Hackers Compromised Russian Bank And Used SWIFT for Withdrawal
Gibon Ransomware Analysis
On 15 December 2017, a Russian bank lost somewhere between $100,000 and $1 million US dollars after hackers sent SWIFT wire transfers abroad to Europe, Asia, and America. The bank was compromised (medium confidence) by a hacker group who sent malicious attachments to a number of different banks a few weeks prior. SWIFT was not compromised, but was used as a tool to siphon money from the compromised bank. The bank is going through ownership reorganization. Prior to this incident, it was receiving financial regulator warnings regarding its cyber security posture.
Wapack Labs has cataloged and reported on attacks targeting banks and SWIFT in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
TLP AMBER ANNOUNCEMENT:
Wapack Labs analysts recently observed a handful of Gibon malware samples in the wild and are providing this report in the event the malware becomes more widespread. Gibon is a new ransomware family named due to its USER-AGENT and name in the specimen’s ASCII strings. The malware was originally marketed on May 11 and 12 to several hacker forums for $500. Advertised functionality includes recursive encryption of all files that are on the computer, a README.txt file with instructions to the victim, and encryption/decryption keys which are sent to the admin panel and used for decryption. It is delivered via spam emails with a link to download a Microsoft Word document.
Wapack Labs has cataloged and reported on ransomware variants in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
This TLP AMBER report is available only to Red Sky Alliance members.