
NotPetya Ransomware was Linked to Telebots

October 21, 2018, by Simeon Georgiev

Digital forensics experts Robert Lipovsky and Anton Cherepanov have shared their insights on NotPetya ransomware. They believe there is an affiliation between BlackEnergy and NotPetya.

In 2015, the BlackEnergy malware shut down many parts of Ukraine. According to Lipovsky and Cherepanov, both NotPetya and BlackEnergy contain an identical tool, KillDisk encryption. This type of encryption is common to all attacks by Telebots, the cybercriminal group behind BlackEnergy.

The experts explained that the final phase of a Telebots attack used the KillDisk tool to modify and overwrite files, changing file extensions in the process. It was also found that the epidemic spread through a backdoor that Telebots had installed in the financial application M.E.Doc, which is widely used in Ukraine's corporate and governmental sectors for finance-related operations.

It was also found that the 2016 power grid attack in Ukraine contained traces of code tying it to Industroyer, a malware known for attacking industrial control systems. At the time, the connection could not be established, but security analysts recently found striking resemblances between all of these attacks during a ransomware removal investigation. As a result, Telebots is positioned as the mastermind behind all the major cyber mayhem in Ukraine since 2015.

What's more, the latest virus created by Telebots, Win32/Exaramel, is another variant of Industroyer with a few new features. When Win32/Exaramel enters a system, it duplicates files and encrypts them; the duplicated files are then sent to a command and control server. A Windows service named Wsmprovav, with the description "Windows Check AV", is used as the dropper by Win32/Exaramel. Experts theorize that a separate attack method is reserved for each victim, depending on its cyber defenses.
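A defender's check for the dropper indicators just described, added here as an example and not part of the original article: it enumerates installed Windows services and reports any whose name is Wsmprovav or whose description contains "Windows Check AV", the two values the article reports. The property names are standard Win32_Service fields; the matching rule and the function name are my own assumptions.

```powershell
# Added example (not from the article): look for a service matching the
# Win32/Exaramel dropper indicators reported above (name and description).
function Find-ExaramelDropperService {
    param(
        # Indicator values taken from the article's description of the dropper.
        [string]$ServiceName = 'Wsmprovav',
        [string]$DescriptionFragment = 'Windows Check AV'
    )

    # Win32_Service exposes the name, description, binary path and start mode
    # of every installed service, which is what an analyst needs for triage.
    $services = Get-CimInstance -ClassName Win32_Service

    $hits = $services | Where-Object {
        $_.Name -eq $ServiceName -or
        ($_.Description -and $_.Description -like "*$DescriptionFragment*")
    }

    foreach ($svc in $hits) {
        # Emit an object per hit so results can be filtered or exported
        # (for example, piped to Export-Csv during an investigation).
        [PSCustomObject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            Description = $svc.Description
            PathName    = $svc.PathName    # binary the service launches
            StartMode   = $svc.StartMode   # Auto/Manual/Disabled
            State       = $svc.State       # Running/Stopped
            StartName   = $svc.StartName   # account the service runs as
        }
    }
}

# Usage: run on the host under review; no output means no matching service.
Find-ExaramelDropperService | Format-Table -AutoSize
```

A match is a lead, not a verdict: confirm by checking the binary at PathName against a known-good hash and the service's creation time in the System event log before acting.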

Simeon Georgiev
https://www.linkedin.com/in/simeon--georgiev/
I am a Cyber Security Enthusiast from Bulgaria. I like to write about malware and ransomware and global cyber attacks. You can reach me on Twitter @sgeorgiev1995 or Email: [email protected]