HDDCryptor: Subtle Updates, Still a Credible Threat
by Stephen Hilt and Fernando Mercês
Since first writing about the discovery of HDDCryptor back in September, we have been tracking this ransomware closely as it has evolved. Last week, a new version was spotted in the wild, and based on our analysis, we believe that this variant is the one used in a recent attack against the San Francisco Municipal Transport Agency (SFMTA).
In this attack, as we've seen with other versions of HDDCryptor, the ransomware dropped some tools to perform full disk encryption, as well as the encryption of mounted SMB drives. We believe the threat actors behind the attack don't use exploit kits and automated installers to instantly compromise and infect victims. Instead, they first attempt to gain access to the machine, most likely through a more targeted attack or exploit, before manually triggering and executing the malware. While we don't have specific information on how this was accomplished across SFMTA's 2,000 machines, it is highly likely that it was done by scheduling a job to run on all of the devices using some form of admin credentials.
When contacted, the actors using this new HDDCryptor replied with a message similar to the one seen in the CSO Online article.
Figure 1. The attacker's e-mail response that includes instructions on how to obtain Bitcoin
  How has HDDCryptor Evolved?
Previously, HDDCryptor did all of this with a user account that it added, which in September was "mythbusters." Shortly after, it was observed adding a user named "ABCD," as the creators had likely changed the username to avoid detection. In the most recent version observed as of last week, HDDCryptor no longer adds a user; however, it creates the path "C:\Users\WWW" in which it drops the files needed to perform the encryption of both the local hard drive and any attached file shares.
Figure 2. Components dropped by HDDCryptor
After trying to encrypt remote network shares, the ransomware puts in place all the pieces needed for local encryption and reboots the system once. After the reboot, HDDCryptor carries out the local disk encryption.
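The following triage script is an added example, not code from the original write-up or from Trend Micro. It scans constructed Windows Security and Sysmon style event records for the indicators described above: creation of the "mythbusters" or "ABCD" accounts (event 4720), files dropped under C:\Users\WWW (Sysmon event 11), and the same scheduled task being registered by one account across many hosts (event 4698), which matches the mass-scheduling pattern the authors suspect in the SFMTA incident. The event field names, the task name and the host threshold are assumptions.

```python
"""Triage constructed event records for the HDDCryptor indicators named in the
write-up. The records below are hand-built samples, not real log data."""
import re
from collections import defaultdict

HDDCRYPTOR_ACCOUNTS = {"mythbusters", "abcd"}             # accounts named in the write-up
STAGING_DIR = re.compile(r"^c:\\users\\www(\\|$)", re.I)  # current variant's drop path

# Constructed sample events; field names are assumed, modelled on Security/Sysmon logs.
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 4720, "target_user": "ABCD", "subject": "CORP\\admin"},
    {"host": "ws01", "id": 11, "path": r"C:\Users\WWW\dcrypt.exe", "subject": "CORP\\admin"},
    {"host": "ws02", "id": 4698, "task": "\\Update", "subject": "CORP\\admin"},
    {"host": "ws03", "id": 4698, "task": "\\Update", "subject": "CORP\\admin"},
    {"host": "ws04", "id": 4698, "task": "\\Update", "subject": "CORP\\admin"},
    {"host": "ws05", "id": 11, "path": r"C:\Users\bob\notes.txt", "subject": "CORP\\bob"},
]


def triage(events, task_host_threshold=3):
    """Return a list of (host, reason) findings for the indicators above."""
    findings = []
    task_hosts = defaultdict(set)  # (creating account, task name) -> hosts it appeared on
    for ev in events:
        if ev["id"] == 4720 and ev["target_user"].lower() in HDDCRYPTOR_ACCOUNTS:
            findings.append((ev["host"], f"account created: {ev['target_user']}"))
        elif ev["id"] == 11 and STAGING_DIR.match(ev["path"]):
            findings.append((ev["host"], f"file dropped in staging dir: {ev['path']}"))
        elif ev["id"] == 4698:
            task_hosts[(ev["subject"], ev["task"])].add(ev["host"])
    # One account registering the same task on many hosts is the mass-scheduling
    # pattern the write-up suspects was used to push the malware to 2,000 machines.
    for (subject, task), hosts in task_hosts.items():
        if len(hosts) >= task_host_threshold:
            for h in sorted(hosts):
                findings.append((h, f"task {task} scheduled by {subject} on {len(hosts)} hosts"))
    return findings


if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(host, reason)
```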
左眼角的淚痣 posted the day before yesterday at 02:51
Supporting this; everyone below, keep the formation!