FortiGuard Labs has become aware of several ransomware strains that caught the public’s attention for the week of June 13th, 2022. It is imperative to raise awareness about ransomware variants because infections can cause severe damage to organizations. This week’s Ransomware Roundup Threat Signal covers Nyx, Solidbit, RobbinHood and HelloXD ransomware along with the Fortinet protections against them.What is Nyx ransomware?Nyx is a double-extortion ransomware that was recently discovered. It steals data from the victim and encrypts files on the compromised machine and then demands a ransom from the victim in exchange for file recovery and not leaking the stolen information to the public. It leaves a ransom note in a file called READ_ME.txt that includes the victim’s unique ID, the attacker’s contact email address as well as secondary email address which the victim should use in case the attacker did not respond within 48 hours of the first email being sent to the attacker. Nyx ransomware’s ransom noteThe ransomware adds the following file extension to the files it encrypts:[victim’s unique ID].[the attacker’s primary contact email].NYX Files encrypted by Nyx ransomwareWhat is the Status of Coverage?FortiGuard Labs provides the following AV coverage against Nyx ransomware:W32/Filecoder.NHQ!tr.ransomWhat is Solidbit ransomware?Solidbit is a ransomware that encrypts files on the compromised machine and demands a ransom from the victim for file recovery. Solidbit ransomware’s lock screenSolidbit ransomware drops a ransom note in a file named RESTORE-MY-FILES.txt, which includes Solidbit’s own TOR site where the victim is asked to visit to contact the attacker along with the decryption ID. Solidbit ransomware’s ransom noteThe TOR site offers free decryption of a file (up to a maximum file size of 1MB) to prove that decryption works properly. The Solidbit threat actor also provides chat support for victims. Solibit ransomware’s TOR siteWhat is the Status of Coverage?FortiGuard Labs provides the following AV coverage against Solidbit ransomware:MSIL/Filecoder.APU!tr.ransomWhat is RobbinHood ransomware?RobbinHood is a ransomware has been in the wild since at least 2019. This ransomware is covered in this week’s ransomware roundup given a report recently surfaced that it was responsible for infecting an auto parts manufacture in February, 2022 which resulted in shutdown of the factories.Written in Golang, RobbinHood is a simple ransomware that encrypts files on the compromised machine and demands ransom for decrypting the affected files. A typical ransom note left behind by RobbinHood ransomware has the attacker’s bitcoin address and asks the victim to pay the ransom within 3 to 4 days depending on the ransomware variant. The attacker warns that the ransom amount increases by $10,000 each day if the payment is not made during the specified window. However, some RobbinHood ransom notes state that the victim’s keys will be removed after 10 days. This makes file recovery impossible in order to add pressure to the victim to pay the ransom. Also, the attacker asks the victim not to contact law enforcement or security vendors.Known file extensions that RobbinHood ransomware adds to encrypted files include “.enc_robbin_hood” and “.rbhd”.It also deletes shadow copies, which makes file recovery difficult.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against RobbinHood ransomware:W32/Robin.AB!tr.ransomW32/Robin.A!trW32/RobbinHood.A!tr.ransomW32/RobbinHood.A!trW32/Ransom_Win32_ROBBINHOOD.SMW32/Filecoder_RobbinHood.D!tr.ransomW32/Filecoder_RobbinHood.D!trW32/Filecoder_RobbinHood.C!trW32/Filecoder_RobbinHood.B!tr.ransomW32/Filecoder_RobbinHood.B!trW32/Filecoder_RobbinHood.A!trWhat is HelloXD ransomware?HelloXD is a ransomware that targets both Windows and Linux systems. The ransomware has been in the field since at least November 2021 and typically comes with a logo having a red face with horns. HelloXD ransomware logoIn order to inhibit file recovery, it deletes shadow copies before encrypting files. After files are encrypted, it drops a ransom note named “Hello.txt”., This contains a unique personal ID for the victim, Tox chat ID to contact the attacker as well as instruction to download and install Tox. The note also states that a ransom payment needs to be made within 96 hours of the infection or else the ransom amount will increase. Files that were encrypted by HelloXD have a “.hello” file extension.Some of the HelloXD ransomware samples reportedly deploy MicroBackdoor, an open-source backdoor to the compromised machine. The backdoor allows the attackers to keep foothold in the victim’s machine and will not likely be removed from the victim’s machine even if a ransom payment is made. What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against HelloXD ransomware:W32/Filecoder_Hello.C!trW64/Filecoder_Hello.C!trW64/Filecoder_Hello.A!tr.ransomMSIL/Filecoder.2362!tr.ransomW32/GenKryptik.FPIJ!trW64/CoinMiner.EJER!trW32/PossibleThreatAnything Else to Note?Victims of ransomware are cautioned against paying ransoms by such organizations as CISA, NCSC, the FBI, and HHS. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities which could potentially be illegal according to a U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory.
