ownedms17-010

HowRansomwareAttacksWhatdefendersshouldknowaboutthemostprevalentandpersistentmalwarefamiliesRansomware'sbehaviorisitsAchilles'heel,whichiswhySophosspendssomuchtimestudyingit.
Inthisreport,we'veassembledsomeofthebehavioralpatternsofthetenmostcommon,damaging,andpersistentransomwarefamilies.
Ourgoalistogivesecurityoperatorsaguidelinetounderstandthecorebehaviorsthatunderlieransomwareattacks,whichwealsousetoconvictransomwarewithSophos'behavioralengine,InterceptX.
ByMarkLoman,Director,EngineeringHowRansomwareAttacks2ContentsIntroduction3Ransomware4Traits4Dividingransomwareintocategories4Cryptographicallysignedcode4Privilegeescalation(andlateralmovement)5Networkfirst7Multi-threaded7Fileencryption8Rename8Keyblob9Wallpaper9Vssadmin9BCDEdit10Cipher100allocation10Flushbuffers11Encryptionbyproxy11Overview12Colorcoding13WannaCry13Characteristics13WannaCryfilesystemactivity14Matrix15Characteristics15Matrixfilesystemactivity16GandCrab17Characteristics17GandCrabfilesystemactivity18SamSam19Characteristics19SamSamfilesystemactivity20Dharma21Characteristics21Dharmafilesystemactivity21BitPaymer22Characteristics22BitPaymerfilesystemactivity22Ryuk23Characteristics23Ryukfilesystemactivity23LockerGoga24Characteristics24LockerGogafilesystemactivity24Partialencryption24MegaCortex25Characteristics25MegaCortexfilesystemactivity25RobbinHood26Characteristics26RobbinHoodfilesystemactivity26Sodinokibi27Characteristics27Sodinokibifilesystemactivity28IndicatorsofCompromise(IOCs)28HowRansomwareAttacks3IntroductionMostblogsorpapersaboutcrypto-ransomwaretypicallyfocusonthethreat'sdelivery,encryptionalgorithmsandcommunication,withassociatedindicatorsofcompromise(IOCs).
Thisresearchpapertakesadifferentapproach:ananalysisofthefilesystemactivityorbehaviorsofprominentcrypto-ransomwarefamilies(hereafter,simplycalledransomware).
Ransomwarecreatorsareacutelyawarethatnetworkorendpointsecuritycontrolsposeafatalthreattoanyoperation,sothey'vedevelopedafixationondetectionlogic.
Modernransomwarespendsaninordinateamountoftimeattemptingtothwartsecuritycontrols,tillingthefieldforafutureharvest.
It'saloteasiertochangeamalware'sappearance(obfuscateitscode)thantochangeitspurposeorbehavior,andransomwarealwaysshowsitstellwhenitstrikes.
Theincreasingfrequencywithwhichwehearoflargeransomwareincidentsindicatesthatthecodeobfuscationtechniquesransomwarenowroutinelyemploys,suchastheuseofruntimepackers,mustcontinuetobefairlyeffectiveagainstsomesecuritytools,otherwisetheransomwaremakerswouldn'tusethem.
It'simportanttorecognizethere'shopeinthisfight,andanumberofwaysadminscanresist:Windows10ControlledFolderAccess(CFA)whitelistingisonesuchway,allowingonlytrustedapplicationstoeditdocumentsandfilesinaspecifiedlocation.
Butwhitelistingisn'tperfect–itrequiresactivemaintenance,andgapsorerrorsincoveragecanresultinfailurewhenit'smostneeded.
HowRansomwareAttacks4RansomwareTraitsCriminalsareconstantlyreleasingnewransomwarevariants.
Toendpointprotectionproductsthatrelyonstaticanalysis,thesenewvariantsbearnoresemblancetoearliersamples.
Aswithotherformsofmalware,ransomwarecreatorsapplyruntimepackerstotheransomwareprogram,helpingtoconcealitspurposeandavoiddetectionuntilithascompleteditscoretask.
Inmostcases,ransomwarecreatorsuseproprietary,non-commercialpackersthatthwartautomatedunpackingroutinesusedbyendpointprotectionsoftware,makingithardertoclassifyanddeterminetheintentionofthepackedexecutable,aswellasmoredifficultforhumananalyststoreverseengineer.
Therearebehavioraltraitsthatransomwareroutinelyexhibitsthatsecuritysoftwarecanusetodecidewhethertheprogramismalicious.
Sometraits–suchasthesuccessiveencryptionofdocuments–arehardforattackerstochange,butothersmaybemoremalleable.
Mixingitup,behaviorallyspeaking,canhelpransomwaretoconfusesomeanti-ransomwareprotection.
DividingransomwareintocategoriesForthisreportweinvestigatedseveralprominentransomwarefamilies,andhavecategorizedthemintothreecategories,distinguishingthembythemethodattackersusetospreadtheinfection:1.
Cryptoworm-Astandaloneransomwarethatreplicatesitselftoothercomputersformaximumreachandimpact.
2.
Ransomware-as-a-Service(RaaS)–Aransomwaresoldonthedarkwebasadistributionkittoanyonewhocanaffordit.
TheseRaaSpackagesallowpeoplewithlittletechnicalskilltoattackwithrelativeease.
Theyaretypicallydeployedviamaliciousspame-mails(malspam),viaexploitkitsasadrive-bydownload,orsemi-manuallybyautomatedactiveadversaries.
3.
AutomatedActiveAdversary–Here,theransomwareisdeployedbyattackerswhousetoolstoautomaticallyscantheinternetforITsystemswithweakprotection.
Whensuchsystemsarefound,theattackersestablishafootholdandfromtherecarefullyplantheransomwareattackformaximumdamage.
Forexample,servicesthatareopenlyexposedtotheinternet–liketheRemoteDesktopProtocol(RDP)–areasought-afterentrypointastheyaresusceptibletoabrute-forcepassword-guessingattack.
Althoughvictimsmaybelievetheyaretargeted,theattackisusuallyopportunistic.
CryptographicallysignedcodeAttackersmayattempttominimizedetectionbysecuritysoftwarebysigningtheirransomwarewithanAuthenticodecertificate,whichanyonecanbuy(orsteal).
Signedprogramsaresupposedtoofferassurancethatthecodehasnotbeenmodifiedsincethesoftwarecompanyreleasedit,butitoffersnoassurancethatthesoftwareshouldevenberunninginthefirstplace.
Unfortunately,somesecuritytoolsconflate"digitallysigned"with"shouldbeallowedtorun.
"Whenransomwareisproperlycode-signed,anti-malwareoranti-ransomwaredefensesmightnotanalyzetheransomwareasrigorouslyastheywouldotherexecutablesthatlackavaliddigitalsignature.
Endpointprotectionsoftwaremayevenchoosetotrustthemaliciouscode.
https://en.
wikipedia.
org/wiki/Code_signingHowRansomwareAttacks5Newcode-signingcertificatestypicallycostaround$50.
Inadditiontosharingpaymentinformation,thecertificateauthorityrequiresthepersonororganizationpurchasingthecertificatetosupplycontactdetails.
Thecertificateauthoritycontactsthepurchaserviaemailandphonetovalidatetheirexistence.
Whilethisisahurdleandriskformanymalwareauthors,moreorganizedcriminalsmaketheefforttoensuretheirmalwareiscode-signedwithavalidAuthenticodecertificatetopreventdetectionandhelpensuresuccess.
Certificateissuersactquicklytorevokeasigningcertificatewhenthey'renotifiedthatthecertificateisbeingusedinthecommissionofacybercrime.
Oncethecertificateauthorityrevokesthedigitalcertificate,anditbecomesveryeasyforendpointprotectionsoftwaretolocateandquarantineallmalwaresignedwiththerevokedcertificate.
Privilegeescalation(andlateralmovement)Whileitisgoodpracticetogiveuseraccounts–andthereforetheapplicationstheyrun–limitedaccessrights,intoday'sthreatlandscapethatdoesn'thelpmuch.
