LOL/OMG Crypto-Ransomware spreads mainly through RDP brute-force attacks. Once the attacker has control of a server, the ransomware targets the company's file server and encrypts its documents, then demands a ransom in exchange for decryption. The extension appended to encrypted files has changed over time: in the latest variant observed it is .LOL!, and earlier campaigns used .OMG!
The ransom note with the payment instructions (file name: how to get data.txt):
JOKE
Hello boys and girls! Welcome to our high school "GPCODE"!
If you are reading this text (read this very carefully, if you can read), this means that you have missed a lesson about safety and YOUR PC HACKED !!! Dont worry guys - our school specially for you! The best teachers have the best recommendations in the world! Feedback from our students, you can read here:
1)http://forum.kaspersky.com 2)http://forum.drweb.com 3)http://forum.eset,com 4)www.forospyware.com
As you see- we trust their training, only we have special equipment(cryptor.exe and decryptor.exe) and only here you will get an unforgettable knowledge!
The lesson costs not expensive. Calculate the time and money you spend on recovery. Time is very expensive, almost priceless.We think that it is cheaper to pay for the lesson and never repeat the mistakes.We guarantee delivery of educational benefits(decryptor.exe). First part(cryptor.exe) you have received :-)
SERIOUSLY
Your important files (photos, videos, documents, archives, databases, backups, etc.) which were crypted with the strongest military cipher RSA1024 and AES.No one can`t help you to restore files without our decoder. Photorec, RannohDecryptor etc repair tools are useless and can destroy your files irreversibly.
If you want to restore files - send e-mail to [email protected] with the file "how to get data.txt" and 1-2 encrypted files less than 5 MB. PLEASE USE PUBLIC MAIL LIKE YAHOO or GMAIL.
You will receive decrypted samples and our conditions how you`ll get the decoder. Follow the instructions to send payment.
P.S. Remember, we are not scammers. We don`t need your files. After one month all your files and keys will be deleted.Oops!Just send a request immediately after infection. All data will be restored absolutelly. Your warranty - decrypted samples and positive feedbacks from previous users.
====================
43E498C330E641AE01D50FBAD5405BA3BCE55EB1B3BFAB73EA880E657A6806E2
B58142780B2BC749AAA28C94BF92C80B8025E0346F222CEABC9BBE35DBB62138
3CA27E1002D466A6CA1A24033FB144D712D12D250A89751E1976DBBCA4517D84
9DB2ADC11A61EAB3129BE455A4613D04116B2A33422A01EB756DE3DCBE822373
155D5E5D3095C206F1A8D828E302553408030BCC7DC1B63895F8AB959881A4FD
====================
Detection of the observed sample (VirusTotal):
SHA256: 7f767c06208c5c5db65678ee62e9c0ef70f79e7db8a429d1780064e06548a8ae
File name: ysydol.xex
Detection ratio: 16 / 54
Analysis date: 2016-01-19 15:29:47 UTC
Antivirus            Result                                     Updated
AVG                  Dropper.Generic_c.ATDF                     20160119
Avast                Win32:Malware-gen                          20160119
Avira                TR/Dropper.Gen                             20160119
Bkav                 W32.HfsAtITPSINF.802C                      20160119
CMC                  Trojan.Win32.Generic!O                     20160111
Cyren                W32/GenBl.60AC2CAA!Olympus                 20160119
ESET-NOD32           a variant of Win32/Injector.Autoit.CAF     20160119
Ikarus               Trojan.Win32.Injector                      20160119
K7AntiVirus          Trojan ( 700000111 )                       20160119
K7GW                 Trojan ( 700000111 )                       20160119
Malwarebytes         Ransom.FileLocker.AI                       20160119
McAfee               Artemis!60AC2CAAA0DC                       20160119
McAfee-GW-Edition    BehavesLike.Win32.PWSZBot.hc               20160119
Microsoft            Ransom:Win32/Fortrypt.A                    20160119
Qihoo-360            HEUR/QVM11.1.Malware.Gen                   20160119
Rising               PE:Malware.Generic/QRS!1.9E2D [F]          20160119
The ransomware is launched by a simple shortcut in the Startup folder (FRST log lines):
ShortcutTarget: Windows.lnk -> C:\Users\VincentPC\AppData\Roaming\ysydol\ysydol.exe ()
2016-01-19 16:38 - 2016-01-19 16:39 - 00000000 ____D C:\Users\VincentPC\AppData\Roaming\ysydol
2016-01-19 16:37 - 2016-01-18 18:27 - 00585640 _____ C:\Users\VincentPC\Desktop\60ac2caaa0dc170892a54b4f9e1a0eab.zip.LOL!
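The three FRST lines above contain the whole infection chain on the workstation: a Startup shortcut pointing into AppData\Roaming, the directory created for the payload, and an encrypted file carrying the .LOL! extension. The following script, added here as an example and not part of the original post or of any FRST tooling, parses FRST-style output and flags those artefacts. The input list is constructed: the first three lines are the ones quoted on this page, the rest are benign entries so the filter has something to ignore. The "user-writable directory" list and the correlation of a directory entry with a flagged shortcut target are the author's assumptions about what is worth raising, not rules the page states.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed input (not a real log): the first three lines are the FRST lines quoted on
# this page; the last three are benign entries added so the filter has something to ignore.
FRST_LINES = [
    r"ShortcutTarget: Windows.lnk -> C:\Users\VincentPC\AppData\Roaming\ysydol\ysydol.exe ()",
    r"2016-01-19 16:38 - 2016-01-19 16:39 - 00000000 ____D C:\Users\VincentPC\AppData\Roaming\ysydol",
    r"2016-01-19 16:37 - 2016-01-18 18:27 - 00585640 _____ C:\Users\VincentPC\Desktop\60ac2caaa0dc170892a54b4f9e1a0eab.zip.LOL!",
    r"ShortcutTarget: OneNote.lnk -> C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (Microsoft Corporation)",
    r"2016-01-19 16:30 - 2016-01-19 16:30 - 00001024 _____ C:\Users\VincentPC\Desktop\notes.txt",
    r"2016-01-19 16:40 - 2016-01-19 16:40 - 00002048 _____ C:\Users\VincentPC\Documents\how to get data.txt",
]

# FRST prints Startup-folder shortcuts as "ShortcutTarget: <lnk> -> <target> (<company name>)".
SHORTCUT_RE = re.compile(r"^ShortcutTarget: (?P<lnk>.+?) -> (?P<target>.+?) \((?P<publisher>.*)\)$")
# File entries: "<created> - <modified> - <size> <attrs> <path>"; attrs is "____D" for a directory.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>_{5}|____D) (?P<path>.+)$"
)
# Assumption: locations a standard user can write to; legitimate Startup entries rarely run from here.
USER_WRITABLE_RE = re.compile(r"\\(AppData\\(Roaming|Local)|Temp|ProgramData|Public)\\", re.IGNORECASE)
RANSOM_EXT_RE = re.compile(r"\.(LOL|OMG)!$", re.IGNORECASE)  # the two extensions named on this page
RANSOM_NOTE_NAME = "how to get data.txt"                     # ransom note file name from this page


@dataclass
class Finding:
    line: str
    reason: str


def triage(lines: Iterable[str]) -> List[Finding]:
    """Flag FRST lines matching this ransomware's persistence and encryption artefacts."""
    parsed = [line.rstrip("\r\n") for line in lines]
    findings: List[Finding] = []
    suspicious_dirs = set()  # parent directories of flagged shortcut targets, lower-cased

    # Pass 1: Startup shortcuts whose target lives in a user-writable directory or has no company name.
    for line in parsed:
        m = SHORTCUT_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if USER_WRITABLE_RE.search(target):
            findings.append(Finding(line, f"startup shortcut {m.group('lnk')} runs {target} from a user-writable directory"))
            suspicious_dirs.add(target.rsplit("\\", 1)[0].lower())
        elif not m.group("publisher"):
            findings.append(Finding(line, f"startup shortcut {m.group('lnk')} runs {target}, which carries no company name"))

    # Pass 2: encrypted files, the ransom note, and the directory created for a flagged payload.
    for line in parsed:
        m = FILE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        name = path.rsplit("\\", 1)[-1]
        if RANSOM_EXT_RE.search(name):
            findings.append(Finding(line, f"file carries the ransomware extension: {path}"))
        elif name.lower() == RANSOM_NOTE_NAME:
            findings.append(Finding(line, f"ransom note dropped: {path}"))
        elif m.group("attrs") == "____D" and path.lower() in suspicious_dirs:
            findings.append(Finding(line, f"directory holding the startup-shortcut payload: {path}"))
    return findings


if __name__ == "__main__":
    for f in triage(FRST_LINES):
        print(f"[!] {f.reason}")
```

On the constructed input the script raises four findings (the shortcut, the ysydol directory, the .LOL! file and the note) and ignores the OneNote shortcut and notes.txt. The directory is only reported because it is the parent of a flagged shortcut target; flagging every directory under AppData would drown the result in noise.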
Securing your Windows
To harden Windows against ransomware and other known threats, follow the Windows hardening tutorial:
=> Sécuriser son Windows.
Given how this attack starts, the company network should also be secured by:
- using strong passwords;
- not exposing TSE (Terminal Services) or any other RDP endpoint directly to the internet.
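The entry point described at the top of this page, an RDP brute force followed by a successful logon, leaves a very recognisable trace in the Windows Security log: a burst of 4625 (failed logon) events from one source address, then a 4624 with LogonType 10 (RemoteInteractive) from the same address. The detector below, an added example that is not part of the original post, runs that logic over a constructed export of Security events (not real data). The field layout, the 5-failures-in-5-minutes threshold and the choice to count LogonType 3 as well as 10 (with Network Level Authentication enabled, failed RDP attempts are logged with LogonType 3 because authentication happens before a session is created) are the author's assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample (not a real export): one Security-log event per line with the fields
# time, EventID, LogonType, TargetUserName, IpAddress. 198.51.100.23 plays the attacker;
# the other addresses are ordinary users. Deliberately not in chronological order.
EVENTS = """\
2016-01-19 15:20:01 4625 3 administrateur 198.51.100.23
2016-01-19 15:00:10 4625 10 jdupont 192.0.2.10
2016-01-19 15:20:03 4625 3 administrator 198.51.100.23
2016-01-19 15:01:02 4625 10 jdupont 192.0.2.10
2016-01-19 15:02:15 4624 10 jdupont 192.0.2.10
2016-01-19 15:05:00 4625 3 admin 203.0.113.7
2016-01-19 15:20:05 4625 3 admin 198.51.100.23
2016-01-19 15:20:08 4625 3 backup 198.51.100.23
2016-01-19 15:20:11 4625 3 administrator 198.51.100.23
2016-01-19 15:20:14 4625 3 administrator 198.51.100.23
2016-01-19 15:21:05 4624 10 administrator 198.51.100.23
2016-01-19 16:30:00 4625 3 admin 203.0.113.7
2016-01-19 18:00:00 4625 3 admin 203.0.113.7
"""

# LogonType 10 = RemoteInteractive (RDP). With NLA enabled, failed RDP attempts are logged as
# LogonType 3 (Network) instead, so failures of either type are counted (assumption, see lead-in).
RDP_LOGON_TYPES = (3, 10)


@dataclass
class Alert:
    kind: str
    ip: str
    when: datetime
    detail: str


def detect(text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Raise an alert when one source IP accumulates `threshold` failed logons within `window`,
    and a second alert if that IP then obtains an interactive RDP session (4624 / LogonType 10)."""
    events = []
    for line in text.strip().splitlines():
        date, time, event_id, logon_type, user, ip = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), int(event_id), int(logon_type), user, ip))
    events.sort(key=lambda e: e[0])  # exports are not guaranteed to be ordered

    failures = defaultdict(deque)  # ip -> sliding window of (time, user) failures
    flagged = set()                # ips already reported as brute-forcing
    alerts: List[Alert] = []
    for when, event_id, logon_type, user, ip in events:
        if logon_type not in RDP_LOGON_TYPES:
            continue
        if event_id == 4625:
            q = failures[ip]
            q.append((when, user))
            while q and when - q[0][0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                users = sorted({u for _, u in q})
                alerts.append(Alert("rdp_bruteforce", ip, when,
                                    f"{len(q)} failed logons within {window} against {users}"))
        elif event_id == 4624 and logon_type == 10 and ip in flagged:
            # The brute force paid off: this is the foothold from which the file server gets hit.
            alerts.append(Alert("rdp_bruteforce_success", ip, when,
                                f"interactive RDP logon as {user} after brute force"))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a.when} {a.kind} {a.ip}: {a.detail}")
```

On the sample this yields two alerts for 198.51.100.23 (the brute force at 15:20:11, the successful logon at 15:21:05) and nothing for the user who mistyped a password twice or for the address whose three failures are hours apart. LogonType 3 also covers SMB and other network logons, so on a busy file server the threshold should be tuned or the source restricted to the RDP listener. When the second alert fires, the host is already in the position described at the top of this page, and the fix is the one listed above: strong passwords, an account lockout policy, and no RDP reachable from the internet.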