In January, appeared a new ransomware using .hello as its extension in one of our cases that possibly arrived via a SharePoint server vulnerability.
This appeared to be a new ransomware family dubbed as the Hello ransomware (aka WickrMe), named after the chat application that was used to contact the cybercriminals responsible.
Previous variants were observed using .hemming and .strike extensions and did not include the cybercriminals’ WickrMe user handles.
In contrast, newer versions of the ransom notes with .hello extensions now have the WickrMe contact information.
The ransomware arrives at a target system via Microsoft SharePoint vulnerability CVE-2019-0604.
To launch a payload, they abuse a Cobalt Strike beacon to launch the ransomware.
SkyWatchSM Alert Legend
Glesec Information Sharing Protocol
GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).
Disclosure is Not Limited.
Limited Disclosure, Restricted Only to the Community.
Limited Disclosure, restricted to the Participant's Organization.
Not for Disclosure, Restricted/ Classified - Only Shared with US DHS.