Hello, welcome to the Friday, August 7th, 2020 edition of the Sands and with Storms on a stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, where does old ransomware go to die?

It turns out it doesn't die.

It just gets modified.

Xavier ran into a new version of FT code.

FT code first surfaced in 2013

and probably because it's written in PowerShell,

which makes it somewhat easy for an attacker

to grab the old code, modified, and re-release it.

That's probably why we sort of see this particular ransomware coming back over the last few years.

This latest version has some fairly interesting obfuscation techniques up its sleeves. So Xavier walks you through

how to obfuscate this particular sample. For persistence, it uses a scheduled task. Now,

one modification compared to the original code is that it keeps randomizing its extension.

Not only sure why they do that, but maybe they want to delay the detection of the ransomware.

Often just by looking for files with a certain extension, you kind of know what kind that you are infected with ransomware.

Maybe some of the anti-malware tools have sort of picked up on that,

and that's why they are randomizing the extension.

Let me have a little bit of catch-up to do on a couple of things that came up earlier this week.

One story is about Windows Defender and how it monitors

the hosts file. The host file is used for host name resolution. So if you're going to

Google.com, the system will first check the host file if an IP address is listed for that host name. And if not, which is usually the case, it will do its DNS lockup using an external DNS server. So the host file can be used to essentially overwrite the IP addresses for different host names. And that can be used, well, like so many things, either beneficial or maliciously.

...