CYBERSECURITY ALERT: INCIDENT IN A PUBLIC SERVICE – CSIRT de Gobierno

The Government CSIRT reports an active cyber security incident affecting a government service, attributed to ransomware targeting Microsoft and VMware ESXi servers. The malware encrypts VM-related files (changing them to a .crypt extension) and leaves a ransom note, with infostealer capabilities and specific IOCs identified.
#NTRUEncrypt #VMwareESXi #Microsoft #CSIRT_Gobierno

Keypoints

  • The CSIRT de Gobierno announces an ongoing incident impacting a government service, disrupting online systems.
  • The ransomware can stop all running virtual machines and encrypt VM-related files, resulting in a .crypt extension.
  • Encryption uses the NTRUEncrypt public-key algorithm and targets multiple VM-related file types (.log, .exe, .dll, .vswp, .vmdk, .vmsn, .vmem).
  • The malicious program also includes infostealer capabilities, including browser credential theft, device enumeration (HDDs/pendrives), and antivirus evasion with a timeout.
  • IOCs include specific executable names (0t8I7t8q8.exe, 6c1W1w0p9.bat, lock.exe) and their SHA-256 hashes.
  • Guidance from CSIRT emphasizes up-to-date antivirus/patching, backups, phishing awareness, network segmentation, anti-spam configuration, and reporting incidents to CSIRT.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – The ransomware can stop all running virtual machines and encrypt files related to the virtual machines. “The ransomware has the ability to stop all running virtual machines and encrypt files related to the virtual machines.”
  • [T1555.003] Credentials from Web Browsers – Infostealer capability to steal credentials from browsers. “It steals credentials from browsers.”
  • [T1120] Peripheral Device Discovery – Enumerates extraction devices such as HDDs and pendrives. “Enumerates extraction devices such as HDDs and pendrives.”
  • [T1562.001] Impair Defenses – Antivirus evasion with timeout. “It possesses antivirus evasion capabilities with timeout.”

Indicators of Compromise

  • [File] Executable names observed – 0t8I7t8q8.exe, 6c1W1w0p9.bat, and lock.exe
  • [SHA256] Hashes for IoCs – 39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d, ac73234d1005ed33e94653ec35843ddc042130743eb6521bfd3c32578e926004, and 1 more hash (lock.exe)

Read more: https://www.csirt.gob.cl/noticias/alerta-de-seguridad-cibernetica-incidente-en-servicio-publico/