Varonis has uncovered a new strain of ransomware that encrypts files and appends the extension '.SaveTheQueen' to them.
The ransomware injected itself into a standard component of the user's system, making it harder to detect.
The findings regarding this next-generation ransomware were published in a blog post by Varonis.
The spread of the newly uncovered malware was tracked using the system volume (SYSVOL) folder found on Active Directory (AD) domain controllers.
The initially infected user, who contacted Varonis to report the ransomware, noticed a file named 'hourly' saved in the SYSVOL folder. This file was being accessed by various IP addresses.
The ransomware was found to be concealed by ConfuserEX, an open-source .NET protector.
However, while the way the malware infiltrated the system and the way it was constructed were new, the payload was not.
"The final payload is very plain ransomware. No persistence, no C2 connection, just good old asymmetric encryption to make the victim's files unreadable," the blog post from Varonis explained.
Its function's parameters allowed it to:
After looking for files within local and mapped drives to encrypt, attempts were made to close any process using those files.
Files were then renamed
Once the files were encrypted, their names were changed again to
Then, the ransom note was added to the directory.
This ransomware, according to Varonis, does not encrypt EXE, DLL, MSI, ISO, SYS or CAB file types, nor does it encrypt files in the following folders:
Log files were created in the same folder by the person behind the attacks, each of which was named after a device within the affected domain.
"We concluded that the log files were used to monitor the infection process on new devices, and that the hourly file was a scheduled task that ran malware on the new devices using a PowerShell script (samples v3 and v4)," said the blog post.
The attacker had likely obtained and used domain admin privileges to write files to SYSVOL. The attacker ran PowerShell code on the infected hosts that created a scheduled task to open, decode and run the malware.
Having tried and failed to decode the malware once they found it, Varonis staff opted to use the Magic method from GCHQ's CyberChef app.
Using this, they found that the file responsible was "Gzip under base64" (gzip-compressed data wrapped in base64 encoding); decompressing it revealed that the injector of the ransomware was an unprotected .NET file.
"After reading the source code using dnSpy, we understood its sole purpose was to inject shellcode into the winlogon.exe process," said Varonis's blog post.
Injecting shellcode into winlogon.exe, a standard Windows component, made it even harder than usual to detect.
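The two-layer wrapping described above (base64 around gzip around a .NET PE) is easy to check for automatically during triage. The following is an added example written for this page, not code from Varonis or from the article: it unwraps a base64+gzip blob with a size cap, then checks whether the result is a PE with a CLR (.NET) runtime header. The sample blob is constructed here from a header-only stand-in PE, not from the real malware.

```python
import base64
import gzip
import struct
import zlib

MAX_DECOMPRESSED = 64 * 1024 * 1024  # cap so a decompression bomb cannot exhaust the triage host

def unwrap_base64_gzip(blob: bytes) -> bytes:
    """Reverse the 'Gzip under base64' wrapping: base64-decode, then gunzip with a size cap."""
    raw = base64.b64decode(blob, validate=True)
    if raw[:2] != b"\x1f\x8b":
        raise ValueError("base64 payload is not gzip")
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = d.decompress(raw, MAX_DECOMPRESSED)
    if d.unconsumed_tail:
        raise ValueError("decompressed size exceeds triage cap")
    return out

def clr_directory(data: bytes):
    """Return (rva, size) of the PE's CLR runtime header, or None if not a PE or not .NET."""
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            return None
        opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                       # PE32
            dd = opt + 96
        elif magic == 0x20B:                     # PE32+
            dd = opt + 112
        else:
            return None
        rva, size = struct.unpack_from("<II", data, dd + 14 * 8)  # directory entry 14 = CLR header
    except struct.error:                         # truncated header
        return None
    return (rva, size) if rva and size else None

def triage(blob: bytes) -> dict:
    """Unwrap a suspected base64+gzip blob and report whether a .NET executable is inside."""
    inner = unwrap_base64_gzip(blob)
    return {"size": len(inner), "dotnet": clr_directory(inner) is not None}

def constructed_sample() -> bytes:
    """Constructed stand-in, not the real malware: header-only PE32 with a CLR directory, gzipped then base64-encoded."""
    pe = bytearray(0x170)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                          # e_lfanew
    pe[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<H", pe, 0x98, 0x10B)                         # PE32 optional header magic
    struct.pack_into("<II", pe, 0x98 + 96 + 14 * 8, 0x2008, 0x48)   # CLR header RVA and size
    return base64.b64encode(gzip.compress(bytes(pe)))
```

Running `triage(constructed_sample())` reports a small .NET PE; a real sample would then go to a .NET decompiler as the article describes.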
"We used Hexacorn's shellcode2exe utility to compile the shellcode into an executable to debug and analyse. We then realised that the shellcode worked on both 32-bit and 64-bit machines," the post continued.
Writing even simple shellcode in native assembly can be difficult; writing full shellcode ransomware that works on 32-bit and 64-bit systems requires a high set of skills, so we started to wonder about the sophistication of the attacker.
After further digging, Varonis found that the shellcode had been generated with generic tooling for this task, and that it could be produced in exactly the same way using a tool called Donut.
"To confirm our theory, we compiled our own code using Donut and compared it with the sample: it was a match," explained the blog post.
From there, the team unpacked the code using Elektrokill Unpacker.
This news follows the recent discovery of the Ekans, or Snake, attack, which targets Windows systems used within industrial control infrastructures.
Designed to stop 64 different processes, something that makes the attack unique, it is capable of attacking oil refineries, power grids and other high-value industrial systems.
Regarding how to stop new ransomware attacks such as these, Nick Palmer, technical director at Attivo Networks, said: "No matter how good your cyber defences are, it is always a good idea to prepare for a ransomware attack by having a playbook that documents how to respond, to avoid a situation where employees are learning what to do as an attack is happening.
"Companies can give themselves extra time to respond effectively with tools like deception technology that slow the ransomware down, and, where possible, divert it to non-critical systems.
"In the event of a successful ransomware attack, determine ahead of time under what conditions, if any, you would pay. Discuss the pros and cons and the risks you are prepared to accept if you are unable to regain access to your files."
Read more from the original source:
New ransomware with '.SaveTheQueen' extension discovered by Varonis - Information Age