Nuke ransomware, first identified in 2016, encrypts files with an AES 256-bit key that is protected by asymmetrically encrypting it with 2048-bit RSA. Once a file is encrypted, Nuke changes the file name to a combination of random characters followed by a ".nuclear55" extension. For example, an infected file name might be "ab0a+afbamcdEcmf.nuclear55".

Once Nuke executes it drops two files to the desktop: !!_RECOVERY_instructions_!!.html and !!_RECOVERY_instructions_!!.txt. The files inform the victim of the infection and provide details on how to pay the ransom. Nuke also changes the desktop wallpaper to alert the user to the infection.

The BlackBerry Cylance Threat Research team recently analyzed a Nuke sample as part of our ongoing effort to inform the public about modern threats.

The Nuke sample we analyzed hides itself by using an Adobe icon and displaying itself with the file name (and description) 'Adobe Reader':

Figure 1: File displaying itself as Adobe Reader

The malware creates persistence by modifying registry keys to ensure it automatically runs at startup:

Figure 2: Modifying registry keys to ensure malware runs automatically at system startup

File encryption is performed using standard AES and RSA encryption schemes. First, file bytes are symmetrically encrypted using an AES 256 key generated specifically for the victim's machine. Next, the AES 256 key is asymmetrically encrypted using the attacker's public RSA key and the result is appended to the encrypted file bytes. To decrypt the files, the RSA private key is required, which the attacker promises to supply to the victim once the ransom has been paid. Because that private key never exists on the victim's machine, there is nothing to carve out of memory or disk after the fact; the only local recovery paths are backups and volume shadow copies, which is why the malware goes after those next.

Once a file is encrypted its file name changes to a combination of random characters followed by the '.nuclear55' extension:

Figure 3: File changes file name to random characters and appends '.nuclear55' extension

Post-encryption, Nuke drops the file desktop_wallpaper.bmp and sets it as the victim's desktop wallpaper:

Figure 4: Malware drops the file 'desktop_wallpaper.bmp'

The wallpaper alerts the victim that their files have been encrypted (see Figure 5). It displays information about what type of encryption was used and provides instructions on how to recover the files. Victims are warned that the encryption key required to decrypt the files will be deleted after 96 hours. Users are instructed to send an email to 'opengatesindiacom' to receive further information on recovering their files:

Figure 5: This is set as the victim's desktop wallpaper post encryption of files

Nuke uses vssadmin to delete volume shadow copies with the command "vssadmin delete shadows /all /quiet". With the shadow copies gone, the Windows Previous Versions and System Restore recovery options have nothing to restore, so users cannot roll back to pre-encryption copies of their files. Using vssadmin to deny victims this recovery path is a common ransomware tactic. This has led some users to rename the vssadmin tool, causing ransomware calls to the tool to fail; by foiling malware calls to vssadmin, users can preserve access to their shadow-copy backups. Renaming a protected system binary is a brittle control, however: it also breaks legitimate backup software that depends on vssadmin, and a later System File Checker run or servicing update can restore the original. Alerting on the "delete shadows" command line and keeping offline backups are more durable defenses.

Figure 6: Uses vssadmin to delete shadow copy

Once the encryption is complete, Nuke drops two files to the victim's desktop and launches them. The files are "!!_RECOVERY_instructions_!!.html" and "!!_RECOVERY_instructions_!!.txt" (see Figure 7 and Figure 8). These two files give the victim detailed information on what has happened and instructions on what to do next. Directions on how to obtain bitcoin and a bitcoin address for paying the ransom are also provided:

Figure 7: !!_RECOVERY_instructions_!!.html

Figure 8: !!_RECOVERY_instructions_!!.txt

Conclusion

Innovative threat actors are working hard to ensure that Nuke and other ransomware remain a threat to organizations worldwide.
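The hybrid scheme described in the analysis above (a per-victim AES-256 key, wrapped with the attacker's RSA-2048 public key and appended to the encrypted file bytes), reproduced here as an added example in Go. This is neither Nuke's code nor BlackBerry Cylance's; the on-disk layout, the choice of AES-GCM and OAEP padding, and the use of a fresh random key per call (standing in for Nuke's per-machine key) are assumptions the page does not state. The point it makes concrete is that only the RSA private key unlocks a file, and that key never touches the victim's machine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Assumed layout of one encrypted file (Nuke's real layout is not on the page):
//   nonce (12 B) || AES-256-GCM ciphertext+tag || RSA-OAEP(AES key)
// The wrapped key is always pub.Size() bytes (256 for RSA-2048), so it can be
// sliced off the end without a length field.

// newFileKey stands in for Nuke's per-victim AES-256 key; here it is random.
func newFileKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile is the attacker-side step: encrypt the file bytes with AES,
// wrap the AES key with the attacker's RSA public key, append the wrapped key.
func EncryptFile(plain []byte, pub *rsa.PublicKey) ([]byte, error) {
	key, err := newFileKey()
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := aead.Seal(nonce, nonce, plain, nil) // nonce || ciphertext || tag
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return append(out, wrapped...), nil
}

// DecryptFile is the step the victim cannot perform: the AES key can only be
// unwrapped with the attacker's RSA private key.
func DecryptFile(blob []byte, priv *rsa.PrivateKey) ([]byte, error) {
	n := priv.Size()
	if len(blob) < n+12+16 { // wrapped key + nonce + GCM tag
		return nil, errors.New("blob too short to hold nonce, tag and wrapped key")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[len(blob)-n:], nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	body := blob[:len(blob)-n]
	ns := aead.NonceSize()
	return aead.Open(nil, body[:ns], body[ns:], nil)
}

func main() {
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc := []byte("constructed sample document contents") // constructed input
	blob, err := EncryptFile(doc, &attacker.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted %d B -> %d B (RSA trailer %d B)\n", len(doc), len(blob), attacker.Size())
	back, err := DecryptFile(blob, attacker)
	fmt.Println("attacker's private key recovers file:", err == nil && bytes.Equal(back, doc))
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = DecryptFile(blob, other)
	fmt.Println("any other key fails:", err != nil)
}
```

Note that the victim's file carries the wrapped key but nothing that can unwrap it; a "decryptor" only becomes possible if the private key is leaked, recovered from attacker infrastructure, or the sample turns out to use a flawed key-generation or wrapping step.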
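Detection logic for the behaviours the analysis calls out (the "vssadmin delete shadows /all /quiet" command line, the ".nuclear55" extension and the two ransom-note file names), as an added example in Go that is not part of the original post. The event record shapes, host names and paths are constructed here, modelled loosely on Sysmon process-creation and file-creation events; the rule matches on the vssadmin arguments rather than the binary name, which matters precisely because, as noted above, vssadmin can be renamed or copied.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcEvent and FileEvent are minimal records of the kind a SIEM ingests from
// Sysmon (Event ID 1 process creation, Event ID 11 file creation) or Windows
// Security Event 4688. Both shapes are constructed for this example.
type ProcEvent struct{ Host, Image, CommandLine string }
type FileEvent struct{ Host, Path string }

// Nuke runs "vssadmin delete shadows /all /quiet". The match keys on the
// arguments rather than the image name: copying or renaming vssadmin.exe
// changes the image but not "delete shadows". Case-insensitive and tolerant of
// extra whitespace and switch variants (/all, /for=C:, /quiet).
var shadowDeleteRe = regexp.MustCompile(`(?i)\bdelete\s+shadows\b`)

// File artefacts named in the analysis: the appended extension and the two
// ransom notes dropped to the desktop.
const nukeExt = ".nuclear55"

var ransomNotes = map[string]bool{
	"!!_recovery_instructions_!!.html": true,
	"!!_recovery_instructions_!!.txt":  true,
}

func IsShadowCopyDeletion(cmdline string) bool {
	return shadowDeleteRe.MatchString(cmdline)
}

// baseName splits on both separators; filepath.Base would not split on '\'
// when this runs on a non-Windows analysis host.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

func IsNukeFileArtefact(path string) bool {
	b := strings.ToLower(baseName(path))
	return strings.HasSuffix(b, nukeExt) || ransomNotes[b]
}

// Scan returns one alert line per matching event.
func Scan(procs []ProcEvent, files []FileEvent) []string {
	var alerts []string
	for _, e := range procs {
		if IsShadowCopyDeletion(e.CommandLine) {
			alerts = append(alerts, fmt.Sprintf("%s: shadow copy deletion by %s: %s", e.Host, e.Image, e.CommandLine))
		}
	}
	for _, f := range files {
		if IsNukeFileArtefact(f.Path) {
			alerts = append(alerts, fmt.Sprintf("%s: Nuke file artefact: %s", f.Host, f.Path))
		}
	}
	return alerts
}

// SampleAlerts runs Scan over constructed events: the exact documented
// command, a benign "list shadows", a deletion via a renamed copy of vssadmin,
// a process with no arguments, and three file events of which two are artefacts.
func SampleAlerts() []string {
	procs := []ProcEvent{
		{"WS01", `C:\Windows\System32\vssadmin.exe`, `vssadmin.exe delete shadows /all /quiet`},
		{"WS01", `C:\Windows\System32\vssadmin.exe`, `vssadmin.exe list shadows`},
		{"WS02", `C:\Users\Public\vss2.exe`, `C:\Users\Public\vss2.exe  Delete   Shadows /For=C: /Quiet`},
		{"WS02", `C:\Users\Public\Adobe Reader.exe`, `"C:\Users\Public\Adobe Reader.exe"`},
	}
	files := []FileEvent{
		{"WS01", `C:\Users\victim\Documents\ab0a+afbamcdEcmf.nuclear55`},
		{"WS01", `C:\Users\victim\Desktop\!!_RECOVERY_instructions_!!.html`},
		{"WS01", `C:\Users\victim\Desktop\report.docx`},
	}
	return Scan(procs, files)
}

func main() {
	for _, a := range SampleAlerts() {
		fmt.Println(a)
	}
}
```

In production the shadow-copy rule should fire on any "delete shadows" invocation regardless of the image path, then be triaged by parent process: a backup agent or an administrator's console is expected, a process posing as "Adobe Reader" launched from a user profile is not.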