Phoenix Cryptolocker ransomware is a new malware variant that reportedly targeted the insurance giant CNA in March 2021. CNA's customer and employee services were disrupted for 3 days as a result of the attack. The ransomware is believed to be linked to the Evil Corp threat group, as its code resembles that of Evil Corp's earlier ransomware. The new variant targets files with multiple extensions and leaves behind a ransom note containing the threat actor's Telegram contact, "phoenix helpdesk".
Based on the assumed connection with the Evil Corp threat group, initial access to the network is gained over RDP (Remote Desktop Protocol) or by using compromised credentials to access VPS (Virtual Private Servers). The ransomware masquerades as legitimate software signed with a digital certificate issued by "SATURDAY CITY LIMITED", which tricks the user into launching it. Once executed, the ransomware enumerates the system's folders and directories for specific file extensions, encrypts the targeted files, and appends a ".phoenix" extension to each encrypted file. It then leaves a ransom note in the file "phoenix-help.txt".
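As an added example (not part of the original report), a small host-triage script that walks a directory tree for the two on-disk indicators described above: files renamed with the appended .phoenix extension and copies of the phoenix-help.txt ransom note. The verdict threshold and the sample directory it builds are assumptions, not data from the report.

```python
import os
import tempfile

ENCRYPTED_EXT = ".phoenix"        # extension appended to encrypted files (from the report)
RANSOM_NOTE = "phoenix-help.txt"  # ransom note dropped by the malware (from the report)


def scan_for_phoenix(root):
    """Walk `root` and collect the two indicators the report describes:
    files renamed with .phoenix and copies of the ransom note."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif name.lower() == RANSOM_NOTE:
                notes.append(path)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def triage_verdict(result, min_encrypted=5):
    """Note plus many encrypted files is the full pattern; either alone is
    worth a look; nothing found is clean. min_encrypted is an assumed
    threshold to tune per environment."""
    n_enc = len(result["encrypted"])
    if result["notes"] and n_enc >= min_encrypted:
        return "phoenix-encryption-likely"
    if result["notes"] or n_enc:
        return "suspicious"
    return "clean"


def build_constructed_sample():
    """Constructed fixture: a temp tree with six renamed files, one note and
    one untouched file. Nothing here is real ransomware output."""
    root = tempfile.mkdtemp(prefix="phoenix-triage-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for i in range(6):
        with open(os.path.join(docs, f"report{i}.docx{ENCRYPTED_EXT}"), "wb") as f:
            f.write(os.urandom(64))  # stand-in for ciphertext
    with open(os.path.join(docs, RANSOM_NOTE), "w") as f:
        f.write("constructed placeholder note\n")
    with open(os.path.join(root, "README.md"), "w") as f:
        f.write("untouched file\n")
    return root


if __name__ == "__main__":
    res = scan_for_phoenix(build_constructed_sample())
    print(triage_verdict(res), len(res["encrypted"]), res["notes"])
```

Run it against a mounted image or a suspect share root to get a quick count of renamed files and note locations before deciding whether to isolate the host.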
The ransomware is delivered as legitimately signed software that tricks the victim into executing it.
Encrypts the victim's data.
Encryption of the data severely disrupts business continuity.
Damages the reputation of the victim company.
Maintain and regularly update backups of all data
Grant only the minimum level of access/permissions to all users
Isolate infected machines from the network
Replace all credentials with strong, unique ones
Use up-to-date antivirus, prevention, and detection security tools
Use multi-factor authentication for all system accounts
Tactics, Techniques, and Procedures
Command and Scripting Interpreter
Windows Management Instrumentation
Windows File and Directory Permissions Modification