BlueCrab ransomware is distributed through forum posts disguised as file download pages. When a user downloads and runs the JS file, the script fetches additional code from the C2 server and executes it, infecting the system with the ransomware.
Because it targets Korean users and its authors constantly change it to evade AhnLab's security products, AhnLab has been monitoring this ransomware closely. The ASEC analysis team responds quickly to these changes through an automated monitoring system, and this blog has multiple posts covering them as well:
- BlueCrab Ransomware’s Continuous Attempts to Bypass Detection
- BlueCrab Ransomware Installing Hacking Tool CobaltStrike in Corporate Environments
As for distribution, the redirection from the malicious posts to the malicious websites has not been working since July 13th, 2021. Accessing a malicious post now takes the user to a normal post instead.
The sample from the last distribution date currently receives no response from the C2 server. The ransom page displayed after infection cannot be reached either: of the domains used for the ransom page, "decoder.re", the one that is not an onion domain, returns no response to DNS queries.
Since the dark web sites related to BlueCrab (REvil) ransomware were all reported to have shut down following the supply-chain attacks and ransomware incidents against US companies, the halt in distribution may well be related to that situation.
However, because thousands of malicious posts created by the attacker on compromised legitimate web servers still exist, distribution can resume at any time.
Analyzing detection logs from the past year yields the following list of the most frequently detected keywords. Users typically download the ransomware files while searching for games and utility programs. Although the distribution of BlueCrab has halted, malware distributed by the same method is multiplying, so users still need to remain cautious.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.