New Ransomware Using DiskCryptor with Custom Ransom Message (Nov 2, 2018)
Independent researchers going by the Twitter handle "MalwareHunterTeam" discovered a new ransomware campaign that installs the "DiskCryptor" encryption service on the infected machine and restarts the computer. After the reboot, a ransom note is displayed giving the victim instructions on how to recover their files. The threat actors behind this campaign are suspected of compromising a target machine's Remote Desktop Services (RDS) and installing the ransomware manually. During installation, a log file in the machine's Public folder records the current stage of the encryption process. Once the machine has been fully encrypted, the ransomware initiates a reboot, after which the ransom note with payment instructions is shown. The note instructs the victim to contact the email address "mcrypt2018@yandex[.]com" to receive the decryption password, learn the cost of the ransom, and make the payment. The initial attack vector of the ransomware is unclear.
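The behaviour chain described above (a DiskCryptor service appearing, a progress log written to the Public folder, a forced reboot, and a ransom note carrying the contact address) is something a defender can correlate in host telemetry. The script below is an added example written for this page, not code from MalwareHunterTeam or from ThreatStream. It works on a simplified event format of its own (field names such as `type`, `service_name`, `image_path` and `path` are this example's assumptions, modelled loosely on a Windows service-install record and a file-create record); the service is recognised by the strings "diskcryptor" or "dcrypt" in its name or image path, which is an assumption since the page does not name the service; the sample events at the bottom are constructed, not real log data.

```python
"""Correlate host events for the DiskCryptor-based ransomware behaviour described above.

Added example (not the researchers' or the vendor's code). Assumptions:
  * events are dicts with a "type" key; the field names are this example's own,
    modelled loosely on a service-install record and a file-create record.
  * the DiskCryptor service is recognised by "diskcryptor" or "dcrypt" in its
    name or image path; the actual service name is not given on the page.
"""
from dataclasses import dataclass
import re

RANSOM_EMAIL = "mcrypt2018@yandex.com"                     # contact address from the ransom note
PUBLIC_DIR = re.compile(r"^c:\\users\\public\\", re.IGNORECASE)
DISKCRYPTOR = re.compile(r"diskcryptor|dcrypt", re.IGNORECASE)  # assumption, see docstring


@dataclass
class Finding:
    indicator: str
    detail: str


def check_event(ev):
    """Return a Finding if this single event matches one of the described stages, else None."""
    kind = ev.get("type")
    if kind == "service_install":
        text = f'{ev.get("service_name", "")} {ev.get("image_path", "")}'.strip()
        if DISKCRYPTOR.search(text):
            return Finding("diskcryptor_service", text)
    elif kind == "file_create":
        path = ev.get("path", "")
        # the page describes a log in the Public folder that tracks encryption progress
        if PUBLIC_DIR.match(path) and path.lower().endswith(".log"):
            return Finding("public_progress_log", path)
    elif kind == "file_content":
        if RANSOM_EMAIL in ev.get("content", "").lower():
            return Finding("ransom_note_contact", ev.get("path", ""))
    elif kind == "reboot":
        return Finding("reboot", ev.get("reason", ""))
    return None


def assess_host(events):
    """Correlate the events of one host in order; returns (severity, findings).

    The DiskCryptor service install is the anchor. Alone it is only "medium"
    (DiskCryptor has legitimate users); combined with a progress log in the
    Public folder or the ransom-note contact address it is rated "high".
    A reboot is only recorded once the service install has already been seen.
    """
    findings = []
    seen_service = False
    for ev in events:
        f = check_event(ev)
        if f is None:
            continue
        if f.indicator == "reboot" and not seen_service:
            continue  # ordinary reboots are not interesting on their own
        if f.indicator == "diskcryptor_service":
            seen_service = True
        findings.append(f)

    kinds = {f.indicator for f in findings}
    if "diskcryptor_service" in kinds and kinds & {"public_progress_log", "ransom_note_contact"}:
        return "high", findings
    if "diskcryptor_service" in kinds or "ransom_note_contact" in kinds:
        return "medium", findings
    return "none", findings


# Constructed sample telemetry for one host (not real log data).
SAMPLE_EVENTS = [
    {"type": "logon", "logon_type": 10, "user": "admin"},
    {"type": "service_install", "service_name": "dcrypt",
     "image_path": r"C:\Windows\System32\drivers\dcrypt.sys"},
    {"type": "file_create", "path": r"C:\Users\Public\encrypt.log"},
    {"type": "reboot", "reason": "initiated by shutdown.exe"},
    {"type": "file_content", "path": r"C:\Users\Public\readme.txt",
     "content": "contact MCRYPT2018@yandex.com for the password"},
]

if __name__ == "__main__":
    severity, hits = assess_host(SAMPLE_EVENTS)
    print(severity)
    for h in hits:
        print(f"  {h.indicator}: {h.detail}")
```

The ordering rule matters: a reboot by itself is noise, so it is only kept once the service install has been observed, and the final rating depends on which stages co-occur rather than on any single string match. Adapting this to real telemetry means mapping the assumed field names onto the records your EDR or event-log pipeline actually produces.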
Recommendation: Ransomware can potentially be blocked by endpoint protection solutions (HIDS), but as this news shows, new threats constantly evolve to bypass these protections. Always keep your important files backed up. In the case of a ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, which are working to track these actors and prevent ransom from being a profitable business for cyber criminals.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.