All Your Files Have Been Encrypted By Bright Night Ransomware

Another Bright Night Ransomware attack?

Bright Night Ransomware caught up in action

We would like to inform you that at least one of our Deception Devices has recently detected a new variant of the Bright Night Ransomware wave.

As of today, this malware variant can be distributed completely undetected by the traditional antivirus running in organizations and corporations. When the payload is executed on an endpoint, local and network-share files are immediately encrypted, which means the files are no longer accessible.

Why do we think it is especially dangerous?
The MD5 hash / SHA1 signature of the payload suggests that, instead of being a CryptoLocker ransomware application, the file is marked 'Distributed by Microsoft', completely trusted, and operating as a system process, running undetected by any antivirus out there.

You can check the VirusTotal results by following this link

It is likely that the MD5 hash / SHA1 signature has been counterfeited or spoofed (collision attack), and this is why this zero-day malware can have potentially catastrophic results for victims out there.
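As an added example (not code from the original post), a small Python scanner that hashes files with MD5, SHA-1 and SHA-256 and rates a match by which digest hit: a SHA-256 match against the hash in the VirusTotal link on this page counts as confirmed, while a match on MD5 or SHA-1 alone, which the post warns can be spoofed by collision, is only rated suspicious. The indicator set and the sample files are constructed for the demo.

```python
import hashlib
import os
import tempfile

# SHA-256 of the Bright Night sample, taken from the VirusTotal link in this post.
BRIGHT_NIGHT_SHA256 = "e5f980c96792299f370297144034e3a57bce500a723faf99ffaa031696c025a0"

def digests(path):
    """MD5, SHA-1 and SHA-256 of a file, computed in one streaming pass."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}

def classify(d, indicators):
    """Rate a file's digests against an indicator set keyed by algorithm.
    confirmed  : SHA-256 matches (no practical collisions, safe to act on)
    suspicious : only MD5 or SHA-1 matches (both have practical collision
                 attacks, so corroborate with a sandbox run before acting)
    clean      : nothing matches"""
    if d["sha256"] in indicators.get("sha256", set()):
        return "confirmed"
    if d["md5"] in indicators.get("md5", set()) or d["sha1"] in indicators.get("sha1", set()):
        return "suspicious"
    return "clean"

def scan_dir(root, indicators):
    """Return {path: verdict} for every regular file under root."""
    verdicts = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            verdicts[p] = classify(digests(p), indicators)
    return verdicts

def demo():
    """Constructed demo: two throwaway files. a.bin is matched only by an MD5 we
    add to the indicator set ourselves, so it rates suspicious, not confirmed."""
    tmp = tempfile.mkdtemp()
    a, b = os.path.join(tmp, "a.bin"), os.path.join(tmp, "b.bin")
    with open(a, "wb") as f:
        f.write(b"constructed sample A")
    with open(b, "wb") as f:
        f.write(b"constructed sample B")
    indicators = {"sha256": {BRIGHT_NIGHT_SHA256}, "md5": {digests(a)["md5"]}}
    return {os.path.basename(p): v for p, v in scan_dir(tmp, indicators).items()}
```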

We’d love to hear from malware researchers and ransomware teams fighting this type of attack. One of our Deception Strike devices detected this attack last night, and we have gathered a lot of threat intelligence around it (entry vector, payload, source IP addresses of the attacker, etc.).

The possibility of reverse engineering the process and identifying the encryption key used is real; if you or your team have experience with this, let us know!

Conversely, if you are a victim of this new ransomware variant, do not pay the ransom; we might be able to help you.

Visit and bookmark this link https://lnkd.in/ewf6wTjc, as further analysis will be conducted and shared, and I hope we can help.

Very, very nasty stuff is happening out there. If you are an information security professional, do yourself a favor and check whether last night's backup is healthy or not!

Stay safe, stay informed!


All Your Files Have Been Encrypted By Bright Night! Another Knock Knock crypto locker attack?

What can we research further?

The straightforward answer is to execute it in a safe malware lab that mimics your organization:

Let's say your company uses a Microsoft environment (Windows 10, Windows 11) running Microsoft Defender for Endpoint.

Running this malware on one computer that is completely isolated will show what Microsoft Defender can or cannot do. It will likely be picked up by behaviour-based engines such as EDR (Endpoint Detection and Response).

More to come...

https://www.virustotal.com/gui/file/e5f980c96792299f370297144034e3a57bce500a723faf99ffaa031696c025a0/detection/f-e5f980c96792299f370297144034e3a57bce500a723faf99ffaa031696c025a0-1674244914

Another Knock Knock ransomware crypto locker attack?

Bright Night

We’ve seen it many times

Another Zero-day ransomware detected by Deception Strike

The file isn't detected by any antivirus out there in the market.

The result is always the same

!!!All of your files are encrypted!!!

Your System Key

General steps to follow in case of ransomware

Ransomware attacks can be extremely disruptive and can cause significant financial and reputational damage to businesses. Here are some best practices to follow in case of a ransomware attack:

  1. Isolate the infected systems: As soon as you detect the ransomware attack, disconnect the infected system(s) from the network to prevent the malware from spreading to other systems.

  2. Identify the ransomware variant: Identify the type of ransomware variant that has infected your system. This will help you determine if there are any known methods to decrypt your files.

  3. Notify law enforcement: Contact law enforcement, such as the FBI, to report the ransomware attack. This can help to track down the attackers and prevent future attacks.

  4. Back up your data: If you have backups of your data, make sure they are not infected and restore them once the infected systems have been cleaned.

  5. Do not pay the ransom: While paying the ransom may seem like an easy way out, it can encourage attackers to continue their attacks and there is no guarantee that you will get your data back.

  6. Consult with experts: Consult with IT security experts or a reputable cybersecurity firm to help you recover from the attack and prevent future incidents.

  7. Educate employees: Educate your employees about the risks of ransomware attacks and how to identify and avoid phishing emails and other common attack vectors.

  8. Implement security best practices: Implement security best practices such as using strong passwords, multi-factor authentication, and regularly patching and updating software to help prevent future attacks.

This time, however, it can be different

Bright Night caught in action

Deception Strike has seen and caught this ransomware payload in action, and all we need to do is run a reverse-engineering session on the payload.

[Update 2nd of May 2023] – Opening the page for replies.

We can share the encryptor file we captured during the attack, but this file needs to be analyzed and reverse engineered to obtain more details. It is a good file to run in a sandboxed environment, though. Let us know if you need the file.

If you are a victim, contact us

If you are a victim of this crypto locker, contact us!

Our Threat Intelligence Platform captured this attack and our Threat Detection Service might be able to recover your files.

Contact Us