Analyzing the encryption method of emerging ransomware families

Cyble has recently published an analysis of AXLocker ransomware, a new ransomware that has been seen for the first time in november this month.

As the article explains, the ransomware encrypts and exfiltrates data using discord. In this report we will focus on the encryption routine of this new artifact, which we can see in its “EncryptionFile” method.

First, it obtains a string stored in the variable “password” (“WnZr4u7xh60A2W4Rzt”) which is hashed using the SHA256 algorithm.

c889bdf9d6ba1d89aa7b99043f2e78d923158ff245b664d247be26840b97bd2a

Using this password and a “salt” initialized to the first 8 bytes, the program derives a 256-bit key that it will use to encrypt the files with AES-256.

When ransomware uses this type of symmetric encryption, it usually generates a random password or “salt” that it sends to the C2 before encryption. This way the attackers are the only ones who know the key used for encryption.

Since this is the AES-256 algorithm in CBC mode, it will also require a 128-bit initialization vector (IV) that performs an XOR operation with the first block.Therefore, the key we will derive will be 384 bits (256 bits for the key + 128 bits for the IV).

In this case, since the password and “salt” values are static, the same key and IV will always be generated.

To check that it works properly, let’s perform a small proof of concept. For the test, we are going to use the following file “test.txt”

When the ransomware is executed, the content of the file looks like this.

Finally, if we use the above key and IV, we can easily decrypt the file.

Performing an active search in public sources, we have found several .NET samples that use the same “insecure” encryption method. These samples belong to the following ransomware families:

Comparing the samples we noticed that GetF**ed and Clownic share an identical “Main()” function. Which is quite similar to the AXLocker main function.

This “Main()” matches the main function of hiden-tear, the first ransomware that was released as open-source in August 2015 by Uktu Sen. The code is publicly available on github and can be easily modified.

Hiden-tear has specific functions to create a random password and send it to a C2 controlled by the attacker. However, these families do not seem to have the necessary infrastructure to be able to implement this and have opted to leave the password hardcoded in the binary.

On the other hand, ElevateRansom, A.E.S.R.T, SLAM and CBTL share very similar “Start()” functions that perform almost the same functions.

These ransomwares have more capabilities than the previous ones by deleting shadow copies, the backup catalog and disabling the widows security mode. These capabilities match those provided by the Chaos builder ransomware also based on hiden-tear, so these three groups may have based some of their logic on that builder.

Therefore, since all samples are hiden-tear based and none use random password generation it is not difficult to extract the decryption keys from each of the samples.

As these are emerging groups and relatively new samples, all indications are that the operators behind the ransomware are testing their artifacts. It is interesting to have them located in these early iterations in order to be able to observe their evolution.

Customers with Lab52’s APT intelligence private feed service already have more tools and means of detection for this campaign.
In case of having threat hunting service or being client of S2Grupo CERT, this intelligence has already been applied.

If you need more information about Lab52’s private APT intelligence feed service, you can contact us through the following link