FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
agat
Staff
Article Id 319544

Introduction

 

Psoglav is a cybercriminal ransomware/extortion group which emerged in April 2024 and was first advertised on the Russian cybercrime forum 'RAMP' in the same month. The group operates under the Ransomware-as-a-Service (RaaS) business model and offers its ransomware (Psoglav) to affiliates for use in their intrusions. The ransomware is developed in C# and is designed to target Windows operating systems; the group promotes its fast file encryption as one of its features. Once granted access to the program, affiliates receive the ransomware builds privately over Tox communication. The group does not currently have an affiliate panel or an onion site for listing victims. Because there is no onion site, there is no centralized information about past victims of Psoglav ransomware, and there has been limited reporting of intrusions related to this ransomware family. Although the initial advertisement on the 'RAMP' forum does not specify any conditions for targeting organizations with Psoglav, the group has told affiliates through online communication that targeting post-Soviet states is prohibited. Notably, the group also allows its affiliates to target organizations in the healthcare, pharmaceutical, and critical infrastructure sectors, as well as educational institutions, which many other ransomware groups prohibit. Figure 1 shows the advertisement by the threat actor on the dark web forum.

 
 


Figure 1. Psoglav ransomware advertisement on dark-web forum.

 

Per the advertisement on the forum, Psoglav is written in C# and is designed to work on all Windows platforms. It uses the AES-256 and RSA-2048 encryption algorithms and boasts ‘fast and reliable file encryption, ensuring that files can always be decrypted correctly’. Notable features include no need for an internet connection to process files, disabling common processes and services before encryption, deleting shadow copies, and self-deletion after the encryption process. None of these features is novel; they reflect ‘best practice’ amongst other RaaS offerings.

In their advertisements the group emphasizes an interest in ‘long-term cooperation’ with affiliates and claims to maintain a ‘strict no-deception policy’. Recently, within the RaaS ecosystem, a number of affiliates have had RaaS providers fail to pay out their portion of the proceeds and then disband, leaving the affiliates with nothing [1]. This has resulted in a lack of trust in many RaaS providers, hence the likely inclusion of these (unsubstantiated) claims aimed at building trust. The price demanded to decrypt a victim's files can be decided by the affiliate. Interested affiliates are required to provide brief information about themselves, their experience, distribution methods, and contact details.

This article will analyze the operation of Psoglav ransomware and demonstrate FortiEDR’s ability to detect and mitigate its execution activity. Whilst FortiEDR will likely detect an intrusion prior to the deployment of ransomware, coverage at all stages of an intrusion is important. Also included at the end of this article are MITRE ATT&CK mappings for activity exhibited by the analyzed sample and FortiEDR Threat Hunting queries that can be used to identify potential Psoglav activity.

 

Analysis

To demonstrate FortiEDR’s ability to detect and mitigate activity associated with the deployment of Psoglav ransomware we detonated a Psoglav sample and analyzed its behavior. It should be noted that FortiEDR was set to ‘Log Only’ mode to observe the complete malware behavior. In prevention mode behavior associated with these security events would be prevented by FortiEDR.

When the Psoglav ransomware sample was executed, it was detected as malicious by FortiEDR based upon machine learning. As a result of this classification, FortiEDR blocked the execution of the file. We can observe this event in Figure 2.

 


Figure 2. FortiEDR flagged ransomware sample as malicious based on Machine Learning.

 

When the ransomware sample is allowed to continue executing, it loads a DLL with the name ‘saveMySettingsOnExit  *  XmlWriter.WriteBase64.dll’. This file is embedded within the executable itself, and the ransomware loads the code directly from memory, changing its own in-memory code so that the file on disk and the image in memory no longer match. We were able to obtain a memory dump of this DLL using FortiEDR. Analysis of the dumped file showed it to be a .NET DLL with a further layer of obfuscation. This defense evasion method would be able to bypass signature-based checks, but it was detected by FortiEDR through its behavior-based detection capabilities.

This behavior generates an ‘In-memory Execution’ event triggered by the ‘Unconfirmed Executable’ rule from the FortiEDR ‘Exfiltration Prevention’ security policy. The resulting security event can be observed in Figure 3 below.

 


Figure 3. FortiEDR detects ransomware sample as Unconfirmed executable.

 

The Psoglav ransomware process then begins encryption preparation by executing multiple commands using the Windows utilities ‘powershell.exe’, ‘cmd.exe’ and ‘net.exe’ to stop services and weaken antivirus on the victim machine. These activities are likely performed to prevent services from holding locks on key files and databases, which would reduce the impact of the encryption, and to disable or reduce the effectiveness of defensive products (such as antivirus solutions) that could interfere with the encryption activity. Table 1 lists the commands executed by the process with a brief description of each.

 

Command | Description
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no | Configures boot options to ignore all failures and disable automatic recovery on failure.
cmd.exe /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete | Deletes all Volume Shadow Copy Service (VSS) shadows silently and deletes shadow copy data.
cmd.exe /C wbadmin delete catalog -quiet | Deletes the backup catalog silently.
net.exe stop ##WID /y | Stops the Windows Internal Database service.
net.exe stop AcronisAgent /y | Stops the Acronis Agent service.
net.exe stop AcrSch2Svc /y | Stops the Adobe Acrobat Update Service.
net.exe stop apache24 /y | Stops the Apache 2.4 web server service.
net.exe stop ARSM /y | Stops the ARSM service (backup/restore software).
net.exe stop avpsus /y | Stops the Avast Update Service.
net.exe stop backup /y | Stops the Windows Backup service.
net.exe stop BackupExecAgentAccelerator /y | Stops the Backup Exec Agent Accelerator service.
net.exe stop BackupExecAgentBrowser /y | Stops the Backup Exec Agent Browser service.
net.exe stop BackupExecDiveciMediaService /y | Stops the Backup Exec Device Media Service.
net.exe stop BackupExecJobEngine /y | Stops the Backup Exec Job Engine service.
net.exe stop BackupExecManagementService /y | Stops the Backup Exec Management Service.
net.exe stop BackupExecRPCService /y | Stops the Backup Exec RPC Service.
net.exe stop BackupExecVSSProvider /y | Stops the Backup Exec VSS Provider service.
net.exe stop bedbg /y | Stops the Backup Exec Debug Monitor.
net.exe stop BMR Boot Service /y | Stops the BMR (Bare Metal Restore) Boot Service.
net.exe stop CAARCUpdateSvc /y | Stops the CA ARCserve Update Service.
net.exe stop CASAD2DWebSvc /y | Stops the CA ARCserve D2D Web Service.
net.exe stop ccEvtMgr /y | Stops the Symantec Event Manager service.
net.exe stop ccSetMgr /y | Stops the Symantec Settings Manager service.
net.exe stop Culserver /y | Stops the Culserver service.
net.exe stop dbeng8 /y | Stops the Sybase SQL Anywhere - Network Server service.
net.exe stop dbsrv12 /y | Stops the Sybase SQL Anywhere - Personal Server service.
net.exe stop DefWatch /y | Stops the Symantec Definition Watcher service.
net.exe stop Exchange /y | Stops the Microsoft Exchange Server service.
net.exe stop FCS /y | Stops the Microsoft Forefront Client Security service.
net.exe stop FishbowlMySQL /y | Stops the Fishbowl Inventory MySQL service.
net.exe stop Intuit /y | Stops the Intuit Update Service.
net.exe stop Intuit.QuickBooks.FCS /y | Stops the Intuit QuickBooks FCS service.
net.exe stop McAfeeDLPAgentService /y | Stops the McAfee DLP (Data Loss Prevention) Agent Service.
net.exe stop memtas /y | Stops the Memtas service (backup/restore software).
net.exe stop mepocs /y | Stops the MEPOCS service (backup/restore software).
net.exe stop mfewc /y | Stops the McAfee Framework Service.
net.exe stop MSExchange /y | Stops the Microsoft Exchange Server service.
net.exe stop MSExchange$ /y | Stops a specific instance of the Microsoft Exchange Server service.
net.exe stop msftesql /y | Stops the Microsoft SQL Server Full-Text Search service.
net.exe stop msmdsrv /y | Stops the SQL Server Analysis Services.
net.exe stop MSSQL /y | Stops the SQL Server service.
net.exe stop MSSQL$ /y | Stops a specific instance of the SQL Server service.
net.exe stop MSSQL$KAV_CS_ADMIN_KIT /y | Stops the SQL Server instance for Kaspersky Administration Kit.
net.exe stop MSSQL$MICROSOFT /y | Stops a specific SQL Server instance named "MICROSOFT".
net.exe stop MSSQL$MICROSOFT##SSEE /y | Stops the SQL Server instance named "MICROSOFT##SSEE".
net.exe stop MSSQL$SBSMONITORING /y | Stops the SQL Server instance for SBS Monitoring.
net.exe stop MSSQL$SHAREPOINT /y | Stops the SQL Server instance for SharePoint.
net.exe stop MSSQL$VEEAMSQL2012 /y | Stops the SQL Server instance for Veeam Backup.
net.exe stop MSSQLFDLauncher$SBSMONITORING /y | Stops the SQL Full-Text Filter Daemon Launcher for SBS Monitoring.
net.exe stop MSSQLServerADHelper100 /y | Stops the SQL Server Active Directory Helper service.
net.exe stop MVArmor /y | Stops the MVArmor service (multi-variant execution application).
net.exe stop MVarmor64 /y | Stops the 64-bit version of the MVArmor service (multi-variant execution application).
net.exe stop mysql57 /y | Stops the MySQL 5.7 service.
net.exe stop NetBackup BMR MTFTP Service /y | Stops the NetBackup Bare Metal Restore MTFTP service.
net.exe stop PDVFSService /y | Stops the PDVFS (backup service).
net.exe stop QBCFMonitorService /y | Stops the QuickBooks Company File Monitoring Service.
net.exe stop QBFCService /y | Stops the QuickBooks File Copy Service.
net.exe stop QBIDPService /y | Stops the QuickBooks Identity Protection Service.
net.exe stop QBVSS /y | Stops the QuickBooks VSS service.
net.exe stop QLADHLP /y | Stops the QuickBooks Link Auto Data Handler service.
net.exe stop QuickBooks /y | Stops the QuickBooks service.
net.exe stop RTVscan /y | Stops the Symantec AntiVirus Auto-Protect service.
net.exe stop SavRoam /y | Stops the Symantec AntiVirus Roam service.
net.exe stop sophos /y | Stops the Sophos AntiVirus service.
net.exe stop sql /y | Stops the SQL Server service.
net.exe stop sqladhlp /y | Stops the SQL Server Active Directory Helper service.
net.exe stop sqlagent /y | Stops the SQL Server Agent service.
net.exe stop SQLAgent$KAV_CS_ADMIN_KIT /y | Stops the SQL Server Agent for Kaspersky Administration Kit.
net.exe stop SQLAgent$SBSMONITORING /y | Stops the SQL Server Agent for SBS Monitoring.
net.exe stop SQLAgent$SHAREPOINT /y | Stops the SQL Server Agent for SharePoint.
net.exe stop SQLAgent$VEEAMSQL2012 /y | Stops the SQL Server Agent for Veeam Backup.
net.exe stop sqlbrowser /y | Stops the SQL Server Browser service.
net.exe stop Sqlservr /y | Stops the SQL Server service.
net.exe stop SQLWriter /y | Stops the SQL Server VSS Writer service.
net.exe stop stc_raw_agent /y | Stops the STC Raw Agent service.
net.exe stop svc$ /y | Stops a service named "svc$" (matches services whose names end in ‘svc’: svc$).
net.exe stop tomcat6 /y | Stops the Apache Tomcat 6 service.
net.exe stop veeam /y | Stops the Veeam Backup service.
net.exe stop VeeamDeploymentService /y | Stops the Veeam Deployment Service.
net.exe stop VeeamNFSSvc /y | Stops the Veeam NFS Service.
net.exe stop VeeamTransportSvc /y | Stops the Veeam Transport Service.
net.exe stop vmware /y | Stops the VMware service.
net.exe stop vmware-converter /y | Stops the VMware Converter service.
net.exe stop VSNAPVSS /y | Stops the VSNAP VSS service.
net.exe stop vss /y | Stops the Volume Shadow Copy Service.
net.exe stop wrapper /y | Stops the Java Service Wrapper.
net.exe stop WSBExchange /y | Stops the Windows Server Backup Exchange integration service.
net.exe stop YooBackup /y | Stops the YooBackup service (backup application).
net.exe stop YooIT /y | Stops the YooIT service (backup application).
net.exe stop zhudongfangyu /y | Stops the Zhudongfangyu service (Chinese antivirus software).
powershell.exe Get-MpPreference -verbose | Displays the current Microsoft Defender preferences with verbose output.
powershell.exe Set-MpPreference -DisableArchiveScanning $true | Disables archive scanning in Microsoft Defender.
powershell.exe Set-MpPreference -DisablePrivacyMode $true | Disables privacy mode in Microsoft Defender.
powershell.exe Set-MpPreference -LowThreatDefaultAction 6 | Sets the default action for low threat detections to 'Allow' in Microsoft Defender.
powershell.exe Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true | Disables signature updates on startup if the engine is not running in Microsoft Defender.
powershell.exe Set-MpPreference -SubmitSamplesConsent 2 | Sets the sample submission consent to 'Send safe samples automatically' in Microsoft Defender.

Table 1. Commands executed by the Psoglav ransomware.
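The commands in Table 1 fall into three groups a detection engineer cares about: recovery inhibition (vssadmin, wmic, wbadmin, bcdedit), service stops against backup, database and security products, and Set-MpPreference changes that weaken Microsoft Defender. The Python below is an added example, not code from the article or from FortiEDR: it parses command lines of the shapes shown in the table (including the ‘cmd.exe /C a & b’ chains and the ‘net.exe stop <name> /y’ form, where the service name may contain spaces or a ‘$’ instance suffix) and classifies each one. The service watchlist is a constructed subset of Table 1 grouped by purpose, and the sample command lines are constructed for the demo.

```python
"""Classify the pre-encryption commands of the kind listed in Table 1.

Added example for detection engineering (not from the article or FortiEDR).
"""
import re

# Constructed watchlist: base service names from Table 1, grouped by why a
# ransomware operator stops them. Instance suffixes ('MSSQL$SHAREPOINT') and
# leading '#' ('##WID') are stripped before lookup.
SERVICE_GROUPS = {
    "backup": {"veeam", "veeamtransportsvc", "backupexecjobengine", "acronisagent",
               "yoobackup", "wsbexchange", "vss", "sqlwriter", "vsnapvss"},
    "database": {"mssql", "sqlagent", "sqlservr", "mysql57", "msexchange", "dbeng8", "wid"},
    "security": {"sophos", "rtvscan", "mcafeedlpagentservice", "zhudongfangyu", "avpsus", "fcs"},
}

# Defender preferences from Table 1 whose change weakens protection.
WEAKENING_MP_PREFS = {
    "DisableArchiveScanning", "DisablePrivacyMode", "LowThreatDefaultAction",
    "SignatureDisableUpdateOnStartupWithoutEngine", "SubmitSamplesConsent",
}

RECOVERY_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic\s+shadowcopy\s+delete", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin\s+delete\s+catalog", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit\s+/set\s+\{default\}\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}
# Service name is everything between 'stop' and an optional trailing '/y'.
NET_STOP = re.compile(r"\bnet(?:\.exe)?\s+stop\s+(.+?)(?:\s+/y)?\s*$", re.I)
MP_PREF = re.compile(r"Set-MpPreference\s+-(\w+)\s+(\S+)", re.I)


def split_chain(cmdline):
    """Split 'cmd.exe /C a & b' into its individual commands."""
    body = re.sub(r"^\s*cmd(?:\.exe)?\s+/c\s+", "", cmdline, flags=re.I)
    return [part.strip() for part in body.split("&") if part.strip()]


def service_group(name):
    """Map a service name to its watchlist group, or None if not listed."""
    base = name.split("$")[0].lstrip("#").lower()
    for group, names in SERVICE_GROUPS.items():
        if base in names:
            return group
    return None


def classify(cmdline):
    """Return a list of (kind, subject, detail) findings for one command line."""
    findings = []
    for part in split_chain(cmdline):
        m = NET_STOP.search(part)
        if m:
            svc = m.group(1).strip()
            findings.append(("service_stop", svc, service_group(svc)))
            continue
        m = MP_PREF.search(part)
        if m and m.group(1) in WEAKENING_MP_PREFS:
            findings.append(("defender_weakening", m.group(1), m.group(2)))
            continue
        for label, pattern in RECOVERY_PATTERNS.items():
            if pattern.search(part):
                findings.append(("inhibit_recovery", label, part))
                break
    return findings


def summarize(cmdlines):
    """Aggregate findings across the command lines of one process tree."""
    summary = {"inhibit_recovery": 0, "service_stop": 0, "defender_weakening": 0,
               "service_groups": set(), "unclassified": 0}
    for line in cmdlines:
        findings = classify(line)
        if not findings:
            summary["unclassified"] += 1
        for kind, _subject, detail in findings:
            summary[kind] += 1
            if kind == "service_stop" and detail:
                summary["service_groups"].add(detail)
    return summary


# Constructed sample: a few Table 1 commands plus two benign lines.
CONSTRUCTED_COMMANDS = [
    "cmd.exe /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete",
    "cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no",
    "net.exe stop MSSQL$VEEAMSQL2012 /y",
    "net.exe stop BMR Boot Service /y",
    "net.exe stop sophos /y",
    "net.exe stop ##WID /y",
    "powershell.exe Set-MpPreference -DisableArchiveScanning $true",
    "powershell.exe Get-MpPreference -verbose",
    "notepad.exe C:\\Users\\Public\\notes.txt",
]

if __name__ == "__main__":
    print(summarize(CONSTRUCTED_COMMANDS))
```

The aggregate view is the useful one: a single ‘net stop’ is routine administration, but one parent process stopping services from several of these groups while also deleting shadow copies and loosening Defender preferences is the pattern the article describes as noisy.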

 

The process creation events related to the execution of these commands can be analyzed in the ‘Investigation View’, as shown in Figure 4, or through the FortiEDR threat hunting interface, as shown in Figure 5 below.

 


Figure 4. FortiEDR Investigation View showing child process related to the Psoglav malware pre-encryption behavior.

 


Figure 5. FortiEDR threat hunting interface showing commands executed by malware to perform pre-encryption activity.

 

After executing these commands, the ransomware executable begins encrypting multiple files on the victim machine. This activity triggers the ‘File Encryptor’ and ‘Unconfirmed Executable’ rules from the FortiEDR ‘Ransomware Prevention’ security policy, as shown in Figure 6.

 


Figure 6. Ransomware triggers ‘File Encryptor’ rule from FortiEDR ‘Ransomware Prevention’ security policy.

 

All targeted files on the victim endpoint are overwritten with encrypted data and then renamed with the added extension ‘.psoglav’. The file names and the content of a sample encrypted text file can be observed in Figure 7 below.

 


Figure 7. User file extensions changed and encrypted data sample.

 

While encryption is in progress, the ransomware process creates a ransom note in a text file named ‘Psoglav_Read_Me.txt’ in each folder from which it has encrypted files. The content of this ransom note can be observed in Figure 8 below.

 


Figure 8. Psoglav ransomware ransom note file.

 

The ransom note contains the email address of the affiliate and the personal ID of the victim. It states that any two files smaller than 1 MB can be sent for a test decryption before payment. A unique aspect of this ransomware is that the contact email given is the affiliate's and not the ransomware service provider's. This means the affiliate will need to perform any negotiations with the victim, which highlights that this RaaS offering is more ‘lightweight’ compared to other programs. This could be because the group lacks the infrastructure to perform these functions; it may be a method of separating the group from interaction with the victims to minimize the risk of law enforcement tracking the group; or it may be a revised model which builds trust with the affiliate by allowing them to receive payment directly rather than receiving a cut from the group.

 

After encryption of files is complete, the ransomware creates an image file named ‘Psoglav.jpg’ in the path ‘C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Templates\’. It then sets this file as the Windows wallpaper by changing the ‘Wallpaper’ value under the registry path ‘HKCU\Control Panel\Desktop’. This wallpaper can be observed in Figure 9 and the registry change can be observed in the FortiEDR threat hunting interface in Figure 10 below.

 


Figure 9. Psoglav ransomware changed the victim's wallpaper.

 


Figure 10. FortiEDR threat hunting interface showing wallpaper registry changed by the Psoglav malware.
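The on-disk artifacts described above (the appended ‘.psoglav’ extension, a ‘Psoglav_Read_Me.txt’ note in every folder that had files encrypted) are what an incident responder uses to scope the damage once the process has been stopped. The Python below is an added example for that triage step, not code from the article or FortiEDR: it walks a directory tree, counts encrypted files, recovers each file's original extension (so a restore-from-backup list can be built), records which folders received a note, and flags folders that hold encrypted files without a note, which is worth a second look because the article says the note is dropped in every such folder. build_constructed_tree() fabricates a small victim tree in a temporary directory; the file names in it are constructed sample data.

```python
"""Scope a Psoglav-style encryption event from its file-system artifacts.

Added example for incident response (not from the article or FortiEDR).
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".psoglav"          # extension appended by the ransomware
NOTE_NAME = "Psoglav_Read_Me.txt"   # ransom note dropped per folder


def original_name(encrypted_name):
    """'budget.xlsx.psoglav' -> 'budget.xlsx' (the extension is appended, not replaced)."""
    if encrypted_name.lower().endswith(ENCRYPTED_EXT):
        return encrypted_name[:-len(ENCRYPTED_EXT)]
    return encrypted_name


def triage(root):
    """Walk `root` and summarize encrypted files, notes and untouched files."""
    result = {
        "encrypted_files": 0,
        "untouched_files": 0,
        "note_folders": [],            # folders (relative to root) containing a note
        "folders_hit": set(),          # folders containing at least one encrypted file
        "by_original_ext": Counter(),  # what kinds of files were hit
    }
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            if name == NOTE_NAME:
                result["note_folders"].append(rel)
            elif name.lower().endswith(ENCRYPTED_EXT):
                result["encrypted_files"] += 1
                result["folders_hit"].add(rel)
                ext = os.path.splitext(original_name(name))[1].lower() or "<none>"
                result["by_original_ext"][ext] += 1
            else:
                result["untouched_files"] += 1
    result["note_folders"].sort()
    # Encrypted files without the per-folder note do not match the described
    # behavior; list them so the responder can look closer.
    result["folders_missing_note"] = sorted(result["folders_hit"] - set(result["note_folders"]))
    return result


def build_constructed_tree(root):
    """Fabricate a small victim tree (constructed sample data, not real victim files)."""
    layout = {
        "Documents": ["budget.xlsx.psoglav", "memo.docx.psoglav", NOTE_NAME],
        "Pictures": ["holiday.jpg.psoglav", NOTE_NAME],
        "Downloads": ["setup.exe"],
        os.path.join("Documents", "Archive"): ["old.pdf.psoglav"],
    }
    for folder, names in layout.items():
        path = os.path.join(root, folder)
        os.makedirs(path, exist_ok=True)
        for name in names:
            with open(os.path.join(path, name), "wb") as fh:
                fh.write(b"constructed sample content")


def demo():
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a mounted image or a copy of the affected share rather than the live host, and treat the per-extension counts as the input to the restore plan: they tell you which data types were reachable by the process and therefore which backups to verify first.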

 

Conclusion

As highlighted in this article, FortiEDR is able to detect and mitigate the risk associated with the Psoglav ransomware. FortiEDR is able to block the ransomware at initial file execution, during attempts to delete backups, and when it attempts to write encrypted data to files.

This ransomware’s pre-encryption activity is very noisy and results in multiple alerts, making it easy to detect through behavioral analysis. Additionally, during analysis we observed that some of the commands used to stop services and impair antivirus effectiveness were executed 2-4 times by the malware. Whilst the in-memory loading of much of the ransomware’s code is designed to inhibit detection, this behavior is anomalous and creates strong detection opportunities for behavior-based tools like FortiEDR.

Some useful threat hunting queries and MITRE ATT&CK mappings are provided below to support the proactive threat hunting efforts.

 

Threat Hunting

 

The following Threat Hunting query will detect ‘Process Creation’ events where ‘vssadmin.exe’ is executed to delete shadow copies. This command is not unique to Psoglav ransomware; other malware families also use it. False positives may occur where this utility is used for legitimate administrative purposes.

 

Type:("Process Creation") AND Target.Process.Name:"vssadmin.exe" AND (Target.Process.CommandLine: "delete shadows \/all \/quiet")

 

 

The following Threat Hunting query will detect ‘Process Creation’ events where ‘WMIC.exe’ is executed with command line arguments indicative of shadow copy deletion. This command is not unique to Psoglav ransomware; other malware families also use it. False positives may occur where this utility is used for legitimate administrative purposes.

 

Type: ("Process Creation") AND Target.Process.File.Name: ("WMIC.exe") AND Target.Process.CommandLine: ("shadowcopy delete")

 

 

The following Threat Hunting query will detect ‘File Creation’ events for the ‘Psoglav.jpg’ file, which is the wallpaper set by the ransomware. Note that changing the file name ‘Psoglav.jpg’ in a future version would be trivial for the threat actor; if the file name changes, this query will need to be modified.

 

Type: ("File Create") AND Target.File.Name: ("Psoglav.jpg") AND Target.File.Path: ("AppData\\Roaming\\Microsoft\\Windows\\Templates")

 

 

The following Threat Hunting query will detect the registry ‘Value Set’ events generated when the malware sets the ‘Psoglav.jpg’ file as the wallpaper. Note that changing the file name ‘Psoglav.jpg’ in a future version would be trivial for the threat actor; if the file name changes, this query will need to be modified.

 

Type: ("Value Set") AND Registry.Path: ("HKCU\\Control Panel\\Desktop") AND Registry.Name: ("Wallpaper") AND Registry.Data: ("Psoglav.jpg")

 

 

The following Threat Hunting query will detect ‘File Creation’ events for the ‘Psoglav_Read_Me.txt’ file, which is the ransom note created by the Psoglav ransomware. Note that this file name is specific to the current Psoglav campaign being tracked and may change in future.

 

Type: ("File Create") AND Target.File.Name: ("Psoglav_Read_Me.txt")

 

 

The following Threat Hunting query will detect ‘Process Creation’ events where ‘cmd.exe’ is executed with the specific command line used by the ransomware to configure boot options to ignore all failures and disable automatic recovery on failure. False positives may occur where this utility is used for legitimate administrative purposes.

 

Type: ("Process Creation") AND Target.Process.File.Name: ("cmd.exe") AND Target.Process.CommandLine: ("\/C bcdedit \/set \{default\} bootstatuspolicy ignoreallfailures" OR "bcdedit \/set \{default\} recoveryenabled no")
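The six queries above are written in the FortiEDR Threat Hunting syntax and can only be run inside that console. To let the logic be checked offline, the Python below re-implements each query as a predicate over flat event dictionaries keyed by the same field names the queries use (Type, Target.Process.Name, Target.Process.File.Name, Target.Process.CommandLine, Target.File.Name, Target.File.Path, Registry.Path, Registry.Name, Registry.Data). This is an added example, not FortiEDR code, and it assumes case-insensitive matching of quoted terms, with a quoted phrase matching as a substring of the field; the FortiEDR query engine's exact tokenization may differ. The sample events, including the two benign ones, are constructed for the demo.

```python
"""Offline mirror of the six FortiEDR Threat Hunting queries in this article.

Added example (not FortiEDR code). Events are dicts keyed by the query field names.
"""


def _eq(event, field, value):
    """Exact, case-insensitive field match (mirrors Field: ("value"))."""
    return str(event.get(field, "")).lower() == value.lower()


def _has(event, field, phrase):
    """Case-insensitive phrase-in-field match (assumption: quoted phrase == substring)."""
    return phrase.lower() in str(event.get(field, "")).lower()


def hunt_vssadmin_shadow_delete(e):
    return (_eq(e, "Type", "Process Creation") and _eq(e, "Target.Process.Name", "vssadmin.exe")
            and _has(e, "Target.Process.CommandLine", "delete shadows /all /quiet"))


def hunt_wmic_shadowcopy_delete(e):
    return (_eq(e, "Type", "Process Creation") and _eq(e, "Target.Process.File.Name", "WMIC.exe")
            and _has(e, "Target.Process.CommandLine", "shadowcopy delete"))


def hunt_wallpaper_file_create(e):
    return (_eq(e, "Type", "File Create") and _eq(e, "Target.File.Name", "Psoglav.jpg")
            and _has(e, "Target.File.Path", r"AppData\Roaming\Microsoft\Windows\Templates"))


def hunt_wallpaper_registry_set(e):
    return (_eq(e, "Type", "Value Set") and _has(e, "Registry.Path", r"HKCU\Control Panel\Desktop")
            and _eq(e, "Registry.Name", "Wallpaper") and _has(e, "Registry.Data", "Psoglav.jpg"))


def hunt_ransom_note_create(e):
    return _eq(e, "Type", "File Create") and _eq(e, "Target.File.Name", "Psoglav_Read_Me.txt")


def hunt_bcdedit_recovery(e):
    return (_eq(e, "Type", "Process Creation") and _eq(e, "Target.Process.File.Name", "cmd.exe")
            and (_has(e, "Target.Process.CommandLine", "/C bcdedit /set {default} bootstatuspolicy ignoreallfailures")
                 or _has(e, "Target.Process.CommandLine", "bcdedit /set {default} recoveryenabled no")))


HUNTS = {
    "vssadmin_shadow_delete": hunt_vssadmin_shadow_delete,
    "wmic_shadowcopy_delete": hunt_wmic_shadowcopy_delete,
    "wallpaper_file_create": hunt_wallpaper_file_create,
    "wallpaper_registry_set": hunt_wallpaper_registry_set,
    "ransom_note_create": hunt_ransom_note_create,
    "bcdedit_recovery": hunt_bcdedit_recovery,
}


def match_hunts(event):
    """Names of all hunts that fire on one event, sorted for stable output."""
    return sorted(name for name, pred in HUNTS.items() if pred(event))


def run(events):
    """Return {hunt_name: [indexes of matching events]} for hunts that fired."""
    fired = {}
    for idx, event in enumerate(events):
        for name in match_hunts(event):
            fired.setdefault(name, []).append(idx)
    return fired


# Constructed sample events: six that should fire one hunt each, two benign.
TEMPLATES = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Templates"
CONSTRUCTED_EVENTS = [
    {"Type": "Process Creation", "Target.Process.Name": "vssadmin.exe",
     "Target.Process.File.Name": "vssadmin.exe",
     "Target.Process.CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Type": "Process Creation", "Target.Process.Name": "WMIC.exe",
     "Target.Process.File.Name": "WMIC.exe", "Target.Process.CommandLine": "wmic shadowcopy delete"},
    {"Type": "Process Creation", "Target.Process.Name": "cmd.exe", "Target.Process.File.Name": "cmd.exe",
     "Target.Process.CommandLine": "cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures"
                                   " & bcdedit /set {default} recoveryenabled no"},
    {"Type": "File Create", "Target.File.Name": "Psoglav.jpg", "Target.File.Path": TEMPLATES + r"\Psoglav.jpg"},
    {"Type": "Value Set", "Registry.Path": r"HKCU\Control Panel\Desktop", "Registry.Name": "Wallpaper",
     "Registry.Data": TEMPLATES + r"\Psoglav.jpg"},
    {"Type": "File Create", "Target.File.Name": "Psoglav_Read_Me.txt", "Target.File.Path": r"C:\Users\victim\Documents"},
    # Benign: listing shadows is routine administration and must not fire.
    {"Type": "Process Creation", "Target.Process.Name": "vssadmin.exe",
     "Target.Process.File.Name": "vssadmin.exe", "Target.Process.CommandLine": "vssadmin list shadows"},
    # Benign: a user changing wallpaper to a stock image must not fire.
    {"Type": "Value Set", "Registry.Path": r"HKCU\Control Panel\Desktop", "Registry.Name": "Wallpaper",
     "Registry.Data": r"C:\Windows\Web\Wallpaper\Windows\img0.jpg"},
]

if __name__ == "__main__":
    print(run(CONSTRUCTED_EVENTS))
```

Keeping each query as a separate predicate makes the caveats in the text concrete: the two wallpaper hunts and the ransom note hunt depend entirely on the literal strings ‘Psoglav.jpg’ and ‘Psoglav_Read_Me.txt’, while the shadow copy and bcdedit hunts key on behavior that other families share, which is why the latter produce administrative false positives and the former break as soon as the operator renames a file.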

 

 

MITRE ATT&CK

 

TA0002 - Execution

Technique ID | Technique Description | Observed Activity
T1047 | Windows Management Instrumentation | Ransomware deletes shadow copies using the utility WMIC.exe. The following command line was used: ‘WMIC.exe shadowcopy delete’.
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Ransomware uses cmd.exe to execute multiple Windows utilities to prepare the victim endpoint for encryption. Cmd was used to execute a number of net commands.
T1059.001 | Command and Scripting Interpreter: PowerShell | Ransomware uses multiple PowerShell commands to disable features of Microsoft Defender.

 


TA0005 - Defense Evasion

Technique ID | Technique Description | Observed Activity
T1562.001 | Impair Defenses: Disable or Modify Tools | Ransomware executes commands to disable antivirus software.
T1620 | Reflective Code Loading | Ransomware loads a DLL with the name ‘saveMySettingsOnExit  *  XmlWriter.WriteBase64.dll’ directly in memory; this file is not present on the file system.
T1027.009 | Obfuscated Files or Information: Embedded Payloads | Ransomware loads a payload with the name ‘saveMySettingsOnExit  *  XmlWriter.WriteBase64.dll’ directly in memory; this payload is embedded in the executable file.

 


TA0040 - Impact

Technique ID | Technique Description | Observed Activity
T1486 | Data Encrypted for Impact | User data files are encrypted using the file overwrite method.
T1489 | Service Stop | Multiple Windows service stop commands are executed by the malware using the cmd.exe and net.exe utilities.
T1490 | Inhibit System Recovery | The malware deletes shadow copies from the system to inhibit system recovery. The following commands are used to delete shadow copies and inhibit recovery: ‘cmd.exe /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete’ and ‘bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no’.
T1491.001 | Defacement: Internal Defacement | The ransomware changes the wallpaper of the victim desktop to a message about the file encryption.

 

 

IOCs (Indicators of Compromise)

The samples analyzed in this article were taken from a victim environment still under investigation and may be provided later.

 

 

 

[1] https://www.coveware.com/blog/2024/4/17/raas-devs-hurt-their-credibility-by-cheating-affiliates-in-q...
