RansomHub is a cybercriminal ransomware/extortion group which emerged in February 2024 and was first reported in the same month. The group operates a ransomware-as-a-service (RaaS) business model and offers its self-named ransomware to affiliates for use in their intrusions. The ransomware provided by the group is developed in Golang and C++, is capable of targeting Windows, Linux and ESXi instances, and advertises fast encryption as one of its main distinguishing features compared to other RaaS offerings. At the time of writing, the group has eighteen victims listed on its dark-web site. The victims are located in the United States, Brazil, Vietnam, Malaysia, Egypt, Canada and Slovakia, and the top three victim sectors are Retail, Software and Construction. Top victim countries and industries can be seen in the following chart.
The following figure shows the main page of the RansomHub dark-web site, which lists a number of victims and a countdown for each until the victim's data is to be published.
Figure 1. RansomHub dark-web site main page showing victims list.
A RansomHub advertisement on a dark-web forum mentions that the RansomHub Locker malware is written in Golang and C++, that its asymmetric algorithm is based on x25519, and that the symmetric encryption algorithm can be set to AES256, ChaCha20 or XChaCha20. It also mentions that the Locker is obfuscated using AST (abstract syntax tree) transformations and built daily[1]. The advertisement further states that the RansomHub group takes only a 10% commission under its RaaS model. The group offers a different payment model from other groups: affiliates collect the ransom money themselves and pay the group its RaaS fee after they have received the ransom. This payment method may have been adopted to gain the trust of affiliates, in light of the recent fraud by another ransomware operator[2].
The RansomHub website ‘about’ page states that the members of the group are from different countries and that they are only interested in money. This page also states that the group does not allow attacks on the CIS (Commonwealth of Independent States[3]), Cuba, North Korea or China.
The group also states that it does not allow attacks on organizations that have previously made payments, or on non-profit organizations. A snapshot of the ‘about’ page is shown in the figure below.
Figure 2. RansomHub dark-web site about page.
To demonstrate FortiEDR’s ability to detect and mitigate activity associated with the deployment of RansomHub ransomware, we detonated a RansomHub sample and analyzed its behavior. It should be noted that FortiEDR was set to ‘Log Only’ mode in order to observe the complete malware behavior. In prevention mode, the behavior associated with these security events would be blocked by FortiEDR.
The analyzed sample ‘t1_amd64.exe’ was executed from the ‘c:\temp’ directory via a cmd.exe process. When the sample was first detonated it triggered the ‘Sandbox Analysis’ rule from the FortiEDR ‘Execution Prevention’ security policy. This rule is triggered when a previously unobserved executable meets criteria indicating that it may be suspicious. The file execution was blocked by this rule, and the unknown file was automatically sent to the array of cloud sandboxes employed within Fortinet Cloud Services (FCS) for analysis. We can observe this in Figure 3 below.
Figure 3. RansomHub sample execution blocked, and file sent to cloud analysis by FortiEDR.
Fortinet Cloud Services (FCS) classified the malware sample as ‘Malicious’. Immediately following execution, the ransomware changed the wallpaper of the victim endpoint to a black and red image with text reading ‘Your data is stolen and encrypted, see README_<redacted>.txt’. We can observe this wallpaper change in Figure 4 below.
Figure 4. RansomHub sets wallpaper on victim machine with message.
This differs from most other ransomware, which normally creates the ransom note and changes the wallpaper only after the encryption process is finished. The ransomware created an image file named <6 lowercase and uppercase letters>.png in the path ‘C:\Users\<UserName>\AppData\Local\Temp\’. To change the wallpaper, the ransomware directly set a registry value under the ‘HKCU\Control Panel\Desktop’ key to the path of the created image file. The ransomware executable ‘t1_amd64.exe’ triggered the rule ‘Unconfirmed Executable’ from the FortiEDR ‘Execution Prevention’ security policy. Since the main ransomware process is linked to the executable ‘t1_amd64.exe’, which is marked as unconfirmed, FortiEDR blocks its further actions, such as the registry change for the wallpaper. This can be observed in Figure 5 below.
Figure 5. FortiEDR blocks ransomware executable from changing wallpaper of victim.
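The wallpaper change described above leaves a simple artifact to check for: the wallpaper path under ‘HKCU\Control Panel\Desktop’ pointing at a six-letter .png file in the user's Temp directory. The following Python script is an added example, not FortiEDR code and not part of the original article: it encodes that description as a path heuristic and, on Windows, reads the current value from the registry (the value name ‘Wallpaper’ is assumed from standard Windows behavior; the article names only the key). The paths used in the comments are constructed.

```python
"""Heuristic check for the wallpaper artifact described above.

Added example, not FortiEDR code. wallpaper_is_suspicious() is pure and runs
anywhere; read_current_wallpaper() uses winreg and only works on Windows.
"""
from __future__ import annotations

import ntpath
import re
from typing import Optional

# Per the article: <6 lowercase and uppercase letters>.png dropped in
# C:\Users\<UserName>\AppData\Local\Temp\ (pattern reconstructed from that text).
TEMP_IMAGE_NAME = re.compile(r"^[A-Za-z]{6}\.png$")
TEMP_DIR_TAIL = ["appdata", "local", "temp"]


def wallpaper_is_suspicious(wallpaper_value: str) -> bool:
    """Return True when the wallpaper path sits directly in a user's
    AppData\\Local\\Temp directory and has a six-letter .png file name.

    Example (constructed): C:\\Users\\alice\\AppData\\Local\\Temp\\aBcDeF.png -> True
    """
    directory, name = ntpath.split(wallpaper_value)
    parts = [p.lower() for p in directory.split("\\") if p]
    in_temp = parts[-3:] == TEMP_DIR_TAIL
    return in_temp and TEMP_IMAGE_NAME.match(name) is not None


def read_current_wallpaper() -> Optional[str]:
    """Read the current user's wallpaper path; None when not on Windows."""
    try:
        import winreg  # only available on Windows builds of Python
    except ImportError:
        return None
    key_path = r"Control Panel\Desktop"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Wallpaper")  # assumed value name
        return str(value)


if __name__ == "__main__":
    current = read_current_wallpaper()
    if current is None:
        print("not on Windows; nothing to read")
    else:
        verdict = "SUSPICIOUS" if wallpaper_is_suspicious(current) else "ok"
        print(f"{current}: {verdict}")
```

The heuristic deliberately requires both conditions (Temp location and the six-letter name), because wallpapers legitimately live in many places and a theme image with a short name in Pictures should not fire; run it as part of a wider triage script rather than as a stand-alone verdict.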
After changing the wallpaper, the malware executable ran multiple commands through cmd.exe child processes. These commands were intended to achieve different tasks: stopping the IIS service, deleting shadow copies and clearing Windows event logs. The commands run were as follows:
cmd.exe /c iisreset.exe /stop
cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
cmd.exe /c wevtutil cl application
cmd.exe /c wevtutil cl security
cmd.exe /c wevtutil cl system
cmd.exe /c wmic.exe Shadowcopy Delete
These commands can be observed in FortiEDR Threat Hunting telemetry as shown in Figure 6 below.
Figure 6. FortiEDR Threat Hunting showing multiple commands executed by the ransomware.
Of these commands, the following was run by the malware to delete shadow copies using the vssadmin.exe utility:
cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
This command execution triggered the rules ‘File Encryptor’ and ‘Unconfirmed Executable’ from the FortiEDR security policy ‘Ransomware Prevention’ and the command execution was blocked by FortiEDR. This can be observed in Figure 7 below.
Figure 7. FortiEDR event which blocked shadow copy deletion using vssadmin utility.
The malware ran another command, via the wmic utility, to delete shadow copies:
cmd.exe /c wmic.exe Shadowcopy Delete
This command execution triggered the rules ‘File Encryptor’ and ‘Suspicious Application’ from the FortiEDR security policy ‘Ransomware Prevention’. The command execution was blocked, as can be observed in Figure 8 below.
Figure 8. FortiEDR blocked shadow copy deletion attempt via wmic utility.
After performing these preparatory actions, the main ransomware process started reading multiple files on the victim machine, encrypting them and renaming them with the extension <6-character lowercase alphanumeric>. In our research it was observed that the ransomware executables used the same extension when encrypting files across multiple different endpoints, indicating that the file extension is statically embedded when the executable is built.
When the malware attempted to write the encrypted data back to the files, we observed multiple file write events in FortiEDR. The rule ‘File Encryptor’ from the FortiEDR security policy ‘Ransomware Prevention’ was triggered by these events and the file write attempts were blocked by FortiEDR. This can be observed in Figure 9 below.
Figure 9. FortiEDR blocks malware from writing encrypted data to files on the victim machine.
The ransom note created by the RansomHub malware is a text file named ‘README_<6-character lowercase alphanumeric>’. The same six characters used for the encrypted file extension are used in the name of the ransom note file. The ransom note states that the data has been encrypted and that, if the ransom is not paid, the data will be published on the TOR darknet sites. Along with a link to the main RansomHub TOR website, a separate TOR link is given for contacting the attackers. We found that each sample gives a different TOR contact link in the ransom note. The ransom note can be observed in Figure 10 below.
Figure 10. Ransom note created by RansomHub ransomware.
As shown in this article, FortiEDR is able to detect and block the execution of a previously unknown RansomHub ransomware executable on initial execution. FortiEDR also effectively detected and blocked post-execution behavior performed by the ransomware, such as shadow copy deletion using the vssadmin utility, shadow copy deletion using the wmic utility, wallpaper modification and writing encrypted data to files. Given that these detections were triggered by the behavior of the sample itself rather than by fixed signatures, FortiEDR is expected to detect future iterations of RansomHub ransomware. The section below provides Threat Hunting queries so that FortiEDR environments can be checked proactively for indicators of some of these activities.
The following Threat Hunting query will detect Process Creation events where ‘vssadmin.exe’ is executed to delete shadow copies. This command is not unique to RansomHub ransomware; other malware families also use it. False positives may occur where this utility is used for legitimate administrative purposes.
Type:("Process Creation") AND Target.Process.Name:"vssadmin.exe" AND (Target.Process.CommandLine: "delete shadows \/all \/quiet")
The following Threat Hunting query will detect Process Creation events where ‘WMIC.exe’ is executed with command line arguments indicative of shadow copy deletion. This command is not unique to RansomHub ransomware; other malware families also use it. False positives may occur where this utility is used for legitimate administrative purposes, although such administrative deletions are typically performed using vssadmin.exe rather than WMIC.
Type: ("Process Creation") AND Target.Process.File.Name: ("WMIC.exe") AND Target.Process.CommandLine: ("shadowcopy delete")
The following Threat Hunting query will detect Process Creation events where ‘wevtutil.exe’ is executed with command line arguments indicative of the utility being used to clear Windows Security, System or Application event logs.
Type: ("Process Creation") AND Target.Process.File.Name: ("wevtutil.exe") AND Target.Process.CommandLine: ("cl security" OR "cl system" OR "cl application")
Note: The indicators in observed activity for each MITRE technique are relevant to analyzed campaigns and may change in future campaigns.
Technique ID | Technique Description | Observed Activity
T1047 | Windows Management Instrumentation | The ransomware deletes shadow copies using the WMIC.exe utility. The following command line was used: WMIC.exe shadowcopy delete
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The ransomware uses cmd.exe to execute multiple Windows utilities that implement various other techniques.
T1070.001 | Indicator Removal: Clear Windows Event Logs | The ransomware clears the application, system and security event logs on the victim machine using the wevtutil.exe utility.
T1486 | Data Encrypted for Impact | User data files are encrypted using the file overwrite method.
T1489 | Service Stop | A Windows IIS service stop command is executed by the malware using the iisreset.exe utility. This allows files belonging to web applications hosted on IIS servers to be encrypted, as these files are often locked while IIS is running.
T1490 | Inhibit System Recovery | The malware deletes shadow copies from the system to inhibit recovery. Two methods are used to delete shadow copies: 1) cmd.exe /c vssadmin.exe Delete Shadows /all /quiet 2) cmd.exe /c wmic.exe Shadowcopy Delete
The samples analyzed in this article were taken from a victim environment that is still under investigation and may be provided at a later date.
[1] https://twitter.com/DailyDarkWeb/status/1754920389959155852
[2] https://thehackernews.com/2024/03/exit-scam-blackcat-ransomware-group.html
[3] https://www.britannica.com/topic/Commonwealth-of-Independent-States
Copyright 2024 Fortinet, Inc. All Rights Reserved.