On July 21st, a new ransomware variant dubbed Exorcist Ransomware was discovered. This ransomware is unusual in that it inspects the machine's keyboard layouts and regional settings as soon as it lands in the environment. Specifically, it checks the machine's locale before starting the encryption process: on machines with a Russian locale, machines set to the Moscow Standard Time zone, or machines with a Russian keyboard layout installed, the malware terminates itself without encrypting anything.

The attack, which originates from the CIS (Commonwealth of Independent States), encrypts files and demands a ransom of $5,000 in bitcoin. It also runs without any connection to the internet. Based on threat intelligence, it is being distributed as RaaS (Ransomware-as-a-Service), and the attacker who gets a user to fall victim earns a 30% commission. This brings a whole new meaning to third-party usage.

Courtesy of @malwrhunterteam

What you will see if your computer is infected by this ransomware is a changed desktop wallpaper and HTML applications (HTA files) dropped into multiple folders. Files keep their original names, but an extra extension is appended once encryption is carried out. The cybercriminals behind this want victims to communicate with them so they have a better chance of getting paid.
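The two file-system artifacts described above (an extension appended to many files of different types, and the same HTA note replicated across folders) are easy to turn into a triage check. The script below is an added example, not code from the original post or from SpearTip; it runs over a constructed list of paths such as a file-system snapshot or file-creation log would give you. The `.locked-example` extension and the `DECRYPT-README-example.hta` note name are placeholders, since the post does not give the real ones.

```python
from collections import Counter, defaultdict

# Constructed sample snapshot of paths seen after an infection.
# The appended extension and the note name are placeholders, not the
# real Exorcist values (the post does not state them).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.locked-example",
    r"C:\Users\alice\Documents\DECRYPT-README-example.hta",
    r"C:\Users\alice\Pictures\holiday.jpg.locked-example",
    r"C:\Users\alice\Pictures\DECRYPT-README-example.hta",
    r"C:\Users\alice\Desktop\notes.txt.locked-example",
    r"C:\Users\alice\Desktop\DECRYPT-README-example.hta",
    r"C:\Users\alice\Desktop\todo.txt",          # untouched file
    r"C:\Program Files\App\app.exe",             # untouched file
    r"C:\Users\alice\Downloads\archive.tar.gz",  # benign double extension
]


def _split_path(path):
    """Return (directory, filename) for a Windows or POSIX style path."""
    norm = path.replace("\\", "/")
    directory, _, name = norm.rpartition("/")
    return directory, name


def split_added_extension(path):
    """For a name with two or more extensions, return
    (original_ext, added_ext), e.g. 'budget.xlsx.locked-example'
    -> ('.xlsx', '.locked-example'). Return None otherwise."""
    _, name = _split_path(path)
    parts = name.split(".")
    if len(parts) < 3:
        return None
    return "." + parts[-2].lower(), "." + parts[-1].lower()


def suspicious_added_extensions(paths, min_files=3, min_original_types=2):
    """Flag an appended extension that appears on at least `min_files`
    files spanning at least `min_original_types` distinct original
    extensions. Legitimate double extensions such as .tar.gz cluster on
    a single original type and so stay below the threshold."""
    originals = defaultdict(set)
    counts = Counter()
    for p in paths:
        split = split_added_extension(p)
        if split is None:
            continue
        orig, added = split
        originals[added].add(orig)
        counts[added] += 1
    return sorted(
        ext for ext in counts
        if counts[ext] >= min_files and len(originals[ext]) >= min_original_types
    )


def replicated_hta_notes(paths, min_dirs=3):
    """Flag an .hta filename dropped into at least `min_dirs` distinct
    directories, the note-placement pattern the post describes."""
    dirs_by_name = defaultdict(set)
    for p in paths:
        directory, name = _split_path(p)
        if name.lower().endswith(".hta"):
            dirs_by_name[name].add(directory)
    return sorted(n for n, d in dirs_by_name.items() if len(d) >= min_dirs)


def triage(paths):
    """Combine both checks into one report dict."""
    return {
        "added_extensions": suspicious_added_extensions(paths),
        "replicated_hta": replicated_hta_notes(paths),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```

The thresholds are deliberately conservative: one file with a new suffix is noise, but the same unfamiliar suffix on spreadsheets, images and text files at once, next to an identical HTA in every folder, is the pattern worth paging someone over.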

The typical entry points are the same as for many other ransomware variants:

  • Email Compromise
  • RDP (Remote Desktop Protocol) Entrance
  • Malicious attachments and URLs

Courtesy of @malwrhunterteam

We closely monitor new ransomware and its patterns to stay on top of the latest developments. Twitter user @malwrhunterteam is a great resource and provides more in-depth details on exactly how the attack is executed and what it looks like on the inside.

SpearTip experts want you to be aware of these types of attacks because they can affect you. It is vital that you pay attention to your internet safety. No IOCs have been released as of now, but the initial access was most likely either email compromise or entry through RDP. More investigation is being done into how the bad actors entered the environment, but the fact is these people will attack anyone with no remorse.

Preventing these attacks is possible, and SpearTip can be a hub for achieving this. Our in-house tool, ShadowSpear®, is a multi-faceted option for companies or organizations looking to keep themselves protected. From the information above, it is evident that ransomware is not going away any time soon.

This is a breaking news story and more information will be posted as the story develops. Refresh this page for the latest update.

Be smart. Invest in a cybersecurity plan.

24/7 Breach Response: 833.997.7327