Researchers identified a new variant of the Thanos ransomware used in an attack on a police department in the UAE. Thanos is sold as ransomware-as-a-service (RaaS) and is known for data theft, spreading across the network, and defense-evasion features; this build was customized for the specific target.
On a compromised system the encryption routine renames every encrypted file with a “.crypted” extension, which is the first visible sign that the attack succeeded.
The ransom note, HOW_TO_DECYPHER_FILES.txt, demands $20,000 in Bitcoin for the decryptor and gives instructions on how to pay and recover the files.
After a restart, the user is prompted for credentials at logon and cannot reach the desktop without authenticating.
The sample is a .NET binary whose strings are obfuscated only with base64 encoding. A short script that decodes every base64-encoded string in the binary was enough to deobfuscate it and expose the malware's functionality and intent.
The deobfuscated code confirms the sample is Thanos ransomware: the decoded strings contain its signature and the “.crypted” extension, along with the list of file types it selects for encryption, which covers both sensitive user data and files the system needs to operate.
On the infected system, Task Manager and the backup and recovery services are unavailable, which hampers troubleshooting, data protection, and restoration.
One decoded base64 string is a download link for PAExec, Power Admin's freely redistributable alternative to PsExec. The malware retrieves it to execute commands on remote systems, giving the attacker unauthorized remote access to other hosts.
ProcessHide is then used to hide the Power Admin PAExec process from process-monitoring tools such as Windows Task Manager, so the tool runs without appearing in the process list.
SonicWall identified this variant targeting the Sharjah Police Force in the UAE. The malware scans the internal network for live hosts and then uses compromised credentials to log on to them.
When the embedded credentials fail, the malware falls back to an alternative list of usernames and passwords. An earlier email sent to the operator bounced as undeliverable.
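The scan-then-authenticate behaviour described above leaves a characteristic footprint in Windows Security logs: one source address producing failed network logons (event ID 4625, logon type 3) against many hosts and many accounts, sometimes followed by a success (event ID 4624) once a credential from the list works. The following is an added detection example, not SonicWall's code or anything from the malware; the SAMPLE_EVENTS are constructed records, not real telemetry, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LogonEvent:
    event_id: int      # 4625 = failed logon, 4624 = successful logon
    target_host: str   # host that recorded the event
    source_ip: str     # IpAddress field of the event
    user: str          # TargetUserName field
    logon_type: int    # 3 = network logon, which is what PsExec-style tools produce


# Constructed sample in chronological order (not real telemetry): 10.0.0.5 walks
# three hosts trying several accounts on each, then succeeds on PC-03 with the
# svc_backup account. 10.0.0.42 is a user mistyping a password on their own PC.
SAMPLE_EVENTS = [
    LogonEvent(4625, "PC-01", "10.0.0.5", "administrator", 3),
    LogonEvent(4625, "PC-01", "10.0.0.5", "admin", 3),
    LogonEvent(4625, "PC-01", "10.0.0.5", "backup", 3),
    LogonEvent(4625, "PC-02", "10.0.0.5", "administrator", 3),
    LogonEvent(4625, "PC-02", "10.0.0.5", "admin", 3),
    LogonEvent(4625, "PC-03", "10.0.0.5", "administrator", 3),
    LogonEvent(4625, "PC-03", "10.0.0.5", "svc_backup", 3),
    LogonEvent(4624, "PC-03", "10.0.0.5", "svc_backup", 3),
    LogonEvent(4625, "PC-07", "10.0.0.42", "jdoe", 2),
    LogonEvent(4625, "PC-07", "10.0.0.42", "jdoe", 2),
    LogonEvent(4624, "PC-07", "10.0.0.42", "jdoe", 2),
]


@dataclass
class SpraySummary:
    failures: int = 0
    failed_users: set = field(default_factory=set)
    failed_hosts: set = field(default_factory=set)
    successes_after_failure: list = field(default_factory=list)  # (host, user)


def summarize_by_source(events):
    """Group logon events by source address. Events must be in time order so
    that a success can be attributed to the failures that preceded it."""
    out = defaultdict(SpraySummary)
    for ev in events:
        s = out[ev.source_ip]
        if ev.event_id == 4625 and ev.logon_type == 3:
            s.failures += 1
            s.failed_users.add(ev.user)
            s.failed_hosts.add(ev.target_host)
        elif ev.event_id == 4624 and ev.logon_type == 3 and s.failures:
            # A network logon that works after failures from the same source is
            # the moment a credential from the list matched: the priority lead.
            s.successes_after_failure.append((ev.target_host, ev.user))
    return out


def find_spray_sources(events, min_hosts=2, min_users=3):
    """Return {source_ip: SpraySummary} for sources whose failed network logons
    span at least min_hosts hosts and min_users accounts (assumed thresholds)."""
    return {
        ip: s
        for ip, s in summarize_by_source(events).items()
        if len(s.failed_hosts) >= min_hosts and len(s.failed_users) >= min_users
    }


if __name__ == "__main__":
    for ip, s in find_spray_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {s.failures} failures, {len(s.failed_hosts)} hosts, "
              f"{len(s.failed_users)} users, hits={s.successes_after_failure}")
```

Keying on logon type 3 matters: a user who fat-fingers a password at the console produces type 2 failures on one host with one account and should not trip the rule, while a host walking the subnet with a credential list fans out across hosts and accounts from a single source address. The success-after-failure list tells responders which host and account to isolate first.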