FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
ralvarez
Staff
Article Id 204226

Introduction

 

Spook ransomware is the Prometheus ransomware variant currently employed by the Spook ransomware group. The group began operating in late September 2021 and has performed a number of large-scale compromises across the globe. Like a number of other ransomware groups, Spook performs ‘double-extortion’: as well as encrypting the victim’s files, it offers stolen data for sale if the victim does not pay the ransom.

 

Most ransomware variants stealthily encrypt the files of the infected system to avoid early detection. In these cases, the victim only notices the infection when a user finds a ransom note or tries to open a file that is inaccessible because it has been encrypted. Spook ransomware is a bit different. It displays a console window while it is encrypting a victim’s files and warns the user not to close it.

 

Spook ransomware renames the infected file by adding a randomized string, "PUUEQS8AEJ", to the filename. During encryption, the ransomware drops two versions of the ransom note (hta and txt), where the only difference is that the hta version has a graphical icon and the string “Spook” in a larger font.

 

Furthermore, to make the encryption process run smoothly, the ransomware forcibly terminates processes that may inhibit its operation. It also disables some services that may have an open handle to some data files.

 

In this article, we will take a deeper look into the ransomware’s behaviour and see how FortiEDR protects endpoints from Spook ransomware.

 

Initial Execution

 

Spook ransomware is a .NET executable. For the analysis below, numerous Spook samples were dynamically analysed in a lab environment by executing directly through the Windows GUI in the user context.

 

When executed, the Spook ransomware creates a console window with the title “This console window will close by itself. DON’T CLOSE IT MANUALLY OR THE WHOLE PROCESS WILL TERMINATE”. As the ransomware sample executes, the console displays the names of the files being encrypted, along with the time elapsed during the encryption process.

 

Figure 1. Sample of the Spook console window that is displayed during encryption.

 

Depending on the version, Spook ransomware appends the randomized string “PUUEQS8AEJ” or “NMU7PHR3V5” to the filename of the encrypted file. An example of a new filename is “RecordedTV.library-ms.PUUEQS8AEJ” or “RecordedTV.library-ms.NMU7PHR3V5”, while a sample of the content of an encrypted file is shown below:

Figure 2. Content of the encrypted “RecordedTV.library-ms.PUUEQS8AEJ” file

 

Registry Modification

 

The ransomware modifies two registry keys, "legalnoticecaption" and "legalnoticetext". The text set in these keys is displayed as a notification after a compromised system is rebooted, telling the user that the system is infected by the Spook ransomware.

 

The registry key “legalnoticecaption” (full path "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption") is set to "YOUR COMPANY WAS HACKED AND COMPROMISED!!!". The registry key “legalnoticetext” (full path "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext") is set to "All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on the internet can help you. We are the only ones able to decrypt your files. We have DOWNLOADED of your PRIVATE SENSITIVE Data".

 

The “legalnoticecaption” and “legalnoticetext” are used to display a message during Windows startup. Figure 4 shows the notification with the title defined under the ‘legalnoticecaption’ key that is displayed after the infection of the whole system is done, while Figure 5 shows the screen displayed when the user restarts an infected machine, prior to logon.

 


Figure 3. The registry values for “legalnoticecaption” and “legalnoticetext” registry keys were modified by Spook sample to display a ransom note on boot.

 


Figure 4. The notification is displayed once the infection of the whole system is done.

 


Figure 5. Message displayed when an infected system is restarted.

 

Deleting Shadow Copies

 

As well as encrypting files on the compromised host, Spook ransomware tries to delete volume shadow copies. The deletion is performed by executing the following PowerShell command: “Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }”. Ransomware like Spook is often designed to delete volume shadow copies to prevent them from being used to restore encrypted files.

 

This PowerShell script execution triggers 2 events in FortiEDR as shown in the following sections:

 

Service Access

 

A service access event is triggered in FortiEDR when the Spook ransomware uses the PowerShell command “Get-WmiObject” to access the WMI Service.

 


 

Figure 6. WMI Service Access rule is triggered when a PowerShell command “Get-WmiObject” is used, in this case to retrieve win32_ShadowCopy objects.

 

File Delete Attempt

 

The File Delete Attempt event is triggered in FortiEDR when Spook ransomware deletes a temporary file. In this case, the temporary file is "__PSScriptPolicyTest_hc1qmay3.tm2.ps1", which is generated when PowerShell is used to try to delete the volume shadow copies.

 


Figure 7. File delete attempt event triggered in FortiEDR

 

Ransom Note

 

Spook ransomware drops two versions of the ransom note, one as an hta file and the other as a txt file, as shown below in Figures 8 and 9. The contents of both ransom note files are similar except that the hta file contains the Spook ransomware logo.

 


Figure 8. hta version of the ransom note, note inclusion of the recognizable Spook logo

 


Figure 9. txt version of the ransom note

 

File Creation Event

 

FortiEDR detects the creation of the txt version of the ransom note, RESTORE_FILES_INFO.txt, as shown below. Due to the suspicious nature of the ‘spook.exe’ executable, almost all actions taken by the associated process will be flagged as malicious. This can be seen in Figure 8 below, where FortiEDR has flagged spook.exe as an ‘Unconfirmed Executable’ and ‘Malicious File Detected’. The ‘Unconfirmed Executable’ flag indicates that FortiEDR has not been able to confirm the file as legitimate and the file contains data in files not enforced by the operating system. The ‘Malicious File Detected’ flag indicates this file has malicious indicators. In combination, this indicates that the machine learning components of FortiEDR have identified anomalies in the executable or process behaviour and/or backend sandboxing of the executable identified malicious indicators.

 


Figure 10. Creation of the txt version of the ransom note as detected by FortiEDR

 

File Read Attempt

 

When the malware displays the hta version of the ransom note, it triggers a File Read Attempt event in FortiEDR as shown in the figure below:

 


Figure 11. File Read Attempt event when displaying the hta version of the ransom note.

 

Terminating Processes

 

Most malware prefers to terminate processes within specific categories such as security applications, anti-malware software, malware analysis tools, or system monitoring applications. Spook ransomware, by contrast, has a list of processes to terminate that seems random in nature. It tries to terminate processes related to database applications (mysqld.exe, sqlservr.exe, sqlbrowser.exe, and sqlagent.exe), MS Office applications (excel.exe, powerpnt.exe, and winword.exe), browser applications (firefoxconfig.exe and tbirdconfig.exe), and other applications. The complete list of applications is shown below.

 

The most likely reason that Spook ransomware tries to terminate these processes is to be able to encrypt the data files controlled by those applications. It is also noticeable that Spook ransomware never checks whether any of these processes are running. It just executes the command “taskkill.exe /IM <application> /F”, where <application> is any application from the list, the parameter “/IM” specifies the image name of the process to be terminated, and “/F” forces the termination.

 

Figure 12. List of processes terminated by Spook ransomware prior to encryption

 


Figure 13. List of processes for termination (in debugger) as shown in the analysed Spook sample.

 

Using the Threat Hunting feature in FortiEDR, we can search for events that show the ransomware’s attempt at terminating these processes by issuing the query below.

Type: ("Process Creation") AND Target.Process.Name: ("taskkill.exe") AND Target.Process.CommandLine: ("\/IM" , "\/F") AND Source.Process.File.Type: (".NET Executable") AND Source.Process.File.Reputation: ("ReputationMalware")

 


Figure 14. Threat Hunting events show the Spook sample attempting to kill a number of processes prior to encryption.

 

Disabling Services

 

Spook ransomware also disables some services that may prevent encryption of some related data files. Most of the disabled services are related to SQL databases (SQLWriter, SstpSvc, SQLTELEMETRY$ECWDB2, and SQLTELEMETRY). It also disables SstpSvc (Secure Socket Tunneling Protocol Service), which provides support for SSTP to connect to remote computers using VPN.

 

Using the Threat Hunting query below, we can identify the disabling of the mentioned services:

Behavior: ("Persistence") AND Type: ("Process Creation") AND Target.Process.Name: ("sc.exe") AND Target.Process.CommandLine: ("config","start\= disabled") AND Source.Process.File.Type: (".NET Executable")

 


Figure 15. Threat Hunting events showing the services disabled by Spook ransomware
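
The taskkill.exe and sc.exe hunts above filter on the file type or reputation of the source process. As an added example (not part of the original article and not FortiEDR code), the Python below correlates the same behaviours, plus the shadow copy deletion command, per parent process in generic process-creation events. The event field names, the sample events, the file paths and the "sc.exe config <service> start= disabled" command form are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed process-creation events; field names are assumptions, not a FortiEDR schema.
SPOOK = r"C:\Users\lab\Desktop\spook.exe"
SAMPLE_EVENTS = [
    {"ppid": 4120, "parent": SPOOK, "cmd": "taskkill.exe /IM mysqld.exe /F"},
    {"ppid": 4120, "parent": SPOOK, "cmd": "taskkill.exe /IM sqlservr.exe /F"},
    {"ppid": 4120, "parent": SPOOK, "cmd": "taskkill.exe /IM excel.exe /F"},
    {"ppid": 4120, "parent": SPOOK, "cmd": "taskkill.exe /IM winword.exe /F"},
    {"ppid": 4120, "parent": SPOOK, "cmd": "sc.exe config SQLWriter start= disabled"},
    {"ppid": 4120, "parent": SPOOK, "cmd": "sc.exe config SstpSvc start= disabled"},
    {"ppid": 4120, "parent": SPOOK,
     "cmd": "powershell.exe & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }"},
    # Benign look-alikes: one forced kill from a shell, one service disabled by an admin tool.
    {"ppid": 900, "parent": r"C:\Windows\System32\cmd.exe", "cmd": "taskkill /F /IM notepad.exe"},
    {"ppid": 700, "parent": r"C:\Tools\tune.exe", "cmd": "sc.exe config wuauserv start= disabled"},
]

TASKKILL = re.compile(r'(?i)\btaskkill(?:\.exe)?"?\s.*?/im\s+"?([^\s"]+)')
FORCE = re.compile(r"(?i)(?:^|\s)/f(?:\s|$)")
SC_DISABLE = re.compile(r'(?i)\bsc(?:\.exe)?"?\s+config\s+"?([^\s"]+)"?\s+start=\s*disabled')
SHADOW_DELETE = re.compile(r"(?i)win32_shadowcopy.*delete")

def correlate(events, min_kills=3):
    """Return parents that show at least two of the three pre-encryption behaviours."""
    seen = defaultdict(lambda: {"parent": "", "killed": set(), "disabled": set(), "shadow": False})
    for ev in events:
        rec, cmd = seen[ev["ppid"]], ev["cmd"]
        rec["parent"] = ev["parent"]
        kill = TASKKILL.search(cmd)
        if kill and FORCE.search(cmd):
            rec["killed"].add(kill.group(1).lower())   # image name given to /IM
        svc = SC_DISABLE.search(cmd)
        if svc:
            rec["disabled"].add(svc.group(1))          # service set to start= disabled
        rec["shadow"] = rec["shadow"] or bool(SHADOW_DELETE.search(cmd))
    findings = {}
    for ppid, rec in seen.items():
        signals = [len(rec["killed"]) >= min_kills, bool(rec["disabled"]), rec["shadow"]]
        if sum(signals) >= 2:
            findings[ppid] = {"parent": rec["parent"], "killed": sorted(rec["killed"]),
                              "disabled": sorted(rec["disabled"]), "shadow_delete": rec["shadow"]}
    return findings

if __name__ == "__main__":
    for ppid, hit in correlate(SAMPLE_EVENTS).items():
        print(ppid, hit)
```

Requiring two of the three signals keeps a single forced taskkill or a single disabled service from alerting on its own.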

 

Threat Hunting

 

To search for the modified “legalnoticecaption” and “legalnoticetext” registry keys:

Type: ("Value Set") AND Registry.Name: ("legalnoticecaption") AND Registry.Data: ("YOUR COMPANY WAS HACKED AND COMPROMISED\!\!\!") AND Registry.Path: ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
Type: ("Value Set") AND Registry.Name: ("legalnoticetext") AND Registry.Data: ("All your important files have been encrypted\! Your files are safe\! Only modified.\(AES\) No software available on internet can help you. We are the only ones able to decrypt your files. We has DOWNLOADED of your PRIVATE SENSITIVE Data\!\!\!") AND Registry.Path: ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")

 

To search for encrypted files based on added file extensions:

Type: ("File Create") AND Target.File.Ext: ("PUUEQS8AEJ" OR "NMU7PHR3V5")  AND Source.Process.File.Type: (".NET Executable") AND Source.Process.File.Reputation: ("ReputationMalware")

 

To search for the hta version of the ransom note:

Type: ("File Create") AND Target.File.Name: ("RESTORE_FILES_INFO.hta") AND Source.Process.File.Type: (".NET Executable") AND Source.Process.File.Reputation: ("ReputationMalware")

 

To search for the txt version of the ransom note:

Type: ("File Create") AND Target.File.Name: ("RESTORE_FILES_INFO.txt")  AND Source.Process.File.Type: (".NET Executable") AND Source.Process.File.Reputation: ("ReputationMalware")

 

To search for hta version of ransom note opened by mshta:

Type: ("File Read") AND Source.Process.Name: ("mshta.exe") AND Target.File.Name: ("RESTORE_FILES_INFO.hta")

 

To search for PowerShell execution that tries to delete shadow copies:

Behavior: ("Log deletion") AND Type: ("File Delete") AND Source.Process.Name: ("powershell.exe") AND Target.File.Name: ("*.tm2.ps1") AND Source.Process.CommandLine: ("& Get\-WmiObject Win32_Shadowcopy | ForEach\-Object \{ $_Delete\(\); \}") 

 

To search for the PowerShell process invoked to execute the malicious script:

Behavior: ("Scripting") AND Type: ("Process Creation") AND Target.Process.Name: ("powershell.exe") AND Target.Process.CommandLine: ("& Get\-WmiObject Win32_Shadowcopy | ForEach\-Object \{ $_Delete\(\); \}") 

 

To search for the list of processes that the ransomware tries to terminate:

Type: ("Process Creation") AND Target.Process.Name: ("taskkill.exe") AND Target.Process.CommandLine: ("\/IM" , "\/F") AND Source.Process.File.Type: (".NET Executable")

 

To search for services disabled by Spook ransomware:

Behavior: ("Persistence") AND Type: ("Process Creation") AND Target.Process.Name: ("sc.exe") AND Target.Process.CommandLine: ("config","start\= disabled") AND Source.Process.File.Type: (".NET Executable")
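
The file-extension and ransom-note hunts above rely on EDR telemetry. For file shares or hosts without an agent, the Python below (an added example, not from the original article or FortiEDR) sweeps a directory tree for the two appended strings and the RESTORE_FILES_INFO notes and recovers each original filename for restore scoping. The function names and the demo tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

SPOOK_SUFFIXES = {".puueqs8aej", ".nmu7phr3v5"}   # appended strings named in the article
NOTE_NAMES = {"restore_files_info.hta", "restore_files_info.txt"}

def sweep(root):
    """Walk root; return per-directory encrypted files (with original names) and notes."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        entry = {"encrypted": [], "notes": []}
        for name in sorted(files):
            original, suffix = os.path.splitext(name)
            if original and suffix.lower() in SPOOK_SUFFIXES:
                entry["encrypted"].append((name, original))
            elif name.lower() in NOTE_NAMES:
                entry["notes"].append(name)
        if entry["encrypted"] or entry["notes"]:
            report[os.path.relpath(dirpath, root)] = entry
    return report

def variant_counts(report):
    """Count encrypted files per appended string to see which build touched the tree."""
    return Counter(os.path.splitext(found)[1][1:].upper()
                   for entry in report.values() for found, _ in entry["encrypted"])

def build_demo_tree(root):
    """Create a constructed sample tree (empty files) for the demo."""
    layout = {
        ".": ["RecordedTV.library-ms.PUUEQS8AEJ", "RESTORE_FILES_INFO.txt", "readme.txt"],
        "finance": ["budget.xlsx.NMU7PHR3V5", "q3.docx.nmu7phr3v5", "RESTORE_FILES_INFO.hta"],
        "clean": ["untouched.pdf"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            open(os.path.join(root, sub, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for directory, entry in sorted(sweep(tmp).items()):
            print(directory, entry)
        print(variant_counts(sweep(tmp)))
```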

 

MITRE ATT&CK

 

TA0005 - Defense Evasion

 

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1112 | Modify Registry | Spook ransomware modifies registry values under the “legalnoticetext” and “legalnoticecaption” registry keys to display ransom notes after reboot |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Spook ransomware uses taskkill.exe to terminate processes on affected endpoints prior to starting the encryption process. |

 

T1059 - Execution

 

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Spook ransomware uses PowerShell commands to delete the volume shadow copies. |
| T1047 | Windows Management Instrumentation | Spook ransomware uses the PowerShell command “Get-WmiObject” to access the WMI service to identify and then delete volume shadow copies |

 

TA0040 - Impact

 

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1486 | Data Encrypted for Impact | Spook ransomware encrypts files in the infected system. |
| T1490 | Inhibit System Recovery | Spook ransomware tries to delete the shadow copies by executing the PowerShell script “Get-WmiObject Win32_Shadowcopy \| ForEach-Object { $_Delete(); }” |
| T1489 | Service Stop | Spook ransomware disables services to allow the encryption process to more effectively encrypt key files on affected endpoints. |

 

IOCs

 

| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes |
| --- | --- | --- | --- | --- |
| Spook binary | a63a5de26582af1438c9886cfb15c4baa08cce2e | SHA1 Hash | Impact | Spook ransomware; vhash:215036651511f01e4c21001016 tlsh:T15C1480B41A96816DF3AB47B4903E40CDB620F0E61A75DACE18CC4CDF4A81BF7BA550D6 |
| Spook binary | bfd0ab7eec4b282cc5689a48e8f438d042c9d98f | SHA1 Hash | Impact | Spook ransomware; vhash:215036651511f01e4c21001016 tlsh:T15C1480B41A96816DF3AB47B4903E40CDB620F0E61A75DACE18CC4CDF4A81BF7BA550D6 |
| Spook binary | e2b098d36e51d2b7405fadbd578cf9774433f85a | SHA1 Hash | Impact | Spook ransomware |
| Spook binary | 7f58174891abc9b764d5cdd010078f107c1febb5 | SHA1 Hash | Impact | Spook ransomware |

 
