Phoenix Cryptolocker Ransomware Threat Intel Advisory

Executive Summary

Phoenix Cryptolocker ransomware is a new variant of malware that reportedly targeted the insurance giant CNA, in March 2021. CNA’s customer and employee services were disrupted for 3 days, due to the attack. The ransomware is believed to be linked to the Evil Corp threat group as its code resembles the one used by Evil Corp in its previous ransomware. The new variant targets files with multiple extensions, leaving behind a ransom note along with the threat actor’s Telegram contact, “phoenix helpdesk”.

Technical Details

Based on the assumed connection with the Evil Corp threat group the initial access to the network is done by using RDP (Remote Desktop Protocol) or by using compromised credentials to access VPS (Virtual Private Servers). The ransomware masquerades as a legitimate software signed with a digital certificate issued by “SATURDAY CITY LIMITED.” It tricks the user into launching the software. Once the ransomware is executed it enumerates the system folders and directories for specific file extensions, encrypts the targeted files, and appends a “.phoenix“ extension to the encrypted files. They then leave a ransom note in the file “phoenix-help.txt.”

Impact

Technical Impact

• This ransomware comes as a legit signed software tricking the victim to execute it.
• Encrypting the victims data.

Business Impact

• Encrypting the data makes a big impact on the business continuity process.
• Affects the reputation of the victim company.

Mitigation

• Maintain and update backup of all data
• Grant only minimum levels of access/ permissions to all users
• Isolate infected machines from the network
• Update all credentials with a strong and secure one
• Use updated version of AV, prevention and detection security tools
• Use multi-factor authentication for all system accounts

Tactics, Techniques, and Procedures

Indicators of Compromise