{"id":15322,"date":"2019-05-15T09:10:10","date_gmt":"2019-05-15T17:10:10","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/05\/15\/news-9071\/"},"modified":"2019-05-15T09:10:10","modified_gmt":"2019-05-15T17:10:10","slug":"news-9071","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/05\/15\/news-9071\/","title":{"rendered":"Threat spotlight: CrySIS, aka Dharma ransomware, causing a crisis for businesses"},"content":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Wed, 15 May 2019 16:02:13 +0000<\/strong><\/p>\n<p>CrySIS, aka Dharma, is a family of ransomware that has been evolving since 2006. We have noticed that this ransomware has become increasingly active lately, increasing by a margin of 148 percent from February until April 2019. The uptick in detections may be due to CrySIS&#8217; effective use of multiple attack vectors. <\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"38598\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/05\/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses\/attachment\/graphs\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/graphs.png\" data-orig-size=\"1089,758\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"graphs\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/graphs-300x209.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/graphs-600x418.png\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/graphs-600x418.png\" alt=\"graph number of detections\" class=\"wp-image-38598\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/graphs-600x418.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/graphs-300x209.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/graphs.png 1089w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<h3>Profile of the CrySIS ransomware<\/h3>\n<p>CrySIS\/Dharma, which Malwarebytes detects as <a rel=\"noreferrer noopener\" href=\"https:\/\/blog.malwarebytes.com\/detections\/ransom-crysis\/\" target=\"_blank\">Ransom.Crysis<\/a>, targets Windows systems, and this family primarily targets businesses. It uses several methods of distribution:<\/p>\n<ul>\n<li>CrySIS is distributed as malicious attachments in spam emails. Specific to this family is the use of malicious attachments that use <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2016\/09\/lesser-known-tricks-of-spoofing-extensions\/\" target=\"_blank\">double file extensions<\/a>, which under default Windows settings may appear to be non-executable, when in reality they are.<\/li>\n<li>CrySIS can also arrive disguised as installation files for legitimate software, including AV vendors. CrySIS operators will offer up these harmless looking installers for various legitimate applications as downloadable executables, which they have been distributing through various online locations and shared networks.<\/li>\n<li>Most of the time, CrySIS\/Dharma is delivered manually in targeted attacks by exploiting <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/business-security-world\/2018\/08\/protect-rdp-access-ransomware-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">leaked or weak RDP credentials<\/a>. 
This means a human attacker accesses the victim machines before the infection by brute-forcing the Windows RDP protocol on port 3389.<\/li>\n<\/ul>\n<p>In a recent attack, CrySIS was delivered as a download link in a spam email. The link pointed to a password-protected, self-extracting bundle installer. The password was given to the potential victims in the email and, besides the CrySIS\/Dharma executable, the installer contained an outdated removal tool issued by a well-known security vendor.<\/p>\n<p>This social engineering strategy worked to bring down user defenses. Seeing a familiar security solution in the installation package tricked users into believing the download was safe, and the attack was successful.<\/p>\n<h3>The infection<\/h3>\n<p>Once CrySIS has infected a system, it creates registry entries to maintain persistence and encrypts practically every file type, while skipping system and malware files. It performs the encryption routine using a strong encryption algorithm (AES-256 combined with RSA-1024 asymmetric encryption), which is applied to fixed, removable, and network drives.<\/p>\n<p>Before the encryption routine, CrySIS deletes all the Windows Restore Points by running the <strong>vssadmin delete shadows \/all \/quiet<\/strong> command.<\/p>\n<p>The Trojan that drops the ransomware collects the computer\u2019s name and the number of encrypted files, grouped by file format, and sends them to a remote <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/cc\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">C2 server<\/a> controlled by the threat actor. 
