FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
ralvarez
Staff
Staff

Description

 

A new group of ransomware operators calling themselves 'Mindware' emerged in the last quarter of 2021 and are reportedly responsible for a number of ransomware/extortion attacks across the globe.

This group targets a broad range of industries with observed victims from healthcare, manufacturing, software, and finance sectors.

 

SHA1 Sector
ae974e5c37936ac8f25cfea0225850be61666874 Software
E9b52a4934b4a7194bcbbe27ddc5b723113f11fe Healthcare
9bc1972a75bb88501d92901efc9970824e6ee3f5 Manufacturing
F91d3c1c2b85727bd4d1b249cd93a30897c44caa Security
46ca0c5ad4911d125a245adb059dc0103f93019d Food Industry
7058ba9c21f06c4d8abcbfc49be638a22361120e Tourism
1d9052ce97f4f127f2626b2ff2ee106b4f8b9a70 Business
3178833a2fa1ab12ac09fb74e4806f42fe18df7d Business
F073d4a6160f8161ab2a050e7afddb4b4daa5e91 Sports

Table 1. Identified Mindware ransomware samples mapped to the targeted sector.

 

The Mindware group employs its own malware, which appears to have commonalities with previously tracked SFile2 ransomware. Mindware ransomware employs new variants of this SFile2 ransomware in their attacks, but the code does not exhibit significant new behavior compared to existing known ransomware samples. As a result of these similarities, FortiEDR provides detection and mitigation for this type of ransomware.

 

In this article, a closer look into how this Mindware malware performs its encryption, indicators associated with its execution, and detail what security events are generated if this ransomware is executed in a FortiEDR protected environment.

 

Analysis

 

The main Mindware ransomware sample analyzed in this article is a 32-bit Windows executable, as were all currently identified variants. On execution, the sample begins encrypting files immediately. Like most modern variants, this ransomware variant performs targeted encryption rather than a ‘scorched earth’ approach and includes a list of approximately 1656 extension names to be included for encryption and 48 extension names for exclusion.

This approach is used to ensure that a targeted endpoint remains operational and that a decoder can be properly deployed following ransomware payment.

 

A unique component of this malware is that each victim receives their own version of ransomware which results in changes to the ransom note and the file extension appended to encrypted files.

This makes building generic detection logic for encryption behavior difficult. Once a file in a directory is encrypted, the malware drops a ransom note with instructions, including how to proceed to recover the encrypted files.

 

The contact email address referenced in the ransom note varies between victims. Analysis of publicly available samples retrieved through VirusTotal indicates that the structure of the file extension given to encrypted files is a shortened version of the victim followed by a set number of random alphanumeric characters.

 

Figure 1 below shows the FortiEDR security event related to the creation of the ransom note, and Figure 2 below shows the content of the ransom note being written to disk for the analyzed sample.

 

mindware01.png

Figure 1. FortiEDR detects the dropping of the ransom note.

 

mindware02.png

Figure 2. A sample of the Mindware ransom note. The embedded emails change for each victim.

 

Encryption progress

 

On execution, the malware creates a visible console window that shows the encryption progress, as seen below in Figure 3.

This is anomalous compared to other malware samples, given that the window can simply be closed by a user to stop the encryption process. However, it also gives us insight into how ransomware operates.

 

Based on the console window, it can be seen that the malware runs several process threads in the background.

Some threads encrypt the files, while others monitor and display the number of files encrypted. The multithreaded approach allows for much faster encryption.

 

mindware03.png

Figure 3. On execution the malware creates a visible console window which shows the files encryption process.

 

Selecting files for encryption

 

As previously highlighted, this ransomware has a list of approximately 1656 extension names to be included for encryption, but not all 1656 extension names in the list are unique.

Many appear to be duplicated, likely collated from various other ransomware inclusion lists. There are also 48 extension names excluded from encryption, such as exe, dll, ocx, and more.

 

A combination of inclusion lists and exclusion lists is an interesting feature given an inclusion list negates the need for an exclusion list.

 

These exclusion and inclusions lists are stored within the executable and are encoded for faster comparison when checking for the file to encrypt. Figure 4, 5 and 6 below shows a code snippet of the algorithm used to encode the extension names, the partial list of extension names to be included, and the partial list of extension names to be avoided.

 

mindware04.png

Figure 4. Excerpt of code from analyzed sample used to encode the extension names.

 

mindware05.png

Figure 5. Partial decoded list of extension names to be included for encryption.

 

mindware06.png

Figure 6. Partial decoded list of extension names to be excluded from encryption.

 

Renaming files to encrypt

 

Mindware renames the files to be encrypted by appending the string, such as, 'nissenvelten-sjj3hhut' to the end of the filename. It uses MoveFileW API to rename a file such as, 'readme.txt', to 'readme.txt.nissenvelten-sjj3hhut'.

