Written by: Maor Huli

The ransomware introduced in July is:

1. Loki
2. BlueSky
3. Babuk
4. LockBit 3.0
5. Matrix

EXECUTIVE SUMMARY

As an integral department in Cynet’s research team, Orion works around the clock to track threat intelligence resources, analyze payloads, and automate labs to protect our customers against the newest ransomware variants. In these monthly reports, Orion reviews the latest trends identified in Bleeping Computer — the most up-to-date website that summarizes the newest ransomware variants — and shares how Cynet detects against these threats.

CYNET 360 AutoXDR™ VS RANSOMWARE

Loki Ransomware

• Observed since: Late 2021
• Ransomware encryption method: AES + RSA
• Ransomware extension: .PayForKey
• Ransomware note: Restore-My-Files.txt
• Sample hash: f2522a56f9416eb701afc1773c08e9a3cc9143c8880954140e515f66a0028637

Cynet 360 AutoXDR™ Detections:

Loki Overview

Loki ransomware renames the encrypted files with .PayForKey, along with the attacker’s email and the host ID in the extension.

The ransomware also encrypts the entire Drive C: (the system drive):

Eventually, it shuts down the computer and locks out the user until a payment:

Once a computer’s files have been encrypted and renamed, it drops a note as Restore-My-Files.txt:

The ransomware note contains general information, warnings, and the attacker’s email address:

Before shutting down, the ransomware also changes the desktop background:

BlueSky Ransomware

• Observed since: 2022
• Ransomware encryption method: AES + RSA
• Ransomware extension: .bluesky
• Ransomware note: # DECRYPT FILES BLUESKY #.txt | .html
• Sample hash: 3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb

Cynet 360 AutoXDR™ Detections:

BlueSky Overview

BlueSky ransomware renames the encrypted files with .bluesky in the extension:

Once a computer’s files have been encrypted and renamed, it attempts to drop the ransomware note named # DECRYPT FILES BLUESKY #.txt | .html:

That ransomware note contains general information, warnings, and the attacker’s tor website:

Babuk Ransomware

• Observed since: Early 2021
• Ransomware encryption method: AES + RSA
• Ransomware extension: .again
• Ransomware note: How To Restore Your Files.txt
• Sample hash: 047a6c39806168e7e66b2ef2297b7019cc9e53364dc6b3ec3af830f9eea1f798

Cynet 360 AutoXDR™ Detections:

Babuk Overview

Babuk ransomware renames the encrypted files with .again in the extension:

Once a computer’s files have been encrypted and renamed, it drops a note named: How To Restore Your Files.txt:

The ransom note contains only a tor website with a chat token to contact the attacker:

LockBit 3.0 Ransomware

• Observed since: Mid 2022
• Ransomware encryption method: AES + RSA
• Ransomware extension: .[a-zA-Z0-9]{9}
• Ransomware note: [a-zA-Z0-9]{9}.readme.txt
• Sample hash: 80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce

Cynet 360 AutoXDR™ Detections:

LockBit 3.0 Overview

LockBit 3.0 needs to execute by a specific method for it to work,

The executable needs to be renamed to “{04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe” and needs to be executed with the following parameters:

“-k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a” via CMD or PowerShell:

LockBit 3.0 ransomware renames the encrypted files with .(9 characters) in the extension:

Once a computer’s files have been encrypted and renamed, it drops a note as (9 characters).readme.txt:

Upon execution, it immediately encrypts the endpoint and drops the ransomware note. The ransomware note contains general information, warnings, and several attacker’s links:

Matrix Ransomware

• Observed since: Late 2016
• Ransomware encryption method: AES + RSA
• Ransomware extension: .KOK08
• Ransomware note: !README_KOK08!.rtf
• Sample hash: 1006bb0f89f4780fb9920bff1b6692f6f0cc921fd7d561f6e0ecea501543a5cb

Cynet 360 AutoXDR™ Detections:

Matrix Overview

Matrix ransomware renames the encrypted files with .KOK08 in the extension:

Once a computer’s files have been encrypted and renamed, it drops a note as !README_KOK08!.rtf:

Upon execution, it immediately encrypts the endpoint and drops the ransomware note. The ransomware note contains general information, warnings, and the attacker’s emails: