Financial security researchers dissected Masscan ransomware

By Dain Oh, The Readable
Dec. 14, 2022 8:00PM KST

The Financial Security Institute of South Korea released a cyber threat intelligence report on Wednesday regarding Masscan ransomware in an effort to prepare private organizations for upcoming attacks. In addition to attack timelines, the report describes the tactics, techniques, and procedures, or TTPs, of Masscan ransomware in detail.

Unlike other ransomware, Masscan first encrypts desktop and shared network folders while using different encryption algorithms for database and compressed files, the researchers discovered. Once the encryption process is done, it adds “masscan” to the file extension string.

“The attacker stores extension information, encryption-related key information, and ransom note data in separate files and manages them separately to update ransomware and manage the damaged system,” the report stated. “The decryption tool also stores key information as a separate file. Until now, it has been impossible to recover encrypted files with decryption tools without the key information.”

Masscan ransomware has recently made its way to South Korean companies, particularly by infiltrating vulnerable database servers, which are often neglected by administrators. According to the Korea Internet & Security Agency, 37 domestic companies reported damage from Masscan from July to September of this year.

On July 17, a taxi service company was infected with Masscan, which paralyzed the company's networks. The attack interfered with approximately 3,000 taxi drivers’ operations in several cities in South Korea for more than three days. The company allegedly paid the ransom to the hacker and received the decryption key to restore its computer system.

Victims of Masscan ransomware were also reported in the United States, Vietnam, and the Czech Republic. “In order to minimize the surface of attack and handle accidents, firewall policies should be reduced to minimum requirements and companies must identify whether there is any missing or neglected information assets,” recommended the researchers.

The cover image of this article was designed by Areum Hwang.

Dain Oh is an award-winning cybersecurity journalist based in South Korea and the founding editor-in-chief of The Readable by S2W. Before joining S2W, she worked as a reporter for The Electronic Times, the top IT newspaper in Korea, covering the cybersecurity industry on an in-depth level. She reported numerous exclusive stories, and her work related to the National Intelligence Service led to her being honored with the Journalist of the Year Award in 2021 by the Korea Institute of Information Security and Cryptology in a unanimous decision. She was also the first journalist to report on the hacking of vulnerable wallpads in South Korean apartments, which later became a nation-wide issue.