Cylance vs. AES-NI aka SOREBRECT

On the heels of WannaCry, and in part in parallel with it, another ransomware family has been making the rounds: AES-NI. Over the past three months, researchers have identified three distinct versions, or generations, detected in the wild at impacted organizations. Read the technical writeup from our Threat Guidance team here.

See Cylance in action against AES-NI ransomware here:

VIDEO: Cylance vs. AES-NI/ SOREBRECT Ransomware

Background and Timeline

The earliest iterations of AES-NI ransomware trace their origin to December 2016. From the beginning, it had a "fileless," self-destructing character: the initial binary removes itself from disk after launching, and the file-encryption and command-and-control (C2) communication are carried out by the code it spawns rather than by the dropped file itself.

Cylance's research found that the XData version appeared in mid-May. Its code is based on the original AES-NI version, but there are notable differences: XData does not use TOR to reach its C2 server, and it relies on a different process-injection technique.

In an unusual twist, the original developer came forward on Twitter to disassociate himself from the newer variants and released decryption keys. He claims that others are trying to frame him for the newer, more widely spread versions.

How Is AES-NI Delivered? What Does It Do?

Although the C2 traffic goes to specific TOR servers, the campaign does not appear to be a targeted attack: the affected countries are too widely dispersed for that.

Industries affected include manufacturing, technology, and telecommunications, but we believe the spread across these industries is largely random rather than the result of attacks aimed at these organizations.

The initial version of AES-NI was found in the Middle East, in Kuwait and Lebanon. By the beginning of May, however, our sensors had detected AES-NI (aka SOREBRECT) in Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the United States.

What Does AES-NI Do?

The initial self-destructing (Read more...)

This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog