EByte Ransomware is a new variant developed by EvilByteCode that targets Windows systems using modern encryption primitives. It encrypts user data, displays a ransom note, and poses a significant risk because its source is publicly available on GitHub. Affected: Windows systems, organizations, individuals
Key points:
- Developed in Go language and utilizes ChaCha20 encryption and ECIES for key transmission.
- Publicly available on GitHub claimed to be for educational purposes.
- Establishes persistence, executes unauthorized commands, and communicates with a C2 infrastructure.
- Encrypts files with the extension .EByteLocker and displays a ransom note named "Decryption Instructions.txt".
- Modifies the desktop wallpaper as part of the attack.
- Targets Windows systems and contains features to maintain access and evade detection.
- Leverages various MITRE techniques for execution, persistence, defense evasion, and data encryption.
- Highlights the need for proactive cybersecurity measures and comprehensive incident response plans.
MITRE Techniques:
- Execution (T1059): Command and Scripting Interpreter – Executes the ransomware payload.
- Execution (T1106): Native API – Uses the Native API to carry out operations.
- Execution (T1129): Shared Modules – Utilizes shared libraries for malicious functionality.
- Persistence (T1505.003): Server Software Component – Maintains persistence via web server functionality.
- Persistence (T1574): Hijack Execution Flow – Abuses execution paths to maintain presence.
- Privilege Escalation (T1055): Process Injection – Injects code into processes to elevate privileges.
- Defense Evasion (T1006): Direct Volume Access – Accesses volumes directly to evade detection.
- Impact (T1486): Data Encrypted for Impact – Encrypts user data to extort ransom.
Indicators of Compromise:
- [SHA256] 25bc9f536d47dedfb2750878f2eb08190232ef47d30f8332110dbc7c2cc732e4 (Server.exe)
- [SHA256] 08cf671756c4a333fe6fe40feb5707d048c576e0f701cacb38a466558c420acc (EByteLocker-Built.exe)
- [SHA256] 70266f83906956deece1c628f52db70c6a4f2c7612fe0f5c811a615284a02fc0 (Decryptor-Built.exe)
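As an added example (not code from the report or from the EByte project), a small Python triage script that checks a directory tree for the three indicators this summary gives: files renamed with the .EByteLocker extension, the "Decryption Instructions.txt" ransom note, and the three published SHA256 values. Case-insensitive name matching and the constructed sample tree in demo() are this example's own assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

EBYTE_SHA256 = {  # SHA256 indicators quoted from the report above
    "25bc9f536d47dedfb2750878f2eb08190232ef47d30f8332110dbc7c2cc732e4": "Server.exe",
    "08cf671756c4a333fe6fe40feb5707d048c576e0f701cacb38a466558c420acc": "EByteLocker-Built.exe",
    "70266f83906956deece1c628f52db70c6a4f2c7612fe0f5c811a615284a02fc0": "Decryptor-Built.exe",
}
ENCRYPTED_EXT = ".ebytelocker"  # lower-cased: Windows file names compare case-insensitively (assumption)
RANSOM_NOTE = "decryption instructions.txt"

def sha256_of(path):
    h = hashlib.sha256()  # streamed in 1 MiB chunks so large files are never read whole
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def classify_hash(digest):
    return EBYTE_SHA256.get(digest.lower())  # IoC label for a known build, else None

def scan_tree(root):
    """Walk `root` and collect hash matches, encrypted-file names and ransom notes."""
    findings = {"hash_match": [], "encrypted_file": [], "ransom_note": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, lower = Path(dirpath) / name, name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                findings["encrypted_file"].append(str(path))
            if lower == RANSOM_NOTE:
                findings["ransom_note"].append(str(path))
            try:
                label = classify_hash(sha256_of(path))
            except OSError:  # unreadable or vanished file: skip it, keep scanning
                continue
            if label:
                findings["hash_match"].append((str(path), label))
    return findings

def demo():
    """Constructed sample tree (no real samples): two artefacts plus one benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        (docs / "budget.xlsx.EByteLocker").write_bytes(b"\x00\x11\x22")
        (docs / "Decryption Instructions.txt").write_text("constructed note body")
        (docs / "notes.txt").write_text("benign")
        return scan_tree(tmp)
```

A hash hit on any of the three names, or a single .EByteLocker file appearing on a share, is enough to trigger isolation of the host; the hash check catches the dropped binaries before encryption starts, the name checks catch an infection already under way.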
Full Story: https://www.cyfirma.com/research/go-language-based-ebyte-ransomware-a-brief-analysis/