RansomExx: ransomware behind attacks on Brazilian shops

RansomExx - the ransomware behind the attacks on Brazilian brands

Ransomware attacks against Brazilian shops and businesses in recent days have resonated across the country because of their destructive power, and the use of RansomExx in them has attracted attention. Because the malware has evolved to affect Linux systems as well as Windows, it has become a much more dangerous threat to organisations and government entities. ISH's delivery management and security services team has therefore written a more detailed report on RansomExx and on ways to mitigate it.

RansomExx - Overview

RansomExx, also known as Ransom X, Target777, Defray777, Defray and Defray 2018, is a ransomware family active since 2018 that attacks companies worldwide. Attributed to the Gold Dupont and Sprite Spider groups, this ransomware is notable for its evolution: it attacks not only Windows machines but has been ported to affect Linux systems as well.

Windows version

As the malware runs entirely in memory, few samples have been recovered. It is usually delivered as a secondary payload in memory, without ever touching the disk, which makes it harder to detect. In recent cases the malware was loaded into memory and executed by Cobalt Strike, which in turn was delivered and loaded by the Vatet loader. The Windows variant also has a feature already seen in other ransomware: it disables various security products so that it can run on the infected machine.

In an analysis conducted by Cybereason on a sample of the malware, it was revealed that the code is partially obfuscated but includes indicative information, such as the string "ransom.exx". After execution, RansomExx starts decrypting some strings necessary for its operation, most of them related to logging. RansomExx then spawns a separate background thread to handle the logging process. Execution continues with the shutdown of system processes and services that might interfere with the malware, excluding those that it needs for its own execution.

The commands listed below are executed by RansomExx after encryption. Their purpose is to prevent the victim from restoring their system, for example by deleting backups and preventing Windows Error Recovery from running. Finally, a ransom note is left on the machine.

Command: "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
Action:  fsutil.exe deletes the Update Sequence Number (USN) journal

Command: "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
Action:  wbadmin.exe deletes the backup catalogue

Command: "C:\Windows\System32\wevtutil.exe" cl Setup
         "C:\Windows\System32\wevtutil.exe" cl System
         "C:\Windows\System32\wevtutil.exe" cl Application
         "C:\Windows\System32\wevtutil.exe" cl Security
Action:  wevtutil.exe clears the Setup, System, Application and Security event logs

Command: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
         "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
Action:  bcdedit.exe disables recovery mode

Command: "C:\Windows\System32\cipher.exe" /w:C:
Action:  cipher.exe overwrites deleted files on the C: drive

Command: "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
Action:  schtasks.exe disables System Restore by disabling its scheduled task

Command: "C:\Windows\System32\wevtutil.exe" sl Security /e:false
Action:  wevtutil.exe disables the Security event log
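As an added example (written for this page, not code from the original report or from any vendor), the following Python sketches detection logic for the post-encryption commands in the table: each command line is matched against a pattern, and hits are correlated by parent process, because a single log clear may be legitimate administration while several distinct recovery-inhibition behaviours from one parent is the pattern described above. The event fields, parent process names and PIDs are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Recovery-inhibition and log-tampering patterns lifted from the command table above.
# Each regex tolerates the quoted full path (the closing quote sits between the
# executable name and its first argument) and is matched case-insensitively.
# The second element is the MITRE ATT&CK technique the behaviour maps to.
RULES = {
    "usn_journal_deleted":     (r'fsutil(?:\.exe)?"?\s+usn\s+deletejournal', "T1490"),
    "backup_catalog_deleted":  (r'wbadmin(?:\.exe)?"?\s+delete\s+catalog', "T1490"),
    "event_log_cleared":       (r'wevtutil(?:\.exe)?"?\s+(?:cl|clear-log)\s+\S+', "T1070.001"),
    "event_log_disabled":      (r'wevtutil(?:\.exe)?"?\s+(?:sl|set-log)\s+\S+.*?/e:false', "T1562.002"),
    "boot_recovery_disabled":  (r'bcdedit(?:\.exe)?"?\s+/set\s+.*?'
                                r'(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)', "T1490"),
    "free_space_wiped":        (r'cipher(?:\.exe)?"?\s+/w:', "T1490"),
    "system_restore_task_off": (r'schtasks(?:\.exe)?"?\s+/change\s+.*?systemrestore\\sr\b.*?/disable', "T1490"),
}
COMPILED = {name: (re.compile(rx, re.IGNORECASE), tid) for name, (rx, tid) in RULES.items()}

# Constructed process-creation events (the shape of Sysmon Event ID 1 / Security 4688,
# reduced to the fields the logic needs). Parent names and PIDs are made up.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "ransom.exe",   "cmd": r'"C:\Windows\System32\fsutil.exe" usn deletejournal /D C:'},
    {"pid": 4124, "parent": "ransom.exe",   "cmd": r'"C:\Windows\System32\wbadmin.exe" delete catalog -quiet'},
    {"pid": 4130, "parent": "ransom.exe",   "cmd": r'"C:\Windows\System32\wevtutil.exe" cl Security'},
    {"pid": 4131, "parent": "ransom.exe",   "cmd": r'"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no'},
    {"pid": 4135, "parent": "ransom.exe",   "cmd": r'"C:\Windows\System32\cipher.exe" /w:C:'},
    {"pid": 4140, "parent": "ransom.exe",   "cmd": r'"C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable'},
    {"pid": 4150, "parent": "ransom.exe",   "cmd": r'"C:\Windows\System32\wevtutil.exe" sl Security /e:false'},
    {"pid": 5000, "parent": "explorer.exe", "cmd": r'"C:\Windows\System32\wevtutil.exe" qe Application /c:5'},  # benign query
    {"pid": 5001, "parent": "cmd.exe",      "cmd": r'"C:\Windows\System32\bcdedit.exe" /enum'},                   # benign
]

def match_command(cmd: str) -> List[str]:
    """Names of every rule the command line triggers (empty for benign commands)."""
    return [name for name, (rx, _) in COMPILED.items() if rx.search(cmd)]

def detect(events, min_distinct: int = 2) -> Dict[str, List[str]]:
    """Correlate hits by parent process. A single 'wevtutil cl' can be an admin
    at work; a parent that spawns at least `min_distinct` different
    recovery-inhibition behaviours matches the post-encryption pattern above."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_command(ev["cmd"]):
            hits[ev["parent"]].add(name)
    return {p: sorted(n) for p, n in hits.items() if len(n) >= min_distinct}

def techniques(rule_names: List[str]) -> List[str]:
    """Distinct ATT&CK technique IDs behind a set of rule hits, for the alert text."""
    return sorted({COMPILED[n][1] for n in rule_names})

if __name__ == "__main__":
    for parent, names in detect(SAMPLE_EVENTS).items():
        print(f"ALERT parent={parent} behaviours={names} attack={techniques(names)}")
```

In production the same patterns would be fed process-creation telemetry from an EDR or SIEM rather than the inline list, and the parent process would be joined with the image path and user for triage.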

Linux version

Able to infect Linux systems since at least July 2020, the group operating the ransomware can target any infrastructure capable of running ELF binaries, such as VMware ESXi servers. The victims affected by this version are organisations that use virtualisation to host many of their corporate systems on these ESXi servers. By deploying the ransomware on the ESXi hosts themselves, the group quickly increases the number of affected systems within the victim's environment.

The Linux version contains the same file scanning and encryption logic as the Windows version and takes a command line argument with the path to the directory where it starts its recursive encryption process. Files are encrypted with AES in ECB mode using a uniquely generated 256-bit key for each file; the cryptographic scheme is implemented with functions from the open source mbedtls library. Each per-file key is then encrypted with an embedded 4096-bit RSA public key and appended to the encrypted file. In addition, the malware starts a thread that regenerates and re-encrypts the AES key every 0.18 seconds. Each victim is targeted with a unique build containing a unique RSA public key; if the victim pays the ransom, they receive a decryption tool containing the private RSA key that matches that public key.

To compromise ESXi devices, operators attempt to collect credentials that can be used for authentication in the vCenter web interface. Attempts are made to retrieve vCenter credentials stored in web browsers, as well as collect credentials from host memory. After authentication to vCenter, SSH is enabled to allow persistent access to ESXi devices. In some cases, the group also changes the root account password or SSH keys of the host.

Although quite effective, the Linux version lacks many of the additional features of the Windows version: it has no C&C communication, does not shut down running processes and does not disable security software, among other things.

IoCs - Indicators of Compromise

Some indicators of compromise can be found below:

Yara Rule

As a way to assist Threat Hunting teams, McAfee has developed a rule to detect the threat for both Windows and Linux versions, as can be seen below:

rule RANSOM_ransomexx_windows
{
  meta:
    description = "Rule to detect Windows and Linux version of RansomeXX"
    author = "McAfee ATR team"
    rule_version = "v1"
    mitre_attack = "T1027,T1497.001,T1083,T1057,T1012,T1082,T1033,T1129,T1543.003"
    malware_type = "Ransom"
    malware_family = "Ransom:Win/RansomeXX"
    actor_type = "Cybercrime"
    actor_group = "Unknown"
  strings:
    $0 = {223E95459D82E1E7229F633169D26B57474FA337C9981C0BFB91314D55B9E91C5A5EE49392CFC52312D5562C4A6EFFDC10D0685A194D5E2B31581454DEF675FB7958FEC7DB873E5689FC9D03217C68D8033820F9E65E04D856F3A9C44A4CBDC1D00846F5983D771C1B137E4E0F9D8EF409F92ED254FCFF021E69D229C9CFAD85FA486C1B54B8FF0642BFF521F15C1C0B665F3F34011656B429008F3563ECB5F2590723A054303D8A7EA9889D903E077C6F218F44416AC2D1F53C583303917E6BE9EBE048E31E9E256718F29229319C19F15BA4058CCFFDBBCB382D1F6F56585D8A4ADEC34C052CC0DA8D73451A}
    $1 = {FC54612808977EE8F548B2258D310BDC9D2D256B3EE9DAAE347BE6F4DC835A467FFE8EB208F7E05D987A9B044A8E98C6B087F15A0BFC5D0689EF49D2FAE572B881B123A85FFA21595F36F71C27109C692C1B56BBDCEB5B9D2865B3708DBC12A053384A9C0C88E405A06C27DCF49ADA62EB2BB0E20B6E3116640286ED3A87A5713079B21F51899B752E45573D4B39F4DBD3323CAB82BF63326BFB982F}
    $2 = {7C09E81700C11004018D9A9AEAC0F6596F559C6D4DAF59A5F26D9F200857CA6C3E9CAC524BD9ACC92ADC7E84BFDA79164B7ECD8486985D38604FEBDC6740D20B3AC88F6AD82A4FB08D71AB47A086E86EEDF39D1C5BBA97C4080126141D67F37BE8538F5A8BE740E484AE6852F8121067CC4BF7A5765577F39E7E24067817FAE0D7}
    $3 = {2A755EE16E1430B26E1430B26E1430B2943729B26C1430B2676CA3B2791430B26E1431B2811430B201629BB2711430B201629AB2161430B201629FB2451430B20162AEB2791430B20162ABB26F1430B20162ADB26F1430B2}
    $4 = {EC9B9FE9A3EADDA692CD43D2F59598ED858C02C2652FBF922EC454185E6A16936E39334038ACEF838BFB186FFF7480ADC4289382ECD6D394F0AF85336B597AFC1A900B2EB21EC949D292DF4C047E0B2153}
    $5 = {16918F03F53C52DAC54ED8259740051E9C5FECF64344F7A82260EDCC304C6528F659C77866A510D9C1D6AE5ECDC80D6FDDF18CAB34C25909C99A4174FCC28B8D}
    $6 = {004503615937300CE53865A20D27086D422F631D5F08017241651B402B19050DDD54D3334D34224351BB2006285551897457671F526F38B091A20CD280000000}
    $7 = "!NEWS_FOR" fullword ascii
    $8 = "Study this message REGARDFULLY" fullword ascii
  condition:
    (uint16(0) == 0x5a4d or uint32(0) == 0x464C457F) and filesize < 500KB and 4 of them
}

Another Yara rule is available on Malpedia and is able to detect the Windows version of the threat (win.ransomexx):

rule win_ransomexx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.ransomexx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 8bcf 895dfc 8955f4 e8???????? 85c0 7975 895dfc }
            // n = 7, score = 100
            //   8bcf                 | mov                 ecx, edi
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   e8????????           |
            //   85c0                 | test                eax, eax
            //   7975                 | jns                 0x77
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx

        $sequence_1 = { 2bfe 8945fc 83ff40 721f 8b4508 53 e8???????? }
            // n = 7, score = 100
            //   2bfe                 | sub                 edi, esi
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   83ff40               | cmp                 edi, 0x40
            //   721f                 | jb                  0x21
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   53                   | push                ebx
            //   e8????????           |

        $sequence_2 = { 7410 817df8f0070000 7507 56 ff15???????? 5b 56 }
            // n = 7, score = 100
            //   7410                 | je                  0x12
            //   817df8f0070000       | cmp                 dword ptr [ebp - 8], 0x7f0
            //   7507                 | jne                 9
            //   56                   | push                esi
            //   ff15????????         |
            //   5b                   | pop                 ebx
            //   56                   | push                esi

        $sequence_3 = { 6a00 33ff 8d442474 e8???????? 83c404 85c0 0f8535020000 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   33ff                 | xor                 edi, edi
            //   8d442474             | lea                 eax, dword ptr [esp + 0x74]
            //   e8????????           |
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   0f8535020000         | jne                 0x23b

        $sequence_4 = { 884736 c1ea10 0fb65640 885737 0fb6464f 884738 c1e908 }
            // n = 7, score = 100
            //   884736               | mov                 byte ptr [edi + 0x36], al
            //   c1ea10               | shr                 edx, 0x10
            //   0fb65640             | movzx               edx, byte ptr [esi + 0x40]
            //   885737               | mov                 byte ptr [edi + 0x37], dl
            //   0fb6464f             | movzx               eax, byte ptr [esi + 0x4f]
            //   884738               | mov                 byte ptr [edi + 0x38], al
            //   c1e908               | shr                 ecx, 8

        $sequence_5 = { f30f7f0a f30f6f4210 f30f6f8ab0000000 660f38dbc0 660f38dbc9 f30f7f82b0000000 }
            // n = 6, score = 100
            //   f30f7f0a             | movdqu              xmmword ptr [edx], xmm1
            //   f30f6f4210           | movdqu              xmm0, xmmword ptr [edx + 0x10]
            //   f30f6f8ab0000000     | movdqu              xmm1, xmmword ptr [edx + 0xb0]
            //   660f38dbc0           | aesimc              xmm0, xmm0
            //   660f38dbc9           | aesimc              xmm1, xmm1
            //   f30f7f82b0000000     | movdqu              xmmword ptr [edx + 0xb0], xmm0

        $sequence_6 = { 6a00 ff15???????? 8b1d???????? 57 6a00 6a01 }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   ff15????????         |
            //   8b1d????????         |
            //   57                   | push                edi
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_7 = { 8b4df8 40 49 8945fc }
            // n = 4, score = 100
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   40                   | inc                 eax
            //   49                   | dec                 ecx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_8 = { 897c2418 75a4 8db42460020000 8d5c2470 e8???????? 8bf0 }
            // n = 6, score = 100
            //   897c2418             | mov                 dword ptr [esp + 0x18], edi
            //   75a4                 | jne                 0xffffffa6
            //   8db42460020000       | lea                 esi, dword ptr [esp + 0x260]
            //   8d5c2470             | lea                 ebx, dword ptr [esp + 0x70]
            //   e8????????           |
            //   8bf0                 | mov                 esi, eax

        $sequence_9 = { 40 8bc8 c1e105 8bb9084c4200 0bb90c4c4200 75c8 5f }
            // n = 7, score = 100
            //   40                   | inc                 eax
            //   8bc8                 | mov                 ecx, eax
            //   c1e105               | shl                 ecx, 5
            //   8bb9084c4200         | mov                 edi, dword ptr [ecx + 0x424c08]
            //   0bb90c4c4200         | or                  edi, dword ptr [ecx + 0x424c0c]
            //   75c8                 | jne                 0xffffffca
            //   5f                   | pop                 edi

    condition:
        7 of them and filesize < 372736
}

Preventing Ransomware Attacks

Keep encrypted, offline data backups and test them regularly. Backup procedures should be performed regularly. It is important that backups are kept offline, as many variants of ransomware attempt to locate and delete or encrypt accessible backups.

In addition, create, maintain and execute a basic cyber incident response plan, a recovery plan and an associated communications plan:

  • The cyber incident response plan should include response and notification procedures for ransomware incidents. We recommend the CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide for more details on creating a cyber incident response plan.
  • The recovery plan should address how to operate if you lose access to or control of critical functions. CISA offers no-cost, non-technical cyber resilience assessments to help organisations assess their operational resilience and cyber security practices.

Also mitigate Internet-facing vulnerabilities and misconfigurations to reduce the risk of actors exploiting this attack surface:

  • Employ best practices for using Remote Desktop Protocol (RDP) and other remote desktop services. Threat actors often gain initial access to a network through exposed and poorly secured remote services and then propagate ransomware from there;
  • Audit the network for systems using RDP and close unused RDP ports. Apply account lockouts after a specified number of failed attempts, enforce multi-factor authentication (MFA) and log RDP login attempts;
  • Perform regular vulnerability scans to identify and address vulnerabilities, especially those in Internet-facing devices. CISA offers a range of free cyber hygiene services, including vulnerability scanning, to help critical infrastructure organisations assess, identify and reduce their exposure to cyber threats such as ransomware. By taking advantage of these services, organisations of any size receive recommendations on ways to reduce their risk and mitigate attack vectors;
  • Update software, including operating systems, applications and firmware, in a timely manner. Prioritise timely remediation of critical vulnerabilities and of vulnerabilities in Internet-facing servers, as well as in software that processes Internet data such as web browsers, browser plug-ins and document readers. If rapid remediation is not feasible, implement vendor-provided mitigations;
  • Ensure devices are configured correctly and security features are enabled; for example, disable ports and protocols that are not being used for a business purpose;
  • Disable or block inbound and outbound Server Message Block (SMB) traffic and remove or disable outdated versions of SMB.

Reduce the risk of phishing emails reaching end users:

  • Enable spam filters;
  • Implement a cyber security user awareness and training programme that includes guidance on how to identify and report suspicious activity (e.g. phishing) or incidents.

Use the best available cyber security practices:

  • Ensure antivirus software, anti-malware software and signatures are up to date;
  • Implement application allowlisting;
  • Ensure that user accounts and privileges are limited through account usage policies, user account control and privileged account management;
  • Employ MFA for as many services as possible, especially for webmail, virtual private networks (VPNs) and accounts that access critical systems.

References

  1. https://kc.mcafee.com/corporate/index?page=content&id=KB93665
  2. https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx
  3. https://otx.alienvault.com/pulse/611ecd98c0e17d68bf061a06/
  4. https://www.trendmicro.com/en_ie/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html
  5. https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware
  6. https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/
  7. https://www.kaspersky.com.br/blog/ransomexx-egregor-ransomware-ataques/16712/
  8. https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4/
  9. https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/
  10. https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/
  11. https://unit42.paloaltonetworks.com/ransomware-threat-assessments/8/
  12. https://github.com/pan-unit42/iocs/blob/master/Defray777_IOC.text
  13. https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf

By Nathalia Ordonio Magalhaes Palmeira and Paulo Trindade