Nosu Ransomware: Threatening Critical Sectors

Nosu is ransomware that encrypts files and demands payment for the decryption key. It spreads through email attachments and compromised network shares and can cause significant data loss and downtime for affected organizations.

Key Insights

Nosu's initial access vector is a phishing email carrying a malicious attachment. Once a user opens the attachment, the ransomware executes and begins encrypting files. It also spreads over network shares, abusing weak share permissions to reach deeper into an organization.

Encryption

Once executed, Nosu encrypts files with strong encryption and appends a specific extension to each encrypted file. The data is inaccessible without the decryption key, which the attackers promise to provide once the ransom is paid; payment does not guarantee that a working decryptor is delivered.
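The behaviour described above (many files rewritten to one new extension in a short burst) is also the most reliable host- or share-side signal for catching an encryption run early. The following detector is an added example, not code from the original page: it replays constructed file-server audit lines and alerts when a single user writes or renames a threshold number of files to an extension that was not in the share's baseline inventory within a sliding window. The log format, the baseline extension set and the ".locked" extension are assumptions, since the page does not state which extension Nosu appends.

```python
"""Heuristic detector for mass file encryption on a file share.

Added example, not code from the original page. It replays constructed audit
events (timestamp, user, action, path) and raises an alert when one user
writes or renames many files to a single extension that was not present in
the share's baseline inventory inside a short window. The extension Nosu
appends is not given on the page, so ".locked" below is a placeholder.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath

WINDOW = timedelta(seconds=60)   # sliding window per (user, extension)
THRESHOLD = 20                   # files to one unknown extension before alerting

# Extensions already present on the share before the incident (assumed baseline).
BASELINE_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt"}

# Assumed log format: "<ISO-8601 UTC> <user> <WRITE|RENAME> <resulting path>"
LINE_RE = re.compile(r"^(\S+) (\S+) (WRITE|RENAME) (.+)$")


def parse_event(line):
    """Return (timestamp, user, action, path) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), m.group(4)


def detect_mass_renames(lines, baseline_exts=BASELINE_EXTENSIONS, window=WINDOW, threshold=THRESHOLD):
    """Alert once per (user, extension) when `threshold` files gain a non-baseline
    extension within `window`. Returns a list of alert dicts."""
    recent = defaultdict(deque)   # (user, ext) -> timestamps still inside the window
    alerted = set()
    alerts = []
    events = sorted((e for e in map(parse_event, lines) if e), key=lambda e: e[0])
    for ts, user, _action, path in events:
        ext = PurePosixPath(path).suffix.lower()
        if not ext or ext in baseline_exts:
            continue                      # routine write to a known file type
        key = (user, ext)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": user,
                "extension": ext,
                "count": len(q),
                "first_seen": q[0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


def build_sample_log():
    """Constructed audit lines: routine edits by alice, then a 25-file burst of
    renames to the placeholder '.locked' extension under bob's session, then a
    few stray '.part' files that stay below the threshold."""
    base = datetime(2024, 5, 2, 9, 15, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(10):
        t = base + timedelta(seconds=i * 7)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} alice WRITE /srv/share/finance/report{i}.xlsx")
    for i in range(25):
        t = base + timedelta(seconds=120 + i * 2)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} bob RENAME /srv/share/finance/q{i}.docx.locked")
    for i in range(3):
        t = base + timedelta(seconds=300 + i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} alice WRITE /srv/share/tmp/scratch{i}.part")
    return lines


if __name__ == "__main__":
    for alert in detect_mass_renames(build_sample_log()):
        print(alert)
```

On the constructed log this fires once, for bob and ".locked", at the twentieth rename (about 38 seconds into the burst), which is early enough to disconnect the SMB session and isolate the host before the rest of the share is touched. Legitimate bulk jobs (backup agents writing ".bak", archive tools) will trip the same rule, so seed the baseline with their extensions and treat the alert as a trigger for automated session termination plus a human check rather than as proof on its own.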

Operational Impact

Encryption of critical files can cause significant downtime, disrupting business operations and potentially causing financial loss. Organizations must restore operations from backups where they exist and face the decision of whether to pay the ransom.

Known Variants

No distinct Nosu variants are documented here. APT15, Ke3chang and Vixen Panda are aliases of the threat actor to which Nosu is attributed (see Associated Threat Actors), not variants of the ransomware itself.

Mitigation Strategies

  • Segment networks to limit lateral movement, restrict write access on network shares to the accounts that need it, and protect sensitive data with strict access control policies.

  • Patch and monitor all endpoints regularly so that vulnerabilities are identified and closed before they are exploited.

  • Implement robust email filtering that blocks executable and macro-enabled attachments and inspects attachment content rather than trusting the declared file type.

  • Maintain up-to-date backups stored offline or otherwise unreachable from the production network, and test restores regularly so that recovery does not depend on paying the ransom.
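The email-filtering item above is the one most organizations implement badly: a blocklist on the declared filename alone lets through executables renamed to look like documents and macro-enabled Office files. The following is an added example, not code from the original page or any vendor product, showing the three checks a gateway can apply without a sandbox: an extension blocklist that also catches a document extension masking an executable, a comparison of the declared content type against the file's magic bytes, and detection of a VBA project inside an OOXML document. The blocklist, the sample message and its attachments are constructed assumptions for illustration.

```python
"""Attachment triage for an inbound mail filter.

Added example, not code from the original page or any vendor product. It
parses a constructed message with Python's standard `email` package and
applies three checks a gateway can run without a sandbox:
  1. a blocklist of executable/script extensions, including a document
     extension used to mask one ("invoice.pdf.exe"),
  2. declared content type versus the file's magic bytes,
  3. detection of a VBA project inside an OOXML (zip) Office document.
The blocklist and the sample attachments are assumptions for illustration.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

BLOCKED_EXTS = {".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".hta", ".lnk",
                ".bat", ".cmd", ".ps1", ".iso", ".img"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf", b"PK\x03\x04": "zip"}


def sniff(data):
    """Classify content by leading bytes; 'unknown' if no signature matches."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def has_vba_project(data):
    """True if an OOXML document (a zip container) embeds a VBA macro project."""
    if sniff(data) != "zip":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, content_type, data):
    """Return the list of reasons to block this attachment (empty = allow)."""
    reasons = []
    exts = ["." + p for p in filename.lower().split(".")[1:]]
    if exts and exts[-1] in BLOCKED_EXTS:
        reasons.append(f"blocked extension {exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DOC_EXTS:
            reasons.append("document extension masking an executable")
    kind = sniff(data)
    if kind == "pe-executable":
        reasons.append("PE header (MZ) in attachment body")
    if content_type == "application/pdf" and kind != "pdf":
        reasons.append(f"declared application/pdf but content is {kind}")
    if has_vba_project(data):
        reasons.append("Office document contains VBA macros")
    return reasons


def triage_message(raw_bytes):
    """Map each attachment filename to its block reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        verdicts[name] = triage_attachment(name, part.get_content_type(), payload)
    return verdicts


def build_sample_message():
    """Constructed phishing-style mail with three attachments (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    # 1. benign text attachment
    msg.add_attachment("Nothing to see here.", filename="notes.txt")
    # 2. PE executable with a masking double extension, declared as a PDF
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="pdf", filename="invoice.pdf.exe")
    # 3. minimal macro-enabled Word document: OOXML zip containing vbaProject.bin
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(f"{name}: {'BLOCK ' + '; '.join(reasons) if reasons else 'allow'}")
```

The point of the magic-byte and zip-inspection checks is that they look at what the file is rather than what the sender says it is, which is where filename-only filters fail. Archive attachments (zip, 7z, ISO) that carry the real payload inside should be unpacked and each member run through the same function, and password-protected archives that cannot be inspected should be quarantined rather than passed.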

Targeted Industries or Sectors

Nosu has been used against government agencies, defense contractors, energy companies and diplomatic entities, sectors that are prime targets for espionage and intelligence gathering.

Associated Threat Actors

Nosu is attributed to the Chinese state-sponsored cyber espionage group APT15 (also known as Ke3chang or Vixen Panda).
