2017-08-02 - "BLANK SLATE" CAMPAIGN PUSHES GRYPHON RANSOMWARE (A BTCWARE VARIANT)

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-08-02-Gryphon-ransomware-from-scenetavern_win.pcap.zip   143 kB (142,815 bytes)
• 2017-08-02-Blank-Slate-email-tracker.csv.zip   0.8 kB (842 bytes)
• 2017-08-02-Blank-Slate-emails-and-Gryphon-ransomware-files.zip   198.2 kB (198,225 bytes)

SOME BACKGROUND:

• 2017-03-02 - Palo Alto Networks Unit 42 Blog:  "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
• 2017-03-22 - Internet Storm Center (ISC):  "Blank Slate" malspam still pushing Cerber ransomware.
• 2017-06-29 - ISC:  Catching up with Blank Slate: a malspam campaign still going strong.
• 2017-07-31 - Bleeping Computer:  Crypt GlobeImposter Ransomware Distributed via Blank Slate Malspam.

TODAY'S NOTES (UPDATED 2017-08-03):

• It appears the Blank Slate campaign is pushing different variants of ransomware as the need arises (whatever that need may be).
• @leotpsc reported an example of Gryphon ransomware on 2017-07-27 (link) and @struppigel reported an example on 2017-07-31 (link).
• At first, I thought this was a variant of Amnesia based on what little I could find, but I was wrong.
• On 2017-08-03, @demonslay335 confirmed Gryphon is actually a BTCWare variant(link to tweet).

 

EMAILS

Shown above:  Spreadsheet tracker with 4 examples today.

 

Shown above:  One of the attached zip archives and its contents.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

URLS GENERATED BY THE EXTRACTED .JS FILES TO GET THE RANSOMWARE:

• 119.28.78[.]131 port 80 - hallvilla[.]win - GET /support.php?f=1.dat
• 119.28.78[.]131 port 80 - scenetavern[.]win - GET /support.php?f=1.dat

 

EMAIL FROM THE DECRYPTION INSTRUCTIONS:

• chines34@protonmail[.]ch

 

SHA256 HASHES

FILE ATTACHMENTS (ZIP ARCHIVES):

• 9db57550187c44ea708052f8c351717f55e629de1841b9e84575dee0460fa532 - EMAIL_7229655_[recipient].zip
• 7c2d071458efb62cc542ad3f078549a04431754c0e45fa6a618790e016bd8593 - EMAIL_3365126820_[recipient].zip
• 315281c5c0441e79907f2503a406c013bc7bae8ed568c4f04103ef4d2717847c - EMAIL_2990067725884_[recipient].zip
• dfaa0426b78d14eeb514ab6d479aae65ba7c52445bd0eda654e39557fa5a366d - EMAIL_065219552323687_[recipient].zip

 

EXTRACTED .JS FILES:

• 963414d992fb832d1fc46c160e9dffb35316226843c3b9e5b5da629d0b5d05f4 - 7oSZHYt.js
• ca228784df33a56566e9435455daeb799736f300392c183b47fcc024f6b50392 - RLbPRgWrsX.js
• dbe99b18ad9ae46e26a96d323f1587dd01cf634db9da4f3ce8ab9be682cbab24 - lI85VOyk.js
• 4022bfb198bbe1ca5386f7a9cd760492f662255eb400c855eeb88c92d89c8467 - pHzI.js

 

GRYPHON RANSOMWARE SAMPLE:

• SHA256 hash:  933af0c69e1e622e5677e52c24545761c2843b3f52ea38e63bbe4786bfd6276e
  File size:  280,144 bytes
  File description:  Gryphon ransomware from scenetavern.win on 2017-08-02

 

IMAGES

Shown above:  Some encrypted files on a Windows host infected with today's Gryphon sample.

 

Shown above:  Gryphon ransomware decryption instructions.

 

Click here to return to the main page.