.nem3end RANSOMWARE

Posted by Craig Rider (AU)


G'day,

Have a few machines which were accessed via RDP.

It looks like we interrupted them in the process, as I have a number of files from a few different machines which to me look like pieces of the jigsaw. (Possibly have the local and remote ID keys for a machine.)

They used ProcessHacker in conjunction with Lock.exe

[email protected]

[email protected]

[email protected]

[email protected]


I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can be 100% certain which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.


This is more than likely Cry36, or a similar Nemesis variant. The "sample bytes" are usually an accurate way to identify it.

Do you still have a copy of the malware that encrypted the files? If so, would it be possible to upload it to VirusTotal and post a link to the analysis here?


That certainly looks like a Nemesis variant (probably similar to Cry36 since it used secure encryption). First seen on VirusTotal on May 29th, so it's not brand new. I'll run it by our malware analysts just to be certain, however I expect they've already seen it.


It's been confirmed as Cry36.

In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them is pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes the System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies and then use ShadowExplorer to recover files. However, this isn't necessarily straightforward to do: the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer. Even if you can recover the old Volume Shadow Copies, as mentioned above, the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery

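Before installing ShadowExplorer it is worth checking from PowerShell whether any Volume Shadow Copies survived at all, and if one did, exposing it as a directory link so it can be browsed with ordinary tools. The block below is an added example, not code from the thread or from ShadowExplorer; it assumes an elevated session, and the link path C:\shadow_snapshot is an arbitrary choice for the example.

```powershell
# Added example, not from the thread: check from PowerShell whether any Volume
# Shadow Copies survived, and expose one as a directory link so it can be
# browsed or copied from with ordinary tools. Run in an elevated session.
# The link path C:\shadow_snapshot is an arbitrary choice for this example.
function Get-SurvivingShadowCopies {
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object InstallDate |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

function Mount-ShadowCopyLink {
    param(
        # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3 (the DeviceObject property)
        [Parameter(Mandatory)][string]$DeviceObject,
        [string]$LinkPath = 'C:\shadow_snapshot'
    )
    # mklink needs the trailing backslash on the device path to resolve it.
    cmd.exe /c mklink /d $LinkPath "${DeviceObject}\" | Out-Null
    Get-Item -LiteralPath $LinkPath
}

$copies = @(Get-SurvivingShadowCopies)
if ($copies.Count -eq 0) {
    Write-Warning 'No shadow copies present; the ransomware has most likely deleted them.'
} else {
    $copies | Format-Table -AutoSize
    # Expose the newest snapshot and peek at the user profiles it contains.
    $link = Mount-ShadowCopyLink -DeviceObject $copies[-1].DeviceObject
    Get-ChildItem -LiteralPath (Join-Path $link.FullName 'Users') -ErrorAction SilentlyContinue |
        Select-Object Name, LastWriteTime -First 5
    # Remove the link when done; this does not delete the snapshot itself:
    # cmd.exe /c rmdir $link.FullName
}
```

If the first function returns nothing, the snapshots are gone and the only remaining route is the undelete approach described in the post above; if it returns entries, compare the InstallDate against the time of the RDP intrusion before trusting any file recovered from the link.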

Thank you for the confirmation.

Could someone please have a look at the attached ZIP files for the RearLeftPC and WebSrv.

The ransomware was delivered via RDP and looks to be manually executed (to me - or an automated process we interrupted).

The file contents for each machine are different, as in, there appear to be some files left behind and not cleaned up.

Please see these DIR captures for examples, in particular the WebSrv capture.

The file lock.exe.ransomware.danger.seriesofnumbers.seriesofnumbers.nem3end looks interesting to me.

[Screenshots attached: WebCapture.PNG, FrontLeftCapture.PNG, RearLeftCapture.PNG]


I don't see anything abnormal in your screenshots. They look just like folders I've found on systems compromised via RDP. If you'd like me to explain anything specific, then please send me a private message.

Have you already seen the information I usually post for those who have systems compromised via RDP? It's some information to help get started securing RDP. If you haven't, then I'll post it below for you to review:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

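The three host-side pieces of the advice above (the port audit, pinning RDP to a VPN subnet rather than opening it globally, and 25-character random passwords drawn from all four character classes) as an added PowerShell example. This is not code from the thread or from any vendor; it assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets, a VPN client subnet of 10.8.0.0/24, and that the built-in "Remote Desktop" firewall rule group is what exposes RDP on the host. All three are assumptions for the example.

```powershell
# Added example, not from the thread: audit inbound firewall exposure, pin the
# built-in RDP rules to a VPN subnet, and generate 25-character random passwords.
# Assumptions (not stated in the thread): Windows 8 / Server 2012 or later
# (NetSecurity module), and a VPN client subnet of 10.8.0.0/24.
$VpnSubnet = '10.8.0.0/24'

# 1. Port audit: every enabled inbound allow rule that accepts traffic from ANY
#    remote address is a "globally open port" in the sense used above.
function Get-GloballyOpenInboundRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $addr = $rule | Get-NetFirewallAddressFilter
            $port = $rule | Get-NetFirewallPortFilter
            if ($addr.RemoteAddress -eq 'Any') {
                [pscustomobject]@{
                    Name      = $rule.DisplayName
                    Profile   = $rule.Profile
                    Protocol  = $port.Protocol
                    LocalPort = ($port.LocalPort -join ',')
                }
            }
        }
}

# 2. Restrict the built-in Remote Desktop rules so the host firewall only
#    accepts RDP from the VPN subnet. The perimeter firewall still needs the
#    same restriction; this only hardens the host itself.
function Restrict-RdpToVpn {
    param([Parameter(Mandatory)][string]$Subnet)
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $Subnet -Enabled True
}

# 3. Uniform random index from the OS CSPRNG, with rejection sampling so the
#    modulo step does not bias toward low indices.
function Get-SecureRandomIndex {
    param([Parameter(Mandatory)][int]$Max)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $rng.GetBytes($buf)
        $v = [BitConverter]::ToUInt32($buf, 0)
    } while ($v -ge $limit)
    return [int]($v % $Max)
}

# 4. Password built from all four classes, with at least one character from
#    each, then shuffled so the class order is not predictable.
function New-RandomPassword {
    param([int]$Length = 25)
    $classes = @(
        [char[]](65..90),                      # A-Z
        [char[]](97..122),                     # a-z
        [char[]](48..57),                      # 0-9
        [char[]]'!@#$%^&*()-_=+[]{};:,.?'      # symbols
    )
    $all = $classes | ForEach-Object { $_ }    # flattened alphabet
    $chars = foreach ($c in $classes) { $c[(Get-SecureRandomIndex -Max $c.Length)] }
    while ($chars.Count -lt $Length) {
        $chars += $all[(Get-SecureRandomIndex -Max $all.Length)]
    }
    # Fisher-Yates shuffle using the same CSPRNG-backed index function.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-SecureRandomIndex -Max ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    return -join $chars
}

Get-GloballyOpenInboundRules | Format-Table -AutoSize
# Restrict-RdpToVpn -Subnet $VpnSubnet   # uncomment once the VPN path is confirmed working
New-RandomPassword -Length 25
```

The audit function lists every rule that would still answer an unsolicited connection from the internet; anything in that output that is not deliberately public belongs behind the VPN, and the rule change should be made on the perimeter firewall as well as on the host so that RDP is never reachable except through the VPN address range.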

I've run lock.exe (as non-admin) against a clean Windows installation and got the following files.

The temp.txt file has more content than the ones from my previously infected machines, possibly because it was not run as admin and had no internet access.

#DECRYPT_MY_FILES#.txt
temp000000-2.txt
Desert.jpg.1022949153.nem3end
Chrysanthemum.jpg.1022949153.nem3end

Is it possible this long string might be a key?

This information hasn't been in the previous files (possibly deleted as part of the ransomware end of process cleanup?)


Edited by GT500
Removed contents of file to keep it private.

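The artefacts listed in the post above (encrypted files of the form <original name>.<digits>.nem3end plus the #DECRYPT_MY_FILES#.txt note) lend themselves to a quick sweep across the affected machines. The block below is an added PowerShell example, not code from the thread or from any analysis tool; the file-name regex is inferred from the two encrypted names posted and is an assumption about the wider family, while the ransom note name is taken verbatim from the post. The sample listing at the bottom is constructed so the parser can be exercised without a live infection.

```powershell
# Added example, not from the thread: triage sweep for the artefacts named in
# this post. The name pattern "<original name>.<digits>.nem3end" is inferred
# from the two encrypted files listed above and is an assumption about the
# wider family; the ransom note name is taken verbatim from the post.
$Nem3endPattern = '^(?<original>.+)\.(?<id>\d+)\.nem3end$'
$RansomNoteName = '#DECRYPT_MY_FILES#.txt'

# Split an encrypted file name into the original name and the numeric ID the
# ransomware appended; returns nothing for names that do not match.
function ConvertFrom-Nem3endName {
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -match $Nem3endPattern) {
        [pscustomobject]@{
            Name         = $Name
            OriginalName = $Matches['original']
            VictimId     = $Matches['id']
        }
    }
}

# Walk a tree (a live volume, or a mounted copy of the drive) and summarise
# what was touched. Grouping by VictimId shows whether the number is per
# machine or per file, which bears on the "local/remote ID key" question.
function Find-Nem3endArtifacts {
    param([Parameter(Mandatory)][string]$Path)
    $files = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue
    $encrypted = foreach ($f in $files) {
        $parsed = ConvertFrom-Nem3endName -Name $f.Name
        if ($parsed) {
            $parsed | Add-Member -NotePropertyName FullName -NotePropertyValue $f.FullName -PassThru
        }
    }
    [pscustomobject]@{
        EncryptedCount = @($encrypted).Count
        VictimIds      = @($encrypted | Group-Object VictimId | ForEach-Object { "$($_.Name) ($($_.Count) files)" })
        RansomNotes    = @($files | Where-Object Name -eq $RansomNoteName | ForEach-Object FullName)
        EncryptedFiles = @($encrypted)
    }
}

# Constructed sample listing mirroring the names posted above plus two
# untouched files, so the parser can be checked offline.
$SampleNames = @(
    'Desert.jpg.1022949153.nem3end',
    'Chrysanthemum.jpg.1022949153.nem3end',
    '#DECRYPT_MY_FILES#.txt',
    'temp000000-2.txt',
    'Notes.docx'
)
$SampleNames | ForEach-Object { ConvertFrom-Nem3endName -Name $_ } | Format-Table -AutoSize
# Live sweep (run against the affected volume or a mounted forensic copy):
# Find-Nem3endArtifacts -Path 'D:\' | Format-List
```

Run against each of the affected machines, the VictimIds field makes it obvious whether every file on a host carries the same number (one ID per machine, which is what the two sample names suggest) or whether it varies, and the RansomNotes list doubles as a map of which directory trees the process reached before it was interrupted.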

It contains information about the computer. There's a long string of encoded data. I'll ask and see if anyone knows what it contains.

1 hour ago, Craig Rider said:

Is it possible this long string might be a key?

That's possible. If it is, my guess would be that it's the public key used to encrypt files. With most secure ransomware like Cry36 the private key needed to decrypt files is never stored on the infected computer.
