2013-08-25 - Landscape
Prism themed ransomware - Kovter evolution
Prism logo ;)
I found a new (to me; it seems to be about 2 weeks old) Prism-themed ransomware. Not really worth a post, but it could make you smile too... so here it is:
Prism Themed Ransomware - 2013-08-25 (Kovter.???)
Fiddler Trace of Infection + Design Gathering
History check (against a list that is now encoded)
Ransomware C&C:
94.242.206.71
5577 | 94.242.192.0/18 | ROOT | LU | ROOT.LU | ROOT SA
Registrant Name: Vladislav Krasnov
Registrant Address1: Kahovskaya st. 31
Registrant City: Perm
Registrant State/Province: Permskaya oblast
Registrant Postal Code: 614109
Registrant Phone Number: +7.9145023291
Registrant Email: [email protected]
<edit2 2013-08-26>
After CIRCL action, their failover reverse proxy in Germany is being used:
83.133.110.32
13237 | 83.133.0.0/16 | LAMBDANET | DE | GREATNET.DE | GREATNET NEW MEDIA.
zigwog.info
</edit2>
<edit3>
2013-08-30 - 83.133.110.34 - sectempus.biz
2013-09-14 - 83.133.110.34 - xvertigo2.biz - For instance : f64155da0b44520288dadc759197e04c
2013-09-29 - 50.7.193.124 - xvertigo3.org & .biz - For instance : a36bf8f14ddf717029a6d89f4c7f53f3
30058 | 50.7.192.0/19 | FDCSERVERS | CZ | FDCSERVERS.NET | FDCSERVERS.NET
2013-10-08 - 83.133.126.55 - svertmagz.biz - For instance : ad81dd113b1667c7d1365506902ea6a0
13237 | 83.133.0.0/16 | LAMBDANET | DE | GREATNET.DE | GREATNET NEW MEDIA.
2013-10-21 - 50.7.193.124 - svoirdwiz.org & svoirdwiz.biz
30058 | 50.7.192.0/19 | FDCSERVERS | CZ | FDCSERVERS.NET | FDCSERVERS.NET
German design: spotted by Malekal
Kovter DE Design 2013-09-29
</edit3>
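The C&C timeline above is written in a loose "date - ip - domain(s) - For instance : md5" shorthand, with the BGP line for the hosting range underneath, and short forms like "xvertigo3.org & .biz" for sibling domains. The following is an added example (not code from the original post) that parses those lines exactly as they appear into structured sightings, attaches the ASN by CIDR membership of the IP, and offers a lookup so an observed IP, hostname or file MD5 can be checked against the list. The indicator lines are the page's own; the data-class field names and the `match` helper are this example's choices.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Timeline and ASN lines copied from the post's <edit3> block (page data, not constructed).
TIMELINE = """\
2013-08-30 - 83.133.110.34 - sectempus.biz
2013-09-14 - 83.133.110.34 - xvertigo2.biz - For instance : f64155da0b44520288dadc759197e04c
2013-09-29 - 50.7.193.124 - xvertigo3.org & .biz - For instance : a36bf8f14ddf717029a6d89f4c7f53f3
30058 | 50.7.192.0/19 | FDCSERVERS | CZ | FDCSERVERS.NET | FDCSERVERS.NET
2013-10-08 - 83.133.126.55 - svertmagz.biz - For instance : ad81dd113b1667c7d1365506902ea6a0
13237 | 83.133.0.0/16 | LAMBDANET | DE | GREATNET.DE | GREATNET NEW MEDIA.
2013-10-21 - 50.7.193.124 - svoirdwiz.org & svoirdwiz.biz
30058 | 50.7.192.0/19 | FDCSERVERS | CZ | FDCSERVERS.NET | FDCSERVERS.NET
"""

# "ASN | CIDR | AS name | ..." as printed by the post's BGP lookups.
ASN_RE = re.compile(r"^(\d+)\s*\|\s*([\d./]+)\s*\|\s*([^|]+?)\s*\|")
# "date - ip - domains [- For instance : md5]"; the domain part is non-greedy so the
# optional sample hash is not swallowed into it.
SIGHT_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s*-\s*([\d.]+)\s*-\s*(.+?)"
    r"(?:\s*-\s*For instance\s*:\s*([0-9a-fA-F]{32}))?\s*$"
)


@dataclass
class Sighting:
    date: str
    ip: str
    domains: List[str]
    sample_md5: Optional[str] = None
    asn: Optional[str] = None
    as_name: Optional[str] = None


def expand_domains(text: str) -> List[str]:
    """Expand the post's shorthand: "xvertigo3.org & .biz" -> both full hostnames."""
    out: List[str] = []
    for part in (p.strip().lower() for p in text.split("&")):
        if part.startswith(".") and out:
            base = out[-1].rsplit(".", 1)[0]      # reuse the previous label
            out.append(base + part)
        elif part:
            out.append(part)
    return out


def parse_timeline(text: str) -> List[Sighting]:
    sightings: List[Sighting] = []
    ranges = []                                    # (network, asn, as_name)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ASN_RE.match(line)
        if m:
            ranges.append((ipaddress.ip_network(m.group(2)), m.group(1), m.group(3)))
            continue
        m = SIGHT_RE.match(line)
        if m:
            md5 = m.group(4).lower() if m.group(4) else None
            sightings.append(Sighting(m.group(1), m.group(2), expand_domains(m.group(3)), md5))
    # Attach the ASN by CIDR membership rather than by line adjacency, so a range
    # listed once (e.g. 83.133.0.0/16) also covers earlier IPs in it.
    for s in sightings:
        addr = ipaddress.ip_address(s.ip)
        for net, asn, name in ranges:
            if addr in net:
                s.asn, s.as_name = asn, name
                break
    return sightings


def build_index(sightings: List[Sighting]) -> Dict[str, Dict[str, List[Sighting]]]:
    idx: Dict[str, Dict[str, List[Sighting]]] = {"ip": {}, "domain": {}, "md5": {}}
    for s in sightings:
        idx["ip"].setdefault(s.ip, []).append(s)
        for d in s.domains:
            idx["domain"].setdefault(d, []).append(s)
        if s.sample_md5:
            idx["md5"].setdefault(s.sample_md5, []).append(s)
    return idx


def match(idx, value: str) -> List[Sighting]:
    """Sightings an observed IP, hostname or MD5 is tied to; empty list if unknown."""
    v = value.strip().lower()
    if re.fullmatch(r"[0-9a-f]{32}", v):
        return idx["md5"].get(v, [])
    if v in idx["ip"]:
        return idx["ip"][v]
    return idx["domain"].get(v, [])


if __name__ == "__main__":
    index = build_index(parse_timeline(TIMELINE))
    for observed in ("50.7.193.124", "xvertigo3.biz", "a36bf8f14ddf717029a6d89f4c7f53f3", "example.org"):
        hits = match(index, observed)
        print(observed, "->", [(h.date, h.asn, h.as_name) for h in hits] or "no match")
```

Matching is exact on hostname and IP; a resolver-side check (does a host currently resolve to one of these IPs) is deliberately left out, since the post shows the operators moving between ranges within weeks and a stale resolution would mislead.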
File:
e1988e7512bb18dc0e3ed946ca466d0f - Sample here (OwnCloud via Goo.gl)
407886c0ad30f4152428e7c99536bbaa
3f09fbc368f17edb61193d5db5ee0749 - 2013-08-30