UNIZA Ransomware

UNIZA Ransomware - Researchers recently came across a new ransomware variant called UNIZA.  Like other ransomware variants, it encrypts files on victims’ machines to extort money.

It uses the Command Prompt (cmd.exe) window to display its ransom message, and interestingly, it does not append an extension to the names of the files it encrypts, making it more difficult to determine which files have been impacted.[1]

Infection Vector - Information on the infection vector used by the UNIZA ransomware threat actor is not currently available; however, the likely attack vector is email, as many ransomware variants are distributed that way.

At the time of this research, there is no indication that UNIZA ransomware is widespread.

Ransomware Execution -

Affected platforms: Microsoft Windows

Impacted parties: Microsoft Windows Users

Impact: Encrypts files on the compromised machine and demands ransom for file decryption

Severity level: High

UNIZA ransomware is a typical ransomware that encrypts files on compromised machines and demands a ransom payment for recovering the affected files.

The ransomware targets all directories and files found under %userprofile% and Desktop for file encryption.

Figure 1. UNIZA ransomware encryption code

Figure 1 displays the ransomware encryption code.  Elements of this image are as follows:

  • The green box represents the encryption key
  • The yellow box represents a file size limit
      • Any file smaller than the value gets encrypted
      • Any file equal to or greater than the value gets skipped
  • The red box represents the encryption method used
      • Each byte in the file gets added to a single byte of the rolling key (defined in the green box)
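The scheme described above (a size check, then byte-by-byte addition of a rolling key) is weak enough that a victim with one clean copy of any encrypted file can derive the key and recover the rest. The following Python is an added illustration, not code from the sample or from Fortinet's write-up; the key, the size limit and the assumption that the key simply cycles are constructed placeholders, since the real values appear only in the screenshot.

```python
from itertools import cycle

# Constructed placeholders: the real key (green box) and size limit (yellow box)
# are only visible in the Figure 1 screenshot and are not reproduced here.
SAMPLE_KEY = b"UNIZA-example-key"
SAMPLE_LIMIT = 1_000_000  # bytes; files at or above this size are skipped


def should_encrypt(file_size: int, limit: int = SAMPLE_LIMIT) -> bool:
    """Mirror the size check: smaller than the limit -> encrypted, else skipped."""
    return file_size < limit


def encrypt_bytes(data: bytes, key: bytes) -> bytes:
    """Add each plaintext byte to the next byte of the cycling key (mod 256).
    The file length is unchanged and no extension is added, matching the report."""
    return bytes((p + k) & 0xFF for p, k in zip(data, cycle(key)))


def decrypt_bytes(data: bytes, key: bytes) -> bytes:
    """Undo the additive step by subtracting the same key byte (mod 256)."""
    return bytes((c - k) & 0xFF for c, k in zip(data, cycle(key)))


def recover_key(plain: bytes, cipher: bytes, key_len: int) -> bytes:
    """Known-plaintext key recovery: key[i] = cipher[i] - plain[i] (mod 256).
    Needs a clean copy (e.g. from backup) of any encrypted file that is at
    least key_len bytes long. Assumes the key cycles with period key_len."""
    if len(plain) < key_len or len(cipher) < key_len:
        raise ValueError("need at least key_len bytes of matching plain/cipher")
    return bytes((c - p) & 0xFF for p, c in zip(plain[:key_len], cipher[:key_len]))


if __name__ == "__main__":
    # Constructed sample document standing in for a victim's file.
    original = b"Quarterly report draft - do not distribute.\n" * 4
    encrypted = encrypt_bytes(original, SAMPLE_KEY)
    assert encrypted != original and len(encrypted) == len(original)
    assert decrypt_bytes(encrypted, SAMPLE_KEY) == original
    # One clean backup copy is enough to derive the key for every other file.
    derived = recover_key(original, encrypted, len(SAMPLE_KEY))
    assert derived == SAMPLE_KEY
    print("round-trip and known-plaintext key recovery OK")
```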

Although the ransomware does not append any file extension to the encrypted files, they are indeed encrypted, as shown below:

Figure 2. Text file before being encrypted by the UNIZA ransomware

Figure 3. The text file from Figure 2 after being encrypted by the UNIZA ransomware

Instead of dropping a ransom note, it launches the Command Prompt and the ransom note gradually shows up as if the attacker is remotely typing the message. This may be a scare tactic to make victims believe that the attacker can remotely control their machine.

The ransom message asks victims to contact the attacker via TikTok and demands 20 Euros worth of Bitcoin.  As the ransom fee is relatively low, we believe the UNIZA ransomware threat actor is targeting consumers.

At the time of Fortinet’s research, the attacker’s Bitcoin wallet had not recorded a single transaction, which indicates that no victims had yet paid the ransom.

IOCs

File-based IOCs:

SHA256 | Malware
eefa1271d1a2a937d0baa3f0c7d904941151d6c8f915aed4dd51f10fa5d09b2a | UNIZA ransomware
d9a3f2ad7cfc6989cc4da117d5a4f8097362aad6b91391e89746d68d8d7aa29f | UNIZA ransomware
9092ef0beeef1b147c13da3f3259f4a075f3bfb2414c39f9108395435ac9887c | UNIZA ransomware

Best Practices include Not Paying a Ransom - Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom, partly because payment does not guarantee that files will be recovered. According to a U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities, and making such payments could itself be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via its Internet Crime Complaint Center (IC3).

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

[1] https://www.fortinet.com/blog/threat-research/ransomware-roundup-uniza-coverage/
