Monthly Ransomware activity

Written by: Maor Huli

For November 2021, the ransomware families covered are:

  1. Thanos
  2. Dharma
  3. STOP
  4. BlackCocaine
  5. ChiChi

EXECUTIVE SUMMARY

Rise of REvil and the fallout

First, came GandCrab:


GandCrab started in early 2018 as a RaaS (Ransomware as a Service) operation and quickly became the most notorious name of its era. It was the most feared ransomware from 2018 until its operators announced their retirement in mid-2019, and it became the model for the ransomware operations that followed.

Many researchers believe that GandCrab was the “father” of REvil, among other variants.

This speculation began because, around the time GandCrab shut down, Sodinokibi appeared with clear code overlap with GandCrab.

Then, came Sodinokibi:


Sodinokibi, allegedly a successor of GandCrab, began operations in April 2019.

From that point, Sodinokibi spread rapidly around the world and became the next focus of the security and law-enforcement communities.

Sodinokibi was first spotted in April 2019, when it was deployed through a deserialization vulnerability in Oracle WebLogic Server (CVE-2019-2725).

In short, the vulnerability gave the attackers RCE (Remote Code Execution) on the WebLogic server, which they used to run PowerShell commands that downloaded and executed the ransomware. The attack was so effective because exploitation required no user interaction: nobody had to open an attachment, so any vulnerable, internet-exposed server could be hit directly and the ransomware could then spread inside the attacked organizations.

Sodinokibi is the name researchers gave the malware; the group behind it called itself REvil, the name we are all familiar with today, and both names refer to the same operation.

Lastly, came REvil:


Since REvil and Sodinokibi are one and the same, REvil did not have to build a reputation from scratch the way its ancestors did.

However, although every major security company was already familiar with this variant, REvil only entered the public’s consciousness after the massive attack on Kaseya in July 2021.

Kaseya VSA is an IT management (remote monitoring and management) platform used by MSPs (Managed Service Providers) to administer their customers’ endpoints.

The Kaseya supply chain attack was one of the most damaging attacks of recent years.

The attackers exploited zero-day vulnerabilities in internet-facing, on-premises VSA servers and then abused VSA’s own agent procedure (update) mechanism to push the REvil payload to every endpoint those servers managed, so one compromised MSP server fanned out to all of that MSP’s customers. In outline, the attack flow was:

  1. Authentication bypass and code execution on the exposed VSA server.
  2. A malicious procedure, disguised as an agent “hot-fix”, pushed through the VSA agent to all managed endpoints.
  3. On each endpoint, the procedure used PowerShell to disable Windows Defender protections, decoded the dropped payload with certutil, and launched it.
  4. The dropper side-loaded REvil’s encryptor DLL into a legitimate, signed Microsoft binary and the encryption began.

After this attack, the attackers demanded $70m for a universal decryptor covering all affected businesses. Kaseya said the ransom was not paid: on 22 July 2021 it obtained a decryption tool from a third party and reported that “the decryption tool has proven 100% effective at decrypting files that were fully encrypted in the attack”.

It later emerged that the FBI had obtained the universal decryption key, the same key that allowed Kaseya and other victims to restore their files without paying, by gaining access to REvil’s servers, and that law enforcement initially withheld it for roughly three weeks because releasing it would have tipped off the group while an operation to take it down was being prepared.

The fallout:


Ransomware was already on the agenda between the United States and Russia: at the June 2021 summit, President Joe Biden warned President Vladimir Putin that the United States would act against cybercriminals operating from Russian soil, and the Kaseya attack a few weeks later raised the pressure further.

In November 2021, a coordinated international law-enforcement operation with US participation led to the arrest of five alleged REvil affiliates in several countries.

One of them, Yaroslav Vasinskyi, a 22-year-old Ukrainian national, was arrested in October 2021 as he tried to enter Poland from Ukraine. He is accused of carrying out the attack on Kaseya, which affected at least 1,500 businesses all over the world.

Separately, in mid-July 2021, days after the Kaseya attack, every dark-web site connected to REvil went offline. The sites briefly reappeared in September and were taken down again in October, after law enforcement had compromised the group’s infrastructure.

Biden’s statement:

“When I met with President Putin in June, I made clear that the United States would take action to hold cybercriminals accountable. That’s what we have done today.”

https://www.cynet.com/attack-techniques-hands-on/kaseya-supply-chain-attack/

BleepingComputer is one of the most up-to-date sources summarizing new ransomware variants. The Orion team is an integral part of Cynet’s research team; we work around the clock to add detection rules and thereby strengthen the detection capabilities of Cynet 360. Part of that work is following BleepingComputer’s recent posts about new ransomware variants, with the goal of detecting every threat that has recently appeared.


In this article, we summarize ransomware variants from November 2021 based on BleepingComputer’s reporting.

We present each recent ransomware and show how the Cynet 360 platform detects it via several mechanisms.

CYNET 360 VS RANSOMWARE

BlackCocaine Ransomware

  • Observed since: May 2021
  • Ransomware encryption method: AES + RSA.
  • Ransomware extension: .BlackCocaine
  • Ransomware note: HOW_TO_RECOVER_FILES.BlackCocaine.txt
  • Sample hash: 41f533f7b8f83e5f0d67e90c7b38d1fdc70833a70749c756bae861ec1dc73c5c

Cynet 360 Detections:


BlackCocaine Overview

BlackCocaine ransomware appends .BlackCocaine to the name of each encrypted file.

Once a computer’s files have been encrypted and renamed, it drops a note named HOW_TO_RECOVER_FILES.BlackCocaine.txt.

Note that this sample did not execute properly in our simulation lab, so no encryption took place; the renaming and note-dropping behavior described above comes from public reporting on the family rather than from our own observation.


STOP Ransomware

  • Observed since: December 2018
  • Ransomware encryption method: Salsa20 (file contents) + RSA (key protection).
  • Ransomware extension: .qdla
  • Ransomware note: _readme.txt
  • Sample hash: 0ab744026ca4c7d38409a24369fedd15c918729f40455306b5bfa65c8e8ff3ae

Cynet 360 Detections:


STOP Overview

STOP ransomware appends a .qdla extension to each encrypted file.

Once a computer’s files have been encrypted and renamed, it drops a text (.txt) note named _readme.txt with instructions on how to pay to get the encrypted files back.


ChiChi (Babuk) Ransomware

  • Observed since: Nov 2021
  • Ransomware encryption method: ChaCha8 + ECDH, as in the Babuk code base this variant derives from.
  • Ransomware extension: .chichi
  • Ransomware note: Guide To Recover Your Files.txt
  • Sample hash: 15464657cfae95a326426093c9e12daab54bd9f61c3bc63a2cf5abe975a0e278

Cynet 360 Detections:


ChiChi Overview

ChiChi ransomware appends .chichi to the name of each encrypted file.

Once a computer’s files have been completely encrypted and renamed, a ransom note named Guide To Recover Your Files.txt is dropped on the host with payment and contact details.

Dharma Ransomware

  • Observed since: 2016
  • Ransomware encryption method: AES-256 (file contents) + RSA (key protection).
  • Ransomware extension: .id-[A-Z0-9]{8}.[<attacker e-mail>].WORM, appended after the original file name and extension (a .thmx file becomes name.thmx.id-XXXXXXXX.[<attacker e-mail>].WORM; the e-mail address is redacted here).
  • Ransomware note: a pop-up window with the attacker’s contact details, shown when encryption finishes.
  • Sample hash: e01d44a06e045ada736c76fec5eaa8a27f6baecffae24563031b7ff3c2c61985

Cynet 360 Detections:


Dharma Overview

After execution, Dharma ransomware appends .id-[A-Z0-9]{8}.[<attacker e-mail>].WORM to each encrypted file, keeping the original name and extension in front of it; the eight-character ID is the victim identifier the attacker asks for. When encryption finishes, it pops up a window with the attacker’s contact details.

Thanos Ransomware

  • Observed since: Feb 2020
  • Ransomware encryption method: AES-256 (file contents) + RSA-2048 (key protection).
  • Ransomware extension: .stepik
  • Ransomware note: RESTORE_FILES_INFO.txt
  • Sample hash: 720f92a0233c07cfdafca70dc95b841682fdefd434835eca106c308f1dc8dc50

Cynet 360 Detections:

Thanos Overview

After execution, Thanos ransomware appends .stepik to the name of each encrypted file.

Once a computer’s files have been completely encrypted and renamed, it drops and opens a note named RESTORE_FILES_INFO.txt containing the attacker’s contact details and the victim’s identifier key.

CYNET VARIOUS MECHANISMS

  • AV/AI – This alert triggers when Cynet’s AV/AI engine detects a malicious file that was either written to disk or executed.
  • Malicious Binary – This alert triggers when Cynet detects a file that is flagged as malicious in the built-in threat intelligence database of Cynet’s EPS (endpoint scanner). This database contains only critical IoCs (for example, IoCs of ransomware and hacking tools).
  • Memory Pattern – This alert triggers when Cynet detects in-memory strings associated with malware or with malicious files.
  • Ransomware Heuristic – This alert triggers when Cynet detects suspicious behavior that can be associated with ransomware (such as mass renaming of files to a new extension like “.Lock”).
  • Malicious Binary – Process Create Malicious File – This alert triggers when Cynet detects a process creating a file that is either flagged as malicious in Cynet’s threat intelligence database or matches suspicious patterns (such as being written to a sensitive directory).
  • Process Monitoring – This alert triggers when a process runs with parameters that can indicate suspicious activity (for example, vssadmin with parameters that delete shadow copies).
  • Threat Intelligence Detection – Malicious Binary – This alert triggers when Cynet detects a file that is flagged as malicious in Cynet’s internal threat intelligence database.
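The indicators collected above (appended extensions, ransom-note file names, sample hashes, shadow-copy deletion) are exactly what the extension, note, hash and command-line mechanisms in the list key on. The script below is an added example, written for this article and not Cynet’s own detection logic, that runs those rules over a few lines of constructed endpoint telemetry. The event schema, the process IDs, the paths, the e-mail address in the Dharma file name and the burst threshold are all assumptions made up for the illustration; the extensions, note names and hashes are the ones listed in the sections above.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Indicators taken from the write-up above: appended extensions, ransom-note
# file names and the listed sample hashes. Matching is case-insensitive
# (BlackCocaine is reported as both ".BlackCocaine" and ".blackcocaine").
RANSOM_EXTENSIONS = {".blackcocaine", ".qdla", ".chichi", ".stepik"}
RANSOM_NOTES = {
    "how_to_recover_files.blackcocaine.txt",  # BlackCocaine
    "_readme.txt",                            # STOP
    "guide to recover your files.txt",        # ChiChi (Babuk)
    "restore_files_info.txt",                 # Thanos
}
# Dharma keeps the original name and appends .id-<8 chars>.[<e-mail>].WORM
DHARMA_RE = re.compile(r"\.id-[A-Z0-9]{8}\.\[[^\]]+\]\.WORM$", re.IGNORECASE)
KNOWN_HASHES = {
    "41f533f7b8f83e5f0d67e90c7b38d1fdc70833a70749c756bae861ec1dc73c5c",  # BlackCocaine
    "0ab744026ca4c7d38409a24369fedd15c918729f40455306b5bfa65c8e8ff3ae",  # STOP
    "15464657cfae95a326426093c9e12daab54bd9f61c3bc63a2cf5abe975a0e278",  # ChiChi
    "e01d44a06e045ada736c76fec5eaa8a27f6baecffae24563031b7ff3c2c61985",  # Dharma
    "720f92a0233c07cfdafca70dc95b841682fdefd434835eca106c308f1dc8dc50",  # Thanos
}
# Shadow-copy deletion, the usual pre-encryption step (vssadmin or wmic).
SHADOW_DELETE_RE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)


@dataclass
class Event:
    """One endpoint telemetry record. Constructed schema, not a Cynet format."""
    kind: str          # "rename", "create" or "process"
    pid: int           # process that performed the action
    path: str = ""     # new path for rename, created path for create
    sha256: str = ""   # hash of the created file, when the sensor has it
    cmdline: str = ""  # command line for process events


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def has_ransom_extension(path):
    """True if the file name ends in one of the appended extensions above."""
    name = _basename(path).lower()
    return any(name.endswith(ext) for ext in RANSOM_EXTENSIONS) or bool(DHARMA_RE.search(name))


def classify(ev):
    """Alert names a single event triggers on its own (may be empty)."""
    alerts = []
    if ev.kind == "rename" and has_ransom_extension(ev.path):
        alerts.append("Ransomware Heuristic: known ransomware extension")
    if ev.kind == "create":
        if _basename(ev.path).lower() in RANSOM_NOTES:
            alerts.append("Ransomware Heuristic: ransom note dropped")
        if ev.sha256.lower() in KNOWN_HASHES:
            alerts.append("Malicious Binary: hash matches threat intelligence")
    if ev.kind == "process" and SHADOW_DELETE_RE.search(ev.cmdline):
        alerts.append("Process Monitoring: shadow copy deletion")
    return alerts


def detect(events, burst_threshold=3):
    """Correlate per process; returns {pid: [alert, ...]} for noisy processes only.

    A single extension change can be benign, so the burst rule escalates a
    process that renames burst_threshold or more files to a ransom extension.
    """
    per_pid = defaultdict(list)
    renames = Counter()
    for ev in events:
        alerts = classify(ev)
        if alerts:
            per_pid[ev.pid].extend(alerts)
        if ev.kind == "rename" and has_ransom_extension(ev.path):
            renames[ev.pid] += 1
    for pid, n in renames.items():
        if n >= burst_threshold:
            per_pid[pid].append(f"Ransomware Heuristic: {n} files renamed by one process")
    return dict(per_pid)


# Constructed sample telemetry: one STOP-like infection (pid 4242), one Dharma
# rename (5151), one known-bad dropper (6060) and one benign rename (7070).
SAMPLE_EVENTS = [
    Event("process", 4242, cmdline="vssadmin.exe Delete Shadows /All /Quiet"),
    Event("rename", 4242, path=r"C:\Users\bob\Documents\budget.xlsx.qdla"),
    Event("rename", 4242, path=r"C:\Users\bob\Documents\notes.docx.qdla"),
    Event("rename", 4242, path=r"C:\Users\bob\Pictures\holiday.jpg.qdla"),
    Event("create", 4242, path=r"C:\Users\bob\Documents\_readme.txt"),
    Event("rename", 5151, path=r"D:\share\deck.thmx.id-A1B2C3D4.[pay@example.com].WORM"),
    Event("create", 6060, path=r"C:\Temp\update.exe",
          sha256="720f92a0233c07cfdafca70dc95b841682fdefd434835eca106c308f1dc8dc50"),
    Event("rename", 7070, path=r"C:\Users\bob\old.txt.bak"),
]
```

Running detect(SAMPLE_EVENTS) attributes six alerts to pid 4242 (shadow-copy deletion, three renames, the ransom note and the burst escalation), one Dharma extension alert to pid 5151, one hash match to pid 6060, and nothing to the benign rename. The per-process correlation is the point: a hash or note name is a brittle indicator that a new build or a renamed note defeats, whereas a process that deletes shadow copies and then rewrites many files with a new suffix looks the same whatever the family is called.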