Cyber Security News — Past 24 hours | 25.04.2021

As it turns out, the ransomware targets a victim by impersonating itself as a tool generating free Nitro gift codes. Surely, an average user, like a Discord Nitro user, would fall for it. Upon reaching the target system, the malware starts encrypting the data and appends a “.givemenitro” extension to the file names. After completing the encryption process. The malware changes the victim’s desktop to an evil Discord logo. Whereas, a ransomware screen also appears that serves as the ransom note. It demands the victim to pay the ransom as Nitro gift codes. Alongside this peculiar demand, the threat actors also give a very short deadline of three hours to fulfill their demand. Whereas, they threaten the victim to delete all of the data in the case of failure of ransom payment. Though, Bleeping Computer observed that this threat is merely a bluff and that nothing happens even after the 30hour deadline gets over. Once a victim pays the ransom, the attackers would check the gift code validity via Discord API URL. If verified, the threat actors then decrypt the data.
The researchers found that the decryptor is actually a static key embedded within the ransomware code. Thus, victims may not really have to pay the ransom if they can figure it out. However, they would still suffer some damage due to this attack. NitroRansomware bears an additional backdoor functionality as well. Plus, it can also execute commands on the target system.the victims of this ransomware must ensure changing their Discord passwords to avoid losing their accounts. Besides, ransomware also steals data from web browsers. So, the victims may also have to review and change the passwords of all accounts that they saved within their browsers.

source —

The group announced with a message on their leak side that they will provide information stolen from these companies before the publication, so that it would be possible to earn in the reduction price of shares.The ransomware gang aims at making pressure on the companies threatening them to leak information that could have a negative impact on their stock price, making it possible to traders to make a profit from the fall of the stock prices.

This is an unprecedented tactic in the cybercrime ecosystem.
However, the announcement also serves as an indirect method to threaten hacked companies that not paying the ransom demand could result in negative press large enough to impact their market listings and enough to push some victims into paying the asked ransom.

The ransomware gangs continue to evolve their tactics to force the victims into paying the ransom, we have observed multiple layers of extortion.

Initially, Maze operators started leaking the stolen data on their leak sites in a double model of extortion. Recently other gangs started offering to their network of affiliates cold-calls and DDoS attacks to threaten victims. threatened companies that they’d notify journalists about their security breaches

Some groups are attempting to make pressure on the victims by asking their customers to invite the company to pay the ransom demand and avoid having the customers’ data leaked online.

All of these tactics are usually deployed once ransomware gangs learn that a company whose data they stole and/or encrypted does not plan to pay the demanded ransom fee.


First documented by Cisco Talos in July 2020, Prometei is a multi-modular botnet, with the actor behind the operation employing a wide range of specially-crafted tools and known exploits such as EternalBlue and BlueKeep to harvest credentials, laterally propagate across the network and «increase the amount of systems participating in its Monero-mining pool».
With this access in place, the threat actor launched PowerShell to download the initial Prometei payload from a remote server.
Interestingly, newly unearthed evidence gathered from VirusTotal artifacts has revealed that the botnet may have been around as early as May 2016, implying that the malware has constantly been evolving ever since, adding new modules and techniques to its capabilities.

source —

In response to the ongoing attacks, the Taiwanese company has released an advisory prompting users to apply updates to QNAP NAS running Multimedia Console, Media Streaming Add-on, and HBS 3 Hybrid Backup Sync to secure the devices from any attacks. «QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS,» the company said. «The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks». Patches for the three apps were released by QNAP over the last week.

CVE-2020–36195 concerns an SQL injection vulnerability in QNAP NAS running Multimedia Console or Media Streaming Add-on, successful exploitation of which could result in information disclosure. On the other hand, CVE-2021–28799 relates to an improper authorization vulnerability affecting QNAP NAS running HBS 3 Hybrid Backup Sync that could be exploited by an attacker to log in to a device.

source —

Stay Focused. Stay Vigilant.

Cyber Threat Incident Management Team — Cyber Security Commiunity @ SLIIT



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store