Category Archives: Advisories
python2.7-2.7.18-22.fc35
FEDORA-2022-ec74ac4079
Packages in this update:
python2.7-2.7.18-22.fc35
Update description:
Security fix for CVE-2015-20107
A Vulnerability in Cisco Email Security Appliance, Cisco Secure Email & Web Manager Could Allow for an Authentication Bypass – PATCH: NOW – TLP: WHITE
A vulnerability in Cisco Email Security Appliance, Cisco Secure Email & Web Manager could Allow for an authentication bypass under specific conditions. Exploitation of this vulnerability could allow for an unauthenticated attacker to gain unauthorized access to the web-based management interface of the affected device.
python2.7-2.7.18-22.fc37
FEDORA-2022-bbd21c18ad
Packages in this update:
python2.7-2.7.18-22.fc37
Update description:
Automatic update for python2.7-2.7.18-22.fc37.
Changelog
* Thu Jun 9 2022 Charalampos Stratakis <cstratak@redhat.com> – 2.7.18-22
– Security fix for CVE-2015-20107
Resolves: rhbz#2075390
USN-5485-1: Linux kernel vulnerabilities
It was discovered that some Intel processors did not completely perform
cleanup actions on multi-core shared buffers. A local attacker could
possibly use this to expose sensitive information. (CVE-2022-21123)
It was discovered that some Intel processors did not completely perform
cleanup actions on microarchitectural fill buffers. A local attacker could
possibly use this to expose sensitive information. (CVE-2022-21125)
It was discovered that some Intel processors did not properly perform
cleanup during specific special register write operations. A local attacker
could possibly use this to expose sensitive information. (CVE-2022-21166)
USN-5484-1: Linux kernel vulnerabilities
It was discovered that the Linux kernel did not properly restrict access to
the kernel debugger when booted in secure boot environments. A privileged
attacker could use this to bypass UEFI Secure Boot restrictions.
(CVE-2022-21499)
It was discovered that a race condition existed in the network scheduling
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2021-39713)
It was discovered that some Intel processors did not completely perform
cleanup actions on multi-core shared buffers. A local attacker could
possibly use this to expose sensitive information. (CVE-2022-21123)
It was discovered that some Intel processors did not completely perform
cleanup actions on microarchitectural fill buffers. A local attacker could
possibly use this to expose sensitive information. (CVE-2022-21125)
It was discovered that some Intel processors did not properly perform
cleanup during specific special register write operations. A local attacker
could possibly use this to expose sensitive information. (CVE-2022-21166)
kernel-5.18.5-100.fc35
FEDORA-2022-177a008b98
Packages in this update:
kernel-5.18.5-100.fc35
Update description:
The 5.18.5 stable kernel update contains mitigation for the processor MMIO stale-data vulnerabilities. These are covered by CVE-2022-21166 CVE-2022-21125 and CVE-2022-21123
kernel-5.18.5-200.fc36
FEDORA-2022-391e24517d
Packages in this update:
kernel-5.18.5-200.fc36
Update description:
The 5.18.5 stable kernel update contains mitigation for the processor MMIO stale-data vulnerabilities. These are covered by CVE-2022-21166 CVE-2022-21125 and CVE-2022-21123
USN-5482-1: SPIP vulnerabilities
It was discovered that SPIP incorrectly validated inputs. An authenticated
attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 18.04 LTS. (CVE-2020-28984)
Charles Fol and Théo Gordyjan discovered that SPIP is vulnerable to Cross
Site Scripting (XSS). If a user were tricked into browsing a malicious SVG
file, an attacker could possibly exploit this issue to execute arbitrary
code. This issue was only fixed in Ubuntu 21.10. (CVE-2021-44118,
CVE-2021-44120, CVE-2021-44122, CVE-2021-44123)
It was discovered that SPIP incorrectly handled certain forms. A remote
authenticated editor could possibly use this issue to execute arbitrary code,
and a remote unauthenticated attacker could possibly use this issue to obtain
sensitive information. (CVE-2022-26846, CVE-2022-26847)
USN-5483-1: Exempi vulnerabilities
It was discovered that Exempi incorrectly handled certain media files. If a
user or automated system were tricked into opening a specially crafted
file, a remote attacker could cause Exempi to stop responding or crash,
resulting in a denial of service, or possibly execute arbitrary code.