AhnLab SEcurity intelligence Center (ASEC) has confirmed that CryptoWire ransomware, which is built on open-source code and was widely seen in 2018, is currently being distributed again.
CryptoWire ransomware is mainly distributed through phishing emails and is characterized by being written as an AutoIt script.
Main functions
The ransomware copies itself to the “C:\Program Files\Common Files” path and registers a scheduled task to maintain persistence.
To extend file encryption beyond the local host, it enumerates the locally connected network environment, saves the result as domaincheck.txt on the desktop, and looks up the accounts created on the system.
It also deletes the Recycle Bin contents and the Volume Shadow Copies to prevent recovery.
Encrypted files are named [original file name].encrypted.[original extension], and a window pops up demanding that the victim purchase a decryption key to recover the files.
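As an added example (not code from the ASEC report), the following Python script triages a list of file paths for the host artifacts described above: the [name].encrypted.[ext] naming pattern, domaincheck.txt on the desktop, and an executable dropped directly into the Common Files path. The sample paths and the executable name update.exe are constructed, and the Common Files check is a heuristic assumption, since the report does not name the dropped file.

```python
import os
import re
from typing import Iterable, Optional

# CryptoWire renames each victim file to [original name].encrypted.[original extension].
# The greedy stem makes a multi-dot name ("q1.final.xlsx") resolve at the last
# ".encrypted." marker; a bare "*.encrypted" with no trailing extension does not match.
ENCRYPTED_NAME = re.compile(r"^(?P<stem>.+)\.encrypted\.(?P<ext>[^.\\/]+)$")
COMMON_FILES = r"c:\program files\common files"

def original_name(filename: str) -> Optional[str]:
    """Return the pre-encryption file name, or None if the name does not match."""
    m = ENCRYPTED_NAME.match(filename)
    return f"{m.group('stem')}.{m.group('ext')}" if m else None

def triage(paths: Iterable[str]) -> dict:
    """Classify Windows paths by the three artifacts the report describes."""
    report = {"encrypted": {}, "domaincheck": [], "common_files_copies": []}
    for p in paths:
        norm = p.replace("/", "\\")
        head, _, name = norm.rpartition("\\")
        orig = original_name(name)
        if orig:
            report["encrypted"][norm] = orig
        if name.lower() == "domaincheck.txt" and head.lower().endswith("\\desktop"):
            report["domaincheck"].append(norm)
        # Heuristic (assumption): an .exe directly in the Common Files root, not a vendor subfolder.
        if head.lower() == COMMON_FILES and name.lower().endswith(".exe"):
            report["common_files_copies"].append(norm)
    return report

def scan_tree(root: str) -> dict:
    """Walk a real directory tree and run the same triage over every file path."""
    found = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(found)

# Constructed sample listing standing in for an infected host; update.exe is a made-up name.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\q1.final.encrypted.xlsx",
    r"C:\Users\alice\Documents\notes.encrypted.txt",
    r"C:\Users\alice\Documents\untouched.docx",
    r"C:\Users\alice\Documents\readme.encrypted",
    r"C:\Users\alice\Desktop\domaincheck.txt",
    r"C:\Program Files\Common Files\update.exe",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS).items():
        print(key, value)
```

Run scan_tree() against a mounted image of a suspect host to apply the same checks to a real file system.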
A distinctive characteristic of this ransomware is that the decryption key can be recovered. One variant embeds the decryption key in the AutoIt script itself, as shown in [Figure 8]; another sends the decryption key together with information about the infected system to the attacker’s server, as shown in [Figure 9].
Ransomware whose decryption key can be recovered is uncommon, and decryption is generally very difficult, so users should be careful not to execute files from unknown sources. Suspicious files should be scanned with antivirus software, and the antivirus should be kept up to date.
[File Diagnosis]
– Trojan/Win.Kryptik.C5576563 (2024.01.20.00)
– Ransomware/Win.bcdedit.C5590639 (2024.02.20.00)
[Behavior Diagnosis]
– Malware/MDP.Ransom.M1171
[IoC]
MD5
– cd4a0b371cd7dc9dab6b442b0583550c
– a410d4535409a379fbda5bb5c32f6c9c
C2
– hxxp://194.156.98[.]51/bot/log.php