FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
ralvarez
Staff
Staff

Introduction

 

Spook ransomware is the Prometheus ransomware variant currently employed by the Spook ransomware group. The group began operating in late Sep 2021 and has performed a number of large scale compromises across the globe. Like a number of other ransomware groups, Spook performs ‘double-extortion’ by offering stolen data for sale if the victim does not pay the ransomware as well as encrypting the victim’s files.

 

Most ransomware variants stealthily encrypt the files of the infected system to avoid early detection. In these cases, the victim will only notice they are already infected when a user identifies a ransom note or when they attempt to access one file, and it is inaccessible due to encryption. Spook ransomware is a bit different. It displays a console window while it is encrypting a victim’s files and warns the user not to close it.

 

Spook ransomware renames the infected file by adding a randomized string, "PUUEQS8AEJ", to the filename. During encryption, the ransomware drops two versions of the ransom note (hta and txt), where the only difference is that the hta version has a graphical icon and a string “Spook” with a bigger font.

 

Furthermore, to make the encryption process run smoothly, the ransomware forced terminates processes that may inhibit its operation. It also disables some services that may have an open handle to some data files.

 

In this article, we will take a deeper look into the ransomware’s behaviour and see how FortiEDR protects endpoints from Spook ransomware.

 

Initial Execution

 

Spook ransomware is a .NET executable. For the analysis below, numerous Spook samples were dynamically analysed in a lab environment by executing directly through the Windows GUI in the user context.

 

When executed the Spook ransomware creates a console window with the title, “This console window will close by itself. DON’T CLOSE IT MANUALLY OR THE WHOLE PROCESS WILL TERMINATE”. As the ransomware sample executes, the console displays the name of the files being encrypted, including the time elapsed during the encryption process.

 

figure01.png

Figure 1. Sample of the Spook console windows that is displayed during encryption.

 

Depending on the version, Spook ransomware appends the randomized string “PUUEQS8AEJ” or “NMU7PHR3V5” to the filename of the encrypted file. An example of a new filename is “RecordedTV.library-ms.PUUEQS8AEJ” or “RecordedTV.library-ms. NMU7PHR3V5”, while a sample of the content of an encrypted file is shown below:

ralvarez_spook_fig02.png

Figure 2. content of encrypted “RecordedTV.library-ms.PUUEQS8AEJ” file

 

Registry Modification

 

The ransomware modifies two registry keys, "legalnoticecaption" and "legalnoticetext". These registry keys result in the text displaying as notifications that appear after rebooting a compromised system notifying the user that the system is infected by the Spook ransomware.

 

The registry key “legalnoticecaption” (full path "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption”) is set to "YOUR COMPANY WAS HACKED AND COMPROMISED\!\!\!". The registry key “legalnoticetext” (full path "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext") is set to "All your important files have been encrypted\! Your files are safe\! Only modified.\(AES\) No software available on the internet can help you. We are the only ones able to decrypt your files. We have DOWNLOADED of your PRIVATE SENSITIVE Data”.

 

The “legalnoticecaption” and “legalnoticetext” are used to display a message during Windows startup. Figure 4 shows the notification with the title defined under the ‘legalnoticecaption’ key that is displayed after the infection of the whole system is done, while Figure 5 shows the screen displayed when the user restarts an infected machine, prior to logon.

 

ralvarez_spook_fig03.png

Figure 3. The registry values for “legalnoticecaption” and “legalnoticetext” registry keys were modified by Spook sample to display a ransom note on boot.

 

ralvarez_spook_fig04.png

Figure 4. The notification is displayed once the infection of the whole system is done.

 

ralvarez_spook_fig05.png

Figure 5. Message displayed when an infected system is restarted.

 

Deleting Shadow Copies

 

As well as encrypting files on the compromised host, Spook ransomware also tries to delete volume shadow copies. The deletion is performed by executing the following PowerShell commands “Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }”. Ransomware like Spook is often designed to delete volume shadow copies to prevent them from being used to restore encrypted files.

 

This PowerShell script execution triggers 2 events in FortiEDR as shown in the following sections:

 

Service Access

 

A service access event is triggered in FortiEDR when the spook ransomware uses a PowerShell command “Get-WmiObject” to access the WMI Service.

 

ralvarez_spook_fig06a.png

ralvarez_spook_fig06b.png

 

Figure 6. WMI Service Access rule is triggered when a PowerShell command “Get-WmiObject” is used, in this case to retrieve win32_ShadowCopy objects.

 

File Delete Attempt

 

The File Delete Attempt event is triggered in FortiEDR when spook ransomware deletes a temporary file, in this case, the temporary file is "__PSScriptPolicyTest_hc1qmay3.tm2.ps1", which is generated when PowerShell as used to try to delete the volume shadow copies.

