SOREBRECT is a fileless ransomware variant that targets Windows OS and is distributed by brute-forcing administrator credentials against open RDP ports. Once access to the targeted server is obtained, the attacker behind the campaign uses PsExec, a Microsoft Windows command-line utility, to remotely install SOREBRECT. Once installed, SOREBRECT injects malicious code into the Windows svchost.exe process while its primary binary self-terminates. The system process then executes the payload and encrypts targeted files, appending .pr0tect to their names. It also eliminates evidence by using wevtutil.exe to delete event logs from the infected system, and it uses vssadmin.exe to delete Shadow Volume Copies so the victim cannot restore files from them. SOREBRECT scans the network for open shares with read-write access and encrypts any files contained within them. Once encryption is complete, SOREBRECT drops a ransom note named READ ME ABOUT DECRYPTION.txt. The ransom payment demand is currently unknown.
- Trend Micro provides more information about SOREBRECT here.
- The NJCCIC is not currently aware of any free decryption tool available for SOREBRECT.
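The behaviours in the profile above (PsExec service installation, wevtutil.exe log clearing, vssadmin.exe shadow-copy deletion, files written by svchost.exe with the .pr0tect extension, and the ransom note) can be turned into host-level detection logic. The script below is an added example written for this page, not code from the NJCCIC or Trend Micro; the pipe-delimited telemetry, host names and share paths are constructed, and the indicator labels and confidence scoring are the author's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): host|event_kind|image|command_line_or_path.
SAMPLE_EVENTS = r"""
srv01|process|C:\Windows\PSEXESVC.exe|PSEXESVC.exe
srv01|process|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Security
srv01|process|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
srv01|file|C:\Windows\System32\svchost.exe|\\fs02\share\q3.xlsx.pr0tect
srv01|file|C:\Windows\System32\svchost.exe|\\fs02\share\READ ME ABOUT DECRYPTION.txt
ws07|process|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
ws07|file|C:\Program Files\Excel.exe|C:\Users\a\report.xlsx
"""

# One (label, event kind, pattern) per behaviour named in the profile; patterns run
# over "<image> <command line or path>" so image names and arguments both count.
INDICATORS = [
    ("psexec_service", "process", re.compile(r"psexesvc\.exe", re.I)),
    ("eventlog_cleared", "process", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("shadow_copies_deleted", "process", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("pr0tect_extension", "file", re.compile(r"\.pr0tect$", re.I)),
    ("ransom_note", "file", re.compile(r"\\READ ME ABOUT DECRYPTION\.txt$", re.I)),
    ("svchost_writes_file", "file", re.compile(r"\\svchost\.exe ", re.I)),  # weak on its own
]

def parse_events(text):
    """Turn the pipe-delimited sample into dicts; real use would read EDR or Sysmon output."""
    events = []
    for line in text.strip().splitlines():
        host, kind, image, detail = line.split("|", 3)
        events.append({"host": host, "kind": kind, "image": image, "detail": detail})
    return events

def detect_sorebrect_behaviour(events):
    """Return {host: sorted indicator labels} for every host that matched at least one."""
    hits = defaultdict(set)
    for ev in events:
        haystack = f"{ev['image']} {ev['detail']}"
        for label, kind, pattern in INDICATORS:
            if ev["kind"] == kind and pattern.search(haystack):
                hits[ev["host"]].add(label)
    return {host: sorted(labels) for host, labels in hits.items()}

def confidence(labels):
    """Log clearing plus shadow-copy deletion, together with an encryption artefact, is high."""
    found = set(labels)
    prep = {"eventlog_cleared", "shadow_copies_deleted"} <= found
    artefact = bool({"pr0tect_extension", "ransom_note"} & found)
    return "high" if prep and artefact else "medium" if prep or artefact else "low"
```

Because SOREBRECT clears event logs on the victim, forward process-creation and file-creation telemetry off-host before running rules like these; a host whose logs stop shortly after a wevtutil.exe cl event is itself worth investigating.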