
Comments
The script was shared earlier.
The script overwrites the partition table and part of the file system. The code to display the contact info is then written into the first sector of the disk. So saying it is "bootable" might be stretching the definition of "bootable" a bit.
I find it quite interesting that they install nasm to then assemble the new boot sector instead of just writing the new binary there (and patching the UUID).
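For anyone checking a rescued VPS disk image for the kind of first-sector damage described above, here is an added example (not code from the thread or from any tool it mentions): it parses the MBR's four partition entries, confirms the 0x55AA signature, and flags a sector that carries boot code but no usable partition table. Both sample sectors are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
ENTRY_FMT = "<B3xB3xII"  # status, CHS(skip), type, CHS(skip), LBA start, sector count


@dataclass
class PartEntry:
    status: int
    ptype: int
    lba_start: int
    sectors: int

    @property
    def empty(self) -> bool:
        return self.ptype == 0 and self.sectors == 0

    @property
    def valid(self) -> bool:
        # Status must be 0x00 (inactive) or 0x80 (active); a non-empty entry needs a size.
        return self.status in (0x00, 0x80) and (self.empty or self.sectors > 0)


def parse_mbr(sector: bytes) -> List[PartEntry]:
    """Decode the four 16-byte partition entries at offset 446."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    return [PartEntry(*struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)) for i in range(4)]


def assess_mbr(sector: bytes) -> dict:
    """Summarise the first sector; 'suspicious' means boot code with nothing to boot into."""
    entries = parse_mbr(sector)
    usable = [e for e in entries if not e.empty and e.valid]
    code_present = any(sector[:446])  # any non-zero byte in the boot-code region
    return {
        "signature": sector[510:512] == BOOT_SIG,
        "partitions": len(usable),
        "invalid_entries": sum(1 for e in entries if not e.valid),
        "suspicious": code_present and not usable,
    }


def build_sector(boot_code: bytes, entries: List[PartEntry]) -> bytes:
    """Construct a 512-byte MBR from a code stub and up to four entries (test data only)."""
    table = b"".join(struct.pack(ENTRY_FMT, e.status, e.ptype, e.lba_start, e.sectors) for e in entries)
    return boot_code[:446].ljust(446, b"\x00") + table.ljust(64, b"\x00") + BOOT_SIG


# Constructed samples: a normal Linux disk, and one whose table was zeroed under a code stub.
HEALTHY = build_sector(b"\xfa\x33\xc0" + b"\x90" * 20, [PartEntry(0x80, 0x83, 2048, 1_000_000)])
OVERWRITTEN = build_sector(b"\xfa" + b"\xcc" * 200, [])
```

On a real image, pass `open(path, "rb").read(512)` to `assess_mbr` and compare the result against a known-good baseline of the same disk.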
It's been nearly 48 hours, and I still can't connect to the VPS or reinstall the system.
I think @HostSlick was affected too ... Check out http://lg.hostslick.com, my VPS is down on hostslick.
It screams ai written, so I'm not too surprised
my shits all fucked but idc anymore, im just gonna smoke some and go to bed, have a joyful weekend.
So with the raw disk data, file carving would be a possibility.
Hello fellow körvälskare
(emphasis mine)
^THAT!
Nope, that's like x (e.g. a dozen) virtual disks on one physical disk.
well, this was a good game
we will be better next time and btw spammers, spamming on our keys.php will do nothing
in total we made 1k, but still not bad
we will learn our mistakes, hope you will hear about us soon!
Any questions - @cloudcone_Raidbot
What kind of person will risk prison for 100 dollars?
https://urlscan.io/domain/oldenvale.ru
anyone can change that, you just have to change your Youtube location
Only 1k?
Take it from an ex-blackhat: Hone your skills and use it for something more useful than shit-tier ransomware. If you have a 0day in Virtualizer, even if it only works on relatively obscure configurations, there is so much more you could have done. FFS, I can think off the top of my head four different ways you could have used your access to make roughly $20k with no effort whatsoever in a week. No, I won't tell you what they are. Also, improve your OPSEC.
You are a script kiddie right now and your actions (the shit-tier extortion, not the actual compromises) are going to keep you a script kiddie. Maybe spend some time learning real vulndev and you won't have to settle for extorting a couple of desperate MJJs who want the data on their $7 VPS back.
"New hits" sounds to me like they're scanning for Virtualizor endpoints accessible on the public net?
Not too familiar with Virtualizor, but if these don't strictly have to be publicly accessible, any future providers who get hit by this due to being too retarded to lock their shit down behind a VPN should be held liable for all damages.
This can happen if the Virtualizor Master server has been compromised. Once inside, Virtualizor has a built-in Terminal feature that gives root access to all connected nodes. So yes, their main server was most likely compromised.
As for how they got in... doesn't look like a 0-day to me. If attackers had a real exploit, every provider running Virtualizor would be having a very bad day right now, not just a few. 🤷
More likely a data leak from virtualizor... wouldn't be the first time.
If you can spot AI writing that fast, you're probably using it quite a bit yourself
But seriously, we're all tech people here. Using tools to get things done faster is literally what we do.
I doubt the poor guy even knows what nasm is, much less how to write even the most basic assembly.
Looking at the code, the comments were enough. It talks about preventing data loss in the install chain... Data loss, a serious concern for a ransomware tool 🤣
I didn't understand the comments and didn't bother to translate them, but Russian comments and then very descriptive names in English including a size_IN_MB was a bit of a giveaway that the code has been stolen from an example of some kind. That and lots of small functions in a small bash script looks copied, but then where would you find an example function to compile a boot sector and write it to a disk? So AI is likely.

Data corruption is a concern if you are serious about decrypting the data after payment, but this just erases data at the end of the disk. Many people won't have any data there but some will.
I suspect the script kiddie was intending to make the contents decryptable, but couldn't even succeed at doing that reliably, and so gave up and decided just to scam people.
Where is the script, can someone re-share?
https://pastebin.com/SrpYNVUx
No, as a rarecloud customer, I'm just used to getting 8 AI generated emails in a month
Same what I thought. They are either really really dumb or their decryption tool just didn't work so they couldn't restore data to those who paid.
This was all executed very poorly, but I guess it was expected - LowEnd target, even Lower End skibidi minecraft skid.
I don't think this script was even mildly edited manually, this is pure AI. Even being so lazy to leave comments and verbose logging with colors. Installing nasm to compile payload in the victim environment is also unheard of.
Maybe next time they will open a support ticket asking for help with installing tools on the hypervisor.
Happened on my Hostslick VM. No comms from Hostslick so far.
sad
Hostslick VM too
No interaction with the VM in the panel for you as well?