UPDATE 6/8/2017: This is a CRyPTON Variant, see below.

A new variant of Dharma CryptON (CryptON 36 variant, to be precise), seems to have hit a server;  here are some of the details I’ve been gathering.

Ransom Note

A file named ### DECRYPT MY FILES ###.txt is placed in each directory where encrypted files are located with the following content.

*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***

To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: mk.goro@aol.com
Your personal ID: 3509099450

Encrypted Files

Encrypted files have the following appended: .id-3509099450_[mk.goro@aol.com].0oxr4

Registry Entry

An interesting Registry entry is observed:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESOFTWAREWow6432NodeKJ8CvJIB1H5nRcJZ]
"KJ8CvJIB1H5nRcJZd"="32B7DAEBA948B330EA098023EE44F4C003D3ADFD3D1DFEC22DEA17F1030C8C5D"
"KJ8CvJIB1H5nRcJZn"="B70D46F62D9189C86EB4017E7F83B2F81AEFD85392883862DC9AF3912EA38D6311EAE04DFC9473ABB19D510AE58852F91FA6933EAA5161EE2372EEF1E033A1E857BAB9603840A6F4CEEB54AF0E4332CF1617DFBD553A99F07873DEEFC66504B1A975862171DC6D74A970FB9580C389E708C950066FFC65596DBE51AE757BE10F7AB43285511704B9F71EF0615B0203F551EDA54CEBB93BD8609C88D7129DE39390B9D88595FD9A1B460F8F3B50D2B9EEA155DBCCD2F084E88877799559D51F190667D01E0F0858B0F27EE5D0A5F64310FD731EC53F89A2C5EEDCCD999A1620BA48469D51A00A545A33CEB7563610A3D3BE65CC7B5FCCE76C7181E316BB2FE6D9"
"KJ8CvJIB1H5nRcJZs"="1"

Google search for any parts of .0oxr4 comes up short as well as any of the information in the Registry key HKEY_LOCAL_MACHINESOFTWAREWow6432NodeKJ8CvJIB1H5nRcJZ

 

Searching for the email mk.goro@aol.com indicates this may be a ransomware that can be decrypted, according to ID Ransomware website.  However, I have found nothing that works for decrypting.

I have attached two sample files, an original Informant SNMP zip file pulled from a backup as well as the encrypted file.

Still a work in progress…

Update: 6/8/2017

From: https://www.bleepingcomputer.com/forums/t/632389/dharma-ransomware-filenameemaildharmawalletzzzzz-support-topic/page-99

Any files that are encrypted with the newest variant of CryptON (Cry9, Cry36, Cry128, X3M, Nemesis) will have a random 5 character hexadecimal extension appended to the end of the encrypted data filename (i.e. .id-1163283255_[liukang@mortalkombat.su].08c85, .id-1163283255_[mk.baraka@aol.com].830s7) and leave files (ransom notes) named ### DECRYPT MY FILES ###.txt.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

This is a cry36 variant and apparently not decrypted at this time, see: https://support.emsisoft.com/topic/27231-cry9-invalid-crypton-file-pair/?page=4#comment-171791

I put this script together from a few different sources.  It basically enumerates Active Directory and checks any 2008+ server for existence of KB patch for MS17-010.

MS17-010 patches a critical vulnerability discovered in Microsoft Windows operating systems that involve SMB exploits from a ShadowBrokers NSA dump of leaked NSA hacking tools.  It’s been spreading from CPU miner payloads to Ransomware (WannaCry/WannaCry 2.0) etc.

import-module activedirectory

$ErrorActionPreference= 'silentlycontinue'

# *** SERVER VERSIONS ***
# Server 2016 / Win10 - NT 10
# Server 2012 R2 / Win8.1 - NT 6.3
# Server 2012 / WIn8 - NT 6.2
# Server 2008 R2 / Win7 - NT 6.1
# Server 2008 / WinVista - NT 6.0
# Server 2003 R2 / WinXP64 - NT 5.2
# Server 2003 - NT 5.2
# WinXP - NT 5.1

