The Ransomware Epidemic is Spreading Again!

16/04/2018 09:52:34
Recently, a series of ransomware variants has been spreading through the “Eternal Blue” exploit, with more and more people getting infected. Urgent warning from Sangfor to all organizations: pay more attention to network security protection!
NEW RANSOMWARE VARIANTS
GlobeImposter 2.0
Recently, the Sangfor Security team found that more and more companies are being infected by a particular ransomware.

After some research, Sangfor found that this is a new variant of the GlobeImposter 2.0 ransomware. After infection, it encrypts all files and appends a suffix such as .FREEMAN, ACL0, ACL02, ACL03, etc.
There is currently no decryption method available for this ransomware, and a large number of users have been blackmailed with a ransom of 1 bitcoin. Many users have been so angry that they have sent emails shouting at the hackers!

Here we would like to remind our users how to deal with such extortion: do not give in to the demands, or the attackers will go on to extort many other victims!
Satan
Once users are infected by Satan, their important files and databases are encrypted and a ransom of 0.3 bitcoin is demanded.

The whole attack process is described below:
1. St.exe is the mother file; after execution it downloads ms.exe and Client.exe.
2. ms.exe is a self-extracting archive containing blue.exe and star.exe, which carry out the attack on the Eternal Blue vulnerability.
3. Once the attack succeeds, star.exe loads a payload (down64.dll) that downloads and runs st.exe on the newly compromised host.
4. Client.exe is the Satan ransomware itself; it encrypts files and pops up the ransom note.
5. After each infection, steps 1, 2, 3 and 4 are repeated, so the infection spreads quickly across the LAN.

WannaMine
WannaMine is a ransomware variant used to hijack users' computers to mine a cryptocurrency called Monero. After it successfully infects a computer, it sends all mining proceeds to a digital wallet belonging to the hackers. WannaMine can make servers and PCs freeze severely and consumes enormous CPU resources on the host, which can affect the productivity of an organization.
PowerShellMiner
PowerShellMiner is ransomware that uses Windows WMI + PowerShell to target organizations. PowerShellMiner leaves no malicious files on disk (a fileless attack), which makes it very hard for organizations to detect. After infection, the hackers use the victim's computer to mine cryptocurrencies. It usually consumes 90% or more of the host's resources, which causes severe freezing.
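The Satan attack chain above and the fileless WMI + PowerShell miner described here give a defender two concrete things to hunt for on a suspect host. The following script is an added example, not Sangfor's code: the process and module names in the first part are the ones listed in the Satan description, while the second part enumerates permanent WMI event subscriptions, which is an assumption on our side (the bulletin does not say where PowerShellMiner persists), so any hit there is a lead to investigate rather than a verdict. Run it from an elevated PowerShell 5.1+ session on a Windows host.

```powershell
# Added hunting script, not part of the Sangfor bulletin.
# Part 1: look for the Satan components named in the bulletin.
# Part 2: list permanent WMI event subscriptions (assumed persistence spot for fileless WMI + PowerShell malware).

$SatanProcessNames = @('st', 'ms', 'blue', 'star', 'Client')   # process names from the bulletin, without .exe
$SatanPayloadDll   = 'down64.dll'                               # payload DLL named in the bulletin

function Find-SatanIndicators {
    $hits = @()
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        # -contains compares strings case-insensitively, so "client" and "Client" both match.
        if ($SatanProcessNames -contains $proc.ProcessName) {
            $hits += [pscustomobject]@{ Kind = 'Process'; Name = "$($proc.ProcessName).exe"; ProcessId = $proc.Id; Path = $proc.Path }
        }
        try {
            foreach ($mod in $proc.Modules) {
                if ($mod.ModuleName -eq $SatanPayloadDll) {
                    $hits += [pscustomobject]@{ Kind = 'Module'; Name = $mod.ModuleName; ProcessId = $proc.Id; Path = $mod.FileName }
                }
            }
        } catch {
            # Access denied on protected or system processes is normal; skip them.
        }
    }
    return $hits
}

function Get-PermanentWmiSubscriptions {
    # Permanent subscriptions live in root\subscription as filter + consumer + binding triples.
    $ns        = 'root\subscription'
    $consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    foreach ($b in $bindings) {
        # Filter/Consumer are reference strings such as CommandLineEventConsumer.Name="x"; keep only the name.
        $consumerName = ($b.Consumer -split '=')[-1].Trim('"')
        $filterName   = ($b.Filter   -split '=')[-1].Trim('"')
        $consumer     = $consumers | Where-Object Name -eq $consumerName
        [pscustomobject]@{
            Filter     = $filterName
            Consumer   = $consumerName
            Command    = $consumer.CommandLineTemplate
            # Heuristic only: a consumer that launches PowerShell, especially encoded or download-and-run, deserves a look.
            Suspicious = [bool]($consumer.CommandLineTemplate -match 'powershell|-enc|downloadstring|iex')
        }
    }
}

Write-Host '== Satan process / module indicators =='
Find-SatanIndicators | Format-Table -AutoSize
Write-Host '== Permanent WMI event subscriptions =='
Get-PermanentWmiSubscriptions | Format-Table -AutoSize
```

A clean host normally returns nothing from the first function and few or no rows from the second; on a domain-managed machine some legitimate subscriptions (for example from management agents) are expected, so compare against a known-good host before acting on a hit.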
WannaCry 2.0
This new variant of the well-known WannaCry does not really do its job right. Due to improper use of the “Eternal Blue” exploit, this ransomware often crashes the host rather than successfully infecting it. The whole business of an organization can still be greatly affected if its servers are hit.
HOW TO PROTECT YOUR ORGANIZATION
Here are some tips from Sangfor to protect your Organization:
1. Update all of your Windows systems with the newest patches.
2. Patch the Eternal Blue vulnerability by downloading the fix from the Windows website.
3. Beware of phishing emails: do not open unknown emails, and especially not unidentified attachments.
4. For urgent protection, temporarily prohibit the use of all SMB services by blocking ports 3389, 445, 135 and 139.
5. Make regular local backups of important files and databases.
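Tips 1, 2 and 4 can be applied and verified from a single elevated PowerShell session. The script below is an added example, not Sangfor's code, and assumes Windows 8.1 / Server 2012 R2 or newer (Get-SmbServerConfiguration and the NetSecurity firewall cmdlets are not available on Windows 7). It blocks inbound TCP on the four ports the bulletin names, turns off the SMBv1 server that the Eternal Blue exploit targets, and checks whether a list of hotfix IDs is installed; the KB number of the Eternal Blue fix differs per Windows version, so it is passed in as a parameter rather than hard-coded. Note that port 3389 carries Remote Desktop rather than SMB, so the block rule will also cut RDP sessions, including the one you may be running the script from.

```powershell
# Added hardening script, not part of the Sangfor bulletin. Run from an elevated PowerShell.

$EmergencyPorts = 3389, 445, 135, 139                      # ports listed in tip 4 of the bulletin
$RulePrefix     = 'Ransomware bulletin - block inbound TCP' # rule name prefix (chosen here, not a Windows default)

function Block-BulletinPorts {
    foreach ($port in $EmergencyPorts) {
        $name = "$RulePrefix $port"
        # Idempotent: do not create a second copy of the rule on repeated runs.
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any -Enabled True | Out-Null
        }
    }
    # Return what is now in force so the change can be verified.
    Get-NetFirewallRule -DisplayName "$RulePrefix *" | ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Port    = ($_ | Get-NetFirewallPortFilter).LocalPort
            Enabled = $_.Enabled
        }
    }
}

function Unblock-BulletinPorts {
    # Reverses Block-BulletinPorts once the systems are patched (the bulletin calls the block "temporary").
    Get-NetFirewallRule -DisplayName "$RulePrefix *" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

function Disable-Smb1Server {
    $before = (Get-SmbServerConfiguration).EnableSMB1Protocol
    if ($before) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    [pscustomobject]@{
        Smb1WasEnabled = $before
        Smb1EnabledNow = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
}

function Test-HotfixInstalled {
    # $KbIds: the hotfix IDs you looked up for this OS version on the Microsoft site (tips 1 and 2).
    param([Parameter(Mandatory)][string[]]$KbIds)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

# Usage (elevated):
#   Disable-Smb1Server
#   Block-BulletinPorts | Format-Table -AutoSize
#   Test-HotfixInstalled -KbIds @('KB<number-for-your-OS>') | Format-Table -AutoSize   # placeholder KB, look up the real one
#   Unblock-BulletinPorts        # after patching, to restore file sharing and RDP
```

Blocking 445 and 139 stops Windows file and printer sharing, and blocking 135 breaks RPC-based management such as remote WMI, so treat the rules as the emergency measure the bulletin describes and remove them once patching is confirmed with Test-HotfixInstalled.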
HOW SANGFOR NGAF CAN PROTECT YOU
Sangfor NGAF is the world's first fully integrated NGFW (Next Generation Firewall) + WAF (Web Application Firewall). It provides comprehensive network security protection against current, emerging and future threats.

The Sangfor NGAF signature database is regularly updated to protect our users against popular attacks deriving from the Eternal Blue exploit.

In addition, Sangfor NGAF can also protect you against new variants of ransomware by providing a full range of security features such as:

Anti-Phishing: Send out alerts on suspicious emails that could bring in Ransomware.

Anti-Virus: Block malware that can infect your hosts with ransomware, using over 1 million signatures in the Sangfor database.

Sandboxing: Detect and block emerging and new Ransomware by cloud-based threat analysis.

Anti-Malware: Damage remediation - keep Ransomware from spreading via corporate network and even block the encryption process.
THREATS ARE CONTINUOUSLY EMERGING AND EVOLVING.

MAKE SURE THAT YOUR ORGANIZATION IS SAFE BY REQUESTING A FREE SECURITY ASSESSMENT OF YOUR NETWORK !

COPYRIGHT © 2000-2018 SANGFOR TECHNOLOGIES INC. ALL RIGHTS RESERVED.