Justice reignites the Battle to Break Encryption - Naked Security - October 17th, 2020
- Five Eyes Call for Tech World to Weaken Encryption - ClearanceJobs - ClearanceJobs - October 17th, 2020
- Zoom Begins Rollout of End-To-End Encryption - My TechDecisions - TechDecisions - October 17th, 2020
- Could homomorphic encryption be the solution to big data's problem? - Siliconrepublic.com - October 17th, 2020
- U.S., UK and other countries warn tech firms that encryption creates 'severe risks' to public safety - CNBC - October 17th, 2020
- Is Signal secure? How the messaging app protects privacy - Business Insider - Business Insider - October 17th, 2020
- AeroVironment and Viasat to aim to improve radio encryption for Puma AE - Flightglobal - October 17th, 2020
- Encryption Backdoor? The Trump Administration Wants It. - The National Interest - October 17th, 2020
- How to use private conversations on Skype to send encrypted calls and messages - Business Insider India - October 17th, 2020
- AES Encryption Software Industry Market 2020: Potential growth, attractive valuation make it is a long-term investment | Know the COVID19 Impact | Top... - October 17th, 2020
- Trustifi Named Overall Encryption Solution Provider of the Year in 2020 CyberSecurity Breakthrough Awards Program - GlobeNewswire - October 17th, 2020
- ACLU and EFF Call DOJ's Encryption Dream a Nightmare - L.A. Weekly - October 17th, 2020
- Global Database Encryption Market Expected to reach highest CAGR in forecast period : International Business Machines Corporation, Symantec... - October 17th, 2020
- Feds, 'Five Eyes' Allies Take Another Swing at Encryption Policy Changes - MeriTalk - October 13th, 2020
- Homomorphic encryption tools find their niche - CSO Online - October 13th, 2020
- Mission Impossible: 7 Countries Tell Facebook To Break Encryption - Forbes - October 13th, 2020
- Dutton pushes against encryption yet again but oversight at home is slow - ZDNet - October 13th, 2020
- Western governments double down efforts to curtail end-to-end encryption - The Daily Swig - October 13th, 2020
- Fuse Analytics integration with StrongSalt offers Enterprise Information Archiving with GDPR protections - PR Web - October 13th, 2020
- Is Signal Safe? What to Know About the New Encrypted Messaging App - Parentology - October 13th, 2020
- Five Eyes alliance warning: 'Encryption creates severe risks to public safety' - New Zealand Herald - October 13th, 2020
- Privateness or youngster safety? 7 governments, together with US & UK, argue Fb's new encryption plan would profit PEDOPHILES - Editorials 360 - October 13th, 2020
- Optical Encryption Market Analysis And Demand With Forecast Overview To 2025 - Express Journal - October 13th, 2020
- Encrypted messages don't always stay private. Here's what that means for you - CNET - October 11th, 2020
- EARN IT Act a Dire Threat to Encryption, Speech Online, Critics Say - Decrypt - October 11th, 2020
- Analyzing Impacts of Covid-19 on Cloud Encryption Software Market Effects, Aftermath, Global Industry Challenges, Business Overview and Forecast To... - October 11th, 2020
- Parts of the Election System Are Ripe for Hacking: 'Encryption? We Don't Do That' - Josh Kurtz - October 6th, 2020
- WikiLeaks led the way for newsrooms to use encryption to protect sources, says Italian journalist - ComputerWeekly.com - October 6th, 2020
- Global Encryption Software Market 2020 Industry Size, Shares and Upcoming Trends 2025 - Reported Times - October 6th, 2020
- Encryption Software Market 2020 2027: Recent Trends, Growth Opportunities and Business Development Strategies By IBM, Trend Micro, Symantec, McaFee,... - October 6th, 2020
- Encryption Key Management Market Research By Growth, Competitive Methods And Forecast To 2026 - The Daily Chronicle - October 6th, 2020
- Global Hardware-based Full Disk Encryption Market Size, Share, Trends, CAGR by Technology, Key Players, Regions, Cost, Revenue and Forecast 2020 to... - October 6th, 2020
- Global Encryption Software Market 2020 | Know the Companies List Could Potentially Benefit or Loose out From the Impact of COVID-19 | Top Companies:... - October 6th, 2020
- Stay Tuned with the Epic Battle in the Encryption Key Management Market - The Daily Chronicle - October 6th, 2020
- Hardware-based Full Disk Encryption Market To Drive Highest Growth By 2027 With Leading Key Players: Seagate Technology PLC, Western Digital Corp,... - October 6th, 2020
- Encrypted USB flash drive you can unlock with your smartphone (or Apple Watch) - ZDNet - October 6th, 2020
- Global Mobile Encryption Market is slated to grow rapidly in the coming years: McAfee(Intel Corporation), Blackberry, T-Systems International, ESET,... - October 6th, 2020
- Cloud Encryption Software Market Potential Growth, Size, Share, Demand and Analysis of Key Players Research Forecasts to 2026 - The Daily Chronicle - October 6th, 2020
- Best Encryption Software in 2020 - Latest Quadrant Ranking Released by 360Quadrants - PRNewswire - September 30th, 2020
- 4 Reasons Why Encryption Is a Must for Data Protection - CIOReview - September 30th, 2020
- Prospective Node Operators Stake $125M in ETH to Participate in NuCypher Encryption Network - CoinDesk - Coindesk - September 30th, 2020
- Fortanix Partners with VMware to Enable Cloud Service Providers to Deliver Data Security as a Service - GlobeNewswire - September 30th, 2020
