The McAfee Advanced Threat Research team recently analyzed a ransomware-as-a-service threat that is available for free and without registration. This malware was first seen in July 2017 with the extension .shifr. It has now appeared in recent detections with the extension .cypher.
Ransomware-as-a-service is a cybercrime economic model that allows malware developers to earn money for their creations without the need to distribute their threats. Nontechnical criminals buy their wares and launch the infections, while paying the developers a percentage of their take. The developers run relatively few risks, and their customers do most of the work.
Some ransomware-as-a-service, such as RaaSberry, use subscriptions while others require registration to gain access to the ransomware. The ransomware developer hosts a service on the “dark web” that allows any buyer to create and modify the malware. For example, the buyer can add custom ransom notes and the amount of the payment. More advanced services offer features such as evasion techniques to avoid detection and analysis. The service can also offer a control server with an administration panel to manage each victim. This system is convenient for both the developer, who makes money by selling malware, and for buyers, who gain ready-to-deploy ransomware without needing any specific coding knowledge.
The underground economy behind this service is well organized, effectively offering a cybercrime infrastructure. Basically, the ransomware is available on a website. The buyer sets up the ransomware by adding a wallet address. The ransomware is then available to download. The buyer just needs to customize and spread the malware. When a victim pays the ransom, a percentage is delivered both to the buyer and to the malware coder.
The ransomware is available on the TOR network at hxxp://kdvm5fd6tn6jsbwh.onion. A web page guides buyers through the configuration process.
On the configuration page, a generic XMPP address suggests we may have found a demo version of the ransomware.
On the page, the buyer need only to add a Bitcoin wallet address and the amount of the ransom. Once that is done, the malware is generated and can be downloaded. With this malware, the developer earns a 10% commission on every payment. Now let’s look at the malware sample.
When the malware launches on the victim’s system, it checks for an Internet connection. If there is none, it exits the process. Otherwise, it contacts the following addresses to download the encryption key:
Once the file is running, it creates several files on the system:
- Encryption_key: the RSA key encrypted in AES
- Lock_file: an indicator that the system is encrypted
- Uuid_file: a reference for the infected machine. A TOR address is generated with this ID.
The encryption key is downloaded from hxxps://kdvm5fd6tn6jsbwh.onion.to/new_c/xmKksHw53W433lmvNsdzGxqWLcPLA44Dyna.
The ransom note is created on the desktop.
The file “HOW_TO_DECRYPT_FILES.html” gives a link to the TOR network.
Once the files are encrypted, the ransom note is displayed in HTML and points to the TOR site hxxp://kdvm5fd6tn6jsbwh.onion/ with the ID of the infected machine.
Allegedly after payment, the victim can download the file decrypter.exe and unlock encrypted files, which have the extension .cypher.
The malware encrypts the following file extensions:
The targeted extensions include many picture and photography files related to Canon, Kodak, Sony, and others. There are also extensions for AutoCAD, Autodesk projects, scalable vector images, and Microsoft Office files. These files are mostly used by designers, photographers, architect—and many others.
The malware runs on 64-bit systems and is coded in Golang (“Go language,” from Google), a programming language similar to C with some improvements in error management. It is not common to find malware using Golang, although this is not the first time that we have analyzed such malware. This threat is pretty big compared with most other malware, larger than 5.5MB. The file size can make analysis more difficult and can also help evade hardcoded antimalware file-inspection sizes.
Reverse engineering in Golang is a bit different than other languages. Golang binaries are usually bigger than other executables. (By default, the compiler statically links the program’s libraries, resulting a bigger file.)
A drawback for attackers is that such big binaries can be easily detected on a corporate network. Large files are “noisier” and may appear suspicious when arriving from an external source. They can also be less convenient for attackers to deal with because they can make the infection process more difficult.
The first interesting function to analyze in a Golang binary is the “main_main.” The malware starts by gathering environment variables. It then checks whether the file “lock_file” exists in the directory C:\Users\<username>\AppData\Roaming.
The function “main_Exists” will check for the file. If it does not exist, the malware exits the process.
If the file does exist, the malware downloads the public key from the control server.
The malware contacts the address hxxps://kdvm5fd6tn6jsbwh.onion/new_c/<nameofmalware>. The encryption public key is stored directly on the website.
This address is generated when the buyer creates the ransomware on the developer’s web page; thus the same malware encrypts files with the same public key.
The malware generates the AES key and tries to find any network share by querying the letters.
This function tries to find network shares:
Before a file is encrypted, the malware creates another file in C:\Users\<username>\AppData\Roaming\uuid_file to use as a victim identifier.
The malware encrypts the files using AES and deletes them after encryption with the function “os.remove” to avoid any simple forensic recovery.
The decrypter, which can be downloaded, works in a similar way but it requests the private key that the victims must pay for at hxxps://kdvm5fd6tn6jsbwh.onion.to/get_privkey/math/big. The mechanism behind the encryption routine seems to be on the online server and the decryption key cannot be easily recovered.
The following information describes the decrypter.
Cybercrime-as-a-service is not new, yet it is now more widespread than ever. In this case, the malware is available for free but the ransomware developer earns a 10% fee from each victim who pays a ransom. The use of Golang is not common for malware. Most ransomware-as-a-service is not free, which could indicate this might be a demonstration version, or a proof of concept for future sale.
This malware is not advanced and was coded without evasion techniques, such as DGA, SSL for control, encryption, or even file compression. Looking at the targeted file extensions suggests the victims can range from general home or business users to the graphics industry. Although such malware is not difficult to analyze, it can be very destructive in a corporate environment.
Keep in mind that paying a ransom is no guarantee of receiving a decryption key. McAfee advises that you never pay a ransom. You can find further information and help on unlocking some ransomware threats at https://www.nomoreransom.org.
McAfee detects this threat as Ransomware-FPDS!0F8CCEE515B8.
Indicators of Compromise
- C:\Users\< username >\Desktop\HOW_TO_DECRYPT_FILES.html