Threat Intelligence.Blog.
Secrets Behind Ever101 Ransomware
June 22nd, 2021
A victim called the incident response teams of Global Threat Center, reporting a seemingly
new stream of ransomware attack. Upon investigation, we determined the extension of the
encrypted files was certainly new, but the malware displayed significant similarities with
several ransomware families—a combination that made attribution an interesting and difficult
riddle. The attack’s signature was a Music folder containing an arsenal of tools, which the
malware dropped and executed on each of the encrypted machines... READ MORE
Cuba Ransomware On a Roll
May 5th, 2021
At the end of 2020, our team made up of SecurityJoes and Profero incident responders, led an investigation into a complex attack in which hundreds of machines were encrypted, knocking the victim company offline completely. The threat actors behind the attack deployed the Cuba ransomware across the corporate network, using a mixture of PowerShell scripts, SystemBC, and Cobalt Strike to propagate it. Cuba Ransomware utilizes the symmetric ChaCha20 algorithm for encrypting files, and the asymmetric RSA algorithm for encrypting key information. As a result, the files could not be decrypted without the threat actor’s private RSA key... READ MORE
APT27 Turns To Ransomware
January 4th, 2021
At the peak of the COVID-19 pandemic and economic crisis, our Global Incident Response and Cyber Crisis Management teams were engaged on several fronts around the world, fighting cybercrime, and even nation-state actors. The following report tells the story of one of these engagements and how again, the thin line between nation-states and cybercrime was crossed.