Ransomware is probably the most popular form of cyber-extortion. It has been around for many years, but lately there has been a significant increase in the number of variations of ransomware. Due to its notoriety and potential for a high payout, ransomware is quickly evolving and cybercriminals are developing new ways to distribute malware to make money.
In years past, expert malware authors would package up their know-how into costly exploit kits and sell them on the underground market. Cybercriminals would pay a hefty upfront cost before ever infecting a victim’s machine and realizing a profit.
Ransomware is changing how malware authors and cybercriminals cash in on their efforts. Cryptocurrency has enabled ransomware authors to charge nothing up front and only take a cut of successful ransoms. As you can imagine, this will greatly increase the distribution of ransomware. We look at a recently discovered ransomware-as-a-service (RaaS) known as Satan to show how easy it is for aspiring cybercriminals to access a complex ransomware.
Before going into the details of the RaaS site, let’s take a closer look at the Satan ransomware.
The actual binary is encrypted and contains a lot of anti-debugging and anti-analysis techniques to make dynamic and static analysis difficult. Most likely, malware authors already have a readily available library for these techniques that they include in their malware, since they have been seen in other malwares before.
The following anti-debugging techniques are found in the code:
The following code snippets show some of the anti-debug techniques mentioned above:
Figure 1: Anti-Debugging Techniques
Besides its anti-debugging techniques, Satan also employs the following tricks to avoid easy analysis:
The figure below shows how the malware checks for the above-mentioned processes:
Figure 2: Enumeration of Running Processes
Figure 3 shows the decrypted strings in memory used by the various checks already mentioned. They are not easily viewable in the binary file since they are stored encrypted.
Figure 3: Decrypted Strings in Memory
The following checks to see if the malware is running in a Sandbox environment:
Once the malware has verified that it is not being debugged, analyzed or running in a sandbox, it continues by first creating a suspended process using its own file name. This suspended process will be used later.
Figure 4: Suspended Process
It then proceeds to load into memory another executable binary file. This binary file is stored packed or encrypted in the main executable file and after a doing a series of its decryption routine, the decrypted binary file gets loaded into a specific memory location.
This new binary file is the actual file that contains its ransomware capabilities. At this point, this binary will not be saved into a physical file but instead, it will be written into the previously created suspended process. This technique is known as “Process Hollowing” and again another type of anti-analysis that this malware uses.
The malware reads the new executable using the ZwReadVirualMemory() function, and then calls the ZwWriteVirtualMemory() function to write it to the suspended process. Once the contents of the executable has been successfully written to the suspended process, the malware will call the NtResumeThread() function to resume the suspended process. Once resumed, this process which now contains the generated binary file will continue to execute.
Figure 5: Process Hollowing – a Technique to Execute an Executable Image in Another Process’s Space
The malware then drops a copy of itself under the %appdata% folder and creates an autostart registry entry to allow itself to run every time Windows starts. The malware creates a randomly generated named folder and inside that folder is a copy of itself also with a randomly generated filename.
Satan tries to connect to its Command and Control server to report back a successful infection:
At this point, the malware will now start searching for and encrypting files with specific extensions. It does this by enumerating all local and mapped drives and then recursively scans folders and sub-folders for files with the following extensions:
Figure 6: Targeted File Extensions
Satan will skip scanning files located in system folders such as C:\Windows, C:\Program Files, and C:\Program Files (x86). This ensures that Windows will still function properly after a reboot.
Once it finds a file, it will encrypt it using RSA-2048 and AES-256 encryption. The filenames of all the files that have been encrypted are changed into a randomly generated name with the “.stn” appended as its extension.
Example: “my_document.docx” will be changed to "erwirydj.stn"
Figure 7: Screenshot of Affected Files
When it has successfully encrypted a file or files in a folder, it will also drop an HTML file named “HELP_DECRYPT_FILES.html” in the said folder. The HTML shows the ransom notes and information on how to pay.
Figure 8: The Dropped HTML Files Showing the Ransom Note
Once any of the links provided in the ransom note page has been visited, the victim will be taken to a page with instructions on how to register a bitcoin wallet, purchase bitcoins and how to pay the ransom using bitcoin (BTC).
Figure 9: Pay Ransom Page
Of course, there is no guarantee that the victim can get the files back, even if the victim pays the ransom.
The author of the Satan ransomware has set up a website that allows users to generate their own variants of Satan that they can distribute via their own methods. These soon-to-be cybercriminals will be able to specify the amount of Bitcoin they want to get paid as ransom. They can create as many variants as they want and they can easily monitor the status of infection and ransom paid by their victims through the website. In return, the developer will take a 30% cut from the ransom paid to the users.
Figure 10: Introduction Page
Once registered and logged-in, a user will be taken to the main page and can now start creating their own malware. The user just needs to fill out a form with the necessary details. This page also shows reports of infections and ransom status.
Figure 11: Malware Creation
Once the malware has been created, it will be available in the download area at the bottom of the page. From there the user can now download the malware for distribution.
Figure 12: Download Area
It is now up to the users on how they want to distribute their ransomware and in fact, the page also provides a tool to create a dropper in the form of either a .CHM or a Word Document with a Macro. Users first needs to encrypt the binary executable file with their own key using either the provided Powershell or Python scripts. The scripts provided are just for simple XOR encryption. The encrypted file then needs to be uploaded to the web server where the user would want to host it, and the link to this file will be used in the dropper. Using the page shown below, the user must provide the URL link to the file and the encryption key used.
Figure 13: Dropper Creation Page
Once the “Generate” button is clicked, the user will be provided with the generated scripts for the droppers both for the CHM and Word Document Macro as shown below. Also provided are instructions on how to use the scripts. Like for example in the Macro script, it instructs the user to create a new Word Document with a new Macro named “Autoopen” and copy/paste the macro code in it before saving. Now this Word Document is ready for distribution. These generated scripts for the droppers are just simple ones. Any advanced users should be able to modify it by obfuscating it to evade traditional AV scanners.
Figure 14: Generated Scripts for the Dropper
With the rise of the RaaS model, we expect new ransomware variants to begin following this model to incentivize distribution and lower the barrier to entry. Sophisticated crime organizations with broad distribution networks traditionally used to cash in on pay-per-install schemes or carding theft can now easily jump into the ransomware market. And script kiddies with limited technical capabilities can easily begin spreading malware for profit.
As we showed, the Satan ransomware is a moderately sophisticated ransomware with a significant amount of anti-debugging and anti-analysis capabilities. As with all malware, prevention is your best defense. Ensure your computer has the latest security patches, avoid following links to sketchy sites and do not open documents or executables from untrusted sources. Finally, with ransomware it is paramount that you maintain a solid backup system to preserve irreplaceable files.
If you use our endpoint protection product, CylancePROTECT®, you were already protected from this attack. If you don't have CylancePROTECT, contact us to learn how our AI based solution can predict and prevent unknown and emerging threats.