 

ralvarez_spook_fig07a.png ralvarez_spook_fig07b.png

Figure 7. File delete attempt event triggered in FortiEDR

 

Ransom Note

 

Spook ransomware drops two versions of the ransom note. One as an hta file and the other as a txt file, as shown below in Figures 8 and 9. The contents of both ransom note files are similar except that the hta file contains the Spook ransomware logo.

 

ralvarez_spook_fig08.png

Figure 8. hta version of the ransom note, note inclusion of the recognizable Spook logo

 

ralvarez_spook_fig09.png

Figure 9. txt version of the ransom note

 

File Creation Event

 

FortiEDR detects the creation of the txt version of the ransom note, RESTORE_FILES_INFO.txt, as shown below. Due to the suspicious nature of the ‘spook.exe’ executable. Almost all actions taken by the associated process will be flagged as malicious. This can be seen in Figure 8 below where we can see FortiEDR has flagged spook.exe as an ‘Unconfirmed Executable’ and ‘Malicious File Detected’. The ‘Unconfirmed Executable’ flag indicates that FortiEDR has not been able to confirm the file as legitimate and the file contains data in files not enforced by the operating system. The ‘Malicious File Detected’ flag indicates this file has malicious indicators. In combination, this indicates that the machine learning components of FortiEDR have identified anomalies in the executable or process behaviour and/or backend sandboxing of the executable identified malicious indicators.

 

ralvarez_spook_fig10.png

 ralvarez_spook_fig10b.png

Figure 10. Creation of the txt version of the ransom note as detected by FortiEDR

 

File Read Attempt

 

When the malware displays the hta version of the ransom note, it triggers a File Read Attempt event in FortiEDR as shown in the figure below:

 

Content…

 

ralvarez_spook_fig11a.png ralvarez_spook_fig11b.png

Figure 11. File Read Attempt event when displaying the hta version of the ransom note.

 

Terminating Processes

 

Most malware prefers to terminate processes within specific categories such as security applications, anti-malware software, malware analysis tools, or system monitoring applications. For spook ransomware, it has a list of processes that it attempts to terminate that seems random in nature. It tries to terminate processes related to database applications (mysqld.exe, sqlservr.exe, sqlbrowser.exe, and sqlagent.exe), MS office applications (excel.exe, powerpnt.exe, and winword.exe), browser applications (firefoxconfig.exe and tbirdconfig.exe), and other applications. A complete list of applications is listed below.

 

The most likely reason that Spook ransomware tries to terminate these processes is to be able to encrypt the data files controlled by the said applications. It is also noticeable that Spook ransomware never checks if any of the said processes are running. It just executes the command “taskkill.exe /IM <application> /F” where is any <application> from the list, and the parameter “/IM” is to specify the image name of the process to be terminated, and “/F” to force the termination.

 

ralvarez_spook_fig12.png

Figure 12. List of processes terminated but spook ransomware prior to encryption

 

ralvarez_spook_fig13.png

Figure 13. List of processes for termination (in debugger) as shown in the analysed Spook sample.

 

Using the Threat Hunting feature in FortiEDR, we can search for events that show the ransomware’s attempt at terminating these processes by issuing the query below.

Type: ("Process Creation") AND Target.Process.Name: ("taskkill.exe") AND Target.Process.CommandLine: ("\/IM" , "\/F") AND Source.Process.File.Type: (".NET Executable") AND Source.Process.File.Reputation: ("ReputationMalware")

 

ralvarez_spook_fig14.png

Figure 14. Threat Hunting events show the Spook sample attempting to kill a number of processes prior to encryption.

 

Disabling Services

 

Spook ransomware also disables some services that may prevent encryption of some related data files. Most of the disabled services are related to SQL database ( SQLWriter, SstpSvc, SQLTELEMETRY$ECWDB2, and SQLTELEMETRY). It also disables SstpSvc (Secure Socket Tunneling Protocol Service) that provides support to SSTP to connect to remote computers using VPN.

 

Using the Threat Hunting query below, we can identify the disabling of the mentioned services:

Behavior: ("Persistence") AND Type: ("Process Creation") AND Target.Process.Name: ("sc.exe") AND Target.Process.CommandLine: ("config","start\= disabled") AND Source.Process.File.Type: (".NET Executable")

 

ralvarez_spook_fig15.png

Figure 15. Threat Hunting events showing the services disabled by Spook ransomware

 

Threat Hunting

 

To search for the modified “legalnoticecaption” and “legalnoticetext” registry keys:

Type: ("Value Set") AND Registry.Name: ("legalnoticecaption") AND Registry.Data: ("YOUR COMPANY WAS HACKED AND COMPROMISED\!\!\!") AND Registry.Path: ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
Type: ("Value Set") AND Registry.Name: ("legalnoticetext") AND Registry.Data: ("All your important files have been encrypted\! Your files are safe\! Only modified.\(AES\) No software available on internet can help you. We are the only ones able to decrypt your files. We has DOWNLOADED of your PRIVATE SENSITIVE Data\!\!\!") AND Registry.Path: ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")

