Hello, welcome to the Monday, June 27, 2016 edition of the Santonet Storms and Stormcast.

My name is Johannes Ulrich and the day I'm recording from Salt Lake City, Utah.

Fishmi is reporting about a new ransomware strain.

The ransomware which calls itself Bard appears to take some at least optical cues from

Locky.

The ransom page looks somewhere, but in a major change from other ransomware, this one doesn't

use a command control channel to actually register exploited hosts and then also retrieve

encryption keys. Instead, whatever keys being used is derived locally. In addition, it does

not sort of implement its own file encryption like other encryption tools. Instead, it just uses

encrypted zip files to encrypt the data.

The ransomware is delivered by the Rockloader, downloader, and the Malver itself is initially

encrypted using a simple XOR key. So when the Malver is downloaded by Rockloader, it's not immediately obvious

that this is a Windows executable. You first have to XOR it with this key in order to actually

discover it as being executable, which may attempt here to bypass some network detection of Ransware or Mather in general.

Fishmi made available a Python script to decode the Ransver executable,

but at this point I don't see a complete analysis of BART.

It would be nice to learn more about how the

encryption keys being derived because, well, if there's no external influence really for

this particular sample, like no command control channel, then it's very possible that a victim

could derive the same key and then decrypt the files.

Rapid 7 announced critical vulnerability in the code generation tool Swagger. Swagger automatically

creates code in various languages that allows applications to interact with rest services.

...