Vohuk Ransomware uses Cipher.exe, making file recovery impossible
Recently, the SonicWall Capture Labs Research team analyzed a ransomware called Vohuk, which uses the genuine Windows tool Cipher.exe to overwrite deleted files, making their recovery impossible.
Cipher.exe is a command-line tool used to manage encrypted data with the Encrypting File System (EFS). When a file or folder is deleted, its data is not erased; only the disk space it occupied is deallocated. Until that space is overwritten, the deleted data may still be recoverable with a low-level disk editor or data-recovery software. Administrators use Cipher.exe to encrypt and decrypt data on drives that use the NTFS file system. During encryption, Windows makes a backup copy of the file so that no data is lost if an error occurs part way through. Once encryption is complete, the backup copy is deleted, and, as with any other deleted file, its data remains on disk until it is overwritten. To prevent unauthorized recovery of such data, Windows provides the Cipher.exe tool with an option to overwrite free space.
The ransomware abuses this feature of Cipher.exe to overwrite deleted data so that the original files cannot be recovered.
At the start of execution it creates a named mutex, “Global\\VohukMutes”, to avoid multiple instances of Vohuk running on the same system.
It creates the folder C:\\ProgramData\\Vohuk, copies itself there as App.exe, and also creates a log file used to record its activity.
The Log.txt file begins with the name and version string VohukCrypter V1.51.
The ransomware collects any command-line options passed at execution time. It checks the command line for the following string options and, depending on which are provided, may change its behaviour.
The ransomware calls the GetSystemInfo API to get the number of processors present on the system.
The number of worker threads it creates depends on that count, with one thread per processor.
If there are more than 64 processors, it caps the thread count at 64.
Before encrypting any files, it first empties the Recycle Bin on every drive.
It then launches a command prompt and passes a vssadmin command to delete the volume shadow copies.
The ransomware terminates the following processes if they are running, so that it can encrypt files they currently hold open.
It also enumerates services and stops the services listed below, along with their dependent services, if they are running.
The ransomware handles multiple files concurrently using the I/O completion port APIs CreateIoCompletionPort(), PostQueuedCompletionStatus() and GetQueuedCompletionStatus(), and sets its thread priority to high to speed up encryption.
The ransomware skips files with the following filenames.
It also skips files with the following extensions, so that normal operation of the operating system is not disrupted.
Before encrypting a file it checks the file attributes and, if the READ_ONLY attribute is set, clears it.
It encrypts each file, renames it with the added extension “.Vohuk”, and drops a ransom note named R3ADM3.txt in each folder.
Once encryption is complete, it runs the genuine Windows tool Cipher.exe on every drive to overwrite the deleted data.
The ransomware also replaces the desktop wallpaper with its own.
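The shadow-copy deletion and the post-encryption cipher.exe wipe described above are both visible in process-creation telemetry, and the ransom note and renamed files in file-system telemetry. The following is an added detection example written for this write-up; it is not SonicWall's code. It runs over constructed Sysmon-style event records, and the event field names (image, parent, cmdline), the sample paths, and the vssadmin arguments are assumptions; only the mutex-free indicators taken from the analysis (the C:\ProgramData\Vohuk staging folder with App.exe, the .Vohuk extension, the R3ADM3.txt note, and cipher /w) come from the text.

```python
"""
Added example, not SonicWall's own code: flags the host-level behaviour
described in the Vohuk write-up over constructed, Sysmon-style events.
Field names (image, parent, cmdline) and all sample values are assumed.
"""
import re

# --- Indicators taken from the write-up ---------------------------------
RANSOM_NOTE = "R3ADM3.txt"              # dropped in every encrypted folder
ENCRYPTED_EXT = ".vohuk"                # appended to encrypted files
STAGING_DIR = r"c:\programdata\vohuk"   # ransomware copies itself here as App.exe

# cipher.exe /w:<drive> overwrites free space. It is a legitimate admin tool,
# so on its own it is only a medium-confidence signal.
CIPHER_WIPE = re.compile(r"\bcipher(?:\.exe)?\b.*\s/w:", re.IGNORECASE)
# vssadmin delete shadows removes the volume shadow copies used for recovery.
VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)


def classify_process(event):
    """Return (label, severity) for one process-creation event, or None."""
    cmd = event.get("cmdline", "")
    parent = event.get("parent", "").lower()
    from_staging = parent.startswith(STAGING_DIR)
    if VSS_DELETE.search(cmd):
        return ("shadow_copy_deletion", "high")
    if CIPHER_WIPE.search(cmd):
        # cipher /w launched by a binary in the staging folder is the
        # post-encryption wipe step; from an admin shell it is likely benign.
        return ("free_space_wipe", "high" if from_staging else "medium")
    if event.get("image", "").lower().startswith(STAGING_DIR):
        return ("execution_from_staging_dir", "high")
    return None


def classify_file(path):
    """Return a label for one file create/rename path, or None."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name == RANSOM_NOTE.lower():
        return "ransom_note_dropped"
    if name.endswith(ENCRYPTED_EXT):
        return "vohuk_extension_rename"
    return None


def scan(process_events, file_events):
    """Aggregate findings: returns ({label: count}, verdict)."""
    counts = {}
    high = 0
    for ev in process_events:
        hit = classify_process(ev)
        if hit:
            counts[hit[0]] = counts.get(hit[0], 0) + 1
            high += 1 if hit[1] == "high" else 0
    for path in file_events:
        label = classify_file(path)
        if label:
            counts[label] = counts.get(label, 0) + 1
    # Ransom note + renamed files + at least one high-severity process event
    # together match the sequence the write-up describes.
    full_chain = ("ransom_note_dropped" in counts
                  and "vohuk_extension_rename" in counts
                  and high > 0)
    return counts, ("vohuk_like" if full_chain else "no_match")


# Constructed sample telemetry (not real data).
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\ProgramData\Vohuk\App.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\cipher.exe",
     "parent": r"C:\ProgramData\Vohuk\App.exe",
     "cmdline": "cipher.exe /w:C:\\"},
    {"image": r"C:\Windows\System32\cipher.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "cipher /w:D:\\"},          # an admin wiping free space by hand
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]
SAMPLE_FILE_EVENTS = [
    r"C:\Users\alice\Documents\budget.xlsx.Vohuk",
    r"C:\Users\alice\Documents\R3ADM3.txt",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    counts, verdict = scan(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS)
    print(counts, verdict)
```

The parent-process check is the part worth keeping in a real rule: cipher /w is routinely run by administrators, so alerting on the command alone is noisy, whereas cipher /w (or vssadmin) spawned by an executable under C:\ProgramData is the behaviour this write-up actually describes.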
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: VohukCrypt.RSM (Trojan)
This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.