2013-08-25 - Landscape

Prism themed ransomware - Kovter evolution

Prism logo ;)

I found a new (to me - it seems it's 2 weeks old) Prism-themed ransomware. Not really worth a post, but it could make you smile too... so here it is:

Prism Themed Ransomware - 2013-08-25
(Kovter.???)
Based on where I found it, the HTTP calls and other details, I would say it could be the same actors that were behind Kovter.

Fiddler Trace of Infection + Design Gathering
<edit1> Checking a little more, it's an evolution of Kovter. It also looks at your browsing history.
History check
(against a list that is now encoded)
</edit1>


Ransomware C&C:
94.242.206.71
5577 | 94.242.192.0/18 | ROOT | LU | ROOT.LU | ROOT SA

zipwog.biz
Registrant Name: Vladislav Krasnov
Registrant Address1: Kahovskaya st. 31
Registrant City: Perm
Registrant State/Province: Permskaya oblast
Registrant Postal Code: 614109
Registrant Phone Number: +7.9145023291
Registrant Email: [email protected]

<edit2 2013-08-26>
After CIRCL's action, their failover reverse proxy in Germany is being used:
83.133.110.32
13237 | 83.133.0.0/16 | LAMBDANET | DE | GREATNET.DE | GREATNET NEW MEDIA.
zigwog.info
</edit2>
<edit3>
2013-08-30 - 83.133.110.34 - sectempus.biz
2013-09-14 - 83.133.110.34 - xvertigo2.biz - For instance: f64155da0b44520288dadc759197e04c
2013-09-29 - 50.7.193.124 - xvertigo3.org & xvertigo3.biz - For instance: a36bf8f14ddf717029a6d89f4c7f53f3
30058 | 50.7.192.0/19 | FDCSERVERS | CZ | FDCSERVERS.NET | FDCSERVERS.NET
2013-10-08 - 83.133.126.55 - svertmagz.biz - For instance: ad81dd113b1667c7d1365506902ea6a0
13237 | 83.133.0.0/16 | LAMBDANET | DE | GREATNET.DE | GREATNET NEW MEDIA.
2013-10-21 - 50.7.193.124 - svoirdwiz.org & svoirdwiz.biz
30058 | 50.7.192.0/19 | FDCSERVERS | CZ | FDCSERVERS.NET | FDCSERVERS.NET

German design, spotted by Malekal:

Kovter DE Design 2013-09-29
</edit3>
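Since the C&C infrastructure above moved several times, a defender checking proxy logs needs the whole timeline, not just the first IP. The script below is an added example (not from the original post) that matches constructed proxy log lines and file hashes against the indicators and dates listed in this post; the log format is an assumption, and the 32-hex-character sample values are assumed to be MD5s.

```python
import re
from ipaddress import ip_address

# C&C indicator -> date it was first reported in the post
C2 = {
    "94.242.206.71": "2013-08-25", "zipwog.biz": "2013-08-25",
    "83.133.110.32": "2013-08-26", "zigwog.info": "2013-08-26",
    "83.133.110.34": "2013-08-30", "sectempus.biz": "2013-08-30", "xvertigo2.biz": "2013-09-14",
    "50.7.193.124": "2013-09-29", "xvertigo3.org": "2013-09-29", "xvertigo3.biz": "2013-09-29",
    "83.133.126.55": "2013-10-08", "svertmagz.biz": "2013-10-08",
    "svoirdwiz.org": "2013-10-21", "svoirdwiz.biz": "2013-10-21",
}
# Sample hashes named in the post (assumed MD5) -> date
SAMPLE_MD5 = {"f64155da0b44520288dadc759197e04c": "2013-09-14",
              "a36bf8f14ddf717029a6d89f4c7f53f3": "2013-09-29",
              "ad81dd113b1667c7d1365506902ea6a0": "2013-10-08"}
# Assumed log format: "<timestamp> <client-ip> <method> <url-or-host:port>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+[A-Z]+\s+(?P<url>\S+)")

def destination(url):
    """Host part of a URL, or of a CONNECT 'host:port' target, lower-cased."""
    host = re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0]
    return host.rsplit(":", 1)[0].lower()

def match_indicator(host):
    """IPs match exactly; domains also match their subdomains (e.g. www.zipwog.biz)."""
    try:
        ip_address(host)
        return host if host in C2 else None
    except ValueError:
        labels = host.split(".")
        return next((c for c in (".".join(labels[i:]) for i in range(len(labels) - 1)) if c in C2), None)

def scan_proxy_log(lines):
    """Return (client, indicator, first_seen_in_post) for every line that hits a C&C indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (ind := match_indicator(destination(m["url"]))):
            hits.append((m["client"], ind, C2[ind]))
    return hits

def check_hashes(md5s):
    """Return the subset of md5s that are samples named in the post, with their dates."""
    return {h.lower(): SAMPLE_MD5[h.lower()] for h in md5s if h.lower() in SAMPLE_MD5}

SAMPLE_LOG = [  # constructed lines, not a real capture
    "2013-09-30T10:01:02Z 10.0.0.5 GET http://www.xvertigo3.org/gate.php",
    "2013-09-30T10:01:03Z 10.0.0.5 CONNECT 50.7.193.124:443",
    "2013-09-30T10:02:00Z 10.0.0.7 GET http://example.com/index.html",
]
```

The first-seen date lets you tell whether a hit predates the infrastructure move it matches, which helps when deciding how far back to hunt.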