VMRay

Save the date: Make sure to see VMRay Software Engineer, @c1truz_ presentation “Dissecting Rotten Apples” at #Nullcon2020. Get an in-depth look at the macOS operating system from a malware analyst’s perspective. Register here: https://hubs.ly/H0mTydt0 pic.twitter.com/1U8rCILGKe

[Hiring] If you have a passion for UX then this job is for you! This role will lead our user experience design and strategy. Apply today! https://hubs.ly/H0mRZBZ0 pic.twitter.com/R7K06Egdlw

[Blog] Sandbox Evasion Techniques: Understanding Context Aware #Malware https://hubs.ly/H0mPMlz0 pic.twitter.com/3r1Q1K8bCj

[New Blog] 2020 Outlook: Evaluating the Threat Landscape at the Dawn of a New Decade. Featuring insights from our technology partners: @vmw_carbonblack, @ThreatConnect, @swimlane and @GDATA Cyberdefense. https://hubs.ly/H0mPMCk0 pic.twitter.com/dgVjSMyHQ4

Horton looked towards VMRay & @EclecticIQ They were in talks about a party, with food & some brew How fun! Horton thought – he was excited To network with his peers – they could all be united What do you say? Does this sound like fun? You better sign up now before it's all done!pic.twitter.com/igWaabQLuq

At the end of the analysis, VMRay Analyzer takes a memory dump of the sample before it terminates. In this unpacked binary, we can see Xorist string.pic.twitter.com/FvZ8Ug04on

Xorist does not have a C2, and the key is hardcoded. To get the key, victims would have to contact the attacker by phone, but the free decryptor released by Emsisoft in 2016 still works and is downloadable from NoMoreRansom. https://www.nomoreransom.org/en/decryption-tools.html …pic.twitter.com/9UbOw6Q0y6

The “.EnCiPhErEd” suffix is added to all encrypted files. When the victim opens an encrypted file a prompt to enter the decryption key will appear.pic.twitter.com/CSqMc6S6fW

Xorist adds itself to the registry for persistence and creates a new command for the suffix “.EnCiPhErEd” that opens the ransomware again.pic.twitter.com/mBs8WDi71S

In the extracted strings of Xorist ransomware, the following suffixes are targeted. https://www.vmray.com/analyses/307020697b1a/report/behavior_grouped.html …pic.twitter.com/p7uQTiiG83

VMRay’s Reputation Engine recognizes the sample as “Win32.Trojan.Xorist” and our VTI rules classify it as ransomware because it renames multiple user files.pic.twitter.com/fRw8aAc3Mw

[#Malware Analysis] Xorist ransomware doesn’t have a C&C server. Instead, #Xorist relies on the victim sending an SMS message to a Chinese phone number. https://www.vmray.com/analyses/307020697b1a/report/overview.html … https://twitter.com/raby_mr/status/1219494565712785409 …pic.twitter.com/JK3VIHrkby

.@expel_io Sr. Detection & Response Analyst, @tfornez talks about using automation with VMRay to get results faster while minimizing the need for manual submission on the @riskybusiness #podcast. https://www.vmray.com/cyber-security-blog/expel-automating-vmray-fast-answers-risky-business-podcast/ …pic.twitter.com/dzbXY17zbB

[Hiring] Are you a great storyteller that captivates the audience? We're looking for you. Apply to be our new Product Marketing Manager and make a monumental impact at VMRay. https://hubs.ly/H0mHln40 pic.twitter.com/Jrg2aEPJEc