Decrypt LOL

Emergence of Elpaco Ransomware Raises Cybersecurity Concerns

Quick take - The emergence of the Elpaco ransomware variant, part of the Mimic family, has raised cybersecurity concerns due to its sophisticated methods of exploiting vulnerabilities, encrypting user data, and evading detection.

Fast Facts

  • Elpaco ransomware, part of the Mimic family, exploits vulnerabilities like CVE-2020-1472 (Zerologon) to gain unauthorized access and encrypt user data, demanding ransom payments.
  • Attackers use Remote Desktop Protocol (RDP) for initial access, employing brute force attacks to compromise servers.
  • The malware packages a legitimate file search engine, Everything, within a 7-Zip installer, complicating detection by mixing legitimate and malicious components.
  • Elpaco utilizes multi-threaded encryption with the ChaCha20 cipher and RSA-4096 for key protection, while logging activities in MIMIC_LOG.txt and deleting executables post-execution to evade detection.
  • Detected in multiple countries since August 2023, Elpaco’s tactics include network share discovery and command execution, prompting the development of YARA rules for improved detection and prevention strategies.

The Emergence of Elpaco Ransomware

The emergence of the Elpaco ransomware variant, a part of the Mimic ransomware family, has raised significant cybersecurity concerns. This sophisticated malware exploits vulnerabilities to gain unauthorized access and encrypt user data, demanding ransom payments from victims.

Attack Vector and Methodology

The attackers initially accessed the victim’s server through Remote Desktop Protocol (RDP) following a successful brute force attack. They elevated their privileges by exploiting the CVE-2020-1472 vulnerability, commonly known as Zerologon.

The Elpaco ransomware is particularly notable for its use of the Everything library, a legitimate file search engine, which it packages within a 7-Zip installer. The packaging is itself a red flag for detection tools, since the installer bundles legitimate applications alongside a password-protected archive that houses the malicious payloads.

Upon execution, Elpaco performs several malicious actions. It unpacks and drops the files it needs into a directory named with a randomly generated UUID. The main binary, svhostss.exe, mimics the name of the legitimate svchost.exe process to evade detection. The malware also creates a session key file named session.tmp, allowing it to resume the encryption process if interrupted. To further complicate detection efforts, the malware ships a GUI named gui40.exe, which lets operators customize ransomware properties, select drives for encryption, and inject into processes to hide malicious activity.

Encryption and Evasion Techniques

Elpaco employs multi-threaded encryption for efficiency, utilizing the ChaCha20 stream cipher to encrypt files. The encryption key is protected by RSA-4096. All actions taken by the ransomware are logged in a file named MIMIC_LOG.txt. The malware is designed to delete its executables and configuration files after execution to avoid detection.

The presence of Elpaco has been reported in various countries, including the United States, Russia, the Netherlands, Germany, and France. Its activities have been noted since at least August 2023. Kaspersky products have identified Elpaco, providing specific verdicts related to its dropper and console interface.

Response and Mitigation Strategies

In response to this threat, YARA rules have been developed for detecting both the Elpaco dropper and its console interface. These rules focus on file types, relevant strings, and library imports. Elpaco’s tactics, techniques, and procedures (TTPs) include network share discovery, command execution, data encryption, and various methods to evade defense mechanisms.
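As an added illustration of the kind of rule the article refers to (written for this page, not one of Kaspersky's rules), the following YARA rule keys on the file type and the artifact names the write-up lists. The Everything SDK DLL names and the assumption that these strings survive in the unpacked components (they will not be visible inside the password-protected archive) are assumptions of this example.

```yara
rule Elpaco_Mimic_Components_Illustrative
{
    meta:
        description = "Illustrative triage rule for Elpaco/Mimic components, built from artifact names in the write-up"
        confidence  = "low: artifact names are assumed to appear as plain strings in the unpacked binaries"

    strings:
        // Artifact names the write-up attributes to Elpaco / Mimic
        $log     = "MIMIC_LOG.txt" ascii wide
        $svc     = "svhostss.exe"  ascii wide nocase
        $session = "session.tmp"   ascii wide
        $gui     = "gui40.exe"     ascii wide nocase

        // Everything SDK library names (assumption: bundled alongside the payload)
        $ev64    = "Everything64.dll" ascii wide nocase
        $ev32    = "Everything32.dll" ascii wide nocase

    condition:
        // File type: a PE image (MZ header)
        uint16(0) == 0x5A4D
        // At least two Mimic-specific artifact names, or one plus an Everything DLL reference
        and (
            2 of ($log, $svc, $session, $gui)
            or (1 of ($log, $svc, $session, $gui) and 1 of ($ev64, $ev32))
        )
}
```

A hit is a triage signal, not a verdict: confirm by checking for the UUID-named drop directory, session.tmp and MIMIC_LOG.txt on the host, since the binaries delete themselves after execution.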

As cybersecurity experts continue to analyze this growing threat, the need for robust detection and prevention strategies remains paramount in safeguarding sensitive data from ransomware attacks.
