Threat Signal Report

Ransomware Roundup - 2022/05/26

Description

FortiGuard Labs became aware of a number of new ransomware strains during the week of May 23rd, 2022. It is imperative to raise awareness about new ransomware, as infections can cause severe damage to the affected machines and organizations. This Threat Signal covers Yashma ransomware, GoodWill ransomware, and Horsemagyar ransomware, along with Fortinet protections against them.


What is Yashma Ransomware?

Yashma ransomware is a new strain generated with the Yashma ransomware builder, which is claimed to be the sixth version of the Chaos ransomware builder. Reportedly, compared to the fifth version, the Yashma builder adds a "forbidden country" option that lets attackers prevent the generated ransomware from running based on the victim's location. The new builder also enables the ransomware to stop a wide variety of services on the compromised machine, such as anti-malware solutions and Remote Desktop and Backup services. Additionally, it is important to note that since the fifth version of the Chaos ransomware builder, the crafted ransomware can successfully encrypt files larger than 2,117,152 bytes instead of corrupting them.


A known sample of Yashma ransomware has the following ransom note:


All of your files have been encrypted with Yashma ransomware

Your computer was infected with a ransomware. Your files have been encrypted and you won't be able to decrypt them without our help.

What can I do to get my files back?

You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is $1,500. Payment can be made in Bitcoin only.

How do I pay, where do I get Bitcoin?

Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.

Many of our customers have reported these sites to be fast and reliable:

Coinmama - hxxps://www[.]coinmama[.]com
Bitpanda - hxxps://www[.]bitpanda[.]com

Payment information
Amount: 0.1473766 BTC
Bitcoin Address: [removed]


At the time of this writing, the attacker's bitcoin wallet has no transactions.


FortiGuard Labs previously released several blogs on Chaos ransomware. See the Appendix for links to "Chaos Ransomware Variant Sides with Russia" and "Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers".


What is the Status of Coverage for Yashma ransomware?

FortiGuard Labs provides the following AV coverage against a known sample of Yashma ransomware:


MSIL/Filecoder.APU!tr.ransom


What is GoodWill Ransomware?

GoodWill ransomware was only recently discovered; however, it appears to have been first observed in March 2022. The ransomware encrypts files on the compromised machine and appends a ".gdwill" file extension to the affected files.


Unlike other ransomware, which demands a ransom to recover the encrypted files, GoodWill asks the victim to perform three good deeds. First, the victim must provide clothes and blankets to needy people on the street. Second, the victim must feed dinner to five children at a pizza or fried chicken joint. Last, the victim must visit a local hospital and provide financial assistance to those in need. After finishing each deed, the victim must provide proof to the attacker; once all three deeds are completed, the attacker provides a decryption tool and video instructions.


What is the Status of Coverage for GoodWill ransomware?

FortiGuard Labs provides the following AV coverage against GoodWill ransomware:


MSIL/Filecoder.AGR!tr.ransom


What is Horsemagyar Ransomware?

Horsemagyar ransomware is a recently discovered new variant of Sojusz ransomware. It encrypts files on the compromised machine and appends a ".[10 digit ID number].spanielearslook.likeoldboobs" extension to the encrypted files. The ransomware leaves a ransom note named Horse.txt. The first sighting of Sojusz ransomware goes back to February 2022, when it appended a ".[10 digit ID number].[attacker's email address].bec" extension to the files it encrypted.
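As an added illustration (not part of the original report and not Fortinet's own tooling), the following Python script checks file paths against the extension patterns the report gives for GoodWill, Horsemagyar and its Sojusz predecessor, recognises the Horse.txt ransom note, and flags directories in which several files already carry such extensions. The sample paths, the 10-digit ID values and the attacker@example.com address are constructed placeholders, not observed indicators.

```python
import re
from collections import Counter, defaultdict

# Extension patterns taken from the report's descriptions. The 10-digit victim
# ID and the attacker e-mail address are placeholders in the report, so they
# are matched generically rather than as fixed strings.
EXTENSION_PATTERNS = {
    "GoodWill": re.compile(r"\.gdwill$", re.IGNORECASE),
    "Horsemagyar": re.compile(r"\.\d{10}\.spanielearslook\.likeoldboobs$", re.IGNORECASE),
    "Sojusz": re.compile(r"\.\d{10}\.[^\\/\s]+@[^\\/\s]+\.bec$", re.IGNORECASE),
}

# Ransom-note file names taken from the report (Horse.txt for Horsemagyar).
NOTE_NAMES = {"horse.txt": "Horsemagyar"}

# Constructed sample paths (not real observations), mixing Windows and POSIX style.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.gdwill",
    r"C:\Users\alice\Documents\invoice.pdf.gdwill",
    r"C:\Users\alice\Documents\photo.jpg.gdwill",
    r"C:\Users\alice\Documents\notes.txt",
    r"D:\share\report.docx.1234567890.spanielearslook.likeoldboobs",
    r"D:\share\Horse.txt",
    "/mnt/backup/plans.pdf.0987654321.attacker@example.com.bec",
    "/mnt/backup/readme.txt",
]


def split_path(path):
    """Return (directory, file name) for either Windows or POSIX style paths."""
    name = re.split(r"[\\/]", path)[-1]
    directory = path[: len(path) - len(name)].rstrip("\\/")
    return directory, name


def classify_file(path):
    """Return (family, kind) with kind 'note' or 'encrypted', or None if clean."""
    _, name = split_path(path)
    if name.lower() in NOTE_NAMES:
        return NOTE_NAMES[name.lower()], "note"
    for family, pattern in EXTENSION_PATTERNS.items():
        if pattern.search(name):
            return family, "encrypted"
    return None


def scan(paths, burst_threshold=3):
    """Classify every path and flag directories holding many renamed files.

    A directory with burst_threshold or more encrypted-looking files is a
    stronger signal than a single odd file name, so it is reported separately.
    """
    hits = defaultdict(list)
    per_dir = Counter()
    for path in paths:
        result = classify_file(path)
        if result is None:
            continue
        family, kind = result
        hits[family].append((kind, path))
        if kind == "encrypted":
            per_dir[split_path(path)[0]] += 1
    suspicious_dirs = sorted(d for d, n in per_dir.items() if n >= burst_threshold)
    return {"hits": dict(hits), "suspicious_dirs": suspicious_dirs}


if __name__ == "__main__":
    report = scan(SAMPLE_PATHS)
    for family, entries in report["hits"].items():
        for kind, path in entries:
            print(f"{family:12s} {kind:9s} {path}")
    print("directories with encryption bursts:", report["suspicious_dirs"])
```

The extension regexes anchor on the end of the file name only, so an original extension such as .xlsx before the appended one does not matter; the note name is compared case-insensitively because NTFS is case-insensitive.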


An example of the ransom note left behind by Horsemagyar ransomware is shown below:


::: Hello my dear friend :::

Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted

If you want to restore them,write to our skype - [removed] DECRYPTION

Also you can write ICQ live chat which works 24/7 @[removed]

Install ICQ software on your PC https://icq[.]com/windows/ or on your mobile phone search in Appstore / Google market ICQ

Write to our ICQ @[removed] https://icq[.]im/[removed]

If we not reply in 6 hours you can write to our mail but use it only if previous methods not working - [removed]@onionmail.org

Attention!

* Do not rename encrypted files.

* Do not try to decrypt your data using third party software, it may cause permanent data loss.

* We are always ready to cooperate and find the best way to solve your problem.

* The faster you write, the more favorable the conditions will be for you.

* Our company values its reputation. We give all guarantees of your files decryption,such as test decryption some of them

We respect your time and waiting for respond from your side

tell your MachineID: MACHINE_ID and LaunchID: LAUNCH__ID

Sensitive data on your system was DOWNLOADED.

If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly.

Data includes:

- Employees personal data, CVs, DL, SSN.

- Complete network map including credentials for local and remote services.

- Private financial information including: clients data, bills, budgets, annual reports, bank statements.

- Manufacturing documents including: datagrams, schemas, drawings in solidworks format

- And more...


What is the Status of Coverage against Horsemagyar Ransomware?

FortiGuard Labs provides the following AV coverage against Horsemagyar ransomware:


W32/Filecoder.NSF!tr.ransom


Anything Else to Note?

Victims of ransomware are cautioned against paying ransoms by organizations such as CISA, NCSC, the FBI, and HHS. Payment does not guarantee that files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities, which could potentially be illegal according to an advisory from the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC).


Definitions

Traffic Light Protocol

Color | When should it be used? | How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.