Evenifthelogged-inuserhasstandardlimitedprivilegesandpermissions,today'sransomwareusesexploitstoelevatetheirownprivilegesandabusestolenadministratorcredentialstomakesuretheattackisperformedusingaprivilegedaccount.
Someexamples:EternalBlueisanexploitdevelopedbytheU.
S.
NationalSecurityAgency(NSA).
Itwasleakedand,later,usedaspartoftheworldwideWannaCryransomwareattackin2017.
InconjunctionwiththeDoublePulsarcodeinjectiontechnique,theexploitallowstheinstallationofmalwarewiththehighestprivilegesonanendpoint,regardlessoftheprivilegesoftheloggedinuser.
TosuppressaUserAccessControl(UAC)promptthatnormallyoccursduringprivilegeelevation,someransomwareemploysaUACbypassexploitthatsetsthepathtotheransomwareinaspecificregistrykey.
Whenthisisset,runningtheWindowsEventViewerprocess(eventvwr.
msc,aMicrosoftSavedConsolefile)willinadvertentlylaunchtheransomware(forexample,DharmaandBitPaymer)withelevatedprivileges,regardlessoftheprivilegesoftheloggedinuser.
ThisexploitworksforeveryversionofWindowsuntilWindows10CreatorsUpdate(April2017).
CVE-2018-8453isaWin32kElevationofPrivilege(EoP)use-after-freevulnerability.
Malwarethatsuccessfullyexploitsthisvulnerabilitycanrunarbitrarycodeinkernelmode.
Forexample,themalwarecaninstallprograms;view,change,ordeletedata;orcreatenewaccountswithfulluserrights,regardlessoftheprivilegesoftheloggedinuser.
TheSodinokibiransomware,forexample,exploitsthisvulnerabilitytoelevateitsprivileges.
Oncetheattackerscompromiseaserverorendpoint,manyactiveadversariesabuseexistingWindowstools,aswellasopen-sourcesecurityorpenetrationtestingtools.
Forinstance,theymightuseTASKKILL.
EXEtoterminateprocessesbelongingtoendpointprotectionsoftware.
TheymayevenintroduceatoollikeProcessHackertointeractivelymakethemachinetheirown.
They'llinstallaremoteaccesstool(RAT)likeCobaltStrike,Meterpreter,orPowerShellEmpireforflexibilityandtomaintainpersistenceontheirfootholdmachineuntilthemissioniscomplete.
https://docs.
microsoft.
com/en-us/security-updates/securitybulletins/2017/ms17-010https://enigma0x3.
net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/HowRansomwareAttacks6Oncethemachineisowned,manyattackersattempttoharvestalocaldomainadministrator'scredentialsusingapost-exploitationtoollikeMimikatz.
TheattackersmayaddanewdomainadministratoraccounttotheActiveDirectory(AD),justforthemtouse,incasetherealdomainadminschangepasswords.
Afterthekeystothekingdomhavebeenobtained,it'stimetousethem.
SomeactiveadversariesuseatoolcalledBloodHoundtomaptheActiveDirectorydomainanddeterminewherethemetaphoricalcrownjewels–serversorotherhigh-valuetargets—arestored.
Manyattackersspendthetimeinteractivelylookingforfileserversandthoseusedfordatabackups,asacorruptedordamagedbackupleavesthevictimmorelikelytoagreetopaytheransom.
We'veobservedransomwarethreatactorstakeoveraserverviatheRemoteDesktopProtocol(RDP),anddestroythebackupsviaransomencryption,orsometimesjustbydeletingthemnormally.
Lastly,theywilldistributeransomwaretopeerendpointsandfileserversusingthosesamedomainadmincredentialsandtheWindowssoftwaremanagementutilityWMI.
Toautomaticallydistributeransomwaretopeerendpointsandservers,adversariesmayleverageatrusteddual-useutilitylikePsExecfromMicrosoftSysInternals.
TheattackercraftsascriptthatliststhecollectedtargetedmachinesandincorporatesthemtogetherwithPsExec,aprivilegeddomainaccount,andtheransomware.
Thisscriptsuccessivelycopiesandexecutestheransomwareontopeermachines.
Thistakeslessthananhourtocomplete,dependingonthenumberofmachinestargeted.
Bythetimethevictimspotswhat'sgoingonitistoolate,astheseattackstypicallyhappeninthemiddleofthenightwhentheITstaffissleeping.
AsanalternativetoPsExec,activeadversarieshavealsobeenseenleveragingalogonandlogoffscriptviaaGroupPolicyObject(GPO),orabusingtheWindowsManagementInterface(WMI)tomass-distributeransomwareinsidethenetwork.
Attackershavebeenobservedleveragingstolencredentialsfor,orexploitingvulnerabilitiesin,remotemonitoringandmanagement(RMM)solutionslikeKaseya,ScreenConnect6,andBomgar.
TheseRMMsolutionsaretypicallyusedbyamanagedserviceprovider(MSP)thatremotelymanagesitscustomers'ITinfrastructureand/orend-usersystems.
RMMsolutionstypicallyrunwithhighprivilegesand,oncebreached,offeraremoteattacker"handsonkeyboard"access,resultinginunwanteddatahostagesituations.
Withsuchaccess,attackerscaneasilydistributeransomwareintonetworksremotely,potentiallyhittingmultipleMSPcustomersatonce.
Itisimportanttoenablemulti-factorauthentication(MFA)oncentralmanagementtoolsandleaveTamperProtectiononendpointprotectionsoftwareenabled.
ActiveadversarieswillattempttodisablelocalprotectionservicesviatoolslikeProcessHacker,butalsotrytologinintocentralsecurityportalstodisableprotectionacrossthenetwork.
https://github.
com/BloodHoundAD/BloodHoundhttps://www.
darkreading.
com/attacks-breaches/customers-of-3-msps-hit-in-ransomware-attacks/d/d-id/1335025https://www.
bleepingcomputer.
com/news/security/sodinokibi-ransomware-spreads-wide-via-hacked-msps-sites-and-spam/https://www.
darkreading.
com/risk/how-ransomware-criminals-turn-friends-into-enemies/a/d-id/1335778HowRansomwareAttacks7NetworkfirstToensurevictimspaytheransommoney,ransomwarewilltrytoencryptasmanydocumentsaspossible,sometimesevenrisking,orpurposelycrippling,theendpoint.
Thesedocumentscanbestoredonlocalfixedandremovabledrives,aswellasonmappedremoteshareddrives.
Theransomwaremightevenprioritizecertaindrivesordocumentsizesfirsttoensuresuccessbeforebeingcaughtbyendpointprotectionsoftwareornoticedbyvictims.
Forexample,ransomwaremaybeprogrammedtoencryptseveraldocumentsatthesametimeviamultiplethreads,prioritizesmallerdocuments,orevenattackdocumentsonmappedremoteshareddrivesfirst.
Innetworkedenvironments,endpoints–inbothlocalandremoteoffices–aretypicallyconnectedtoafileserverpark.
Businessdocuments,includingdrawingsandotherfiles,arestoredononeormorecentralfileservers,whichareaccessiblefromclientendpointsviaoneormoresharedfolders.
Usually,anendpointcouldhaveseveraldrivemappingstodifferentfileservershares,containingdocumentsfromindividualoffices,departments,teams,andprojectstosegregatethedata.
Ransomwarecausesthemostimmediatedamagetoanorganizationwhenitencryptsthesemappednetworkdrivesfirst,asitimmediatelyaffectsmostemployeesnomatterwheretheyaregeographicallylocated.
Whenemployeescannotdotheirwork,itdisruptstheentireorganization,puttingpressureonmanagementtopaytheransomdemand.
Andeventhoughmostbusinessesdocreatebackupsoftheirdata,mostbackupsaremadeperiodicallyandarenotalwaysuptodate.
Further,restoringmultipleserversfrombackupcantakemanydays,dependingonthesizeofthedataandnumberofaffectedservers.
Thefinancialimpactofsuchdelayscanmountupquickly.
