Category Archives: Ransomware Family

CERBER Ransomware Hidden C2 Servers Traffic and Malware Analysis

Cerber ransomware has been one of the most prolific crimeware botnets to have arisen; it is currently generating an estimated $2.5 million a year, and rising. Once infected, your content is encrypted and held for ransom, as the name implies. You will see an image popup with instructions on how to reclaim your data… Read More »


Malspam E-mail Leads to Ransomware Cerber/Zerber Infection TRAFFIC SAMPLE

Example of files that were encrypted and protected:

The domain name ftoxmpdipwobp4qy.joa688.top was NX and not required for the purchase process.

2016-12-16 01:29:05.256362 IP 192.168.1.102.50104 > 72.167.232.152.80: Flags [P.], seq 0:303, ack 1, win 256, length 303: HTTP: GET //up1/1/4fv3b5.exe HTTP/1.1
E..W..@……..fH……P.n……P…….GET //up1/1/4fv3b5.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0… Read More »


BRO vs Snort IDS Locky Ransomware tcpdump Traffic Sample Data Packet Analysis

(PCAP and binary samples available with their usual password and location) Bro and Snort are completely different types of applications, although they are commonly compared against one another. From a network security standpoint, Snort can’t do much to detect new malware variants, obfuscation TTPs and other non-low-hanging fruit we haven’t created a signature for.… Read More »


CryptoDefense Ransomware PCAP Traffic Sample Malware – How to decrypt your files

Solution – Step 1 – Install this free trial of Kaspersky to remove the malware

Solution – Step 2 – Don’t pay the ransom; there is a solution for CryptoDefense and CryptoLocker. This below is from bleepingcomputer.com:

How to restore files encrypted by CryptoDefense using the Emsisoft Decryptor

If you were infected before… Read More »


HISTORICAL Malware Sample – CryptoLocker Ransomware – Traffic Sample Indicators Analysis

2012-10-04 09:29:31.118093 IP 192.168.248.165.53 > 4.2.2.2.53: 16567+ A? jbtuehcyosios.info. (36)
E..@.L….y……….5.5.,r\@………..^Mjbtuehcyosios.info…..
2012-10-04 09:29:31.159025 IP 8.8.8.8.53 > 192.168.248.165.53: 16567 NXDomain 0/1/0 (96)
E..|.x……………5.5.h..@………..^Mjbtuehcyosios.info………….. .0.a0.info.afilias-nst…noc.8w.v……….  :…..
2012-10-04 09:29:31.159472 IP 192.168.248.165.53 > 8.8.8.8.53: 60444+ A? jbtuehcyosios.info.localdomain. (48)
E..L.O….n……….5.5.8A………….^Mjbtuehcyosios.info.localdomain…..
2012-10-04 09:29:31.159555 IP 192.168.248.165.53 > 4.2.2.2.53: 60444+ A? jbtuehcyosios.info.localdomain. (48)
E..L.P….x……….5.5.8K………….^Mjbtuehcyosios.info.localdomain…..
2012-10-04 09:29:31.168602 IP 4.2.2.2.53 > 192.168.248.165.53: 60444 NXDomain 0/1/0… Read More »
