RANSOMWARE: FEBRUARY 2022 REVIEW

Posted: March 10, 2022 by Threat Intelligence Team

Get the latest information on ransomware trends with our monthly review.

The Malwarebytes Threat Intelligence team continuously monitors the threat
landscape to stay on top of existing and emerging attacks. In this February 2022
ransomware review, we go over some of the most successful ransomware incidents,
based on both open source and dark web intelligence.




BLACKBYTE


 * Observed since: July 2021
 * Ransomware note: BlackByteRestore.txt
 * Ransomware extension: .BlackByte
 * Kill Chain: Exploitation of known Microsoft Exchange Server vulnerabilities
   (reported by some victims) > BlackByte Ransomware
 * Sample hash: 1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad




HERMETICRANSOM (PARTYTICKET)


 * Observed since: February 2022
 * Ransomware note: read_me.html
 * Ransomware extension: <original file name>.[vote2024forjb@protonmail[.]com].encryptedJB
 * Kill Chain: Destructive attacks against Ukrainian entities on February 23,
   2022; industry reporting identified the Go-based ransomware, dubbed
   PartyTicket or HermeticRansom, at several affected organizations
 * Sample hash: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382




SFILE (ESCAL)


 * Observed since: February 2022
 * Ransomware note: .<company_name>.!README.log
 * Ransomware extension: .<company_name>.<random>
 * Kill Chain: Smaller ransomware strain used in targeted attacks
 * Sample hash: 6a7cef95a501cce16dce6f5a645fc97c4bcbb568c83dde5a7f2e4a0d7555dd98




LOCKBIT 2.0


 * Observed since: September 2019
 * Ransomware note: Restore-My-Files.txt
 * Ransomware extension: .lockbit
 * Kill Chain: Brute-force attack against a web server running an outdated VPN
   service > LockBit 2.0
 * Sample hash: 9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af




MAGNIBER


 * Observed since: October 2017
 * Ransomware note: readme.txt
 * Ransomware extension: .dihlxbl
 * Kill Chain: Distributed via Microsoft Edge and Google Chrome to Korean users
   > Magniber Ransomware
 * Sample hash: 06ea8f2b8b70b665cbecab797125733f75014052d710515c5ca2d908f3852349




SURTR



 * Observed since: December 2021
 * Ransomware note: SURTR_README.hta
 * Ransomware extension: .surtr
 * Kill Chain: Spear-Phishing > MalDoc > Surtr Ransomware
 * Sample hash: 40e5bb0526169c02126ffa60a09041e5e5453a24b26bc837036748b150fa3fae


SUGAR


 * Observed since: January 2021
 * Ransomware note: BackFiles_encoded01.txt
 * Ransomware extension: .Encoded01
 * Kill Chain: Spear-Phishing > MalDoc > Sugar Ransomware
 * Sample hash: 4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058




CONTI


 * Observed since: June 2021
 * Ransomware extension: .CONTI
 * Ransomware notes: CONTI.txt, R3ADM3.txt, readme.txt, CONTI_README.txt
 * Kill Chain: Spear-Phishing > Bazar backdoor or IcedID > Cobalt Strike > Conti
   Ransomware
 * Sample hash: 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59




MITIGATIONS

Source: IC3.gov

 * Implement regular backups of all data, stored as air-gapped,
   password-protected copies offline. Ensure these copies cannot be modified or
   deleted from any system where the original data resides.
 * Implement network segmentation, so that no machine on your network is
   reachable from every other machine.
 * Install and regularly update antivirus software on all hosts, and enable
   real-time detection.
 * Install updates and patches for operating systems, software, and firmware as
   soon as they are released.
 * Review domain controllers, servers, workstations, and Active Directory for
   new or unrecognized user accounts.
 * Audit user accounts with administrative privileges and configure access
   controls with least privilege in mind. Do not give all users administrative
   privileges.
 * Disable unused remote access and Remote Desktop Protocol (RDP) ports, and
   monitor remote access and RDP logs for any unusual activity.
 * Consider adding a banner to emails received from outside your organization.
 * Disable hyperlinks in received emails.
 * Use multi-factor authentication when logging into accounts or services.
 * Ensure routine auditing is conducted for all accounts.
 * Load all the indicators of compromise (IOCs) identified above into the SIEM
   for continuous monitoring and alerting.
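Two of the bullets above, monitoring RDP logs for unusual activity and reviewing for unrecognized accounts, can be run as detection logic rather than left as a checklist. The Python below is an added example, not from IC3 or Malwarebytes: it parses constructed Windows Security events (IDs 4625, 4624 and 4720) in a flat tab-separated layout of this example's own choosing, and raises an alert when one source address accumulates five failed remote logons within five minutes, when a remote logon later succeeds from that same source, and whenever an account is created. The event lines, addresses and account names are made up for the demonstration.

```python
"""Detection logic for two of the IC3 mitigations above.

Added example, not IC3 or Malwarebytes code. Events are constructed in a flat
  timestamp<TAB>event_id<TAB>logon_type<TAB>account<TAB>source_ip
layout; adapt parse_line() to whatever your SIEM or wevtutil export produces.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, LOGON, USER_CREATED = 4625, 4624, 4720
# Logon type 10 = RemoteInteractive (RDP). With Network Level Authentication
# enabled the pre-authentication failure is logged as type 3 (Network) instead,
# so both are treated as remote logons here.
REMOTE_LOGON_TYPES = {3, 10}

# Constructed sample: a password spray from 203.0.113.7 that eventually lands,
# a new local account shortly after, and a single benign mistype from 192.0.2.20.
SAMPLE_EVENTS = """\
2022-02-14T02:00:01\t4625\t10\tadministrator\t203.0.113.7
2022-02-14T02:00:03\t4625\t10\tadmin\t203.0.113.7
2022-02-14T02:00:05\t4625\t10\tbackup\t203.0.113.7
2022-02-14T02:00:07\t4625\t10\tsvc_sql\t203.0.113.7
2022-02-14T02:00:09\t4625\t10\tjsmith\t203.0.113.7
2022-02-14T02:00:11\t4625\t10\tadministrator\t203.0.113.7
2022-02-14T02:03:40\t4624\t10\tjsmith\t203.0.113.7
2022-02-14T02:05:12\t4720\t-\tsupport1\t-
2022-02-14T08:15:00\t4625\t10\tjsmith\t192.0.2.20
2022-02-14T09:30:00\t4624\t10\tjsmith\t192.0.2.20
"""


def parse_line(line):
    ts, event_id, logon_type, account, src = line.rstrip("\n").split("\t")
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type) if logon_type.isdigit() else None,
        "account": account,
        "source": src,
    }


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts in event order. Lines must already be sorted by time."""
    failures = defaultdict(deque)   # source ip -> timestamps of recent 4625s
    flagged = set()                 # sources that already crossed the threshold
    alerts = []

    def alert(ev, rule, detail):
        alerts.append({"time": ev["time"], "rule": rule, "source": ev["source"],
                       "account": ev["account"], "detail": detail})

    for ev in map(parse_line, (ln for ln in lines if ln.strip())):
        remote = ev["logon_type"] in REMOTE_LOGON_TYPES
        if ev["event_id"] == FAILED_LOGON and remote:
            q = failures[ev["source"]]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and ev["source"] not in flagged:
                flagged.add(ev["source"])
                alert(ev, "rdp_brute_force",
                      f"{len(q)} failed remote logons within {window}")
        elif ev["event_id"] == LOGON and remote and ev["source"] in flagged:
            alert(ev, "success_after_brute_force",
                  "remote logon succeeded from a source that was brute-forcing")
        elif ev["event_id"] == USER_CREATED:
            alert(ev, "account_created", "new account; confirm it is expected")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS.splitlines()):
        print(a["time"].isoformat(), a["rule"], a["source"], a["account"], a["detail"])
```

The second rule is the one worth tuning for: a burst of 4625s is noisy on any internet-exposed host, but a 4624 from an address that was just spraying is the LockBit-style entry described above and deserves a page, not a ticket.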


HOW MALWAREBYTES PROTECTS AGAINST RANSOMWARE

Malwarebytes protects systems against ransomware in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser
modifications, and system modifications on Windows PCs using a combination of
signature-based and signatureless technologies. This layer of protection detects
the ransomware binary itself. Detection can happen in real time as the binary
is run, or the infection can be rooted out of an already-compromised machine by
conducting a full system scan.

Anti-Ransomware is a signatureless technology that monitors the activity of
processes against a subset of data in specific locations on the endpoint. Using
patented technology, Anti-Ransomware assesses changes to those data files; if a
monitored process crosses an internal scoring threshold, the Anti-Ransomware
component raises a detection.

For those already infected, Ransomware Rollback can help recover encrypted files
within 72 hours of the attack. Rollback keeps a local cache on the endpoint that
stores changes to files on the system and uses it to revert changes caused by a
threat. The Rollback feature depends on the activity monitoring available in
Malwarebytes Endpoint Detection and Response.

Recommended reading: How to protect your RDP access from ransomware attacks