Itisimportanttomentionthatthefileserversthemselvesareoftennotinfectedwiththeransomware.
Thethreattypicallyrunsononeormorecompromisedendpoints,abusingaprivilegeduseraccountwithadministrator-levelpermissionstoremotelyattackthedocuments.
Soevenifthefileserverisprotectedbyantivirussoftware,thethreatitselfisnotactuallyrunningontheserver.
Tomakemattersworse,manyendpointprotectionsolutionsdonotinspectdocumentchangesonremotesharedstoragedrives,evenwhentheyofferanti-ransomware.
Poorimplementationandpartialdrivecoverage–outofperformanceconcernsortechnicaldebt–arethemainreasonswhymostsecurityproductsandevenanti-ransomwaresolutionsfailtodetectaransomwareattack.
Multi-threadedComputersnowhaveoneormoremulti-coreCPUswithSimultaneousMultithreading(SMT)orHyper-Threading(HT)technology.
Suchadvancesinmicroprocessorhardwareofferhugeperformancebenefitsforday-to-daybusinessoperations,astheyallowparallelexecutionandbettersystemutilizationtospeedupproductivity.
SomeransomwareisspecificallydesignedtomakeefficientuseofmodernCPUhardwareandparallelizesindividualtaskstoensurefasterand,subsequently,moreharmfulimpactbeforevictimsdiscoverthey'reunderattack.
Theseattackscanachievehigherthroughputandlowerlatencysincedatainafastermedium(suchasmemory)canberetrievedbyonethreadwhileanotherthreadretrievesdatafromaslowermedium(suchasstorage),withneitherthreadwaitingfortheothertofinish.
HowRansomwareAttacks8Forexample,theSodinokibiransomwarehasstorageaccess(readingoriginaldocument,writingencrypteddocument),key-blobembedding,anddocumentrenamingonmultipleindividualthreads.
AndtheLockerGogaandMegaCortexransomwarelaunchsub-processesforeveryfewdocuments,tobothaccelerateandmakeithardertodetectandstoptheirattacks.
FileencryptionFromafilesystemactivityview,basedonhowitencryptsdocuments,ransomwarecanbedividedintotwogroups:overwriteandcopy.
OVERWRITE(IN-PLACE)COPYEncrypteddocumentisstoredonsamedisksectorsasoriginaldocument.
Steps:Encrypteddocumentisstoredonfreeavailabledisksectors.
Steps:1.
Readoriginaldocument;openedforRead/Write2.
Writeencryptedversionoveroriginaldocument3.
Renamedocument1.
Readoriginaldocument;openedforReadonly2.
Write(create)encryptedcopy(withdifferentfilenameorfileextension)3.
DeleteoriginaldocumentRemarksImpossibletorecoveroriginaldocumentswithdatarecoverytoolsSomeransomware,likeLockerGoga,renametheoriginaldocumentbeforeencryptionThefilenameoftheencryptedcopyisliketheoriginaldocumentWithoutadditional"wipe"actionsafterwards,itispossibletorecoversomeoriginaldocumentswithdatarecoverytoolsSomeransomware,likeWannaCry,maydeletetheoriginaldocumentsviaanotherapplicationorprocessRenameRansomwaretypicallyrenamesthedocumentsatthetimeofencryption.
Preciselywhentherenameprocesstakesplace(itcanhappenbeforeoraftertheransomwareencryptsthefile)usuallyremainsconsistentwithinaransomwarefamily.
Andsomeransomware(notablyRobbinHood)evenchangestheentirefilenameofthedocument.
Eitherway,theactofrenamingthefileshelpstheattackerinseveralways:1.
Makestheharmmorevisibletovictims,includingbothadministratorsandusers,asthedocumentfiletypeiconchangesinExplorerandapplications.
2.
Preventsdoubleencryptionofdocumentsshouldtheransomwarerunagainonthesamemachine.
Ifransomwarewereabletoencryptadocumenttwice,adecryptiontoolmaynotbeabletorecovertheoriginalfile.
3.
Preventsotherransomwarefromencryptingthefile,asransomwaretypicallyencryptsdocumentswithacertainfilenameextensiononly.
Thiswouldcertainlycomplicatedecryption,evenifthevictimpaidbothattackers,asthevictimwouldneedtoknowwhichransomwareranfirst.
4.
Breaksthefiletyperelationshiptothefile'sparentapplication,andalsopreventstheuserfromrecoveringtheirfilesfromearlierversionsintheWindowsVolumeShadowCopyService.
HowRansomwareAttacks95.
Complicatesthesalvageofdeleteddocumentsusingspecialrecoverysoftware.
RecoverysoftwaretypicallyscanstheMasterFileTable(MFT)fordeletedfilesthathaveacertainfilenameextension.
Insituationswheretheransomwarehasencryptedacopyofthedocumentinsteadofperformingin-placeencryption,therecoverysoftwareneedstodoafulldisksurfaceanalysisinstead,whichtakesalotmoretime.
Butsinceafilesystemwillreusesectorspreviouslyoccupiedbynow-deletedfiles,recoveryresultsmaybelimited.
6.
Someransomwarechangesthefilenameextensiontoanemailaddressoftheattackersovictimscanclearlyseewhomtocontactfortheransompaymentandthedecryptiontool–althoughthereisnoguaranteeallencrypteddocumentscanbecorrectlydecryptedtotheiroriginalstate.
Manyransomwareattackersmakepoorsoftwaredevelopers.
KeyblobInordertorecovertheencrypteddocuments,ransomwarestoresakeythatadecryptiontoolwiththeprivatekeycanusetorevertthedamage.
Thisblobofdataisprepended,appended,orstoredinoneormoreseparatefiles,dependingontheransomwarefamily.
WallpaperToensurevictimsimmediatelyunderstandwhathashappenedandurgethemtopaytheransomdemand,someransomwarelikeWannaCryandSodinokibireplacetheWindowsdesktopwallpaperwithamessagethatconfrontsthevictim.
VssadminMicrosoftWindowsofferstheabilitytoperformrecovery"rollbacks.
"ItaccomplishesthiswiththeVolumeShadowService(VSS).
Windowsmaintainspriorversioncopiesofdocuments(andsystemfiles)thathavechanged–notjustasinglepreviousversion,butpotentiallymanypreviousversions.
Thesepreviousversionfilesareeasilyrecoverableevenifthecurrentversionhasbeensuccessfullywiped.
TheVSSrequiresthevolumesitshieldstobeformattedwiththeNTFSfilesystem.
Typically,ransomwarewillrenameyourdocumentsduringitsattack,breakingtherelationshipwithapreviousversionfilestoredbytheVSS.
Theoretically,youcouldrenameanencrypteddocumentbacktoitsoriginalfilename–thusrestoringtherelationship–andthenrestoretheoriginalfromVSStoundotheeffectsofaransomwareattack.
Unfortunately,attackersroutinelydeletethevolumeshadowcopiesduringtheattack,viaaWindowsutilitycalledVSSADMIN.
EXE.
Thisutilityprovidesacommand-lineinterfacewiththevolumeshadowcopyserviceandrequireselevatedadministratorprivileges.
Attackerstypicallystealoralreadypossessprivilegedcredentialsoruseanexploittoelevateprivileges.
AnalternativemethodtodeletethevolumeshadowcopiesisviaWindowsManagementInstrumentation(WMI).
Windowsincludesacommand-lineutilitycalledWMIC.
EXEtoaccessWMI,whichisusedbymanyapplicationsasascriptinginterface.
SimplyblockingorusingGroupPolicytorestrictWMIC.
EXEwilllikelybreaksomeday-to-daytasks.
HowRansomwareAttacks10BCDEditAlongwithremovingbackupsofdocumentsandotherfilesstoredbytheWindowsVolumeShadowService,ransomwarecanalsotrytopreventvictimsandWindowsfromembarkingonarecoveryproceduretorepairthecomputer.
Toachievethis,itabusestheWindowscommandBCDEDIT.
EXE,whichallowsmanipulationoftheWindowsBootConfigurationData(BCD).
