[ALERT] ADVISORY ON HELLO (WICKRME) RANSOMWARE

BACKGROUND

A brand new ransomware variant called .hello ransomware or WickrMe Ransomware uses a Microsoft SharePoint 2019 vulnerability (CVE-2019-0604) to enter the victims’ network. From there, the threat actor leverages Cobalt Strike to pivot to the domain controller and launch ransomware attacks.

.hello (WickrMe) ransomware encrypts files and appends the ".hello" extension. For example, it renames a file named "1.jpg" to "1.jpg.hello", "2.jpg" to "2.jpg.hello", etc.

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

 

IMPACT

  • All files are encrypted and cannot be accessed or opened.
  • Additional password-stealing trojans and malware infections can be installed together with a ransomware infection.

 

RECOMMENDATIONS

  • Always have files backed up and store them on a remote server or unplugged storage device (or both of them).
  • Do not back up files to the same hard disk that Windows is installed on. For example, do not back up files to a recovery partition.
  • Always store media used for backups (external hard disks, DVDs, or CDs) in a secure place to prevent unauthorized people from having access to your files; a fireproof location separate from your computer is recommended.
  • Consider encrypting the data on your backup.
  • Attachments and/or links in irrelevant emails that were received from suspicious, unknown addresses should not be opened.
  • Operating system, software and antivirus should be updated frequently from the official website.
  • Provide security awareness training to all employees and end users on how to identify phishing emails.