Everbe ransom payment tracked to a website promoting sensual massages

EverBe/Paymen45 ransomware attacked an Israeli company: researchers followed the money

Research suggests that a known hacker group is laundering money through a masseuse rating portal

Recently, a cyber attack on an Israeli computer farm and its networks crippled the company. Threat actors infected devices with Cobalt Strike[1] and numerous other malware, among them ransomware payload files. When such malware is executed on an infected computer or network, all non-system files, such as archives, databases, documents, etc., get encrypted and remain inaccessible until the matching decryptor is used.

Israeli cybersecurity companies Profero and Security Joes were hired to investigate the incident. Their report[2] states that the ransomware samples at first seemed unlike anything seen in the wild. However, on thorough investigation, the malware showed significant similarities to the one used by the EverBe[3] cybercriminal gang.

Investigation of one of the infected machines revealed details about the threat that allowed the experts to dig further:

During our investigation of the infected machines, we came across what seemed to be a treasure trove of information. It consisted of the ransomware binary itself, along with several other files—some encrypted, some not—that we believe the threat actors used to gather intelligence and propagate through the network.

Ever101 ransomware was hiding in a Music folder

The cybersecurity companies revealed that the attack's arsenal was hidden in a Music folder which was uploaded to each infected device and contained multiple tools. Some of the tools were encrypted and therefore could not be identified. The known malware in the folder consisted of:[4]

  • xDedicLogCleaner – cleans all Windows event logs.
  • PH64.exe – gathers information about system processes, applications, etc.
  • Cobalt Strike – offensive security tool enabling assailants to take over the device remotely, survey the network, and upload or download any files, including ransomware.
  • SystemBC – proxy malware used to hide communications between the infected device and the assailants' remote command and control server.

When enough systems were infected and the threat actors were ready to encrypt them, they deployed ransomware that locked all non-system files and renamed them by appending the .ever101 extension to the original filenames.[5] That is where the file-locking parasite got its name. After successful encryption, a ransom note titled !=READMY=!.txt is generated and dropped in the affected folders.
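The two indicators just described, the appended .ever101 extension and the !=READMY=!.txt ransom note, are enough for a first-pass hunt across a file share or a recovered disk image. The following script is an added example written for this article; it is not code from Profero, Security Joes or the report. It walks a directory tree, separates encrypted files from ransom notes, counts hits per directory so responders can triage the most affected folders first, and recovers the pre-encryption filename from an encrypted path. The sample tree it builds is constructed test data, and the indicator values are taken only from the text above.

```python
"""Hunt for Ever101 ransomware artifacts on a file tree (added example, not from the report)."""
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List

# Indicators stated in the article: encrypted files get the .ever101 extension
# and a ransom note named !=READMY=!.txt is dropped into affected folders.
ENCRYPTED_EXT = ".ever101"
RANSOM_NOTE_NAME = "!=READMY=!.txt"


@dataclass
class HuntResult:
    encrypted_files: List[str] = field(default_factory=list)
    ransom_notes: List[str] = field(default_factory=list)
    # directory -> number of encrypted files in it, used to prioritise triage
    per_directory: Dict[str, int] = field(default_factory=dict)

    @property
    def hit(self) -> bool:
        """True when at least one indicator was found."""
        return bool(self.encrypted_files or self.ransom_notes)


def hunt_ever101(root: str) -> HuntResult:
    """Walk `root` and collect every file matching the Ever101 indicators."""
    result = HuntResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE_NAME:
                result.ransom_notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
                result.per_directory[dirpath] = result.per_directory.get(dirpath, 0) + 1
    return result


def original_name(encrypted_path: str) -> str:
    """Recover the pre-encryption filename; the extension was simply appended."""
    base = os.path.basename(encrypted_path)
    if base.lower().endswith(ENCRYPTED_EXT):
        return base[: -len(ENCRYPTED_EXT)]
    return base


def build_sample_tree(root: str) -> None:
    """Create a constructed sample tree imitating an affected share (test data only)."""
    docs = os.path.join(root, "Documents")
    clean = os.path.join(root, "Clean")
    os.makedirs(docs, exist_ok=True)
    os.makedirs(clean, exist_ok=True)
    for name in ("report.docx.ever101", "backup.zip.ever101", RANSOM_NOTE_NAME):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"constructed sample content")
    with open(os.path.join(clean, "notes.txt"), "wb") as fh:
        fh.write(b"untouched file")


def demo() -> HuntResult:
    """Build the constructed tree in a temp dir, hunt it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return hunt_ever101(tmp)


if __name__ == "__main__":
    r = demo()
    print(f"encrypted files: {len(r.encrypted_files)}, ransom notes: {len(r.ransom_notes)}")
    for directory, count in sorted(r.per_directory.items()):
        print(f"  {directory}: {count} encrypted file(s)")
    for path in r.encrypted_files:
        print(f"  {os.path.basename(path)} -> {original_name(path)}")
```

On a real engagement, point `hunt_ever101` at the mounted share or image root instead of the constructed tree; the per-directory counts tell you where encryption ran to completion, and a directory holding a ransom note but no .ever101 files is worth a closer look because it suggests the encryptor was interrupted there.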

The cryptovirus encrypted the data using the Salsa20 stream cipher together with RSA-2048 asymmetric encryption. Without the necessary decryption key, the locked files would remain useless indefinitely. Due to the complexity of the cyber attack, the aforementioned cybersecurity experts presume that the ransomware was developed through a Ransomware-as-a-Service[6] builder.

Demanded ransom payment traced back to a masseuse service in the US

Cybercriminals usually ask for ransom payments to be made in Bitcoin, and the same applies to the EverBe group. During the investigation of the cyberattack, security experts used CipherTrace to trace the money flowing through numerous cryptocurrency wallets.

They were astounded to discover that a small portion of the ransom payment (0.01378880 BTC, approximately $590) had landed in a Tip Jar on the RubRatings portal, meant, needless to say, to tip a masseuse for services provided.

The portal allows massage providers in the US to advertise themselves, and each member profile has a Tip Jar button through which satisfied customers can leave a tip in Bitcoin. The discovery baffled researchers, as there are two plausible explanations for how the ransom money ended up on the website.

Either a gang operative in the US used his cut to give thanks for an excellent service, or the RubRatings portal is being used to launder money: threat actors could create fake profiles and tip themselves, hiding the trail behind masseuse services.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
