Pandemics do not stop malware script kiddies.
Today is a (pretty much honeypot) computer with VNC enabled on the default port with a simple password set (single lower case dictionary word) that got brute forced by someone.
The hacker then checked if the machine was on the network and what other users were on the computer.
All files across the drive on the machine were encrypted with a file extension specific to the infection instance …
And the ransomware note “!!! ALL YOUR FILES ARE ENCRYPTED !!!.txt” contained..
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: runlocker@protonmail.com and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: runlocker@protonmail.com Reserved email: ranlock@keemail.me Your personal ID: A50-90E-EC9 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The timeline looks like they hacked the computer the March around 42 minutes past midnight.
Then at 01:12am they snooped through the files (not much on the honeypot system but they did open a file called ” password.txt”.
At 01:14 they downloaded a file using Chrome:
hxxps://aes.one/files/d/a5e/17e641m6n07en291al7w21gn7t/c8ecdba9ef806c83/
Which in turn provides a .exe file called “zeppelin.exe“.
MD5 7e867d82199a59d28ce35d31ea688dee SHA-1 52adcf0361aa8fb3a34daa1bb67a620d58b2b8a7 SHA-256 b3a71d2611660242a98236e332e964bf9c1e6d647b570cc650e2815d8054afc5
The initial attempt to download this file was thwarted by Microsoft’s Windows Defender – the hacker then manually snoozed / turned off defender to complete their attack.
It is likely that the file gets copied into c:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\spoolsv.exe and is detected as “Ransom:W32/ZZeppelin.A!MSR”
At 01:16am they fired off the encryption of all the files.
Potentially linked or maybe another hacker had also run a powershell script 10:11:48 03/04/2020 which did something with: hxxp://31.44.184.47:80/aa which appears to be a base64 encoded file containing further powershell script containing another base64 encoded file which then needs binary xor to produce a valid file.
Windows Defender also identifies this file.
MD5 4a79e1626ce14d7ae5f5b7965c872103 SHA-1 350cfa0b6f502672cb5e15ce10e17bc17632e749 SHA-256 35cd8737cebb9f72db999a49b260c5d9188615b31302d8e7d01b4f37ba4609db
I must say a massive thank you to GCHQ for their amazing tool CyberChef which made analyzing this so much easier.