$computers = get-adcomputer -filter * -properties * | select-object name,operatingsystem

$computers | foreach {
 $hotfixes = @()
 $osdetect = $_.operatingsystem
 $computer = $_.name
 switch -wildcard($osdetect)
 {
 "*Server*2016*" { $hotfixes = @("KB4013429", "KB4019472", "KB4015217", "KB4015438", "KB401663") }
 "*Server*2012*R2*" { $hotfixes = @("KB4012216", "KB4015550", "KB4019215") }
 "*Server*2012" { $hotfixes = @("KB4012217", "KB4015551", "KB4019216") } # A bit of a hack, not sure how this displays...
 "*Server*2008*" { $hotfixes = @("KB4012212") }
 default {$hotfixes = NULL } # Do nothing if it isn't a server and not 2008-2016.
 }
 if ($hotfixes.count -gt 0) {
 $hotfixes | foreach {
 write-host "Checking $computer ($osdetect)..."
 if (!(get-hotfix -id $_ -computername $computer)) {
 write-host $computer "Missing ($_)"
 }
 }
 } else {
 write-host "Skipping $computer ($osdetect)..."
 }
}

For those of you who may have followed along on my original post of me troubleshooting an IBM X3650, I found a system planar for $20 (lol). Just arrived today, with shuttle, which is awesome. I’ll be putting this in the server chassis today and hopefully getting a successful boot.

Left is the new board and right is the old.

width=840

Update 5/12

After being out of the office with other tasks, I finally had some time this morning to get this swapped out.

Everything went well with the exception of the memory. I had to put in 2x1GB sticks in DIMM slots 1 and 4 as the previously installed 4GB modules were not working and I was finally able to get a POST.

The BIOS at post is 1.03 and ServeRAID 8k-l initialized. I do need to update the BIOS as well as ServeRAID BIOS. The board I swapped from was at BIOS 1.19 and ServeRAID BIOS was at 17003.

WordPress has a password reset feature that contains a vulnerability which might in some cases allow attackers to get hold of the password reset link without previous authentication.

Such attack could lead to an attacker gaining unauthorized access to a victim’s WordPress account.  This affects all versions of WordPress, including the current version, 4.7.4.

Description

The vulnerability stems from WordPress using untrusted data by default when creating a password reset e-mail that is supposed to be delivered only to the e-mail associated with the owner’s account.

This can be observed in the following code snippet that creates a From email header before calling a PHP mail() function:

wp-includes/pluggable.php

if ( !isset( $from_email ) ) {
        // Get the site domain and get rid of www.
        $sitename = strtolower( $_SERVER['SERVER_NAME'] );
        if ( substr( $sitename, 0, 4 ) == 'www.' ) {
                $sitename = substr( $sitename, 4 );
        }

        $from_email = 'wordpress@' . $sitename;
}

3 separate example scenarios (both the ones that require victim interaction and those that do not) include:

  1. Attacker can perform a prior DoS attack on the victim’s email account/server (e.g by sending multiple large files to exceed user’s disk quota, attacking the DNS server etc) in order to prevent the password reset email from reaching the victim’s account and bounce back to the malicious sender address that is pointed at the attacker (no user interaction required)
  2. Some autoresponders might attach a copy of the email sent in the body of the auto-replied message (no user interaction required)
  3. Sending multiple password reset emails to force the user to reply to the message to inquiry explanation for endless password reset emails. The reply containing the password link would then be sent to attacker. (user interaction required)

Workarounds

  1. If you are using Apache, you can turn on UseCanonicalName (see: https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname)
  2. I created a simple plugin that you can install in your WordPress installation. It will disable the last password functionality.
    Disable Password Reset
grep -E -o [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+.[A-Za-z]{2,6}
s
search
c
compose new post
r
reply
e
edit
t
go to top
j
go to the next post or comment
k
go to the previous post or comment
o
toggle comment visibility
esc
cancel edit post or comment