When we talk about ransomware, we need to draw a line between what it used to be and what it currently is. Why? Because nowadays ransomware is not just about encrypting data – it’s principally about data exfiltration. After that, it’s about data encryption and leaving convincing is evidence that the attacker was in the network, and finally, it’s extortion. And again, it’s not about the data loss itself but about publishing stolen data on the internet. Let’s call it” Ransomware 2.0″.

Why is it so important to state this? Because many organizations still believe that it’s all about malware, and if your anti-malware protection is good enough, you’ll be OK. As long as people think this way, the ransomware menace actors will continue to succeed again and again.

In most cases, the initial vector of onslaught is exploiting some already known vulnerabilities in commercial VPN software. Other lawsuits involve abusing RDP-enabled machines exposed to the internet. Then there’s the exploitation of the vulnerable router firmware. As “youre seeing”, it’s not inevitably about malware but also bad practices, a lack of patching cycles, and general security procedures.

Sometimes ransomware threat performers may rely on traditional malware like botnet implants previously has decreased by other cybercriminal groups. And eventually, if we recall the Tesla story, the attempt to infect that factory was through someone working at the company. That means physical human access is also a vector. It is complex.

In all cases, the original entering degree is to start network reconnaissance, then lateral movement, then data exfiltration. Once it is done, it eventually comes to the ” coup de grace”- the ransomware. By the time ransomware is deployed, the anti-malware product might be already deleted or disabled by the threat actor because they already had full control over the domain network and could operate as legitimate administrators. So it is a matter of a full red squad operation that relies on different hacking techniques, including those to disable anti-malware solutions largely through legitimate tools and misc scripts. That lane, the threat actor doesn’t bother if the ransomware itself will be saw or not.

Different ransomware groups use different TTPs and different encryption techniques. Today we want to talk about two of them: Ragnar Locker and Egregor- a veteran and a newbie. Both singular and distant at the same time.

Ragnar Locker

Early variants of this malware were discovered in 2019; however, Ragnar Locker gained disrepute in the first three months of 2020 when it started to attack large-scale organizations.

Ragnar Locker is highly targeted, to the fullest extent that each individual sample is specifically tailored for the organization the actors are attacking. The group behind it loves to abuse RDP, while their favor payment technique is bitcoins.

This group owns three. onion domains available on Tor and one Surface Web domain registered on June 16, 2020.

If the victims refuse to pay, their stolen data is published in a so-called Wall of Shame section.

Screenshot of the Wall of Shame where stolen data is exposed

Curiously, this group is positioning itself as a bug bounty hunting group. They claim the payment is their bounty for learn vulnerabilities “thats been” exploited and to provide decryption for the files and OpSec training for the victim; and, ultimately, for not publishing the stolen data. Of course, if the victim refuses to pay, the data goes public. Besides that, if the main victims chats with the Ragnar Locker menace performer and fails to pay, then the chat is exposed together with the steal data.

In July 2020, Ragnar Locker made a public proclamation that the government has joined so-called ” Maze Cartel” distraction notion. It means to say that the groups cooperated, exchanging information stolen from victims and publishing it on their websites.

Example of a victim allegedly provided by Maze and was issued on the Ragnar Locker Wall of Shame page

You can read more about Maze Ransomware here.

Based on the list of victims who refused to pay, the main target of Ragnar Locker are US based corporations, while the type of industry varies.

! role( e, i, n, s ) var t= “InfogramEmbeds”, d= e.getElementsByTagName( “script” )[ 0 ]; if( window[ t ]&& window[ t ]. initialized) window[ t ]. process && window[ t ]. process (); else if (! e.getElementById( n )) var o= e.createElement( “script” ); o.async= 1, o.id= n, o.src= “https :// e.infogram.com/ js/ dist/ embed-loader-min.js”, d.parentNode.insertBefore( o, d )( document, 0, “infogram-async” );

Geography of Ragnar Locker victims( download)

! part( e, i, n, s ) var t= “InfogramEmbeds”, d= e.getElementsByTagName( “script” )[ 0 ]; if( window[ t ]&& window[ t ]. initialized) window[ t ]. process && window[ t ]. process (); else if (! e.getElementById( n )) var o= e.createElement( “script” ); o.async= 1, o.id= n, o.src= “https :// e.infogram.com/ js/ dist/ embed-loader-min.js”, d.parentNode.insertBefore( o, d )( document, 0, “infogram-async” );

Ragnar Locker victims by industry( download)

Technical description

For our analysis we decide to a recently encountered sample of the malware: 1195 d0d18be9362fb8dd9e1738404c9d

When started, Ragnar Locker checks the system locale of the machine it is executing on. If determines that it is the locale of one of the countries listed in the screenshot below, it will cease operation and exit without doing anything else.

