In a recently observed attack, we also noted new tactics used to infect systems.
The Bucbi ransomware family, which dates back to early 2014, has received a significant update. In recent weeks, Palo Alto Networks researchers have observed attackers brute-forcing RDP accounts on Internet-facing Windows servers to deliver the malware. Additionally, the malware itself has been modified so that it no longer requires an Internet connection.

A call to WNetOpenEnum is made to enumerate all available network disk resources. If a network disk is identified, the encryption routine is run against that resource.
The following five IP addresses were observed attacking the victim machine starting in late March 2016:

Many common usernames were tried in this brute-force attack, including a number of point-of-sale (PoS) specific usernames. It is likely that the attackers were originally seeking out PoS devices and, after a successful compromise, changed tactics once they discovered that the compromised device did not process financial transactions.
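Detection of the brute-force pattern described above, as an added example that is not part of the original post: the script parses constructed records shaped like Windows Security event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP), flags any source address that produces a burst of failures against many accounts, and reports which of the attempted usernames look PoS-specific. The log lines, addresses, timestamps, threshold and the PoS username list are all assumptions made for this example.

```python
"""Flag RDP brute-force sources in Windows logon-failure records.

Added example, not from the original post. The records below are constructed
to resemble Windows Security event 4625 (failed logon) with LogonType 10
(RemoteInteractive, i.e. RDP); addresses, names and timestamps are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammering many accounts inside a minute, one
# user with occasional typos spread over a day, and two records that must be
# ignored (a network logon, LogonType 3, and a successful logon, event 4624).
SAMPLE_LOG = """\
2016-03-28T02:14:01 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=198.51.100.23
2016-03-28T02:14:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.23
2016-03-28T02:14:06 EventID=4625 LogonType=10 TargetUserName=pos IpAddress=198.51.100.23
2016-03-28T02:14:09 EventID=4625 LogonType=10 TargetUserName=posadmin IpAddress=198.51.100.23
2016-03-28T02:14:12 EventID=4625 LogonType=10 TargetUserName=micros IpAddress=198.51.100.23
2016-03-28T02:14:15 EventID=4625 LogonType=10 TargetUserName=user1 IpAddress=198.51.100.23
2016-03-28T03:00:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.77
2016-03-28T05:00:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.77
2016-03-28T07:00:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.77
2016-03-28T09:00:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.77
2016-03-28T11:00:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.77
2016-03-28T08:30:00 EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.0.5
2016-03-28T08:31:00 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

# Assumed list of PoS-flavoured account names (vendor defaults and the like);
# extend it with whatever your own estate uses.
POS_USERNAMES = {"pos", "posuser", "posadmin", "micros", "aloha", "retail", "cashier"}


def parse_events(text):
    """Return (timestamp, username, source_ip) for every failed RDP logon (4625, type 10)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != "4625" or m["ltype"] != "10":
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["user"].lower(), m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Map each source IP that produced `threshold` failures inside any `window`
    to a summary: failure count, distinct usernames tried, PoS-looking usernames."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        times = [ts for ts, _ in attempts]
        # Sliding window: any `threshold` consecutive failures within `window` is a burst.
        burst = any(
            times[i + threshold - 1] - times[i] <= window
            for i in range(len(times) - threshold + 1)
        )
        if not burst:
            continue
        users = {user for _, user in attempts}
        alerts[ip] = {
            "failures": len(attempts),
            "distinct_users": len(users),
            "pos_users": sorted(users & POS_USERNAMES),
        }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, summary)
```

The slow, single-account failures from 203.0.113.77 never fall inside the window and are not reported; the burst from 198.51.100.23 is, together with the PoS-style names it tried, which is the signal that the attacker was working from a PoS-oriented wordlist.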
This sequence then has a search/replace performed on it to convert it into an alphabetic string. The algorithm above uses the GOST block cipher to generate a unique filename. GOST (GOST 28147-89) is a fairly obscure cipher: it was developed in the Soviet Union in the 1970s and only standardized in 1989. This technique for generating a unique filename appears to be specific to Bucbi, as no other malware family has been observed using it.
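To make the GOST-based filename step concrete, here is an added example that is not code from the original post and is not a reconstruction of Bucbi's actual routine: a straightforward Python implementation of the GOST 28147-89 block cipher, followed by a hex-encode-and-substitute step that turns the ciphertext into letters only. The key, seed block, S-box set and digit-to-letter table are all assumptions; the S-boxes are the set commonly published as the GOST R 34.11-94 test parameters and should be checked against RFC 4357 before relying on them for interoperability.

```python
"""GOST 28147-89 block encryption feeding an alphabetic file-name generator.

Added example; not code from the original post and not Bucbi's routine. The
key, seed block, S-box set and digit-to-letter table are assumptions.
"""
import struct

MASK32 = 0xFFFFFFFF

# Eight 4-bit S-boxes. Assumed: the set commonly published as the GOST R 34.11-94
# test parameters; verify against RFC 4357 before relying on interoperability.
SBOX = [
    [4, 10, 9, 2, 13, 8, 0, 14, 6, 11, 1, 12, 7, 15, 5, 3],
    [14, 11, 4, 12, 6, 13, 15, 10, 2, 3, 8, 1, 0, 7, 5, 9],
    [5, 8, 1, 13, 10, 3, 4, 2, 14, 15, 12, 7, 6, 0, 9, 11],
    [7, 13, 10, 1, 0, 8, 9, 15, 14, 4, 6, 12, 11, 2, 5, 3],
    [6, 12, 7, 1, 5, 15, 13, 8, 4, 10, 9, 14, 0, 3, 11, 2],
    [4, 11, 10, 0, 7, 2, 1, 13, 3, 6, 8, 5, 9, 12, 15, 14],
    [13, 11, 4, 1, 3, 15, 5, 9, 0, 10, 14, 7, 6, 8, 2, 12],
    [1, 15, 13, 0, 5, 7, 10, 4, 9, 2, 3, 14, 6, 11, 8, 12],
]


def _round_function(x):
    """Substitute each 4-bit nibble through its S-box, then rotate left by 11."""
    y = 0
    for i in range(8):
        y |= SBOX[i][(x >> (4 * i)) & 0xF] << (4 * i)
    return ((y << 11) | (y >> 21)) & MASK32


def _subkeys(key):
    """Split the 256-bit key into eight little-endian 32-bit subkeys K0..K7."""
    if len(key) != 32:
        raise ValueError("GOST 28147-89 requires a 32-byte key")
    return struct.unpack("<8I", key)


def _crypt_block(block, key, encrypt):
    if len(block) != 8:
        raise ValueError("GOST 28147-89 works on 8-byte blocks")
    k = _subkeys(key)
    # Encryption uses K0..K7 three times, then K7..K0; decryption runs that order backwards.
    order = list(range(8)) * 3 + list(range(7, -1, -1))
    if not encrypt:
        order.reverse()
    n1, n2 = struct.unpack("<2I", block)
    for i in order:
        n1, n2 = n2 ^ _round_function((n1 + k[i]) & MASK32), n1
    # The standard leaves the halves unswapped after the last round.
    return struct.pack("<2I", n2, n1)


def gost_encrypt_block(block, key):
    return _crypt_block(block, key, True)


def gost_decrypt_block(block, key):
    return _crypt_block(block, key, False)


# Assumed search/replace table: hex digits 0-9 become g-p so the output is letters only.
_DIGITS_TO_LETTERS = str.maketrans("0123456789", "ghijklmnop")


def make_unique_filename(seed, key):
    """Encrypt an 8-byte seed (e.g. volume serial plus a counter) and map the 16
    hex characters of the ciphertext to a 16-letter, lowercase file name."""
    return gost_encrypt_block(seed, key).hex().translate(_DIGITS_TO_LETTERS)


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed for the demo, not a real key
    print(make_unique_filename(b"\x00\x11\x22\x33\x44\x55\x66\x77", demo_key))
```

Because the cipher is a permutation and the hex-to-letter substitution is one-to-one, distinct seeds always yield distinct names; that is the property a ransomware author wants from a "unique filename" routine, and it is also why the scheme carries no secrecy value beyond the key: anyone who recovers the key and the substitution table can reverse the names.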
Two files are created—one 580 bytes in size, and one 1060 bytes in size.