CRIL uncovered a new Punisher ransomware variant spreading via a COVID-19-themed phishing site that targets Chilean users. The .NET binary carries an altered compile timestamp (timestomping), derives a system ID from the volume serial number, and POSTs victim details (machine name, username, system ID) to its C2 before encrypting files with AES-128 and appending the .punisher extension; the ransom note is augmented with victim-specific data and a timer-based price increase.
Keypoints
- New Punisher ransomware variant spread through a COVID-themed phishing site targeting Chilean users.
- The ransomware is a .NET binary whose PE compile timestamp has been altered (timestomping) to hinder forensic timelining during incident response.
- It derives a system ID from the Volume Serial Number and uses that ID in its encryption routine.
- The malware collects victim information (machine name, username, system ID) and exfiltrates it via a POST to its C2 server before encryption begins.
- Files are encrypted with AES-128 and renamed with the .punisher extension.
- Ransom notes are augmented with victim-specific data and a timer-based ransom increase; a fullscreen ransom alert is launched through a shortcut named "unlock your files.lnk" dropped in the Desktop, Startup, and Start Menu locations.
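The timestomping noted above rewrites the TimeDateStamp field of the PE COFF header. As an added example (not code from the Cyble report), the following Python reads that field from a PE image and classifies it against the date the sample was first seen; the PE bytes are constructed in-line as a minimal stand-in, and the 2010 lower bound is an assumption, not a value from the page.

```python
import struct
from datetime import datetime, timezone


def build_sample_pe(time_date_stamp: int) -> bytes:
    """Constructed stand-in for a PE file: DOS header, PE signature and COFF header only.
    Not a real binary and not derived from the Punisher sample."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature at 0x40
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,           # Machine: IMAGE_FILE_MACHINE_I386 (typical for AnyCPU .NET)
        3,                # NumberOfSections
        time_date_stamp,  # TimeDateStamp: the field that timestomping rewrites
        0, 0,             # PointerToSymbolTable, NumberOfSymbols
        0xE0,             # SizeOfOptionalHeader (PE32)
        0x0102,           # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + b"PE\x00\x00" + coff


def pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp (seconds since 1970-01-01 UTC)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the timestamp.
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


# Assumption for this example: a sample seen in 2022 should not claim a build date before 2010.
EARLIEST_PLAUSIBLE = int(datetime(2010, 1, 1, tzinfo=timezone.utc).timestamp())


def timestamp_verdict(ts: int, first_seen: int, earliest: int = EARLIEST_PLAUSIBLE) -> str:
    """Classify a compile timestamp against the time the sample was first observed."""
    if ts > first_seen:
        return "future"       # "compiled" after it was seen: the field was rewritten
    if ts < earliest:
        return "too_old"      # zeroed or otherwise implausible
    return "plausible"        # a backdated value inside the window passes this check


if __name__ == "__main__":
    first_seen = int(datetime(2022, 11, 25, tzinfo=timezone.utc).timestamp())
    for ts in (0, first_seen - 30 * 86400, first_seen + 400 * 86400):
        sample = build_sample_pe(ts)
        print(hex(pe_timestamp(sample)), timestamp_verdict(pe_timestamp(sample), first_seen))
```

Two caveats before treating a verdict as evidence: Roslyn's deterministic builds (the default for SDK-style .NET projects) replace TimeDateStamp with a hash of the build inputs, so an absurd value on its own does not prove manual tampering; and a stamp backdated into the plausible window is not caught by this check at all, so corroborate with other artifacts (assembly version resources, signing timestamps, on-disk NTFS timestamps).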
MITRE Techniques
- [T1204] User Execution – “This phishing website delivers ransomware disguised as a COVID tracking application, targeting Chilean users.”
- [T1547.001] Registry Run Keys / Startup Folder – “drops ransom notes as a shortcut file named ‘unlock your files.lnk’ in locations such as Desktop, Startup, and Start Menu so that the ransom alert will be shown to victims when they log in to their affected systems.”
- [T1070.006] Timestomp – “The compilation time of this binary is altered; this technique is called ‘Timestomping’, an anti-forensics technique used to stay hidden during incident response activities.”
- [T1497.003] Time-Based Evasion – listed in the report's MITRE mapping without an accompanying behaviour description; the only timer-driven behaviour the report describes is the ransom-note countdown that raises the ransom amount.
- [T1087] Account Discovery – “The ransomware creates a list for storing the victim’s information, such as Machine name, Username, System Id, etc.”
- [T1082] System Information Discovery – “The ransomware identifies the victim’s IP using the API ‘https[:]//api.ipify[.]org’.”
- [T1083] File and Directory Discovery – “The ransomware searches files in the victim’s machine for its encryption process. It executes the DriveInfo.GetDrives() method to get the names of all logical drives.”
- [T1486] Data Encrypted for Impact – “encrypts files using the AES-128 algorithm” and “changes the extension of the encrypted files to ‘.punisher’.”
- [T1071] Application Layer Protocol – “The data stored in this list is further sent to ‘hxxp[:]//20[.]100.168[.]3[:]1974/handshake.php’ using a POST request.”
- [T1020] Automated Exfiltration – “The data stored in this list is further sent to … via a POST request to the C2 server.”
Indicators of Compromise
- [MD5] Punisher ransomware executable – c267ca8be1871263937a5e433a49342c, df3a831a805ada51ce56e32a46a07b51
- [SHA-1] Punisher ransomware executable – f10f8a99b610db68c2caca017eeb9cd046acea64, 7c235d83e6c95a6a7d587d6d3ec99262d52c0fb4
- [SHA-256] Punisher ransomware executable – 79e4ecb131813bd897e9df2f75c32da92ffc603a5a74acb987c90088080774e4, dfc3e3eed6f6bba5e11fb88d06b22d0100188b1776b68b7207e0a4cac09ffa1a
- [URL] C2 and download URLs – http://20.100.168.3:1974/handshake.php, http://20.100.168.3:1974/alertmsg.zip
- [Domain] COVID-themed phishing site – covid19.digitalhealthconsulting.cl
- [File name] Ransom note launcher – unlock your files.lnk
- [File extension] Encrypted files extension – .punisher
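The indicators above are most useful when run together over telemetry, because the report's sequence (phishing site, exfiltration POST, note dropped, files renamed) is itself a signal. As an added example (not code from the Cyble report), the following Python matches the listed IOCs against constructed proxy, EDR and file-event log lines and checks whether the C2 POST precedes the first .punisher rename; the log format and host/user names are invented for illustration.

```python
import re

# Indicators copied from the IOC list above, most specific first so that each
# log line is attributed to a single indicator kind.
IOC_PATTERNS = [
    ("c2_url", re.compile(r"https?://20\.100\.168\.3:1974/(handshake\.php|alertmsg\.zip)", re.I)),
    ("c2_host", re.compile(r"\b20\.100\.168\.3\b")),
    ("phishing_domain", re.compile(r"\bcovid19\.digitalhealthconsulting\.cl\b", re.I)),
    ("sha256", re.compile(r"\b(79e4ecb131813bd897e9df2f75c32da92ffc603a5a74acb987c90088080774e4"
                          r"|dfc3e3eed6f6bba5e11fb88d06b22d0100188b1776b68b7207e0a4cac09ffa1a)\b", re.I)),
    ("sha1", re.compile(r"\b(f10f8a99b610db68c2caca017eeb9cd046acea64"
                        r"|7c235d83e6c95a6a7d587d6d3ec99262d52c0fb4)\b", re.I)),
    ("md5", re.compile(r"\b(c267ca8be1871263937a5e433a49342c|df3a831a805ada51ce56e32a46a07b51)\b", re.I)),
    ("ransom_note_lnk", re.compile(r"unlock your files\.lnk", re.I)),
    ("encrypted_extension", re.compile(r"\.punisher(?![\w.])", re.I)),
]

# Constructed sample telemetry (format, hosts and users are invented for this example).
SAMPLE_LOG = [
    "2022-11-25T10:01:55Z edr host=WS-17 event=process_start md5=c267ca8be1871263937a5e433a49342c",
    "2022-11-25T10:02:11Z proxy user=alice dst=covid19.digitalhealthconsulting.cl method=GET path=/ status=200",
    "2022-11-25T10:03:40Z proxy user=alice dst=api.ipify.org method=GET path=/ status=200",
    "2022-11-25T10:03:42Z proxy user=alice dst=20.100.168.3:1974 method=POST url=http://20.100.168.3:1974/handshake.php status=200",
    "2022-11-25T10:04:01Z file-event host=WS-17 op=create path=C:\\Users\\alice\\Desktop\\unlock your files.lnk",
    "2022-11-25T10:04:05Z file-event host=WS-17 op=rename path=C:\\Users\\alice\\Documents\\report.docx.punisher",
    "2022-11-25T10:05:00Z proxy user=bob dst=www.example.com method=GET path=/ status=200",
]


def classify(line: str):
    """Return (kind, matched_text) for the first indicator that fires on a line, else None."""
    for kind, pattern in IOC_PATTERNS:
        m = pattern.search(line)
        if m:
            return kind, m.group(0)
    return None


def match_iocs(lines):
    """Return [(line_number, kind, matched_text), ...] for every line that hits an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = classify(line)
        if hit:
            hits.append((n, hit[0], hit[1]))
    return hits


def exfil_before_encryption(hits) -> bool:
    """True when the first C2 URL hit precedes the first .punisher rename,
    i.e. the telemetry agrees with the report's exfiltrate-then-encrypt ordering."""
    first = {}
    for n, kind, _ in hits:
        first.setdefault(kind, n)
    return ("c2_url" in first and "encrypted_extension" in first
            and first["c2_url"] < first["encrypted_extension"])


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOG):
        print(hit)
    print("exfil before encryption:", exfil_before_encryption(match_iocs(SAMPLE_LOG)))
```

The api.ipify.org lookup the report mentions is deliberately not in the pattern list: it is a legitimate service that many benign programs call, so it is corroborating context next to a C2 POST, not an indicator on its own.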
Read more: https://blog.cyble.com/2022/11/25/punisher-ransomware-spreading-through-fake-covid-site/