Hello and welcome to the Thursday, November 10th, 2020 edition of the Science and Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Not all, ransomware is super sophisticated Xavier ran into a ransomware sample that actually does just with Visual Basic for Application and PowerShell.

Now, the Visual Basic for Application script is just used to create the PowerShell script, and well, then it goes and encrypts more details in the diary that Xavier published,

but just in short, it uses Ncrock.io, the cloud service that's used sort of to test APIs

as a command control server, which really means that all requests are being forwarded to another

server that of course we don't know about. Also, this particular command control server, as well

as the Onion site mentioned in the ransomware node, are no longer available. It does exfiltrate the key directly via NGROC,

so that's sort of how it manages keys,

and then it also has an interesting kind of quirk in

that it does not run on a system

that has a directory called Oracle Kit.

This may just be to sort of prevent multiple infections of the same system.

Now, since it's so simple, it doesn't expeliorate any data.

However, it claims it does so.

And of course, that's also often happening with sort of the lower end ransom

where it makes claims that are just not true.

In some cases, actually, even where it claims that the files are encrypted, even though

they're not actually encrypted, but just renamed.

Now, in this case, your files are encrypted, and also any backups, shadow copies,

and such are deleted as well. And Apple today released two surprise updates, not that they

...