2016-06-26 - RIG EK FROM 46.30.42.236 SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

  • 2016-06-25-Rig-EK-sends-Cerber-ransomware-after-southcoastdrones.com.au.pcap   (4,261,866 bytes)
  • 2016-06-26-Rig-EK-sends-Cerber-ransomware-after-southcoastdrones.com.au.pcap   (4,752,659 bytes)
  • 2016-06-25-Cerber-decryption-instructions.bmp   (2,647,454 bytes)
  • 2016-06-25-Cerber-decryption-instructions.html   (12,389 bytes)
  • 2016-06-25-Cerber-decryption-instructions.txt   (10,514 bytes)
  • 2016-06-25-Cerber-decryption-instructions.vbs   (225 bytes)
  • 2016-06-25-Rig-EK-flash-exploit-after-southcoastdrones.com.au.swf   (24,439 bytes)
  • 2016-06-25-Rig-EK-landing-page-after-southcoastdrones.com.au.txt   (5,282 bytes)
  • 2016-06-25-Rig-EK-payload-Cerber-ransomware-after-southcoastdrones.com.au.exe   (204,017 bytes)
  • 2016-06-26-Cerber-decryption-instructions.bmp   (1,986,214 bytes)
  • 2016-06-26-Cerber-decryption-instructions.html   (12,389 bytes)
  • 2016-06-26-Cerber-decryption-instructions.txt   (10,514 bytes)
  • 2016-06-26-Cerber-decryption-instructions.vbs   (225 bytes)
  • 2016-06-26-Rig-EK-flash-exploit-after-southcoastdrones.com.au.swf   (24,439 bytes)
  • 2016-06-26-Rig-EK-landing-page-after-southcoastdrones.com.au.txt   (5,326 bytes)
  • 2016-06-26-Rig-EK-payload-Cerber-ransomware-after-southcoastdrones.com.au.exe   (631,072 bytes)

NOTES:

 

TRAFFIC

ASSOCIATED DOMAINS:

 

IMAGES

Shown above:  Traffic from the first pcap filtered in Wireshark.

Shown above:  Traffic from the second pcap filtered in Wireshark.

Shown above:  Injected script in page from compromised website pointing to the gate.

Shown above:  The gate redirecting to a Rig EK landing page.

Shown above:  Infected Windows desktop from Saturday, 2016-06-25.

Shown above:  Infected Windows desktop from Sunday, 2016-06-26.

Shown above:  An example of the desktop background from Saturday, 2016-06-25.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
