Koxic Ransomware

Industry: N/A | Level: Tactical | Source: Cyble

Research from Cyble Research Labs provides a deep-dive analysis of Koxic ransomware. During malware execution, the sample collects system information and modifies registry keys to assist with lateral movement and tamper with system defenses such as Windows Defender and anti-virus. Any security apps running are terminated and shadow copies are deleted. Prior to ransomware encryption, sensitive information is collected and output to a file in TEMP. Once the desired data is collected, it is exfiltrated to the attacker with the ransomware note distributed to victim hosts on the environment. Encrypted files are appended with the extension “KOXIC_KLIBD.”

• Anvilogic Scenario: Koxic Ransomware
• Anvilogic Use Cases:
• Executable Process from Suspicious Folder
• Modify Registry Key
• Inhibit System Recovery commands
• Output to File