

| Known IOCs – Files | Known IOCs – Events | Known IOCs – Logged Processes |
|---|---|---|
| HOW_TO_DECRYPT.txt, typically in directories with encrypted files | System, Security and Application Windows event logs wiped | wevtutil.exe cl system |
| *.key, typically in the root directory, i.e., C:\ or /root | Microsoft Windows Defender AntiSpyware Protection disabled | wevtutil.exe cl security |
| hive.bat | Microsoft Windows Defender AntiVirus Protection disabled | wevtutil.exe cl application |
| shadow.bat | Volume shadow copies deleted | vssadmin.exe delete shadows /all /quiet |
| asq.r77vh0[.]pw – server hosted malicious HTA file | Normal boot process prevented | wmic.exe SHADOWCOPY /nointeractive |
| asq.d6shiiwz[.]pw – server referenced in malicious regsvr32 execution | | wmic.exe shadowcopy delete |
| asq.swhw71un[.]pw – server hosted malicious HTA file | | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures |
| asd.s7610rir[.]pw – server hosted malicious HTA file | | bcdedit.exe /set {default} recoveryenabled no |
| Windows_x64_encrypt.dll | | |
| Windows_x64_encrypt.exe | | |
| Windows_x32_encrypt.dll | | |
| Windows_x32_encrypt.exe | | |
| Linux_encrypt | | |
| Esxi_encrypt | | |
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | External Remote Services | T1133 |
| Initial Access | Exploit Public-Facing Application | T1190 |
| Initial Access | Phishing | T1566.001 |
| Execution | Command and Scripting Interpreter | T1059 |
| Defense Evasion | Indicator Removal on Host | T1070 |
| Defense Evasion | Modify Registry | T1112 |
| Defense Evasion | Impair Defenses | T1562 |
| Exfiltration | Transfer Data to Cloud Account | T1537 |
| Impact | Data Encrypted for Impact | T1486 |
| Impact | Inhibit System Recovery | T1490 |