Rewterz Threat Alert – Indicators of Compromise – GetCrypt Ransomware

Severity

High

Analysis Summary

A new ransomware family called GetCrypt being distributed through malvertising campaigns. The campaigns redirected users to a site hosting the RIG exploit kit, which was used to try and exploit vulnerabilities found on the computer. Successful exploitation led to the download of the GetCrypt ransomware that first checks the victim host’s language and terminates if it is set to Ukrainian, Belarusian, Russian, or Kazakh. If it is not terminated, it first clears all volume shadow copies to prevent potential recovery efforts. It then scans the system to identify files to be encrypted and performs the encryption using the Salsa20 and RSA-4096 encryption algorithms. A ransom note is left behind demanding payment in exchange for the decryption key. Along with encrypting accessible network drives, this malware is unique in its use of brute force attacks to attempt to mount shares requiring additional authentication.

GetCrypt will also change your desktop background to the following image.

Impact

• File encryption
• Loss of sensitive information

Indicator of Compromise

Malware Hash (MD5/SHA1/SH256)

• 8d833937f4da8ab0269850f961e8a9f963c23e6bef04a31af925a152f01a1169

Remediation

Block threat indicator at your respective controls.