General

  • Target

    1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51

  • Size

    501KB

  • Sample

    240529-hhpzpsef45

  • MD5

    bf55c921b638ddf41a5120c90fe5f211

  • SHA1

    6a96dd8be36381d71eb7dac5f7a053064b546487

  • SHA256

    1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51

  • SHA512

    a3d91c51eb3bd59792f6cca32def989b4d069e489dcb74263f5f629fe300f4074b1a7d8a7a64410d7efc992e1d332108147aa0b2611e0777358749d7adfac166

  • SSDEEP

    12288:bGlEhiu/o/eXUG8nfBG5K92Qg+fgFfwjUKWXNDtn0lF620D4JNuq6JFcP:bGei/mUNaK9259wjU3dt0lF6264JArJs

Score
10/10

Malware Config

Extracted

Path

C:\Program Files (x86)\!nissenvelten!HOW_TO_RESTORE.log

Family

rook

Ransom Note
Hello! We warned you, but you even didn't replied
Forced shutdown of devices can lead to the loss of all data. Do not forcibly disconnect storage volumes from hosts, don't interrupt process. Damaged information cannot be recovered.
All data is properly protected against unauthorized access by steady encryption technology.
We have downloaded essential data of company:
- Huge amount of files, including: HR,Financial,Accounting,...
- Large amounts of personal records of your employees and residents.
- about 1TB (!!!) of data!
In case if you refuse to cooperate with us, all essential data will be sold or published at dark marketplace.
Full details and proofs will be provided in case of contacting us by following emails.
[email protected]
[email protected]
It's just a business. We can help you to quickly recover all your files. We will explain what kind of vulnerability was used to hack your network. If you will not cooperate with us, you will never know how your network was compromised. We guarantee this will happen again.
We can decrypt 2 small files (up to 1MB) for free. Send files by email.
Register new email account at secure mail service like mailfence, protonmail to be sure that outgoing email not blocked by spam filter. Don't use gmail!
WARNING! Don't report to police. They will suspend financial activity of company and negotiation process.

Targets

    • Target

      1a130d16a9e828cccb6a2135cbd7f1615219979612e0bae67cbe7c9a9606cf51

    • Rook

      Rook is a ransomware family built on the leaked Babuk source; it shares its codebase with the later NightSky ransomware, which is widely regarded as a rebrand of Rook.

    • Renames multiple (7075) files with added filename extension

      A single extension appended to thousands of files in one run is the file-system footprint of ransomware encrypting everything it can reach; together with the ransom note dropped at the path above, it accounts for the 10/10 score.
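The two behaviours the report lists, a burst of renames that all append the same extension and a ransom-note file created alongside them, are what a host-based detection would key on. The following is an added example, not part of this sandbox report or of the Rook sample: it builds a constructed file-event stream (the event format, the ".rook" placeholder extension, the 60-second window and the 50-file threshold are all assumptions; the report does not state which extension this sample appends) and runs a simple detector over it that looks for exactly those two signals.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event stream, not output from the sandbox run in this report.
# Each event: (timestamp, kind, path, new_path_or_None)
BASE = datetime(2024, 5, 29, 10, 0, 0)


def make_events(n_encrypted=120, added_ext=".rook"):
    """Build a synthetic log: benign noise, a rename burst, and a ransom-note drop.

    added_ext is a placeholder; the report only says an extension was appended.
    """
    events = [
        # benign: a user renaming a document does not append a suffix
        (BASE - timedelta(minutes=5), "RENAME", r"C:\Users\u\draft.docx", r"C:\Users\u\final.docx"),
        (BASE - timedelta(minutes=4), "CREATE", r"C:\Users\u\notes.txt", None),
    ]
    for i in range(n_encrypted):  # one extension appended to many files, 50 ms apart
        old = rf"C:\Users\u\Documents\file{i:04d}.xlsx"
        events.append((BASE + timedelta(milliseconds=50 * i), "RENAME", old, old + added_ext))
    # note name taken from the extracted config path above
    events.append((BASE + timedelta(seconds=10), "CREATE",
                   r"C:\Program Files (x86)\!nissenvelten!HOW_TO_RESTORE.log", None))
    return sorted(events, key=lambda e: e[0])


def appended_extension(old, new):
    """Return the suffix if new == old + '.<ext>' (original name kept intact), else None."""
    if new.startswith(old) and len(new) > len(old) and new[len(old)] == ".":
        return new[len(old):].lower()
    return None


def detect_rename_burst(events, window=timedelta(seconds=60), threshold=50):
    """Map appended extension -> max number of renames seen inside one sliding window."""
    stamps_by_ext = defaultdict(list)
    for ts, kind, path, new in events:
        if kind == "RENAME" and new is not None:
            ext = appended_extension(path, new)
            if ext:
                stamps_by_ext[ext].append(ts)
    hits = {}
    for ext, stamps in stamps_by_ext.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ext] = best
    return hits


NOTE_NAME = re.compile(r"HOW_TO_RESTORE", re.IGNORECASE)  # from the config path above


def detect_ransom_note(events):
    """Return created files whose basename matches the ransom-note naming pattern."""
    return [path for _, kind, path, _ in events
            if kind == "CREATE" and NOTE_NAME.search(path.rsplit("\\", 1)[-1])]


def triage(events):
    """Combine both signals into a verdict; thresholds and weights are assumptions."""
    burst = detect_rename_burst(events)
    notes = detect_ransom_note(events)
    score = (5 if burst else 0) + (5 if notes else 0)
    return {"rename_burst": burst, "ransom_notes": notes, "score": score}


if __name__ == "__main__":
    print(triage(make_events()))
```

The rename check deliberately requires the new name to be the old name plus a suffix: an ordinary rename (draft.docx to final.docx) never counts, so the detector does not fire on normal user activity, while any extension appended to 50 or more files within a minute does, regardless of what that extension is.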
