The Rise of Ransomware Hybrids from Existing Code
Ransomware continues to pose a persistent and evolving threat in the cybersecurity landscape, with Threat Actors (TAs) constantly refining their techniques to maximize their financial gains. These TAs employ various extortion techniques, including double extortion and countdown timers. Obsidian ORB is one such ransomware variant, and it uses gift cards for ransom payments.
In the double extortion technique, the attackers gain unauthorized access to a corporate network, exfiltrate sensitive data, and encrypt files. TAs then threaten the victims by stating that if the ransom is not paid, the stolen data will be published on a public leak site, potentially causing reputational damage or legal consequences.
The countdown timer technique creates a sense of urgency and quickly pressures the victim into paying the ransom. The TAs set a specific timeframe within which the ransom must be paid. Failure to meet the deadline may result in the permanent deletion of the decryption key or an increase in the ransom amount, further increasing the pressure on the victim. These techniques demonstrate how ransomware attackers exploit psychological tactics, fear, and the potential consequences of non-compliance to coerce victims into paying the ransom.
In our recent investigation, Cyble Research and Intelligence Labs (CRIL) has come across a new and unique ransomware strain named “Obsidian ORB.” Extensive analysis has revealed compelling evidence that suggests a significant correlation between Obsidian ORB Ransomware and the underlying source code of the notorious Chaos ransomware.
CRIL has analyzed several ransomware families in detail, such as Blacksnake and Onyx, which have originated from the Chaos ransomware source code.
The Obsidian ORB group focuses primarily on file encryption as their core strategy. By employing sophisticated encryption algorithms, they effectively encrypt victims’ data and present ransom demands for decryption.
This ransomware group’s unique approach to demanding payment from victims has gained attention. Unlike traditional ransomware actors who typically request cryptocurrency payments, the TAs associated with Obsidian ORB have adopted an alternative method. They now demand payment through gift cards, including popular platforms such as Roblox, Paysafe, Payday, Steam, etc.
This strategic shift underscores the adaptability of ransomware attackers, as they constantly explore new avenues to exploit for extortion purposes.
Technical Analysis
We analyzed the sample with the following hash (SHA256: 290072a9e1cf3872487cf586a592be534abc894d20ffd1121fe8338f1b52b451), which is a 32-bit PE binary compiled using .NET, as demonstrated in the following figure:

Upon execution, the ransomware first checks for the presence of any existing instances of itself. If another instance is found, the ransomware terminates its execution.
After ensuring that no previous instance of the ransomware exists, Obsidian creates a copy of itself in the %appdata% directory with the file name “svchost.exe” and executes the newly created process.
After launching the new process successfully, the ransomware proceeds to create a shortcut file in the Windows Startup folder (C:\Users\User-Profile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost). This enables the ransomware to run automatically when the user logs into their system during subsequent reboots. The figure below shows the ransomware code snippet adding itself to the startup folder.

Next, the ransomware scans the victim’s machine to identify the available drives using the GetDrives() function. Once the drives are detected, the ransomware calls the encryption function for each identified drive, except the root of the “C:” drive. Moreover, the ransomware includes multiple specific directories for encryption. The accompanying image shows the paths of the directories targeted by the ransomware.

The Obsidian ORB ransomware also looks for specific file extensions to encrypt. The predetermined list of targeted file extensions is shown in the table below:
.txt | .jar | .dat | .contact | .settings | .doc | .docx | .xls | .xlsx | .ppt | .pptx |
.odt | .jpg | .mka | .mhtml | .oqy | .png | .csv | .sql | .mdb | .php | .asp |
.aspx | .html | .htm | .xml | .psd | .xla | .cub | .dae | .indd | .mp3 | |
.mp4 | .dwg | .zip | .rar | .mov | .rtf | .bmp | .mkv | .avi | .apk | .lnk |
.dib | .dic | .dif | .divx | .iso | .7zip | .ace | .arj | .bz2 | .cab | .gzip |
.lzh | .tar | .jpeg | .mpeg | .torrent | .mpg | .core | .pdb | .ico | .pas | .wmv |
.swf | .cer | .bak | .backup | .accdb | .bay | .p7c | .exif | .vss | .raw | .m4a |
.wma | .flv | .sie | .sum | .ibank | .wallet | .css | .crt | .xlsm | .xlsb | .cpp |
.java | .jpe | .ini | .blob | .wps | .docm | .wav | .3gp | .webm | .m4v | .amv |
.m4p | .svg | .ods | .vdi | .vmdk | .onepkg | .accde | .jsp | .json | .gif | .log |
.config | .m1v | .sln | .pst | .obj | .xlam | .djvu | .inc | .cvs | .dbf | .tbi |
.wpd | .dot | .dotx | .xltx | .pptm | .potx | .potm | .pot | .xlw | .xps | .xsd |
.xsf | .xsl | .kmz | .accdr | .stm | .accdt | .ppam | .pps | .ppsm | .1cd | .3ds |
.3fr | .3g2 | .accda | .accdc | .accdw | .adp | .ai3 | .ai4 | .ai5 | .ai6 | .ai7 |
.ai8 | .arw | .ascx | .asm | .asmx | .avs | .bin | .cfm | .dbx | .dcm | .dcr |
.pict | .rgbe | .dwt | .f4v | .exr | .kwm | .max | .mda | .mde | .mdf | .mdw |
.mht | .mpv | .msg | .myi | .nef | .odc | .geo | .swift | .odm | .odp | .oft |
.orf | .pfx | .p12 | .pls | .safe | .tab | .vbs | .xlk | .xlm | .xlt | .xltm |
.svgz | .slk | .tar.gz | .dmg | .psb | .tif | .rss | .key | .vob | .epsp | .dc3 |
.iff | .onetoc2 | .opt | .p7b | .pam | .r3d |
After identifying the appropriate files for encryption, the ransomware checks whether the file length is below 2 MB. If so, the ransomware uses the “Microsoft Enhanced RSA and AES Cryptographic Provider” libraries to encrypt the file.
However, for files larger than 2 MB, the ransomware destroys the files by overwriting them with random data, making them forever inaccessible. The accompanying image showcases the code snippet where the ransomware utilizes a hybrid encryption approach, leveraging both the RSA and AES cryptographic algorithms.

Subsequently, the malware appends a 4-character alphanumeric random string to the existing file extension of the encrypted files. The image below depicts the code snippet responsible for generating random file extensions.

The figure below shows the encrypted files and their extensions.

Furthermore, the malware generates a ransom note titled “read_it.txt” within each directory where it has performed file encryption. This ransom note serves as a means of communication from the TA to the victim, conveying instructions or demands related to the ransom.
Its presence in the directories ensures that the victim becomes aware of the compromised state of their files and establishes a channel for potential negotiation or payment.
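As an added example (not code from CRIL or from the sample), the following Python triage script walks a directory tree and reports directories that hold the “read_it.txt” note together with files carrying an extra 4-character alphanumeric suffix. It assumes the renamed form is <name>.<original extension>.<4 characters>, uses only a subset of the extension table above, and its function names are illustrative.

```python
import os
import re

NOTE_NAME = "read_it.txt"  # ransom note name reported in the article
# Subset of the article's targeted-extension table (extend as needed).
TARGETED = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png",
            ".sql", ".zip", ".bak", ".json", ".html"}
# Assumed renamed form: <stem><targeted ext>.<4 alphanumeric characters>
SUFFIX = re.compile(r"^\.[A-Za-z0-9]{4}$")


def looks_renamed(filename):
    """True if filename matches <stem>.<targeted ext>.<4 alnum> (assumed form)."""
    stem, rand_ext = os.path.splitext(filename)
    # A trailing suffix that is itself a known extension is not treated as random.
    if not SUFFIX.match(rand_ext) or rand_ext.lower() in TARGETED:
        return False
    return os.path.splitext(stem)[1].lower() in TARGETED


def triage(root):
    """Walk root and return {directory: {"note": bool, "files": [...]}} for
    every directory holding the ransom note or renamed-looking files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        hits = sorted(f for f in files if looks_renamed(f))
        has_note = any(f.lower() == NOTE_NAME for f in files)
        if hits or has_note:
            findings[dirpath] = {"note": has_note, "files": hits}
    return findings


def confirmed(findings):
    """Directories where both signals agree: note present and renamed files."""
    return sorted(d for d, f in findings.items() if f["note"] and f["files"])


if __name__ == "__main__":
    import sys
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    high = confirmed(result)
    for d in high:
        print(f"[HIGH] {d}: {len(result[d]['files'])} renamed file(s) + {NOTE_NAME}")
    for d, f in result.items():
        if d not in high:
            print(f"[REVIEW] {d}: note={f['note']} renamed={f['files']}")
```

A suffix match without the note (for example a legitimate `notes.txt.orig`) is reported for review only, since the 4-character pattern alone produces false positives.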
The figure below displays the ransom note dropped by Obsidian ORB ransomware.

Upon completing the file encryption process on the victim’s machine, the ransomware executes specific commands via cmd.exe. These commands are designed to delete backups and disable recovery mode on the infected system, effectively preventing the victim from utilizing backup copies or recovery options to restore their data.
The image below shows the process chain of the Obsidian ORB ransomware and showcases the specific commands it utilizes to disable data backup on the compromised system.

The Obsidian ORB ransomware includes a mechanism to propagate to other drives within the infected system. It systematically goes through the available drives and verifies if the current drive is not the “C:” drive and if a file named “surprise.exe” is not already present on the newly identified drive.
If both conditions are satisfied, the ransomware proceeds to copy itself onto the target drive using the File.Copy() method. This allows the ransomware to potentially spread its malicious payload to other drives, thereby expanding its reach across the system.
The figure below shows the code snippet responsible for the ransomware’s propagation to other drives.
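The behaviours described above (a copy named “svchost.exe” outside the Windows system directory, a Startup-folder item named “svchost”, cmd.exe launched by that copy, and “surprise.exe” written to a non-“C:” drive root) can be turned into detection logic; the Python sketch below is an added example, not CRIL's or the malware's code. The event field names, the sample events, the `.lnk` extension and a Windows install at C:\Windows are assumptions made for illustration.

```python
import ntpath
import re

# Legitimate svchost.exe runs only from these directories (assumes C:\Windows).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
STARTUP = r"\microsoft\windows\start menu\programs\startup" + "\\"
DROP_ON_OTHER_DRIVE = re.compile(r"^[a-bd-z]:\\surprise\.exe$")

# Constructed sample events; field names are hypothetical, not a real log schema.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 812, "ppid": 640,
     "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "pid": 4120, "ppid": 3980,
     "image": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"type": "file", "pid": 4120,  # ".lnk" is constructed; the article gives no extension
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk"},
    {"type": "process", "pid": 5012, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file", "pid": 4120, "target": r"E:\surprise.exe"},
    {"type": "process", "pid": 5100, "ppid": 812,
     "image": r"C:\Windows\System32\cmd.exe"},
]


def detect(events):
    """Return (rule, event) pairs for the behaviours the article describes."""
    alerts, fake_svchost = [], set()
    for ev in events:
        if ev["type"] == "process":
            folder, name = ntpath.split(ev["image"].lower())
            if name == "svchost.exe" and folder not in SYSTEM_DIRS:
                fake_svchost.add(ev["pid"])  # remember PID to catch its children
                alerts.append(("svchost_outside_system_dir", ev))
            elif name == "cmd.exe" and ev["ppid"] in fake_svchost:
                alerts.append(("cmd_child_of_fake_svchost", ev))
        elif ev["type"] == "file":
            target = ev["target"].lower()
            if STARTUP in target and ntpath.basename(target).startswith("svchost"):
                alerts.append(("startup_item_named_svchost", ev))
            elif DROP_ON_OTHER_DRIVE.match(target):
                alerts.append(("surprise_exe_on_non_c_drive", ev))
    return alerts


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, ev.get("image") or ev.get("target"))
```

The parent/child rule depends on events arriving in order, so the masquerading process must be seen before the cmd.exe it spawns.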

As a final step, the ransomware modifies the desktop background image on the compromised system. The accompanying image shows the altered desktop background of the infected machine.

Conclusion
There have been numerous instances where new ransomware variants have emerged from the leaked code of existing ransomware. This approach is effective and convenient for threat actors (TAs), as they can modify and customize the code to their preferences.
In this specific case, the TA modified the Chaos ransomware code, creating Obsidian ORB ransomware. Notably, this ransomware employs a distinctive ransom payment method, demanding that victims pay the ransom via gift cards.
Cyble Research & Intelligence Labs continuously monitor ransomware campaigns and will keep updating our readers with the latest information.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile
- Refrain from opening untrusted links and email attachments without verifying their authenticity
Users Should Take the Following Steps After the Ransomware Attack
- Detach infected devices on the same network
- Disconnect external storage devices if connected
- Inspect system logs for suspicious events
Impact of Ransomware
- Loss of valuable data
- Loss of the organization’s reputation and integrity
- Loss of the organization’s sensitive business information
- Disruption in organization operation
- Financial loss
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Execution | T1059 | Command and Scripting Interpreter |
Execution | T1204 | User Execution |
Persistence | T1547.001 | Registry Run Keys / Startup Folder |
Discovery | T1083 | File and Directory Discovery |
Defense Evasion | T1070 | Delete shadow drive data |
Impact | T1486 | Data encrypted for impact |
Impact | T1490 | Inhibit System Recovery |
Indicators of Compromise (IOCs)
Indicators | Indicator Type | Description |
290072a9e1cf3872487cf586a592be534abc894d20ffd1121fe8338f1b52b451 | Sha256 | Obsidian ORB Ransomware |
d6c5408fabbf943721946073c80049c3c65f8c8d | Sha1 | Obsidian ORB Ransomware |
3566f930e73eacee6933e672c1085d98 | Md5 | Obsidian ORB Ransomware |