Sorebrect – a fileless ransomware that aims at enterprises

Sorebrect is a recently discovered fileless malware[1] that aims at various businesses. During data encryption, it appends .pr0tect file extension and drops a ransom note called “READ ME ABOUT DECRYPTION.txt” where cyber criminals ask to contact them.
Malware has been spotted attacking technology, manufacturing, and telecommunication enterprises in Kuwait, Lebanon, Croatia, Italy, Russia, China, Japan, U.S, Canada, Taiwan, and Mexico.[2] However, it is expected to continue spreading in other countries.
The virus launches attacks at servers and endpoint. Once it affects one device, it continues spreading through all the devices that are connected to the same network.
Cyber criminals might use PsExec utility and Remote Desktop Protocol (RDP) to operate on the affected device. However, the first method is simpler and more effective because it helps to execute commands from the remote server.
Sorebrect virus communicates with its Command and Control (C&C) server using Tor network that assures anonymity.
One of the main significant features of the ransomware is the encryption strategy. Sorebrect uses a brute forcing attacks to compromise administrator’s credentials. Then it exploits a Microsoft’s Sysinternals PsExec command-line and starts data encryption procedure.
Once it injects malicious code to svchost.exe – a legitimate Windows process – it deletes the binary. This feature makes ransomware fileless and hard to detect.
Usually, ransomware viruses are designed to install malware executable directly to the hard drive. However, such cyber threats are quite easy to identify. Meanwhile, to find and delete fileless ransomware, users have to employ a professional security software. We recommend performing Sorebrect removal with the help of FortectIntego.

Third-party software does not help to restore encrypted files
During data encryption, the ransomware appends .pr0tect file extension to each of the targeted documents, audio, video, image and other files, and continues its malicious activity in all devices connected to the same network.
After the attack, all encrypted files become useless. If enterprises do not have backups, they are in serious problem.
Sorebrect ransomware is designed to delete system event logs by exploiting wevtutil.exe and Shadow Volume Copies by using vssadmin. Thus, data recovery with third-party software is nearly impossible.
Following data encryption, ransomware also delivers a ransom note. In the short message, criminals tell victims to contact them via provided email addresses (pr0tector@india.com and pr0tector@tutanota.com ) and send their unique ID number.
It’s unknown how much Bitcoins ransomware asks to pay for data recovery. It may differ based on the size and amount of encrypted files. However, paying the ransom is not recommended.
If you have backups, you have to remove Sorebrect from the PC immediately, and then connect the external storage device.
Prevention measures
Malware aims at systems and networks and might cause serious damage to various enterprises. Thus, it’s important to follow these few tips to avoid Sorebrect attack:
Backup files. Keeping copies of the data and frequently updating it helps to recover from the ransomware attack quite easily and without paying the ransom.
Update system and networks. Keeping software, system and software updates helps to prevent malware from using security flaws to launch the attack.
Limit accessibility to PsExec. Sorebrect exploits this feature that is widely used in enterprise networks. Thus, it’s important to limit it.
Restrict user write permissions. Limiting user’s permissions, strengthening and adjusting security of the shared folders on the networks are important measures to avoid this malware.
Removal of the Sorebrect ransomware virus
The only safe way to remove Sorebrect form the device is to scan the computer with reputable malware removal program, such as FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes.
Manual elimination is impossible because it’s a fileless malware. Thus, you cannot find its binary and delete it together with its components. What is more, manual removal is never recommended due to the difficulty of such cyber threats.
Sometimes ransomware prevents users from accessing security software. If you cannot install your preferred removal program, you have to reboot the computer to Safe Mode with Networking.
If you are dealing with some problems with Sorebrect removal, please follow the instructions below.
Was this guide helpful?
Be the first to comment