Nevada Ransomware Being Distributed in Korea Posted By ASEC_SK , March 23, 2023 AhnLab Security Emergency response Center (ASEC) discovered cases of the Nevada ransomware being distributed during the team’s internal monitoring. Nevada is a malware written using Rust as its basis and its tendency of adding the “.NEVADA” extension to the files it infects is its defining trait. After encrypting directories, it generates ransom notes with the filename “README.txt” in each directory. These notes contain a Tor browser link for ransom payments. 1. Main Features of Nevada Ransomware As shown in the…
Threat Trend Report on Region-Specific Ransomware Posted By ahnlabti , March 16, 2023 Background Currently, ransomware creators include individuals, cyber criminal gangs and state-supported groups. Out of these individuals and groups, cyber criminal gangs are the most proactive in ransomware development, while individuals and state-supported groups are less so. Privately developed ransomware is most often for research purposes with the intention of destroying data. Some state-sponsored threat groups also develop ransomware. The purpose of these cases is not for financial gain either but for data destruction, and Wipers, which do not allow recovery,…
Mallox Ransomware Being Distributed in Korea Posted By kwonxx , March 14, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the Mallox ransomware during the team’s monitoring. As covered before, Mallox, which targets vulnerable MS-SQL servers, has historically been distributed at a consistently high rate based on AhnLab’s statistics. The malware disguised as a program related to DirectPlay is a file built in .NET which, as shown in Figure 3, connects to a certain address, downloads additional malware, and runs it in the memory. If this address cannot…
Decryptable iswr Ransomware Being Distributed in Korea Posted By song.th , March 9, 2023 ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the iswr ransomware during the team’s monitoring. A characteristic of iswr is the fact that it adds the iswr extension at the end of filenames after the files have been encrypted. The ransom note of this ransomware has the same format as the STOP ransomware, but when it comes to its encryption method along with the extensions and folders that are targeted, its operation routine differs greatly from…
Magniber Ransomware’s Relaunch Technique Posted By ohmintaek , February 24, 2023 ASEC (AhnLab Security Emergency Response Center) has been constantly monitoring the Magniber ransomware which has been displaying a high number of distribution cases. It has been distributed through the IE (Internet Explorer) vulnerability for the past few years, but stopped exploiting the vulnerability after the support for the browser ended. Recently, the ransomware is distributed as a Windows installer package file (.msi) in Edge and Chrome browsers. There have been recent reports of systems being reinfected by Magniber. Analysis revealed…