For countries not on the above list, it will proceed to stop services with epithets containing any of the substrings hardcoded in the malware sample and obfuscated by RC4 😛 TAGEND

Afterwards, Rangar Locker will abort operating processes according to another substring listing contained inside the Trojan body 😛 TAGEND

Finally, when all the preparation is done, the Trojan will search for available drives and encrypt the victim’s files.

For file encryption RagnarLocker uses a tradition creek cipher based on the Salsa2 0 cipher. Instead of the standard initialization’ magic’ constants sigma=” expand 32 -byte k” and tau=” expand 16 -byte k” normally used in Salsa2 0, the Trojan produces new random values for each processed file. This is an unnecessary step which induces the cipher incompatible with the standard Salsa2 0, but doesn’t in fact enhance its security.

The key and nonce values are likewise uniquely generated for each file, and will be encrypted along with the constants described above by RSA employing the public 2048 -bit key hardcoded in the Trojan’s body.

The RNG is based on the MS CryptoAPI function CryptGenRandom, which is considered secure, and the SH-A2 56 hash algorithm. The RNG implementation appears a bit awkward, but we haven’t found any critical flaws in it.

The RNG procedure pseudocode used by a recent Ragnar Locker variant

After encrypting the content of each of the victim’s files, Ragnar Locker will append the encrypted key , nonce and initialization constants to the encrypted file, and finalize by adding the marker “!@# _( r) agna( r) _ #@!”

Trailing bytes of a file encrypted by Ragnar Locker

The ransom notes dropped by the Trojan contain the name of the victim organization which clearly indicates that the criminals utilize a targeted approach, identify their victim and carefully prepare the attack.

The ransom note also attempts to further scare the victim into paying by emphasizing that the threat actors have stolen confidential data in addition to the file encryption performed by the Trojan.

Egregor

Egregor ransomware is a new strain that was discovered in September 2020, and after the initial analysis we noticed code similarities between this new threat and Sekhmet ransomware, as well as the notorious Maze ransomware, which announced on November 1st, 2020 that they shut down.

Egregor continues at least one. onion realm and two Surface Web domains. The first Surface Web domain was registered on September 6, 2020 and the second one on October 19, 2020. At the time of preparation of, both Surface Web domains were intermittent. That is probably why on the main page of the Onion domain, there is a big disclaimer with this notice 😛 TAGEND

The Egregor ransomware is typically distributed by the criminals following a network breach. The malware sample is a DLL file that needs to be launched with the remedy password given as a command line argument. The DLL is usually dropped from the Internet. On occasions, the domains used to spread it exploit names or terms used in the victim’s industry.

Egregor is probably the most aggressive Ransomware family in terms of negotiation with the main victims. It commits merely 72 hours to contact the threat actor. Otherwise, the victim’s data is processed for publishing.

The ransomware pay is negotiated and agreed upon via a special chat assigned to each victim. The payment is received in BTC.

Example of a chat negotiating to pay the ransom

Technical description

b2 19303068 69 a3cdb85ca0d073a738c5

As mentioned above, the malware sample only runs if a correct password is provided during launch. The packer of the malware will use this password to decrypt the payload binary. A missing or incorrect argument will result in an incorrect decryption of the warhead, which will be unable to execute and will crash instead.

This technique is intended to hinder both automatic analysis in sandbox-type systems, and manual analysis by researchers: without the remedy password it is impossible to unpack and analyze the payload binary.

After unpacking two layers of the malicious packer, we be brought to an end with an obfuscated binary which is still not suitable for static analysis. The obfuscation techniques used in Egregor strongly resemble those in Maze and Sekhmet: the code is’ torn apart’ by control flowing obfuscation using conditional and unconditional hops, PUSH+ JMP instead of RETN, and so on.

