Phoenix Cryptolocker Ransomware Threat Intel Advisory

Published 29 April 2021


  • Phoenix Cryptolocker ransomware reportedly targeted the insurance giant CNA in March 2021
  • The ransomware is believed to be linked to the Evil Corp threat group


Advisory Type: Malware Intelligence
Malware Name: Phoenix Cryptolocker
Malware Type: Ransomware
Target Platform: Windows

Executive Summary

Phoenix Cryptolocker is a new ransomware variant that reportedly targeted the insurance giant CNA in March 2021; the attack disrupted CNA's customer and employee services for three days. The ransomware is believed to be linked to the Evil Corp threat group because its code resembles that of Evil Corp's earlier ransomware. It targets files with a wide range of extensions and leaves behind a ransom note containing the threat actor's Telegram contact, “phoenix helpdesk”.

Technical Details

The initial access vector is inferred from the assumed connection with Evil Corp: that group typically gains entry over exposed RDP (Remote Desktop Protocol) or with compromised credentials for VPS (virtual private server) hosts. The ransomware masquerades as legitimate software: the binary is signed with a code-signing certificate issued to “SATURDAY CITY LIMITED” (the Sectigo CRL and OCSP URLs in the Indicators of Compromise section below come from that certificate chain), which lowers the user's suspicion and lets it pass controls that trust signed code, so the user launches it. Once executed, the ransomware enumerates folders and directories for the targeted file extensions, encrypts each matching file and appends a “.phoenix” extension to it, then drops a ransom note named “phoenix-help.txt”.

Figure: the phoenix-help.txt ransom note

Impact

Technical Impact
  • The ransomware is delivered as a digitally signed binary, which lowers the victim's suspicion and lets it pass controls that trust signed code.
  • It encrypts the victim's data, appending “.phoenix” to every affected file.
Business Impact
  • Loss of access to encrypted data disrupts business continuity; in the CNA case, customer and employee services were down for three days.
  • The incident damages the reputation of the victim company.

Mitigation

  • Maintain current backups of all data, kept offline or otherwise isolated so that the ransomware cannot reach them, and test restoration regularly
  • Grant users only the minimum access and permissions they need (least privilege)
  • Isolate infected machines from the network as soon as they are identified
  • Reset all credentials and replace them with strong, unique ones, starting with accounts used for RDP and remote server access, the initial-access path described above
  • Keep anti-virus and other prevention and detection tools up to date
  • Enforce multi-factor authentication on all accounts, in particular RDP and other remote logins

Tactics, Techniques, and Procedures

Execution
  • T1059 Command and Scripting Interpreter
  • T1106 Native API
  • T1204 User Execution
  • T1047 Windows Management Instrumentation
Persistence
  • T1543.003 Windows Service
Privilege Escalation
  • T1543.003 Windows Service
Defense Evasion
  • T1222.001 Windows File and Directory Permissions Modification
  • T1564.001 Hidden Files and Directories
  • T1218 Signed Binary Proxy Execution
  • T1070.004 File Deletion
  • T1036 Masquerading
  • T1027 Obfuscated Files or Information
  • T1027.002 Software Packing
Discovery
  • T1083 File and Directory Discovery
  • T1518.001 Security Software Discovery
  • T1082 System Information Discovery
Collection
  • T1560 Archive Collected Data
  • T1005 Data from Local System
Command and Control
  • T1573 Encrypted Channel
Impact
  • T1486 Data Encrypted for Impact


Indicators of Compromise

SHA256
  • 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
File (“user” stands for the affected profile name)
  • C:\Users\user\AppData\Roaming\DataWlan\Dfrg (the dropper, written to the user's roaming profile)
  • C:\Users\user\AppData\Roaming\DataWlan\Dfrg:Zone.Identifier (the NTFS alternate data stream, “Mark of the Web”, that Windows attaches to files downloaded from the internet; it indicates the dropper arrived by download rather than being copied locally)
URL
  • https://t.me/phdecrypt (the actor's Telegram contact used for negotiation)
  • http://crl.sectigo.com/SectigoRSATimeStampingCA.crl
  • http://crl.sectigo.com/SectigoRSACodeSigningCA.crl
  • https://sectigo.com/CPS
  • http://ocsp.sectigo.com
  • http://crt.sectigo.com/SectigoRSACodeSigningCA.crt
  • http://crt.sectigo.com/SectigoRSATimeStampingCA.crt

The sectigo.com entries are the CRL, OCSP, CPS and issuer-certificate URLs embedded in the sample's Sectigo code-signing and timestamping certificate chain. They are legitimate certificate-authority infrastructure that any Sectigo-signed binary contacts during signature validation; they are listed as context for the signed-binary finding and should not be blocked or used as standalone detections. The SHA256, the dropper path and the Telegram URL are the actionable indicators.
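As an added example (not code from the advisory or from any incident investigation), the following Python script hunts a directory tree for the artifacts described in Technical Details and listed in the indicators above: files renamed with the “.phoenix” extension, the “phoenix-help.txt” ransom note, the DataWlan\Dfrg dropper path and the published SHA256. It goes slightly beyond the text by also summarising which directories were hit hardest and the earliest ransom-note timestamp, which bounds when encryption started on the host. All function names, the 50 MB hashing cap and the directory layout built by build_sample_tree() are the example's own assumptions and constructed test data; no real malware is involved.

```python
"""Hunt a directory tree for the Phoenix Cryptolocker artifacts this
advisory lists: files renamed with the ".phoenix" extension, the
"phoenix-help.txt" ransom note, the dropper path
Users\\<user>\\AppData\\Roaming\\DataWlan\\Dfrg and the published SHA256.

Added example, not code from the advisory. build_sample_tree() writes
constructed test data (random bytes and a stand-in "dropper"), not malware.
"""
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

# Observables taken from the advisory's indicator list.
IOC_SHA256 = {"008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549"}
ENCRYPTED_EXT = ".phoenix"
RANSOM_NOTE = "phoenix-help.txt"
DROPPER_TAIL = ("appdata", "roaming", "datawlan", "dfrg")  # compared case-insensitively


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def hunt(root, known_hashes=IOC_SHA256, max_hash_bytes=50 << 20):
    """Walk `root` and return every path matching each indicator class.

    Hashing is limited to files up to `max_hash_bytes` (assumed cap) because
    the dropper is a small executable and hashing multi-gigabyte files is
    wasted effort.  The Zone.Identifier stream listed in the advisory is an
    NTFS alternate data stream that os.walk cannot see; when a dropper path
    is found, read it on the host with Windows tooling (for example
    PowerShell `Get-Content <file> -Stream Zone.Identifier`).
    """
    found = {"encrypted": [], "notes": [], "dropper_paths": [], "hash_hits": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            low = name.lower()
            if low.endswith(ENCRYPTED_EXT):
                found["encrypted"].append(path)
            if low == RANSOM_NOTE:
                found["notes"].append(path)
            if tuple(p.lower() for p in path.parts[-len(DROPPER_TAIL):]) == DROPPER_TAIL:
                found["dropper_paths"].append(path)
            try:
                if path.stat().st_size <= max_hash_bytes and sha256_of(path) in known_hashes:
                    found["hash_hits"].append(path)
            except OSError:
                continue  # unreadable or vanished file; keep hunting
    return found


def impact_summary(found):
    """Directories with the most encrypted files, plus the earliest ransom-note
    mtime, which bounds when encryption started on this host."""
    by_dir = Counter(str(p.parent) for p in found["encrypted"])
    note_times = [p.stat().st_mtime for p in found["notes"] if p.exists()]
    return {
        "top_dirs": by_dir.most_common(5),
        "first_note_mtime": min(note_times) if note_times else None,
    }


def build_sample_tree(base):
    """Constructed post-encryption user profile, for demonstration only."""
    user = Path(base) / "Users" / "user"
    dropper = user / "AppData" / "Roaming" / "DataWlan" / "Dfrg"
    dropper.parent.mkdir(parents=True)
    dropper.write_bytes(b"MZ" + b"\x00" * 62 + b"stand-in, not the real sample")
    docs = user / "Documents"
    docs.mkdir()
    (docs / ("q1-report.docx" + ENCRYPTED_EXT)).write_bytes(os.urandom(256))
    (docs / ("budget.xlsx" + ENCRYPTED_EXT)).write_bytes(os.urandom(256))
    (docs / RANSOM_NOTE).write_text("Your files are encrypted. Contact phoenix helpdesk.\n")
    (user / "Desktop").mkdir()
    (user / "Desktop" / "notes.txt").write_text("untouched\n")
    return user, dropper


def demo():
    """Run the hunt over the constructed tree and return counts per indicator class."""
    with tempfile.TemporaryDirectory() as tmp:
        user, dropper = build_sample_tree(tmp)
        # The stand-in cannot match the real IoC hash, so its own hash is
        # added only to exercise the hash path; a real hunt passes IOC_SHA256.
        found = hunt(user, known_hashes=IOC_SHA256 | {sha256_of(dropper)})
        summary = impact_summary(found)
        return {
            "encrypted": len(found["encrypted"]),
            "notes": len(found["notes"]),
            "dropper_paths": len(found["dropper_paths"]),
            "hash_hits": len(found["hash_hits"]),
            "top_dir_is_documents": summary["top_dirs"][0][0].endswith("Documents"),
        }


if __name__ == "__main__":
    print(demo())
```

On a real case, point hunt() at a mounted disk image or an offline copy of the Users tree (for example hunt(Path(r"E:\Users"))) rather than a live, still-infected host, and keep the sectigo.com URLs out of the indicator set: they are CA infrastructure, not attacker infrastructure.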
