
RIG-v from 195.133.49.200 sends CryptoShield Ransomware

Posted in ransomware, exploitkit

Today I got a different ransomware called CryptoShield. I have been told by a few people that this is a CryptoMix variant.

I have submitted a signature for the CnC Traffic to EmergingThreats for public release tomorrow. Thanks Guys!

Domains:

64.71.35.47      hudginslawfirm.com   Compromised site
195.133.49.200   qwe.umudum.org       RIG-v EK
45.76.81.110                          CryptoShield Checkin



Traffic:

[Image: EITEST Redirect]


[Image: RIG-v & CryptoShield]


This was highly amusing, the ransomware POSTed the private key in plaintext to the CnC Server. #fail

[Image: CryptoShield CnC Traffic]



Network Signatures:

ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M3
ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M4
ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)
ETPRO CURRENT_EVENTS RIG EK Landing Pre-filter (Rig-v)
ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2
ETPRO CURRENT_EVENTS RIG EK Landing Nov 30 2016 (RIG-v)
ETPRO CURRENT_EVENTS RIG/Sundown/Xer EK Payload Jul 06 2016 M2
ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016



Process Tree:

[Image: Exploit and CryptoShield execution]



File Hashes:

Detection ratio: 10 / 54

SHA256: 04fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41c
File type: Flash


Detection ratio: 7 / 56

SHA256: cadb8633e114f4b91b9b394878231c780bb305939f2b2a84b0e0f7b3b464f164
File type: Win32 EXE

[Image: VirusTotal Results]


[Image: File Details]



Ransom Note:

[Image: Note *.txt]


[Image: Note *.html]



Encrypted Files:

[Image: Pictures Folder]


[Image: File Contents]



Associated files:
traffic.zip
samples.zip
