Use Cases – X-PHY (https://x-phy.com), feed updated Tue, 25 Nov 2025 10:23:09 +0000

Medusa Ransomware Prevention with X-PHY
https://x-phy.com/x-phy-solution-medusa-ransomware/
Thu, 25 Sep 2025 14:13:17 +0000

Medusa is a Ransomware-as-a-Service (RaaS) operation that has been active since June 2021, impacting over 300 victims by March 2025. The RaaS model allows the developers to “lease out” ransomware tools to affiliates, who then launch attacks in exchange for a percentage of the ransom paid. When it was first reported in 2021, Medusa was run by a centralized developer team, but over time, it evolved into a hybrid model, where affiliates carried out attacks, with developers managing core operations, such as ransom negotiations.

Unlike ransomware that simply encrypts data and demands payment, the group operates under a double-extortion model: in addition to encrypting data and demanding a ransom, it threatens to publish exfiltrated data if payment is not made. The threat is backed by a public leak site called Medusa Blog, where the group shames non-paying victims by releasing stolen files.

Medusa Blog
Medusa Ransomware Attack Lifecycle

I. Initial Access

Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces. The affiliates are offered a percentage of the ransom paid on successful attacks with the opportunity to work exclusively for Medusa. Medusa affiliates are known to utilize phishing campaigns and the exploitation of unpatched software vulnerabilities to gain initial access into the targeted organizations’ networks.

Phishing Campaigns
The phishing campaign run by the affiliates is meant to steal credentials or trick users into executing malicious payloads. They achieve this by sending deceptive emails tailored to lure unsuspecting users by impersonating trusted parties such as IT departments or HR. The emails either contain malicious attachments, prompt users to enter login credentials, or trick them into running scripts. A successful phishing campaign is marked by the adversaries gaining access to critical credentials and establishing an initial foothold when the victim executes malware. Once access is achieved, Medusa affiliates quickly escalate privileges and move laterally.

Exploitation of Unpatched Vulnerabilities
Another common technique used by Medusa affiliates to gain initial access is the exploitation of unpatched vulnerabilities in public-facing applications, such as web apps, VPNs, and remote management tools. IABs favor this technique because it is silent and, unlike phishing, does not require user interaction. Since they specialize in exploiting such vulnerabilities, they also have access to sophisticated tools such as Metasploit that simplify exploitation. Common Vulnerabilities and Exposures (CVEs) exploited by the Medusa group include CVE-2024-1709 and CVE-2023-48788. The group exploited CVE-2024-1709, the ScreenConnect authentication bypass vulnerability, shortly after its disclosure in early 2024, gaining full remote access to target systems.

II. Discovery and Enumeration

Once inside the network, the Medusa group takes time to study the environment, learning everything it can. The attackers use this phase to identify high-value targets, map out the network structure, and look for paths to escalate access or spread laterally. This helps them maximize damage and ensure successful encryption. Common tools and commands used in discovery and enumeration include:

III. Defense Evasion and Obfuscation

After breaching a network and conducting reconnaissance, Medusa ransomware affiliates take deliberate steps to hide their activity and avoid being detected. This allows them to remain undetected long enough to disable security tools, exfiltrate data, and carry out encryption. The attackers achieve this by disabling any security software on the target networks, living off the land (LOTL), renaming payloads, and using a custom loader.

Disabling Security Software

Medusa affiliates disable security tools before encryption to ensure there are no obstacles that could hinder their execution. They commonly use task-killing commands (taskkill /f /im <process>.exe) to stop antivirus, EDR, and backup agents. They target Windows Defender, Sophos, Trend Micro, Veeam, and backup services. They also tamper with registry keys to permanently disable defenses.

Sample list of security services for termination

Living off the Land (LOTL)

Instead of deploying flashy custom tools (which might trigger alerts), Medusa abuses legitimate Windows utilities to facilitate attacks. For instance, tools like cmd.exe, powershell.exe, and rundll32.exe are used for stealthy system manipulation. This allows them to perform malicious actions using trusted processes, making it less likely to be flagged by EDR.

Renaming Payloads
Attackers rename payloads, encode scripts, or compress files to avoid detection; compressed payloads commonly carry .zip or .7z extensions. They may also use Base64 encoding, PowerShell obfuscation, or custom packing to evade signature-based detection.

Using Custom Loader

Medusa ransomware uses a loader that decrypts and runs the main ransomware payload in memory. This reduces disk-based artifacts and bypasses file-based antivirus detection. This enables them to deploy ransomware at scale and operate for days or weeks without being detected.

IV. Command and Control (C2) Setup

Medusa actors use Ligolo and Cloudflared to support command and control (C2) and evade detection. Ligolo is a reverse tunneling tool used to create secure connections between a compromised host and a threat actor’s machine. Cloudflared is used to securely expose applications, services, or servers to the internet via Cloudflare Tunnel without exposing them directly. This gives attackers total control of the battlefield to execute their intentions without being detected.

V. Credential Access & Lateral Movement

This step takes the attackers from a single compromised user to company-wide access. An attacker steals one admin credential and turns it into full domain control, going from one compromised user to company-wide encryption and extortion. This is what transforms a small compromise into a full-blown network-wide attack, allowing the attackers to encrypt servers, steal data, and increase ransom pressure.

Medusa operators use OS Credential Dumping to extract usernames, passwords, and authentication tokens from compromised machines. On Windows, this means reading credentials held in memory by LSASS (Local Security Authority Subsystem Service), the process responsible for storing them. An attacker who gains access to LSASS dumps all stored credentials, including admin credentials, which lets them spread across the network silently.

Example Workflow:
  1. Gain admin access to a machine (via phishing or exploit)
  2. Use procdump to create a memory dump of LSASS
  3. Transfer the .dmp file to the attacker’s system
  4. Run Mimikatz to extract usernames, passwords, and hashes

Once attackers have valid credentials, they log in to target systems via Remote Desktop Protocol (RDP) and begin moving from system to system. RDP is often enabled on internal systems, giving attackers a broad attack surface. With administrative rights, they use tools like PsExec or wmic to execute commands and install ransomware remotely across multiple systems at once.

When attackers gain access to the Active Directory domain controller, they essentially own the network. This means that they can create new admin accounts, disable security policies, and push ransomware to every system via Group Policy Objects (GPO). Medusa affiliates often disable logging, tamper with logs, or destroy artifacts to cover their tracks after lateral movement.
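The defense-evasion and credential-access steps described above (forced termination of security and backup processes, a dump of LSASS, and remote execution via PsExec or wmic) all leave traces in process-creation telemetry. The following detector is an added example written for this page, not X-PHY's code or anything the Medusa write-up contains. The watchlist of security process names and the LSASS allow-list are assumptions standing in for a real inventory, and the sample events are constructed, not real logs.

```python
"""Added example (not X-PHY's code): flag Medusa-style defense-evasion and
credential-access steps in process-creation telemetry. Events below are constructed."""
from dataclasses import dataclass

# Assumed watchlist of security/backup process names for the vendors named in the
# article; replace with your own EDR/AV/backup inventory.
PROTECTED_PROCESSES = {
    "msmpeng.exe",               # Windows Defender engine
    "savservice.exe",            # Sophos
    "ntrtscan.exe",              # Trend Micro real-time scan
    "veeam.backup.service.exe",  # Veeam backup service
}

# Assumed allow-list of images that may legitimately reference LSASS; tune per estate.
LSASS_ALLOWED_IMAGES = {"msmpeng.exe", "wininit.exe", "csrss.exe"}


@dataclass(frozen=True)
class ProcEvent:
    event_id: int
    user: str
    image: str          # full path of the newly created process
    command_line: str


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _argv(cmd: str) -> list:
    # Whitespace split is enough for these rules; quoted paths are not needed here.
    return cmd.lower().split()


def rule_taskkill_security(ev: ProcEvent):
    """taskkill /f /im <protected>.exe: the pre-encryption step the article describes."""
    if _basename(ev.image) != "taskkill.exe":
        return None
    argv = _argv(ev.command_line)
    if "/f" not in argv:
        return None
    targets = [argv[i + 1] for i, tok in enumerate(argv[:-1]) if tok == "/im"]
    hits = sorted(t for t in targets if t in PROTECTED_PROCESSES)
    return f"forced kill of protected process(es): {', '.join(hits)}" if hits else None


def rule_lsass_access(ev: ProcEvent):
    """A non-allow-listed tool naming lsass on its command line (procdump-style dump)."""
    image = _basename(ev.image)
    if image in LSASS_ALLOWED_IMAGES:
        return None
    if any("lsass" in tok for tok in _argv(ev.command_line)[1:]):
        return f"{image} referenced lsass on its command line (possible credential dump)"
    return None


def rule_remote_exec(ev: ProcEvent):
    """PsExec or wmic /node: launched from a user context."""
    image = _basename(ev.image)
    if image.startswith("psexec"):
        return "PsExec remote execution"
    if image == "wmic.exe" and any(tok.startswith("/node:") for tok in _argv(ev.command_line)):
        return "wmic remote execution via /node:"
    return None


RULES = (rule_taskkill_security, rule_lsass_access, rule_remote_exec)


def detect(events):
    """Return (event_id, rule name, reason) for every rule that fires."""
    findings = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                findings.append((ev.event_id, rule.__name__, reason))
    return findings


def flagged_ids(events):
    return sorted({eid for eid, _, _ in detect(events)})


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcEvent(1, r"CORP\alice", r"C:\Windows\System32\taskkill.exe",
              "taskkill /f /im MsMpEng.exe /im Veeam.Backup.Service.exe"),
    ProcEvent(2, r"CORP\alice", r"C:\Windows\System32\taskkill.exe",
              "taskkill /f /im notepad.exe"),
    ProcEvent(3, r"CORP\alice", r"C:\Temp\procdump.exe",
              r"procdump.exe lsass.exe C:\Temp\ls.dmp"),
    ProcEvent(4, "SYSTEM", r"C:\Windows\System32\lsass.exe",
              r"C:\Windows\system32\lsass.exe"),
    ProcEvent(5, r"CORP\alice", r"C:\Windows\System32\wbem\WMIC.exe",
              r"wmic /node:FILESRV01 process call create cmd.exe"),
    ProcEvent(6, r"CORP\bob", r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for eid, rule, reason in detect(SAMPLE_EVENTS):
        print(f"event {eid}: {rule}: {reason}")
```

Event 4 shows why the LSASS rule looks at arguments rather than the image name: LSASS starting itself names lsass only in argv[0], so it does not fire, while a third-party tool that passes lsass as an argument does. Events 2 and 6 are the benign controls.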

VI. Exfiltration and Encryption

Once Medusa ransomware affiliates have gained initial access to the network, moved laterally, and obtained administrator-level access, they initiate the data exfiltration process. This involves copying sensitive data from internal systems to external infrastructure controlled by the attacker. They do this before encryption to maximize pressure on victims. “If you don’t pay, we’ll leak your data” is the central threat of Medusa’s extortion strategy. During the exfiltration process, the attackers target:

Example workflow

1. Attackers bundle stolen files into .zip or .7z archives using tools like WinRAR and 7-Zip.

2. They then use command-line upload tools like Rclone, MegaCMD, or curl to exfiltrate the data to dedicated attacker-controlled infrastructure.

Once data is exfiltrated, Medusa affiliates launch the ransomware payload to encrypt files across the network, rendering them inaccessible to the victim without a decryption key.

How the Medusa Encryption Works

Files on infected machines are encrypted using AES (Advanced Encryption Standard). The AES key is then encrypted with RSA and communicated post-payment. Encrypted files typically have a custom extension, .MEDUSA. Ransom notes (!!!READ_ME_MEDUSA!!!.txt) are dropped in affected directories. The ransom notes contain:

  • Instructions for payment
  • Links to dark web negotiation sites
  • A threat to publish exfiltrated data

VII. Extortion

The Medusa ransom note demands that victims make contact within 48 hours via either a Tor browser-based live chat or an end-to-end encrypted instant-messaging platform. If the victim does not respond to the ransom note, Medusa actors reach out to them directly by phone or email. On Medusa Blog, the attackers display their victims’ IDs alongside countdowns to the release of information. They also post ransom demands with direct hyperlinks to Medusa-affiliated cryptocurrency wallets. At this stage, Medusa concurrently advertises the sale of the data to interested parties when the countdown timer ends. Victims can additionally pay $10,000 USD in cryptocurrency to add a day to the countdown timer.

Medusa Ransomware Note

How X-PHY Protects Against Medusa Ransomware

Medusa is a highly sophisticated ransomware that uses phishing, vulnerability exploits, credential theft, and double extortion. Unlike traditional ransomware protection tools that rely heavily on software, X-PHY embeds AI-driven protection directly into the SSD, the ultimate target of ransomware attacks. This means that even when all the other defenses have been bypassed, X-PHY will be the last line of defense standing to protect your data right where it resides.

The critical steps in the Medusa group’s operations will be instantly detected and stopped by X-PHY. For instance, the attack involves disabling security tools and exfiltrating sensitive data before encryption begins. With X-PHY, these steps will not succeed, because the X-PHY AI is embedded in the hardware, watching for abnormal data access patterns and stopping threats before they cause any real harm.

For instance, when Medusa attempts to exfiltrate sensitive data, X-PHY’s AI will detect the abnormally high volume of read operations, triggering SSD lockdown. This will instantly block data transfer and send an alert to the security team about the attempted exfiltration. Blocking the exfiltration phase of Medusa ransomware and locking down the SSD halts the rest of the Medusa processes, thus ensuring the organization’s sensitive data remains protected from the attackers.

The most significant phase of the Medusa ransomware involves encrypting files using AES, appending a .MEDUSA extension, and making the data inaccessible. X-PHY detects ransomware encryption patterns through advanced AI models analyzing how files are accessed and written. Once an attack has been detected, X-PHY interrupts the process of encryption in real time and locks the drive instantly. This will ensure that sensitive data is protected from unauthorized encryption, halting the entire Medusa process.
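The two behaviours the preceding paragraphs say X-PHY watches for at the drive, a burst of reads during exfiltration and a mass write/rename pattern during encryption, can be modelled as a sliding-window detector over storage I/O events. The block below is an added example written for this page; it is not X-PHY's firmware logic, the thresholds are assumptions (a real implementation learns a per-device baseline), and the event streams are constructed. The .MEDUSA extension and the ransom note name come from the article.

```python
"""Added example (not X-PHY's firmware): a storage-level behavioural detector for the
two Medusa phases the article says X-PHY watches, a read-volume spike (bulk
exfiltration) and a mass write/rename pattern (encryption). All events are constructed."""
from collections import deque
from dataclasses import dataclass

# Assumed thresholds per 1-second window; a production detector learns a per-device baseline.
WINDOW_MS = 1000
READ_BYTES_PER_WINDOW = 200 * 1024 * 1024   # more than 200 MiB read per window
WRITE_FILES_PER_WINDOW = 20                 # more than 20 distinct files written per window
RENAMES_PER_WINDOW = 5                      # at least 5 renames to a ransom extension
RANSOM_EXTS = {".medusa"}                   # extension named in the article
RANSOM_NOTES = {"!!!read_me_medusa!!!.txt"} # ransom note name from the article


@dataclass(frozen=True)
class IoEvent:
    t_ms: int
    op: str             # "read", "write" or "rename"
    path: str
    nbytes: int = 0
    new_path: str = ""  # destination for "rename"


def _name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _ext(path: str) -> str:
    name = _name(path)
    return name[name.rfind("."):] if "." in name else ""


def detect_anomalies(events):
    """Sliding-window detector. Each alert kind fires once, at the event that first trips it."""
    alerts, fired, window = [], set(), deque()
    for ev in sorted(events, key=lambda e: e.t_ms):
        window.append(ev)
        while ev.t_ms - window[0].t_ms > WINDOW_MS:
            window.popleft()
        read_bytes = sum(e.nbytes for e in window if e.op == "read")
        written = {e.path for e in window if e.op == "write"}
        renames = sum(1 for e in window if e.op == "rename" and _ext(e.new_path) in RANSOM_EXTS)
        note = any(e.op == "write" and _name(e.path) in RANSOM_NOTES for e in window)
        checks = (
            ("exfiltration", read_bytes > READ_BYTES_PER_WINDOW,
             f"{read_bytes >> 20} MiB read within {WINDOW_MS} ms"),
            ("encryption-pattern", renames >= RENAMES_PER_WINDOW or note,
             f"{renames} renames to {sorted(RANSOM_EXTS)}, ransom note written={note}"),
            ("mass-rewrite", len(written) > WRITE_FILES_PER_WINDOW,
             f"{len(written)} distinct files overwritten within {WINDOW_MS} ms"),
        )
        for kind, hit, detail in checks:
            if hit and kind not in fired:
                fired.add(kind)
                alerts.append({"kind": kind, "t_ms": ev.t_ms, "detail": detail})
    return alerts


MiB = 1024 * 1024


def make_exfil_sample():
    """Constructed: 50 reads of 8 MiB in half a second, i.e. a bulk copy-out of a share."""
    return [IoEvent(i * 10, "read", f"/share/finance/report_{i}.xlsx", 8 * MiB) for i in range(50)]


def make_encryption_sample():
    """Constructed: 30 documents read, overwritten and renamed to .MEDUSA, then a ransom note."""
    events = []
    for i in range(30):
        p = f"/users/alice/docs/file_{i}.docx"
        events += [IoEvent(i * 10, "read", p, 1 * MiB),
                   IoEvent(i * 10 + 3, "write", p, 1 * MiB),
                   IoEvent(i * 10 + 6, "rename", p, new_path=p + ".MEDUSA")]
    events.append(IoEvent(300, "write", "/users/alice/docs/!!!READ_ME_MEDUSA!!!.txt", 2048))
    return events


def make_normal_sample():
    """Constructed: ordinary editing that stays under every threshold."""
    return [IoEvent(0, "read", "/users/alice/docs/a.docx", 1 * MiB),
            IoEvent(500, "write", "/users/alice/docs/a.docx", 1 * MiB),
            IoEvent(900, "read", "/users/alice/docs/b.xlsx", 3 * MiB)]


if __name__ == "__main__":
    for label, sample in (("exfil", make_exfil_sample()), ("encrypt", make_encryption_sample()),
                          ("normal", make_normal_sample())):
        print(label, detect_anomalies(sample))
```

The "mass-rewrite" check is deliberately extension-agnostic: it trips on the rate at which distinct files are overwritten, so a variant that uses an extension or note name other than the ones quoted here is still caught, while the "encryption-pattern" check gives an earlier, higher-confidence signal when the known indicators are present.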

Why X-PHY is Uniquely Effective Against Medusa
  • X-PHY’s hardware-level protection means that the solution doesn’t rely on OS or AV software that Medusa can disable.
  • AI-powered anomaly detection gives near 100% detection of unusual patterns even for zero-day threats.
  • Immediate response by shutting down and locking the drive prevents encryption and data theft in real time.
  • Zero Trust architecture ensures access is always verified.
Ryuk Ransomware – Healthcare Organizations at Risk
https://x-phy.com/ryuk-ransomware-use-case/
Fri, 15 Sep 2023 07:14:24 +0000

Healthcare organizations are the leading target for cybercriminals because of the perceived high value of the data obtained in a successful attack. The Ryuk ransomware attacks on healthcare have been a major fiasco for the industry. The number of cyber-attacks on healthcare organizations has been increasing exponentially over the past few years, with the intensity of attacks peaking in the second half of 2020. On October 28, 2020, the federal government released a report concerning an attack on six hospitals in the United States over a period of 24 hours beginning October 26, 2020. In the report, the federal government identified the attacks as Ryuk ransomware attacks.

It noted that a list of 400 hospitals targeted by the ransomware had circulated among Russian hackers. Ryuk ransomware encrypts information within an organization’s computer systems, making it unusable. The hospitals that reported outages following the attack include Sky Lakes Medical Center, which was forced to purchase 2,000 new computers during recovery. Other affected hospitals include Klamath Falls and St. Lawrence Health System, among others whose names were not revealed. Since then, Ryuk’s increased activity against healthcare has caused massive impact and damage.

How Ryuk Ransomware Infects a System

The user receives a phishing email that, when clicked, downloads a Trojan that paves the way for Ryuk operators. Once downloaded, the malware spreads internally to other machines over SMBv1 and steals system and administrator credentials, which it transmits to the attacker. The Trojan then gives the attacker command and control of the victim machines, allowing them to push Ryuk ransomware into the system.

After gaining access and taking control of the system, Ryuk places ransomware payloads on the devices connected to the affected network through PowerShell Empire. It establishes persistence and deletes backups as well as shadow files before initiating file encryption. The ransomware then downloads additional exploitation tools while encrypting files using RSA-2048 and AES-256. Encrypted files are renamed with the .ryk extension used by Ryuk. Finally, the display on computer screens is changed; in most cases it shows the note “Shadow of the Universe”, a typical Ryuk phrase.

X-PHY Protection Method

A Ryuk ransomware attack on healthcare begins with a user action: downloading a Trojan onto a system device, which creates a backdoor that gives the attackers command and control over the compromised system. At this point, your files’ safety relies on the NAND-level protection offered only by the X-PHY AI Cyber Secure SSD. X-PHY trusts no one and will always be your last line of defense for your valuable data. When Ryuk gets into the storage, X-PHY detects it, raises an alarm, and initiates lockdown to keep data safe.

The SECURITY SCOUT and GUARDIAN PRO-X features of X-GUARD THREAT LOCK perform continuous security checks on the storage device to detect anomalies in device activity. In this case, the malware’s first action is to steal system and administrator credentials and send them to the attacker. These operations produce read activity that surpasses the normal read operations on the NAND flash. The trained AI algorithm detects this abnormal increase in reads associated with credential theft, classifies the activity as malicious, and triggers the X-Factor Encryption Lock feature to initiate system lockdown and raise an alert. The lockdown prevents Ryuk from accessing the NAND flash, keeping system data safe and stopping the attack.

What is WannaCry Ransomware and How to Protect Your Data
https://x-phy.com/wannacry-ransomware/
Mon, 26 Dec 2022 22:03:09 +0000

What is WannaCry Ransomware?

WannaCry ransomware is a type of malware/computer worm that targets the Windows operating system. It is also known as WannaCrypt0r, WannaCrypt, WCRY and WRypt. WannaCry combines two malicious components, a ransomware variant and a worm, which work together during the attack. In 2017, it attacked a huge number of computers in more than 150 countries, and companies including FedEx and Telefonica were hit. In Singapore, Tiong Bahru Plaza and White Sands are believed to have been targeted by the WannaCry attack. The 2017 incident is one of the most high-profile ransomware attacks that ever took place. Across the globe, the estimated cost of the cybercrime caused by WannaCry is $4 billion USD. It mainly targets older versions of the Windows operating system. Office employees are the main targets, accounting for around 43% of victims.

Sample screenshot of the WannaCry attack ransom payment procedure

Attack flow (source: https://dig.watch/trends/wannacry)

Additional reference: https://www.europol.europa.eu/wannacry-ransomware

X-PHY protection against WannaCry

Flexxon tested the WannaCry ransomware on a X-PHY® SSD and a normal SSD to see the responses. In less than 5 seconds, X-PHY® stopped the attack dead in its tracks, locked all data keeping it untouched, and immediately notified the user via email.

Here are the screenshots of the results.

Testing without X-PHY

As the first step, the ransomware was tested on the normal SSD, with the laptop’s security relying only on antivirus software. The antivirus reports that the computer is safe and does not detect the ransomware. Because it relies on signature-based detection, it can only detect known ransomware and cannot detect unknown variants.

WannaCry.py is a modified version of the ransomware, and it was not detected by the antivirus software. The test folder contains a few GB of data that the WannaCry ransomware will attack.

The ransomware is now activated and starts encrypting the files in the test folder.

The WannaCry ransomware encrypted all the files in the test folder; the encrypted files end with .crypt. In a real-life scenario, they could only be recovered if the victim paid the ransom to obtain the decryption key.

Testing with X-PHY

Before running the ransomware with the X-PHY SSD inside the laptop, check the configuration settings in the X-PHY tool and make sure that the security features are turned on to protect against the ransomware attack. If they are not enabled, click Apply and verify again with the password you used to log in to the X-PHY tool, along with 2FA.

After enabling the security features, the WannaCry ransomware was activated in the test folder.

Within a few seconds, X-PHY detects the ransomware by recognising its behavior in the read and write pattern at the firmware level. The X-PHY SSD locks and the laptop shuts down immediately.

At the same time, you receive an email alert about the ransomware attack.

When you restart the laptop after the ransomware attack, it goes into the boot menu because the X-PHY SSD is locked to secure the data inside. To unlock it, the user needs to open the X-PHY mobile application and connect to the X-PHY SSD via Bluetooth.

Once you unlock it, the data inside the test folder is intact thanks to the X-PHY protection. The files inside the folder are not encrypted and can be accessed as normal.

X-PHY® Response Flow

  • X-FILE FORENSIC AGENT features ACTIVE DETECTIVE and DEEP INVESTIGATION introduce extra file protection features by preventing any illegal data modifications. They also record all activities and their application, making it easy for X-PHY® to identify suspicious actors.
  • X-GUARD THREAT LOCK features SECURITY SCOUT and GUARDIAN PRO-X work together to stop any attempt by the ransomware to breach or clone your sensitive data.
  • After noticing suspicious activity to breach and/or to encrypt user data, it will trigger X-FACTOR ENCRYPTION LOCK. The KEYCODE 2-FACTOR feature within X-FACTOR ENCRYPTION LOCK locks down all the data in X-PHY®, making it inaccessible to the ransomware.
  • X-PHY® SSD sends a notification to the user on their computer showing that ransomware has been detected. An email notification is also sent simultaneously to the user’s registered email. The user will require an OTP to unlock the SSD.
  • X-PHY® records the attack activity in the event log and will automatically stop any action with the same behavior in the future.

Related:

How does X-PHY® SSD help protect against RaaS
HelloKitty Ransomware Prevention with X-PHY SSD

HelloKitty Ransomware Prevention with X-PHY SSD
https://x-phy.com/hellokitty-ransomware-prevention-with-x-phy-ssd/
Thu, 17 Nov 2022 01:54:40 +0000

The HelloKitty ransomware (aka FiveHands) has its earliest traces in November 2020, was discovered by the FBI in January 2021, and has potential ties to DeathRansom. The ransomware was highly active in December 2020, targeting organizations across multiple industries and countries. After encrypting files on a system, it demands a bitcoin payment in a ransom note. It too uses the trending double-extortion technique of threatening data destruction and confidentiality breach, extended in some cases to DDoS attacks on public-facing assets. This means that if the ransom is not paid, the victim’s data will either be published on the Babuk site payload.bin or sold to a third-party data broker.

Attack Vectors

How does the HelloKitty ransomware gain access to victims? It uses a number of attack vectors, such as compromised credentials and recently patched security flaws in SonicWall products (CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-2002). It may also use phishing emails or arrive as a secondary infection following an initial malware attack. After initial access, HelloKitty operators use common red-team penetration tools like Cobalt Strike, Mandiant’s Commando, or PowerShell Empire preloaded with tools like BloodHound and Mimikatz. Using these for reconnaissance and data collection, they first map the network and escalate privileges before exfiltration and encryption.

Attack Victims

Video Game Manufacturing – Poland

The most well-known HelloKitty attack hit the systems of CD Projekt Red in February 2021; the group claimed to have stolen the source code of Cyberpunk 2077, Witcher 3, Gwent, and other games, and later claimed to have sold the sensitive files to another threat actor. Below is the ransom note it left on CD Projekt Red’s encrypted machines:

CEMIG Powerplant – Brazil

The Brazilian electric power company CEMIG (Companhia Energética de Minas Gerais) announced that it had fallen victim to a cyber attack in December 2020. It was later revealed that HelloKitty ransomware was involved; the attackers stole a huge volume of data from the company, causing the suspension of its WhatsApp, SMS channels, and online app service.

Healthcare Service – UK

Another HelloKitty attack targeted a UK healthcare organisation in January 2021. Below is the ransom note found on the facility’s encrypted computers; the organization’s name has been omitted.

IT Service – France

A French IT service provider was attacked around Christmas 2020, leaving another HelloKitty ransom note.

In July 2021, the ransomware operators introduced a Linux variant targeting the VMware ESXi virtual machine platform, and activity increased from then on. By targeting enterprise virtual machines, the threat actors could encrypt multiple servers simultaneously with a single command, saving time and effort.

The FBI also shared an extensive collection of indicators of compromise (IoCs), as usually happens with any cyber attack chain.

Attack Workflow

Once the ransomware is sent to the victim’s computer via malspam campaigns, fake software updating tools, untrusted download sources, unofficial (third party) software activation tools and Trojans, the .exe file is executed on the system and the below workflow begins to unfold.

1. Termination of processes and Windows services.

Upon execution, HelloKitty begins to terminate all processes and Windows services that may interrupt its infection. These are usually associated with security, backup, or accounting software, as well as email and database servers.

2. Encryption of files with .KITTY or .CRYPTED file extensions.

On Windows systems, HelloKitty ransomware uses a combination of AES-128 + NTRU encryption. On Linux systems, it uses the combination AES-256 + ECDH. It appends the extension .kitty or .crypted to locked file names.

3. Ransom note.

After encrypting files, it leaves a plain-text ransom note on the desktop of victim machines. It addresses the victim, demands a ransom amount in BTC, and gives further directions and a bitcoin address. It usually contains a .onion URL that the victim can open using the Tor browser.

4. Deletion of shadow copies.

After successful encryption, HelloKitty deletes shadow copies and backups of encrypted files from the affected systems. This is to make sure no data is retrieved from backups.

HelloKitty: A Sample

Hundreds of indicators of compromise are circulating on threat forums so that security teams can protect their assets with signature-based detection. But only known IoCs can be blocked, so firms that rely on IoCs may still fall victim to new variants. Below is the SHA-256 hash of just one sample of the ransomware.

9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0

This particular sample was detected as malicious by 58 out of 69 detection tools. It targets Intel 386 or later and compatible processors.
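The point made above, that an IoC blocklist only ever catches the exact samples it already knows, is easy to demonstrate with a hash scanner. The block below is an added example for this page, not X-PHY's code: it hashes files in chunks (so large binaries are handled without loading them whole), matches against a blocklist that contains the SHA-256 quoted above, and shows that a constructed stand-in "sample" is caught while the same bytes with one byte appended are not. The files it scans are constructed byte strings, not malware.

```python
"""Added example (not X-PHY's code): hash-based IoC matching and why it misses new
variants. ARTICLE_IOC_SHA256 is the HelloKitty sample hash quoted in the article; the
files the demo scans are constructed byte strings, not malware."""
import hashlib
import os
import tempfile

ARTICLE_IOC_SHA256 = "9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0"
CHUNK = 1 << 20  # hash 1 MiB at a time so a large binary never sits in memory whole


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(paths, blocklist):
    """Return {path: sha256} for every file whose hash appears in the blocklist."""
    matches = {}
    for p in paths:
        digest = sha256_file(p)
        if digest in blocklist:
            matches[p] = digest
    return matches


def demo_variant_evasion():
    """Constructed: a 'known' sample is caught; the same bytes plus one byte are not."""
    known = b"constructed stand-in for a known ransomware binary (not malware)"
    variant = known + b"\x00"  # one appended byte: a trivially repacked 'new variant'
    with tempfile.TemporaryDirectory() as tmp:
        files = {"known.bin": known, "variant.bin": variant, "clean.txt": b"quarterly report"}
        paths = {}
        for name, data in files.items():
            paths[name] = os.path.join(tmp, name)
            with open(paths[name], "wb") as fh:
                fh.write(data)
        # Blocklist: the article's IoC plus the hash of our constructed 'known' sample.
        blocklist = {ARTICLE_IOC_SHA256, sha256_bytes(known)}
        matched = scan(paths.values(), blocklist)
        return {name: path in matched for name, path in paths.items()}


if __name__ == "__main__":
    print(demo_variant_evasion())  # {'known.bin': True, 'variant.bin': False, 'clean.txt': False}
```

Hash IoCs remain useful for confirming a known sample after the fact; the demo only shows that they cannot be the first line of defense against a variant that has never been seen.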

Protection from HelloKitty Ransomware using X-Phy Cybersecurity SSD Protection

The X-Phy AI-embedded cyber secure SSD protects against all known and unknown cyber threats. It is designed to thwart all cyber attacks without signature-based detection. The SSD detects malware or a cyber attack in a matter of seconds and securely locks the device before attackers can access any data.

Flexxon tested the HelloKitty ransomware on a X-PHY® SSD and a normal SSD to see the responses. In less than 5 seconds, X-PHY® stopped the attack dead in its tracks, locked all data keeping it untouched, and immediately notified the user via email and OTP.

Testing with the normal SSD/without the X-PHY

1. The HelloKitty ransomware is added to the device.

2. The HelloKitty ransomware is executed.

3. After executing the HelloKitty ransomware, all the files are encrypted. The infected file names end with the extension .crypted.

Testing with the X-PHY® SSD

To protect against the ransomware attack, go to the X-PHY tool’s configuration and enable the ransomware protection feature as well as the email alert.

After executing the Hi_Kitty_2 file, the HelloKitty ransomware is detected, the X-PHY drive is locked, and the device is shut down immediately to stop the ransomware’s execution.

To unlock X-PHY®, the user has to use connected duo authentication; otherwise, it remains locked. After unlocking, X-PHY® will have recorded all events in the event log, and the user can access data normally.

As attackers use more sophisticated techniques, it is becoming harder and harder for companies to stay ahead of them and keep their data secure from cyberattacks. That is why we brought you X-PHY®: it automatically detects suspicious behavior, having been trained on huge databases of malware to understand all possible malware behavior.

X-PHY® AI core is placed closest to your data and is highly trained to protect you from any threat that can touch your data.

X-PHY® Response Flow

  • XPHY FORENSIC™ AGENT features ACTIVE DETECTIVE and DEEP INVESTIGATION introduce extra file protection features by preventing any illegal data modifications. They also record all activities and their application, making it easy for X-PHY® to identify suspicious actors.
  • XPHY GUARD™ THREAT LOCK features SECURITY SCOUT and GUARDIAN PRO-X work together to stop any attempt by the ransomware to breach or clone your sensitive data.
  • After noticing suspicious activity to breach and/or to encrypt user data, it will trigger XPHY FACTOR ENCRYPTION™ LOCK. The KEYCODE 2-FACTOR feature within XPHY FACTOR ENCRYPTION™ LOCK locks down all the data in X-PHY®, making it inaccessible to the ransomware.
  • X-PHY® SSD sends a notification to the user on their computer showing that ransomware has been detected. An email notification is also sent simultaneously to the user’s registered email. The user will require an OTP to unlock the SSD.
  • X-PHY® records the attack activity in the event log and will automatically stop any action with the same behavior in the future.
  • To unlock X-PHY®, the user has to use connected duo authentication; otherwise, it remains locked. After unlocking, X-PHY® will have recorded all events in the event log, and the user can access data normally.

Conclusion

As cyberattacks grow in number and new malware variants appear every single day, cybersecurity solutions reliant on IoCs are at high risk of falling victim to new malware. The consequences of a ransomware attack include data deletion, loss of backups, extortion, confidentiality breach, etc. It is therefore advisable that firms switch to protection at the firmware level, such as the X-PHY SSD, which does not allow any unauthorized access.

LockBit Ransomware – A Use Case Of Accenture
https://x-phy.com/lockbit-ransomware/
Mon, 07 Nov 2022 01:09:58 +0000

The LockBit ransomware gang recently hit Accenture, one of the top technology consulting organizations in the world.

The Dublin-based company stated that the attack was not classified as a ransomware attack, since it claimed that its operations were not affected.

According to one of its representatives, Stacey Jones, Accenture’s security controls and protocols spotted abnormal behavior in one of its environments. The issue was quickly resolved and the impacted servers were isolated. All of the affected systems were fully restored from backups. Neither Accenture’s operations nor its clients’ systems were impacted.

The Russian ransomware gang, which operates on a ransomware-as-a-service model, claimed responsibility for the attack. The attackers demanded $50 million in ransom for six terabytes of data.

VX Underground, which says it holds the largest collection of malware source code online, tweeted that LockBit briefly published more than 2,000 files on its dark web leak site. The files contained case studies and presentations.

A screenshot of the ransomware operator's dark web page, where the attack was announced, shows the attackers stating that Accenture's security was not at the level they would have expected. This could damage the company's reputation, since it paints a poor picture for Accenture's clients, who entrust it with valuable and confidential data.


How LockBit Ransomware works

The LockBit gang operates on a ransomware-as-a-service (RaaS) model: the ransomware is offered to affiliates, and when an attack succeeds and a ransom is paid, the payment is split between the gang and the affiliates behind the attack.

Once a single host on a network is infected, the ransomware can scan the network and infect other reachable devices. It relies on Windows-native tools and protocols (WMI, DCE-RPC and SMB), which makes it hard for endpoint security tools to distinguish its activity from legitimate administration.

Here is a summary of how the ransomware works:

1. Entry into Victim’s machines

The attackers gain entry to the victim's systems by brute-forcing credentials or through phishing emails.

2. Lateral movement and internal reconnaissance

An internal IP address begins issuing WMI commands over DCE-RPC to multiple internal destinations. This is followed by many more WMI commands over DCE-RPC, which continue throughout the encryption process.

The infected device then starts writing executable files over SMB to hidden shares (shares whose name ends in $, such as ADMIN$) on multiple destinations.

Being able to write to these shares means the ransomware has already escalated privileges and is running as an administrator.

If it cannot escalate privileges, the ransomware attempts to bypass Windows User Account Control (UAC).

The WMI commands continue, and executable files keep being written to hidden locations on other hosts (such as Windows\Temp).

3. File Encryption

The ransomware begins encrypting files, appending the .lockbit extension. At the same time it keeps using SMB to spread to other devices via the srvsvc pipe and scans critical TCP ports.

The ransomware keeps adopting new features that make it more complex and harder to detect. For example, recent variants have adopted the double extortion method, in which data is stolen before the victim's systems are encrypted.

Stolen data may be published or sold to competitors if the ransom is not paid, which adds pressure on the victim to pay.
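The behaviours in steps 2 and 3 above are concrete enough to alert on. The following is an added example, not code from X-PHY or from the original page: a small rule-based detector in Python that scores a host on (1) WMI commands over DCE-RPC fanning out to several peers within a short window, (2) executables written over SMB to hidden ($) shares, and (3) files renamed with the .lockbit extension. The pipe-delimited log format, the sample events and the thresholds (four peers within two minutes) are all constructed assumptions for the example; map them onto your own EDR or firewall telemetry.

```python
"""Added example (not X-PHY code): a rule-based detector for the LockBit
lateral-movement and encryption pattern described above.  It flags a host
that (1) fans WMI commands out over DCE-RPC to many peers in a short window,
(2) writes executables over SMB to hidden ($) shares, and (3) renames files
with the .lockbit extension.  The pipe-delimited log format, the sample
events and the thresholds are all constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

WMI_FANOUT_THRESHOLD = 4            # distinct WMI targets within WMI_WINDOW
WMI_WINDOW = timedelta(minutes=2)
EXEC_SUFFIXES = (".exe", ".dll")

# Constructed telemetry: timestamp|source host|event kind|key=value fields
SAMPLE_LOG = """\
2022-11-07T01:00:01|10.0.0.5|net|dst=10.0.0.20 proto=dcerpc svc=wmi
2022-11-07T01:00:02|10.0.0.5|net|dst=10.0.0.21 proto=dcerpc svc=wmi
2022-11-07T01:00:02|10.0.0.5|net|dst=10.0.0.22 proto=dcerpc svc=wmi
2022-11-07T01:00:03|10.0.0.5|net|dst=10.0.0.23 proto=dcerpc svc=wmi
2022-11-07T01:00:04|10.0.0.5|net|dst=10.0.0.24 proto=dcerpc svc=wmi
2022-11-07T01:00:05|10.0.0.5|smbwrite|dst=10.0.0.20 share=ADMIN$ path=Windows\\Temp\\svc.exe
2022-11-07T01:00:06|10.0.0.5|smbwrite|dst=10.0.0.21 share=C$ path=Windows\\Temp\\svc.exe
2022-11-07T01:00:09|10.0.0.5|file|op=rename path=D:\\finance\\q3.xlsx new=D:\\finance\\q3.xlsx.lockbit
2022-11-07T01:00:09|10.0.0.5|file|op=rename path=D:\\finance\\q4.xlsx new=D:\\finance\\q4.xlsx.lockbit
2022-11-07T01:05:00|10.0.0.9|net|dst=10.0.0.30 proto=dcerpc svc=wmi
2022-11-07T01:05:01|10.0.0.9|smbwrite|dst=10.0.0.30 share=Public path=report.docx
"""


def parse(log_text):
    """Turn the pipe-delimited lines into dicts with a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, details = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in details.split())
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "kind": kind, **fields})
    return events


def detect(events):
    """Return {source host: sorted list of matched behaviours}."""
    findings = defaultdict(set)
    wmi_hits = defaultdict(list)          # src -> [(timestamp, dst)]
    for e in events:
        src = e["src"]
        if e["kind"] == "net" and e.get("proto") == "dcerpc" and e.get("svc") == "wmi":
            wmi_hits[src].append((e["ts"], e["dst"]))
        elif e["kind"] == "smbwrite":
            hidden = e.get("share", "").endswith("$")
            if hidden and e.get("path", "").lower().endswith(EXEC_SUFFIXES):
                findings[src].add("exe written to hidden share")
        elif e["kind"] == "file" and e.get("new", "").lower().endswith(".lockbit"):
            findings[src].add(".lockbit extension appended")

    # Sliding window: how many distinct peers did one host reach via WMI
    # within WMI_WINDOW of any given command?
    for src, hits in wmi_hits.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            peers = {dst for t, dst in hits[i:] if t - t0 <= WMI_WINDOW}
            if len(peers) >= WMI_FANOUT_THRESHOLD:
                findings[src].add("WMI fan-out over DCE-RPC")
                break
    return {src: sorted(reasons) for src, reasons in findings.items()}


if __name__ == "__main__":
    for host, reasons in detect(parse(SAMPLE_LOG)).items():
        print(host, "->", ", ".join(reasons))
```

Run it as a script to print one line per flagged host. Only 10.0.0.5 is flagged: 10.0.0.9 issues a single WMI command and writes a document to a non-hidden share, which is ordinary administration. In practice, tune the fan-out threshold against your own baseline, since legitimate management tooling also issues WMI commands to many hosts.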

X-PHY® Protection against LockBit Ransomware

X-PHY® engineers ran LockBit ransomware against an X-PHY® drive and against a normal SSD to compare the response. In less than 5 seconds, X-PHY® stopped the attack, locked all data so that it remained untouched, and immediately notified the user via email and OTP.

On the normal SSD, all data was compromised and the PC could not boot; it showed only the following pop-up screen:

When tested with X-PHY®, the ransomware was detected within 5 seconds and the SSD was locked.

On locking the SSD, X-PHY® notifies the user via email that a ransomware attack has been detected and the device locked.

To unlock X-PHY®, the user must complete the connected duo (two-factor) authentication; otherwise the drive remains locked. After unlocking, every event remains recorded in the event log, and the user can access data in the normal way.

As attackers use ever more sophisticated techniques, it is getting harder for companies to stay ahead of them and keep their data secure. That is why we built X-PHY®: it automatically detects suspicious behavior, having been trained on large malware datasets to recognise malicious behaviour patterns.

Related:

HelloKitty Ransomware Prevention with X-PHY SSD

What is WannaCry ransomware and How to protect your data from the WannaCry ransomware?

X-PHY® AI core is placed closest to your data and is highly trained to protect you from any threat that can touch your data.

X-PHY® Response Flow

  • The X-GUARD THREAT LOCK features SECURITY SCOUT and GUARDIAN PRO-X work together to stop any attempt by the ransomware to breach or clone your sensitive data.
  • The X-FILE FORENSIC AGENT features ACTIVE DETECTIVE and DEEP INVESTIGATION add further file protection by preventing unauthorized data modification. They also record every activity and the application behind it, making it easy for X-PHY® to identify suspicious actors.
  • When these features notice an attempt to exfiltrate or encrypt user data, they trigger X-FACTOR ENCRYPTION LOCK. The KEYCODE 2-FACTOR feature within X-FACTOR ENCRYPTION LOCK locks down all data on X-PHY®, making it inaccessible to the ransomware.
  • X-PHY® shows a notification on the user's computer that ransomware has been detected. An email notification is sent to the user's registered address at the same time. The user needs the OTP to unlock the SSD.
  • X-PHY® records the attack activity in the event log, and will automatically stop any action with the same behavior in the future.

See Also:

How does X-PHY® SSD help protect against RaaS
]]>
Cyber Attacks on Transportation Infrastructure https://x-phy.com/cyber-attacks-on-transportation-infrastructure/ Mon, 17 Oct 2022 23:47:20 +0000 https://x-phy.com/?p=5569 When discussing cyberattacks on the transportation industry, it is important to look at the recent technological advances the industry enjoys. Transportation has been transformed repeatedly by technology and is now on the verge of the Intelligent Transportation System (ITS), which promises better and safer driving and traffic management for everyone. New forms of transport and new on-road technology are emerging to support transit-oriented development, and vehicles themselves are gaining IoT features that connect to the network infrastructure for better real-time management.

Synchronizing traffic signals, prioritizing signals in lanes, electronic information signs, and variable speed limit signs are all part of the growing ITS industry, which automatically distributes real-time traffic data to websites, social media feeds, mobile apps, and local TV and radio stations. Connected-vehicle technology, meanwhile, relies on wireless communications between smart vehicles to control speed, heading, and direction. The same technology, if it runs over unsecured network connections, opens a door to cyberattacks on the transportation industry, and those attacks can cause fatalities.

Cyberattack in Transportation Industry

Advances in information technology and interactive systems have improved the efficiency and functionality of transportation facilities, across aviation, roads and bridges, inland waterways, ports, railways and transit. The same advances increase the risk of cyberattacks on the transportation industry, so top-notch protection is essential for the safe and continuous operation of the transportation system. 116 cyber-attacks occur every day globally, and 40% of them are data breaches by hackers.

A cyberattack on the transportation industry can arise from several causes: network disruption, unauthorized access, data breach, and unintentional data disclosure. Each involves the information system and exposes its vulnerabilities.

The number of cyberattacks on the transportation industry is growing, and the associated losses are large, which calls for a resilient, firmware-based cybersecurity solution. Transportation infrastructure can only get the full benefit of its technological improvements with X-PHY® AI Cyber Secure. Flexxon introduces the world's first AI-embedded cybersecurity technology, built to eliminate the risk of cyberattacks on the transportation industry.

Benefits of X-PHY® AI Cyber Secure Solution

The X-PHY® AI Cyber Secure Solution has built-in AI technology optimized for dense computing in shared networks. Its integrated AI Co-Processor Quantum Engine monitors threats in real time and blocks attacks to ensure secure data transfer. It also has a self-learning feature that closes the gateways threats use and enables firmware-level protection, with high-performance threat detection and a hardware sensor that detects anomalies through data access patterns.

X-PHY® keeps constant watch over your data because it trusts no one. Its benefits include the following:

Prevents Network Disruption: Hackers can launch DDoS or MitM attacks and disrupt transportation networks. X-PHY® provides Keycode Encryption, Signalock, and Security Scout, with protection rooted in the Firmware Protected Engine and Power Shield.

Defends Against Cyber Extortion: Systems can be compromised through social engineering, with malware installed when a user clicks a malicious link or attachment in a phishing email, after which the attacker takes control through spoofing. X-PHY® provides Guardian Pro-X, Anti-Virus Warden, and Active Detective, which together with the AI-based Security Engine block such attacks.

Prevents Data Breaches: Attackers can get into a system through lost or stolen devices, by injecting malicious code into a server, or through misconfiguration, any of which can seriously harm transportation infrastructure. Rapid Purge-X, Anti-Virus Warden, and Security Scout, paired with Hardware Shield, Secure Connectivity, and the Intelligent Activity App, prevent such attacks.

Forbids Unauthorized Access: A threat actor can break into transportation infrastructure through password attacks and fraudulent access that defeats access verification. The Keycode 2-Factor and Active Detective features, together with X-PHY®'s Secure Connectivity, block such actions.

Safe Transportation Infrastructure Ensured with the X-PHY®

Transportation infrastructure must provide a safer network to eliminate the fatalities a cyberattack on the transportation industry could cause. Implementing the X-PHY® AI Cyber Secure solution provides firmware-based security so that the network can carry data safely and keep control over the traffic system. Close the many potential entry points hackers have into transportation facilities by deploying AI-embedded cybersecurity, and build risk-free smart cities.


]]>
Human Factor – Cyber Attack Due to Human Negligence https://x-phy.com/human-negligence-and-ransomware-protection/ Thu, 22 Sep 2022 19:59:28 +0000 https://x-phy.com/?p=6697

Who are they?

Gio Environment Ltd is a reputable organization that provides practical and cost-effective solutions for growing plants in corporate offices and in the commercial, residential and retail sectors, making the world greener and better. All its services are highly technology-driven to ensure the best quality of service for the investment.

DATA BREACHED. HOW DID IT HAPPEN?

In the process, the firm unknowingly opened the door to cyber threats: installing various designs through a range of applications led to a cyber attack in which all the personal data of its employees was encrypted. The attacker managed to bypass the anti-virus protection and carried out a successful ransomware attack. Sadly, the firm had no ransomware protection in place.

What did they not do?

> No Firewall Protection Installed
> Anti-Virus Software Not Updated
> No Proper Servers Backup
> No Passwords Management System
> No Cyber Security Awareness Training

> No Ransomware Protection

 

ORGANISATION’S IMPACT DUE TO LACK OF RANSOMWARE PROTECTION

> Reputation and Branding Loss
> Loss of Customers’ Trust
> Penalty and Fine
> Paid Ransom
> Additional Cost Incurred to Remediate Actions

X-PHY Ransomware Protection Method

1. Active Detective and Deep Investigation within the X-File Forensic Agent detect the ransomware's data-encryption activity as soon as it starts.

2. The X-File Forensic Agent triggers X-Factor Encryption Lock.

3. Keycode 2-Factor within the X-Factor Encryption Lock locks the data; it can only be accessed by pairing multiple encryption keys, which keeps the ransomware away from the data.

4. Guardian Pro-X and Security Scout within the X-Guard Threat Lock block any attempt by the ransomware to breach or clone the data.

5. The X-PHY® SSD then enters safe mode and requires 2-factor authentication to unlock access to the data.

This is how X-PHY works for ransomware protection.

]]>
Timing Attack https://x-phy.com/timing-attack/ Tue, 20 Sep 2022 02:02:32 +0000 https://x-phy.com/?p=6522 Use Case in Daily Usage

Jerry attended a meeting in London last week. As a manager, he keeps crucial information on his laptop, which has a built-in X-PHY® drive. During his trip to London he accidentally left the laptop in a cab, where another passenger found it. The passenger had dishonest intentions and wanted to get at all the data on the laptop.

The passenger found that all the data was protected by self-encryption, so he attempted a side-channel attack on the X-PHY®: he brute-forced the drive by feeding it different inputs and watching on an oscilloscope the signals from the logic executing the cryptographic algorithms, looking for timing differences that would reveal the key. The AI security engine detected the anomalous brute-force signals, triggered Signalock within the X-Stream Protection feature, and immediately applied the password lock to the data. At the same time, all activity on the X-PHY® was monitored in real time by the AI and by X-File Forensic.

At a certain point, Layerlock+ within X-Stream Protection added a further layer of protection by wiping the security keys. The data therefore remained locked, with the Keycode 2-Factor feature engaged to ensure complete safety and protection.

X-PHY Protection Method

1. AI real-time monitoring activates Signalock within the X-Stream Protection feature to detect and analyze the time taken to execute the cryptographic algorithms.

2. The brute-force attempt to obtain the encryption password further triggers Layerlock+ under X-Stream Protection to wipe the secured keys.

3. Keycode 2-Factor within X-Factor Encryption Lock locks down the data by entering safe mode.

4. While these actions take place, the X-File Forensic features (Deep Investigation and Active Detective) monitor and log them on the X-PHY®.
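The scenario above turns on a classic side channel: a key or password check that stops at the first mismatching byte takes measurably longer the more leading bytes the guess gets right, and that difference is visible on an oscilloscope or a timer. The following is an added example, not code from X-PHY or from the original page, showing the leak and the standard fix in Python. To keep it deterministic, elapsed time is modelled as the number of byte comparisons the check performs; the secret, the oracle interface and the attack loop are constructed for the example.

```python
"""Added example (not X-PHY code): the timing side channel behind the
scenario above, and the constant-time check that closes it.  A key or
password comparison that stops at the first mismatching byte leaks, through
its running time, how many leading bytes of the guess were right, so an
attacker can recover the secret one byte at a time.  Elapsed time is
modelled here as the number of byte comparisons performed (deterministic);
on real hardware the same signal is what an oscilloscope trace shows."""
import hmac

SECRET = b"S3cr3tKey"      # constructed example secret held by the device


def leaky_compare(secret: bytes, guess: bytes):
    """Early-exit comparison.  Returns (equal, comparisons_performed)."""
    if len(secret) != len(guess):
        return False, 0
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:          # bails out here: work done reveals mismatch index
            return False, steps
    return True, steps


def constant_time_compare(secret: bytes, guess: bytes):
    """Same decision, but every byte is always examined: the work done no
    longer depends on where the bytes differ.  hmac.compare_digest() is the
    standard-library primitive to use for this in production code."""
    if len(secret) != len(guess):
        return False, 0
    acc, steps = 0, 0
    for a, b in zip(secret, guess):
        acc |= a ^ b
        steps += 1
    return acc == 0, steps


def stdlib_compare(secret: bytes, guess: bytes) -> bool:
    """What production code should call."""
    return hmac.compare_digest(secret, guess)


def recover_secret(oracle, length):
    """Byte-at-a-time recovery using only the (equal, steps) an oracle
    leaks.  For each position, the candidate that makes the oracle do the
    most work is the one that matched."""
    known = bytearray()
    for pos in range(length):
        best_byte, best_steps = 0, -1
        for cand in range(256):
            guess = bytes(known) + bytes([cand]) + b"\x00" * (length - pos - 1)
            equal, steps = oracle(guess)
            if equal:
                return guess
            if steps > best_steps:
                best_byte, best_steps = cand, steps
        known.append(best_byte)
    return bytes(known)


def demo():
    """Attack the leaky check, then the constant-time check, with the same
    attack loop.  Returns (recovered_from_leaky, recovered_from_ct)."""
    leaky = recover_secret(lambda g: leaky_compare(SECRET, g), len(SECRET))
    ct = recover_secret(lambda g: constant_time_compare(SECRET, g), len(SECRET))
    return leaky, ct


if __name__ == "__main__":
    leaky, ct = demo()
    print("leaky compare    ->", leaky)
    print("constant-time    ->", ct)
```

recover_secret needs at most 256 oracle calls per byte against the leaky check, so a nine-byte secret falls in a few thousand queries, whereas against the constant-time check every guess costs the same and the loop degenerates to blind guessing (it returns all zero bytes). This is why firmware that verifies keys or passwords must use constant-time comparisons and, as in the Layerlock+ step above, should wipe keys after repeated failures rather than keep answering.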

]]>
NotPetya Ransomware – Cyber-Attack on Pfizer for COVID-19 Vaccine Data https://x-phy.com/notpetya-ransomware-cyber-attack-pfizer-covid19-vaccine-data/ Sun, 11 Sep 2022 04:17:14 +0000 https://x-phy.com/?p=7308 According to the Yonhap News Agency, South Korea’s National Intelligence Service (NIS) accused North Korea of launching a cyber-attack on Pfizer, using NotPetya ransomware, targeting information about the COVID-19 vaccine Pfizer developed in partnership with BioNTech. With the surge in COVID-19 infections there is increased pressure on drug-makers to produce the vaccine in large quantities. Employees at these firms have to work harder and longer than before, which exposes the firms to cyber-attacks as security falls to the bottom of employees’ priority lists.

Technical Analysis of the NotPetya Ransomware Attack

Even though Pfizer has not released details of the attack, experts liken it to the notorious NotPetya, the malware behind the 2017 Merck & Co attack. After invading a system, NotPetya launches a series of activities including file dropping, self-propagation, privilege checking, process hashing, credential theft, system shutdown, and anti-forensics. These activities let the attackers carry out their intended operations on the target without detection.

How NotPetya Ransomware Compromises the Target

1. File Dropping
When NotPetya is launched, it drops several files: the ransomware DLL (C:\Windows\perfc.dat), the ransom splash and warning files, and the credential-theft module (written as a temporary file in the temp directory), and it writes the contents of one of its resources to C:\Windows\dllhost.dat (a copy of the PsExec remote-execution tool). That file is what makes it possible to execute processes on other systems.

2. Process Hashing and Privilege Checks
After dropping the files, the malware is launched as a DLL via rundll32.exe and starts a subroutine that hashes the name of every running process to check whether Kaspersky, Norton Security, or Symantec processes are present, while at the same time attempting to obtain a sufficient level of privilege.

3. Credential Theft
The malware decompresses resource 0x1 or 0x2, depending on whether the OS is 32-bit or 64-bit, and writes the result as a temporary file in the %TEMP% folder. This module looks for the wdigest.dll module and the lsass.exe process, which handle the digest authentication security package and the Local Security Authority respectively. At this point the Local Security Authority (LSA), which manages security packages and enforces security policy, is compromised. The module extracts credentials and passes them back to NotPetya through a named pipe.

4. Anti-forensics
After execution, the malware wipes the contents of the dropped files so that they cannot be recovered through disk forensics. It then loads itself into memory and deletes itself from the disk.

[Figure: How NotPetya Compromises the Target]

X-PHY Protection Method

Detecting the Malicious Activity

The first thing NotPetya does is drop files and adjust privileges. The Guardian Pro-X and Security Scout features within X-Guard Threat Lock use AI at the firmware level to monitor the instructions sent to the drive. The module mirrors the instructions the host sends to the target addresses, together with the content of the affected LBAs (logical block addresses).

The trained neural network uses the mirrored instructions and contents to decide whether the activity is malicious. It does this by comparing the read/write/overwrite access requested by the stager against the baseline read/write/overwrite pattern for the master boot record, master file table, boot sectors and file-system parameter blocks associated with the operating system, or for secondary storage operations in general.

NotPetya's first instruction is to drop files and write its resource to C:\Windows\dllhost.dat. Security Scout classifies these activities as malicious since they aim to compromise the device. On detecting the malicious file dropping and file replacement, the X-Factor Encryption Lock feature triggers data lockdown to prevent malicious access to data.
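What the firmware-level check above amounts to is classifying the stream of sector writes the host sends, with the drive holding a mirror of each LBA's previous contents. The following is an added example, not X-PHY's algorithm and not code from the page, that models that check in Python in simplified form: it flags writes to protected structures (here only the MBR at LBA 0, which NotPetya overwrites), flags a burst of writes that replace low-entropy data with high-entropy data (which is what bulk encryption looks like at the block layer), and locks the drive on the first alert so later writes are refused. Sector size, thresholds and the simulated workload are constructed assumptions.

```python
"""Added example (not X-PHY's algorithm): a simplified model of a
firmware-level write monitor.  It mirrors each LBA's content, flags
overwrites of protected structures (the MBR at LBA 0 here) and flags a
burst of writes that replace low-entropy content with high-entropy content,
which is what bulk encryption looks like at the block layer.  On the first
alert the monitor locks and rejects further writes.  Thresholds, sector
layout and the simulated workload are constructed for this example."""
import math
import random
from collections import deque

SECTOR = 512
PROTECTED_LBAS = {0}          # MBR; add MFT/boot-sector ranges for a real layout
ENTROPY_HIGH = 7.0            # bits per byte; encrypted data approaches 8
BURST_WINDOW = 16             # number of recent writes considered
BURST_RATIO = 0.75            # fraction that must look like encryption


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class WriteMonitor:
    def __init__(self):
        self.disk = {}                         # lba -> last accepted content
        self.recent = deque(maxlen=BURST_WINDOW)
        self.alerts = []
        self.locked = False

    def write(self, lba: int, data: bytes) -> bool:
        """Apply a sector write; return False if it was refused."""
        if self.locked:
            return False
        if lba in PROTECTED_LBAS:
            self.alerts.append(("protected-lba-overwrite", lba))
        old = self.disk.get(lba)
        looks_encrypted = (old is not None
                           and shannon_entropy(old) < ENTROPY_HIGH
                           and shannon_entropy(data) >= ENTROPY_HIGH)
        self.recent.append(looks_encrypted)
        if (len(self.recent) == BURST_WINDOW
                and sum(self.recent) / BURST_WINDOW >= BURST_RATIO):
            self.alerts.append(("encryption-burst", lba))
            self.recent.clear()
        if self.alerts:
            self.locked = True                 # lockdown: data stays as it was
            return False
        self.disk[lba] = data
        return True


def simulate():
    """Constructed workload: fill 64 sectors with document text, make a few
    ordinary edits, then overwrite sectors in place with random bytes
    (encryption) and finally try to replace the MBR, as NotPetya does."""
    rng = random.Random(7)
    mon = WriteMonitor()
    text = (b"quarterly report: revenue, costs, headcount " * 20)[:SECTOR]
    for lba in range(1, 65):
        mon.write(lba, text)
    for lba in range(1, 9):                   # ordinary edits, still text
        mon.write(lba, (b"revised " + text)[:SECTOR])
    rejected = 0
    for lba in range(1, 33):                  # ransomware: encrypt in place
        blob = bytes(rng.getrandbits(8) for _ in range(SECTOR))
        rejected += not mon.write(lba, blob)
    rejected += not mon.write(0, b"\xeb\x00" * (SECTOR // 2))   # fake bootloader
    intact = sum(shannon_entropy(mon.disk[lba]) < ENTROPY_HIGH
                 for lba in range(1, 65))
    return {"alerts": mon.alerts, "locked": mon.locked,
            "rejected": rejected, "intact_sectors": intact}


if __name__ == "__main__":
    print(simulate())
```

In the simulation the burst rule fires on the twelfth in-place encryption write, the drive locks, and sectors 12 to 64 keep their original content; the later attempt to replace the MBR is refused outright. A real implementation needs the file-system layout (MFT and boot-sector ranges) and a baseline of normal write entropy, since compressed archives and media files legitimately write high-entropy blocks.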

[Figure: Detection of Malicious Activity]

Prevention of Malicious Cloning

When an attempt to illegally drop and replace files is detected, the X-Factor Encryption Lock feature responds by triggering data lockdown to deny the attacker access to data, and immediately activates Keycode 2-Factor. X-PHY enters safe mode and asks for a password to complete the 2-factor authentication. At this point multiple unique keys must be provided to gain access; otherwise the data remains locked, preventing theft of credentials and keeping the data safe.


]]>
Cyber Attacks on Point-of-Sale via Rdasrv Malware https://x-phy.com/cyber-attacks-on-point-of-sale-via-rdasrv-malware/ Sat, 10 Sep 2022 23:12:32 +0000 https://x-phy.com/?p=7288

A Point of Sale (POS) attack is a technique cybercriminals use to obtain credit and debit card information from POS and payment terminals using POS malware. The attackers position themselves in the middle to intercept data as it is processed by the retail checkout system. For instance, they use RAM scraping, which reads the terminal's process memory and exports the data through a Remote Access Trojan (RAT). The technique requires minimal software and hardware tampering, which makes it difficult to detect. POS malware families used to scrape RAM include Rdasrv, Alina, VSkimmer, Dexter, BlackPOS, FastPOS, PunkeyPOS, Multigrain, CenterPOS, and MalumPOS.

How Rdasrv Infects the System

Rdasrv installs itself on a Windows computer as an executable named rdasrv.exe. The malware scans memory for card data, extracting the cardholder name, account number, expiry date and whatever other information the attackers want. After scraping, it stores the information in a file named data.txt or currentblock.txt and transmits it to the attacker.

X-PHY Protection Method

POS criminals exploit a number of weaknesses in the terminals. For instance, POS malware gets into the system when employees use the terminals for web browsing or email. The need for regular remote access to terminals for central updates and troubleshooting also gives the malware a way in. X-PHY AI Embedded Cyber Secure SSD offers advanced protection, with a security solution comprising X-Guard Threat Lock, X-Stream Protection, X-Factor Encryption Lock, and X-Site Secure, to keep the confidential data in the POS system safe.

X-PHY AI Embedded Cyber Secure SSD provides real-time security monitoring: all incoming and outgoing data streams are watched so that a threat is detected before it causes harm. In this case, POS malware would be detected as soon as it is written to the drive and stopped before it can compromise the integrity of the card data in the system.

Once on the system, the malware resides on the retailer endpoint and scans the POS terminal's memory for card data to send to the botmaster. When a transaction is recorded, its data is momentarily held on the endpoint. Even though the system is designed to encrypt the data immediately, POS malware exploits the short window in which the data sits unencrypted in process memory while it awaits authorization.
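The window described above can be measured rather than assumed. The following is an added example, not code from X-PHY or from the page, that scans a memory snapshot for card data in the clear in the same way a RAM scraper such as Rdasrv does, validating candidates with the Luhn check so that ordinary numbers are not reported. The memory buffer is constructed, using the public Visa and Mastercard test PANs; point scan_memory at a dump of the POS process instead.

```python
"""Added example (not X-PHY code): scan a process-memory snapshot for card
data sitting in the clear, the same thing a RAM scraper such as Rdasrv
looks for.  Run against a dump of the POS process to measure the window
described above and to confirm it is closed.  The buffer below is
constructed; the PANs are the well-known Visa and Mastercard test numbers."""
import re

# Track 2 as stored on the magnetic stripe: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(rb";([0-9]{13,19})=([0-9]{2})([0-9]{2})[0-9]*\?")
# Bare PAN: 13-19 digits not embedded in a longer digit run
PAN_RE = re.compile(rb"(?<![0-9])([0-9]{13,19})(?![0-9])")

MEMORY = (                                          # constructed snapshot
    b"\x00" * 16
    + b"POSAPP v2.1 txn_id=000123 amount=42.50 "
    + b";4111111111111111=271210100001?"          # Track 2 in the clear
    + b"\x00" * 8
    + b"customer ref 1234567890123 "               # 13 digits, fails Luhn
    + b"auth pending pan=5555555555554444 exp=12/27"
    + b"\x00" * 16
)


def luhn_ok(digits: bytes) -> bool:
    """Luhn check-digit validation over ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep first six and last four digits, as PCI DSS permits for display."""
    return (pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]).decode()


def scan_memory(buf: bytes):
    """Return [(offset, kind, masked_pan, expiry)] for Luhn-valid PANs,
    whether they appear inside Track 2 data or as bare digit runs."""
    hits, seen = [], set()
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            seen.add(m.start(1))
            expiry = m.group(3).decode() + "/" + m.group(2).decode()   # MM/YY
            hits.append((m.start(1), "track2", mask(pan), expiry))
    for m in PAN_RE.finditer(buf):
        pan = m.group(1)
        if m.start(1) not in seen and luhn_ok(pan):
            hits.append((m.start(1), "pan", mask(pan), None))
    return hits


if __name__ == "__main__":
    for off, kind, pan, exp in scan_memory(MEMORY):
        print(f"offset {off:5d} {kind:7s} {pan} {exp or ''}")
```

Both the Track 2 record and the bare PAN are reported, masked to the first six and last four digits; the thirteen-digit customer reference is ignored because it fails the Luhn check. The same scan, run periodically over the POS process, shows whether card data still lingers after authorization and serves as a cheap regression test for the encryption path.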

The Firmware Digital Signature feature of X-PHY AI Embedded Cyber Secure SSD uses digital signatures at the firmware level to verify the authenticity and integrity of stored data. Malware residing on the retailer endpoint would fail this check and be identified before it causes harm. Early identification triggers the lockdown protocol, which protects the data from the attackers.

Also, businesses in high-risk industries can benefit from specialized solutions like financial sector cybersecurity and healthcare cybersecurity, which protect critical payment and patient information from similar endpoint malware threats.

For high-value, regulated environments, secure government operations and energy sector cybersecurity provide robust endpoint and data protection against sophisticated malware such as Rdasrv.

Organizations adopting zero-trust security frameworks and ransomware protection strategies can further reduce attack surface and contain threats before exfiltration or system compromise occurs.

]]>