In late January 2018, the South Korean emergency response team (KrCERT) published a detailed report on how a flaw in Adobe Flash Player was being used in targeted attacks against the servers of several of the country's state agencies. The vulnerability affected Flash Player 28.0.0.137 and earlier versions. The report further showed that the payload delivered through the exploit was spread via Office documents sent and opened as email attachments. Word documents were the natural lure: they make up nearly 70% of the daily correspondence between South Korean government agencies.
Only a week after the report, spam campaigns began targeting South Korean civilians. These are not believed to be the same attackers who used the Flash flaw against the state agencies, but rather another group reusing the same technique. Spam campaigns as a way to widen the distribution of ransomware are nothing new; what surprised the authorities was that a fake Flash update was being used to gain easier access.
The technique used in this instance is most likely the GreenFlash Sundown exploit kit. It combines the Flash exploit with the Hermes ransomware payload, and the lure reaches users as a spam message dressed up as an offer of a Flash update. A similar technique was used in an attack on a Taiwanese bank believed to have been carried out by a North Korean group, which used the same exploit kit attached to an Office update.
The first report of a civilian being affected came on 28 February 2018. By 13 March, the number of people reporting a similar attack had risen into the thousands. Authorities have identified the redirection code injected into the JavaScript libraries of the affected site: it redirects the visitor's browser to an OpenX ad server, from which the exploit kit is served, and the Hermes payload then encrypts the files on the victim's computer. The cipher reported for this ransomware is RC4.
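A site owner who wants to check whether their pages carry the kind of injected redirector described above can scan the served HTML and inline JavaScript for loads and redirects that leave an allowlist of expected hosts. The following is an added example, not code from the original post or from any of the parties it mentions; the sample page, the host names and the allowlist are constructed for the example, and the OpenX path heuristic only covers the well-known delivery script names.

```python
"""Flag script/iframe loads, dynamic src assignments and location redirects
that point at hosts outside an allowlist, as a check for injected redirectors
of the kind used in malvertising chains. Added example; hosts are constructed."""
import re
from urllib.parse import urlparse

# Hosts the site is expected to load content from (assumption for this example).
TRUSTED_HOSTS = {"www.example-news.kr", "cdn.example-news.kr"}

# src="..."/data="..." on <script>, <iframe> and <embed> tags, including tags that
# appear inside JavaScript strings handed to document.write().
TAG_SRC_RE = re.compile(
    r"<(?P<tag>script|iframe|embed)\b[^>]*?\b(?:src|data)\s*=\s*[\"']?"
    r"(?P<url>https?://[^\s\"'>]+)",
    re.I,
)

# element.src = '...' and location / location.href = '...' assignments in JS.
JS_ASSIGN_RE = re.compile(
    r"(?P<what>\.src|location(?:\.href)?)\s*=\s*[\"'](?P<url>https?://[^\"']+)[\"']"
)

# Classic OpenX/Revive delivery endpoints: iframe, async JS and Flash detection.
OPENX_PATH_RE = re.compile(r"/www/delivery/(?:afr\.php|ajs\.php|fl\.js)", re.I)


def find_external_loads(html, trusted=TRUSTED_HOSTS):
    """Return sorted (kind, host, url) tuples for loads/redirects to untrusted hosts."""
    candidates = set()
    for m in TAG_SRC_RE.finditer(html):
        candidates.add((m.group("tag").lower(), m.group("url")))
    for m in JS_ASSIGN_RE.finditer(html):
        kind = "redirect" if m.group("what").startswith("location") else "dynamic-src"
        candidates.add((kind, m.group("url")))

    findings = []
    for kind, url in candidates:
        host = urlparse(url).hostname or ""
        if host not in trusted:
            findings.append((kind, host, url))
    return sorted(findings)


def looks_like_openx(url):
    """True when the URL path matches an OpenX-style ad delivery endpoint."""
    return bool(OPENX_PATH_RE.search(url))


# Constructed sample: a legitimate site whose minified library has grown a
# hidden-iframe redirector to an ad server, plus a fake "Flash update" redirect.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-news.kr/js/site.min.js"></script>
<script>
/* tail of site.min.js as served from the compromised host (constructed) */
var f=document.createElement('iframe');f.style.display='none';
f.src='http://ads.example-openx.test/www/delivery/afr.php?zoneid=7';
document.body.appendChild(f);
</script>
</head><body>
<iframe src="https://www.example-news.kr/embed/weather"></iframe>
<script>if(navigator.plugins.length)location.href='http://update.flash-example.test/install.html';</script>
</body></html>"""

if __name__ == "__main__":
    for kind, host, url in find_external_loads(SAMPLE_PAGE):
        tag = " [openx delivery path]" if looks_like_openx(url) else ""
        print(f"{kind:12} {host:28} {url}{tag}")
```

Run it against the HTML as the browser actually receives it (a fetched copy, not the files in the repository), since the injection in this case lived in the served JavaScript library rather than in the site's own source tree.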
For assistance with file recovery and Hermes ransomware removal, please contact MonsterCloud, cyber security experts in professional ransomware removal.