Mongo-Lock Ransomware

By

Overview:

SonicWall Capture Labs Threat Research Team, recently found, MongoLock ransomware. MongoLock tries to remove files, along with formatting drives using special commands through “cmd” and targets databases with weak security settings. MongoLock will drop a ransom note in the form of a “warning.txt” using notepad or as an entry inside any database it may find on the system. This is a new form of MongoLock ransomware that is actively being used in the wild today with a global reach. The ransom note is asking for 0.1 BTC to a specified Bitcoin wallet. A picture of the ransom note is below:

Sample Static Information:

Unpacked Hash Information:

Entropy and Packer Information:

Now that we know what the packer and protector information is we can start to unpack it below.

Unpacking The Sample:

Unpacking this sample is trivial because CFF Explorer allows us to click just a single button to unpack it.

Once you unpack the sample with CFF Explorer press “Save As” to save the unpacked sample. The new hash information now looks like the following:

RDG tells us that the unpacked sample has traces from aPLib compression and it’s using IsDebuggerPresent().

The following crypto signatures were found, Base64, CryptCreateHash, CryptEncrypt, CryptGenRandom, CryptHashData.

Ransom Note:

A long static ransom string is checked, then written to a warning file.

A glimpse into how they write the warning:

Directory List:

SHGetFolderPathW API is a deprecated API. This API gets the path of a folder identified by a CSIDL value.

Removal of Directories and Files:

Formatting:

The string, : /fs:ntfs /q /y will be updated with “format”, a drive letter and “cmd” will be called upon to execute the formatting of your drives.

Supported Systems:

The sample was tested and debugged on (x86) – 32 Bit, Windows 7 Professional.

SonicWall, (GAV) Gateway Anti-Virus, provides protection against this threat:

  • GAV: MongoLock.A
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.