GetCrypt Ransomware Brute Forces Credentials, Decryptor Released (May 22, 2019)
An exploit kit researcher known as “nao_sec” discovered a new ransomware called “GetCrypt.” The ransomware is delivered through malvertising campaigns that redirect users to the “RIG” Exploit Kit (EK). The campaign was found to be using the “Popcash” advertisement network to distribute the malvertisements. If a user clicks on a malvertisement, he/she will be redirected to a webpage hosting the RIG EK, which will attempt to run malicious scripts to exploit vulnerabilities on the host machine. The ransomware checks the default language on the Windows machine and, if it is Belarusian, Kazakh, Russian, or Ukrainian, it halts the encryption process; otherwise GetCrypt encrypts files using the “Salsa20” and “RSA-4096” encryption algorithms. The ransomware is also capable of brute-forcing network account credentials in order to propagate through a network.
Recommendation: Users should be cautious when clicking on advertisements because, as this story portrays, malicious advertisements can sometimes appear on legitimate online locations. If the advertised product is appealing, it is safer to search for the product on the authentic website of the company selling it, or on other trusted online shopping locations. In addition, it is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available, there may be a decryptor available that can assist in retrieving encrypted files. In GetCrypt’s case, security researchers have developed a free decryptor that can be used to recover files.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.