

Rewterz Threat Advisory – CVE-2019-1769 – Cisco NX-OS Software Line Card Command Injection Vulnerability
May 29, 2019
Rewterz Threat Alert – Indicators of Compromise – GetCrypt Ransomware
May 29, 2019
Severity
Medium
Analysis Summary
CrySIS, also known as Dharma, is a family of ransomware that has been evolving since 2006 and actively targets businesses through email attachments or installable files masquerading as legitimate applications. It is most commonly delivered over RDP: the attackers obtain RDP credentials from leaks or by brute forcing weak passwords. Once installed, the malware achieves persistence through registry entries and may, on certain versions of Windows, attempt to run with administrator privileges, which increases the number of files it can encrypt. After the encryption routines have completed and certain details have been sent to a C&C server, a ransom note is placed on the infected system's desktop. Malwarebytes notes that the ransom amount is typically 1 Bitcoin, but this can vary and may be adjusted according to the revenue of the target company.
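Because the summary names RDP credential brute forcing as the usual way in, the check a defender most wants is one over Windows Security logon events. The script below is an added example, not part of the Rewterz advisory: it counts failed logons (Event ID 4625) with Logon Type 10 (RemoteInteractive, i.e. RDP) per source address inside a sliding window, flags sources that cross a threshold, and then looks for a successful RDP logon (Event ID 4624) from a flagged source after the burst. The event records, the tuple layout, the threshold and the window are all assumptions or constructed sample data to be replaced by the real log feed and tuned per environment.

```python
"""Flag RDP password-guessing bursts in Windows Security logon events.

Added example (not from the advisory). Event IDs 4625/4624 and Logon Type 10
are standard Windows values; the record layout, threshold, window and the
sample events below are constructed for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625        # "An account failed to log on"
SUCCESSFUL_LOGON = 4624    # "An account was successfully logged on"
RDP_LOGON_TYPE = 10        # RemoteInteractive: Terminal Services / RDP

# Constructed sample records: (ISO timestamp, event id, logon type, source IP, account)
SAMPLE_EVENTS = [
    # six RDP failures in 2.5 minutes from one address, then a success
    ("2019-05-29T01:00:00", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-05-29T01:00:30", 4625, 10, "203.0.113.7", "admin"),
    ("2019-05-29T01:01:00", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-05-29T01:01:30", 4625, 10, "203.0.113.7", "backup"),
    ("2019-05-29T01:02:00", 4625, 10, "203.0.113.7", "admin"),
    ("2019-05-29T01:02:30", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-05-29T01:03:00", 4624, 10, "203.0.113.7", "administrator"),
    # a user mistyping a password occasionally: three failures over 20 minutes
    ("2019-05-29T01:00:00", 4625, 10, "198.51.100.2", "jsmith"),
    ("2019-05-29T01:10:00", 4625, 10, "198.51.100.2", "jsmith"),
    ("2019-05-29T01:20:00", 4625, 10, "198.51.100.2", "jsmith"),
    # console (type 2) failures: not RDP, so outside the scope of this check
    ("2019-05-29T01:00:00", 4625, 2, "192.0.2.9", "svc_build"),
    ("2019-05-29T01:00:10", 4625, 2, "192.0.2.9", "svc_build"),
    ("2019-05-29T01:00:20", 4625, 2, "192.0.2.9", "svc_build"),
    ("2019-05-29T01:00:30", 4625, 2, "192.0.2.9", "svc_build"),
    ("2019-05-29T01:00:40", 4625, 2, "192.0.2.9", "svc_build"),
    ("2019-05-29T01:00:50", 4625, 2, "192.0.2.9", "svc_build"),
]


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (time threshold was crossed, accounts tried in the window)}.

    threshold/window are assumed starting values; tune them to the environment.
    """
    recent = defaultdict(deque)   # source IP -> deque of (timestamp, account) in window
    flagged = {}
    for ts_str, event_id, logon_type, src, account in sorted(events):
        if event_id != FAILED_LOGON or logon_type != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[src]
        q.append((ts, account))
        while q and ts - q[0][0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = (ts, sorted({acct for _, acct in q}))
    return flagged


def successful_rdp_after_burst(events, flagged):
    """Return {(source_ip, account)} for RDP successes from a flagged source at or after its burst."""
    hits = set()
    for ts_str, event_id, logon_type, src, account in events:
        if event_id != SUCCESSFUL_LOGON or logon_type != RDP_LOGON_TYPE or src not in flagged:
            continue
        if datetime.fromisoformat(ts_str) >= flagged[src][0]:
            hits.add((src, account))
    return hits


if __name__ == "__main__":
    bursts = find_rdp_bruteforce(SAMPLE_EVENTS)
    for src, (when, accounts) in bursts.items():
        print(f"burst from {src} at {when.isoformat()} trying {accounts}")
    for src, account in successful_rdp_after_burst(SAMPLE_EVENTS, bursts):
        print(f"HIGH: successful RDP logon as {account} from flagged source {src}")
```

A success from a source that was just flagged is the event worth paging on; the burst alone is what you rate-limit or block at the perimeter.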

Impact
- File encryption
- Loss of sensitive information
Indicators of Compromise
Filename
- README.txt
- HOW TO DECRYPT YOUR DATA.txt
- Readme to restore your files.txt
- Decryption instructions.txt
- FILES ENCRYPTED.txt
- Files encrypted!!.txt
- Info.hta
Malware Hash (MD5/SHA1/SHA256)
- 0aaad9fd6d9de6a189e89709e052f06b
- bd3e58a09341d6f40bf9178940ef6603
- 38dd369ddf045d1b9e1bfbb15a463d4c
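To act on the filename and hash indicators above, a defender needs something that sweeps a file share or endpoint for them. The scanner below is an added example, not part of the advisory: it walks a directory tree, reports files whose name matches one of the listed ransom-note names and files whose digest appears in the hash list. The listed hashes are 32 hex characters (MD5), so only the MD5 comparison can hit them; SHA1 and SHA256 are computed as well so the same routine works when those indicators are added. Since README.txt is also a perfectly ordinary filename, a match on it alone is reported at low confidence. The directory produced by build_sample_tree() is constructed demo data, and the extra empty-file MD5 used in the demo is there only to exercise the hash path.

```python
"""Sweep a directory tree for the CrySIS/Dharma filename and hash indicators.

Added example (not from the advisory). The note names and hashes are the
ones listed in the advisory; the sample tree is constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path

RANSOM_NOTE_NAMES = {n.lower() for n in (
    "README.txt",
    "HOW TO DECRYPT YOUR DATA.txt",
    "Readme to restore your files.txt",
    "Decryption instructions.txt",
    "FILES ENCRYPTED.txt",
    "Files encrypted!!.txt",
    "Info.hta",
)}
GENERIC_NAMES = {"readme.txt"}   # common benign name: report at low confidence only

# Hashes from the advisory (all 32 hex characters, i.e. MD5).
KNOWN_HASHES = {
    "0aaad9fd6d9de6a189e89709e052f06b",
    "bd3e58a09341d6f40bf9178940ef6603",
    "38dd369ddf045d1b9e1bfbb15a463d4c",
}


def file_digests(path, chunk_size=1 << 20):
    """Return the MD5, SHA1 and SHA256 hex digests of a file as a set, reading in chunks."""
    hashers = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers:
                h.update(block)
    return {h.hexdigest() for h in hashers}


def scan_tree(root, hashes=KNOWN_HASHES):
    """Return sorted (confidence, reason, path relative to root) for every indicator hit."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            lname = name.lower()
            if lname in RANSOM_NOTE_NAMES:
                confidence = "low" if lname in GENERIC_NAMES else "high"
                findings.append((confidence, "ransom_note_name", rel))
            try:
                if file_digests(path) & hashes:
                    findings.append(("high", "known_hash", rel))
            except OSError:
                # locked or unreadable file: skip it rather than abort the whole sweep
                continue
    return sorted(findings)


def build_sample_tree():
    """Create a constructed directory tree for trying the scanner; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="crysis_ioc_demo_"))
    (root / "Documents").mkdir()
    (root / "FILES ENCRYPTED.txt").write_text("constructed ransom-note stand-in\n")
    (root / "Documents" / "README.txt").write_text("constructed project readme\n")
    (root / "invoice.docx").write_bytes(b"constructed benign content")
    (root / "dropper.exe").write_bytes(b"")   # empty file: MD5 d41d8cd98f00b204e9800998ecf8427e
    return root


if __name__ == "__main__":
    demo = build_sample_tree()
    # The empty-file MD5 is added only so the hash path fires on the constructed tree.
    for hit in scan_tree(demo, KNOWN_HASHES | {"d41d8cd98f00b204e9800998ecf8427e"}):
        print(hit)
```

Hash matching only catches the exact samples listed, so treat the name-based hits as the broader signal and the hash hits as confirmation; on a live system the sweep belongs in a scheduled job that writes its findings to the SIEM rather than to stdout.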
Remediation
- Block all threat indicators at your respective controls
- Always be suspicious about emails sent by unknown senders
- Never click on link/attachments sent by unknown senders