We have recently analyzed a new ransomware infection called SOREBRECT Ransomware. Our research shows that it is a fileless ransomware: it injects its malicious code into a legitimate Windows process, and once that injected code is running, it encrypts your files. It is worth mentioning that this ransomware targets the computers of companies and businesses rather than home users, as this is where the most money is to be made. Its developers hope to encrypt sensitive and vital business documents that you would be inclined to pay a lot of money to recover.
We have found that this particular ransomware is disseminated via two methods. The first is Remote Desktop Protocol (RDP): the attackers brute-force the administrator's credentials to gain remote access to the server. The second is PsExec, a Microsoft Sysinternals command-line tool that lets its user execute processes on a remote Windows system and redirect their output to the local system; the attackers use it to launch the ransomware on every machine they can reach with the stolen credentials. Both methods are effective because they rely on legitimate administrative tools and credentials, so the infection is silent and looks like ordinary administration in the logs. Now that we know how this ransomware is distributed, let us take a look at how it works.
Research has revealed that this ransomware infects a company's server(s) first and then spreads to the computers connected to them. It communicates with its command and control (C&C) server over the Tor network. As mentioned, the attackers behind SOREBRECT Ransomware obtain administrator credentials with a brute-force attack and then use Microsoft's Sysinternals PsExec command-line tool to launch the ransomware remotely, which then starts encrypting your files. The ransomware injects its malicious code into svchost.exe, a legitimate Windows process, and deletes its own binary from disk, which is what makes it fileless. It also clears the affected computer's Windows event logs with wevtutil.exe to hinder forensic analysis, and deletes the volume shadow copies with the vssadmin command so that encrypted files cannot be restored from them. Furthermore, it attempts to delete %HOMEDRIVE%\$RECYCLE.BIN (the Recycle Bin) and stops many services on the infected computer, including AcrSch2Svc, BackupExecJobEngine, DLOAdminSvcu, MySQL56, SQLWriter, VeeamNFSSvc, WseNtfSvc, and dozens of others. Most of these belong to backup and database products; stopping them releases the file locks on databases and backup stores so that those files can be encrypted as well.
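The chain described above (a process launched through PsExec's service, svchost.exe spawning administrative tools, wevtutil clearing logs, vssadmin deleting shadow copies, mass service stops and Recycle Bin removal) is easier to catch from process-creation telemetry than from the encrypted files. The following is an added example written for this article, not code from the original page or from the malware's authors: it parses constructed process-creation records (the pipe-delimited layout, host names and timestamps are assumptions for the example, loosely modelled on the fields of a Sysmon Event ID 1 record) and scores each host by how many of the article's behaviours it shows. Rule names and weights are likewise assumptions; the second host in the sample shows a benign "vssadmin list shadows" and is there to confirm it does not trigger.

```python
"""Behavioural triage for the SOREBRECT-style intrusion chain (added example)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    parent: str   # image path of the parent process
    image: str    # image path of the created process
    cmdline: str  # command line of the created process


# Constructed sample telemetry: ts|host|parent_image|image|command_line
SAMPLE_LOG = r"""
2017-06-12T03:14:01|FS01|C:\Windows\PSEXESVC.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2017-06-12T03:14:05|FS01|C:\Windows\System32\svchost.exe|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Security
2017-06-12T03:14:05|FS01|C:\Windows\System32\svchost.exe|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl System
2017-06-12T03:14:06|FS01|C:\Windows\System32\svchost.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2017-06-12T03:14:07|FS01|C:\Windows\System32\svchost.exe|C:\Windows\System32\net.exe|net stop SQLWriter /y
2017-06-12T03:14:07|FS01|C:\Windows\System32\svchost.exe|C:\Windows\System32\net.exe|net stop VeeamNFSSvc /y
2017-06-12T03:14:07|FS01|C:\Windows\System32\svchost.exe|C:\Windows\System32\net.exe|net stop MySQL56 /y
2017-06-12T03:14:08|FS01|C:\Windows\System32\svchost.exe|C:\Windows\System32\cmd.exe|cmd.exe /c rd /s /q C:\$RECYCLE.BIN
2017-06-12T09:00:00|WS07|C:\Windows\explorer.exe|C:\Program Files\Office\WINWORD.EXE|WINWORD.EXE report.docx
2017-06-12T09:05:00|WS07|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
"""


def parse_log(text):
    """Parse pipe-delimited records; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 4)  # command line may itself contain '|'
        if len(parts) != 5:
            continue
        events.append(ProcEvent(*parts))
    return events


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


ADMIN_TOOLS = {"wevtutil.exe", "vssadmin.exe", "net.exe", "net1.exe", "sc.exe", "cmd.exe"}

# (rule name, predicate, weight) -- names and weights are assumptions for this example.
RULES = [
    ("psexec_child",
     lambda e: _basename(e.parent) == "psexesvc.exe", 3),
    ("svchost_spawns_admin_tool",           # injected svchost acting as a launcher
     lambda e: _basename(e.parent) == "svchost.exe" and _basename(e.image) in ADMIN_TOOLS, 2),
    ("eventlog_clear",
     lambda e: _basename(e.image) == "wevtutil.exe"
     and re.search(r"\b(cl|clear-log)\b", e.cmdline, re.I) is not None, 3),
    ("shadow_delete",                        # 'list shadows' must not match
     lambda e: _basename(e.image) == "vssadmin.exe"
     and re.search(r"\bdelete\s+shadows\b", e.cmdline, re.I) is not None, 3),
    ("service_stop",
     lambda e: _basename(e.image) in {"net.exe", "net1.exe", "sc.exe"}
     and re.search(r"\bstop\b", e.cmdline, re.I) is not None, 1),
    ("recyclebin_delete",
     lambda e: "$recycle.bin" in e.cmdline.lower()
     and re.search(r"\b(rd|rmdir|del|remove-item)\b", e.cmdline, re.I) is not None, 2),
]


def match_event(event):
    """Names of all rules the event satisfies, in RULES order."""
    return [name for name, pred, _ in RULES if pred(event)]


def score_hosts(events, threshold=3):
    """Per-host hit counts; a host is flagged when >= threshold distinct rules fire.
    The score sums each distinct rule's weight once, so a noisy rule cannot
    dominate by firing many times."""
    hits = defaultdict(Counter)
    for e in events:
        for name in match_event(e):
            hits[e.host][name] += 1
    weights = {name: w for name, _, w in RULES}
    report = {}
    for host in sorted({e.host for e in events}):
        c = hits.get(host, Counter())
        report[host] = {"hits": dict(c),
                        "score": sum(weights[n] for n in c),
                        "flagged": len(c) >= threshold}
    return report


if __name__ == "__main__":
    for host, r in score_hosts(parse_log(SAMPLE_LOG)).items():
        print(host, "FLAGGED" if r["flagged"] else "ok", r["score"], r["hits"])
```

Because the ransomware deletes its own binary and clears the event logs, the telemetry this script consumes has to be shipped off the host (Sysmon or 4688 events forwarded to a collector) before the chain completes; a detector that reads the local Security log after the fact will find it empty.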
According to our research, SOREBRECT Ransomware uses the AES-256 algorithm in ECB mode to encrypt your files and RSA-2048 to encrypt the randomly generated AES key, so the key cannot be recovered from the infected computer without the attackers' private RSA key. The ransom note urges you not to try a third-party decryption tool because it could ruin your files for good. While that may be true, you should not trust the ransomware's developers either, as they may not hand over the decryption key after you pay. The key does not come free: the creators want you to contact them via one of three provided email addresses, or via BitMsg if they do not reply to your email within 48 hours. The note does not specify the sum to be paid, and we think it can vary to a huge degree from victim to victim. SOREBRECT Ransomware appends the ".key.aes_ni_0day" extension to the files it encrypts. It skips some file types, including those with .exe, .dll, .lnk, and .sys extensions, presumably so that the system remains bootable and the note can be read. Once encryption is complete, it drops a ransom note named "!!! READ THIS - IMPORTANT !!!.txt" into every folder where a file was encrypted. Furthermore, it sets the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText, which Windows displays as a message on the logon screen, so the ransom text is shown before anyone can log in.
As you can see, SOREBRECT Ransomware is a highly malicious infection that can compromise your company's server and spread to all of the PCs connected to it, so it is vital that you secure both the server and the workstations: use strong, unique administrator passwords, do not expose RDP directly to the internet, and restrict who may use remote administration tools such as PsExec. This ransomware deletes its own binary after injecting its code into svchost.exe. Still, we recommend that you run an anti-malware program such as SpyHunter to detect any malicious files that may have been left behind by this ransomware and remove them, and that you restore the encrypted files from offline backups where they exist.