On some Windows versions, it also attempts to run itself with administrator privileges, thus extending the list of files that can be encrypted.<\/p>\n<p>In RDP-based attacks, CrySIS has been observed uninstalling the security software installed on the system before executing the ransomware payload.<\/p>\n<h3>The ransom<\/h3>\n<p>When CrySIS has completed the encryption routine, it drops a ransom note on the desktop for the victim, providing two email addresses the victim can use to contact the attackers and pay the ransom. Some variants include one of the contact email addresses in the encrypted file names.<\/p>\n<p>The ransom demand is usually around 1 Bitcoin, but there have been cases where pricing seems to have been adapted to match the revenue of the affected company. Financially sound companies often have to pay a larger ransom.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" data-attachment-id=\"38599\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/05\/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses\/attachment\/crysis_ransom-note-600x328\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/crysis_ransom-note-600x328-1.png\" data-orig-size=\"600,328\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"crysis_ransom-note-600&#215;328\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/crysis_ransom-note-600x328-1-300x164.png\" 
data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/crysis_ransom-note-600x328-1-600x328.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/crysis_ransom-note-600x328-1-600x328.png\" alt=\"crysis ransom note\" class=\"wp-image-38599\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/crysis_ransom-note-600x328-1.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/crysis_ransom-note-600x328-1-300x164.png 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<\/div>\n<p>Some of the older variants of CrySIS can be decrypted using free tools that have been made available through the <a href=\"https:\/\/www.nomoreransom.org\/nl\/decryption-tools.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">NoMoreRansom project<\/a>.<\/p>\n<h3>Countermeasures<\/h3>\n<p>While you do have a choice to deploy other software to remotely operate your work computers, RDP is essentially a safe and easy-to-use protocol with a client that comes pre-installed on Windows systems, as well as clients available for other operating systems. There are a few measures you can take to make it a lot harder to gain access to your network over unauthorized RDP connections:<\/p>\n<ul>\n<li>To make it harder for a brute force attack to succeed, it helps to use <a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/05\/dont-need-27-different-passwords\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">strong passwords<\/a>.<\/li>\n<li> Do not disable <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/en.wikipedia.org\/wiki\/Network_Level_Authentication\" target=\"_blank\">Network Level Authentication (NLA)<\/a> as it offers an extra authentication level. Enable it if it wasn\u2019t already.  
<\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" data-attachment-id=\"25033\" data-permalink=\"https:\/\/blog.malwarebytes.com\/security-world\/business-security-world\/2018\/08\/protect-rdp-access-ransomware-attacks\/attachment\/nla\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/NLA.png\" data-orig-size=\"426,474\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"NLA\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/NLA-270x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/NLA.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/NLA.png\" alt=\"Network Level Authentication\" class=\"wp-image-25033\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/NLA.png 426w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/NLA-270x300.png 270w\" sizes=\"(max-width: 426px) 100vw, 426px\" \/><\/figure>\n<\/div>\n<ul>\n<li><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/tunecomp.net\/change-remote-desktop-port-windows-10\/\" target=\"_blank\">Change the RDP port<\/a> so port-scanners looking for open RDP ports will miss yours. By default, the server listens on port 3389 for both TCP and UDP. 
<\/li>\n<li>Or use a <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/turbofuture.com\/computers\/What-is-Remote-Desktop-Gateway-and-how-to-install\" target=\"_blank\">Remote Desktop Gateway Server<\/a>, which also gives you some additional security and operational benefits like <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/01\/understanding-the-basics-of-two-factor-authentication\/\" target=\"_blank\">2FA<\/a>. The logs of the RDP sessions can prove especially useful when you are trying to figure out what might have happened. As these logs are not on the compromised machine, they are harder for intruders to tamper with.<\/li>\n<li><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/support.managed.com\/kb\/a2499\/restrict-rdp-access-by-ip-address.aspx\" target=\"_blank\">Limit access to specific IPs<\/a>, if possible. Only a small number of IPs should need RDP access.<\/li>\n<li>There are several ways to elevate user privileges on Windows computers, even over RDP, but all of the known methods have been patched. So, as always, make sure your systems are fully up-to-date and patched to prevent privilege elevation and other exploits from being used.<\/li>\n<li>Use an effective and easy-to-deploy <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/04\/3-2-1-go-make-backups-of-your-data\/\" target=\"_blank\">backup strategy<\/a>. 
