Category Archives: Ransomware

Just heard Whirlpool hit in Nefilim ransomware attack (28th Dec 2020)

Preface: Have you ever wondered about this? Tools such as Mimikatz and PsExec.exe are detected by antivirus, so how does ransomware disable the antivirus?

Technical reference: Malware can no longer disable Microsoft Defender via the Registry, which makes evading the defence mechanism harder. Yet ransomware still causes great damage; it has wreaked havoc on the digital world.

The most common ransomware attack vectors are:

  • Remote Desktop Protocol (RDP).
  • Email phishing.
  • Software vulnerabilities.
  • Malicious code hidden on a website.
  • Malicious email links.

How does ransomware disable antivirus?

By exploiting vulnerabilities in the operating system, software applications, etc. For more details, please refer to the attached diagram. In addition, attackers can exploit a vulnerability in a legitimate (.SYS) driver to gain kernel access. As a result, ransomware installs a legitimate but vulnerable driver and uses it to kill antivirus services.

Headline News: Home appliance giant Whirlpool hit in Nefilim ransomware attack –

Ransomware attacks have been raging recently. Victims include a famous watch manufacturer, banks, health services, etc. (30th Sep 2020)

Background: Cyber attacks are commonly based on vulnerabilities and user negligence. Ransomware relies on the same concept.

An example of ransomware today: the Conti and Ryuk code is similar. Conti uses a ransom note template similar to Ryuk's, and it appeared to be deploying the same TrickBot infrastructure. The attack campaigns send unsolicited emails that use social engineering techniques to lower the user's guard, so that the user downloads malware from a malicious website or is tricked into opening malware delivered as an attachment. Security experts noticed that the Conti ransomware has multiple anti-analysis features to slow detection and reverse engineering. Their method is VBA code that executes a multi-stage, heavily obfuscated PowerShell script in an attempt to evade AV and security solutions. Ransomware is one of the most troublesome forms of cyber attack. Perhaps the guideline below can enrich your related knowledge.
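The "VBA launches obfuscated PowerShell" stage described above leaves a recognisable trace in process-creation telemetry: a powershell.exe command line with a hidden window and a base64 -EncodedCommand blob. The following is an added example (not code from the original post or from any of the vendors it mentions) that decodes such a blob and counts common obfuscation indicators in the recovered script. The sample command line is constructed for the example: the encoded script is a harmless Get-Date call written in the concatenated-string style the post describes, and the indicator list is an assumption you would extend from your own detections.

```python
import base64
import re

# Constructed sample payload: a benign command written in the obfuscated style the
# post describes (Invoke-Expression on concatenated strings plus [char] casts).
# It is made up for this example and does nothing harmful.
PLAIN_SCRIPT = 'IEX ("Get-" + "Da" + "te"); $greet = [char]72 + [char]105'

# The same payload as a launcher would pass it: hidden window, no profile,
# base64 of the UTF-16LE script after -Enc.
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -W Hidden -Exec Bypass -Enc "
    + base64.b64encode(PLAIN_SCRIPT.encode("utf-16le")).decode("ascii")
)

# Obfuscation / staging indicators to count in the decoded script (assumed list).
INDICATORS = {
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "string_concat": re.compile(r'"[^"]*"\s*\+\s*"[^"]*"'),
    "char_cast": re.compile(r"\[char\]\s*\d+", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Net\.WebClient", re.I),
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAG = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I)


def extract_encoded(cmdline):
    """Return the base64 blob following -e/-enc/-EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded(blob):
    """-EncodedCommand payloads are UTF-16LE text, base64-encoded."""
    return base64.b64decode(blob).decode("utf-16le")


def score_obfuscation(script):
    """Count each indicator in the decoded script; 'total' sums them."""
    hits = {name: len(rx.findall(script)) for name, rx in INDICATORS.items()}
    hits["total"] = sum(hits.values())
    return hits


def analyze_cmdline(cmdline):
    """Decode an encoded PowerShell command line and score it."""
    result = {
        "encoded": False,
        "hidden_window": bool(HIDDEN_FLAG.search(cmdline)),
        "decoded": None,
        "hits": {},
    }
    blob = extract_encoded(cmdline)
    if blob is not None:
        result["encoded"] = True
        result["decoded"] = decode_encoded(blob)
        result["hits"] = score_obfuscation(result["decoded"])
    return result


if __name__ == "__main__":
    report = analyze_cmdline(SAMPLE_CMDLINE)
    print("decoded :", report["decoded"])
    print("hidden  :", report["hidden_window"])
    print("hits    :", report["hits"])
```

The decode step matters more than the indicator counts: the base64 blob itself never matches a string signature, so a rule that only inspects the raw command line sees nothing, while the decoded script exposes the IEX and concatenation patterns immediately.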

CISA and MS-ISAC Release the Prevention Best Practices –

Hong Kong Broadband Network customers, stay alert! 17th Feb 2020

Synopsis: Threat actors hide their email phishing packages anywhere. As we commonly know, email phishing scams leave a wide footprint. But the blacklisted domain names and content filtering functions set up by antivirus and anti-malware vendors have reduced the infection ratio of malware and ransomware. It looks as though the same idea for hunting cyber victims is still valid. In my observation, attackers sometimes reuse their technique. This time they store the trap on a social media website. The scam that mimics Hong Kong Broadband's lucky draw online programme has awakened again. I found similar activities yesterday (16th Feb 2020). In the VirusTotal repository only one cybersecurity vendor has detected a similar record type, which means it can escape your defense solution.

For more detail, please refer to the announcement by HKBN in the past.

About Emotet malware (2019)

Preface: Emotet malware was found in 2015, but it is still aggressive nowadays. This shows that it is a long-lived cyber attack product.

Details: The Australian Cyber Security Centre (ACSC) released an advisory that Emotet malware is spreading rapidly. The Emotet malware is distributed mostly by means of phishing emails that contain either links to malicious sites or malicious attachments.
Emotet is a polymorphic design: its polymorphic engine mutates different values and operations. From observation, it now links with ransomware.
The shape-shifting of Emotet more or less proves that its design is equivalent to a cyber weapon. It provides the functions for infiltration and, after finishing its mission, can hand over to ransomware. Such a design can hinder the validations conducted by forensic investigators.

For more details, please refer to the ACSC announcement.

Not the famous fashion brand: Hermes ransomware, the predecessor to Ryuk. NCSC Releases Advisory on Ryuk Ransomware.

Preface: The NCSC is investigating current Ryuk ransomware campaigns targeting organisations globally, including in the UK. In some cases, Emotet and Trickbot infections have also been identified on networks targeted by Ryuk.

Technical details: Ryuk was first seen in August 2018. The Ryuk ransomware is often not observed until a period of time after the initial infection, ranging from days to months. Ryuk ransomware is linked to the Emotet and Trickbot banking trojans.
– Emotet acts as a dropper in order to deliver other Trojans.
– Trickbot targets the browser, using manipulation techniques to facilitate data theft.
The structure of the encrypted file is identical to the structure used in Hermes ransomware, including the distinctive HERMES token that this malware uses to identify files it has already encrypted.

Remark: Cyber criminals distribute Hermes ransomware via dangerous malspam containing weaponized, password-protected Word documents, to encrypt the system files and lock the victim's computer.

The pre-operation steps of Ryuk ransomware on infected computers:

  • Volume Shadow Service & backup kill
  • Installed language check:
    0419 (Russian)
    0422 (Ukrainian)
    0423 (Belarusian)
  • ARP blacklist check
  • GetComputerName check
  • Process kill

Advisory report for download –

US-CERT Ransomware Guidance – 2018

An article issued by US-CERT with the subject "Protecting Your Networks from Ransomware" aims to provide guidance to fight against ransomware. Before you read the article, here are a few slogans that can enhance your data protection framework. For instance:

1. Ransomware and phishing work together.

2. Those who frequently visit online gaming zones and pornography websites are more likely to encounter ransomware attacks.

In order to avoid similar cyber attacks, enhancing your awareness is the first priority. For more details, please refer to the URL below.

Protecting Your Networks from Ransomware:

Threat actors intend to stop your antivirus program – 2018

Just heard that there is a new attack method used by ransomware. The malware intends to stop and disable your workstation's antivirus process. With no antivirus protection, the threat actor is free to carry out their task. Perhaps the defense vendors focus on Ring 0 (kernel) attacks. Meanwhile, new-generation AV software implements behavioral detection analysis. So is there any space left for the threat actor? Yes, Ring 3 (user mode) appears to provide space for the threat actor. They may find a way to evade the detection.

For instance:

  1. List all DLL libraries loaded in the current process.
  2. Find the entry-point address of every imported API function of each DLL.
  3. Remove the injected hook JMP instruction by replacing it with the API's original bytes.

Should you be interested in a high-level understanding, please refer to the diagram above.

Remediation steps – Saturn Ransomware

Can we say this? Is it a Google AdWords design flaw? It lets threat actors use this service to spread malware through the Google search engine.

Quick note:

Saturn ransomware was found this month (Feb 2018). It looks strange that it attacks victims only on physical machines instead of virtual machines. Why? Is the threat actor concerned that VMware or Hyper-V can recover data quickly from snapshot backups? Security experts found the following hints:

Saturn will execute the following commands to delete shadow volume copies, disable Windows startup repair, and clear the Windows backup catalog.

cmd.exe /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
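The command line above is the same backup-destruction step listed for Ryuk ("Volume Shadow Service & backup kill") and goes together with the antivirus-stopping behaviour described in the post from 2018. All of it shows up in process-creation telemetry, so it is a good place for a detection. The following is an added example (not code from the original post or from any product it mentions) that runs a few detection rules over Sysmon-style process-creation records and raises the severity when several tampering steps appear in one command or when the parent process lives in a user-writable folder. The log lines are constructed for the example; the rule patterns and the severity logic are assumptions to tune for your environment.

```python
import re

# Constructed Sysmon-style process-creation records (made up for this example,
# not real telemetry). One record per line; quoted values may contain spaces.
SAMPLE_LOG = r'''
EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet" ParentImage=C:\Users\alice\AppData\Local\Temp\invoice.exe User=LAB\alice
EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe list shadows" ParentImage=C:\Windows\System32\cmd.exe User=LAB\admin
EventID=1 Image=C:\Windows\System32\net.exe CommandLine="net stop WinDefend" ParentImage=C:\Users\alice\AppData\Local\Temp\invoice.exe User=LAB\alice
EventID=1 Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /enum" ParentImage=C:\Windows\System32\cmd.exe User=LAB\admin
'''

# Detection rules, evaluated in this order against the CommandLine field.
# WinDefend is the Microsoft Defender Antivirus service name; add your own
# vendor's service names to the av_service_stop alternation as needed.
RULES = [
    ("shadow_copy_delete",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("boot_recovery_disable",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\S+\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_catalog_delete",
     re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("av_service_stop",
     re.compile(r"(?:net|sc)(?:\.exe)?\s+stop\s+(?:windefend)\b", re.I)),
]

# A parent process in a user-writable location raises the severity (assumed heuristic).
USER_WRITABLE_PARENT = re.compile(r"\\(?:Temp|AppData|Downloads)\\", re.I)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Turn one key=value record into a dict; quoted values keep their spaces."""
    record = {}
    for m in FIELD.finditer(line):
        record[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return record


def evaluate(record):
    """Return the names of the rules whose pattern matches the command line."""
    cmd = record.get("CommandLine", "")
    return [name for name, rx in RULES if rx.search(cmd)]


def scan(log_text):
    """Scan a multi-line log; return one finding per record that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        hits = evaluate(rec)
        if not hits:
            continue
        parent = rec.get("ParentImage", "")
        # Several tampering steps chained in one command, or a parent dropped in a
        # user-writable path, is the ransomware precursor pattern the post describes.
        high = len(hits) >= 2 or bool(USER_WRITABLE_PARENT.search(parent))
        findings.append({
            "rules": hits,
            "severity": "high" if high else "medium",
            "user": rec.get("User", ""),
            "parent": parent,
            "command": rec.get("CommandLine", ""),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['user']} via {f['parent']}: {', '.join(f['rules'])}")
```

Note that "vssadmin list shadows" and "bcdedit /enum" are left alone: administrators run those routinely, and alerting on the tool name alone would bury the real signal, which is the delete/disable verbs chained together from a process that was just dropped into a Temp folder.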

Perhaps the hacker understands that ransomware targeting home users is easier. Enterprise firms or cloud service providers may run a full-scope SIEM system, so forensic investigators can trace them. Or this is a prototype and there may be another round of attacks later on.

Status updated – 19th Feb 2018

20 antivirus engines detected this ransomware. The hash is shown below:


Anyway, the IT world has no such thing as a "permanent solution". In the meantime, the action we can take is remediation.

Step 1: Start PC in Safe Mode

Through the F8 key (for Windows 7/Vista)

  1. Once the computer restarts (usually after you hear the first beep), tap the F8 key continuously at 1-second intervals. If successful, the Advanced Boot Options menu will appear.
  2. Use the arrow keys to select Safe Mode and press ENTER.

For Windows 10

Another way of getting into Safe Mode in Windows 10 is the "Shift + Restart" combination. Open the Start menu and click or tap the Power button. Then, while keeping the Shift key pressed, click or tap Restart.

Step 2: Stop Saturn Processes From Windows Task Manager

Step 3: Remove Saturn Ransomware from Control Panel

Procedure 1:

Procedure 2:

Procedure 3:

The main body of the Saturn ransomware relies on the browser to work and hides itself in the web browser, so we need to uninstall the web browser:

Remark: We are not allowed to uninstall or delete Internet Explorer from Windows 7, 8 and 10, and therefore we are going to delete the additional web browsers, since Saturn ransomware relies on a web browser for operation.

Step 4: Remove Malicious Registry Entries Created by Saturn Ransomware

Step 5: Remove Saturn Ransomware From Infected Internet Explorer

Take down Saturn ransomware from Internet Explorer. Open IE and click on the gear icon in the top-right corner in order to open Tools. Click on the Manage Add-ons option.

Step 6: Reset Internet Explorer Settings

Open IE, click on the Tools menu and then select Internet Options.

Step 7: Download decryption tool

The decryption tool will not run if:

  • It can't find a valid ransom note.
  • It can't find a valid encrypted file (i.e. a file that is not corrupted).
  • It can't decrypt the User ID field in the ransom note.

End. Thank you.

Additional comment: A new ransomware nicknamed Saturn was born this month. This ransomware gives me the hint that it is the first phase of an attack, or a prototype. We see cyber attacks, viruses, malware and ransomware daily; the cyber world has added one more bad guy, which should not surprise us!