Overview
The Romanian National Cyber Security Directorate (DNSC) has issued a critical advisory urging all entities, particularly those in the energy sector, to scan their IT and critical infrastructure for malicious binaries associated with the LYNX ransomware cybercrime group. The advisory follows a ransomware attack targeting the Electrica Group, Romania's main energy supplier.
DNSC said that even organizations unaffected by the attack should act proactively to detect and mitigate potential risks. The Directorate advised using the provided YARA scanning scripts to identify the malicious binary and prevent further infiltration.
The Electrica Group Ransomware Incident
On December 9, 2024, the Electrica Group reported a ransomware attack to DNSC and stated that the 'cyberattack was in progress.' The incident prompted immediate intervention from DNSC specialists and other national authorities. While critical power supply systems remain operational, investigations into the attack are ongoing.
Electrica Group, in its notification to the London Stock Exchange, reaffirmed its commitment to managing the incident swiftly and transparently. CEO Alexandru Aurelian Chirita told stakeholders that the company's primary focus is maintaining the continuity of electricity distribution and protecting sensitive data.
The Group urged consumers to remain vigilant against potential scams and to avoid sharing personal information through unsecured channels.
Validated Indicators of Compromise (IOCs)
DNSC has released critical technical details to help entities identify LYNX ransomware activity. Key IOCs include:
- File hash (SHA-256): c02b014d88da4319e9c9f9d1da23a743a61ea88be1a389fd6477044a53813c72
- Malicious URL (defanged): hXXp://lynxblog.net/
The accompanying YARA rules were specifically designed to detect LYNX ransomware binaries. Entities should use these rules to perform thorough scans of their IT environments.
YARA Rules:
rule ransomware_LYNX_1 {
    meta:
        description = "Detect LYNX ransomware"
        author = "DNSC"
        date = "2024-12-10"
        hash1 = "c02b014d88da4319e9c9f9d1da23a743a61ea88be1a389fd6477044a53813c72"
    strings:
        $s1 = "[+] Successfully decoded readme!" fullword ascii
        $s2 = "[-] Failed to get service info for %s: %s" fullword wide
        $s3 = "--file C:\\temp.txt,D:\\temp2.txt" fullword ascii
        $s4 = "--file C:\\temp.txt" fullword ascii
        $s5 = "AppPolicyGetProcessTerminationMethod" fullword ascii
        $s6 = "[-] Failed to open service manager for %s: %s" fullword wide
        $s7 = "[-] Failed to open service handle for %s: %s" fullword wide
        $s8 = "[-] Failed to enum dependent services for %s: %s" fullword wide
        $s9 = "[-] Failed to kill dependent services for %s: %s" fullword wide
        $s10 = "[%s] Try to stop processes via RestartManager" fullword wide
        $s11 = "[%s] Kill processes and services" fullword wide
        $s12 = "Load hidden drives (will corrupt boot loader)" fullword ascii
        $s13 = "README.txt" fullword wide
        $s14 = "[-] Failed to mount %s: %s" fullword wide
        $s15 = "[-] Failed to decode readme: %s" fullword ascii
        $s16 = "Try to stop processes via RestartManager" fullword ascii
        $s17 = "Kill processes/services" ascii fullword
        $s18 = "--stop-processes " ascii fullword
        $s19 = "--stop-processes" fullword wide
        $s20 = "[%s] Encrypt network shares" fullword wide
        $op0 = { e8 22 c8 01 00 01 46 30 6a 00 11 56 34 6a 13 ff }
        $op1 = { 23 d1 89 55 d0 8b 55 e4 81 f2 ff ff ff 03 f7 d2 }
        $op2 = { 23 d1 89 55 d4 8b d7 81 f2 ff ff ff 01 f7 d2 8b }
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and
        ( 8 of them and all of ($op*) )
}
rule ransomware_LYNX_2 {
    meta:
        description = "Detect LYNX ransomware"
        score = 80
        md5 = "2E8607221B4AB0EB80DE460136700226"
    strings:
        $s1 = "tarting full encryption in" wide
        $s2 = "oad hidden drives" wide
        $s3 = "ending note to printers" ascii
        $s4 = "successfully delete shadow copies from %c:/" wide
        $op1 = { 33 C9 03 C6 83 C0 02 0F 92 C1 F7 D9 0B C8 51 E8 }
        $op2 = { 8B 44 24 [1-4] 6A 00 50 FF 35 ?? ?? ?? ?? 50 FF 15 }
        $op3 = { 57 50 8D 45 ?? C7 45 ?? 00 00 00 00 50 6A 00 6A 00 6A 02 6A 00 6A 02 C7 45 ?? 00 00 00 00 FF D6 FF 75 ?? E8 ?? ?? ?? ?? 83 C4 04 8B F8 8D 45 ?? 50 8D 45 ?? 50 FF 75 ?? 57 6A 02 6A 00 6A 02 FF D6 }
        $op4 = { 6A FF 8D 4? ?? 5? 8D 4? ?? 5? 8D 4? ?? 5? 5? FF 15 ?? ?? ?? ?? 85 C0 }
        $op5 = { 56 6A 00 68 01 00 10 00 FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 74 ?? 6A 00 56 FF 15 ?? ?? ?? ?? 68 88 13 00 00 56 FF 15 ?? ?? ?? ?? 56 FF 15 }
    condition:
        uint16(0) == 0x5A4D and
        (
            3 of ($s*)
            or 3 of ($op*)
            or ( 2 of ($s*) and 2 of ($op*) )
        )
}
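For analysts who want to see exactly how the first rule's condition evaluates (MZ magic, the 500KB size limit, "8 of them" together with all three $op sequences, and the difference between `ascii` and `wide` strings), here is an added pure-Python equivalent of ransomware_LYNX_1. This is example code written for this page, not DNSC's scanner; it assumes the backslashes in the `--file C:\temp.txt` strings, approximates YARA's `fullword` with a regex lookaround, and tests itself against a constructed byte blob rather than a real sample.

```python
import re

# The 20 strings of ransomware_LYNX_1 as (text, wide); wide = UTF-16LE in YARA.
LYNX1_STRINGS = [
    ("[+] Successfully decoded readme!", False),
    ("[-] Failed to get service info for %s: %s", True),
    ("--file C:\\temp.txt,D:\\temp2.txt", False), ("--file C:\\temp.txt", False),
    ("AppPolicyGetProcessTerminationMethod", False),
    ("[-] Failed to open service manager for %s: %s", True),
    ("[-] Failed to open service handle for %s: %s", True),
    ("[-] Failed to enum dependent services for %s: %s", True),
    ("[-] Failed to kill dependent services for %s: %s", True),
    ("[%s] Try to stop processes via RestartManager", True),
    ("[%s] Kill processes and services", True),
    ("Load hidden drives (will corrupt boot loader)", False), ("README.txt", True),
    ("[-] Failed to mount %s: %s", True), ("[-] Failed to decode readme: %s", False),
    ("Try to stop processes via RestartManager", False), ("Kill processes/services", False),
    ("--stop-processes ", False), ("--stop-processes", True),
    ("[%s] Encrypt network shares", True),
]
# The three $op hex strings of rule 1 (no wildcards, so a plain byte search works).
LYNX1_OPCODES = [bytes.fromhex(h) for h in (
    "e8 22 c8 01 00 01 46 30 6a 00 11 56 34 6a 13 ff",
    "23 d1 89 55 d0 8b 55 e4 81 f2 ff ff ff 03 f7 d2",
    "23 d1 89 55 d4 8b d7 81 f2 ff ff ff 01 f7 d2 8b",
)]

def fullword_pattern(text, wide):
    """Regex mimicking YARA `fullword`: no alphanumeric char directly before or after."""
    if wide:
        needle, alnum = text.encode("utf-16-le"), rb"[A-Za-z0-9]\x00"
    else:
        needle, alnum = text.encode("ascii"), rb"[A-Za-z0-9]"
    return re.compile(rb"(?<!" + alnum + rb")" + re.escape(needle) + rb"(?!" + alnum + rb")")

def matches_lynx1(data):
    """Rule 1 condition: MZ magic, filesize < 500KB, all $op present, 8 of all strings."""
    if data[:2] != b"MZ" or len(data) >= 500 * 1024:
        return False
    hits = sum(1 for t, w in LYNX1_STRINGS if fullword_pattern(t, w).search(data))
    ops = sum(1 for op in LYNX1_OPCODES if op in data)
    return ops == len(LYNX1_OPCODES) and hits + ops >= 8

def constructed_sample(with_opcodes=True):
    """CONSTRUCTED blob, not real malware: MZ header, six rule strings, the opcodes."""
    parts = [b"MZ" + b"\x00" * 62]
    parts += [t.encode("utf-16-le" if w else "ascii") + b"\x00\x00" for t, w in LYNX1_STRINGS[:6]]
    if with_opcodes:
        parts += LYNX1_OPCODES
    return b"\x90".join(parts)
```

For production scanning use the YARA rules themselves with the `yara` CLI or `yara-python`; this script only shows why a file with the strings but without the opcode sequences does not fire the rule.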
Recommendations for Incident Containment
DNSC advises all organizations, particularly those in the energy sector, to take the following steps immediately:
Scan and Isolate:
- Use the YARA scanning script to identify the malicious binary.
- Isolate affected systems from the network to prevent further spread.
Preserve Evidence:
- Retain copies of ransom notes and communications from the attackers for investigative purposes.
- Collect relevant logs from affected devices, network equipment, and firewalls.
Analyze and Secure:
- Examine system logs to identify the initial compromise vector.
- Update all software, applications, and operating systems to address known vulnerabilities.
Notify Stakeholders:
- Inform employees, customers, and business partners about the incident.
- Remain vigilant against phishing messages purporting to come from trusted entities.
Leverage Available Resources:
Broader Call to Action
DNSC's proactive measures highlight the escalating threats facing critical infrastructure. The energy sector, often targeted because of its vital role, must remain vigilant. The Directorate stresses that paying the ransom is strongly discouraged, because it fuels criminal activity and does not guarantee data recovery.
DNSC's collaboration with national authorities underscores the importance of a united response to cyber threats. Organizations must implement robust security practices and participate in information-sharing initiatives to strengthen collective defenses.
A Critical Reminder
The LYNX ransomware attack exposes the vulnerabilities within IT and operational technology infrastructures. While Electrica Group's critical systems remain intact, the incident shows the importance of proactive measures, including scanning for IOCs, isolating threats, and updating defenses.
Organizations across all sectors should act decisively to safeguard their operations. DNSC's guidance is a roadmap for preventing ransomware attacks and minimizing their impact on critical infrastructure. By taking these steps, entities can strengthen their cybersecurity posture and contribute to a safer digital ecosystem.
References:
https://dnsc.ro/citeste/alerta-lynx-ransomware-indicators-of-compromise-iocs
https://www.londonstockexchange.com/news-article/ELSA/cyber-attack-in-progress/16802405