
Fake Ransomware Infection Under widespread

Destructive Fake Ransomware Wiping Out System Drives

Cyble Research and Intelligence Labs (CRIL) continuously monitors phishing campaigns that distribute different malware families. Recently, CRIL spotted an adult website distributing a fake ransomware executable. The fake ransomware does not encrypt files; instead, it changes file names and their extensions, drops ransom notes, and threatens victims into paying a ransom, just like a typical ransomware family.

The link to this website may be posted on dating websites, which redirect the user to download the fake ransomware when opened. The downloaded executable has a double extension, i.e. SexyPhotos.JPG.exe, and masquerades as an image file, as shown below.

Figure 1 – Fake Ransomware download from the adult site

Technical Details

The sample with SHA256 hash fbb21d552b04494bf40cf5aded24601449dfa8d597325e8d4169d345fe185f15 was taken for this analysis. Static analysis indicates that the file is a GUI-based 32-bit installer executable compiled from C/C++, as shown in the image below.

Figure 2 – Static file details

Upon execution, the malware drops four executable files (del.exe, open.exe, windll.exe and windowss.exe) and one batch file (avtstart.bat) in the %temp% directory and executes them. The figure below shows the files dropped by the malware on the victim’s machine.

Figure 3 – Dropped exe & bat files

Persistence:

Initially, “avtstart.bat” runs and copies all the executable files to the Startup folder for persistence, as shown below.

Figure 4 – Persistence

While copying the files, Windows throws an error that it could not find the file “dell.exe”, indicating that the malware dropped the file under the wrong name “del.exe”.

Figure 5 – dell.exe not found Alert message

File Rename operation:

After that, the malware executes “windowss.exe”, which drops three files named “windowss.VBS”, “windowss.bat” and “Readme.txt” in the same directory and executes the windowss.VBS file. The .VBS file in turn executes windowss.bat, which performs the fake ransomware activity, and finally opens “Readme.txt”, which contains the payment instructions. The figure below shows the process tree of the fake ransomware.

Figure 6 – Process tree
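The parent/child sequence in this process tree (a dropper in %temp% launching wscript.exe on a .VBS, which launches cmd.exe on a .bat) is a useful detection pivot. The Python below is an added example, not Cyble’s code: it walks constructed process-creation records (the field names and the victim profile path are assumptions) and flags that chain, whether the dropper runs from %temp% or from its Startup folder copy, while ignoring a benign logon-script chain.

```python
import re
from dataclasses import dataclass

# Locations the droppers run from (default profile paths are an assumption).
DROP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Start Menu\\Programs\\Startup)\\",
                      re.IGNORECASE)
VBS_NAME = re.compile(r"([\w.-]+\.vbs)\b", re.IGNORECASE)
BAT_NAME = re.compile(r"([\w.-]+\.bat)\b", re.IGNORECASE)

@dataclass(frozen=True)
class Proc:            # one process-creation record (field names assumed)
    pid: int
    ppid: int
    image: str         # full path of the executable
    cmdline: str       # full command line

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def find_script_chains(events):
    """Return (dropper, vbs, bat) triples for every chain in which an exe in
    %temp%/Startup spawned wscript/cscript on a .VBS from such a location,
    which then spawned cmd.exe on a .bat (the sequence each dropper follows)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for bat in events:
        m_bat = BAT_NAME.search(bat.cmdline)
        vbs = by_pid.get(bat.ppid)
        if _base(bat.image) != "cmd.exe" or not m_bat or vbs is None:
            continue
        m_vbs = VBS_NAME.search(vbs.cmdline)
        dropper = by_pid.get(vbs.ppid)
        if (_base(vbs.image) not in ("wscript.exe", "cscript.exe") or not m_vbs
                or not DROP_DIR.search(vbs.cmdline) or dropper is None
                or not DROP_DIR.search(dropper.image)):
            continue
        hits.append((_base(dropper.image), m_vbs.group(1).lower(), m_bat.group(1).lower()))
    return hits

# Constructed sample modelled on the process tree in Figure 6, plus a benign
# logon-script chain (pids 600/700) that must not be flagged.
T = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE = [
    Proc(200, 100, r"C:\Users\victim\Downloads\SexyPhotos.JPG.exe", "SexyPhotos.JPG.exe"),
    Proc(300, 200, T + r"\windowss.exe", "windowss.exe"),
    Proc(400, 300, r"C:\Windows\System32\wscript.exe", f'wscript.exe "{T}\\windowss.VBS"'),
    Proc(500, 400, r"C:\Windows\System32\cmd.exe", f'cmd.exe /c "{T}\\windowss.bat"'),
    Proc(600, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "\\srv\scripts\logon.vbs"'),
    Proc(700, 600, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "\\srv\scripts\map.bat"'),
]
```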

The “windowss.bat” file searches specific folders for specific file extensions and renames the matching files to “Locked_<number>.Locked_fille”, as shown below. The fake ransomware drops a file “exception.lst” that contains the extensions to be excluded from the rename operation.

Figure 7 – File names changed by the fake ransomware

The table below shows the folders and file extensions used by the malware for the rename operation.

File extensions: *.jpg *.bat *.lnk *.vbs *.css *.js *.apk *.GIF *.ico *.log *.py *.sys *.jar *.inf *.bin *.pdf *.JPEG *.png *.dll *.PSD *.BMP *.aac *.amr *.wav *.wave *.ogg *.wma *.3gp *.flv *.mkv *.mp4 *.mpeg *.mkw *.wmv *.7z *.bin *.gzip *.gz *.jar *.xar *.msi *.zip *.doc *.rar *.docm *.docx *.dotx *.epub *.pdf *.avi *.mht *.htm *.iso *.key *.pak *.svg *.csv *.tgz *.torrent *.xlsx *.xls *.php *.html *.HTML *.xml *aac *.mpeg *.flv *.mp3 *.mp4 *.exe

Folder paths: C:\Users\Windows\Desktop\ C:\Users\Windows\Downloads\ C:\Users\Windows\Music\ C:\Users\Windows\Pictures\ C:\Users\Public\Documents\ C:\Users\Windows\Videos\ C:\users\%username%\downloads\ C:\Users\%username%\Documents\ C:\Users\%username%\Desktop\ C:\Users\%username%\Music\ C:\Users\%username%\Videos\ C:\Users\%username%\Pictures\ C:\DRIVERS C:\Games C:\NVIDIA

The figure below shows the files dropped by “windowss.exe” and the code snippet of the VBS/BAT files used for the file rename operation.

Figure 8 – Files dropped by windowss.exe and code snippet of VBS/BAT file

The figure below compares an original file with its renamed copy, showing that the malware does not encrypt the file and changes only its name.

Figure 9 – Comparison of original and renamed file
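Because the files are only renamed, their content is intact, and the original file type can be recovered from the file header even though the original name cannot. The Python below is an added example, not Cyble’s code: it finds Locked_<n>.Locked_fille files, checks a short list of well-known signatures, and restores an extension (dry run by default); the sample tree it builds is constructed.

```python
import os
import re
import tempfile

LOCKED_NAME = re.compile(r"^Locked_\d+\.Locked_fille$", re.IGNORECASE)
# (magic bytes, offset, extension): well-known signatures, not exhaustive.
MAGIC = [
    (b"\xff\xd8\xff", 0, ".jpg"), (b"\x89PNG\r\n\x1a\n", 0, ".png"),
    (b"GIF8", 0, ".gif"), (b"%PDF", 0, ".pdf"),
    (b"PK\x03\x04", 0, ".zip"),  # also docx/xlsx/jar/apk containers
    (b"Rar!\x1a\x07", 0, ".rar"), (b"MZ", 0, ".exe"), (b"ftyp", 4, ".mp4"),
]

def sniff_extension(header: bytes):
    """Return the extension implied by the first bytes of a file, or None."""
    for magic, off, ext in MAGIC:
        if header[off:off + len(magic)] == magic:
            return ext
    return None

def recover_dir(root, dry_run=True):
    """Find Locked_<n>.Locked_fille files under root and return a list of
    (old_path, new_path or None). Only the type is recoverable: the malware
    never records the original names, so the Locked_<n> stem is kept.
    Files with no known signature are reported but left untouched."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not LOCKED_NAME.match(name):
                continue
            old = os.path.join(dirpath, name)
            with open(old, "rb") as fh:
                ext = sniff_extension(fh.read(16))
            new = os.path.join(dirpath, name.split(".", 1)[0] + ext) if ext else None
            if new and not dry_run:
                os.rename(old, new)
            results.append((old, new))
    return results

def demo():
    """Constructed sample tree: two recoverable files, one unknown, one note."""
    root = tempfile.mkdtemp()
    samples = {"Locked_1.Locked_fille": b"\x89PNG\r\n\x1a\n" + b"\0" * 8,
               "Locked_2.Locked_fille": b"%PDF-1.4 constructed sample",
               "Locked_3.Locked_fille": b"no known signature here",
               "Readme.txt": b"ransom note, not touched"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    recover_dir(root, dry_run=False)
    return sorted(os.listdir(root))
```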

Dropping Ransom Notes:

Next, the malware executes the “windll.exe” file, which drops three files named “windll.VBS”, “windll.bat” and “Readme.txt” in the same folder and executes “windll.VBS”. Similarly, windll.VBS executes “windll.bat”, which copies “Readme.txt” into specific folders and opens the ransom note file “Readme.txt”. The figure below shows the files dropped by “windll.exe” and the code snippet of the VBS/BAT files used for copying the ransom notes into different locations.

Figure 10 – Files dropped by windll.exe and code snippet of VBS/BAT file

Deleting System Drives:

The malware now tries to execute a file “dell.exe”, but the file is not present on the victim’s machine because the malware wrongly named it “del.exe” when dropping it initially. “del.exe” contains code to drop three files named “dell.VBS”, “dell.bat” and “Readme.txt” and to execute “dell.VBS”. “dell.VBS” executes “dell.bat”, which deletes all system drives [A:\ – Z:\] except the C:\ drive. The figure below shows the files present inside “del.exe” and the code snippet of the VBS/BAT files.

Figure 11 – Files dropped by del.exe and code snippet of VBS/BAT file

Network communication:

Finally, the malware executes “open.exe”, which drops three files named “open.VBS”, “open.bat” and “Readme.txt” in the same directory and executes the “open.VBS” file. “open.VBS” executes “open.bat”, which connects to the URL below and opens “Readme.txt”:

  • hxxps[:]//lllllllllll.loseyourip[.]com/downloads

The figure below shows the files dropped by “open.exe” and the code snippet of the VBS/BAT files.

Figure 12 – Files dropped by open.exe and code snippet of VBS/BAT file

In the dropped “Readme.txt” ransom note, victims are given instructions in multiple languages on how to contact the threat actors (TAs) for file recovery, along with the ransom amount.

Figure 13 – Ransom note

Conclusion

Fake ransomware behaves like typical ransomware but does not encrypt the files. It falsely claims that the files are encrypted and threatens the user into paying a ransom for decryption. Victims may well pay the ransom to recover their files, since the renamed files are unusable. We are not sure whether a working decryptor would be provided if the ransom is paid. Even if a decryptor were provided, restoring the files to their original names is not possible, as the malware does not store them anywhere during the infection.

Cyble Research and Intelligence Labs will continue monitoring the latest phishing and malware strains in the wild and updating our blogs with actionable intelligence to protect users from such attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After a Ransomware Attack

  • Disconnect infected devices from the network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impacts And Cruciality of Ransomware

  • Loss of valuable data.
  • Loss of the organization’s reputation and integrity.
  • Loss of the organization’s sensitive business information.
  • Disruption in organization operation.
  • Financial loss.

MITRE ATT&CK® Techniques

Tactic             Technique ID   Technique Name
Execution          T1204          User Execution
Execution          T1059          Command and Scripting Interpreter
Execution          T1064          Scripting
Persistence        T1547          Registry Run Keys / Startup Folder
Defense Evasion    T1027          Obfuscated Files or Information
Defense Evasion    T1045          Software Packing
Defense Evasion    T1036          Masquerading
Discovery          T1082          System Information Discovery
Discovery          T1083          File and Directory Discovery
Impact             T1486          Data Encrypted for Impact

Indicators of Compromise (IOCs)
