Monday, November 25, 2024

A New Ransomware Dubbed BlackCocaine Uses AES & RSA Encryption Methods

Nucleus Software, an Indian IT company that specializes in the Banking and Financial Services sector, suffered a security breach on May 30, 2021, as reported by the cybersecurity experts at Cyble.

Nucleus Software has already reported this security breach to the Bombay Stock Exchange (BSE) and the National Stock Exchange of India (NSEI).

The company noted that a leak of financial data is unlikely, as Nucleus Software has confirmed that it does not store any financial data of its customers.

During the investigation, the security researchers at Cyble discovered that this cyber attack was executed by the group behind the BlackCocaine ransomware; the image below shows the compromised page of the BlackCocaine ransomware.

Technical Analysis

The analysts assert that Nucleus Software is the first victim of the BlackCocaine ransomware group, and they have also revealed the group's malicious website:

  • hxxp://blackcocaine[.]top/

On May 28, 2021, the above-mentioned domain name was registered by the BlackCocaine ransomware group. The security authorities at Cyble discovered the BlackCocaine ransomware sample files during their routine exercises.

The operators of BlackCocaine ransomware used the MinGW tool to compile the ransomware payload file, which is a UPX-packed 64-bit Windows executable.

The threat actors wrote this malicious executable in the Go language, and the operators behind this attack compiled it on May 29, 2021.
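The three header-level claims above (64-bit, UPX-packed, compile date) can be checked statically from the PE headers. The following is an added example, not code from Cyble or the original article: `triage_pe` and `build_sample` are hypothetical names, the input is a constructed header-only image rather than the real sample, and the UPX hint relies on UPX's default `UPX0`/`UPX1` section names, which a packer operator can rename.

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_AMD64 = 0x8664  # COFF Machine value for x64 images

def triage_pe(data: bytes) -> dict:
    """Static triage: architecture, link timestamp, section names, UPX hint."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    if len(data) < pe_off + 24:
        raise ValueError("truncated COFF header")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size          # section table follows optional header
    names = []
    for i in range(nsect):
        raw = data[table + 40 * i: table + 40 * i + 8]      # 40-byte entry, 8-byte name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "x64": machine == IMAGE_FILE_MACHINE_AMD64,
        "linked": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "sections": names,
        "upx_hint": any(n.startswith("UPX") for n in names),  # default UPX names only
    }

def build_sample(section_names, machine=IMAGE_FILE_MACHINE_AMD64, stamp=1622246400):
    """Constructed header-only image for the demo; not the real sample."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, len(section_names), stamp, 0, 0, 0, 0)
    sects = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sects

if __name__ == "__main__":
    print(triage_pe(build_sample(["UPX0", "UPX1", ".rsrc"])))
```

The link timestamp is attacker-controlled header data, so treat it as a lead to corroborate rather than as proof of the build date.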

After manually extracting the ransomware payload, the experts concluded that the threat actors used various anti-VM and anti-debugging methods to evade security analysis tools and make analysis more complicated.

To perform a file system inventory while encrypting the victim's documents, the BlackCocaine ransomware decrypts Windows APIs. After completing this stage, it automatically appends the “.BlackCocaine” extension to the filename of each encrypted file.

Moreover, the cybersecurity researchers concluded that the operators behind the BlackCocaine ransomware used the AES and RSA encryption methods in this attack.

After the encryption process succeeds, the threat actors drop a ransom note on the infected system:

  • “HOW_TO_RECOVER_FILES.BlackCocaine.txt” 
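The extension and ransom-note name above are enough to scope an incident from a file listing (for example an EDR export or a `dir /s /b` dump). The sweep below is an added example, not part of the original article or of Cyble's report: the function name `sweep` and the sample paths are constructed for illustration, and matching is case-insensitive because Windows file names are.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

ENC_EXT = ".blackcocaine"                        # extension from the article, lower-cased
NOTE = "how_to_recover_files.blackcocaine.txt"   # ransom note from the article, lower-cased

def sweep(paths):
    """Group a file listing by directory and report BlackCocaine artefacts."""
    report = defaultdict(lambda: {"note": False, "encrypted": [], "intact": 0})
    for p in map(PureWindowsPath, paths):
        entry = report[str(p.parent)]
        name = p.name.lower()
        if name == NOTE:                         # the note ends in .txt, so test it first
            entry["note"] = True
        elif name.endswith(ENC_EXT):
            # Strip the appended extension to recover the original file name.
            entry["encrypted"].append(p.name[:-len(ENC_EXT)])
        else:
            entry["intact"] += 1
    # Only directories that show at least one artefact are worth an analyst's time.
    return {d: e for d, e in report.items() if e["note"] or e["encrypted"]}

# Constructed sample listing (hypothetical paths, not taken from the incident).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.BlackCocaine",
    r"C:\Users\alice\Documents\notes.txt.blackcocaine",
    r"C:\Users\alice\Documents\HOW_TO_RECOVER_FILES.BlackCocaine.txt",
    r"C:\Users\alice\Pictures\cat.jpg",
    r"D:\share\HOW_TO_RECOVER_FILES.BlackCocaine.txt",
    r"D:\share\readme.md",
]

if __name__ == "__main__":
    for directory, entry in sweep(SAMPLE_LISTING).items():
        print(directory, entry)
```

A directory that holds the note but still has intact files, like `D:\share` in the sample, suggests encryption there was interrupted or skipped and is a good place to check backups first.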

Recommendations

The experts have suggested a few recommendations, listed below:

  • Always use the shared IoCs to track and block the malware infection.
  • Use strong passwords.
  • Use multi-factor authentication.
  • Turn on automatic software updates.
  • Use security tools.
  • Avoid opening untrusted links and email attachments.
  • Use the service provided by the AmiBreached.com portal to track your exposure in the Darkweb.

The BlackCocaine ransomware is one of the active and sophisticated malware strains; however, to lock the data and demand a ransom from the victim, BlackCocaine uses the same standard server-side encryption method.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