Relying on Restore Points doesn\u2019t qualify as such and is utterly useless when the ransomware first deletes the restore points, as is the case with CrySIS.<\/li>\n<li><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/01\/how-do-i-get-my-employees-to-stop-clicking-on-everything\/\" target=\"_blank\">Train your staff<\/a> on the dangers of email attachments and downloading files from unofficial sources.<\/li>\n<li>Finally, use a multi-layered, <a href=\"https:\/\/www.malwarebytes.com\/business\/endpointprotectionandresponse\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"advanced security solution (opens in a new tab)\">advanced security solution<\/a> to protect your machines against ransomware attacks.<\/li>\n<\/ul>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"38601\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/05\/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses\/attachment\/quarantained\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/quarantained.png\" data-orig-size=\"439,310\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"quarantained\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/quarantained-300x212.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/quarantained.png\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/quarantained.png\" alt=\"crysis quarantined \" class=\"wp-image-38601\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/quarantained.png 439w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/quarantained-300x212.png 300w\" sizes=\"(max-width: 439px) 100vw, 439px\" \/><\/figure>\n<h3>IOCs<\/h3>\n<p>Ransom.Crysis has been known to append these extensions for encrypted files:<\/p>\n<p>.crysis, .dharma,&nbsp;wallet,&nbsp;.java,&nbsp;.adobe,&nbsp;.viper1,&nbsp;.write,&nbsp;.bip,&nbsp;.zzzzz,&nbsp;.viper2,&nbsp;.arrow,&nbsp;.gif,&nbsp;.xtbl,&nbsp;.onion, .bip, .cezar,&nbsp;.combo, .cesar,&nbsp;.cmb,&nbsp;.AUF,&nbsp;.arena,&nbsp;.brrr,&nbsp;.btc,&nbsp;.cobra,&nbsp;&nbsp;.gamma,&nbsp;.heets,&nbsp;.java,&nbsp;.monro,&nbsp;.USA,&nbsp;.bkp,&nbsp;.xwx,&nbsp;.btc,&nbsp;.best,&nbsp;.bgtx,&nbsp;.boost,&nbsp;.heets,&nbsp;.waifu,&nbsp;.qwe,&nbsp;.gamma,&nbsp;.ETH,&nbsp;.bet,&nbsp;ta,&nbsp;.air,&nbsp;.vanss,&nbsp;. 
888,&nbsp;.FUNNY,&nbsp;.amber,&nbsp;.gdb,&nbsp;.frend,&nbsp;.like,&nbsp;.KARLS,&nbsp;.xxxxx,&nbsp;.aqva,&nbsp;.lock,&nbsp;.korea, .plomb,&nbsp;.tron,&nbsp;.NWA,&nbsp;.AUDIT,&nbsp;.com,&nbsp;.cccmn,&nbsp;.azero,&nbsp;.Bear,&nbsp;.bk666,&nbsp;.fire,&nbsp;.stun, .myjob,&nbsp;.ms13,&nbsp;.war,&nbsp;.carcn,&nbsp;.risk,&nbsp;.btix,&nbsp;.bkpx,&nbsp;.he, .ets,&nbsp;.santa,&nbsp;.gate,&nbsp;.bizer,&nbsp;.LOVE,&nbsp;.LDPR,&nbsp;.MERS,&nbsp;.bat,&nbsp;.qbix,&nbsp;.aa1, and .wal<\/p>\n<p>The following ransom note names have been found:<\/p>\n<ul>\n<li>README.txt<\/li>\n<li>HOW TO DECRYPT YOUR DATA.txt<\/li>\n<li>Readme to restore your files.txt<\/li>\n<li>Decryption instructions.txt<\/li>\n<li>FILES ENCRYPTED.txt<\/li>\n<li>Files encrypted!!.txt<\/li>\n<li>Info.hta<\/li>\n<\/ul>\n<p>Common file hashes:<\/p>\n<ul>\n<li>0aaad9fd6d9de6a189e89709e052f06b<\/li>\n<li>bd3e58a09341d6f40bf9178940ef6603<\/li>\n<li>38dd369ddf045d1b9e1bfbb15a463d4c<\/li>\n<\/ul>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/05\/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses\/\">Threat spotlight: CrySIS, aka Dharma ransomware, causing a crisis for businesses<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/05\/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Wed, 15 May 2019 16:02:13 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/05\/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses\/' title='Threat spotlight: CrySIS, aka Dharma ransomware, causing a crisis for 
businesses'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/crisis_management.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>CrySIS, aka Dharma, is a ransomware family making waves over the last two months, often being used in targeted attacks through RDP access. What other tricks are up its sleeve?<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/malware-threat-analysis\/\" rel=\"category tag\">Malware<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/anti-ransomware\/\" rel=\"tag\">Anti-Ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/crysis\/\" rel=\"tag\">crysis<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/dharma\/\" rel=\"tag\">dharma<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malware\/\" rel=\"tag\">malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransom\/\" rel=\"tag\">ransom<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransomware\/\" rel=\"tag\">ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/rdp\/\" rel=\"tag\">rdp<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/rdp-access\/\" rel=\"tag\">rdp access<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/05\/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses\/' title='Threat spotlight: CrySIS, aka Dharma ransomware, causing a crisis for businesses'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/05\/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses\/\">Threat spotlight: CrySIS, 
aka Dharma ransomware, causing a crisis for businesses<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[11152,21796,21783,3764,18276,3765,18324,21797,10494],"class_list":["post-15322","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-anti-ransomware","tag-crysis","tag-dharma","tag-malware","tag-ransom","tag-ransomware","tag-rdp","tag-rdp-access","tag-threat-analysis"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15322","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15322"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15322\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15322"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15322"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15322"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}