This Week in Security: NemeS1S, French Elections and Phishing

NemeS1S: Ransomware Déjà Vu . . . . Again!

In early February 2017, we blogged about a new ransomware-as-a-service (RaaS) offering dubbed “NemeS1S”. While this service offered all the features we have come to know well in the RaaS world, one characteristic stood out above all others. The “new” service was really just a pretty wrapper around the older, very well known, PadCrypt ransomware family.

The service allows wanna-be cybercriminals to customize their bitcoin ransom amounts and other aspects of the binary and messaging, but at the end of the day, criminals were stuck with PadCrypt binaries that were easily detected and prevented by most endpoint security products.

Shortly after our blog appeared, the NemeS1S service vanished. We like to think our publicizing of the service (and shortcomings within) had an effect on the service and cut down the market for it. Unfortunately, that cannot be corroborated, but we can always continue with our fantasy that we did a little bit of good there.

Now, fast-forward to March 7, 2017, and the service reappeared. There are a few tweaks in the service, and the model itself actually changed between March 7 and the writing of this blog on May 11.

The overall model remains the same, but there are a few interesting updates to what these guys are offering. On Day 1, the system was completely open to new registration and allowed for complete ransomware binary creation and management. Sounds great in theory, but the resulting binaries were still PadCrypt!

This group has, once again, attempted to put lipstick on a very old and very well-known pig. Decoding the embedded ransom messaging within the binary (Base64) is just one indicator of the legacy PadCrypt activity.

Figures 1 and 2 below show the Base64 blob and decoded data respectively:

Figure 1: Base64 Blob

Figure 2: Decoded Data
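The indicator described above (ransom messaging stored in the binary as a Base64 blob) is the kind of thing an analyst can triage automatically. The following is an added example, not code from the Cylance blog or from the NemeS1S/PadCrypt samples: it scans a byte blob for long Base64 runs, decodes the ones that yield readable text, and tags them with ransom-note keywords. The sample blob, the note text, the minimum run length and the keyword list are all constructed assumptions for this illustration.

```python
import base64
import binascii
import re

# Runs of Base64 alphabet characters long enough to be worth decoding.
# The 32-character floor is an assumption: shorter runs in a PE are mostly
# import names, section names and other noise.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")


def decode_candidate(run: bytes):
    """Decode one Base64 run; return text if it is mostly printable, else None."""
    # Restore missing '=' padding so the length is a multiple of 4.
    padded = run + b"=" * (-len(run) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Reject high-entropy or null-filled data that happens to be valid Base64.
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    if not text or printable / len(text) < 0.95:
        return None
    return text


def find_embedded_messages(blob: bytes, keywords=("bitcoin", "decrypt", "ransom", "files")):
    """Return (offset, decoded_text, matched_keywords) for each Base64 run that decodes to text."""
    hits = []
    for match in BASE64_RUN.finditer(blob):
        text = decode_candidate(match.group(0))
        if text is None:
            continue
        lowered = text.lower()
        matched = [k for k in keywords if k in lowered]
        hits.append((match.start(), text, matched))
    return hits


# Constructed stand-in for a binary: an MZ header, padding, a Base64-encoded
# note, then a run of 'A' characters that is valid Base64 but decodes to nulls.
# The note text is made up for this example; it is not the PadCrypt message.
SAMPLE_NOTE = b"Your files have been encrypted. Send 1 bitcoin to decrypt them."
SAMPLE_BLOB = (
    b"MZ\x90\x00"
    + b"\x00" * 40
    + base64.b64encode(SAMPLE_NOTE)
    + b"\x00\x01\x02"
    + b"A" * 44
    + b"\xff" * 10
)

if __name__ == "__main__":
    for offset, text, matched in find_embedded_messages(SAMPLE_BLOB):
        print(f"offset {offset}: keywords={matched}")
        print(f"  {text}")
```

Run it against a real sample by replacing `SAMPLE_BLOB` with the file's bytes; a decoded string that carries ransom wording is a cheap first triage signal, and the same decoded text is what you would compare against known families' notes before assuming a "new" service is actually new.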

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Research and Intelligence Team. Read the original post at: