New 'NBLOCK' Ransomware Emerges, Using AES-256 Encryption and Tor for Anonymous Extortion

Researchers Analyze New 'NBLOCK' Ransomware Strain Focusing on Encryption and Anonymity

HIGH
April 17, 2026
Ransomware, Malware


Full Report

Executive Summary

Researchers from the CYFIRMA Research and Advisory Team have discovered a new ransomware strain dubbed NBLOCK Ransomware. This malware functions as a traditional file-encrypting threat, designed to render victim data inaccessible and extort payment for its recovery. NBLOCK uses AES-256 encryption to lock files, appending the .NBLock extension to them. Communication with the attackers is facilitated exclusively through a Tor-based portal to maintain anonymity. While the analysis is ongoing, NBLOCK's current presentation suggests a primary focus on encryption for impact, rather than the double-extortion tactic of data exfiltration, though this cannot be ruled out. No public decryption tool is currently available.


Threat Overview

NBLOCK is a newly identified file-encrypting malware that targets both local files and accessible network shares. Its attack chain follows a typical ransomware pattern:

  1. Initial Access: The malware is likely distributed through common vectors such as phishing emails with malicious attachments, downloads from compromised websites, or bundled with cracked software installers.
  2. Execution & Encryption: Once executed on a victim's machine, NBLOCK enumerates files on local drives and connected network storage. It then encrypts these files using the AES-256 encryption algorithm.
  3. Extortion: After encryption, the malware drops a ransom note (README_NBLOCK.txt) in affected directories and may change the desktop wallpaper. The note instructs the victim on how to contact the attackers via a specific .onion address using the Tor Browser and warns against modifying a key.bin file, which presumably contains cryptographic information necessary for decryption.

Technical Analysis

Based on the analysis by CYFIRMA, NBLOCK exhibits the following characteristics:

  • Encryption: The ransomware explicitly states its use of AES-256, a strong symmetric encryption algorithm.
  • File Extension: Appends the .NBLock extension to all encrypted files (e.g., document.docx becomes document.docx.NBLock).
  • Ransom Note: Drops a text file named README_NBLOCK.txt containing payment instructions.
  • Key File: Creates a file, potentially named key.bin, which is critical for the decryption process. The ransom note warns victims not to delete or alter this file.
  • Command and Control (C2): Communication is handled via a Tor-based negotiation portal. This is a standard TTP for modern ransomware to anonymize the interaction between the attackers and the victim, falling under T1071.001 - Web Protocols.

The primary MITRE ATT&CK technique employed is T1486 - Data Encrypted for Impact.

Impact Assessment

The primary impact of an NBLOCK ransomware attack is the immediate and widespread loss of access to critical data. This can lead to severe business disruption, operational downtime, and financial losses associated with recovery efforts. For organizations without robust and tested backups, the impact can be catastrophic, potentially forcing them to consider paying the ransom. The psychological pressure on victims is increased by warnings in the ransom note, designed to create a sense of urgency and fear.


IOCs

Type        Value               Description
File Name   README_NBLOCK.txt   The ransom note file dropped by the malware.
File Name   *.NBLock            The file extension appended to encrypted files.
File Name   key.bin             A critical file mentioned in the ransom note, likely containing the encryption key.

Detection & Response

Early detection is key to limiting the blast radius of a ransomware attack.

Detection:

  • File Integrity Monitoring (FIM): Use FIM solutions to monitor for the rapid creation of files with the .NBLock extension or the appearance of README_NBLOCK.txt notes. This is a high-confidence indicator of an active infection. This aligns with D3-SFA: System File Analysis.
  • Behavioral Analysis: EDR solutions can detect ransomware-like behavior, such as a process rapidly reading, modifying, and renaming a large number of files. This technique, known as D3-PA: Process Analysis, is effective against new and unknown strains.
  • Canary Files: Place 'honeypot' files on file shares. These files should not be accessed during normal operations. Configure alerts to trigger if these canary files are modified or encrypted, providing an early warning.

Response:

  1. Isolate: Immediately isolate the infected machine(s) from the network to prevent the ransomware from spreading to other systems and network shares.
  2. Identify: Determine the strain of ransomware and search for publicly available decryptors (none are available for NBLOCK at this time).
  3. Restore: If a decryptor is not available, wipe the affected systems and restore data from clean, offline backups.

Mitigation

Preventing ransomware requires a defense-in-depth approach.

  1. Backup and Recovery: Maintain regular, offline, and immutable backups of critical data. Regularly test the restoration process to ensure backups are viable.
  2. Email Security: Implement an advanced email security gateway to block phishing emails, malicious attachments, and malicious links, which are primary delivery vectors.
  3. User Training: Conduct ongoing security awareness training to educate users on how to identify and report phishing attempts. This maps to M1017 - User Training.
  4. Patch Management: Keep operating systems, software, and security tools patched and up-to-date to close vulnerabilities that could be used for initial access.
  5. Network Segmentation: Segment the network to limit an attacker's ability to move laterally. Critical systems should be isolated from the general user network.

Timeline of Events

April 17, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Use endpoint protection with behavioral analysis capabilities to detect and block ransomware activity based on its actions, such as rapid file encryption.
  • Deploy EDR solutions that monitor for ransomware-specific behaviors like mass file modification and deletion of shadow copies.
  • Train users to recognize and report phishing attempts, which are a primary initial access vector for ransomware like NBLOCK.

D3FEND Defensive Countermeasures

To detect NBLOCK ransomware, security teams should employ System File Analysis, focusing on high-confidence indicators of compromise. This involves configuring File Integrity Monitoring (FIM) or EDR tools to generate immediate alerts upon the creation of files with specific names or extensions. For NBLOCK, rules should be created to watch for the appearance of the ransom note README_NBLOCK.txt and the cryptographic file key.bin. More importantly, detection logic should be built to trigger on a high rate of file rename operations to the *.NBLock extension. A rule that alerts when, for example, more than 50 files are renamed to *.NBLock in under a minute on a single host or file share is a highly reliable indicator of an active infection. This allows for rapid response, such as automated host isolation, to contain the damage before the encryption process completes across the entire network.
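As an added example that is not part of the CYFIRMA report or this article, the following Python implements the two detection ideas above over constructed file-event records: the static match on the README_NBLOCK.txt and key.bin file names, and the rate rule (more than 50 renames to *.NBLock within a minute on a single host) using a per-host sliding window. The log line format, host names and paths are assumptions made for the example, not a real product's schema.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Rule parameters taken from the report: >50 renames to *.NBLock within 60 s on one host.
RENAME_THRESHOLD = 50
WINDOW = timedelta(seconds=60)
IOC_FILES = {"README_NBLOCK.txt", "key.bin"}   # static file-name IOCs from the report
ENCRYPTED_EXT = ".NBLock"
# Assumed (hypothetical) FIM/EDR export line:
# <iso-ts> host=<h> op=rename src=<path> dst=<path>   or   <iso-ts> host=<h> op=create path=<path>
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) op=(?P<op>\w+) (?P<rest>.*)$")

def parse_event(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(p.split("=", 1) for p in m.group("rest").split() if "=" in p)
    return {"ts": datetime.fromisoformat(m.group("ts")), "host": m.group("host"),
            "op": m.group("op"), **kv}

def detect(lines):
    """Return (host, alert_kind, detail) tuples; the rate alert fires at most once per host."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        host, target = ev["host"], ev.get("dst") or ev.get("path", "")
        name = target.replace("\\", "/").rsplit("/", 1)[-1]
        if ev["op"] == "create" and name in IOC_FILES:
            alerts.append((host, "ioc_file", name))          # ransom note or key.bin dropped
        if ev["op"] == "rename" and name.endswith(ENCRYPTED_EXT):
            q = recent[host]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > WINDOW:                   # drop renames older than the window
                q.popleft()
            if len(q) > RENAME_THRESHOLD and host not in fired:
                fired.add(host)
                alerts.append((host, "mass_rename", len(q)))  # candidate for automated isolation
    return alerts

def constructed_sample():
    """Constructed log lines: ws01 encrypts 60 files in 30 s then drops the note; ws02 is benign."""
    base = datetime(2026, 4, 17, 10, 0, 0)
    lines = [f"{(base + timedelta(milliseconds=500 * i)).isoformat()} host=ws01 op=rename "
             f"src=C:/share/doc{i}.docx dst=C:/share/doc{i}.docx.NBLock" for i in range(60)]
    lines.append(f"{(base + timedelta(seconds=31)).isoformat()} host=ws01 op=create path=C:/share/README_NBLOCK.txt")
    lines += [f"{(base + timedelta(minutes=2 * i)).isoformat()} host=ws02 op=rename "
              f"src=C:/users/bob/f{i}.txt dst=C:/users/bob/f{i}.bak" for i in range(5)]
    return lines
```

Running detect(constructed_sample()) raises the mass_rename alert on the 51st .NBLock rename (25 seconds in) and then the ioc_file alert for the note; a slow encryptor that stays under the rate threshold would only be caught by the static name matches, which is why the report pairs the two.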

While D3FEND's File Encryption technique typically refers to a defensive measure, in the context of responding to a ransomware threat like NBLOCK, the most critical countermeasure is a robust backup strategy that is immune to the attacker's encryption. The core principle is to ensure you have a clean, encrypted copy of your data that the ransomware cannot touch. This means implementing the 3-2-1 backup rule: three copies of your data, on two different media, with one copy off-site and offline or immutable. Backups must be stored so that they are not reachable from the live network (air-gapped), or on storage that prevents modification or deletion for a set period (immutability). Regularly testing the restoration process from these encrypted backups is non-negotiable. This ensures that if NBLOCK encrypts the live environment, the organization can confidently refuse to pay the ransom, wipe the affected systems, and restore operations from a known-good state.

Sources & References

Weekly Intelligence Report – 17 April 2026, CYFIRMA (cyfirma.com), April 17, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.