Hermes ransomware distributed to South Koreans via recent Flash zero-day (Mar 14, 2018)
The Korean Advanced Persistent Threat (APT) group "Group 123" was observed using an Adobe Flash zero-day exploit in the wild. The exploit, tracked as CVE-2018-4878, is now being used to distribute the "Hermes" ransomware to South Korean users. The exploit is delivered via malicious Word documents that contain an embedded Flash object.
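As an added defender-side example (not part of the original briefing), the following Python scans an OOXML Word document for the embedded Flash object that this delivery chain relies on. The sample archive it builds is constructed for the demonstration; the Flash ActiveX CLSID and the SWF file signatures are well-known public constants.

```python
# Added example (not from the original story): flag .docx files that
# embed a Flash object, the delivery mechanism described above.
import io
import re
import zipfile

# Well-known CLSID of the ShockwaveFlash ActiveX control.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# SWF file signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_flash_indicators(docx_bytes: bytes) -> list:
    """Return (member, reason) pairs for each part of an OOXML document
    that points at Flash. An empty list means nothing was found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            lower = name.lower()
            # ActiveX control parts identify the control by CLSID.
            if lower.startswith("word/activex/") and lower.endswith(".xml"):
                if FLASH_CLSID.lower() in data.decode("utf-8", "ignore").lower():
                    hits.append((name, "ActiveX part references Flash CLSID"))
            # Embedded objects/media: check for a SWF header regardless of extension.
            if data[:3] in SWF_MAGICS:
                hits.append((name, "SWF signature %r" % data[:3]))
            # Document or relationship XML may name the control by ProgID.
            if lower.endswith(".xml") and re.search(rb"ShockwaveFlash", data, re.I):
                hits.append((name, "ShockwaveFlash ProgID in XML"))
    return hits


def build_sample_docx(with_flash: bool) -> bytes:
    """Constructed minimal .docx-like archive used to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            zf.writestr("word/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{%s}" ax:persistence="persistStorage"/>' % FLASH_CLSID)
            zf.writestr("word/embeddings/oleObject1.bin", b"CWS\x0a" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, find_flash_indicators(build_sample_docx(flag)))
```

The same checks apply to a real document on disk by passing its bytes to `find_flash_indicators`; any hit is worth quarantining for analysis rather than opening.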
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If no restorable backup is in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.