Control flowing obfuscation example

When the payload starts executing, first of all, it will check the system and user language of the OS to avoid encrypting machines having one of the following languages installed 😛 TAGEND

Armenian( Armenia)

Azerbaijani( Cyrillic, Azerbaijan)

Azerbaijani( Latin, Azerbaijan)

Belarusian( Belarus)

Georgian( Georgia)

Kazakh( Kazakhstan)

Kyrgyz( Kyrgyzstan)

Romanian( Moldova)

Russian( Moldova)

Russian( Russia)

Tajik( Cyrillic, Tajikistan)

Tatar( Russia)

Turkmen( Turkmenistan)

Ukrainian( Ukraine)

Uzbek( Latin, Uzbekistan)

Then it will attempt to terminate the following entry processes 😛 TAGEND

This is intended to make writable potentially valuable files such as documents or databases that may have been in use at the moment of infection. In addition, some programs typically used by researchers, e.g ., procmon or dumpcap, are also listed for termination to further hinder dynamic analysis.

Egregor uses a hybrid file encryption strategy based on the creek cipher ChaCha and the asymmetric cipher RSA.

The RS-A2 048 master public key of criminal matters is embedded in the trojan’s body.

When executing on a victim’s machine, Egregor generates a new unique pair of conference RSA keys. The conference private RSA key is exported and encrypted by ChaCha with a uniquely made key+ nonce, then the key and nonce are encrypted by the master public RSA key. The results are saved in a binary file( in our case it’s named C :\ ProgramData \ dtb.dat ), as well as a base6 4-encoded string in the ransom notes.

For each data file Egregor processes, it generates a new 256 -bit ChaCha key and 64 -bit nonce, encrypts the file content by ChaCha, then encrypts them use the session public RSA key, and saves them along with some auxiliary datum in the end of the encrypted file.

The last 16 bytes of each encrypted file are comprised of a dynamic marker: a random DWORD and this same DWORD xor’ed with the value 0xB16B00B5 which equals’ BIGBOOBS’ in so-called leet speak, originally used by” hackers, crackers and script kiddies”, according to Wikipedia.

Part of the file encryption procedure pseudocode

The main page of the data leak website contains news about recently assaulted corporations together with some sarcastic remarks written by the ransomware group.

The archive part of the site lists the victims of the extortionists and the links to download the theft data.

Based on the information of those victims who refused to pay, the geographic reach of Egregor is route more extensive than that of Ragnar Locker 😛 TAGEND

! role( e, i, n, s ) var t= “InfogramEmbeds”, d= e.getElementsByTagName( “script” )[ 0 ]; if( window[ t ]&& window[ t ]. initialized) window[ t ]. process && window[ t ]. process (); else if (! e.getElementById( n )) var o= e.createElement( “script” ); o.async= 1, o.id= n, o.src= “https :// e.infogram.com/ js/ dist/ embed-loader-min.js”, d.parentNode.insertBefore( o, d )( document, 0, “infogram-async” );

Geography of Egregor victims( download)

The same is true for the number of assaulted industries 😛 TAGEND

! function( e, i, n, s ) var t= “InfogramEmbeds”, d= e.getElementsByTagName( “script” )[ 0 ]; if( window[ t ]&& window[ t ]. initialized) window[ t ]. process && window[ t ]. process (); else if (! e.getElementById( n )) var o= e.createElement( “script” ); o.async= 1, o.id= n, o.src= “https :// e.infogram.com/ js/ dist/ embed-loader-min.js”, d.parentNode.insertBefore( o, d )( document, 0, “infogram-async” );

Egregor victims by industry( download)

Conclusions

Unfortunately, Ransomware 2.0 is here to stay. When we talk about 2.0, we mean targeted ransomware with data exfiltration. The whole extortion process is primarily about the victims’ data not being published on the internet and only then about decryption. Why is it so important for the victims that their data is not published? Because possible suits and fines due to violations of regulations like HIPAA, PIC or GDPR can result in immense financial losses, reputational injury and potential bankruptcy.

As long as companies determine ransomware menace actors as typical malware threats, they will also fail. It is not about merely endpoint protection; it is about red teaming, business analysts working with exfiltrated documents evaluating the ransom to pay. It is also about data theft, of course, and public shaming, leading to all sorts of troubles in the end.

Our next chapter will cover something else- a perfect umbrella for different threat performers with different motivations operating under the aegis of Ransomware 2.0.

Read more: securelist.com