Ransomware MongoLock Immediately Deletes Files, Formats Backup Drives

We have been following a new wave of MongoLock ransomware attacks that immediately deletes files upon infection instead of encrypting it, and further scans for other available folders and drives for file deletion. In the wild since December 2018, the ransomware demands a payment of 0.1 bitcoin from victims within 24 hours to retrieve the files allegedly saved in the cybercriminals’ servers. Examining more than 200 samples, our telemetry showed the highest number of infections in South Korea, Great Britain, the United States, Argentina, Canada, Germany, Taiwan and Hong Kong. Trend Micro machine learning and behavioral detection technology proactively blocked this ransomware at the time of discovery.

Routine and Behavior

Reminiscent of the MongoLock attacks in September 2018, we found this particular campaign also targeting databases with weak security settings. Further, we found this ransomware being hosted on PythonAnywhere, a Python-based online integrated development environment (IDE) and web hosting service. Accessing hxxp://update.pythonanywhere.com/d, it downloads an executable file named update.exe, while accessing hxxp://update.pythonanywhere.com redirects the user to a mimicked page of a gaming site written in Chinese. As of publishing, the site remains live, and the cybercriminals frequently change the ransomware samples on the website. Any host using hxxp://{user-defined}.pythonanywhere.com may be vulnerable to abuse.

[Read: New multi-platform Xbash packs obfuscation, ransomware, coinminer, worm, and botnet]

As opposed to commonly observed ransomware routines wherein files are encrypted, this variant deletes important data found in drives A and D and drops the ransom note in the database.

Figure 1. Ransom note left in the database of MongoLock-infected units.

The ransomware scans and then deletes files found in the Documents, Desktop, Recent, Favorites, Music, Videos, and Recycle Bin folders, and formats the available backup drives. According to the ransom note, copies of the deleted files are uploaded to a URL using an encrypted HTTPS protocol, and we traced the email and command and control (C&C) server hosted in a ToR network. File deletion continues after the infected computer is offline, making the files unrecoverable. Analyzing the sandbox, we found no trace of the database scans and searches, which may imply that the deleted data only affects the physical files found in the specified directories.

[Read: Evolution of Cybercrime]

Following the recent Ryuk ransomware attacks that reportedly halted printing operations of major newspapers in the US, we will continue to follow and investigate this campaign. We suspect that the cybercriminals are still studying the industries and techniques where they can get the most profit, and advise enterprises to revisit and ensure that their security policies and procedures are in place. Administrators are advised to review their online database and server settings to secure them accordingly. To defend against this threat:

  • Update your systems and software to prevent cybercriminals from abusing possible entry points and infection channels.
  • Practice the 3-2-1 system.
  • Use a multi-layered security solution that can scan and block malicious URLs.

[Read: Bridging cybersecurity gaps with managed detection and response]

Trend Micro Solutions

Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centerscloud environmentsnetworks, and endpoints. It infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

 Indicators of Compromise

 

SHA256

Detection

698be23b36765ac66f53c43c19ea84d9be0c3d7d81983726724df6173236defa

RANSOM.WIN32.MONGOLOCK.THOAOBAI


Malicious domains/URLs:
  • hxxp://update.pythonanywhere.com/d (Arrival vector)
  • hxxps://s.rapid7.xyz / 104.27.178.191 (C&C)


 With additional insights from Matthew Camacho and Paul Pajares

 Update as of January 9, 2019, 7 pm PST:

PythonAnywhere has removed the site.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.