Arctic Wolf sniffs out new ransomware variant
- by nlqip
“The NtQuerySystemInformation function allows the caller to obtain information about the current system’s physical details such as the number of logical processors available,” Arctic Wolf said. “This information can be useful when determining how many threads the multi-threaded encryption routine should allocate.”
Once critical system information is obtained, encryption is attempted. “Using the system information discovered earlier, the sample configures a thread pool dedicated to encrypting all the discovered files,” the report added. “This thread pool uses the logical processor information with a minimum number of two processors and a maximum number of sixteen processors. The deprecated Windows APIs for CryptImportKey and the CryptEncrypt are called during the process.”
Once encryption completes, the operators drop a ransom note to disk under the usual ‘readme.txt’ file name.
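As an added illustration of the sizing step described in the two quotes above (this is example code written for this page, not Arctic Wolf's analysis tooling or code recovered from the sample), the following C program resolves NtQuerySystemInformation from ntdll.dll at run time, reads NumberOfProcessors from the SystemBasicInformation class, and clamps the result into the [2, 16] thread range the report describes. The Windows branch assumes the SYSTEM_BASIC_INFORMATION declaration from the SDK's winternl.h; on other platforms it falls back to sysconf() so the clamp rule can still be compiled and checked. Only the thread count is computed here; no file encryption is performed.

```c
/* Added example, not code from the analysed sample: size a worker pool from the
 * logical processor count, clamped to [2, 16] as described in the report. */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* NTSTATUS, SYSTEM_INFORMATION_CLASS, SYSTEM_BASIC_INFORMATION */
#else
#include <unistd.h>     /* sysconf() fallback for non-Windows builds */
#endif

#define MIN_THREADS 2u   /* floor quoted in the report */
#define MAX_THREADS 16u  /* ceiling quoted in the report */

/* Pure sizing rule: clamp the logical processor count into [MIN_THREADS, MAX_THREADS].
 * A count of 0 (query failed) still yields the minimum pool size. */
unsigned encryption_thread_count(unsigned logical_processors)
{
    if (logical_processors < MIN_THREADS) return MIN_THREADS;
    if (logical_processors > MAX_THREADS) return MAX_THREADS;
    return logical_processors;
}

#ifdef _WIN32
typedef NTSTATUS (NTAPI *pfnNtQuerySystemInformation)(
    SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);

/* Resolve the native API dynamically from the already-loaded ntdll.dll and read
 * NumberOfProcessors from SYSTEM_BASIC_INFORMATION. Returns 0 on any failure. */
unsigned logical_processor_count(void)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (!ntdll) return 0;

    pfnNtQuerySystemInformation fn = (pfnNtQuerySystemInformation)
        GetProcAddress(ntdll, "NtQuerySystemInformation");
    if (!fn) return 0;

    SYSTEM_BASIC_INFORMATION sbi;
    ULONG returned = 0;
    NTSTATUS status = fn(SystemBasicInformation, &sbi, sizeof sbi, &returned);
    if (status != 0) return 0;   /* STATUS_SUCCESS == 0 */

    /* NumberOfProcessors is a CCHAR in winternl.h; widen without sign extension. */
    return (unsigned)(unsigned char)sbi.NumberOfProcessors;
}
#else
/* Portable stand-in so the clamp logic can be exercised off Windows. */
unsigned logical_processor_count(void)
{
    long n = sysconf(_SC_NPROCESSORS_ONLN);
    return n > 0 ? (unsigned)n : 0;
}
#endif

int main(void)
{
    unsigned cpus = logical_processor_count();
    printf("logical processors: %u, worker threads: %u\n",
           cpus, encryption_thread_count(cpus));
    return 0;
}
```

The clamp matters for analysts as much as for the malware author: a machine with a single logical processor still sees two encryption threads, and a large server is capped at sixteen, so thread counts observed in a sandbox trace will not scale linearly with host size.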