2017-03-15 - EITEST RIG EK SENDS REVENGE RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-03-15-EITest-Rig-EK-sends-Revenge-ransomware.pcap.zip 187 kB (187,246 bytes)
- 2017-03-15-EITest-Rig-EK-sends-Revenge-ransomware.pcap (241,884 bytes)
- ZIP archive of the malware: 2017-03-15-EITest-Rig-EK-sends-Revenge-ransomware-malware-and-artifacts.zip 163 kB (163,435 bytes)
- 2017-03-15-EITest-Rig-EK-flash-exploit.swf (14,942 bytes)
- 2017-03-15-EITest-Rig-EK-landing-page.txt (118,021 bytes)
- 2017-03-15-EITest-Rig-EK-payload-Revenge-ransomware-5uhcwesi.exe (116,224 bytes)
- 2017-03-15-Revenge-Ransomware-decryption-instructions.txt (7,116 bytes)
- 2017-03-15-page-from-activaclinics.com-with-injected-EITest-script.txt (59,358 bytes)
DETAILS
NOTES:
- Revenge ransomware is a variant (or the next evolution) of CryptoMix ransomware.
- BroadAnalysis.com reported it yesterday: Rig Exploit Kit via the EiTest delivers CryptoShield/REVENGE ransomware
- Read more from BleepingComputer: Revenge Ransomware, a CryptoMix Variant, Being Distributed by RIG Exploit Kit

ASSOCIATED DOMAINS:
- www.activaclinics.com - compromised site
- 188.227.75.37 port 80 - try.bannerautoservice.com - Rig EK
- 91.207.7.77 port 80 - 91.207.7.77 - POST /images/temp/4gallery/temp_reserv/gallery.php [Revenge ransomware post-infection traffic]
FILE HASHES:
- SHA256 hash: 3ff2b1e57b82789084f722fb22388af0d79dc3340325d8db83e63c1a2a42da79
File description: Rig EK Flash exploit seen on 2017-03-15
- SHA256 hash: 8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c
File location: C:\Users\[username]\AppData\Local\Temp\5uhcwesi.exe
File description: EITest Rig EK payload, Revenge ransomware
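The indicators above (compromised site, Rig EK host/IP, post-infection POST, payload hashes) can be turned into a quick pcap triage. The script below is an added example, not part of the original post or the malware-traffic-analysis.net tooling: it reads tab-separated HTTP request records of the kind `tshark -r file.pcap -Y http.request -T fields -e ip.dst -e tcp.dstport -e http.host -e http.request.method -e http.request.uri` prints, flags every request that matches an indicator from this page, and checks that the chain appears in the expected order. The sample request lines are constructed; the source IP for activaclinics.com and the landing-page/Flash-exploit URIs are placeholders, since the post does not list them, so those stages are matched on host and IP only.

```python
# Added example (not code from the original post): triage HTTP requests against the
# indicators on this page and reconstruct the EITest -> Rig EK -> Revenge chain.
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Network indicators taken from the "ASSOCIATED DOMAINS" section.
IOC_HOSTS = {
    "www.activaclinics.com": "compromised site (injected EITest script)",
    "try.bannerautoservice.com": "Rig EK",
}
IOC_ENDPOINTS = {
    ("188.227.75.37", 80): "Rig EK",
    ("91.207.7.77", 80): "Revenge ransomware post-infection traffic",
}
IOC_URIS = {
    "/images/temp/4gallery/temp_reserv/gallery.php": "Revenge ransomware check-in",
}
# File indicators taken from the "FILE HASHES" section.
IOC_SHA256 = {
    "3ff2b1e57b82789084f722fb22388af0d79dc3340325d8db83e63c1a2a42da79": "Rig EK Flash exploit seen on 2017-03-15",
    "8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c": "EITest Rig EK payload, Revenge ransomware",
}
# Stages that must appear, in this order, for the capture to show the full chain.
CHAIN_ORDER = [
    "compromised site (injected EITest script)",
    "Rig EK",
    "Revenge ransomware post-infection traffic",
]


@dataclass
class HttpRequest:
    dst_ip: str
    dst_port: int
    host: str
    method: str
    uri: str


def parse_tshark_line(line: str) -> HttpRequest:
    """Parse one tab-separated tshark field line (ip.dst, tcp.dstport, host, method, uri)."""
    dst_ip, dst_port, host, method, uri = line.rstrip("\n").split("\t")
    return HttpRequest(dst_ip, int(dst_port), host, method, uri)


def classify(req: HttpRequest) -> List[str]:
    """Return every indicator label the request matches; empty list for benign traffic."""
    labels = []
    if req.host in IOC_HOSTS:
        labels.append(IOC_HOSTS[req.host])
    if (req.dst_ip, req.dst_port) in IOC_ENDPOINTS:
        labels.append(IOC_ENDPOINTS[(req.dst_ip, req.dst_port)])
    if req.uri in IOC_URIS:
        labels.append(IOC_URIS[req.uri])
    # Host and IP often map to the same label; keep first occurrence only.
    return list(dict.fromkeys(labels))


def infection_chain(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """(record number, label) for every request matching an indicator, in capture order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for label in classify(parse_tshark_line(line)):
            hits.append((n, label))
    return hits


def chain_is_complete(hits: List[Tuple[int, str]]) -> bool:
    """True when compromised site, EK and post-infection traffic all appear, in that order."""
    seen = [label for _, label in hits if label in CHAIN_ORDER]
    return list(dict.fromkeys(seen)) == CHAIN_ORDER


def lookup_sha256(digest: str) -> Optional[str]:
    """Description for a SHA256 listed on this page, or None if unknown."""
    return IOC_SHA256.get(digest.lower())


def check_file(data: bytes) -> Optional[str]:
    """Hash file contents and look the digest up; None means not one of the listed files."""
    return lookup_sha256(hashlib.sha256(data).hexdigest())


# Constructed sample in the order the post describes. 203.0.113.10, /index.html,
# /landing and /exploit.swf are placeholders, not values from the capture.
SAMPLE_REQUESTS = [
    "203.0.113.10\t80\twww.activaclinics.com\tGET\t/index.html",
    "188.227.75.37\t80\ttry.bannerautoservice.com\tGET\t/landing",
    "188.227.75.37\t80\ttry.bannerautoservice.com\tGET\t/exploit.swf",
    "198.51.100.7\t80\tcdn.example\tGET\t/jquery.js",
    "91.207.7.77\t80\t91.207.7.77\tPOST\t/images/temp/4gallery/temp_reserv/gallery.php",
]

if __name__ == "__main__":
    hits = infection_chain(SAMPLE_REQUESTS)
    for n, label in hits:
        print(f"request {n}: {label}")
    print("full chain observed:", chain_is_complete(hits))
    print("constructed bytes match a listed file:", check_file(b"not the real payload"))
```

Matching the post-infection stage on both the destination IP and the gallery.php URI is deliberate: Rig EK rotated hosts and IPs quickly in 2017, so the URI is the indicator most likely to survive infrastructure changes, while the IP is what you would block today.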
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-03-15-EITest-Rig-EK-sends-Revenge-ransomware.pcap.zip 187 kB (187,246 bytes)
- ZIP archive of the malware: 2017-03-15-EITest-Rig-EK-sends-Revenge-ransomware-malware-and-artifacts.zip 163 kB (163,435 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.