Suchransomwaretypicallysetthefollowingoptions:1.
recoveryenabledNo–DisabletheWindowsdiagnosticandrepairfeature,soitnolongerrunsautomaticallyafterathirdunsuccessfulbootofyourcomputer.
2.
bootstatuspolicyIgnoreAllFailures–Ignoreerrorsifthereisafailedboot,failedshutdown,orfailedcheckpoint.
Thecomputerwillattempttobootnormallyafteranerroroccurs.
CipherRansomwarelikeLockerGogaandMegaCortexabusetheCIPHER.
EXEcommand-linetoolfromMicrosofttomakesureransomwarevictimscannotrecoverdeleteddocumentsfromtheirstoragedrives.
ThistoolhasbeenpartofWindowssinceWindows2000andisintendedtomanagelegitimatelyencrypteddatausingtheEncryptingFileSystem(EFS).
CIPHER.
EXEalsoprovidestheabilitytopermanentlyoverwrite(or"wipe")allofthedeleteddataonastoragedrive–asabusedbysomeransomware.
ThefeatureismeanttoimprovesecuritybyensuringthatevenanattackerwhogainedcompletephysicalcontrolofaWindowscomputerwouldbeunabletorecoverpreviouslydeleteddata.
Inthehandsofransomwareattackers,CIPHER.
EXEaddstoanalreadybigproblem.
0allocationInsteadofperforminganin-placeencryption,someransomwarefirstcreatesanencryptedcopyofthedocumentitattacksandthendeletestheoriginalfile.
Comparedtoin-placeencryption,inthiscasetheencryptedcopiesarestoredelsewhereonthestoragedrive.
Adatarecoverytoolcouldlifttheoriginalfilesaslongasthemarked-freesectorsofthedeletedfileshavenotyetbeenoverwritten.
Tofrustratethisrecoveryavenue,theDharmaransomwaresetsthefilesizeofeachoftheattackeddocumentsto0bytesbeforedeletion.
DatarecoverytoolslikeRecuvacanquicklylistdeletedfilesandtheirclusterallocationsandcanlift(copy)thesefilesfromtheaffectedstoragedrive.
ItcandosothankstotheMasterFileTable(MFT),whichoftenstillholdsrecordsofthedeleteddocuments,includingthephysicallocationofthesefilesonthestoragedrive.
Therecordsofthedeleteddocumentshavethedeletedbitsetandarecoverytoolcanfocusonthisbittohelpvictimstogetsomedataback.
Butsettingthefilesizeto0afterdeletionwillupdatetherecordofthefileintheMasterFileTable(MFT),makingitmoredifficultfordatarecoverytoolstorecoverdeleteddocuments.
https://support.
microsoft.
com/en-us/help/298009/cipher-exe-security-tool-for-the-encrypting-file-systemHowRansomwareAttacks11FlushbuffersWindowsimprovessystemperformancebyusingwrite-cachingonfixed,removable,andnetworkmappedstoragedevices.
Butransomwarevictimswhoareinapanicandphysicallypowerofftheirmachinemightcausedatalossordatacorruption(whichisstillbetterthanallowingallyourdocumentstobeencryptedandheldforransom).
Thisisalsothereasonwhy,beforeWindows10v1809,youhadtofollowtheSafelyRemoveHardwareprocedurefore.
g.
portableUSBstoragedevicesthatholduserdataandfiles,suchasexternalharddrivesandthumbdrives.
FileserversaretypicallysetupwithRAIDstorage,oftenwithabattery-backedwritecache.
Onthesemachines,write-cachebufferflushingisusuallydisabledtofurtheroptimizeperformance,asthebattery-backedwritecacheallowsthemachinetoflushitsbufferincaseofpowerfailurewithoutriskingdatalossorcorruption.
Atthecostofsomeperformance,someransomware(likeWannaCry,GandCrabandBitPaymer)makecertainthatthewrittendataoftheencrypteddocumentsareimmediatelypersistedtothestoragedrive.
TheydosobyeithercallingtheFlushFileBuffersfunctionorusingWriteThrough.
EncryptionbyproxySomeransomware–likeGandCrabandSodinokibi–abuseWindowsPowerShelltohoistinaPowerShellscriptfromtheinternet,whichissettoautomaticallystarttheransomwareafterseveraldays,makingtheattackappeartocomeoutofnowhere.
Inthisscenario,theactualfileencryptionattackitselfisperformedbythetrustedWindowsPOWERSHELL.
EXEprocess,makingendpointprotectionsoftwarebelieveatrustedapplicationismodifyingthedocuments.
Toachievethesamegoal,ransomwarelikeRyukmayinjectitsmaliciouscodeintoatrustedrunningprocesslikeSVCHOST.
EXE.
AndtheMegaCortexransomwareusestheWindowsRUNDLL32.
EXEapplicationtoencryptdocumentsfromatrustedprocess.
RansomwarelikeBitPaymermayrunfromaNTFSAlternateDataStream(ADS)inanattempttohidefrombothvictimusersandendpointprotectionsoftware.
9https://support.
microsoft.
com/en-us/help/4495263/windows-10-1809-change-in-default-removal-policy-for-external-mediahttps://en.
wikipedia.
org/wiki/RAIDHowRansomwareAttacks12OverviewWANNACRYGANDCRABSAMSAMDHARMABITPAYMERTypeCryptowormRansomware-as-a-Service(Raas)AutomatedActiveAdversaryAutomatedActiveAdversaryAutomatedActiveAdversaryCode-signedPrivilegeescalationExploitCredentialsCredentialsCredentialsExploitNetworkfirst---YesYesMulti-threaded---Yes-FileencryptionCopy,In-placeIn-placeCopyCopyIn-placeRenameAfterAfterAfterAfterAfterKeyblobHeaderEndoffileHeaderEndoffileRansomnoteWallpaperYesYes---VssadminAfterAfterBeforeBefore,AfterBeforeBCDEditAfter----Cipher0allocation---Yes-FlushbuffersYesWriteThrough--YesEncryptionbyproxy-Yes---RYUKLOCKERGOGAMEGACORTEXROBBINHOODSODINOKIBITypeAutomatedActiveAdversaryAutomatedActiveAdversaryAutomatedActiveAdversaryAutomatedActiveAdversaryRansomware-as-a-Service(Raas)Code-signed-YesYes--PrivilegeescalationCredentialsCredentialsCredentialsCredentialsExploitNetworkfirstMulti-threadedYes---YesFileencryptionIn-placeIn-placeIn-placeCopyIn-placeRenameAfterBeforeBeforeAfterAfterKeyblobEndoffileEndoffileSeparatefileNewEndoffileWallpaper----YesVssadminAfter-AfterBeforeBeforeBCDEdit---BeforeAfterCipher-AfterAfter--0allocationFlushbuffersEncryptionbyproxyYes-Yes--HowRansomwareAttacks13ColorcodingInthefollowingchapters,theterm'documents'alsocoversotherproductivityfiletypeslikespreadsheets,drawings,images,andphotos.
FILESYSTEMACTIVITYCOLORCODINGCLARIFICATION:Queryfileinformationoractivity,notdirectlyassociatedwiththeencryptionattackitselfOpenafileforreadonlyCreateanewfileonfreeavailabledisksectorsOpenanexistingfileforreadingandwritingtomakefilechangesOpenfilefordeleteorrenameWannaCryWannaCryisacrypto-ransomwarenetworkworm(orcryptoworm)whichtargetscomputersrunningtheMicrosoftWindows7operatingsystem,encryptingdocumentsanddemandingransompaymentsinthebitcoincryptocurrency.
BetweenMay12and15,2017,anoutbreakofthiscrypto-ransomwaretookplace,infectingmorethan230,000computersin150countries.
WannaCryisconsideredanetworkwormbecauseitalsoincludesitsowntransport.
Thistransportcodescansforvulnerablesystems,thenusestheEternalBlueexploittogainaccess,andtheDoublePulsarcodeinjectionmethodtoinstallandexecuteacopyofitself.
