On the heels of WannaCry, or even in parallel, another type of ransomware is making the rounds: AES-NI. Over the past three months, researchers have identified three different versions – or generations – which have been detected in the wild and found at impacted organizations. Read the technical writeup from our Threat Guidance team here.
See Cylance in action against AES-NI ransomware here:
VIDEO: Cylance vs. AES-NI/ SOREBRECT Ransomware
The earliest iterations of AES-NI ransomware trace their origin to December 2016. From the beginning, it had a “fileless,” self-destructing nature. In simple terms, the initial binary disappears and spawns additional functionality to encrypt files and speak to a command-and-control (C2) server.
Cylance’s unique research found that the XData version came out in mid-May. Its code is based on the original AES-NI version, but there are some notable differences such as XData not using TOR for its C2 server and a different usage of process injection techniques.
In an unusual twist, the original developer came out on Twitter disassociating himself from the newer variants, and actually issued decryption keys. He claims that others are trying to frame him for the newer, wider-spread versions.
While the command and control is to targeted TOR servers, there doesn’t appear to be an actual targeted attack (based on how dispersed the affected countries are).
Industries affected include manufacturing, technology, and telecommunication, but we believe that these industries are mostly random, rather than targeted attacks on these organizations.
The initial version of AES-NI was found in Middle Eastern countries Kuwait and Lebanon. By the beginning of May, however, our sensors detected AES-NI (aka SOREBRECT) in Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the United States.
The initial self-destructing binary initially lands a payload to gather system-level information along with geo-location. This could be valuable in targeted attacks, such as one on the Ukrainian government, or other scenarios that require the ransomware to communicate with servers associated with a specific region.
AES-NI encrypts files using AES-256 and RSA-2048 keys. In the initial version, it renames files with the appendix string .aes_ni_0day. In the newer version, this changed to .~xdata~.
This is actually a pretty intelligent type of ransomware for a couple of reasons. First, it’s smart enough to avoid system folders and ultra small files. This allows the ransomware to not disrupt the machine operation, to allow it to maximize damage, and focus on valuable assets rather than small dummy files.
Next, AES-NI impacts folders on open network shares (notably of the C$ and IPC$ variety).
Finally, instead of popping up a message, it places a text file in each directory in which it encrypts files. This allows the ransomware to be unseen and invisible – it’s silent destruction, and the longer it lives on in your system, the more access it gets.
What we’ve seen is that there is no slowdown in ransomware, regardless of developer source. While much was made of the EternalBlue NSA leak – leading to WannaCry and other variants – newer, more advanced ransomware continues to exist in the wild, though they may not get the media attention of WannaCry.
The fact that they aren’t getting much media attention actually makes this type of ransomware potentially more powerful, as fewer organizations are alerted to the threat and therefore don’t take the necessary steps to protect themselves from it.
CylancePROTECT® stops both file and fileless malware, including that of the self-destructing variety. Since it operates pre-execution – before it enters memory – ransomware never has a chance to do damage or communicate with C2 servers.
It runs silently in the background to detect malicious files, with configurable options across memory, script, file, and network protection. In essence, Cylance predict attacks – far in advance – without the blind spots in legacy tools.
Finally, the CylancePROTECT Dashboard offers insight into “what could have been,” aiding in investigations on unprotected machines. But those with CylancePROTECT won’t require remediation or cleanup.