Secrets Behind Ever101 Ransomware

June 22, 2021
https://profero.io/blog/secrets-behind-ever101-ransomware

A victim called the incident response teams of the Global Threat Center, reporting a seemingly new strain of ransomware. Upon investigation, we determined that the extension of the encrypted files was indeed new, but the malware showed significant similarities to several ransomware families, a combination that made attribution an interesting and difficult riddle. The attack's signature was a Music folder containing an arsenal of tools, which the malware dropped and executed on each of the encrypted machines. Throughout our investigation, we focused primarily on the toolset used by the threat actor, in order to build an in-depth profile of the incident in the hope of making an attribution. While many of the tools used by the threat actor were not custom, we were still able to assemble a provisional portfolio of tactics, techniques, and procedures (TTPs), which pointed us to potential links with a few existing ransomware groups that share similar TTPs. This portfolio was particularly helpful during the negotiation process, as it let us gain vital information, such as an assessment of how reliable the threat actor would be in providing a working decryption tool. In fact, during the negotiation, the attackers offered a video documenting the decryption process, which also revealed that they used free software from BandiCam and WinRAR, running in what appears to be Arabic.

The ransomware appends the extension “.ever101” and uses the CryptoPP8 library (a C++ cryptography library compiled into the binary) for encryption: Salsa20 for the file contents and RSA-2048 for the per-file keys. We were able to identify many, but not all, of the tools in the arsenal; because they had been encrypted during the attack, we had little hope of discovering their origin. We established that the EVER101 ransomware is almost identical to a number of ransomware families, such as CURATOR and Paymen45, both of which are believed to be developed by the EverBe group. Our hypothesis is that this ransomware was produced with a “Ransomware-as-a-Service” builder, rather than being fully developed by the threat actor or group, whose identity and location remain unknown.
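As an added illustration (not part of the original post or of Profero's own toolset), the following Python triage script applies two of the indicators described above: it checks that files carrying the .ever101 extension actually have the near-8-bits-per-byte entropy expected of Salsa20 ciphertext, and it flags executables dropped in a Music folder. The list of tool file types and the sample directory tree are constructed assumptions for the demo, not data from the incident.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".ever101"                       # extension observed in the incident
TOOL_EXTS = {".exe", ".dll", ".bat", ".ps1"}  # assumption: file types worth flagging under Music

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, much lower for plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_tree(root, sample_bytes=4096, threshold=7.5):
    """Walk a tree: confirm .ever101 files look encrypted, flag tools dropped under Music."""
    findings = {"encrypted": [], "low_entropy_suspects": [], "music_tools": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == RANSOM_EXT:
            # Only the first sample_bytes are read, so large files stay cheap to scan.
            ent = round(shannon_entropy(path.read_bytes()[:sample_bytes]), 2)
            bucket = "encrypted" if ent >= threshold else "low_entropy_suspects"
            findings[bucket].append((str(path), ent))
        elif any(part.lower() == "music" for part in path.parts) and path.suffix.lower() in TOOL_EXTS:
            findings["music_tools"].append(str(path))
    return findings

def demo():
    """Build a constructed sample tree (not real incident data) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Documents").mkdir()
        (root / "Music").mkdir()
        # Constructed "ciphertext": a flat byte distribution, so entropy is exactly 8.0.
        (root / "Documents" / "report.docx.ever101").write_bytes(bytes(range(256)) * 16)
        # Renamed to .ever101 but not actually encrypted: worth a second look by the analyst.
        (root / "Documents" / "notes.txt.ever101").write_bytes(b"A" * 4096)
        (root / "Documents" / "readme.txt").write_bytes(b"untouched plaintext")
        (root / "Music" / "dropper.exe").write_bytes(b"MZ" + b"\x00" * 62)  # constructed stub
        return triage_tree(root)

if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket, items)
```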

During our investigation of the bitcoin movements related to the attack, we discovered a transfer of approximately US$600 to a platform of massage providers across major cities in the United States. This gave us a specific lead on the threat actors, and we developed potential explanations for this questionable transfer.

The full report is available here.