 

To search for encrypted files based on added file extensions:

Type: ("File Create") AND Target.File.Ext: ("PUUEQS8AEJ" OR "NMU7PHR3V5")  AND Source.Process.File.Type: (".NET Executable") AND Source.Process.File.Reputation: ("ReputationMalware")

 

To search for the hta version of the ransom note:

Type: ("File Create") AND Target.File.Name: ("RESTORE_FILES_INFO.hta") AND Source.Process.File.Type: (".NET Executable") AND Source.Process.File.Reputation: ("ReputationMalware")

 

To search for the txt version of the ransom note:

Type: ("File Create") AND Target.File.Name: ("RESTORE_FILES_INFO.txt")  AND Source.Process.File.Type: (".NET Executable") AND Source.Process.File.Reputation: ("ReputationMalware")

 

To search for hta version of ransom note opened by mshta:

Type: ("File Read") AND Source.Process.Name: ("mshta.exe") AND Target.File.Name: ("RESTORE_FILES_INFO.hta")

 

To search for PowerShell execution that tries to delete shadow copies:

Behavior: ("Log deletion") AND Type: ("File Delete") AND Source.Process.Name: ("powershell.exe") AND Target.File.Name: ("*.tm2.ps1") AND Source.Process.CommandLine: ("& Get\-WmiObject Win32_Shadowcopy | ForEach\-Object \{ $_Delete\(\); \}") 

 

To search for invoking PowerShell process to execute a malicious script:

Behavior: ("Scripting") AND Type: ("Process Creation") AND Target.Process.Name: ("powershell.exe") AND Target.Process.CommandLine: ("& Get\-WmiObject Win32_Shadowcopy | ForEach\-Object \{ $_Delete\(\); \}") 

 

To search for the list of processes that the ransomware tries to terminate:

Type: ("Process Creation") AND Target.Process.Name: ("taskkill.exe") AND Target.Process.CommandLine: ("\/IM" , "\/F") AND Source.Process.File.Type: (".NET Executable")

 

To search for services disabled by Spook ransomware:

Behavior: ("Persistence") AND Type: ("Process Creation") AND Target.Process.Name: ("sc.exe") AND Target.Process.CommandLine: ("config","start\= disabled") AND Source.Process.File.Type: (".NET Executable")

 

MITRE ATT&CK

 

TA0005 - Defense Evasion

 

Technique ID

Technique Description

Observed Activity

T1112

Modify Registry

Spook ransomware modifies registry values under the “legalnoticetext” and “legalnoticecaption” registry keys to display ransom notes after reboot

 

Technique ID

Technique Description

Observed Activity

T1562.001

Impair Defenses: Disable or Modify Tools

Spook ransomware uses taskkill.exe to terminate processes on affected endpoints prior to starting the encryption process.

 

T1059 - Execution

 

Technique ID

Technique Description

Observed Activity

T1059.001

Command and Scripting Interpreter: PowerShell

Spook ransomware uses PowerShell commands to delete the volume shadow copies.

 

Technique ID

Technique Description

Observed Activity

T1047

Windows Management Instrumentation

Spook ransomware uses the PowerShell command “Get-WmiObject” to access the WMI service to identify and then delete volume shadow copies

 

TA0040 - Impact

 

Technique ID

Technique Description

Observed Activity

T1486

Data Encrypted for Impact

Spook ransomware encrypts files in the infected system.

 

Technique ID

Technique Description

Observed Activity

T1490

Inhibit System Recovery

Spook ransomware tries to delete the shadow copies by executing the PowerShell script “Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }”

 

Technique ID

Technique Description

Observed Activity

T1489

Service Stop

Spook ransomware disables services to allow the encryption process to more effectively encrypt key files on affected endpoints.

 

IOCs

 

Indicator Description

Indicator

Indicator Type

Associated Tactic

Notes

Spook binary

a63a5de26582af1438c9886cfb15c4baa08cce2e

SHA1 Hash

Impact

Spook ransomware

vhash:215036651511f01e4c21001016 tlsh:T15C1480B41A96816DF3AB47B4903E40CDB620F0E61A75DACE18CC4CDF4A81BF7BA550D6

Spook binary

bfd0ab7eec4b282cc5689a48e8f438d042c9d98f

SHA1 Hash

Impact

Spook ransomware

vhash:215036651511f01e4c21001016 tlsh:T15C1480B41A96816DF3AB47B4903E40CDB620F0E61A75DACE18CC4CDF4A81BF7BA550D6

Spook binary

e2b098d36e51d2b7405fadbd578cf9774433f85a

SHA1 Hash

Impact

Spook ransomware

Spook binary

7f58174891abc9b764d5cdd010078f107c1febb5

SHA1 Hash

Impact

Spook ransomware

 

Contributors