
A look at the latest Snatch Ransomware

This week, the Sonicwall Capture Labs Research team analyzed the latest Snatch ransomware. Snatch operates as a ransomware-as-a-service (RaaS), a business model where the malware authors lease out the ransomware program to affiliates who then launch the attacks.

Infection Cycle:

The malware file arrives as an executable using a random name such as:

  • rljybc.exe

This ransomware is written in Go, as is apparent from the many references to Go packages in its strings.

[Screenshot: Go package references in the binary's strings]

Upon execution it writes multiple copies of the same batch file to the %temp% directory:

Simultaneously it also writes a randomly named file with a .dll extension that appears to be a library file.

On closer inspection, however, it is actually a log of the malware's own execution, listing the files it has accessed and created.

The batch file is used to run commands that delete shadow copies and disable a list of services, including those related to antivirus, backup software, databases and email, among many others.

It appends the “.lqepjhgjczo” extension to every file it encrypts and drops the ransom note into every directory on the system.

The ransom note only lists email addresses for contacting the malware authors; no ransom amount is mentioned. Presumably the amount varies with the victim and with how much disruption the attack would cost the business or organization.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Snatch.RSM_13 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


A new variant from Chaos Ransomware family surfaces

The SonicWall Capture Labs Research team has received a sample of a new variant of the Chaos ransomware family. Chaos is a customizable ransomware builder that emerged on underground forums, falsely marketed as the .NET version of Ryuk.

The builder provides the following options, which a cybercriminal can use to customize the generated ransomware:

  • processName = "svchost.exe";
  • sleepTextbox = 10;
  • spreadName = "surprise.exe";
  • userDir = "C:\\Users\\";
  • checkAdminPrivilage = true;
  • checkCopyRoaming = true;
  • checkdeleteBackupCatalog = true;
  • checkdeleteShadowCopies = true;
  • checkdisableRecoveryMode = true;
  • checkSleep = false;
  • checkSpread = true;
  • checkStartupFolder = true;
  • droppedMessageTextbox = "read_it.txt";
  • encryptedFileExtension = "";
  • encryptionAesRsa = true;
  • messages = new string[]; #Ransomware message content

Infection Cycle:

At the start of execution it checks its own filename and the location from which it is running.

If the process name and location are not %appdata%\\svchost.exe, it drops a copy of itself to %appdata%\\svchost.exe and launches it.

It then checks the "checkSleep" variable, which is set when the ransomware is built. If the value is false, it skips the sleepOutOfTempFolder() function. That function also checks the folder from which the sample is running; if the path does not match, it takes the "sleepTextbox" count variable, multiplies it by 1000, and passes the result to a thread that sleeps for that many milliseconds.

It then checks the checkStartupFolder flag and, if it is true, calls the addLinkToStartup() function.

This creates a file svchost.url containing the location of the dropped file and copies it into the user's Startup folder so that the malware runs automatically at every system startup.

It has a hardcoded list of directories, and only files in those directories that carry an extension from its list are encrypted.

[Screenshot: list of targeted file extensions]

Before encrypting a file it checks that the extension is on the list of valid extensions and that the filename is not the one given in droppedMessageTextbox when the ransomware was built.

droppedMessageTextbox holds the name of the file that carries the ransom message; in our sample the filename is "read_it.txt".

Before encrypting a file it also checks the file length.
If the length is below 2,117,152 bytes, it encrypts the file using the EncryptFile method. If the file is larger than
2,117,152 bytes, a random string with a random length between 200000000 and 300000000 bytes is generated and encoded using the randomEncode method instead.

It creates a 20-byte random password and converts it to a byte array using UTF-8 encoding.
The file content is then AES-encrypted using that key.
It then encrypts the key generated earlier using RSA encryption.

The AES-encrypted content is then converted to Base64.

It concatenates the RSA-encrypted key and the Base64-encoded content and writes them to the file using the File.WriteAllText method.

Finally, the original file is moved to the same location with a random extension appended, generated by the RandomStringForExtension method.
It then drops "read_it.txt", containing the ransom message, in that location.
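As an added example (not Chaos code and not from the SonicWall write-up), the size rule above can be turned into an incident-response triage: files that were under 2,117,152 bytes are AES-encrypted and need the operator's RSA private key, while larger files were replaced by 200 to 300 MB of random data and can only come back from backup. It assumes the random data replaces the file on disk, and the Base64 tail check and the sample listing are constructed.

```python
import os
import string
from collections import Counter
from typing import Dict, List, Tuple

# Values taken from the write-up above.
SIZE_LIMIT = 2_117_152                          # below this: EncryptFile (AES, key wrapped with RSA)
WIPE_MIN, WIPE_MAX = 200_000_000, 300_000_000    # above SIZE_LIMIT: replaced by random data this long
RANSOM_NOTE = "read_it.txt"                     # droppedMessageTextbox in this sample

_B64_ALPHABET = frozenset((string.ascii_letters + string.digits + "+/=").encode())


def looks_base64(tail: bytes, min_ratio: float = 0.98) -> bool:
    """True when nearly every byte of the sample is a Base64 character.

    The AES path writes the Base64 ciphertext with File.WriteAllText, so the end of
    such a file is clean Base64 text. The page does not give the on-disk encoding of
    the RSA-wrapped key prefix, which is why the sample is taken from the tail."""
    body = tail.replace(b"\r", b"").replace(b"\n", b"")
    if not body:
        return False
    return sum(1 for b in body if b in _B64_ALPHABET) / len(body) >= min_ratio


def classify(name: str, size: int, tail: bytes) -> str:
    """Classify one file from its name, on-disk size and a sample of its last bytes.

    ransom_note  - the dropped message file, not victim data
    aes_rsa      - AES-encrypted body; recoverable only with the operator's RSA private key
    overwritten  - original exceeded SIZE_LIMIT and was replaced by random data (assumed):
                   nothing to decrypt, restore from backup
    unclassified - matches neither output shape (untouched, or not this malware)
    """
    if name.lower() == RANSOM_NOTE:
        return "ransom_note"
    if WIPE_MIN <= size <= WIPE_MAX and not looks_base64(tail):
        return "overwritten"
    # Base64 of a plaintext under SIZE_LIMIT is under ~3 MB, far below the wipe range.
    if size < WIPE_MIN and looks_base64(tail):
        return "aes_rsa"
    return "unclassified"


def triage(listing: List[Tuple[str, int, bytes]]) -> Dict[str, int]:
    """Count categories over (name, size, tail) tuples."""
    return dict(Counter(classify(name, size, tail) for name, size, tail in listing))


def sample_tail(path: str, n: int = 512) -> bytes:
    """Read the last n bytes of a file without loading it whole."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - n))
        return fh.read(n)


def triage_directory(root: str) -> Dict[str, int]:
    """Walk a tree and summarise what can still be recovered and what cannot."""
    listing = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            listing.append((name, os.path.getsize(path), sample_tail(path)))
    return triage(listing)
```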

Once the encryption is done it deletes the shadow copies, disables Recovery Mode and deletes the backup catalog using the commands below.

"vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
"bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"
"wbadmin delete catalog -quiet"
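An added detection example (not SonicWall's code) for the three command strings above; the same rules cover the vssadmin shadow-copy deletion noted in the other write-ups on this page. The process-creation log format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# One rule per recovery-inhibition technique quoted in the write-up. A leading
# "cmd /c" is stripped and "&"-chained command lines are split, so each command
# in the chained forms this Chaos variant uses is matched on its own.
RULES = {
    "vssadmin_delete_shadows": re.compile(
        r'^"?(\S*\\)?vssadmin(\.exe)?"?\s+delete\s+shadows\b', re.I),
    "wmic_shadowcopy_delete": re.compile(
        r'^"?(\S*\\)?wmic(\.exe)?"?\s+shadowcopy\s+delete\b', re.I),
    "bcdedit_recovery_disabled": re.compile(
        r'^"?(\S*\\)?bcdedit(\.exe)?"?\s.*\brecoveryenabled\s+no\b', re.I),
    "bcdedit_ignore_boot_failures": re.compile(
        r'^"?(\S*\\)?bcdedit(\.exe)?"?\s.*\bbootstatuspolicy\s+ignoreallfailures\b', re.I),
    "wbadmin_delete_catalog": re.compile(
        r'^"?(\S*\\)?wbadmin(\.exe)?"?\s+delete\s+catalog\b', re.I),
}

CMD_PREFIX_RE = re.compile(r'^"?(\S*\\)?cmd(\.exe)?"?\s+/[ck]\s+', re.I)

# Assumed process-creation log format, constructed for this example:
#   <timestamp> parent="<parent image>" cmdline="<command line>"
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+parent="(?P<parent>[^"]*)"\s+cmdline="(?P<cmdline>.*)"$')


def split_chain(cmdline: str) -> List[str]:
    """Drop a leading cmd /c and split on & or && so chained commands are checked separately."""
    body = CMD_PREFIX_RE.sub("", cmdline.strip())
    return [part.strip() for part in re.split(r"\s*&&?\s*", body) if part.strip()]


def match_commands(cmdline: str) -> List[str]:
    """Names of the techniques present in one command line, in order of first appearance."""
    hits: List[str] = []
    for cmd in split_chain(cmdline):
        for name, rx in RULES.items():
            if name not in hits and rx.search(cmd):
                hits.append(name)
    return hits


def analyze_log(lines: List[str]) -> Dict[str, List[str]]:
    """Distinct techniques per parent image. One parent issuing several of them is the
    shape described above: the ransomware runs all three command strings in sequence."""
    per_parent: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for name in match_commands(m.group("cmdline")):
            if name not in per_parent[m.group("parent")]:
                per_parent[m.group("parent")].append(name)
    return dict(per_parent)


def severity(techniques: List[str]) -> str:
    """Escalate when a parent combines techniques; a lone vssadmin call may still be admin work."""
    if not techniques:
        return "none"
    return "high" if len(techniques) >= 2 else "medium"
```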

In order to spread, it loops through all available drives on the system; if a drive is not the C:\ drive and the spreadName file is not already present on it, it copies the malware’s file to that drive under the specified spreadName.

This way the malware can potentially infect other machines whose drives are mapped onto the victim's machine.

Once the encryption is completed it displays the ransomware message text.

It sets the wallpaper shown below.

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV:MalAgent.RSM_99 (Ransomware)


Akira ransomware double-extortion scheme encrypts and publicly leaks sensitive data

The SonicWall Capture Labs threat research team has been tracking a newly discovered form of ransomware called "Akira". This malicious software is actively targeting numerous organizations and stealing sensitive data. To maximize the likelihood of receiving payment, the Akira ransomware employs a dual-extortion technique, whereby it both steals and encrypts the victim's data and threatens to sell or leak the stolen data on the dark web unless the ransom is paid to decrypt the compromised information. Akira ransomware appeared in April 2023 and has already affected a variety of publicly disclosed victims, primarily located in the United States. These victims span various sectors such as construction, education, healthcare, and manufacturing.

Infection cycle:

Once the malware is run, the following command prompt is briefly shown:

Files on the system are encrypted and given a ".akira" file extension. During this process, the following ransom note (akira_readme.txt) is dropped onto the desktop:

The malware obtains details on all connected drives:

The malware can be seen setting up its encryption key and encrypting data. It uses the "Microsoft Enhanced RSA and AES Cryptographic Provider" API to achieve this. The public key can be seen in the code when it is run in a debugger:

The Tor link from the ransom note leads to the following page:

After entering the code contained in the ransom note, the following page is presented, summarizing what has happened and how to retrieve lost files. The page is designed in a Linux terminal style with a list of commands:

The "leaks" command leads to the following page listing companies that have fallen victim to the attackers. These companies have not paid their ransom and, as a result, their data is downloadable via BitTorrent magnet links:

The "contact" command brings up a page where victims can converse directly with the attackers. It also appears to show past conversations between victims and the operator:

This victim tries to reason with the attacker, but the attackers stress that the data will be released if a $1M ransom is not paid. As motivation, the attacker uses invoices and bank statements to prove that the victim is capable of paying the ransom:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Akira.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Money Message ransomware actively targeting large organizations

Recently, the SonicWall Capture Labs Research team analyzed a ransomware called Money message. Written in C++, this ransomware encrypts the victim's files without changing the filename or appending the extension, making it more difficult to identify which files have been compromised. Once the files are encrypted, the attackers demand a ransom payment in exchange for the decryption key.

Infection Cycle:

At the start of execution it creates a named mutex “12345-12345-12235-12354” to prevent multiple instances of Money Message from running on the same system.

It uses WMI (Windows Management Instrumentation) Query and Service Control Manager to disable the specific list of services.

Associators of {Win32_Service.Name='sql'} Where AssocClass=Win32_DependentService Role=Antecedent

It opens the Service Control Manager (SCM) by calling the OpenSCManagerW() function.
It then calls OpenServiceW() to open each service from the list and EnumDependentServicesW() to enumerate all of its dependent services. If any service from the list is found to be running, the ransomware stops it using the ControlService() function.

Below is the list of services stopped by the ransomware:

  • vss
  • sql
  • svc$
  • memtas
  • mepocs
  • sophos
  • veeam
  • backup
  • vmms

It then enumerates the running processes on the system and terminates those in the list below:

  • sql.exe
  • oracle.exe
  • ocssd.exe
  • dbsnmp.exe
  • synctime.exe
  • agntsvc.exe
  • isqlplussvc.exe
  • xfssvccon.exe
  • mydesktopservice.exe
  • ocautoupds.exe
  • encsvc.exe
  • firefox.exe
  • tbirdconfig.exe
  • mdesktopqos.exe
  • ocomm.exe
  • dbeng50.exe
  • sqbcoreservice.exe
  • excel.exe
  • infopath.exe
  • msaccess.exe
  • mspub.exe
  • onenote.exe
  • outlook.exe
  • powerpnt.exe
  • steam.exe
  • thebat.exe
  • thunderbird.exe
  • visio.exe
  • winword.exe
  • wordpad.exe
  • vmwp.exe

It deletes the volume shadow copies by passing the command below to the ShellExecuteW() function:

It avoids encrypting files in the directories below:

It also has a list of files which it avoids encrypting:

Files that are neither in the whitelisted directories nor on the whitelisted file list are encrypted by the ransomware.
Once a file is encrypted, its filename stays the same and its extension is not changed.

Once the files are encrypted it displays the ransom message below:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV:MoneyMsg.RSM (Trojan)

SonicWall's RTDMI engine, part of Capture ATP, provides proactive zero-day protection against this ransomware.


Vohuk ransomware uses Cipher.exe, making file recovery impossible

Recently, the SonicWall Capture Labs Research team analyzed a ransomware called Vohuk, which uses the genuine Windows tool Cipher.exe to overwrite deleted files, making their recovery impossible.

Cipher.exe is a command-line tool for managing encrypted data using the Encrypting File System (EFS). When a file or folder is deleted, the data itself is not removed; only the disk space it occupied is deallocated. Until that space is overwritten, the deleted data can potentially be recovered with a low-level disk editor or data-recovery software. Administrators use Cipher.exe to encrypt and decrypt data on drives that use the NTFS file system. During encryption, Windows makes a backup copy of the file so that the data is not lost if an error occurs; after encryption completes, the backup copy is deleted, and as with other deleted files its data remains on disk until it is overwritten. To prevent unauthorized recovery of such data, Windows provides the Cipher.exe tool.

The ransomware uses this feature of Cipher.exe to overwrite deleted data so that the files cannot be recovered.

Infection Cycle:

At the start of execution it creates a named mutex "Global\\VohukMutes" to prevent multiple instances of Vohuk from running on the same system.

It creates the folder C:\\ProgramData\\Vohuk on the root drive, copies itself there as App.exe, and also creates a log file used to record its activities.

At the start of Log.txt it records its name, VohukCrypter V1.51, together with its version number.

The ransomware collects any command-line options passed at execution time. It checks for the following strings in the command-line parameters and, depending on which are provided, may change its behaviour:

'/NOKILL'
'/NOMOUNT'
'/NOEMPTY'
'/LAN'
'/NOLOCAL'
'/NONETDRIVE'
'/NOSTARTUP'
'/FULL'
'/FAST'
'/PATH='

The ransomware calls the GetSystemInfo API to get the number of processors present on the system.

The number of threads created depends on the number of processors, with one thread created per processor.
If there are more than 64 processors, the ransomware creates at most 64 threads.

Before encrypting files it first empties the Recycle Bin on every drive.

It launches a command prompt process and passes it a vssadmin command to delete the volume shadow copies.

The ransomware kills the processes below if they are found running on the system, so that it can encrypt files that are currently in use.

It also enumerates services and stops those listed below, together with their dependent services, if they are found running on the system.

The ransomware uses multi-threading via the CreateIoCompletionPort(), PostQueuedCompletionStatus() and GetQueuedCompletionStatus() APIs to handle multiple files concurrently, and thread priority is set to high for quick encryption.

The ransomware avoids encrypting files with the filenames below.

It also avoids encrypting files with the extensions below, so that normal operation of the operating system is not hampered.

The ransomware checks the file attributes before encryption; if the READ_ONLY attribute is set, it clears it.

It encrypts the files, renames them with the “.Vohuk” extension, and drops a ransom note named R3ADM3.txt in each folder.

Once all encryption is complete, it runs the genuine Windows tool Cipher.exe on all drives to overwrite the deleted data.

The ransomware also replaces the desktop wallpaper with its own.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: VohukCrypt.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Magniber ransomware seen distributed via ISO disc image files

This week, the SonicWall Capture Labs Research team analyzed a ransomware called Magniber. This ransomware has been around since 2017 as a successor to Cerber and initially targeted only a specific country when we first covered it. It has since widened its targeting and taken many forms, from JavaScript to archive files and, more recently, Microsoft Software Installer (MSI) files and ISO images. What has not changed is that it still purports to be a software security update to lure victims into installing it.

Infection Cycle:

The ransomware installer arrives as a fake Windows update in the form of an optical disc image (ISO).

Within the ISO are two files that can have the following filenames:

  • 5G offer.LNK
  • 5G-installer.MSI

The LNK file is a Windows shortcut that serves as a pointer to load the MSI file using msiexec.exe.

The Windows Installer file (MSI) uses the following file properties:

Once executed, it displays the following installation progress window. Note that the Knowledge Base code (KB5023921) referenced is nonexistent and completely made up.

Upon execution, the first thing it does is delete the volume shadow copies via the following command, after which it proceeds to encryption:

vssadmin.exe Delete Shadows /all /quiet

It changes the desktop background upon successful infection.

A readme.html present in every directory that contains encrypted files shows instructions on how to retrieve the victim’s files.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Magniber.RSM_1 (Trojan)
  • GAV: Magniber.RSM_2 (Trojan)
  • GAV: Magniber.RSM_3 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Cryptonite Ransomware leaves files unrecoverable

This week, the SonicWall Capture Labs Research team analyzed a ransomware called Cryptonite. It is an open-source ransomware that was once available on GitHub but has since been taken down. It exhibited behavior consistent with most ransomware, but later versions were found to malfunction, leaving encrypted data unrecoverable.

Infection Cycle:

The ransomware installer arrives as a fake Windows update and can use the following filename:

  • WindowsUpdate.exe

This ransomware is written in Python, so a Python interpreter must be present on the victim’s machine for it to run. Upon execution, all the necessary files and modules are therefore dropped into the temp directory under a randomly named folder.

A window then pops up showing the status of the supposed software update download, complete with a progress bar.

Meanwhile, encryption of the files is happening in the background. Encrypted files have the extension “.cryptn8” appended to them.

This ransomware uses the Python cryptography module, specifically its Fernet implementation, to perform encryption.

In our static analysis, we found that the unique key generated by this Fernet implementation appears to be sent to a remote server hosted at this domain: hxxps://e4c0660414bf.eu.ngrok.io

Upon successful encryption, a standard warning message is presented to the victim, which allows the victim to enter a decryption key should they decide to contact the ransomware operator.

However, later samples have been found not to complete the entire infection cycle. During encryption the ransomware application abruptly crashes with an error. Encryption completes, but the key never gets sent to the remote server, leaving the files unrecoverable. Subsequent executions of the ransomware just encrypt the already-encrypted files, so the ransomware essentially wipes out the data on the victim’s machine.
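Added example, not code from Cryptonite or from the write-up: a structural parser for Fernet tokens, which lets a responder confirm that a .cryptn8 file is a Fernet token and read the creation timestamp each token carries (a timeline of the encryption run) without any key, and verify the HMAC if a key is ever recovered. The fixture key and token are constructed here; no encryption is performed.

```python
import base64
import binascii
import hashlib
import hmac
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

FERNET_VERSION = 0x80            # fixed first byte of every Fernet token
TS_LEN, IV_LEN, HMAC_LEN = 8, 16, 32
HEADER_LEN = 1 + TS_LEN + IV_LEN

# Constructed fixture key (32 bytes, urlsafe-base64 as Fernet keys are). Not a real key.
FIXTURE_KEY = base64.urlsafe_b64encode(bytes(range(32)))


@dataclass
class FernetToken:
    timestamp: datetime      # when the token was produced (UTC), from the token header
    iv: bytes
    ciphertext: bytes
    hmac_ok: Optional[bool]  # None when no key was available to check the tag


def parse_fernet_token(token: bytes, key_b64: Optional[bytes] = None) -> Optional[FernetToken]:
    """Structurally parse a Fernet token without decrypting it.

    Layout (cryptography's Fernet spec):
      urlsafe-base64( 0x80 | timestamp(8, big-endian) | iv(16) | AES-CBC ciphertext | HMAC-SHA256(32) )
    Returns None for anything that is not a well-formed token. If the 32-byte Fernet key
    is supplied, the HMAC (keyed with the first 16 bytes of the key) is verified too.
    """
    try:
        raw = base64.urlsafe_b64decode(token)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < HEADER_LEN + 16 + HMAC_LEN or raw[0] != FERNET_VERSION:
        return None
    ciphertext = raw[HEADER_LEN:-HMAC_LEN]
    if len(ciphertext) % 16:
        return None                      # AES-CBC output is always whole blocks
    (ts,) = struct.unpack(">Q", raw[1:1 + TS_LEN])
    hmac_ok = None
    if key_b64 is not None:
        key = base64.urlsafe_b64decode(key_b64)
        if len(key) != 32:
            return None
        expected = hmac.new(key[:16], raw[:-HMAC_LEN], hashlib.sha256).digest()
        hmac_ok = hmac.compare_digest(expected, raw[-HMAC_LEN:])
    return FernetToken(datetime.fromtimestamp(ts, tz=timezone.utc),
                       raw[1 + TS_LEN:HEADER_LEN], ciphertext, hmac_ok)


def is_cryptn8_candidate(data: bytes) -> bool:
    """Triage check: does a .cryptn8 file's content parse as a Fernet token?"""
    return parse_fernet_token(data.strip()) is not None


def make_fixture_token(key_b64: bytes, ts: int, iv: bytes, ciphertext: bytes) -> bytes:
    """Test fixture only: assembles a token with a valid tag around caller-supplied bytes.
    No encryption happens here; the ciphertext bytes are whatever the caller passes."""
    key = base64.urlsafe_b64decode(key_b64)
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", ts) + iv + ciphertext
    tag = hmac.new(key[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)
```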

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Cryptonite.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


TOR chat with Black Basta ransomware operator runs dry

The SonicWall Capture Labs threat research team has recently been tracking a ransomware family called Black Basta. Black Basta first appeared in April 2022 and is believed to be operated by a well-organized cybercrime group called Fin7. It has been reported that this group has already breached over 90 organizations and caused over $1B USD in damage.

Infection Cycle:

Upon execution, a console appears with the following text:

It then quickly disables console output using the FreeConsole Windows API:

It obtains information about storage volumes attached to the system and begins its encryption process:

Encrypted files are given a ".basta" file extension.

The malware uses RSA encryption. The key is hardcoded and can be seen in the decompiled binary:

Various configuration options can also be seen in the decompiled code:

In order to prevent system recovery, the malware disables volume shadow copies using the vssadmin.exe program:

The malware drops dlaksjdoiq.jpg:

dlaksjdoiq.jpg contains the following image:

A ransom message is written to readme.txt. This file is copied into all directories containing encrypted files:

readme.txt contains the following ransom message:

fkdjsadasd.ico is dropped onto the system:

It contains the following icon:

The Tor link leads to the following page:

After logging in using the requested information, a chat interface is presented:

We had the following conversation with the attacker but were unable to obtain information about file retrieval costs:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: BlackBasta.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Fake picture installs a data wiper malware

The SonicWall Capture Labs Research team came across a malware sample that purports to be a picture but is intended to wipe the hard drive, deleting data and programs. It is a multi-component infection that starts with a fake image which then drops several files to carry out its malicious behavior.

Infection cycle:

The malware arrives as a picture entitled “SexyPhotos.jpg".

This is in fact a self-extracting archive that drops the following files:

  • %temp%/avtstart.bat
  • %temp%/del.exe
  • %temp%/windll.exe
  • %temp%/open.exe
  • %temp%/windowss.exe

It ensures persistence by executing avtstart.bat, which copies the rest of the files into Startup:

copy dell.exe "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
copy windowss.exe "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
copy windll.exe "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
copy open.exe "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

The other dropped executables are all self-extracting archives that each drop a bat file and a vbs file to continue the infection.

The files are executed successively as follows:

Windowss.exe drops the following files:

  • windowss.bat
  • windowss.vbs
  • readme.txt (a ransom note)

The vbs file, windowss.vbs, contains a simple command that uses wscript.exe (the Microsoft Windows Script Host utility for executing scripts) to run the batch file windowss.bat.

This batch file then renames every target file on the victim’s machine to “Locked_!counter!.Locked_fille”.

These files appear encrypted, as if a ransomware had locked them, but they were simply renamed, as in the screenshot below.
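Added example, not from the write-up: because the batch file only renamed files, their content is intact and the file type (though not the original name, which the rename discarded) can be restored by sniffing magic bytes. The signature table and the staged files are constructed for this example.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Magic-byte table (constructed for this example; extend as needed). Most specific first.
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                         # also the docx/xlsx/pptx container
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),   # legacy OLE2 (doc/xls/ppt)
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"MZ", "exe"),
]
LOCKED_RE = re.compile(r"^Locked_\d+\.Locked_fille$", re.I)


def sniff_extension(head: bytes) -> Optional[str]:
    """Guess a file type from its first bytes; None when nothing recognisable is found."""
    for magic, ext in SIGNATURES:
        if head.startswith(magic):
            if ext == "zip":  # heuristic: OOXML local file headers name their part directories
                for marker, office in ((b"word/", "docx"), (b"xl/", "xlsx"), (b"ppt/", "pptx")):
                    if marker in head:
                        return office
            return ext
    try:
        text = head.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text and all(c.isprintable() or c in "\r\n\t" for c in text):
        return "txt"
    return None


def restore_renamed(root: Path) -> Dict[str, Optional[str]]:
    """Give every Locked_N.Locked_fille under root an extension matching its content.

    Only the type can be recovered: the batch file discarded the original names.
    Returns original name -> new name, or None when the file was left untouched."""
    outcome: Dict[str, Optional[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not LOCKED_RE.match(path.name):
            continue
        with path.open("rb") as fh:
            head = fh.read(4096)
        ext = sniff_extension(head)
        if ext is None:
            outcome[path.name] = None        # unknown content: leave it for manual review
            continue
        target = path.with_suffix("." + ext)
        if target.exists():
            outcome[path.name] = None        # never clobber an existing file
            continue
        path.rename(target)
        outcome[path.name] = target.name
    return outcome


def demo_restore() -> Dict[str, Optional[str]]:
    """Constructed demonstration: stage four renamed files in a temp dir and restore them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Locked_1.Locked_fille").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
        (root / "Locked_2.Locked_fille").write_bytes(b"%PDF-1.7\n%constructed sample\n")
        (root / "Locked_3.Locked_fille").write_bytes(b"Quarterly notes\nline two\n")
        (root / "Locked_4.Locked_fille").write_bytes(bytes([0x01, 0x02, 0x03, 0xFE]) * 8)
        return restore_renamed(root)
```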

Windll.exe drops the following files:

  • windll.bat
  • windll.vbs
  • readme.txt (a copy of the ransom note)

These files execute similarly, with the vbs calling wscript.exe to run the batch file. Windll.bat copies readme.txt into the directories where the locked files are.

Open.exe then drops the following files:

  • open.bat
  • open.vbs
  • open.txt

Again, the open.vbs script runs wscript.exe to execute open.bat. This time the only purpose is to open a URL (currently down) and to open readme.txt, which contains instructions on how to unlock the seemingly locked files by paying cryptocurrency worth $300 to a bitcoin address.

However, the infection cycle ends here. The original malware then looks for “dell.exe”, which does not exist because the dropped file was named “del.exe”, with a single L. Had the name not been misspelled, the infection would have continued; instead, an error message is shown.

Del.exe should have dropped the following files:

  • del.bat
  • del.vbs
  • del.txt

Del.vbs would have executed del.bat using wscript.exe and wiped the victim’s machine, deleting all data on the drive.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Ransom.FK (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.