By Caique Barqueta: Ransomware attacks are constantly on the rise. This increase is driven by a new sales model known as "Ransomware-as-a-Service" (RaaS). The model is subscription-based and lets affiliates (the buyers) use ransomware tools that have already been developed to carry out attacks; affiliates then earn a percentage of each successful ransom payment they collect.
Ransomware-as-a-Service adopts the Software-as-a-Service (SaaS) business model. As a result, criminal actors don't need the skill to write ransomware themselves: they simply buy the service on demand and receive a set percentage of the ransom.
Trend Micro's Threat Report noted a 63.2% increase in Ransomware-as-a-Service and new extortion groups in 2022.
Before we delve into some new operators in the course of the report, we illustrate below the number of Indicators of Compromise (IoCs) that the ISH intelligence team collects on a daily basis through GTI (Global Threat Intelligence).
Indicators of Compromise (IoCs)
Below, we illustrate the number of Indicators of Compromise (IoCs) handled daily by the GTI, covering different types of indicators such as MD5, SHA-1 and SHA-256 hashes, malicious IP addresses and others.
Ransomware
83,288 Indicators of Compromise (IoCs) from various Ransomware families were detected, as shown in the image below:
In addition to the various Indicators already listed, the ISH Heimdall team has focused its efforts on enriching the threat database, with the addition of 436,461,027 Indicators of Compromise (IoCs) in the last 30 days.
IP addresses
Another key trace that threat actors leave behind, and that helps identify them, is the IP address. It is very valuable information for tracking and studying threat actors and for protecting an environment against domains and IP addresses deemed malicious.
ISH collects and analyzes the malicious activity of these main offenders on a daily basis, as shown in the screenshot below: from 29/10 to 29/11 we collected and analyzed 18,017,176 malicious IP addresses, which were promptly shared with customers via MISP.
How does the RaaS model work?
For RaaS to work, the operator needs ransomware that has been written and developed by capable, trusted developers, so that affiliates are willing to sign up and distribute the malware.
RaaS developers create malicious code with a high chance of successful intrusion and a low detection rate by security solutions.
After development, the ransomware is adapted to a multi-tenant infrastructure so that it is ready to be licensed to several affiliates. These affiliates receive integration documentation and a step-by-step guide to launching ransomware attacks.
Some RaaS distributors even provide affiliates with a dashboard to monitor the status of each ransomware infection attempt, as is the case with the operators of the Eternity ransomware.
For a better understanding, we set out below the difference between ransomware operators and affiliates, defining the responsibilities of each:
| RaaS operators | RaaS affiliates |
|---|---|
| Recruit affiliates on forums. | Pay to use the ransomware, or agree to a service fee per ransom collected. |
| Give affiliates access to a "create your own ransomware payload" panel. Create a dedicated command-and-control panel for the affiliate to track the payload. | Identify target victims. Set ransom demands. Configure post-compromise user messages. |
| Compromise the victim's assets. Maximize infection using "living off the land" techniques. Execute the ransomware. | |
| Set up a payment portal for victims. "Help" affiliates negotiate with victims. | Communicate with the victim via chat portals or other communication channels. |
| Manage a dedicated leak site. | Manage the decryption keys. |
There are four common RaaS revenue models:
- Monthly subscription for a fixed fee;
- Affiliate programs, which are the same as a monthly fee model, but with a percentage of the profits (usually 20-30%) going to the ransomware developer;
- One-off license fee with no profit sharing;
- Profit sharing.
Examples of RaaS
Below, we list the main RaaS operators:
DarkSide: a RaaS operation associated with an eCrime group. It focuses on Windows machines and has expanded to Linux, targeting corporate environments running unpatched VMware ESXi hypervisors or by stealing vCenter credentials.
REvil: also known as Sodinokibi, has been identified as the ransomware behind one of the largest ransom demands ever recorded, approximately US$10 million. The RaaS is sold under the affiliate model and usually takes 40% of the profits. REvil warns victims of an impending data leak by posting on its data leak site (DLS) blog, including sample data as proof.
LockBit: in operation since mid-September 2019, LockBit is also offered as a RaaS, as announced on its data leak website, shown in the image below with a message to affiliates.
In addition to those mentioned above, the Heimdall team identified new ransomware operator groups at work, such as AXLocker, Octocrypt and Alice, and analyzed relevant artifacts from them in order to understand their behavior.
AXLocker ransomware
Ransomware operators have created yet another tool, called AXLocker, which can encrypt various types of files and render them completely unusable. The ransomware also steals Discord tokens from the victim's machine and sends them to its server, after which a ransom note is displayed on the victim's system with instructions to obtain the decryption tool needed to recover the encrypted files.
For the technical analysis we examined the sample with SHA-256 hash c8e3c547e22ae37f9eeb37a1efd28de2bae0bfae67ce3798da9592f8579d433c, which initial analysis identified as a 32-bit .NET GUI executable.
Static analysis revealed that it uses the EncryptFile, AES Decrypt and AES Encrypt functions to encrypt data.
We also found that the ransomware accesses the following folders in order to exfiltrate data from them:
- \Discord
- \discordcanary
- \discordptb
- \\Opera Software\Opera Stable
- \Google\Chrome\User Data\Default
- \BraveSoftware\Brave-Browser\User Data\Default
- \Yandex\YandexBrowser\User Data\Default
- \Local Storage\leveldb
In addition, the ransomware's startencryption() function contains code that searches for files by enumerating the directories available on the C:\ drive. It looks for specific file extensions to encrypt and excludes a list of directories from the encryption process. The extensions the ransomware targets include:

.rar, .zip, .m3u, .m4a, .mp3, .wma, .ogg, .wav, .sqlite, .sqlite3, .img, .nrg, .doc, .docx, .docm, .odt, .rtf, .wpd, .wps, .csv, .key, .pps, .ppt, .pptm, .pptx, .psd, .vcf, .xlr, .xls, .xlsx, .xlsm, .ods, .odp, .indd, .dwg, .dxf, .kml, .kmz, .gpx, .cad, .wmf, .txt, .3fr, .ari, .arw, .bay, .bmp, .cr2, .crw, .cxi, .dcr, .dng, .eip, .erf, .fff, .gif, .iiq, .j6i, .k25, .kdc, .mef, .mfw, .mos, .mrw, .nef, .nrw, .orf, .pef, .png, .raf, .raw, .rw2, .rwl, .rwz, .sf2, .srf, .srw, .x3f, .jpg, .jpeg, .tga, .tiff, .tif, .3g2, .3gp, .asf, .avi, .flv, .m4v, .mkv, .mov, .mp4, .mpg, .swf, .vob, .wmv
After execution, the malicious payload sets itself as hidden in the folder it was run from; during analysis this was observed as one of the ways it conceals itself in the operating system.
After encryption, the ransomware displays a message warning that the files have been encrypted, as shown in the image below:
As for the encryption itself, this ransomware does not change the file name or extension; it only encrypts the file content, as shown below:
Finally, we conclude that the ransomware uses a ProcessFile function, which in turn calls the EncryptFile function identified earlier and encrypts the files with AES.
After encryption, the ransomware collects the hostname, username, machine IP address, system UUID and Discord tokens and sends them to the C2, a Discord webhook at the URL: https://discord.com/api/webhooks/1039930467614478378/N2J80EuPMXSWuIBpizgDJ-75CB6gzTyFE72NQ0DJimbA7xr.
Octocrypt Ransomware
A new ransomware operator has been identified that targets all versions of the Windows operating system. Its developer compiled the threat in the Go (Golang) language. It operates under the Ransomware-as-a-Service (RaaS) model and appeared on forums in posts aimed at cybercriminals around October 2022.
The advertisement identified claims the ransomware has the following features:
- Builder, encryptor and decryptor written in Golang;
- Encryption on all Windows versions;
- Encryption of documents, photos, databases, drives, etc;
- Encryption using AES-256-CTR;
- Secure exchange with ECDSA;
- Simple web interface for building encryptors and decryptors;
- Dynamic compilation obfuscation;
- Easy configuration of the web interface via Docker;
- Changing the desktop background after infection.
The ransomware was advertised for US$400.00, with support channels such as Telegram. Notably, the seller also published several screenshots, shown below:
In the analysis of the malicious artifact with SHA-256 9a557b61005dded36d92a2f4dafdfe9da66506ed8e2af1c851db57d8914c4344, we found that it is packed. Some relevant strings were identified before execution, such as the text of the ransom note the ransomware creates.
In summary, this ransomware enumerates and identifies the folders on the host and begins encrypting the files with the AES-256 algorithm, changing the file extension to .octo. It then drops the ransom note under the file name "INSTRUCTIONS.html" and changes the victim's wallpaper, demanding that the ransom amount be paid to a specific Monero wallet address.
Before running, the ransomware checks that the system is connected to the internet and then tests a TCP connection to its API URL.
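The two file-system traces described above, AXLocker encrypting content in place while leaving the file name and extension untouched, and Octocrypt renaming files to .octo and dropping INSTRUCTIONS.html, can be hunted for with one scan. The script below is an added example written for this page, not code from the report or from either malware family: it flags files whose extension still promises a known header (PNG, JPEG, GIF, ZIP/OOXML, RAR, SQLite) but whose content no longer starts with it and has ciphertext-like entropy, and separately flags the Octocrypt note and extension. The magic-byte table is a constructed subset, and the 7.5 bits/byte entropy threshold and the sample directory tree are assumptions made for the demonstration.

```python
import math
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Expected leading bytes for a handful of the extensions AXLocker targets.
# Constructed subset for this example; real triage would use a fuller table.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",  # OOXML files are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".rar": b"Rar!\x1a\x07",
    ".sqlite": b"SQLite format 3\x00",
}

# Octocrypt artefacts as described in the report.
OCTO_EXT = ".octo"
OCTO_NOTE = "INSTRUCTIONS.html"

# Ciphertext is close to 8 bits/byte; most plaintext formats sit well below this.
ENTROPY_THRESHOLD = 7.5  # assumed cut-off for this example


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path, sample_size: int = 4096) -> Optional[str]:
    """Return a finding label for `path`, or None when nothing looks wrong."""
    ext = path.suffix.lower()
    if path.name == OCTO_NOTE:
        return "octocrypt-ransom-note"
    if ext == OCTO_EXT:
        return "octocrypt-renamed-file"
    sig = MAGIC.get(ext)
    if sig is None:
        return None  # no signature to compare against
    head = path.read_bytes()[:sample_size]
    if head.startswith(sig):
        return None
    # Extension kept but expected header gone: the AXLocker pattern of
    # encrypting content in place without renaming the file.
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "header-mismatch-high-entropy"
    return "header-mismatch"


def scan(root: Path) -> Dict[str, str]:
    """Walk `root` and map each flagged file (relative path) to its finding."""
    findings: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            label = classify(p)
            if label:
                findings[str(p.relative_to(root))] = label
    return findings


def build_sample_tree() -> Path:
    """Create a constructed directory tree that exercises each rule."""
    root = Path(tempfile.mkdtemp(prefix="rw-scan-"))
    (root / "photo.png").write_bytes(MAGIC[".png"] + b"\x00" * 64)  # intact image
    (root / "enc.png").write_bytes(os.urandom(4096))  # encrypted in place, name kept
    (root / "notes.txt").write_bytes(b"plain text; no signature to check")
    (root / "report.docx.octo").write_bytes(os.urandom(512))  # Octocrypt rename
    (root / OCTO_NOTE).write_text("<html>constructed ransom note</html>")
    return root


if __name__ == "__main__":
    for rel, label in sorted(scan(build_sample_tree()).items()):
        print(f"{label:30} {rel}")
```

Run as-is it scans the constructed temporary tree; pointing scan() at a real share or backup mount triages it the same way. A header mismatch without high entropy (for example a plain-text file that was simply misnamed) is reported under a separate label, since that case is usually benign and should not be treated as an encryption event.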
Having analyzed the behavior of these ransomware families, we list below the Tactics, Techniques and Procedures (TTPs) they use.
TTPs identified
Tactic: Execution
- T1059 - Command and Scripting Interpreter.
- T1204 - User Execution.
- T1047 - Windows Management Instrumentation (WMIC).
Tactic: Defense Evasion
- T1497 - Virtualization/Sandbox Evasion.
Tactic: Credential Access
- T1528 - Steal Application Access Token.
Tactic: Discovery
- T1087 - Account Discovery.
- T1082 - System Information Discovery.
- T1083 - File and Directory Discovery.
Tactic: Persistence
- T1547.001 - Registry Run Keys / Startup Folder.
- T1053 - Scheduled Task/Job.
Tactic: Command and Control
- T1071 - Application Layer Protocol.
Tactic: Impact
- T1486 - Data Encrypted for Impact.
Tactic: Exfiltration
- T1020 - Automated Exfiltration.
Indicators of Compromise
ISH Tecnologia handles a large number of Indicators of Compromise collected from open sources, closed sources and analysis carried out by the Heimdall security team. Below we list all the Indicators of Compromise (IoCs) related to the artifacts analyzed in this report:
Indicators of compromise for the analyzed malicious artifacts:

| # | md5 | sha1 | sha256 | Imphash | Authentihash | Size (bytes) |
|---|---|---|---|---|---|---|
| 1 | a18ac3bfb1be7773182e1367c53ec854 | c3d5c1f5ece8f0cf498d4812f981116ad7667286 | c8e3c547e22ae37f9eeb37a1efd28de2bae0bfae67ce3798da9592f8579d433c | f34d5f2d4577ed6d9ceec516c1f5a744 | 4e66b0300b44f80b12619c3a6ad6906cf31018f67b2c6bd99ce62637a525b4a2 | 74752 |
| 2 | ad1c2d9a87ebc01fa187f2f44d9a977c | 03d871509a7369f5622e9ba0e21a14a7e813536d | d9793c24290599662adc4c9cba98a192207d9c5a18360f3a642bd9c07ef70d57 | f34d5f2d4577ed6d9ceec516c1f5a744 | bbb846f427711ff608da75e4dc5a6e816d508ff1798b90a2abea3c511c61f590 | 90624 |
| 3 | 9be47a6394a32e371869298cdf4bdd56 | ca349c0ddd6cda3a53ada634c3c1e1d6f494da8a | 9e95fcf79fac246ebb5ded254449126b7dd9ab7c26bc3238814eafb1b61ffd7a | f34d5f2d4577ed6d9ceec516c1f5a744 | 5015f41c8f309b7d52e7e1adb2d45285daa003ca1cb649d44998dab67d9f14ac | 413696 |
| 4 | 07563c3b4988c221314fdab4b0500d2f | a5f53c9b0f7956790248607e4122db18ba2b8bd9 | 0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224 | f34d5f2d4577ed6d9ceec516c1f5a744 | f9dfc44a1a52c15b633782931ee2dae0b8f21ff0a7f41db626151edb0ae514f9 | 1547264 |
| 5 | ab2c19f4c79bc7a2527ab4df85c69559 | 60a692c6eaf34a042717f54dbec4372848d7a3e3 | d51297c4525a9ce3127500059de3596417d031916eb9a52b737a62fb159f61e0 | f34d5f2d4577ed6d9ceec516c1f5a744 | e2f5d36c75e1289051613a4ba84a2c0b9b0b0fda69c961b623be075aa09d8cf5 | 71168 |
| 6 | 346e7a626d27f9119b795c889881ed3d | ce25203215f689451a2abb52d24216aec153925a | 9a557b61005dded36d92a2f4dafdfe9da66506ed8e2af1c851db57d8914c4344 | 9cbefe68f395e67356e2a5d8d1b285c0 | aaa6af90f28c35da27e32cd1d307498760366fdec81d91beb15315dc0f112795 | 5054976 |
| 7 | 5a39a2c4f00c44e727c3a66e3d5948c2 | 07e7341b86ace9935c4f1062d41a94f3b31f9bf6 | 65ad38f05ec60cabdbac516d8b0e6447951a65ca698ca2046c50758c3fd0608b | 9cbefe68f395e67356e2a5d8d1b285c0 | faf8f5d166135deaaef70c115cf18e95468a5ab7703f04c3a27780bcb05ac374 | 5054976 |
| 8 | 2afdbca6a8627803b377adc19ef1467d | 13a0ce1c3ac688c55ba3f7b57fb6c09ad0e70565 | e65e3dd30f250fb1d67edaa36bde0fda7ba3f2d36f4628f77dc9c4e766ee8b32 | 6ed4f5f04d62b18d96b26d6db7c18840 | 6213361e9f102fe42b033da2dc97f5ce6c8ce3d133ff2430286f5f969c8181f0 | 1936896 |
| 9 | 8dea06f2ba3faf074876e78324412375 | 1a3f94b59728358da7c149f240a734293492a7d2 | a7528fefccbb36949a97476e4717bc0af1359c13d028a5df6a5c8c8687d851e8 | 9cbefe68f395e67356e2a5d8d1b285c0 | f5627003a7c26ff0ddf43dc8dd512fb833f34908a84f7a2203a27632208b9ea9 | 5054976 |
Mitigation
Below are some security measures we recommend adopting across all of your organization's assets and infrastructure.
- Enforce strong passwords;
- Enable multi-factor authentication (MFA);
- Re-evaluate and simplify user account permissions;
- Keep backups of the entire system, and snapshots/images of local machines, prepared and stored securely so they can be used in the event of a ransomware incident;
- Use tools to monitor e-mail, the network and the other channels through which files and company data enter and leave, so that potentially malicious files are identified immediately;
- Feed the IoCs extracted in this report into your continuous infrastructure monitoring tools.
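The last recommendation, consuming the report's IoCs in monitoring tooling, can be done at its simplest with a file-hash sweep. The script below is an added example for this page, not ISH's or GTI's tooling: it parses hash lines in the layout of the IoC tables above (an excerpt of those tables is embedded as constructed input, with the values copied from the AXLocker and Octocrypt entries), computes MD5, SHA-1 and SHA-256 of every file under a directory in a single pass, and reports matches. Imphash and Authentihash values are deliberately skipped because they are not whole-file digests, so a plain hash sweep cannot match on them. The sample directory tree, and the "planted" file whose hash is added to the set to demonstrate a hit, are constructed for the example.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Set, Tuple

# Excerpt in the layout of this report's IoC tables (values copied from the
# AXLocker and Octocrypt entries above). The parser accepts any number of blocks.
REPORT_EXCERPT = """
md5: | a18ac3bfb1be7773182e1367c53ec854 |
sha1: | c3d5c1f5ece8f0cf498d4812f981116ad7667286 |
sha256: | c8e3c547e22ae37f9eeb37a1efd28de2bae0bfae67ce3798da9592f8579d433c |
Imphash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
md5: | 346e7a626d27f9119b795c889881ed3d |
sha1: | ce25203215f689451a2abb52d24216aec153925a |
sha256: | 9a557b61005dded36d92a2f4dafdfe9da66506ed8e2af1c851db57d8914c4344 |
Imphash: | 9cbefe68f395e67356e2a5d8d1b285c0 |
"""

HASH_LINE = re.compile(r"^\s*(md5|sha1|sha256)\s*:\s*\|?\s*([0-9a-f]+)",
                       re.IGNORECASE | re.MULTILINE)
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def parse_iocs(text: str) -> Set[str]:
    """Extract md5/sha1/sha256 values from 'label: | hash |' lines.

    Imphash and Authentihash lines are ignored: they are not digests of the
    whole file, so a plain file-hash sweep cannot match on them.
    """
    iocs = set()
    for label, value in HASH_LINE.findall(text):
        if len(value) == HEX_LENGTHS[label.lower()]:
            iocs.add(value.lower())
    return iocs


def hash_file(path: Path, chunk: int = 1 << 20) -> Dict[str, str]:
    """Compute md5, sha1 and sha256 of a file in one read pass."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(),
               "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def sweep(root: Path, iocs: Set[str]) -> Dict[str, str]:
    """Map each file under `root` whose digest is in `iocs` to 'algo:hash'."""
    hits: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digests = hash_file(p)
            except OSError:
                continue  # unreadable file; a real sweep would log this
            for algo, value in digests.items():
                if value in iocs:
                    hits[str(p.relative_to(root))] = f"{algo}:{value}"
                    break
    return hits


def build_sample_tree() -> Tuple[Path, str]:
    """Constructed tree: one benign file and one 'planted' file whose sha256
    is returned so the caller can add it to the IoC set and observe a hit."""
    root = Path(tempfile.mkdtemp(prefix="ioc-sweep-"))
    (root / "clean.txt").write_bytes(b"ordinary document, constructed")
    planted = root / "planted.bin"
    planted.write_bytes(b"constructed stand-in for a known-bad artifact")
    return root, hashlib.sha256(planted.read_bytes()).hexdigest()


if __name__ == "__main__":
    known_bad = parse_iocs(REPORT_EXCERPT)
    tree, planted_hash = build_sample_tree()
    print("report IoCs loaded:", len(known_bad))
    print("hits against report set only:", sweep(tree, known_bad))
    print("hits with planted hash added:", sweep(tree, known_bad | {planted_hash}))
```

A sweep like this only catches the exact samples listed; repacked or rebuilt payloads will have new hashes, which is why the page's behavioral TTPs and the Imphash values (useful in tooling that computes import hashes of PE files) should be used alongside it rather than instead of it.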
References:
- Heimdall by ISH Tecnologia
- GTI by ISH Tecnologia
- VX-underground
- MalwareBazaar