EXISC Ransomware Targets Corporations and Businesses


During our investigation of new submissions on the VirusTotal site, we came across a ransomware program called EXISC. Its primary purpose is to encrypt data and demand payment in exchange for decrypting it.

Upon executing a sample of EXISC on our testing system, we observed that it successfully encrypted files and appended a ".EXISC" extension to their original filenames. For instance, a file named "1.jpg" would be transformed into "1.jpg.EXISC," while "2.png" would become "2.png.EXISC," and so on.

Following the encryption process, EXISC generated a ransom note titled "Please Contact Us To Restore.txt." From the content of this message, it became apparent that the ransomware primarily targets large organizations rather than individual home users.

The ransom note tells the victim that their company's network has been compromised and spells out the damage: files have been encrypted, and sensitive or confidential data has been stolen.

According to the note, the victim must pay a ransom both to regain access to their files and to prevent the exfiltrated data from being leaked, the double-extortion model that has become standard among groups targeting businesses. The amount is not specified, but payment must be made in either Bitcoin or Monero.

The note also offers to decrypt a small number of files the victim sends in, as proof that recovery is actually possible.
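The two on-disk indicators described above (the appended ".EXISC" extension and the "Please Contact Us To Restore.txt" note) are enough for a first-pass triage of an affected share or disk image. The following sweep is an added example written for this page, not code from the original article or from any vendor tool; the sample file listing, the helper names and the case-insensitive matching are assumptions made for illustration.

```python
"""Triage sweep for the EXISC on-disk indicators described in the write-up.

Added example; it is not code from the original article or from any vendor
tool. It relies on the two artefacts the article reports: the ".EXISC"
extension appended to encrypted files (so "1.jpg" becomes "1.jpg.EXISC") and
the ransom note "Please Contact Us To Restore.txt". The sample file listing
and the helper names are constructed for illustration.
"""
import os
from dataclasses import dataclass, field

EXISC_EXTENSION = ".EXISC"
EXISC_NOTE_NAME = "Please Contact Us To Restore.txt"


@dataclass
class TriageResult:
    encrypted: list = field(default_factory=list)  # (encrypted path, inferred original path)
    notes: list = field(default_factory=list)      # where ransom notes were dropped
    other: int = 0                                 # files matching neither indicator

    @property
    def hit(self) -> bool:
        return bool(self.encrypted) or bool(self.notes)


def _basename(path: str) -> str:
    # Accept both Windows and POSIX separators so listings exported from an
    # affected Windows host can be processed on a Linux analysis box.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def original_name(path: str):
    """Return the pre-encryption name, or None if the file is not an EXISC artefact.

    EXISC appends its extension after the original one rather than replacing it,
    so stripping the suffix is enough; no extension mapping is required.
    NTFS names are case-insensitive, hence the lower() comparison (assumption).
    """
    if path.lower().endswith(EXISC_EXTENSION.lower()):
        return path[: -len(EXISC_EXTENSION)]
    return None


def triage_paths(paths) -> TriageResult:
    """Classify a list of file paths into encrypted files, ransom notes and noise."""
    result = TriageResult()
    for p in paths:
        if _basename(p).lower() == EXISC_NOTE_NAME.lower():
            result.notes.append(p)
        elif (orig := original_name(p)) is not None:
            result.encrypted.append((p, orig))
        else:
            result.other += 1
    return result


def triage_tree(root: str) -> TriageResult:
    """Walk a real directory, e.g. a mounted image of an affected share."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage_paths(paths)


# Constructed sample listing (not taken from the analysed sample).
SAMPLE_LISTING = [
    r"C:\Users\finance\Documents\1.jpg.EXISC",
    r"C:\Users\finance\Documents\2.png.EXISC",
    r"C:\Users\finance\Documents\Please Contact Us To Restore.txt",
    r"C:\Users\finance\Documents\notes.txt",
    r"D:\shares\hr\payroll.xlsx.EXISC",
    r"D:\shares\hr\Please Contact Us To Restore.txt",
]

if __name__ == "__main__":
    r = triage_paths(SAMPLE_LISTING)
    print(f"encrypted={len(r.encrypted)} notes={len(r.notes)} other={r.other} hit={r.hit}")
    for enc, orig in r.encrypted:
        print(f"  {enc} -> {orig}")
```

Run `triage_tree()` against a read-only mount of the affected volume rather than the live host, and treat the inferred original names as a recovery inventory for restoring from backup: stripping the suffix does not decrypt anything, and renaming files in place would only destroy evidence of which files were touched.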

EXISC Ransom Note Expects Contact Through Tox

The full text of the EXISC ransom note reads as follows:

Hello, your company's computer is encrypted by me, and the database and data are downloaded. If you do not want me to disclose these materials, you must pay me a ransom. After receiving the ransom, I will delete all downloaded files and help you decrypt your computer, otherwise If we do, we will disclose these materials and your company will face unprecedented repercussions.

We only work for money and do not destroy your network, and we are very honest. After receiving the ransom, we will also provide you with information about the vulnerability of your system to help you fix the vulnerability to avoid re-attacks.

If you doubt our ability to decrypt files, you can send me some encrypted files and I will decrypt them to prove it.

Please pay the ransom in Bitcoin or Monero.

Please use TOX to contact me or email me.

Email:HonestEcoZ@dnmx.org

TOX ID:(alphanumeric string)
TOX Download:hxxps://tox.chat/download.html

What Are the Most Common Infection Vectors for Ransomware Like EXISC?

Ransomware like EXISC employs various infection vectors to infiltrate systems and networks. The following are some of the most common infection vectors utilized by ransomware:

  • Phishing Emails: Phishing emails remain a prevalent method for distributing ransomware. Cybercriminals craft convincing emails that appear legitimate, often impersonating trusted entities or individuals. These emails contain malicious attachments or embedded links that, when clicked or opened, initiate the ransomware infection process.
  • Malicious Downloads and Attachments: Ransomware can be downloaded inadvertently from malicious websites or through infected file attachments. This may occur when users visit compromised websites or open email attachments that contain executable files, macros, or script-based payloads.
  • Exploit Kits: Exploit kits are malicious tools that take advantage of software vulnerabilities present in web browsers, plugins, or operating systems. By exploiting these vulnerabilities, ransomware can be silently delivered to a victim's system when they visit a compromised website or click on a malicious advertisement.
  • Remote Desktop Protocol (RDP) Attacks: Ransomware operators often target systems with exposed or weakly secured Remote Desktop Protocol connections. They brute-force passwords or reuse stolen credentials to gain unauthorized access, then deploy the ransomware by hand, which is why repeated failed RDP logons followed by a success from the same address deserve immediate attention.
  • Software Vulnerabilities: Ransomware can exploit unpatched or outdated software vulnerabilities to infiltrate systems. This includes vulnerabilities in operating systems, applications, or network services, which allow the ransomware to gain unauthorized access and execute its payload.
  • Malvertising: Malicious advertisements, or malvertisements, can be found on legitimate websites or ad networks. These advertisements contain hidden scripts that redirect users to malicious websites hosting ransomware or trigger automatic downloads of the ransomware payload.
  • Drive-by Downloads: Drive-by downloads occur when ransomware is automatically downloaded without the user's consent or interaction, typically from compromised websites. These websites contain malicious code that exploits vulnerabilities in the user's web browser or plugins, allowing the ransomware to be delivered silently.
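Of the vectors above, the RDP brute-force pattern is the one most readily caught in host logs before encryption starts. The detection below is an added example written for this page, not code from the original article. It uses standard Windows Security log semantics (event 4625 is a failed logon, 4624 a successful one, and Logon Type 10 marks RemoteInteractive, i.e. RDP, sessions); the compact key=value record format, the sample events, the source addresses and the thresholds are constructed for illustration.

```python
"""Detection for the RDP brute-force vector listed above.

Added example; it is not code from the original article. It applies the
standard Windows Security log semantics: event 4625 is a failed logon, 4624 a
successful one, and Logon Type 10 (RemoteInteractive) marks RDP sessions. The
compact key=value record format, the sample events and the thresholds are
constructed for illustration; in practice the same fields would be read from
exported EVTX records or a SIEM.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value ...' record into typed fields."""
    fields = dict(part.split("=", 1) for part in line.split())
    return {
        "time": datetime.strptime(fields["time"], "%Y-%m-%dT%H:%M:%S"),
        "event_id": int(fields["event_id"]),
        "logon_type": int(fields["logon_type"]),
        "src": fields["src"],
        "user": fields["user"],
    }


def detect_rdp_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=2)):
    """Flag a source once it produces `threshold` RDP logon failures within
    `window`, and raise a higher-priority alert if that source then logs on
    successfully over RDP: the pattern that precedes hands-on deployment."""
    recent_failures = defaultdict(deque)  # src -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for ev in sorted((parse_event(line) for line in lines), key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # network/service logons are out of scope for this rule
        q = recent_failures[ev["src"]]
        if ev["event_id"] == EVENT_LOGON_FAILED:
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:
                q.popleft()  # slide the window forward
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"kind": "rdp_bruteforce", "src": ev["src"],
                               "failures": len(q), "time": ev["time"]})
        elif ev["event_id"] == EVENT_LOGON_SUCCESS and ev["src"] in flagged:
            alerts.append({"kind": "rdp_success_after_bruteforce", "src": ev["src"],
                           "user": ev["user"], "time": ev["time"]})
    return alerts


# Constructed sample: a password spray from one address ending in a successful
# administrator logon, plus a legitimate user who mistyped a password once.
SAMPLE_EVENTS = [
    "time=2023-05-29T02:14:01 event_id=4625 logon_type=10 src=203.0.113.45 user=admin",
    "time=2023-05-29T02:14:03 event_id=4625 logon_type=10 src=203.0.113.45 user=administrator",
    "time=2023-05-29T02:14:04 event_id=4625 logon_type=10 src=203.0.113.45 user=backup",
    "time=2023-05-29T02:14:06 event_id=4625 logon_type=10 src=203.0.113.45 user=sqlsvc",
    "time=2023-05-29T02:14:08 event_id=4625 logon_type=10 src=203.0.113.45 user=it",
    "time=2023-05-29T02:14:09 event_id=4625 logon_type=10 src=203.0.113.45 user=administrator",
    "time=2023-05-29T02:14:11 event_id=4624 logon_type=10 src=203.0.113.45 user=administrator",
    "time=2023-05-29T08:59:40 event_id=4625 logon_type=10 src=192.0.2.10 user=jdoe",
    "time=2023-05-29T08:59:55 event_id=4624 logon_type=10 src=192.0.2.10 user=jdoe",
    "time=2023-05-29T09:00:12 event_id=4624 logon_type=3 src=192.0.2.77 user=svc_backup",
]

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The "success after brute force" alert is the one to page on: at that point an operator has an interactive session and the remaining time before encryption is measured in minutes to hours. Tune `threshold` and `window` to your environment, and keep the rule scoped to Logon Type 10 so that noisy service-account failures over the network do not drown out RDP activity.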
May 29, 2023