Threat Spotlight: AES-NI aka SOREBRECT Ransomware

Introduction

Just a week after the WannaCry ransomware outbreak, researchers discovered another ransomware called XData, which is infecting hundreds of PCs across the Ukraine. Within less than 24 hours, XData got a strong foothold on those machines.

While that fact is notable in itself, there is an additional level of intrigue around this malware that appeals equally to the crime drama enthusiast and the conspiracy theorist. It turns out that XData is actually derived from an older ransomware called AES-NI.

Since the initial outbreak, the supposed developer of AES-NI contacted multiple researchers and journalists to disavow any connection to XData. Regardless of the motives behind XData, the malware appears to be spreading outside of Ukraine, so we’re here to break it down and raise awareness of this virulent and destructive ransomware variant in an effort to show other security teams how to block it from infecting their systems.

First, the Drama

The AES-NI ransomware first surfaced around December of 2016 after infected users posted the ransom note and file extension on help forums. Some of the early file extensions appended to encrypted files includes .lock, .pre_alpha, .aes and .aes_ni. As is so often the case, the name came from unique strings in the ransom note.

On May 18, 2017, the XData version came out. Its code is based on the original AES-Ni version, but there are some notable differences such as XData not using TOR for its Command-and-Control (C&C) server and usage of process injection techniques. The most obvious difference is the file extension for encrypted files, which is “.~xdata~”.

According to the AES-NI developer, who has been active on Twitter and has reached out to some security researchers and to BleepingComputer, he thinks that his source code for AES-NI was stolen and was used to create XData. Because (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog