Ransomware

Kaseya VSA Supply Chain Ransomware Attacks (REvil Gang)

The ransomware attack that leveraged a vulnerability in VSA (a cloud-based IT management service used for patch management and client monitoring) made by Kaseya, an IT solutions developer for enterprises and managed service providers (MSPs), turned out to involve BlueCrab (Sodinokibi, also known as REvil) ransomware, which is also being actively distributed in Korea. The figure below shows a desktop infected with the ransomware; it displays the same screen as the BlueCrab samples widely spread in Korea. Unlike BlueCrab well-known in…

Detection of JavaScript Vulnerability (CVE-2021-26411) via V3 Behavior Detection (Magniber)

Attackers are using the Internet Explorer vulnerability CVE-2021-26411, which is triggered through JavaScript, to actively distribute fileless Magniber ransomware through the IE browser. The internal code flow of the ransomware changes rapidly, and there are still numerous reports of Magniber damage in Korea. Because it is distributed through an IE vulnerability (CVE-2021-26411), it is crucial that IE users apply the security patch. Currently, V3 products can detect and block the latest Magniber ransomware using the 'Behavior Detection' feature. Figure 1 shows the infection process of…

Makop Ransomware Distributed As Copyright Violation Related Materials

The ASEC analysis team recently shared information about Makop ransomware being distributed disguised as job applications. This week, the team confirmed that the same ransomware is being distributed via e-mails containing materials related to copyright violation. Unlike last time, the compressed archive is attached with a .dat extension instead of .zip, and the date on which the mail was sent is used as the archive password so that e-mail attachment scanning cannot inspect its contents. Inside the attached file, there is a file…
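As an added example (not code from ASEC or AhnLab), the following Python script shows the check a mail gateway or an analyst could run against attachments of the kind described above: identify ZIP content by its magic bytes rather than by the .dat extension, then walk the archive's central directory and flag password-protected entries that an attachment scanner cannot open. The attachment names, the archive contents and the mailbox are constructed samples; the helper `build_sample_attachment` fakes an encrypted archive by setting the PKZIP encryption flag bit, because the standard library cannot write password-protected archives.

```python
"""Flag e-mail attachments that are ZIP archives regardless of extension and
report password-protected (encrypted) entries. Added example, not ASEC code."""
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_CENTRAL_SIG = b"PK\x01\x02"
ZIP_EOCD_SIG = b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0: entry data is encrypted


def build_sample_attachment(encrypted: bool) -> bytes:
    """Constructed sample archive (not a real lure). zipfile cannot write
    password-protected archives, so for the 'encrypted' case bit 0 of the
    general-purpose flags is set in both the local and the central header,
    which is what a PKZIP- or AES-encrypted archive carries on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample_payload.exe", b"MZ" + b"\x00" * 62)  # constructed content
    data = bytearray(buf.getvalue())
    if encrypted:
        # flags sit at offset 6 of the local header and offset 8 of the central header
        for sig, flag_off in ((ZIP_LOCAL_SIG, 6), (ZIP_CENTRAL_SIG, 8)):
            pos = data.find(sig) + flag_off
            flags = struct.unpack_from("<H", data, pos)[0] | FLAG_ENCRYPTED
            struct.pack_into("<H", data, pos, flags)
    return bytes(data)


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Identify ZIP content by its magic bytes, then walk the central directory
    (whose sizes are always filled in, unlike local headers written with data
    descriptors) and collect entry names and which of them are encrypted."""
    report = {"filename": filename, "is_zip": data.startswith(ZIP_LOCAL_SIG),
              "extension_mismatch": False, "entries": [], "encrypted_entries": []}
    if not report["is_zip"]:
        return report
    report["extension_mismatch"] = not filename.lower().endswith(".zip")
    eocd = data.rfind(ZIP_EOCD_SIG)
    if eocd < 0:
        return report  # truncated archive: still a ZIP, but no directory to walk
    # EOCD: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4)
    n_total, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    off = cd_offset
    for _ in range(n_total):
        if not data.startswith(ZIP_CENTRAL_SIG, off):
            break
        # central header after sig: ver_made(2) ver_need(2) flags(2) method(2)
        # mtime(2) mdate(2) crc(4) csize(4) usize(4) nlen(2) xlen(2) clen(2) ...
        flags = struct.unpack_from("<H", data, off + 8)[0]
        nlen, xlen, clen = struct.unpack_from("<HHH", data, off + 28)
        name = data[off + 46:off + 46 + nlen].decode("utf-8", "replace")
        report["entries"].append(name)
        if flags & FLAG_ENCRYPTED:
            report["encrypted_entries"].append(name)
        off += 46 + nlen + xlen + clen  # fixed 46-byte header plus variable fields
    return report


def suspicious_attachments(attachments: dict) -> list:
    """Names of attachments that are ZIPs hiding behind another extension or
    that contain encrypted entries (the pattern described for the Makop lure)."""
    flagged = []
    for name, data in attachments.items():
        r = inspect_attachment(name, data)
        if r["is_zip"] and (r["extension_mismatch"] or r["encrypted_entries"]):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # constructed mailbox: one renamed and encrypted lure, one ordinary zip, one text file
    mail = {
        "copyright_material.dat": build_sample_attachment(encrypted=True),
        "portfolio.zip": build_sample_attachment(encrypted=False),
        "readme.txt": b"plain text, not an archive",
    }
    for name, data in mail.items():
        print(inspect_attachment(name, data))
    print("flagged:", suspicious_attachments(mail))
```

Both traditional PKZIP encryption and WinZip AES encryption (compression method 99) set general-purpose flag bit 0, so the check catches either; it cannot tell whether the password really is the mail date, but an encrypted archive arriving under a non-archive extension is enough reason to quarantine the message or hand it to an analyst.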

[Caution] Makop Ransomware Disguised as Job Application E-mail Being Distributed!

The ASEC analysis team has recently discovered ransomware disguised as a job application being distributed via e-mail. The attacker appears to be targeting recruitment managers at various companies during the first-half-of-the-year recruitment season, so recruiters must pay particular attention when handling their e-mail. The distributed e-mails had subjects containing names that could be taken for an applicant's name, and carried compressed attachments. The names of the distributed files are as follows: ● ResumeandPortfolio_210412 (If you…

Caution! Magniber Ransomware Being Distributed in Korea Using CVE-2021-26411 Vulnerability

The distributor of Magniber ransomware continues to evolve to evade V3's detection. Subscribers of the ASEC Blog are well aware that AhnLab has been fighting the developers of Magniber ransomware for a long time, in what has been a cat-and-mouse chase. This time, the distributor of Magniber waited for AhnLab's anniversary day (March 15th), which is a company holiday at AhnLab. On this day, the distributor swiftly…