On Tuesday, 24 October, reports began circulating of a new ransomware outbreak affecting Ukrainian and Russian computer systems. The malware is believed to be a variant of NotPetya and has already been reported at Ukraine’s Ministry of Infrastructure and in Kiev’s public transportation system. The Russian news service Interfax also issued an official statement that it had been hacked and was working to restore its systems. Find out how to protect yourself below.
So far, IntelliGO customers with Managed Detection and Response (MDR), managed firewalls, IntelliGO agents and log collection can protect themselves with the following measures:
- Restrict the Adobe Updater process to Adobe's own update URLs, usually a variant of https://fpdownload.macromedia.com. Any other destination contacted by an "updater" is suspect.
- Block the fake updater site that serves the malicious installer: 1dnscontrol[.]com
- Use IntelliGO Threat Hunt for AD: monitor for newly registered scheduled tasks. This malware names its tasks after Game of Thrones dragons.
- Pre-create an empty file at C:\Windows\infpub.dat and make it read-only so the real payload cannot be written over it. Note that the read-only attribute alone is a weak control, because the dropper runs with administrative rights and can clear it; stripping write permission from the file's ACL is the version of this mitigation that holds.
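The last item in the list above, carried through end to end, as an added example (this is not IntelliGO's tooling). It pre-creates the two .dat files this malware drops into C:\Windows, sets the read-only attribute the list mentions, and then replaces the inherited C:\Windows permissions with an explicit deny for Everyone, so that a dropper running as Administrator still cannot write, replace or delete the placeholder. The paths are the ones named on this page; the Test-Placeholder check is an assumption about what "protected" should mean (exists, and Everyone is denied write access).

```powershell
#Requires -RunAsAdministrator
# Added example, not IntelliGO's code: the "create the file first" mitigation with an ACL
# deny instead of relying on the read-only bit, which an elevated process can clear.

$Placeholders = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

function Test-Placeholder {
    param([Parameter(Mandatory)][string]$Path)
    # True when the file exists and Everyone is explicitly denied write access to it.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try {
        $acl = Get-Acl -LiteralPath $Path
    } catch {
        return $false
    }
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0)
    }
    return [bool]$deny
}

function Protect-Placeholder {
    param([Parameter(Mandatory)][string]$Path)

    if (Test-Placeholder -Path $Path) { return }   # already done; re-running must be safe

    if (Test-Path -LiteralPath $Path) {
        # A non-empty file at this path is not our placeholder. Do not lock in an unknown
        # binary; treat the host as possibly infected instead.
        if ((Get-Item -LiteralPath $Path -Force).Length -gt 0) {
            throw "$Path already exists and is not empty; investigate before continuing."
        }
    } else {
        # Zero-byte placeholder: the dropper's own create/write of this path now fails.
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    # Read-only attribute as the advisory suggests. Set it before the ACL, because after the
    # deny is in place even the owner lacks FILE_WRITE_ATTRIBUTES.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from C:\Windows and discard the inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    # Deny Everyone (SYSTEM and Administrators included) every right on the placeholder.
    # The owner keeps implicit READ_CONTROL and WRITE_DAC, so this can be reverted later.
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($p in $Placeholders) {
    Protect-Placeholder -Path $p
    '{0,-26} protected={1}' -f $p, (Test-Placeholder -Path $p)
}
```

This is a stopgap, not a fix: it works only because this sample writes fixed paths and does not take ownership or rewrite permissions first. Roll it out with the firewall blocks above rather than instead of them, and remove the placeholders once endpoints are patched and signatures are in place.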
The infection does not rely on an exploit: the victim is served a fake Adobe Flash update from the fake updater site and has to run it. Once executed, the dropper creates C:\Windows\infpub.dat, C:\Windows\cscc.dat and C:\Windows\dispci.exe. cscc.dat is a renamed copy of dcrypt.sys, the filter driver from DiskCryptor. infpub.dat then registers a Windows service with the display name Windows Client Side Caching DDriver, which loads the cscc.dat driver.
infpub.dat also creates a scheduled task that launches dispci.exe when a user logs on to the computer. The task is called Rhaegal, after one of the dragons in the Game of Thrones series, and executes the command "C:\Windows\dispci.exe" -id [id] && exit.
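The artefacts described in the two paragraphs above, turned into a local sweep a responder can run on a suspect host. This is an added example and not IntelliGO's Threat Hunt: the file paths, the service display name, the dispci.exe command and the task name rhaegal come from this page; drogon and viserion_, the two other task names reported in public analyses of the same campaign, are included as an assumption and are not named on this page. The Security event ID 4698 lookup only returns results where "Audit Other Object Access Events" is enabled.

```powershell
#Requires -RunAsAdministrator
# Added example, not IntelliGO's code: hunt for the scheduled tasks, driver service and
# dropped files described in the advisory. Task names other than rhaegal are assumptions.

$TaskNamePattern = '(^|\\)(rhaegal|drogon|viserion)'   # -match is case-insensitive
$DroppedFiles    = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat', 'C:\Windows\dispci.exe')

function New-Finding($Type, $Name, $Detail) {
    [pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail }
}

function Find-SuspiciousTasks {
    # Flag by name and, independently, by action, so a task renamed by a later variant
    # that still launches dispci.exe is caught.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        if ($_.TaskName -match $TaskNamePattern -or $cmd -match 'dispci\.exe') {
            New-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $cmd
        }
    }
}

function Find-SuspiciousDriverService {
    # The registry view covers kernel-driver services as well as Win32 services. Match the
    # lookalike display name and any ImagePath that points at the renamed DiskCryptor driver.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $svc = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if ($svc.DisplayName -like '*Client Side Caching*' -or "$($svc.ImagePath)" -match 'cscc\.dat') {
                New-Finding 'Service' $_.PSChildName "$($svc.DisplayName) -> $($svc.ImagePath)"
            }
        }
}

function Find-DroppedFiles {
    foreach ($f in $DroppedFiles) {
        if (Test-Path -LiteralPath $f) {
            $item = Get-Item -LiteralPath $f -Force
            # A zero-byte infpub.dat or cscc.dat is the placeholder "vaccine", not the payload.
            $note = if ($item.Length -eq 0) { 'empty placeholder' } else { 'non-empty, possible payload' }
            New-Finding 'File' $f "size=$($item.Length) created=$($item.CreationTime) ($note)"
        }
    }
}

function Find-TaskCreationEvents {
    # Security 4698 = scheduled task created. TaskName carries a leading backslash and
    # TaskContent holds the task XML, which includes the dispci.exe command line.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml     = [xml]$_.ToXml()
            $data    = $xml.Event.EventData.Data
            $name    = ($data | Where-Object { $_.Name -eq 'TaskName' }).'#text'
            $content = ($data | Where-Object { $_.Name -eq 'TaskContent' }).'#text'
            if ($name -match $TaskNamePattern -or "$content" -match 'dispci\.exe') {
                New-Finding 'Event4698' $name "created $($_.TimeCreated) on $($_.MachineName)"
            }
        }
}

$findings = @(Find-SuspiciousTasks) + @(Find-SuspiciousDriverService) +
            @(Find-DroppedFiles)    + @(Find-TaskCreationEvents)

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No artefacts from this campaign found on this host.'
}
```

Run it with Invoke-Command against a list of hosts to sweep a fleet; any hit on the scheduled task or the driver service means the host is past the dropper stage and should be isolated from the network before the logon-triggered dispci.exe task fires.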
IntelliGO MDR customers will receive a notification about these protections, will be contacted regarding implementation of the firewall blocks, and will be monitored for suspicious AD activity. If you have any questions, or if you have been breached, Contact Us immediately.