2. Kill Antivirus Process
After uploading the hacking kit to a compromised host, the hacker attempts to kill the antivirus process using the process management tool ProcessHacker.
3. Perform Scanning
The hacker then uses the scanners KPortScan, NASP and NetworkShare to scan LAN hosts and find more vulnerable targets.
4. Password Dump
The hacker uses Mimikatz to dump the host's login passwords and WebBrowserPassView to retrieve passwords stored by the browser. Since different users may share the same login password, the hacker can use the stolen passwords to log on to other hosts.
5. Perform Brute-force Attack
The hacker uses DUBrute to perform an RDP brute-force attack against LAN hosts.
6. Run Ransomware
The HW kit contains the ransomware executable HW.5.0.2.exe and an HW.txt file that stores the PowerShell command used for fileless ransomware execution. The hacker can either run the ransomware executable or execute the PowerShell command to encrypt the host.
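The advisory says the kit carries a PowerShell command for fileless ransom but does not show the command itself, so the defensive check a host team would want is a triage of PowerShell process launches for the usual fileless hallmarks. The script below is an added example, not Sangfor's detection logic or anything taken from the HW sample: the indicators it looks for (encoded command, hidden window, execution-policy bypass, no profile, non-interactive, Invoke-Expression) are general heuristics for fileless PowerShell that I assume here, and the process-creation command lines it runs over are constructed (Sysmon Event ID 1 / Security 4688 style), with a harmless placeholder as the encoded payload.

```python
"""Triage PowerShell process launches for fileless-execution hallmarks.

Added example (not Sangfor's tooling): the indicators below are general
fileless-PowerShell heuristics assumed for illustration, not signatures of HW.
Input records are constructed to resemble process-creation log command lines."""
import base64
import re

# Hallmarks of fileless PowerShell use; each is an assumed heuristic, not page content.
PATTERNS = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("execution policy bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    ("no profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("non-interactive", re.compile(r"-noni(?:nteractive)?\b", re.I)),
    ("invoke-expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
]
# -EncodedCommand and its abbreviations, followed by a base64 blob (UTF-16LE script).
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Score one command line; the decoded script is surfaced so an analyst can read it."""
    indicators = [name for name, rx in PATTERNS if rx.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        indicators.append("encoded command")
    return {
        "command_line": cmdline,
        "indicators": indicators,
        "decoded_command": decoded,
        "score": len(indicators),
    }


def triage(cmdlines, min_score=2):
    """Return the analyses that reach min_score, highest score first."""
    hits = [a for a in (analyze(c) for c in cmdlines) if a["score"] >= min_score]
    return sorted(hits, key=lambda a: a["score"], reverse=True)


# Constructed samples: one suspicious launch whose payload is a harmless placeholder,
# and two benign administrative launches that should score zero.
PLACEHOLDER_SCRIPT = "Write-Output 'constructed placeholder'"
ENCODED = base64.b64encode(PLACEHOLDER_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED}",
    "powershell.exe -File C:\\Scripts\\nightly-backup.ps1",
    "powershell.exe -Command \"Get-Service | Where-Object Status -eq 'Stopped'\"",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_COMMAND_LINES):
        print(hit["score"], hit["indicators"])
        if hit["decoded_command"]:
            print("  decoded:", hit["decoded_command"])
```

The score threshold of two keeps a lone `-NoProfile` from an admin script out of the queue while still surfacing the launch pattern an analyst should read; decoding the UTF-16LE payload matters because the encoded blob, not the wrapper, is what actually does the damage.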
The attack procedure is as follows:
Perform process traversal and kill the following processes:
At the time of writing, there is no decryption tool for victims; infected hosts can be quarantined or disconnected from the network. Sangfor recommends that you perform a virus scan and set up protections as soon as possible.
1. Sangfor offers customers and users free anti-malware software to scan for and remove the ransomware virus. Simply download it from:
2. Sangfor NGAF is capable of detecting this ransomware virus.
1. Fix the vulnerability by installing the corresponding patch on the host.
2. Back up critical data files regularly to other hosts or storage devices.
3. Do not click on any email attachment from unknown sources and do not download any software from untrusted websites.
4. Disable unnecessary file sharing.
5. Strengthen computer passwords and avoid using the same password on multiple computers. If one computer is compromised, all other computers that share its password may also be compromised.
6. Earlier GandCrab ransomware variants sometimes spread over RDP. Disable RDP if it is not needed for your business. When a computer is attacked, use Sangfor NGAF or EDR to block port 3389 and other ports to stop the ransomware from spreading.
7. Sangfor NGAF can prevent brute-force attacks. Turn on brute-force attack prevention on NGAF and enable rules 11080051, 11080027 and 11080016.
8. For Sangfor NGAF customers, update NGAF to version 8.0.5 and enable antivirus Engine Zero. For customers using Sangfor NGAF versions earlier than 8.0.5, update your antivirus database to 20181017.
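Step 5 of the attack procedure (DUBrute brute-forcing RDP across the LAN) and recommendations 6 and 7 (blocking 3389, NGAF brute-force prevention) are the network-side view; the host-side view is Windows Security events 4625 (failed logon) and 4624 (successful logon) with LogonType 10, which is RemoteInteractive, i.e. RDP. The script below is an added example, not NGAF or EDR logic: it flags a source that accumulates a burst of RDP failures inside a short window and then correlates any later successful RDP logon from that source, which is the moment a guessed password turns into a foothold for lateral movement. The threshold, the window and the event records are all constructed.

```python
"""Spot an RDP brute-force run followed by a successful logon from the same source.

Added example (not Sangfor NGAF/EDR logic). Events are constructed in the shape of
Windows Security 4625/4624 records; only the fields used here are modelled."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # this many failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)  # ... within this window count as brute force (assumed values)
RDP_LOGON_TYPE = 10            # LogonType 10 = RemoteInteractive (RDP)


def _by_time(events):
    # ISO 8601 timestamps of equal precision sort correctly as strings.
    return sorted(events, key=lambda e: e["time"])


def find_bruteforce_sources(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: ISO time of the failure that crossed the threshold}."""
    failures = defaultdict(list)
    for e in _by_time(events):
        if e["id"] == 4625 and e["logon_type"] == RDP_LOGON_TYPE:
            failures[e["src"]].append(datetime.fromisoformat(e["time"]))
    flagged = {}
    for src, times in failures.items():
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = times[end].isoformat()
                break
    return flagged


def find_successful_followups(events, flagged):
    """4624/LogonType 10 from a flagged source at or after its burst: a likely
    compromised account that the attacker can now reuse on other hosts."""
    hits = []
    for e in _by_time(events):
        if (e["id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE
                and e["src"] in flagged and e["time"] >= flagged[e["src"]]):
            hits.append({"src": e["src"], "user": e["user"], "time": e["time"]})
    return hits


def triage(events):
    """Both signals together; the second list is what should page someone."""
    flagged = find_bruteforce_sources(events)
    return {"bruteforce_sources": flagged,
            "compromised_logons": find_successful_followups(events, flagged)}


# Constructed sample: six failures in under a minute from 10.0.0.25 followed by a
# success as "backup"; 10.0.0.40 is a user mistyping a password twice, then succeeding.
SAMPLE_EVENTS = [
    {"time": "2018-10-20T02:00:00", "id": 4625, "logon_type": 10, "src": "10.0.0.25", "user": "administrator"},
    {"time": "2018-10-20T02:00:10", "id": 4625, "logon_type": 10, "src": "10.0.0.25", "user": "admin"},
    {"time": "2018-10-20T02:00:20", "id": 4625, "logon_type": 10, "src": "10.0.0.25", "user": "backup"},
    {"time": "2018-10-20T02:00:30", "id": 4625, "logon_type": 10, "src": "10.0.0.25", "user": "sql"},
    {"time": "2018-10-20T02:00:40", "id": 4625, "logon_type": 10, "src": "10.0.0.25", "user": "backup"},
    {"time": "2018-10-20T02:00:50", "id": 4625, "logon_type": 10, "src": "10.0.0.25", "user": "backup"},
    {"time": "2018-10-20T02:01:05", "id": 4624, "logon_type": 10, "src": "10.0.0.25", "user": "backup"},
    {"time": "2018-10-20T02:03:00", "id": 4625, "logon_type": 10, "src": "10.0.0.40", "user": "jsmith"},
    {"time": "2018-10-20T02:03:20", "id": 4625, "logon_type": 10, "src": "10.0.0.40", "user": "jsmith"},
    {"time": "2018-10-20T02:03:40", "id": 4624, "logon_type": 10, "src": "10.0.0.40", "user": "jsmith"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print("brute-force sources:", result["bruteforce_sources"])
    for hit in result["compromised_logons"]:
        print("successful RDP logon after burst:", hit)
```

Filtering on LogonType 10 is what keeps ordinary console and service logons out of the count; without it a noisy service account on the same source would trip the threshold. The follow-up match is also the reason recommendation 5 (no shared passwords) matters: the account that finally succeeds here is the one the hacker will try next on every other host.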