
Surtr ransomware is being distributed in Korea

Through recent internal monitoring, the ASEC analysis team confirmed that Surtr ransomware is being distributed. After encrypting a file, it appends the extension “[DycripterSupp@mailfence.com].[<random string>].Surtr” to the original extension.

Surtr was distributed through a phishing email with an attached file named [ProductName]_File.zip. When the malicious file is extracted, the Surtr ransomware executable file is created as tmp/surterr.exe and executed as a scheduled task named “{<random string>.bat}” in system32/Tasks/.
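A filename triage example for the artifacts named above, added here and not code from ASEC or the original report: it matches the appended extension and the tmp/surterr.exe drop path in a file listing and groups encrypted files by their random string. The sample paths are constructed, and it assumes the random string contains no brackets and that `tmp` appears as a directory in the path.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Suffix from the article: "[DycripterSupp@mailfence.com].[<random string>].Surtr"
# Assumption: the random string contains no brackets or path separators.
SURTR_SUFFIX = re.compile(
    r"^(?P<original>.+)\.\[DycripterSupp@mailfence\.com\]"
    r"\.\[(?P<rand>[^\[\]\\/]+)\]\.Surtr$",
    re.IGNORECASE,
)
DROPPER_NAME = "surterr.exe"  # executable name given in the article
DROPPER_DIR = "tmp"           # assumption: a directory called tmp in the path

def classify(path):
    """Return ('encrypted', original_name, rand), ('dropper', name, None) or None."""
    p = PureWindowsPath(path)
    m = SURTR_SUFFIX.match(p.name)
    if m:
        return ("encrypted", m.group("original"), m.group("rand"))
    parents = [part.lower() for part in p.parts[:-1]]
    if p.name.lower() == DROPPER_NAME and DROPPER_DIR in parents:
        return ("dropper", p.name, None)
    return None

def triage(paths):
    """Group hits: dropper paths, and pre-encryption paths keyed by random string."""
    report = {"dropper": [], "encrypted": defaultdict(list)}
    for path in paths:
        hit = classify(path)
        if hit is None:
            continue
        kind, name, rand = hit
        if kind == "dropper":
            report["dropper"].append(path)
        else:
            original = PureWindowsPath(path).with_name(name)
            report["encrypted"][rand].append(str(original))
    return report

# Constructed sample listing, e.g. from a recursive directory dump of a host.
SAMPLE_PATHS = [
    r"C:\Users\kim\Documents\report.docx.[DycripterSupp@mailfence.com].[A1B2C3].Surtr",
    r"C:\Users\kim\Pictures\scan.png.[dycriptersupp@mailfence.com].[A1B2C3].surtr",
    r"C:\Users\kim\Documents\notes.Surtr",   # lookalike name, not the full suffix
    r"C:\tmp\surterr.exe",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```
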

The analysis team stated that although not all computers are affected by the vulnerability that Surtr ransomware exploits, users should always be cautious of suspicious files and emails. They added that Surtr is a variant of the BitPaymer ransomware and that its delivery method appears similar to those used in recent attacks.

The ASEC analysis team also urged the public to follow certain precautions so as to remain safe from such threats.

“Users should always be cautious of suspicious files and emails. They should avoid visiting malicious websites, and instead use a legitimate anti-malware software application. When using email, users should check the validity of mail senders by opening up an email from a suspected source in a separate browser tab before opening it on their computer’s main browser tab which may be infected with malware. If a file extension ends with .exe or .com, users should not double-click on it. Instead, they should right-click and select open with a different application to check for malicious software before opening the file.”

Source: Surtr ransomware is being distributed in Korea - AlienVault - Open Threat Exchange
