Download crypto locker

The threat actor begins the attack by compromising the company's network via the RDP service, using brute force to guess weak passwords or stolen credentials bought on the Dark Web. Next, the attacker performs second-stage reconnaissance. To elevate privileges, the attacker exploits the CVE-2017-0213 vulnerability in the Windows COM Aggregate Marshaler to run arbitrary code with elevated privileges. Having achieved privilege escalation, the attacker sometimes deploys a VirtualBox virtual machine (VM) with a Windows XP image to evade detection: an early use of a virtual machine image in this manner to run the ransomware encryption attack. The technique has since been adopted by the Maze family of ransomware operators.

The specially crafted VM image is loaded into the VirtualBox VM, mapping all local drives as read/writable into the virtual machine. This allows the ransomware process running inside the VM to encrypt all files. To the host, the encryption appears to be performed by a trusted VirtualBox process and is thus ignored by many security products.

Next, the Ragnar Locker operator deletes any extant shadow copies, disables any detected antivirus countermeasures, and uses a PowerShell script to move from one company network asset to another. Finally, before launching the Ragnar Locker ransomware, the attacker steals sensitive files and uploads them to one or more servers, to be published if the victim refuses to pay the ransom.

The ransomware code is protected with obfuscation techniques that include junk code as well as encryption. The sample code snippet below shows such junk arithmetic instructions, the results of which are not used:

After performing its most resource-intensive operations, Ragnar Locker allocates 7680 (0x1E00) bytes of free memory in the current process via VirtualAllocEx(). It then fills that memory with shellcode and runs it.

The shellcode's main goal is to allocate the ransomware executable in memory and call it. The first call of VirtualAlloc() allocates 9218 bytes of memory to store the encrypted payload. The second call of VirtualAlloc() allocates 48640 (0xBE00) bytes of memory to store the decrypted payload (a PE file). The hashes of the decrypted payload are as follows:

... .text section, the ransomware jumps to the original entry point (OEP) of the unpacked sample.

The payload PE file contains a section named “.keys” in which the crypto keys and obfuscated configuration strings are stored. The ransomware uses hardcoded obfuscated strings that are decrypted at runtime. The first decrypted value is a unique sample ID. Next, it references a list of services to be terminated by Ragnar Locker, including strings related to backup and antivirus solutions (such as ‘sophos’ and ‘veeam’) as well as remote monitoring and management (RMM) tools like ConnectWise and Kaseya that are typically used by managed service providers (MSPs).

The blacklist of processes includes text, database, and email processors. As a result, after terminating these processes, valuable target files such as documents, databases, and emails are released and available for encryption. The embedded master RSA-2048 public key uses the PEM format. The hardcoded ransom note includes the name of the target organization.

Ragnar Locker generates two key data arrays, of 40 bytes and 32 bytes, for use by the Salsa20 cipher. A custom-named GenKey function uses CryptGenRandom(), then manually initializes a SHA-512 hash with the corresponding constants and applies some permutation before encrypting with the randomly generated keys. These keys are encrypted with the master RSA-2048 public key and appended to the footer of each file. To import the RSA-2048 key, the ransomware decodes it from Base64, then calls CryptDecodeObjectEx() to decode the structure of the RSA-2048 key. After obtaining the value ‘1.2.840.113549.1.1.1’, which stands for the RSAES-PKCS1-v1_5 encryption scheme, Ragnar Locker imports the public key using CryptImportPublicKeyInfo().

With the keys for encryption in hand, the malware next deletes any extant shadow copies by running processes with the following commands:

A whitelist includes the following folders, files and extensions to skip during encryption:

Ragnar Locker uses the Salsa20 encryption algorithm with a custom matrix, which is filled with the generated keys placed in a rearranged order. The matrix used by Salsa20 is 64 bytes in size, of which 8 bytes define the stream position, so the ransomware removes 16 bytes from the second key to match the matrix size and leaves the stream position bytes as zero. Ragnar Locker then commences the encryption process in 64 simultaneous threads.
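The 64-byte Salsa20 state the analysis refers to, as an added example (not code from the original analysis or from Ragnar Locker): standard Salsa20/20 in pure Python, with the state built from 16 bytes of constants, 32 bytes of key, 8 bytes of nonce and 8 bytes of stream position, the layout that any 64-byte Salsa20 matrix must fill. The sample's rearranged key order is not reproduced; the standard layout and a known quarterround value are what the code demonstrates.

```python
"""Salsa20/20 keystream from the 64-byte state. Added illustration, not
code from the original analysis or from Ragnar Locker; the sample's custom
key arrangement is not modelled, only the standard state layout."""
import struct

SIGMA = b"expand 32-byte k"  # standard constants for a 32-byte key
MASK = 0xFFFFFFFF


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def quarterround(y0, y1, y2, y3):
    y1 ^= rotl32((y0 + y3) & MASK, 7)
    y2 ^= rotl32((y1 + y0) & MASK, 9)
    y3 ^= rotl32((y2 + y1) & MASK, 13)
    y0 ^= rotl32((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3


def build_state(key, nonce, counter):
    """16 little-endian words: constants, key, nonce, 8-byte stream position."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("Salsa20 needs a 32-byte key and an 8-byte nonce")
    s = struct.unpack("<4I", SIGMA)
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<2I", struct.pack("<Q", counter))  # position = block index
    return [s[0], k[0], k[1], k[2], k[3], s[1], n[0], n[1],
            c[0], c[1], s[2], k[4], k[5], k[6], k[7], s[3]]


COLUMNS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))
ROWS = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))


def salsa20_block(state):
    """10 double rounds over a copy of the state, then add the input words."""
    x = list(state)
    for _ in range(10):
        for a, b, c, d in COLUMNS + ROWS:
            x[a], x[b], x[c], x[d] = quarterround(x[a], x[b], x[c], x[d])
    return struct.pack("<16I", *((x[i] + state[i]) & MASK for i in range(16)))


def salsa20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt by XORing data with successive 64-byte keystream blocks."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = salsa20_block(build_state(key, nonce, counter + off // 64))
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], block))
    return bytes(out)
```

Because the stream position occupies words 8 and 9 of the state, a file encrypted from position zero with the same key and nonce always starts from the same keystream block, which is why a per-file key is needed for this construction to be safe.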
