SKYWATCHSM ALERTS

HELLO RANSOMWARE USES UPDATED CHINA CHOPPER WEB SHELL, SHAREPOINT VULNERABILITY

June 22, 2021
skywatcg-alert-2

In January, appeared a new ransomware using .hello as its extension in one of our cases that possibly arrived via a SharePoint server vulnerability.

This appeared to be a new ransomware family dubbed as the Hello ransomware (aka WickrMe), named after the chat application that was used to contact the cybercriminals responsible.

Previous variants were observed using .hemming and .strike extensions and did not include the cybercriminals’ WickrMe user handles.

In contrast, newer versions of the ransom notes with .hello extensions now have the WickrMe contact information.
The ransomware arrives at a target system via Microsoft SharePoint vulnerability CVE-2019-0604.
To launch a payload, they abuse a Cobalt Strike beacon to launch the ransomware.

SkyWatchSM Alert Legend

  • small-bell

    Warning

  • active-threat0-lt-green

    Active Threat

  • malware-lt-green

    Malware

  • ransome-lt-green

    Ransomware

  • warning-green

    Phishing

  • file-green

    Network/IOT

Glesec Information Sharing Protocol

GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).

  • TLP-White

    Disclosure is Not Limited.

  • TLP-Green

    Limited Disclosure, Restricted Only to the Community.

  • TLP-Amber

    Limited Disclosure, restricted to the Participant's Organization.

  • TLP-Red

    Not for Disclosure, Restricted/ Classified - Only Shared with US DHS.

Discover Glesec.

Authority. Consistency.

Sign-up today for SkywatchSM Alerts.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.