Cyble-Blogs-Killnet

Pro-Russian hacktivists targeting adversaries with Killnet ransomware

Rebranded Chaos Ransomware Using Telegram Group to Finance its activities

During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) encountered data-destructive ransomware linked to the pro-Russian Threat Actors (TA) group named “Killnet”. The ransomware is a modified version of notorious Chaos Ransomware. Upon execution, the Killnet Ransomware drops a note which contains a link to a pro-Russian Telegram channel containing propaganda posts related to the conflict in Ukraine.

The Telegram group has more than 90,000 subscribers, and the group chats mostly contain social media posts and news related to the conflict in Ukraine and asks subscribers to support the TA. The following figure shows the Telegram page containing propaganda.

Figure 1 – Telegram Channel of Killnet

There are over thirty pinned comments in the group chat. The latest pinned comment translates to “Return of the DDoS tsunami around the world?”. The other posts contain the BTC address and contact information of the TAs.

One pinned post on September 25 by the account name “KillMilk” stated that the person was the operator of the Killnet group and turned to hacktivism to help Russia. The person claims to have attracted more than one hundred thousand people to hacktivism and states that they need financial support for their cause.

In another post, the author asks for money from the citizens, officials, and businessmen of the Russian Federation and provides their Bitcoin, Ethereum, and Tether wallet addresses for donations; the post is shown below.

Figure 2 – Telegram Post for Donations

Following is the translation of the post:

❗️Citizens, officials and businessmen of the Russian Federation. We need to acquire capacities to continue our activities! We do not receive money from the state and we all work on a voluntary basis!

⚡️Nazis from Ukraine collect millions of dollars to commit their crimes. And Killnet participants take loans from banks to protect the information field of Russia.

Addresses are clickable

BTC

bc1qtyjw4wt9avm0vv5yvcpkkewh9tuc2cq3gmgv6g

ETH

0xedA9832a67711f98E128BCB8F21544dfc273C6B1

USDT TRC20

TSQGBoX32EkkmpFDg1gcm6QwiHeoDrACNx

If you need another address, please email @killnet_support

Anti-Ukraine and the TA’s pro-Russia posts Telegram channel indicate that the TAs are sympathetic to Russia and inclined to target Ukraine and its allies. This blog covers the technical analysis of killnet ransomware and explains how it affects the victims using destructive malware.

Technical Analysis

The Killnet ransomware binary is a 32-bit GUI-based binary with SHA256 db1c8ddcdfea93031a565001366ffa9fdb41a689bddab46aec7611a46bb4dc50. The further details are shown in the figure below.

Figure 3 – Static File Information

At the time of initial execution, the malware checks if it is already running in the system. If the malware finds an existing instance running, it terminates itself. The figure below shows the code to check if the malware is already running.

Figure 4 – Checking Running Process

Then ransomware executes itself with admin privileges using the ProcessStartInfo and setting the Verb property of the startInfo object to runas. The figure below shows the code snippet used by the ransomware for privilege escalation.

Figure 5 – Privilege Escalation by Killnet

To achieve persistence, the ransomware drops itself into C:\Users\<username>\AppData\Roaming folder as cmd.exe. and adds a shortcut link for dropped cmd.exe in the StartUp folder.

After the system restart, the link in the startup folder executes the malicious cmd.exe. The figure below shows the code to drop the ransomware and create a startup folder link.

Figure 6 – Killnet Ransowmare Code for Persistence

After achieving persistence, the ransomware disables data recovery and starts encrypting files in parallel. The ransomware deletes shadow copy, disables recovery mode, and deletes the backup catalog from the system.

These operations are performed to disable future data recovery. The figure below shows the commands run by the ransomware to disable the data recovery.

Figure 7 – Ransomware Disabling Data Recovery

The ransomware then encrypts the selected files in the system. Initially, the ransomware looks for logical drives other than C:\ drive and encrypts all files present in those logical drives.

Then ransomware encrypts only specific folders in the C:\ drive, excluding important system files, indicating that threat actors are not interested in crippling the entire system.

Below is a list of the specific folders in C:\ drive targeted by the ransomware :

DesktopLinksContactsDesktop
DocumentsDownloadsPicturesMusic
OneDriveSaved GamesFavoritesSearches
VideosApplicationDataCommonDocumentsCommonPictures

The figure below shows the code used to encrypt files.

Figure 8 – Routine for Data Encryption

The ransomware has a hardcoded list of more than 200 file extensions, and it encrypts files if the file extension matches the existing hardcoded list. The figure below shows the hardcoded extensions.

Figure 9 – File Extensions Targeted by the Killnet Ransomware

After data encryption, the ransomware then appends the “.killnet” extension to the encrypted files and drops a note into the directories. The figure below shows the code for dropping the note.

Figure 10 – Code for Dropping Ransom note

While encrypting the data, the ransomware then changes the desktop background of the system. The figure below has the code to change the desktop background.

Figure 11 – Routine for Changing the Desktop Background

The following figure shows the note dropped by the ransomware and its translation.

Figure 12 – Note Dropped by Killnet Ransomware

Conclusion

With the ongoing conflict in Ukraine, multiple threat actors or hacktivists are creating destructive malware to target adversary nations. Killnet ransomware does not ask for any ransom, indicating that the Killnet group is motivated by geo politics instead of monetary gains.

This type of ransomware shows a new trend where TAs use destructive malware to send a political message. To drop such malware, TAs could drop malware in existing compromised systems or leverage phishing and cracked software.

Our Recommendations

  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
  • Avoid downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Refrain from opening untrusted links and Email attachments without first verifying their authenticity.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
PersistenceT1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
DiscoveryT1083File and Directory Discovery
ImpactT1486Data Encrypted for Impact

Indicators of Compromise

IndicatorsIndicator
Type
Description
ff00932cd0294036b814c71b2c4b624c 58307a32323d2784df65b473fd4244ef0d5e7447 db1c8ddcdfea93031a565001366ffa9fdb41a689bddab46aec7611a46bb4dc50MD5 SHA1 SHA256Killnet Executable
13[.]107[.]4[.]52IPNetwork Activity
Scroll to Top