- SanDisks latest portable SSDs have boosted speed and security - The Verge - September 30th, 2020
- What Facebook users need to know about end-to-end encryption - Fast Company - September 30th, 2020
- Whats really up with your secure WhatsApp chats - Mint - September 30th, 2020
- Hardware Encryption Technology Market Trends Together With Growth Forecast To 2026 - The Daily Chronicle - September 30th, 2020
- Global Cloud Encryption Market- Industry Analysis and forecast 2020 2027: By Industrial verticals, Services, and Region. - Unica News - September 30th, 2020
- Global Hardware-based Full Disk Encryption (FDE) Market to Witness a Pronounce Growth During 2020-2026 - The Daily Chronicle - September 30th, 2020
- Global Cloud Encryption Technology Market with (Covid-19) Impact Analysis: Growth, Latest Trend Analysis and Forecast 2026 - The Daily Chronicle - September 30th, 2020
- Global Email Encryption Software Market Report 2020-2027: Production Capacity and Consumption Analysis by Regions and Country Wise - Crypto Daily - September 30th, 2020
- Cloud Encryption Service Market 2020 | Detailed Analysis, Growth, Research and Forecast - The Daily Chronicle - September 30th, 2020
- Database Encryption Market Potential Growth, Size, Share, Demand and Analysis of Key Players Research Forecasts to 2027 - The Daily Chronicle - September 30th, 2020
- Optical Encryption Industry 2020 Includes The Major Application Segments And Size In The Global Market To 2026 - The Daily Chronicle - September 30th, 2020
- Hardware Based Encryption Market Projected to Be Resilient During 2020-2025 - The Market Records - September 30th, 2020
- Hardware Encryption Market (2020-2026) | Where Should Participant Focus To Gain Maximum ROI | Exclusive Report By DataIntelo - Crypto Daily - September 30th, 2020
- Ring plans to offer end-to-end encryption by the end of the year - The Verge - September 29th, 2020
- Encryption Software Market Comprehensive Study With Key Trends, Major Drivers And Challenges 2020-2026 - The Market Records - September 29th, 2020
- Ring to offer opt-in end-to-end encryption for videos beginning later this year - TechCrunch - September 29th, 2020
- WhatsApp Encryption Is Not Foolproof; Chats Can Be Accessed In These Ways - Yahoo India News - September 29th, 2020
- Hardware-based Full Disk Encryption (FDE) Market Forecast to 2027 Covid-19 Impact and Global Analysis by Type, Deployment Type and Industry Vertical... - September 29th, 2020
- EU Still Asking For The Impossible (And The Unnecessary): 'Lawful Access' To Encrypted Material That Doesn't Break Encryption - Techdirt - September 29th, 2020
- Encryption Software Market Report Examines Growth Overview And Predictions On Size, Share And Trend Through 2025 - The Daily Chronicle - September 29th, 2020
- Russia Is Trying Something New to Isolate Its Internet From the Rest of the World - Slate - September 29th, 2020
- Network Encryption Market From 2020-2026: Growth Analysis By Manufacturers, Regions, Types And Applications - The Daily Chronicle - September 29th, 2020
- Encryption Software Market Size, Analytical Overview, Key Players, Growth Factors, Demand, Trends And Forecast to 2027 - The Daily Chronicle - September 29th, 2020
- Top Technologies To Achieve Security And Privacy Of Sensitive Data In AI Models - Analytics India Magazine - September 29th, 2020
- Database Encryption Market Analysis and the Impact of COVID-19 Key Vendors, Growth Rate and Forecast To 2028 - The Daily Chronicle - September 29th, 2020
- Cloud Encryption Technology Market Size, Analytical Overview, Key Players, Growth Factors, Demand, Trends And Forecast to 2027 - The Daily Chronicle - September 29th, 2020
- Cloud Encryption Market 2020 Global Share, Growth, Size, Opportunities, Trends, Regional Overview, Leading Company Analysis And Forecast To 2026 |... - September 29th, 2020
- WhatsApp says end-to-end encryption to protects chats among app however not cloud backups - Stanford Arts Review - September 29th, 2020
- Cloud Encryption Market 2020-2028 Research Report| Know The Growth Factors and Future Scope - The Daily Chronicle - September 25th, 2020
- Cloud Encryption Market to Witness Astonishing Growth by 2026 | Ciphercloud, Gemalto, Hytrust and more - Crypto Daily - September 25th, 2020
- One Way to Prevent Police From Surveilling Your Phone - The Intercept - September 25th, 2020
- COVID-19 Impact on Global Encryption Software Market Report to Share Key Aspects of the Industry with the details of Influence Factors - Scientect - September 4th, 2020
- Encryption Software Market: Regional Overview and Trends Evaluation to 2026 - Fractovia News - September 4th, 2020
- Encryption Software Market is Expected to reach $2.16 billion by 2020| Growing at a CAGR (compounded annual growth rate) of CAGR of 14.27% from 2014... - September 4th, 2020
- WD unveils encrypted ArmorLock SSD that unlocks using your smartphone - 9to5Toys - September 4th, 2020
- Encryption Software Market report, upcoming trends, share report, growth size, industry players and global forecast to 2025 - Galus Australis - September 4th, 2020
- COVID-19 Impact on Global Encryption Software Market: Global Industry Analysis by Size, Share, Growth, Trends and Forecast 2020 2025 - The Daily... - September 4th, 2020
- Hardware Encryption Technology Steady Growth to be Witnessed by 2019-2029 - The News Brok - September 4th, 2020