Morethantwoyearson,modifiedWannaCryvariantsstillcauseheadachesforITadminsandsecurityanalysts:https://news.
sophos.
com/en-us/2019/09/18/the-wannacry-hangover/CharacteristicsSample(SHA-256)ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AASingle-threaded,i.
e.
itencryptsonedocumentatatimeConfigurestheDiscretionaryAccessControlList(DACL)oneachdocumenttogivegroupEveryonefullaccesspermissionsFirstcreatesencryptedcopiesofalldocuments,thusincreasing(doubling)diskusageEncryptsoriginaldocumentinplaceandinchunksof256KB(262,144bytes)andmovesittothe%temp%folderwithanewfilenameandfileextensionAseparateapplicationTASKDL.
EXEdeletesthescrambledoriginalsinthe%temp%folder,afteralldocumentsareencryptedDeletesvolumeshadowcopiesviaVSSADMIN.
EXE,afterthedocumentsareencryptedDeletesthebackupcatalogonthelocalcomputerviaWBADMIN.
EXE,afterthedocumentsareencryptedChangesthedesktopwallpaperhttps://en.
wikipedia.
org/wiki/WannaCry_ransomware_attackhttps://en.
wikipedia.
org/wiki/EternalBluehttps://en.
wikipedia.
org/wiki/DoublePulsarHowRansomwareAttacks14WannaCryfilesystemactivitySTEPOPERATIONPURPOSE1SetSecurityFileModifydiscretionaryaccesscontrollist(DACL)oforiginaldocumenttoFullforgroupEveryone,viatheWindowsapplicationICACLS.
EXE.
2CreateFileCheckifencrypteddocumentwith'.
WNCRY'fileextensionexists.
3CreateFile(GenericRead)Openoriginaldocumentforreadonly.
4QueryBasicInformationFileRecordtimestampsonoriginaldocument.
5ReadFileReadfirst8bytesoforiginaldocument.
6CreateFile(GenericWrite)Createencryptedfilewith'.
WNCRYT'fileextension,forwriteonly.
7WriteFileWrite'WANACRY!
'string(8bytes)inencryptedfile.
8WriteFileWrite4bytes,atoffset8bytes,inencryptedfile.
9WriteFileWrite256bytes,atoffset12bytes,inencryptedfile.
10WriteFileWrite4bytes,atoffset268bytes,inencryptedfile.
11WriteFileWrite8bytes,atoffset272bytes,inencryptedfile.
12ReadFileReadoriginaldocument,entirely(0bytestoEndOfFile).
13WriteFileWriteencryptedfile,entirely,atoffset280bytes.
14SetBasicInformationFileGiveencryptedfilesametimestampsasoriginaldocument.
15CloseFileCloseoriginaldocument.
16CloseFileCloseencryptedfile.
17SetRenameInformationFileChangefileextensionofencryptedfilefrom'.
WNCRYT'to'.
WNCRY'.
18CreateFile(GenericWrite)Openoriginaldocumentforwriteonly.
20WriteFileWrite1,024bytes(1KB)inoriginaldocument.
AtoffsetEndOfFile-1,024bytes.
21FlushBuffersFileCommitallbuffereddatatobewrittentodisk.
21WriteFile(Non-cached)Write4,096bytes(4KB)inoriginaldocument,atoffsetAllocationSizeondisk-4,096bytes.
22WriteFileWriteinchunksof262,144bytes(256KB)inoriginaldocument.
23CloseFileCloseoriginaldocument,nowencryptedfile.
24OpenFile(ReadAttributes)Openencryptedfile.
25SetRenameInformationFileRenamefileto%temp%\.
WNCRYT.
ReplaceIfExists:True.
26CloseFileCloseencryptedfile.
#SetDispositionInformationFileOncealldocumentsonthediskareencrypted,aseparateapplicationTASKDL.
EXEisruntodelete%temp%\*.
WNCRYT(i.
e.
all'.
WNCRYT'files).
HowRansomwareAttacks15MatrixTheransomwarewecallMatrixhighlightsanothergrowingtrendwithinthecybercriminalcommunity:toengageinactive,targetedattacksagainstvictimnetworkswiththegoalofdeliveringmalwareinsidethevictim'snetwork.
ThisthreatvectorhasbeengainingprominencesincethewidelypublicizedSamSamransomwarebegantocapitalizeonit.
Themalwareisdelivered,inmostcases,bytheattackersperforminganactivebrute-forceattackagainstthepasswordsforWindowsmachinesaccessiblethroughafirewallthathastheremotedesktopprotocol(RDP)enabled.
Themalwareexecutablebundleswithinitselfseveralpayloadexecutablesitneedstoaccomplishitstasks.
Onceithasgainedafootholdinsidethenetwork,MatrixusestheRDPwithinthenetworksithasinfected.
Amongtheembeddedcomponentsaresomefree,legitimatesystemadministratortoolsthemalwareusestoachievesomeofitsgoals.
Acomprehensivebutmoretraditionalmalwareresearchreportonthisransomwareisavailablehere:https://www.
sophos.
com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-matrix-report.
pdfCharacteristicsSample(SHA-256)2A12EEB58AC0A2A3E9CD1DBBF1752086EE19387CAAA0E1232EAA13CBFED2C80ASingle-threaded,i.
e.
itencryptsonedocumentatatimeOpensdocumentsforread/writeforin-placeencryptionEncrypts65,536bytesatthebeginningand65,536bytesofdataattheendofthedocument;notentiredocumentRenamesthedocumentbyaddinganidentifiertothefiletypeextensionDeletesvolumeshadowcopiesviaWMIC.
EXEandVSSADMIN.
EXE,beforethedocumentsareencryptedChangesthedesktopwallpaperHowRansomwareAttacks16MatrixfilesystemactivitySTEPOPERATIONPURPOSE1QueryStandardInformationFileDeterminefilesizeoforiginaldocumentondisk.
2QueryStandardInformationFileDeterminefilesizeoforiginaldocumentondisk.
3QueryStandardInformationFileDeterminefilesizeoforiginaldocumentondisk.
4QueryStandardInformationFileDeterminefilesizeoforiginaldocumentondisk.
5QueryStandardInformationFileDeterminefilesizeoforiginaldocumentondisk.
6QueryStandardInformationFileDeterminefilesizeoforiginaldocumentondisk.
7QueryStandardInformationFileDeterminefilesizeoforiginaldocumentondisk.
8QueryStandardInformationFileDeterminefilesizeoforiginaldocumentondisk.
9CreateFile(Read/Write)Openoriginaldocumentforreadandwrite.
10QueryStandardInformationFileDeterminefilesizeoforiginaldocumentondisk.
11ReadFileRead61,440bytes(60KB)fromoriginaldocument,atoffset0bytes.
12ReadFileRead4,096bytes(4KB)fromoriginaldocument,atoffset61,440bytes(60KB).
13QueryStandardInformationFileDeterminefilesizeoforiginaldocumentondisk.
14ReadFileRead61,440bytes(60KB)fromoriginaldocument,atoffsetEndOfFile-65,536bytes(64KB).
15ReadFileRead4,096bytes(4KB)fromoriginaldocument,atoffsetEndOfFile-4,096bytes(4KB).
16QueryStandardInformationFileDeterminefilesizeoforiginaldocumentondisk.
17WriteFileWrite61,440encryptedbytes(60KB),infile,atoffset0bytes.
18WriteFileWrite4,096(4KB)encryptedbytesinfile,atoffset61,440bytes(60KB).
19QueryStandardInformationFileDeterminefilesizeof–nowpartiallyencrypted–fileondisk.
20WriteFileWrite61,440encryptedbytes(60KB)infile.
AtoffsetEndOfFile-65,536bytes(64KB).
21WriteFileWrite4,096encryptedbytes(4KB)infile.
AtoffsetEndOfFile-4,096bytes(4KB).
22QueryStandardInformationFileDeterminefilesizeofencryptedfileondisk.
23WriteFileWrite1,384bytes,atoffsetEndOfFile,inencryptedfile.
