The Financial Security Institute of South Korea released a cyber threat intelligence report on Wednesday on Masscan ransomware to help private organizations prepare for upcoming attacks. In addition to attack timelines, the report describes the tactics, techniques, and procedures, or TTPs, of Masscan ransomware in detail.
Unlike other ransomware, Masscan first encrypts desktop and shared network folders while using different encryption algorithms for database and compressed files, the researchers discovered. Once the encryption process is done, it adds “masscan” to the file extension string.
“The attacker stores extension information, encryption-related key information, and ransom note data in separate files and manages them separately to update ransomware and manage the damaged system,” the report stated. “The decryption tool also stores key information as a separate file. Until now, it has been impossible to recover encrypted files with decryption tools without the key information.”
Masscan ransomware has recently made its way to South Korean companies, particularly infiltrating vulnerable database servers, which are often neglected by administrators. According to the Korea Internet & Security Agency, 37 domestic companies reported damage from Masscan from July to September of this year.
On July 17, a taxi service company was infected with Masscan, which paralyzed the company’s networks. The attack interfered with approximately 3,000 taxi drivers’ operations in several cities in South Korea for more than three days. The company allegedly paid the ransom to the hacker and received the decryption key to restore its computer system.
Victims of Masscan ransomware were also reported in the United States, Vietnam, and the Czech Republic. “In order to minimize the surface of attack and handle accidents, firewall policies should be reduced to minimum requirements and companies must identify whether there is any missing or neglected information assets,” recommended the researchers.