Texas Hit By a Human-Operated Ransomware That Targets against Government Agencies and Enterprises

May 2020 was not a good month for the Texas Courts or the Texas Department of Transportation (TxDOT): it marked the discovery of a new ransomware, Ransom X, being used in human-operated attacks focused on government agencies and enterprises.

Advanced Intel's Vitali Kremez discovered a sample named 'ransom.exx', which was believed to be the name of the ransomware. Because this is human-operated ransomware, rather than one distributed by phishing or other malware, the executable opens a console that displays status information to the attacker while it runs.

According to Kremez, Ransom.exx attempts to terminate 289 processes associated with security software, database servers, MSP software, remote access tools, and mail servers.

Ransom X will also run a series of commands throughout the encryption process that:

- Clear Windows event logs
- Delete NTFS journals
- Disable System Restore
- Disable the Windows Recovery Environment
- Delete Windows backup catalogs
- Wipe free space from local drives

The commands executed are listed below:

cipher /w %s
wbadmin.exe delete catalog -quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
wevtutil.exe cl Application
wevtutil.exe cl System
wevtutil.exe cl Setup
wevtutil.exe cl Security
wevtutil.exe sl Security /e:false
fsutil.exe usn deletejournal /D C:
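The command sequence above is a useful detection opportunity, since the individual tools are legitimate but rarely run together in quick succession. The following is an added example (not code from the article or from the ransomware analysis) that matches process-creation command lines against signatures derived from those commands and flags a host when several distinct techniques appear inside a short window. The event records, host names and label names are constructed for illustration.

```python
import re
from collections import defaultdict

# Signatures derived from the commands listed above; the labels are ours.
SIGNATURES = [
    ("wipe_free_space",        re.compile(r"\bcipher(\.exe)?\s+/w\b", re.I)),
    ("delete_backup_catalog",  re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("disable_recovery_env",   re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
    ("ignore_boot_failures",   re.compile(r"\bbcdedit(\.exe)?\b.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("disable_system_restore", re.compile(r"\bschtasks(\.exe)?\b.*SystemRestore\\SR.*/disable", re.I)),
    ("clear_event_log",        re.compile(r"\bwevtutil(\.exe)?\s+cl\s+\w+", re.I)),
    ("disable_security_log",   re.compile(r"\bwevtutil(\.exe)?\s+sl\s+Security\s+/e:false", re.I)),
    ("delete_usn_journal",     re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal", re.I)),
]

def classify_command(cmdline):
    """Return the label of every signature the command line matches."""
    return [label for label, rx in SIGNATURES if rx.search(cmdline)]

def scan_process_events(events, window_seconds=300, threshold=3):
    """Flag hosts where at least `threshold` distinct techniques fire within
    `window_seconds`. A lone `wevtutil cl` may be an admin; a burst of several
    different recovery-inhibiting commands looks like the sequence above."""
    by_host = defaultdict(list)
    for ev in events:
        labels = classify_command(ev["cmd"])
        if labels:
            by_host[ev["host"]].append((ev["ts"], labels))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, labels in hits[i:]:
                if ts - start > window_seconds:
                    break
                seen.update(labels)
            if len(seen) >= threshold:
                flagged[host] = sorted(seen)
                break
    return flagged

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "fileserver-01", "ts": 1000, "cmd": "wevtutil.exe cl Security"},
    {"host": "fileserver-01", "ts": 1002, "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "fileserver-01", "ts": 1003, "cmd": "wbadmin.exe delete catalog -quiet"},
    {"host": "fileserver-01", "ts": 1005, "cmd": "fsutil.exe usn deletejournal /D C:"},
    {"host": "admin-ws-02",   "ts": 5000, "cmd": "wevtutil.exe cl Application"},
    {"host": "admin-ws-02",   "ts": 5001, "cmd": r"notepad.exe C:\notes.txt"},
]
```

Run against the sample, only fileserver-01 is flagged; the single log clear on admin-ws-02 stays below the threshold.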

The ransomware then begins encrypting all of the data on the computer, appending a custom extension tied to the victim to each encrypted file.

In the Texas Department of Transportation attack, the custom extension was .txd0t.