Trending

ee-track">
Link copied!

ColdLock Ransomware Hits Taiwanese Organizations

On one side where the organizations are striving hard from recovering from the ongoing COVID-19 phase, on the other side they are struggling to cope up with their security measures for defending themselves from the…

May 12, 2020 · 3 min read

On one side where the organizations are striving hard from recovering from the ongoing COVID-19 phase, on the other side they are struggling to cope up with their security measures for defending themselves from the various types of cyberattacks. Recently, a new targeted cyberattack has infected several organizations in Taiwan with a new ransomware family, which has been named as ColdLock. Recently, Cyble’s researchers detected a big mining company also falling as a victim of this ransomware family. According to the security researchers, this ransomware-type mainly targets databases and email servers for encryption. Along with that, the security researchers seem to find similarities between ColdLock and previously discovered ransomware variants such as Lockergoga, Freezing, and EDA2.

As per the information gathered it indicates that this ransomware started to strike organizations based in Taiwan from the starting of May 2020. To execute this attack cybercriminals infuse the ransomware payload as a .NET executable (as a .DLL file), which is packed/protected using the ConfuserEx packer. It uses PowerShell reflective loading of .NET executables to run the .DLL file. To verify if the ransomware file is running, the hacker runs two checks on it. Firstly, the hacker checks for the presence of %System Root%ProgramDatareadme.tmp, which is used by the ransom note. This check prevents a system from being reinfected by the same threat. Secondly, the hacker would check the system clock. It will only run at or later than 12:10 PM on any given day; if it is earlier, it will sleep for 15 seconds until it is past the said time. Just to ensure the cyberattack to launch successfully, before encrypting the files ColdLock performs certain preliminary routines to terminate multiple services on the system which might be preventing file access. Along with that, the ransomware also takes note of the Windows version running on the system. For instance, if it is running windows 10 then it carries out several windows 10-specific routines such as disabling the windows defender, the push notifications, and the ability to send the malware samples further to Microsoft.

How to remove ColdLock Ransomware and decrypt .locked files ...

Original Text of ColdLock Ransomware Note Displayed on the Affected System

This ransomware-type has connections to multiple other ransomware families such as its code share similarities with the open-source EDA2 ransomware kit, and it shares a similar method of propagation with networks, reflective injection methods, and internal module architecture. As stated, before that this ransomware has only affected organizations based in Taiwan, but it is seen as fast-spreading and malicious ransomware by our security researchers. It is advised that the organizations should ensure that their security measures are all up to date and efficient in preventing the organization from being cyber struck.

About Cyble:

Cyble Inc.’s mission is to provide organizations with a real-time view of their supply chain cyber threats and risks. Their SaaS-based solution powered by machine learning and human analysis provides organizations’ insights to cyber threats introduced by suppliers and enables them to respond to them faster and more efficiently.

Cyble strives to be a reliable partner/facilitator to its clients allowing them with unprecedented security scoring of suppliers through cyber intelligence sourced from open and closed channels such as OSINT, the dark web and deep web monitoring and passive scanning of internet presence. Furthermore, the intelligence clubbed with machine learning capabilities fused with human analysis also allows clients to gain real-time cyber threat intel and help build better and stronger resilience to cyber breaches and hacks. Due to the nature of the collected data, the company also offer threat intelligence capabilities out-of-box to their subscribers.

AI Threat Intelligence

Stop Executive Threats
Before They Strike

Monitor dark web chatter, detect lookalike domains, and protect your C-suite from targeted impersonation — in real time, across 50+ countries.

Scroll to Top

Book your session

Request a Personalized Demo

See how Cyble's threat intelligence protects your organization. A specialist will reach out within one business day.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams

Download the brochure

Get the Cyble Vision Brochure

Explore how Cyble Vision delivers AI-powered threat intelligence across your attack surface. Fill in your details to access the brochure.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams