Monthly Ransomware activity
Written by: Maor Huli
In November, the ransomware variants introduced are:
- Thanos
- Dharma
- STOP
- BlackCocaine
- ChiChi
EXECUTIVE SUMMARY
Rise of REvil and the fallout
First came GandCrab:
GandCrab started as part of a RaaS (Ransomware as a Service) operation and quickly became the most notorious name of its era. It was the most frightening ransomware from late 2018 until the end of the first half of 2019 and, by that, became the role model for the later ransomware attacks.
Many speculate that GandCrab was the “father” of REvil, among other variants that came before it.
This speculation started because, around the time GandCrab ended its operations, Sodinokibi rose with a large portion of GandCrab’s code.
Then came Sodinokibi:
Sodinokibi, allegedly a successor of GandCrab, began its operations in April 2019.
From that point, Sodinokibi spread rapidly around the world and became the next “target” of the cyber operations world.
Sodinokibi was first spotted in a successful attack in April 2019, when it was deployed via an Oracle WebLogic server vulnerability.
In short, the vulnerability was used for RCE (Remote Code Execution), which allowed the attackers to run malicious PowerShell commands to download and execute their malicious files. The attack was so successful because the execution did not require any human interaction, and by that the ransomware was able to spread across the attacked organizations.
After a while, Sodinokibi was rebranded to the name we are all familiar with: REvil.
Lastly came REvil:
Since REvil was built entirely on Sodinokibi, it didn’t have to gain a reputation like its ancestors.
However, even though every respected cyber company was already familiar with this variant, REvil came to the public’s consciousness only after the massive attack on Kaseya.
Kaseya is IT management software for MSPs (Managed Service Providers).
The Kaseya supply chain attack was one of the most devastating attacks of the decade.
Kaseya’s VSA console was the key that allowed the attackers to inject malicious files (the REvil ransomware) via the software’s update mechanism; here is a graph that describes how the attack flowed.
After this successful attack, the attackers demanded $70m to restore all of the affected businesses’ data. However, Kaseya said that the ransom was not paid, since Kaseya managed to get its hands on a decryption tool: “the decryption tool has proven 100% effective at decrypting files that were fully encrypted in the attack”.
Since then, it has emerged that the FBI obtained a universal decryption key, the same one that allowed Kaseya and other companies to restore their encrypted files without paying the ransom. However, it appears that law enforcement officials initially withheld the decryptor key, since that served their goal of hunting REvil’s staff and, by that, bringing the operation down.
The fallout:
After the massive attack on Kaseya, a collaboration between the United States (President Joe Biden) and Russia (President Vladimir Putin) began.
With both allies joining forces, they managed to catch five alleged members of the REvil group.
One of the members, a 22-year-old from Ukraine named Yaroslav Vasinskyi, was arrested while trying to enter Poland from Ukraine; it appears that Vasinskyi was behind the attack on Kaseya, which affected at least 1,500 businesses all over the world.
After Vasinskyi was caught, in mid-July, every dark web site connected to REvil was apparently shut down.
Biden’s statement:
“When I met with President Putin in June, I made clear that the United States would take action to hold cybercriminals accountable. That’s what we have done today.”
https://www.cynet.com/attack-techniques-hands-on/kaseya-supply-chain-attack/
Bleeping Computer is the most up-to-date website summarizing the newest ransomware variants. The Orion team is an integral department of Cynet’s research team; we in the Orion team work around the clock to add more rules and, by that, strengthen the detection capabilities of Cynet 360. Part of the Orion team’s work is to follow Bleeping Computer’s recent posts about new ransomware variants and threats, with the goal of detecting every threat that appeared recently.
In this article, we have summarized ransomware variants from November based on BleepingComputer.
We will present the recent ransomware and how the Cynet 360 platform detects them via several mechanisms.
CYNET 360 VS RANSOMWARE
BlackCocaine Ransomware
- Observed since: May 2021
- Ransomware encryption method: AES + RSA.
- Ransomware extension: .BlackCocaine
- Ransomware note: HOW_TO_RECOVER_FILES.BlackCocaine.txt
- Sample hash: 41f533f7b8f83e5f0d67e90c7b38d1fdc70833a70749c756bae861ec1dc73c5c
Cynet 360 Detections:
BlackCocaine ransomware renames the encrypted files with .BlackCocaine appended to the extension.
Once a computer’s files have been encrypted and renamed, it drops a note named HOW_TO_RECOVER_FILES.BlackCocaine.txt.
Note that the ransomware could not execute properly in our simulation lab; therefore, no encryption took place.
STOP Ransomware
- Observed since: December 2018
- Ransomware encryption method: AES + RSA.
- Ransomware extension: .qdla
- Ransomware note: _readme.txt
- Sample hash: 0ab744026ca4c7d38409a24369fedd15c918729f40455306b5bfa65c8e8ff3ae
Cynet 360 Detections:
STOP ransomware renames the encrypted files with a .qdla extension for each file:
Once a computer’s files have been encrypted and renamed, it drops a text (.txt) note named _readme.txt. The text file contains instructions on how to pay to get the encrypted files back.
ChiChi Ransomware
- Observed since: Nov 2021
- Ransomware encryption method: RSA + AES.
- Ransomware extension: .chichi
- Ransomware note: Guide To Recover Your Files.txt
- Sample hash: 15464657cfae95a326426093c9e12daab54bd9f61c3bc63a2cf5abe975a0e278
Cynet 360 Detections:
ChiChi ransomware renames the encrypted files with .chichi appended to the extension for each file:
Once a computer’s files have been completely encrypted and renamed, a ransom note named Guide To Recover Your Files.txt is dropped on the host with payment and contact details:
Dharma Ransomware
- Observed since: 2016
- Ransomware encryption method: RC4.
- Ransomware extension: .thmx.id-[A-Z0-9]{8}.[[email protected]].WORM
- Ransomware note: thmx.id-[A-Z0-9]{8}.[[email protected]].WORM
- Sample hash: e01d44a06e045ada736c76fec5eaa8a27f6baecffae24563031b7ff3c2c61985
Cynet 360 Detections:
After execution, Dharma ransomware renames the encrypted files with .thmx.id-[A-Z0-9]{8}.[[email protected]].WORM appended to each file. When the ransomware finishes encrypting, it pops up a window with the attacker’s details:
Thanos Ransomware
- Observed since: Feb 2020
- Ransomware encryption method: RSA
- Ransomware extension: .stepik
- Ransomware note: RESTORE_FILES_INFO.txt
- Sample hash: 720f92a0233c07cfdafca70dc95b841682fdefd434835eca106c308f1dc8dc50
Cynet 360 Detections:
After execution, Thanos ransomware renames the encrypted files with .stepik appended to the extension for each file:
Once a computer’s files have been completely encrypted and renamed, it drops and opens a note named RESTORE_FILES_INFO.txt with the attacker’s contact details and the identifier key:
CYNET VARIOUS MECHANISMS
- AV/AI – This alert triggers when Cynet’s AV/AI engine detects a malicious file that was either dumped on the disk or executed.
- Malicious Binary – This alert triggers when Cynet detects a file that is flagged as malicious in Cynet’s EPS (endpoint scanner) built-in threat intelligence database. This database contains only critical IoCs (such as IoCs of ransomware, hacking tools, etc.).
- Memory Pattern – This alert triggers when Cynet detects memory strings that are associated with malware or with malicious files.
- Ransomware Heuristic – This alert triggers when Cynet detects suspicious behavior which can be associated with ransomware (such as changing file extensions to “.Lock”).
- Malicious Binary – Process Create Malicious File – This alert triggers when Cynet detects a process that creates a file that is either flagged as malicious in Cynet’s Threat Intelligence database, or associated with suspicious patterns (such as loaded to sensitive directories).
- Process Monitoring – This alert triggers when a process runs with certain parameters which can indicate suspicious activity (for example, a vssadmin with suspicious parameters such as delete shadow copies).
- Threat Intelligence Detection – Malicious Binary – This alert triggers when Cynet detects a file that is flagged as malicious in Cynet’s internal threat intelligence database.
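As an added example (not Cynet’s own code or rules), the per-family indicators from the sections above and the Ransomware Heuristic and Process Monitoring alerts from this list, turned into a small detector run over constructed file and process events. The bracketed e-mail portion of the Dharma pattern, the rename threshold and the sample events are assumptions.

```python
import re
from collections import Counter
# Per-family indicators from the sections above. The Dharma pattern's bracketed
# e-mail is elided on the page; matching any bracketed text there is an assumption.
EXTENSION_RULES = {
    "BlackCocaine": re.compile(r"\.blackcocaine$", re.I),
    "STOP": re.compile(r"\.qdla$", re.I),
    "ChiChi": re.compile(r"\.chichi$", re.I),
    "Thanos": re.compile(r"\.stepik$", re.I),
    "Dharma": re.compile(r"\.thmx\.id-[A-Z0-9]{8}\.\[[^\]]+\]\.WORM$"),
}
RANSOM_NOTES = {
    "HOW_TO_RECOVER_FILES.BlackCocaine.txt": "BlackCocaine",
    "_readme.txt": "STOP",
    "Guide To Recover Your Files.txt": "ChiChi",
    "RESTORE_FILES_INFO.txt": "Thanos",
}
# Process Monitoring rule from the mechanisms list: vssadmin deleting shadow copies.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)

def family_from_name(path):
    """Return the family whose extension the file name carries, or None."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return next((fam for fam, rule in EXTENSION_RULES.items() if rule.search(base)), None)

def analyze(events, rename_threshold=3):  # threshold is an assumed tuning value
    """events: (kind, value) tuples with kind 'process', 'rename' or 'create'."""
    alerts, renames = [], Counter()
    for kind, value in events:
        base = value.replace("\\", "/").rsplit("/", 1)[-1]
        if kind == "process":
            if SHADOW_DELETE.search(value):
                alerts.append(("Process Monitoring", "vssadmin delete shadows"))
        elif base in RANSOM_NOTES:
            alerts.append(("Ransom Note Dropped", RANSOM_NOTES[base]))
        elif family_from_name(base):
            renames[family_from_name(base)] += 1
    for family, count in sorted(renames.items()):
        if count >= rename_threshold:  # many files renamed to one family's extension
            alerts.append(("Ransomware Heuristic", family))
    return alerts

SAMPLE_EVENTS = [  # constructed sample telemetry, not data from the page's samples
    ("process", "vssadmin.exe delete shadows /all /quiet"),
    ("rename", r"C:\Users\alice\Documents\report.docx.qdla"),
    ("rename", r"C:\Users\alice\Documents\budget.xlsx.qdla"),
    ("rename", r"C:\Users\alice\Pictures\photo.jpg.qdla"),
    ("create", r"C:\Users\alice\Documents\_readme.txt"),
    ("rename", r"C:\Data\notes.txt.thmx.id-1A2B3C4D.[email-placeholder].WORM"),
]
```

Calling analyze(SAMPLE_EVENTS) yields one Process Monitoring alert, a note alert for STOP and a heuristic alert for STOP; the single Dharma rename stays below the threshold.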