A new ransomware developed by a Russian Cybercrime group known as Evil Corp. has targeted multiple enterprise networks in the US. This new ransomware uses a fake software update alert to trick its victims into downloading a malicious file. Once compromised, the attacker uses Cobalt Strike to steal credentials and escalate privileges enabling them to move across devices and to compromise security via legitimate tools like Powershell. The payload is successfully deployed using the PsExec tool then proceeds to encrypt the victim data and deletes the Windows shadow volume copies.
Indicators of Compromise
|SOLUTION MODULES||SOLUTION AVAILABLE||PATTERN BRANCH||RELEASE DATE||DETECTION/POLICY/RULES|
|PREDICTIVE LEARNING (TRENDX)||Yes||Troj.Win32.TRX.XXPE50FFF036|
|FILE DETECTION (VSAPI/SMART SCAN) AND ADVANCED THREAT SCAN ENGINE (ATSE)||Yes||SmartScan TBL Version: 20352.004.00|
Conventional OPR Version: 15.951.00
|2020-06-24 05:04 (UTC)|
15.951.00 released June 24, 2020, 20:22:20 (UTC)
|BEHAVIORAL MONITORING (AEGIS)||Yes||Threat Behavior Analysis|
|FILE DETECTION (VSAPI/SMART SCAN) AND ADVANCED THREAT SCAN ENGINE (ATSE)||Yes||SmartScan TBL Version: 20356.024.00|
Conventional OPR Version: 15.955.00
|Released around 2020-06-27 00:10 (UTC)|
Released June 26, 2020, 20:22:19 (UTC)
|FILE DETECTION (VSAPI/SMART SCAN) AND ADVANCED THREAT SCAN ENGINE (ATSE)||Yes||SmartScan TBL Version: 20354.011.00|
Conventional OPR Version: 15.953.00
|Released around 2020-06-25 12:24 (UTC)|
Released June 25, 2020, 20:22:20 (UTC)
Prevention and Containment
Containment is possible by installing a Trend Micro endpoint agent such as OfficeScan, Apex One, Deep Security, or Worry-Free Business Security, and configuring to best practices.
Make sure to configure your solutions to its best practice settings, making sure that the following key features are enabled for your Endpoint Security:
- Smart Scan – Threat patterns are stored in cloud and are updated every hour.
- Predictive Machine Learning – Proactive solution for threats that are not yet known to our patterns
- Behavior Monitoring – Monitors process activity for any malicious attempts to change critical settings and unauthorized file modification
- Agent Self Protection – If enabled and configured with a password, users and processes will not be able to make unauthorized changes to your security software.
Worry Free Business Security, Apex One, or Deep Security will be able to clean up the ransomware notes left.
File recovery is not possible post infection as after evaluating the threat, there is no known way to decrypt the files.
It is recommended to restore from back-up all encrypted files. One good safe computing practice is to ensure you have accurate back-ups of your files. The 3-2-1 principle should be in play: three copies, two different media, one separate location. Windows has a feature called Volume Shadow Copy that allows you to restore files to their previous state and is enabled by default.