RAJU.MSC.MATHEMATICS
On 24-06-2020, some cybersecurity researchers recently found LUCIFER ransomware attacking organization computers that run Windows.
The way of attack is explained in the article below:
Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices
After reading the above article, I took the following precautions.
Step 01
I added the following entries to the hosts file, which is located in C:\windows\system32\drivers\etc\
## Beginning: Block LUCIFER ransomware website addresses, added on 24-06-2020
#
0.0.0.0 pool.supportxmr.com
0.0.0.0 www.yzzswt.com
0.0.0.0 gulf.moneroocean.stream
# End: Block LUCIFER ransomware addresses ===============
Also, I blocked the following remote IP addresses in Windows Advanced Firewall:
Also, I deleted all registry keys under the following paths:
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /f
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /f
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\spreadCpuXmr" /f
reg.exe delete "HKCU\Software\RealVNC\vncviewer\KnownHosts" /f
reg.exe delete "HKCU\Software\RealVNC\vncviewer\MRU" /f
reg.exe delete "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /f
Block .exe, .dll, .txt and .html files using Software Restriction Policy for the following folders:
C:\ProgramData\
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\
%ROOT PATH%
%TEMP%
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
C:\Users\YOURUSERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Note:
After blocking in SRP, some trusted applications are also blocked and cannot run; in that case, add exclusions in SRP.
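The hosts-file, firewall and autostart steps above, collected into one re-runnable PowerShell script. This is an added example and not part of the original post; the domain list is the one given above, the IP list is a constructed placeholder to be filled from the Unit 42 indicators, and the Run/RunOnce pass only reports entries for review.

```powershell
# Added example: apply the sinkhole and firewall blocks idempotently, then audit
# autostart entries. Run from an elevated PowerShell session.
$Domains  = @('pool.supportxmr.com', 'www.yzzswt.com', 'gulf.moneroocean.stream')
$BlockIps = @('192.0.2.10', '192.0.2.11')   # constructed placeholders (TEST-NET-1); replace with the IoC list

# 1. Hosts file: add one sinkhole line per domain, skipping domains already present.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($d in $Domains) {
    $pattern = "^\s*0\.0\.0\.0\s+$([regex]::Escape($d))\s*$"
    if (-not (Select-String -Path $HostsPath -Pattern $pattern -Quiet)) {
        Add-Content -Path $HostsPath -Value "0.0.0.0 $d"
    }
}

# 2. Firewall: one inbound and one outbound block rule carrying the whole IP list.
#    Any earlier rule with the same name is replaced, so re-running stays idempotent.
foreach ($dir in 'Inbound', 'Outbound') {
    $name = "Block Lucifer C2 ($dir)"
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction $dir -Action Block `
        -RemoteAddress $BlockIps -Profile Any | Out-Null
}

# 3. Autostart audit: list Run/RunOnce values whose command points into the folders
#    covered by the SRP step, so they can be reviewed before anything is deleted.
$AutorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Suspicious = '\\ProgramData\\|\\Temp\\|\\Start Menu\\Programs\\Start[Uu]p\\'
foreach ($key in $AutorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider metadata properties
        if ("$($p.Value)" -match $Suspicious) {
            Write-Output ("REVIEW  {0}\{1} = {2}" -f $key, $p.Name, $p.Value)
        }
    }
}
```

Lines printed with REVIEW are candidates for the reg.exe delete step above; flush the DNS cache with ipconfig /flushdns after editing the hosts file so the sinkhole entries take effect immediately.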
The source is taken from:
https://unit42.paloaltonetworks.com/
I thank the authors Ken Hsu, Durgesh Sangvikar, Zhibin Zhang and Chris Navarrete of the article from that forum for their detailed explanation of the ransomware.
Thanks for reading my post. If you like this post, please share it with other users and give it an upvote.