24CloseFileCloseoriginaldocument,nowencryptedfile.
25CreateFile(ReadAttributes)Openencryptedfile.
26SetRenameInformationFileRenameFile.
ReplaceIfExists:True.
Example:BEM1IkKW-iLpTMM6H.
[barboza40@yahoo.
com]27CloseFileCloseencryptedfile.
HowRansomwareAttacks17GandCrabInthefirsthalfof2019,GandCrabwasthemostpopularransomwareusedinlargescale,untargetedattacksthatusemaliciouswebsitesoremailattachmentstoinfectasmanyvictimsaspossible.
ItscreatorspeddledittoanyonewhowantedtouseitusingtheRansomware-as-a-Service(RaaS)model,whichnettedthemapercentageofeachransomitextorted.
GandCraboperatorschoosetheransomtheywanttodemand,typicallysomewherebetweenafewhundredtoafewthousanddollarspercomputer.
Inthelastcoupleofyears,anewtemplateforransomwareattackshasemerged.
Somecriminalsareturningawayfrom"fireandforget"distributioninfavorofhighlyfocused,guidedattacks,generallyreferredtoastargetedattacks.
Thedistributioniscarriedoutbyanadversary,whousestoolstoautomaticallyscantheinternetforITsystemswithweakprotection.
Althoughvictimsmaybelievetheyhavebeentargeted,theattackisusuallyopportunistic,thankstothevulnerabilityscannersused.
RansomwareattackscarriedoutbyautomatedactiveadversarieshavetypicallybeenassociatedwithBitPaymer,SamSam,orRyuk.
RaaSofferingslikeGandCraballowcrookswithlesstechnicalabilitytoalsogetinontheactwithoutneedingtocreatetheirownransomware,commandandcontrolinfrastructure,orpaymenthandling.
InFebruary2019werevealedhowautomatedactiveadversariesdeliveredaGandCrabransomwarebyhandtoattackahospital:https://nakedsecurity.
sophos.
com/2019/02/14/inside-a-gandcrab-targeted-ransomware-attack-on-a-hospital/CharacteristicsSample(SHA-256)6FBA19BF0CC1BB764E063C1DE51CAF0CF0A6CC90FA76B592BCDE28CEEE161BDCSingle-threaded,i.
e.
itencryptsonedocumentatatimeOpensdocumentsforread/writeforin-placeencryptionUsesWriteThroughtoensurethewriteispersistedtodiskwithoutpotentialcachingdelaysDeletesvolumeshadowcopiesviaVSSADMIN.
EXEafterdocumentsareencryptedChangesthedesktopwallpaperHowRansomwareAttacks18GandCrabfilesystemactivitySTEPOPERATIONPURPOSE1CreateFile(Read/Write)Openoriginaldocumentforreadandwrite.
2QueryStandardInformationFileDeterminefilesizeoforiginaldocumentondisk.
3ReadFileRead540bytesfromoriginaldocument.
AtoffsetEndOfFile-540bytes.
4ReadFileReadoriginaldocument,entirely(0bytestoEndOfFile).
5WriteFile(WriteThrough)Overwriteoriginaldocumentwithencryptedversion,entirely.
Length:EndOfFile.
6WriteFile(Non-cached)Overwriteoriginaldocumentwithencryptedversion.
Length:AllocationSize.
7QueryStandardInformationFileDeterminefilesizeofnowencrypteddocumentondisk.
8WriteFileWrite540bytestoencryptedfile,atoffsetEndOfFile.
9WriteFileWrite4,096(4KB)toencryptedfile.
AtoffsetAllocationSize-4,096bytes(4KB).
10CloseFileCloseoriginaldocument,nowencryptedfile.
11CreateFile(ReadAttributes)Openencryptedfile.
12SetRenameInformationFileRenameencryptedfile(addfileextension,e.
g.
'.
gxjei').
ReplaceIfExists:True.
13CloseFileClosedocument.
HowRansomwareAttacks19SamSamSamSammalwarefirstappearedinDecember2015,andsincethenmorethan$6millionhasbeendepositedintoSamSambitcoinwallets.
ThepatternofattacksandtheevolutionoftheSamSammalwaresuggeststhatit'stheworkofasmallgroupatmost.
Attacksareinfrequent(aroundoneaday)comparedtootherkindsofransomware,buttheyaredevastating.
AfterbreakinginviatheRemoteDesktopProtocol(RDP),theattackerattemptstoescalatetheirprivilegestothelevelofDomainAdminsothattheycandeploySamSammalwareacrossanentirenetwork,justlikeasysadmindeployingregularsoftware.
Theattackerseemstowaituntilvictimsarelikelytobeasleepbeforeunleashingthemalwareoneveryinfectedmachinesimultaneously,givingthevictimlittletimetoreact.
Aransomnotedemandspaymentofabout$50,000inbitcoinsanddirectsthevictimstoadarkwebsite(ahiddenserviceonTheOnionRouter(TOR)network).
TheallegedattackersbehindtheSamSamransomware,whooperatedfromIran,havebeenidentifiedandarewantedbytheFBI,thefederallawenforcementagencyoftheUnitedStates.
SincethesuspectswereindictedinDecember2018,theSamSamransomwarehasnotbeenseenagain.
Beforethen,morethan230entitieswereinfected,$6millioninransompaymentswasextorted,andanestimated$30billionindamagesaffectedprivateandpublicinstitutions,includinghospitalsandschools.
Anin-depthreportontheSamSamransomwareisavailablehere:https://news.
sophos.
com/en-us/2018/07/31/sophoslabs-releases-samsam-ransomware-report/CharacteristicsSample(SHA-256)8C0425ECA81E1EEAF8043764EB38A2BC103598163D3307E583F4E5AD7EB0E708Single-threaded,i.
e.
itencryptsonedocumentatatimeUsesa3,072bytesheaderwithanXMLstructure,i.
e.
basedonASCII-onlycharacters,thatcanskewanalysisoftheencryptedbinaryfileCreatesanencryptedcopyoftheoriginaldocumentonfreeavailabledisksectors.
Theoretically,ifnotoverwrittenbyotherdata,theoriginaldocumentcanberecoveredfromdiskDeletesvolumeshadowcopiesviaVSSADMIN.
EXE,beforethedocumentsareencryptedhttps://www.
justice.
gov/opa/press-release/file/1114746/downloadhttps://www.
fbi.
gov/news/stories/iranian-ransomware-suspects-indicted-112818HowRansomwareAttacks20SamSamfilesystemactivitySTEPOPERATIONPURPOSE1CreateFile(GenericWrite)Createencryptedfilebasedonoriginaldocumentfilenamewithaddedfileextension,e.
g.
'.
weapologize.
'2WriteFileWrite3,072bytesinencryptedfile,atoffset0bytes.
3CloseFileCloseencryptedfile.
4CreateFile(GenericRead)Openoriginaldocumentforreadonly.
5ReadFileReadoriginaldocument,entirely(0bytestoEndOfFile).
6CloseFileCloseoriginaldocument.
7CreateFile(GenericWrite)Openencryptedfileforwriteonly.
8WriteFileWriteencryptedversionoforiginaldocument,entirely,atoffset3,072bytes.
9CloseFileCloseencryptedfile.
10CreateFile(GenericWrite)Openencryptedfile.
11WriteFileWrite2,492bytesinencryptedfile,atoffset0bytes.
12CloseFileCloseencryptedfile.
13CreateFile(ReadAttributes)Openoriginaldocument.
14SetDispositionInformationFileDelete:True.
15CloseFileCloseoriginaldocument,committingdelete.
HowRansomwareAttacks21DharmaCharacteristicsSample(SHA-256)B8D32ED92E3227836054ED6BB4E53AD2E0ABE4617F1215D5E81162F9F5513EC2DharmaisalsoknownasCrySISDeletesvolumeshadowcopiesviaVSSADMIN.
EXE,bothbeforeandafterthedocumentsareencryptedMulti-threaded,i.
e.
itencryptsmultipledocumentsatatimeOpensoriginaldocumentforread/writebutdoesn'tchangecontents.
