April 18, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – ServHelper Backdoor – Active IOCs
October 26, 2021Rewterz Threat Advisory – CVE-2021-30918 – Apple iOS and iPadOS Vulnerability
October 27, 2021Rewterz Threat Alert – ServHelper Backdoor – Active IOCs
October 26, 2021Rewterz Threat Advisory – CVE-2021-30918 – Apple iOS and iPadOS Vulnerability
October 27, 2021
Severity
High
Analysis Summary
A new ransomware family packs multiple unique features, including improving performance and give its operators the option to only target networked SMB shares. Dubbed Conti, the malware improves performance through the use of “up to 32 simultaneous encryption efforts,” and is likely directly controlled by its operators, which means that it can target network-based resources and skip local files, similarly with what the Sodinokibi ransomware can do. the new ransomware abuses the Windows Restart Manager to close applications that lock certain files, thus making sure it can encrypt all the data it wants. The notable effect of this capability is that it can cause targeted damage in an environment in a method that could frustrate incident response activities. A successful attack may have destruction that’s limited to the shares of a server that has no Internet capability, but where there is no evidence of similar destruction elsewhere in the environment.
Impact
- File Encryption
Indicators of Compromise
SHA-256
- d67fc973684b4739b01e3b324b2ed0713392d53970b6d2881d84fea688ee8737
- 4a3dd6c35242de1c8df47fca2f70c39cff113ea4bf4828b9070ba954719c764c
- 01d96b892f3c13146e5072f83fb610a45b495a57db6e24c5ddbe2a299b3c2750
- 62a19f395e9b4fba271242c333eb3f8e5cc50a60eb792940aafe2b3fb685f2ab
- a3be757ca383b7098c0dbdadcd5fc0c2bef9318f0e8d9ba55166c5eccc665552
- bcdd0fece3ca3cc7870aa7076506d7128065fc4db3da18aada9a9fcd434c7464
- 90edcc41c52eeb932999a04c744256dc5710f12736650fb886cd24f616e24743
- b1b5c959b9975a18d58f070aea003590ccaa63f225845a9ff1d857b756ec1d4f
- e6df6be47eddea113adb90942321653d4eb9a9787a15f9da1ed31382a90dc782
- 17dd589a376da555f84b280bc0ec708014b3e5b629645c959da25ba820295541
- 850fda9df8889a719a73bc8f960de5ade7a50c4753f674bf9504a85f0b8b1f7b
- c7ff4fb6ca8ca2f9d16f469ba07d5ca52c7eee43314fe3eb874f7456ec3ed2ef
- 6d66e85fed42740f7170d618c58b92970b5adee92973762080d8eb2e4b3bce06
- ee12031f4ef2e64896c156b29de566ca9df448c5ff7b49083e67181a356384cf
- bdbe3871a9ec7e9df8a7292073777a759cf36c7ad1c0c91485d2737b7aedc8f9
- 8b879d34f13465a7595cc6a94a27e93c6af6dfcb848633ee09eadf38001d6c0f
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
