A new sample was released today courtesy of http://www.pcapanalysis.com which can be located at the reference linked at the bottom. The ransomware is currently being distributed mostly via malspam campaigns but was also observed being served up by the lord exploit kit and links were found posted on hacked wordpress sites and forums for drive-by-download watering hole style attacks.
What makes the crimeware profiteers so hard to stop from this ransomware attack is that they are using burner e-mail addresses and dynamic DNS which they can create and destroy on the fly to deliver their malicious executable. Let’s not forget that they are also not generating any network traffic other than utilizing Google’s own services to track successful installations and metrics and the only trace back to them looking at network traffic would be the original download or vector.
After you have downloaded the word document or PDF executing the word document a series of powershell commands download the latest binary that the crimeware actors scan daily after making changes to it on VirusTotal to see what the detection rate is. Below is an image of what an infected user will see after this occurs. There is an e-mail and a bitcoin address as identifying marks. See below:
The e-mail address is listed as firstname.lastname@example.org and it was using the domain name service-updater[.]hopto[.]org with an IP address resolving to 126.96.36.199 with a network whois:
Network Whois record
Queried whois.afrinic.net with “188.8.131.52“…
% Note: this output has been filtered. % To receive output for a database update, use the "-B" flag. % Information related to '184.108.40.206 - 220.127.116.11' % No abuse contact registered for 18.104.22.168 - 22.214.171.124 inetnum: 126.96.36.199 - 188.8.131.52 netname: Oran descr: Residentiel country: DZ admin-c: SD6-AFRINIC tech-c: SD6-AFRINIC status: ASSIGNED PA mnt-by: DJAWEB-MNT source: AFRINIC # Filtered parent: 184.108.40.206 - 220.127.116.11 person: Security Departement address: Alger phone: tel:+213-21-91-12-24 fax-no: tel:+213-21-91-12-08 nic-hdl: SD6-AFRINIC mnt-by: GENERATED-IRIXFFLWUREDGEB9HMRODGUJH3OJCIPE-MNT source: AFRINIC # Filtered % Information related to '18.104.22.168/12AS36947' route: 22.214.171.124/12 descr: Algerie Telecom origin: AS36947 mnt-by: DJAWEB-MNT source: AFRINIC # Filtered
So not a lot to go on, just because that large IP block is owned by Algerie Telecom doesn’t mean they are behind the crimeware or involved in anyway.
Disable macros on your Microsoft Office products, never open suspicious e-mails, block dynamic DNS completely