Instead,itsetsthefilesizeoforiginaldocumentto0bytesbeforeitisdeletedCreatesanencryptedcopyoftheoriginaldocumentonfreeavailabledisksectors;theoretically,ifnotoverwrittenbyotherdata,theoriginaldocumentwouldberecoverablefromdisk.
However,thisiscomplicatedasthefilesizeofthedocumentissetto0bytesbeforeitisdeletedSettingthefilesizeoftheoriginaldocumentto0bytesmayhinderbehavior-baseddetectioninanti-ransomwaretechnologyDharmafilesystemactivitySTEPOPERATIONPURPOSE1CreateFile(GenericRead/Write)Openoriginaldocumentforreadingandwriting.
3CreateFile(GenericWrite)Createencrypteddocumentbasedonoriginaldocumentfilenamewithaddedfileextension.
Example:Desert.
jpg.
id-.
[veracrypt@foxmail.
com].
adobe4ReadFileReadoriginaldocument,entirely.
5WriteFileWriteencryptedfile,entirely,+11bytesatEndOfFile.
6ReadFileReadoriginaldocument,atoffsetEndOfFile,1,048,560bytes.
7WriteFileWrite212bytes+(lengthoriginalfilename*2bytes),inencryptedfile,atoffsetsizeoforiginaldocument.
8SetEndOfFileInformationFileSetEndOfFileofencryptedfiletosizeoforiginaldocument+addedbytes.
9SetAllocationInformationFileSetAllocationSizeofencryptedfiletoEndOfFileofencryptedfile.
10CloseFileCloseencryptedfile.
10SetEndOfFileInformationFileSetEndOfFileoforiginaldocumentto0bytes.
11SetAllocationInformationFileSetAllocationSizeoforiginaldocumentto0bytes.
12CloseFileCloseoriginaldocument.
13CreateFile(ReadAttributes)Openoriginaldocument.
14SetDispositionInformationFileDelete:True.
15CloseFileCloseoriginaldocument,committingdelete.
HowRansomwareAttacks22BitPaymerCharacteristicsSample(SHA-256)655C44BEBB2A642E665316236A082C94F88A028721C19BD28B5F25E1C40A13B8DeletesvolumeshadowcopiesviaVSSADMIN.
EXE,beforethedocumentsareencryptedSingle-threaded,i.
e.
itencryptsonedocumentatatimeKnowntoabuseanalternatedatastream(ADS),afeatureoftheNTFSfilesystemthatallowstheransomwaretohideitselffromplainsightandevadesecuritytoolsthatarenotabletolookintoanADSEmploysFlushBuffersFiletoensurebuffereddataisimmediatelycommittedtothediskRenamesdocumentafterencryptionForeachencrypteddocument,BitPaymercreatesaransomnotetextfilethatalsocontainsthekeyblobinbase64fordecryptionBitPaymerfilesystemactivitySTEPOPERATIONPURPOSE1CreateFile(GenericRead/Write)Opendocumentforreadingandwriting.
2ReadFileReaddatafromdocument.
3WriteFileWriteencrypteddataintodocument.
4FlushBuffersFileCommitchangestodisk.
5CloseFileClosenowencrypteddocument.
6CreateFile(ReadAttributes)Openencrypteddocument.
7SetRenameInformationFileRenameencrypteddocument:add'.
'fileextension.
8CloseFileCloseencrypteddocument.
9CreateFile(GenericRead/Write)Createransomnotetextfile'_readme'.
10WriteFileWritedata,includingkeyblob,intoransomnote.
11CloseFileCloseransomnotetextfile.
HowRansomwareAttacks23RyukCharacteristicsSample(SHA-256)830F83578F3A5593B103EA4A682788DC376E96247CD790417F2630884D686E9FBasedonHermesransomwareMulti-threaded,i.
e.
itencryptsmultipledocumentssimultaneouslyEncryptsdataonmappednetworkdrivesAddsthekeyblobattheendoftheencrypteddocumentRyukfilesystemactivitySTEPOPERATIONPURPOSE1CreateFile(GenericRead/Write)Opendocumentforreadingandwriting.
2ReadFileReaddatafromdocument.
3WriteFileWriteencrypteddataintodocument.
4CloseFileClosenowencrypteddocument.
5CreateFile(ReadAttributes)Openencrypteddocument.
6SetRenameInformationFileRenameencrypteddocument:add'.
RYK'fileextension.
7CloseFileCloseencrypteddocument.
HowRansomwareAttacks24LockerGogaCharacteristicsSample(SHA-256):2CE4984A74A36DCDC380C435C9495241DB4CA7E107FC2BA50D2FE775FB6B73CEThesampleisdigitallycode-signedwithavalidAuthenticodecertificateissuedto'ALISALTD';thisisanattemptbythemalwareauthortominimizeanti-malwaredetection,asexecutablesthataresignedusingvalidcertificatesmaynotbeanalyzedasrigorouslyasexecutableswithoutsignatureverificationSingle-threaded,i.
e.
itencryptsonedocumentatatimeRenamesdocumentbeforeencryptingitEncryptsentiredocumentsinchunksof64kilobytesDoesnotencryptmappednetworkdrives,butLockerGogaisusuallydistributedacrossthenetworktootherendpointsandserversviaPsExecorWMIusingstolen(domain)credentialsAddsthekeyblobattheendoftheencrypteddocumentRunstheWindowsstandardapplicationCIPHER.
EXEwiththe/wswitchtowipeunuseddiskspace,afterthedocumentsareencryptedChangesthepasswordsofalluseraccountsLockerGogafilesystemactivitySTEPOPERATIONPURPOSE1CreateFile(ReadAttributes)Opendocument.
2SetRenameInformationFileRenamedocument:add'.
locked'fileextension.
3CloseFileCloserenamedoriginaldocument.
4CreateFile(GenericRead/Write)Openrenameddocumentforreadingandwriting.
5ReadFileReaddatafromdocument.
6WriteFileWriteencrypteddataintodocument.
7CloseFileClosenowencrypteddocument.
PartialencryptionAblogonLockerGogabyUnit42inMarch2019discussespartialencryptionoffilesbyasamplefromJanuary2019.
SophosLab'ssampleisfromapreviouslyundiscussedtargetedattackthatencryptsdocumentsentirely.
https://unit42.
paloaltonetworks.
com/born-this-way-origins-of-lockergoga/HowRansomwareAttacks25MegaCortexCharacteristicsSample(SHA-256)F5D39E20D406C846041343FE8FBD30069FD50886D7D3D0CCE07C44008925D434Thesampleisdigitallycode-signedwithavalidAuthenticodecertificateissuedto'3ANLIMITED';Ifthiswasanattemptbythemalwareauthortominimizeanti-malwaredetection,itwasunsuccessful.
Analystsquicklydiscoveredthatthesamecertificatehadbeenusedtosignexecutablesusedbythe(completelyunrelated)RietspoofmalwarefamilyMegaCortexdropsadynamiclinklibrary(DLL)modulethatisrunviaRUNDLL32.
EXE,anapplicationpartofWindowsthatloads32-bitDLLs;thismaythwartsomeanti-ransomwaresolutionsthatdonotmonitororareconfiguredtoignoreencryptionactivitybydefaultWindowsapplicationsTheMegaCortexsampleisprotectedbyauniquebase64passwordandonlyrunsinacertaintimeframe;thisfrustratesboththreatresearchersandsandboxanalysisthatattempttorevealthepurposeofthesampleRenamesdocumentbeforeencryptingitDoesnotencryptmappednetworkdrives,butMegaCortexisusuallydistributedacrossthenetworktootherendpointsandserversviaPsExecorWMIusingstolen(domain)credentialsForeverytendocumentstobeencrypted,anewRUNDLL32.
EXEprocessisspawned–oneprocessatatime–controlledviasharedmemoryallocatedbyMegaCortex.
Thismaythwartsomeanti-ransomwaresolutionsthatdonottrackencryptionofafewdocumentsbyasingleprocessid.
