AdobeStock_110047872

Warning! A new Ransomware strain that also performs denial of service attacks on your other devices has been discovered.

Hi there again my fellow Nexthinkers. Today I completed some more Ransomware research. Instead of just being satisfied that they have encrypted all your files on network shares and locking your machines, this variant of Ransomware also started a DoS attack that blasts SPOOFED network traffic at various IP addresses. This is the first Ransomware I have seen with DDoS capability.

This Ransomware uses a file-less attack method “Weaponised documents” which most antivirus and “next-gen” antivirus software’s are not capable of seeing inside a phishing email with a random filename.

In this case the Phishing email exploited their victims using Visual Basic in a Rich Text Document (.rtf), this in turn launched Microsoft Word and initiated the embedded macros. The macros then ran an administrator command prompt on the host to create another malicious binary with random code which is then executed. The observed network traffic looks to be flooding the subnet with UDP port 6892 and would spoof the source.

Since the source of the DoS attack will be spoofed, finding the real source of the infected machine will be very quick in Nexthink minimising downtime by just searching for any endpoints using UDP 6829. It has the potential capability to join a Botnet to be used in a Distributed Denial of Service attack (DDoS) as a chargeable Dark Web service.

Extra File Information
https://www.virustotal.com/en/file/987535371c0bbb57ccbf2f322bcc5111348756af794cb819441e59b6f372c9c6/analysis
As new variants of this come out with different hash values and knowing that traditional AV will not be able to keep up, please take advantage of our behavioral alerts and investigations to stop this Ransomware from impacting your business.

Word
Admin Command
New Binary
UDP 6829