Arctic Wolf sniffs out new ransomware variant
- by nlqip
“The NtQuerySystemInformation function allows the caller to obtain information about the current system’s physical details such as the number of logical processors available,” Arctic Wolf said. “This information can be useful when determining how many threads the multi-threaded encryption routine should allocate.”
Once critical system information is obtained, encryption is attempted. “Using the system information discovered earlier, the sample configures a thread pool dedicated to encrypting all the discovered files,” the report added. “This thread pool uses the logical processor information with a minimum number of two processors and a maximum number of sixteen processors. The deprecated Windows APIs CryptImportKey and CryptEncrypt are called during the process.”
After the encryption is completed, the miscreants leave a ransom note, written to one of the configuration files on the disk, under the usual ‘readme.txt’ name.