Also,oninfectedendpointsandserverswithmanydocumentsthiscangeneratealotofactivityforEndpointDetectionandResponse(EDR)solutionstomonitorandrecordDeletesvolumeshadowcopiesviaVSSADMIN.
EXE,afterthedocumentsareencrypted,toavoidrecoveryofearlierversionsoftheaffecteddocumentsRunstheWindowsstandardapplicationCIPHER.
EXEwiththe/wswitchtowipeunuseddiskspace,afterthedocumentsareencryptedStoresthekeyblobsinonerandomlynamedsinglefileMegaCortexfilesystemactivitySTEPOPERATIONPURPOSE1CreateFile(Read/Write)Opendocumentforreadingandwriting.
2SetRenameInformationFileRenamedocument:add'.
aes128ctr'fileextension.
3ReadFileReaddatafromdocument.
4WriteFileWriteencrypteddataintodocument.
5CloseFileClosenowencrypteddocument.
HowRansomwareAttacks26RobbinHoodCharacteristicsSample(SHA-256)3BC78141FF3F742C5E942993ADFBEF39C2127F9682A303B5E786ED7F9A8D184BRobbinHoodfilesystemactivitySTEPOPERATIONPURPOSE1CreateFile(GenericRead)Opendocumentforreadonly.
2CreateFile(GenericWrite)Createencryptedfilenamed'Encrypted_'+randomstringandadd'.
enc_robbinhood'fileextension.
#ReadFileReaddatafromoriginaldocument,inchunksof10KB.
#WriteFileWriteencrypteddataintodocument,inchunksof10KB.
5WriteFileAddkeyblobtoencrypteddocumentatendoffile.
6CloseFileCloseoriginaldocument.
7CloseFileCloseencrypteddocument.
8CreateFile(ReadAttributes)Openoriginaldocument.
9SetDispositionInformationFileDelete:True.
10CloseFileCloseoriginaldocument,committingdelete.
HowRansomwareAttacks27SodinokibiCharacteristicsSample(SHA-256)06B323E0B626DC4F051596A39F52C46B35F88EA6F85A56DE0FD76EC73C7F3851AppearedonthethreatlandscapeinApril2019,alsoknownasSodinandREvilransomwareDistributionanddeliveryviamaliciousspame-mails(malspam)andautomatedactiveadversary(targeted)attacks:Maliciousspame-mails(malspam)withacompressed(zip)archiveattachedthatholdsaWorddocument.
ThisdocumentcontainsanobfuscatedmacrowritteninVisualBasicforApplications(VBA)whichusesWindowsPowerShelltodownloadtheransomwareintextform(ascriptwiththeransomwareencodedinbase64)fromPastebin.
com,apopularwebsitewhereanyonecanstoretextonlineforasetperiodoftime;thetextisdeletedafterafewhoursmakinginvestigationafterwardsmoredifficult.
TheransomwareisloadedstraightintomemorybyPowerShellwithoutdroppingaPortableExecutable(PE)fileonthedisk,makingitmorecomplicatedforsomedisk-basedanti-malwaretoscanitwithe.
g.
virussignaturesandmachinelearning(ML).
Note:Therecipientisexpectedtoopenthespame-mail,opentheattachedziparchive,opentheWorddocumentthatisinside,andenablethemacrosinWordAutomatedactiveadversary(targeted)attacksthatuseWindowsPowerShelltohoistinaPowerShellscriptfromPastebin.
com,whichissettoautomaticallystarttheransomwareafteronemillionseconds(10.
5days),makingtheattackseemtocomeoutofnowhere.
Nointeractionwiththevictimisrequired.
Initialaccessisvia:--VulnerableOracleWeblogicservers(CVE-2019-2725)--Brute-forced/purchased/stolencredentialsforinternet-exposedWindowsserversthatadvertiseRDP--Hackedmanagedserviceproviders(MSPs)thatuseKaseya,ScreenConnect,BomgarandotherremotemonitoringandmanagementproductsElevatesprivilegestoSYSTEMbyexploitingCVE-2018-8453,aWin32kelevationofprivilegevulnerability.
Elevationofprivileges(EoP)isrequiredtoencryptdocumentsincasethevictimisastandarduserwithoutadministrativeprivileges.
ItisalsorequiredtodeletevolumeshadowcopiesanddisableWindowsStartupRepairTheransomwareismulti-threaded;documentreadingandwritingtheencryptedversiontodisk,key-blobembeddinganddocumentrenamingareonindividualthreadsOpensdocumentsforread/writeforin-placeencryptiontoimpederecoveryviadatarecoverytoolsKeyblobfordecryptionisstoredattheendoftheencrypteddocumentRenamesdocumentafterencryptingitHowRansomwareAttacks28DeletesvolumeshadowcopiesviaVSSADMIN.
EXEbeforethedocumentsareencryptedtoavoidrecoveryofearlierversionsoftheaffecteddocumentsDisablestheWindowsStartupRepairtooltopreventvictimsfromattemptingtofixsystemerrorsthatmayhavebeencausedbytheransomwareChangesthedesktopwallpaperonaffectedsystemsintoanoticeinformingusersthattheirfileshavebeenencryptedRansomistypically$2,500-$5,000USD,tobepaidinbitcoin.
PaymentviaautomatedsiteonTOR,akathedarkwebSodinokibifilesystemactivitySTEPOPERATIONPURPOSE1CreateFile(GenericRead/Write)Opendocumentforreadingandwriting.
2ReadFileReaddatafromdocument.
4WriteFileWriteencrypteddataintodocument.
5WriteFileAddkeyblobtoencrypteddocumentatendoffile.
6CloseFileClosenowencrypteddocument.
7CreateFile(ReadAttributes)Openencrypteddocument.
8SetRenameInformationFileRenamedocument:add'.
4pqrk340'fileextension.
9CloseFileCloseencrypteddocument.
IndicatorsofCompromise(IOCs)RANSOMWARESHA-256HASHOFANALYZEDSAMPLEWannaCryED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AAMatrix2A12EEB58AC0A2A3E9CD1DBBF1752086EE19387CAAA0E1232EAA13CBFED2C80AGandCrab6FBA19BF0CC1BB764E063C1DE51CAF0CF0A6CC90FA76B592BCDE28CEEE161BDCSamSam8C0425ECA81E1EEAF8043764EB38A2BC103598163D3307E583F4E5AD7EB0E708DharmaB8D32ED92E3227836054ED6BB4E53AD2E0ABE4617F1215D5E81162F9F5513EC2BitPaymer655C44BEBB2A642E665316236A082C94F88A028721C19BD28B5F25E1C40A13B8Ryuk830F83578F3A5593B103EA4A682788DC376E96247CD790417F2630884D686E9FLockerGoga2CE4984A74A36DCDC380C435C9495241DB4CA7E107FC2BA50D2FE775FB6B73CEMegaCortexF5D39E20D406C846041343FE8FBD30069FD50886D7D3D0CCE07C44008925D434RobbinHood3BC78141FF3F742C5E942993ADFBEF39C2127F9682A303B5E786ED7F9A8D184BSodinokibi06B323E0B626DC4F051596A39F52C46B35F88EA6F85A56DE0FD76EC73C7F3851UnitedKingdomandWorldwideSalesTel:+44(0)8447671131Email:sales@sophos.
comNorthAmericanSalesTollFree:1-866-866-2802Email:nasales@sophos.
comAustraliaandNewZealandSalesTel:+61294099100Email:sales@sophos.
com.
auAsiaSalesTel:+6562244168Email:salesasia@sophos.
comCopyright2019.
SophosLtd.
Allrightsreserved.
RegisteredinEnglandandWalesNo.
2096520,ThePentagon,AbingdonSciencePark,Abingdon,OX143YP,UKSophosistheregisteredtrademarkofSophosLtd.
Allotherproductandcompanynamesmentionedaretrademarksorregisteredtrademarksoftheirrespectiveowners.
191104WPEN(DD)TodiscovermorecontentfromtheSophosLabsteamvisit:Sophos.
com/Labs