Introduction
The Sangfor Security Team has recently detected and identified a new ransomware virus, dubbed the “Attention” virus by the Sangfor team, which has been quite active in the manufacturing and medical industries. The “Attention” virus spreads through social engineering and RDP brute-force attacks, with the attacker deploying it manually on each compromised host. Perhaps more unsettling, once the files have been encrypted the attacker manually deletes the virus vector and the intrusion logs.
Several enterprises in Asia have already fallen victim to the “Attention” virus, and with no known decryption method, businesses are feeling the impact. Encrypted files have 10-12 randomly chosen letters appended to their names, after which the ransom note is generated. While the virus is capable of copying itself so that it runs at system startup, the attacker then manually deletes that self-duplicated copy.
Virus Analysis
1. The ransom note “YOUR FILES ARE ENCRYPTED.TXT” informs the victim that their files have been encrypted, as shown below:
2. The encrypted files are appended with 10-12 randomly chosen letters (the first three letters are fixed), as shown below:
Sample Analysis
1. First, a file with a random name (here B3A9A362.ghost) is created in the %temp% directory and the value 00 is written into it, as shown below:
2. It then copies itself to C:\Users\panda\AppData\Roaming\Microsoft\Windows under the system file name ctfmon.exe, as shown below:
3. Using ShellExecute, it launches the copied ctfmon.exe, which runs the ransomware, as shown below:
4. The original file is then deleted automatically by the following cmd.exe command, as seen below:
"/c for /l %x in (1,1,666) do ( ping -n 3 127.1 & del "C:\Users\panda\Desktop\Ransomware1.exe" & if not exist "C:\Users\panda\Desktop\Ransomware1.exe" exit )"
5. A secret ransom key is then generated and saved to the registry under HKEY_CURRENT_USER\Software\Ghost\Service, as shown below:
6. The “Attention” virus then traverses shared folders, disks and file directories across the network, as shown below:
7. The virus then reads each file's contents and encrypts it, appending 10-12 randomly chosen letters to the file name.
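The indicators in steps 1 to 7 above can be turned into a host triage check. The following Python script is an added example, not Sangfor's code or tooling: it matches a host inventory (file paths, process command lines, registry paths) against the marker file in %temp%, the ctfmon.exe copy under AppData\Roaming\Microsoft\Windows, the cmd.exe self-deletion loop, the ransom note name and the HKEY_CURRENT_USER\Software\Ghost\Service key. The inventory format, the user name alice and the sample records are constructed; the page does not say which three fixed letters start the appended extension, so the extension itself is not matched.

```python
"""Host triage for the "Attention" ransomware indicators described above.

Checks a host inventory (file paths, process command lines, registry paths)
against the behaviours listed in the sample analysis. The inventory format
and the sample data below are constructed for this example.
"""
import re
from typing import Dict, List

# Locations from the sample analysis. The user profile name varies per host,
# so paths are matched on their tail rather than on "C:\Users\panda\...".
DROPPER_TAIL = "\\appdata\\roaming\\microsoft\\windows\\ctfmon.exe"
RANSOM_NOTE = "your files are encrypted.txt"
GHOST_KEY = "hkey_current_user\\software\\ghost\\service"

# Self-deletion loop from step 4: a "for /l" loop that pings to delay,
# deletes a file and exits once the file is gone. Accepts 127.1 or 127.0.0.1.
SELF_DELETE_RE = re.compile(
    r"for\s+/l\s+%\w+\s+in\s*\(\s*\d+\s*,\s*\d+\s*,\s*\d+\s*\)\s+do\s*\(.*"
    r"ping\s+-n\s+\d+\s+127(\.0\.0)?\.1.*&\s*del\s+.*if\s+not\s+exist",
    re.IGNORECASE | re.DOTALL,
)


def is_ghost_marker(path: str) -> bool:
    """Step 1: a *.ghost file dropped in the user's %temp% directory."""
    p = path.lower()
    return p.endswith(".ghost") and "\\appdata\\local\\temp\\" in p


def is_dropped_ctfmon(path: str) -> bool:
    """Step 2: ctfmon.exe copied into %AppData%\\Microsoft\\Windows.
    The genuine binary lives in C:\\Windows\\System32 and does not match."""
    return path.lower().endswith(DROPPER_TAIL)


def is_self_delete_loop(cmdline: str) -> bool:
    """Step 4: cmd.exe loop that deletes the original dropper."""
    return SELF_DELETE_RE.search(cmdline) is not None


def is_ransom_note(path: str) -> bool:
    """Ransom note named in the virus analysis section."""
    return path.lower().endswith("\\" + RANSOM_NOTE)


def is_ghost_registry_key(key: str) -> bool:
    """Step 5: registry path holding the ransom key (HKCU alias accepted)."""
    k = key.lower().rstrip("\\")
    if k.startswith("hkcu\\"):
        k = "hkey_current_user\\" + k[len("hkcu\\"):]
    return k == GHOST_KEY


def triage(host: Dict[str, List[str]]) -> List[str]:
    """Return one finding string per matched indicator on a host record."""
    findings: List[str] = []
    for path in host.get("files", []):
        if is_ghost_marker(path):
            findings.append(f"ghost marker file: {path}")
        if is_dropped_ctfmon(path):
            findings.append(f"ctfmon.exe outside System32: {path}")
        if is_ransom_note(path):
            findings.append(f"ransom note: {path}")
    for cmd in host.get("commands", []):
        if is_self_delete_loop(cmd):
            findings.append(f"self-deletion loop: {cmd[:60]}...")
    for key in host.get("registry", []):
        if is_ghost_registry_key(key):
            findings.append(f"ransom key registry path: {key}")
    return findings


# Constructed inventory of one host; 'alice' stands in for the real user name.
SAMPLE_HOST: Dict[str, List[str]] = {
    "files": [
        r"C:\Users\alice\AppData\Local\Temp\B3A9A362.ghost",
        r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\ctfmon.exe",
        r"C:\Windows\System32\ctfmon.exe",  # legitimate copy, must not match
        r"C:\Users\alice\Desktop\YOUR FILES ARE ENCRYPTED.TXT",
    ],
    "commands": [
        r'cmd.exe /c for /l %x in (1,1,666) do ( ping -n 3 127.1 & del '
        r'"C:\Users\alice\Desktop\Ransomware1.exe" & if not exist '
        r'"C:\Users\alice\Desktop\Ransomware1.exe" exit )',
        r"cmd.exe /c ping -n 3 127.1",  # a lone ping is not an indicator
    ],
    "registry": [
        r"HKEY_CURRENT_USER\Software\Ghost\Service",
        r"HKEY_CURRENT_USER\Software\Microsoft",
    ],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOST):
        print(finding)
```

The path checks deliberately ignore the profile name so the same script works across hosts; in a real roll-out the inventory would come from an EDR export or a scheduled collection job rather than the inline dictionary.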
Solution
There are currently no decryption tools capable of decrypting victims’ files. You are advised to isolate infected hosts and disconnect them from the network. Sangfor also recommends that you perform a virus scan and removal as soon as possible.
Ransomware Detection
1. Sangfor NGAF is capable of detecting this ransomware virus.
2. Sangfor offers customers and users free anti-malware software to scan for and remove the “Attention” ransomware virus and others.
Protection
The Sangfor Security Team recommends taking extra precautions to protect devices from infection, as no decryption methods are yet known.
1. Patch hosts promptly by installing the corresponding security updates.
2. Back up critical data files regularly to other hosts or storage devices.
3. Do not click on any email attachment from unknown sources and do not download any software from untrusted websites.
4. Disable unnecessary file sharing.
5. Use strong passwords and do not reuse the same password across multiple computers, so that one compromised password cannot be used to take over a series of computers on the network.
6. Disable RDP if it is unnecessary for your business. If you find your network under attack, use Sangfor NGAF to block port 3389 and any other vulnerable ports to stop the virus from spreading.
7. Sangfor NGAF can prevent brute-force attacks. Activate NGAF brute-force attack prevention and enable rules 11080051, 11080027 and 11080016.
8. For Sangfor NGAF customers, update NGAF to version 8.0.5 and enable AI-powered Sangfor Engine Zero to receive the best protection.
9. Deploy any Sangfor security products and connect to cloud-based Sangfor Neural-X to detect new threats.
10. Perform a network-wide security scan and virus removal to enhance network security. We recommend Sangfor NGAF to detect, prevent and protect your internal network.
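Items 6 and 7 above concern RDP brute force. As an added example (not Sangfor's or NGAF's code), the following Python script shows the detection side for a host that must keep RDP exposed: it counts failed logons (Windows Security event 4625) of logon type 10 (RemoteInteractive, the type RDP sessions use) per source address within a sliding time window and reports the sources that cross a threshold. The pipe-separated record format, the addresses 203.0.113.5 and 192.0.2.10 and the sample records are constructed.

```python
"""Detect RDP brute-force attempts in exported Windows Security events.

Event ID 4625 is a failed logon; logon type 10 (RemoteInteractive) is the
type RDP sessions use. The record format and the data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def parse_record(line: str) -> dict:
    """Parse one 'key=value|key=value' record (constructed export format)."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields


def rdp_bruteforce_sources(lines: List[str], threshold: int = 10,
                           window: timedelta = timedelta(minutes=5)
                           ) -> List[Tuple[str, int, int]]:
    """Return (source_ip, total_failures, distinct_accounts) for each source
    with at least `threshold` failed RDP logons inside one sliding window."""
    events = sorted((parse_record(line) for line in lines), key=lambda e: e["time"])
    by_source: Dict[str, list] = defaultdict(list)
    for ev in events:
        if ev["event_id"] == "4625" and ev["logon_type"] == "10":
            by_source[ev["src_ip"]].append(ev)

    hits: List[Tuple[str, int, int]] = []
    for src, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                accounts = {ev["account"] for ev in evs}
                hits.append((src, len(evs), len(accounts)))
                break
    return hits


def build_sample_log() -> List[str]:
    """Constructed records: one spraying source, one user with a few typos."""
    base = datetime(2024, 1, 15, 3, 0, 0)
    lines = []
    # 12 failures across four accounts in two minutes from one address
    for i in range(12):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"time={t.isoformat()}|event_id=4625|logon_type=10"
                     f"|src_ip=203.0.113.5|account=user{i % 4}")
    # 3 failures from another address spread over forty minutes
    for i in range(3):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"time={t.isoformat()}|event_id=4625|logon_type=10"
                     f"|src_ip=192.0.2.10|account=alice")
    # a successful RDP logon (4624) is never counted
    t = base + timedelta(hours=1)
    lines.append(f"time={t.isoformat()}|event_id=4624|logon_type=10"
                 f"|src_ip=192.0.2.10|account=alice")
    return lines


if __name__ == "__main__":
    for src, total, accounts in rdp_bruteforce_sources(build_sample_log()):
        print(f"{src}: {total} failed RDP logons across {accounts} accounts")
```

The threshold and window are deliberately parameters: a slow spray spread over hours needs a wider window and a lower threshold than the defaults, at the cost of more noise from users who mistype a password.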