Category Archives: Ransomware

Not a fashion famous brand. Hermes ransomware, the predecessor to Ryuk. NCSC Releases Advisory on Ryuk Ransomware.

Preface: The NCSC is investigating current Ryuk ransomware campaigns targeting organisations globally, including in the UK. In some cases, Emotet and Trickbot infections have also been identified on networks targeted by Ryuk.

Technical details: Ryuk was first seen in August 2018. The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months.Ryuk ransomware linked to Emotet and Trickbot banking trojans.
– The objective of Emotet conduct as a dropper feature in order to delivery for other Trojans.
– Trickbot aim to browser as a attack target, the aim to do manipulation techniques to facilitate data theft.
The structure of the encrypted file is identical to the structure used in Hermes Ransomware, including the distinctive HERMES token that this malware uses to identify files that it has already encrypted.

Remark: Cyber Criminals distributing Hermes Ransomware via dangerous malspam that contains Weaponized Password protected Word documents to encrypt the system files and lock the victim’s computer.

The pre-operation of Ryuk ransomware on infected computers:

  • Volume Shadow Server & Backup Kill
  • Installed lang check:
    0419 (Russia)
    0422 (Ukrainian)
    0423 (Belarusian)
  • Arp Blaclklist check
  • GetComputerName check
  • Process kill

Advisory report for download –

US-CERT Ransomware Guidance – 2018

An article issued by US-CERT with subject. Protecting Your Networks from Ransomware. Their aim is going to provide a guidance to fight against ransomware. Before you read the articles. There are few slogans are able to enhance your data protection framework. For instance:

1. Ransomware and Phishing Work Together

2. For whom who visiting online Gaming zone and Pornography web site in frequent are easy for encounter ransomware attack.

In order to avoid similar of cyber attack, enhance your awareness is the first priority. For more details, please refer below url for reference.

Protecting Your Networks from Ransomware:

Threat actor intend to stop your antivirus program – 2018

Just heard that there is a new attack method use by ransomware. The malware intend to stop and disable your workstation antivirus process. Since no antivirus protection, threat actor is free to do their task. Perhaps the defense vendor pay the focus on Ring 0 attack (kernel). Meanwhile new generation AV software implement behavioral detection analysis. So is there any space for threat actor?Yes, the ring 3 looks provides space to threat actor. They may find a way to evade the detection.

For instance:

  1. List all loaded DLL libraries in current process.
  2. Find entry-point address of every imported API function of each DLL library.
  3. Remove the injected hook JMP instruction by replacing it with the API’s original bytes.

Should you have interest to receive a high level understanding, please refer above diagram for reference.

Remediation step – Saturn Ransomware


Can we saying this? it is Google Adwords design flaw? It lure the threat actors go through this service to spread malware from Google search engine.

Quick note:

Saturn ransomware found this month (Feb 2018). It looks strange that attack victim only on physical machine instead of Virtual Machine. Why? Does the threat actor concern about VMware or HyperV have quick data recovery by Snap shot backup? Security expert found the following hints:

Saturn will execute the following commands to delete shadow volume copies, disable Windows startup repair, and to clear the Windows backup catalog.

cmd.exe /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Perhaps hacker understand that doing ransomware targeting home user will be easier. May be enpterprise firm or cloud services provider contains full scope of SIEM system. As such, forensic investigator can be tracing them. Or this is a prototype may be there is another round of attack later on.

Status updated – 19th Feb 2018

20 antivirus engines detected this ransomware. Hash shown as below:


Anyway IT world do not have key words so called permanent solution. In the mean time. The action we can execute is doing the remediation.

Step 1: Start PC in Safe Mode

Through the F8 key (for Windows 7/Vista)

  1. Once the computer is restarted (usually after you hear the first computer beep), continuously tap the F8 key in 1 second intervals. If successful, the Advanced Boot Options menu will appear.
  2. Use the arrow keys to select Safe Mode and press ENTER.

For windows 10

Use the “Shift + Restart” combination. Another way of getting into Safe Mode in Windows 10 is to use the Shift + Restart combination. Open the Start menu and click or tap on the Power button. Then, while keeping the Shift key pressed, click or tap on Restart.

Step 2: Stop Saturn Processes From Windows Task Manager

Step 3: Remove Saturn Ransomware from Control Panel

Procedure 1:

Procedure 2:

Procedure 3:

Main body of the Saturn Ransomware relies browser to work and hide himself in web browser. So we require to uninstall the web browser:

Remark: We are not allow to uninstall or delete Internet Explorer from Windows 7, 8 and 10 and therefore we are going to delete the additional web browser. Since Saturn ransomware relies on web browser for operation.

Step 4: remove Malicious Registry Entries Created by Saturn Ransomware

Step 5: Remove Saturn Ransomware From Infected Internet Explorer

Take Down Saturn Ransomware From Internet Explorer. Open IE and click on Gear Icon from right-top corner in order to open the Tools. Tap on Manage Add-ons option.

Step 6: Reset Internet Explorer Settings

Open IE and click on Tools menu and then select Internet options.

Step 7: Download decryption tool

The decryption tool will not run if:

  • It can’t find a valid ransom note
  • It cannot find a valid encrypted file (i.e a file that is not corrupted)
  • It can’t decrypt the User ID field in the ransom note

End, Thank you.

Additional comment: New ransomware nickname Saturn was born this month. This ransomware provides a hints to me that it is the 1st phase of attack. Or it is a prototype. Perhaps we seen cyber attack, virus, malware and ransomware daily. The cyber world added one more member of bad guy we could not surprised!