Rebranded Chaos Ransomware Using Telegram Group to Finance its activities
During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) encountered data-destructive ransomware linked to the pro-Russian Threat Actors (TA) group named “Killnet”. The ransomware is a modified version of notorious Chaos Ransomware. Upon execution, the Killnet Ransomware drops a note which contains a link to a pro-Russian Telegram channel containing propaganda posts related to the conflict in Ukraine.
The Telegram group has more than 90,000 subscribers, and the group chats mostly contain social media posts and news related to the conflict in Ukraine and asks subscribers to support the TA. The following figure shows the Telegram page containing propaganda.
There are over thirty pinned comments in the group chat. The latest pinned comment translates to “Return of the DDoS tsunami around the world?”. The other posts contain the BTC address and contact information of the TAs.
One pinned post on September 25 by the account name “KillMilk” stated that the person was the operator of the Killnet group and turned to hacktivism to help Russia. The person claims to have attracted more than one hundred thousand people to hacktivism and states that they need financial support for their cause.
In another post, the author asks for money from the citizens, officials, and businessmen of the Russian Federation and provides their Bitcoin, Ethereum, and Tether wallet addresses for donations; the post is shown below.
Following is the translation of the post:
❗️Citizens, officials and businessmen of the Russian Federation. We need to acquire capacities to continue our activities! We do not receive money from the state and we all work on a voluntary basis!
⚡️Nazis from Ukraine collect millions of dollars to commit their crimes. And Killnet participants take loans from banks to protect the information field of Russia.
❕Addresses are clickable❕
BTC
bc1qtyjw4wt9avm0vv5yvcpkkewh9tuc2cq3gmgv6g
ETH
0xedA9832a67711f98E128BCB8F21544dfc273C6B1
USDT TRC20
TSQGBoX32EkkmpFDg1gcm6QwiHeoDrACNx
❕If you need another address, please email @killnet_support
Anti-Ukraine and the TA’s pro-Russia posts Telegram channel indicate that the TAs are sympathetic to Russia and inclined to target Ukraine and its allies. This blog covers the technical analysis of killnet ransomware and explains how it affects the victims using destructive malware.
Technical Analysis
The Killnet ransomware binary is a 32-bit GUI-based binary with SHA256 db1c8ddcdfea93031a565001366ffa9fdb41a689bddab46aec7611a46bb4dc50. The further details are shown in the figure below.
At the time of initial execution, the malware checks if it is already running in the system. If the malware finds an existing instance running, it terminates itself. The figure below shows the code to check if the malware is already running.
Then ransomware executes itself with admin privileges using the ProcessStartInfo and setting the Verb property of the startInfo object to runas. The figure below shows the code snippet used by the ransomware for privilege escalation.
To achieve persistence, the ransomware drops itself into C:\Users\<username>\AppData\Roaming folder as cmd.exe. and adds a shortcut link for dropped cmd.exe in the StartUp folder.
After the system restart, the link in the startup folder executes the malicious cmd.exe. The figure below shows the code to drop the ransomware and create a startup folder link.
After achieving persistence, the ransomware disables data recovery and starts encrypting files in parallel. The ransomware deletes shadow copy, disables recovery mode, and deletes the backup catalog from the system.
These operations are performed to disable future data recovery. The figure below shows the commands run by the ransomware to disable the data recovery.
The ransomware then encrypts the selected files in the system. Initially, the ransomware looks for logical drives other than C:\ drive and encrypts all files present in those logical drives.
Then ransomware encrypts only specific folders in the C:\ drive, excluding important system files, indicating that threat actors are not interested in crippling the entire system.
Below is a list of the specific folders in C:\ drive targeted by the ransomware :
| Desktop | Links | Contacts | Desktop |
| Documents | Downloads | Pictures | Music |
| OneDrive | Saved Games | Favorites | Searches |
| Videos | ApplicationData | CommonDocuments | CommonPictures |
The figure below shows the code used to encrypt files.
The ransomware has a hardcoded list of more than 200 file extensions, and it encrypts files if the file extension matches the existing hardcoded list. The figure below shows the hardcoded extensions.
After data encryption, the ransomware then appends the “.killnet” extension to the encrypted files and drops a note into the directories. The figure below shows the code for dropping the note.
While encrypting the data, the ransomware then changes the desktop background of the system. The figure below has the code to change the desktop background.
The following figure shows the note dropped by the ransomware and its translation.
Conclusion
With the ongoing conflict in Ukraine, multiple threat actors or hacktivists are creating destructive malware to target adversary nations. Killnet ransomware does not ask for any ransom, indicating that the Killnet group is motivated by geo politics instead of monetary gains.
This type of ransomware shows a new trend where TAs use destructive malware to send a political message. To drop such malware, TAs could drop malware in existing compromised systems or leverage phishing and cracked software.
Our Recommendations
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Avoid downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Refrain from opening untrusted links and Email attachments without first verifying their authenticity.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Discovery | T1083 | File and Directory Discovery |
| Impact | T1486 | Data Encrypted for Impact |
Indicators of Compromise
| Indicators | Indicator Type | Description |
| ff00932cd0294036b814c71b2c4b624c 58307a32323d2784df65b473fd4244ef0d5e7447 db1c8ddcdfea93031a565001366ffa9fdb41a689bddab46aec7611a46bb4dc50 | MD5 SHA1 SHA256 | Killnet Executable |
| 13[.]107[.]4[.]52 | IP | Network Activity |
