Ransomware Attacks in Belgium – Analysis & Protection


Written by: Max Malyutin, Haim Nahmani, and Itamar Meydoni

Recent reports describe a wave of ransomware attacks targeting organizations in Belgium. While the damage this wave inflicts is substantial, the ransomware itself has not been publicly associated with any known malware family or attack group. The Cynet research team has conducted a thorough analysis of several samples from these attacks and concluded that they strongly resemble both GlobeImposter and MedusaLocker ransomware. The full analysis is available below.

Cynet 360 identifies the ransomware used in these attacks with various detection logics and prevents its execution. Blocking this ransomware involves the following mechanisms: 

Cynet’s multilayer protection is able to granularly identify the various malicious components in the overall process execution, providing airtight protection against these types of attacks.

Ransomware Analysis and Conclusions

ATTACK FLOW

The attacker uses a PowerShell script file, which was distributed to all the systems that were encrypted.

The PowerShell script is a known PowerSploit module called Invoke-ReflectivePEInjection, which can be found here:

http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/

https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectivePEInjection

When run, the PowerShell script compiles an independent 32-bit instance of PowerShell, names it “svhost.exe” and places it in the AppData\Roaming directory:

The PowerShell script then creates a scheduled task that runs every 15 minutes and attempts to remove all shadow copies via VSSADMIN using the svhost.exe created earlier. svhost.exe executes the following command, which is responsible for deleting all backups: “vssadmin.exe Delete Shadows /All /Quiet”

svhost.exe is launched by the process DllHost.exe, which runs with the following command line to bypass the User Account Control prompt when doing so:

C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

This UAC bypass method is known as CMSTP:
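The chain described above (svhost.exe dropped in AppData\Roaming, DllHost.exe started with the CMSTP CLSID, and vssadmin deleting shadow copies) gives a defender several concrete detection points. The following is an added example, not code from the original analysis or from Cynet: it runs simple rules over constructed Sysmon-style process-creation events, and the field names Image, CommandLine and ParentImage are an assumption about the log schema.

```python
import re

# Constructed sample events modelled on Sysmon Event ID 1 (not from the page).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\DllHost.exe",
     "CommandLine": r"C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
     "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Users\alice\AppData\Roaming\svhost.exe",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\svhost.exe",
     "ParentImage": r"C:\Windows\SysWOW64\DllHost.exe"},
    {"Image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\svhost.exe"},
    # Benign: the real svchost.exe lives in System32 and is started by services.exe.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# CLSID quoted in the analysis above (CMSTP UAC bypass via DllHost /Processid).
CMSTP_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}".lower()
# The dropper's look-alike name: "svhost" (one letter short of svchost) under Roaming.
ROAMING_SVHOST = re.compile(r"\\AppData\\Roaming\\svhost\.exe$", re.IGNORECASE)
# Shadow-copy deletion, with or without the .exe suffix and in any letter case.
VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def classify(event):
    """Return the list of rule names matched by one process-creation event."""
    hits = []
    img, cmd, parent = event["Image"], event["CommandLine"], event["ParentImage"]
    if img.lower().endswith("dllhost.exe") and CMSTP_CLSID in cmd.lower():
        hits.append("uac_bypass_cmstp_clsid")
    if ROAMING_SVHOST.search(img):
        hits.append("svhost_lookalike_in_roaming")
    if VSS_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
        # Higher confidence when the deleting process is the dropped binary itself.
        if ROAMING_SVHOST.search(parent):
            hits.append("shadow_copy_deletion_from_roaming_svhost")
    return hits


def scan(events):
    """Map event index -> matched rules, keeping only events that matched."""
    results = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[i] = hits
    return results
```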

By extracting the Base64-encoded ransomware payload from the initial PowerShell script (DMX_CnC.tmp), we were able to create an executable version of the ransomware:

By reading all the strings in the file line by line, we were able to locate a certain string that we suspected to be unchanging across variants of the ransomware.

Analyzing the encrypted files’ extension, the encryption method and the ransom note, we can conclude that this ransomware has indicators associated with two well-known malware families:

  1. GlobeImposter Ransomware – Cynet researchers have identified unique memory strings that are linked to GlobeImposter ransomware.
  2. MedusaLocker – when investigating the ransom note file, it was noted that the note is highly similar to previous notes used by the operators of MedusaLocker.

INDICATORS OF COMPROMISE

Type            Indicator
File            C:\Users\[user]\AppData\Roaming\svhost.exe
Scheduled task  svhost
