[MART] - Daily Diary #311 - Meet Phoenix Locker

CTAS-MAT ctas-mat at appgate.com
Fri Jul 23 22:37:39 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

07/23/2021 - Diary entry #311

Phoenix CryptoLocker is a new ransomware strain. First spotted on March this year, it was responsible for the attack on the insurance giant CNA. Recent reports revealed that the initial infection vector was a false browser update executable. After infecting the company, the attackers used MEGAsync to exfiltrate files into a Mega NZ Limited account controlled by them.

In late 2019, the US sanctioned two Russian citizens, accusing them to be part of the Evil Corp. Evil corp (not to be confused with REvil Corp) is responsible for Dridex, covered in our Daily Diary #114, WastedLocker, covered in our Daily Diary #63, and many other malware strains.

Since then, most ransomware negotiations firms are no longer facilitating WastedLocker ransom payments to avoid facing fines. Evil Corp already tried to bypass this launching a ransomware named "Hades", but this turned out to be just a rebranded WastedLocker. Phoenix Locker also shares code similarity with Wasted Locker, so some sources believe it could be a new strain from Evil Corp, in a strategy to receive ransom payments again.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/mart/attachments/20210723/b85da4dd/attachment.html>

More information about the MART mailing list