Social Engineering: Media Manipulation

The SonicWall Capture Labs Threat Research Team have come across a fake ransomware Trojan that functions as a bootlocker. It is named Uselessdisk because of the debugging symbols and project name strings that the developer has left in the executable file. Its aim is simple: render the system unbootable and pretend that files on the system have been encrypted. Ask for $300 USD in bitcoin for file recovery.

Infection Cycle:

Upon running the malware, it quickly reboots the machine and displays the following message:

Usually the process of encrypting files takes at least a few seconds so we were suspicious when this malware claimed to achieve this so quickly. We were doubtful as to whether any encryption was actually taking place at all. Running the malware through a debugger and analyzing its behavior confirmed this doubt.

The Trojan is quite simply, a boot locker. Its first step is to acquire direct access to the physical drive by using the CreateFileA API to open "\\.PHYSICALDRIVE0". It also attempts to lock the volume for exclusive access to the drive by using the IO control code FSCTL_UNLOCK_VOLUME with the DeviceIOControl API call:

These functions only return successful if the Trojan is run in administrator mode. If the above calls return successfully the Trojan then calls WriteFile to overwrite the MBR (Master Boot Record):

This causes the above message to be shown on the screen at boot time and renders the operating system unbootable.

Once the MBR has been overwritten, the Trojan unlocks the volume then uses WinExec to run the shutdown command with arguments to reboot the system immediately:

The Trojan is unlikely to be lucrative.

The bitcoin address (1GZCw453MzQr8V2VAgJpRmKBYRDUxxxzco) has received no transactions yet at the time of writing this alert:

How to Avoid CyberAttacks?

Employee Education: CYBERSECURITY 101 It's critical that your staff understands what ransomware is and the threats that it poses. Provide your team with specific learning experience examples of suspicious emails with clear instructions on what to do if they encounter a potential ransomware lure (i.e. don’t open attachments, if you see something, say something, etc.) see CYBERSECURITY 101 training program below

Security: Antivirus software is essential for any business to protect against ransomware and other risks. Ensure your security software is up to date to protect against newly identified threats. Keep all business applications patched and updated to minimize vulnerabilities.

Backup Disaster recovery: Modern total data protection solutions take snapshot-based, incremental backups as frequently as every five minutes to create a series of recovery points. If your business suffers a ransomware attack, this technology allows you to roll-back your data to a point-in-time before the corruption occurred. First, you don’t need to pay the ransom to get your data back. Second, since you are restoring to a point-in-time before the ransomware infected your systems, you can be certain everything is clean and the malware can’t be triggered again.

EmailSecurity: Use a real Cloud-based email security platform, a robust, secure, and legally compliant email encryption.

Quarterly Network Security Assessments: Did you know that most security vulnerabilities occur inside a business, behind the firewall? In fact, more than 70% of all cyber security incidents today are the result of INTERNAL security issues that no firewall, anti-virus or malware device could have prevented. schedule yours now.

To find out about cybersecurity and what SynerTech security team can do to fight back, Fill out the form here .

Source:https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=1135