BlackBerry Blog

NemeS1S RaaS: Old Ransomware Disguised As New

/ 02.06.17 / Jim Walter

New ransomware-as-a-service (RaaS) offerings are being released more and more frequently. Only three years ago, we would see maybe three or four legitimate RaaS offerings appear every year. Now, we see far more, often several per month.

Needless to say, ransomware is not going anywhere, and the rapid proliferation of new RaaS offerings is making it that much easier for wanna-be cybercriminals to enter this dodgy business. The barrier to entry, in terms of both skill and finances, is essentially zero. There is no need to code, and no need to buy or subscribe to anything up front.

As is typical with this model, NemeS1S allows ‘users’ to generate unique ransomware binaries, track infections, and profit from their installs with absolutely no coding knowledge and no out-of-pocket expense. As with other RaaS offerings, the owner of the service takes a percentage of the profit from any payments received. In the case of NemeS1S, the percentage is set at 35% on every successful payment received.


The NemeS1S service went online in early January 2017, available openly via the TOR network. Early on, the service appeared to be incomplete. For example, binary generation and infected host tracking/relay services were not yet functional. However, as of the time of this writing, those kinks appear to have been worked out. The service now offers all the functionality that one would expect from a top-shelf RaaS offering.

These features include:

  • Full interactive technical support, with an SLA of 24 or 48 hours on complex issues
  • Full C2 functionality for tracking and managing infected hosts
  • The ability to generate multiple binaries (the actual ransomware). The system appears to require between 5 and 10 minutes between requests
  • The ability to create multiple, unique campaigns, and assign binary generation to those campaigns
  • The ability to interact and chat with infected clients (a feature rooted in PadCrypt - more on that soon)
  • Ransom amounts that can be altered per binary or per campaign

The initial NemeS1S dashboard can be seen in Figure 1 and Figure 2:

Figure 1: NemeS1S Ransomware Installation Dashboard

Figure 2: NemeS1S Ransomware Installation Dashboard

Within the NemeS1S control panel, the ransom amount, as well as the campaign configurations, are handled via the ‘Management’ widget. Within the campaign configuration, the user can generate new campaigns and perform other management and visibility functions. The ransom amount can be entered manually, and the only payment method currently supported is bitcoin (BTC).

Figure 3: NemeS1S Dashboard – Campaign Configurations

The owner/maintainer of the service provides a handy message when it comes to setting the ransom note (Figure 4):

Figure 4: NemeS1S Ransom Demands – Friendly Guideline

The ‘Installs’ widget allows the user to view successfully infected clients along with relevant system data for each host. Various other stats are also available, including Installs per day/month/year/all-time, and similar breakdowns for payment data (Figure 5).

Figure 5: NemeS1S Ransomware Dashboard: Infection Tracking and Management

More data is available when drilling into each specific host (Figure 6).

This includes the ability to send direct messages (DMs) to infected hosts and have those infected hosts respond as well. This is the ‘chat/support’ feature introduced in PadCrypt. NemeS1S is fully derived (really copied 100%) from PadCrypt.

Figure 6: NemeS1S Ransomware: Infected Host Drill-Down

New binaries can be created and downloaded via the ‘Download’ widget. New binaries can be generated frequently, though at least 10 minutes must pass between requests. This is a standard RaaS feature intended to evade detection: continually updated or altered copies of the ransomware easily bypass traditional, signature-based antivirus (AV) controls. Campaign-specific binaries can also be generated in this interface.

Figure 7: NemeS1S Dashboard – Malware Builder

Figure 8: NemeS1S Dashboard – Malware Downloads

But Wait… There’s More

While NemeS1S appears new and unique, and advertises itself as such, the malware code behind it is far from new or novel. The binaries generated are full variants/members of the PadCrypt family. Specifically, these are PadCrypt 3.0.

Figure 9: PadCrypt Strings

This fact becomes immediately apparent upon infection, but can also be observed quickly during standard static analysis procedures. Simply viewing strings on the malware will highlight the references to PadCrypt 3.0.

Figure 10: PadCrypt 3.0 Strings

During dynamic analysis, or legitimate infection for that matter, the PadCrypt-specific behaviors fully reveal themselves. This is readily observable in the updated desktop images and ransom note set for the infected user.

Figure 11: NemeS1S/PadCrypt Ransomware Messages

Figure 12: NemeS1S/PadCrypt Ransomware Messages

Figure 13: NemeS1S/PadCrypt Ransomware Messages

Infected clients are instructed to browse to a known PadCrypt decryption service in order to proceed with their payments.

Figure 14: NemeS1S/PadCrypt – Decryption Service

Technical Details

The full details on PadCrypt’s functionality and internals are well documented at this point. The malware binaries generated by the NemeS1S service are no different than any other PadCrypt 3.0 binary that might be encountered outside of this context.

Some specific high-level features include:

  • AES-256-based file encryption
  • Interactive chat
  • Encryption of all files and data types
  • Deletion of VSS (Volume Shadow Copies)
  • An uninstaller: The utility removes traces of the malware itself, but does not reverse the encryption of affected files
  • Adoption by, and distribution through, multiple affiliate operations
  • Anti-Analysis: Detection of virtual environments, with the intention of complicating automated analysis systems, sandboxes, etc.

The binaries analyzed to date are all written in .NET (x86, .NET Framework 4.5) and can therefore be easily decompiled and fully analyzed with whatever .NET toolset you prefer. Some examples of a decompiled binary are provided below (via dnSpy):
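As an added illustration of the two triage steps described above (the strings check for PadCrypt 3.0 references and the observation that the samples are .NET assemblies), here is a Python script that is not code from the post or from Cylance: it parses the PE header for the CLR runtime directory that marks a managed assembly and scans for the family marker in both ASCII and UTF-16LE, since .NET string literals are stored as UTF-16LE and an ASCII-only strings pass can miss them. The PE bytes it builds are a constructed stand-in, not one of the page's samples.

```python
import struct

def is_dotnet_pe(data: bytes) -> bool:
    """True when the PE image has a non-empty CLR runtime header (data directory 14),
    which is what marks a managed (.NET) assembly suitable for dnSpy-style decompilation."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20                            # skip PE signature and COFF header
    if len(data) < opt + 2:
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ directory offset
    if len(data) < dir_base + 15 * 8:
        return False
    clr_rva, clr_size = struct.unpack_from("<II", data, dir_base + 14 * 8)
    return clr_rva != 0 and clr_size != 0

def find_family_strings(data: bytes, marker: str = "PadCrypt") -> list:
    """Report which encodings of the family marker are present. .NET string literals
    live in the #US heap as UTF-16LE, so an ASCII-only strings pass can miss them."""
    encodings = (("ascii", marker.encode("ascii")), ("utf-16le", marker.encode("utf-16-le")))
    return [label for label, needle in encodings if needle in data]

def build_sample(dotnet: bool, utf16_marker: bool) -> bytes:
    """Constructed stand-in for a sample: a bare PE32 header plus one string.
    It is not one of the page's binaries and is not executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header follows DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                               # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR header RVA/size (made up)
    text = "PadCrypt 3.0"
    body = text.encode("utf-16-le") if utf16_marker else text.encode("ascii")
    return bytes(dos) + coff + bytes(opt) + body

def triage(data: bytes) -> dict:
    return {"dotnet": is_dotnet_pe(data), "padcrypt_strings": find_family_strings(data)}

if __name__ == "__main__":
    print(triage(build_sample(dotnet=True, utf16_marker=True)))
```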

Figure 15: NemeS1S Viewed in dnSpy

Figure 16: NemeS1S Viewed in dnSpy

Figure 17: NemeS1S Viewed in dnSpy

Figure 18: NemeS1S Resources in Disassembly

Figure 19: NemeS1S Viewed in dnSpy

Figure 20: NemeS1S Viewed in dnSpy

Mitigation

Cylance’s artificially intelligent endpoint protection product CylancePROTECT® fully detects and prevents execution of the NemeS1S/PadCrypt family of binaries. The maintainer of this service makes attempts to ensure evasion of traditional signature-based antivirus (AV) controls, and that has an impact on the dwell time for these binaries on systems employing those older-style controls.

However, they are no match for Cylance’s machine learning-based approach. Our advanced mathematical approach ensures that attacks like NemeS1S fail continuously (see Figures 21 and 22). You can learn more about how CylancePROTECT blocks the execution of binaries generated by the NemeS1S service here.

No More Ransom

Cylance is a proud partner in the No More Ransom project. For additional resources pertaining to the prevention of (and recovery from) ransomware threats, please visit: https://www.nomoreransom.org/.


Figure 21: CylancePROTECT Client Notifications

Figure 22: CylancePROTECT Console

Believe the Math!!!

Indicators of Compromise (IOCs):

Domains/URLs

http://padcrympj5rvgwed(dot)onion
http://nemesiqoaxtca4ve(dot)onion
http://padcrympj5rvgwed(dot)onion.to
http://padcrympj5rvgwed(dot)onion.link
http://padcrympj5rvgwed(dot)tor2web.org
http://padcrympj5rvgwed(dot)onion.cab


About Jim Walter

Senior Security Researcher at Cylance

Jim Walter is a Senior Security Researcher at Cylance.