 

The malware makes it easy to spot an encrypted file by appending the mentioned strings. The figure below shows the code that renames the file.

 

mindware07.png

Figure 7. Code excerpt showing how the ransomware renames the file prior to encryption.

 

The ransomware drops the ransom note, '!nissenvelten!HOW_TO_RESTORE.log', to every folder where there are encrypted files, similar to the figure below.

 mindware08.png

Figure 8. An example folder containing the ransom note and files encrypted by the Mindware ransomware sample.

 

As described previously, the Mindware ransomware is modified for each victim. As part of these modifications, the filename and content of the ransom notes are changed slightly between each variation. Below is the list of ransom notes that are observed.

 

SHA1 Ransom note filename
ae974e5c37936ac8f25cfea0225850be61666874 !nissenvelten!HOW_TO_RESTORE.log
E9b52a4934b4a7194bcbbe27ddc5b723113f11fe !lifespire!README.log
9bc1972a75bb88501d92901efc9970824e6ee3f5 message_to_nottco.txt
F91d3c1c2b85727bd4d1b249cd93a30897c44caa readme_to cvgfi.inf
46ca0c5ad4911d125a245adb059dc0103f93019d A_aco!howtodecipher.log
7058ba9c21f06c4d8abcbfc49be638a22361120e !!laposada_howtodecipher.inf
1d9052ce97f4f127f2626b2ff2ee106b4f8b9a70 message_to fmiint.log
3178833a2fa1ab12ac09fb74e4806f42fe18df7d is_it_possible_convert encoded data.log
F073d4a6160f8161ab2a050e7afddb4b4daa5e91 message_for bigleaguedreams.inf

Table 2. Various ransom not file names dropped by different observed variants of Mindware ransomware.

 

 

Mapping files prior to encryption

 

During encryption, Mindware ransomware loads the file to be encrypted in memory by using the file mapping method. Initially, the file will be open using CreateFileW API, followed by CreateFileMappingW API, which creates a file mapping object for the file. MapViewOfFile API makes a portion of the file accessible in memory.

 

Whatever changes are made in the mapped version of the file will be reflected in the actual file on the disk. All changes will be flushed to the file when UnmapViewOfFile API is executed. The figure below shows the use of file mapping APIs used by Mindware for encryption.

 

mindware09.png

Figure 9. Code excerpt from analyzed sample showing how files are mapped prior to encryption.

 

Future variants

 

FortiEDR employs machine learning and online sandbox analysis as part of its detection capabilities which allows it to detect variants of know malware and suspicious indicators within unknown files, even without explicit signature matches. To validate that these non-signature based detections are effective at detecting new variants of malware, modified the hash is reran in the analyzed sample in a test environment.

 

As it can be seen in Figure 10 below, FortiEDR machine learning detections flagged the modified file as suspicious and blocked execution. This demonstrates that FortiEDR is able to detect a modified version of the Mindware ransomware using its machine learning capability, meaning that it will likely protect against future variants.

 

mindware10.png

Figure 10. FortiEDR detects the encryption events from possible future variants of Mindware via machine learning.

 

In addition to detecting the ransomware executable using Execution policy rules, FortiEDR also detects the encryption event as the ransomware attempts to encrypt each file. Figure 11 below shows FortiEDR detection for ‘File Write’ attempts associated with the execution of the modified Mindware sample described above.

 

This demonstrates how FortiEDR is able to block malicious behavior associated with unknown malware. Note the high RDI count (2624 events) as FortiEDR detected and (simulated) blocked each file encryption event.

 

mindware11.png

Figure 11. FortiEDR detects the encryption events from a Mindware sample with an unknown hash.

 

Conclusion

 

Mindware is another ransomware gang employing its own modified ransomware variant. Like with many of the other ransomware variants analyzed in previous KB articles, FortiEDR continues to provide detection from execution using integrations with machine learning, online sandboxing and FortiGuard Threat Intelligence to identify known and unknown variants of these common threats.

 

Additionally, FortiEDR detects and mitigates encryption behavior associated with the ransomware encryptions process. This means that even if a variant is able to be executed, attempts to encrypt victim files will be blocked.

 

Threat Hunting

 

To search for encrypted files: The encrypted files has randomized extension name with the format '<3+ random characters>-<8 random characters>', such as; ‘nissenvelten-sjj3hhut’, ‘bigleaguedreams-lchy2vwd’, ‘fmiint-sqnsxris’ or ‘cvgfi-8870awn8’.

Other observed randomized extension filenames have the format '<6+ random characters>-<7 random characters>' such as ‘laposada-bfkruyz’, ‘lifespire-kjmu7q9’ and ‘nottco-ycujnbp’.

 

In either of these situations, larger file extensions should be investigated as anomalous but given this behavior is only observed after encryption has taken place detection of behavior matching the above should lead to immediate containment actions.

 

Type: ("File Write") AND (Target.File.Ext: *???-???????? OR Target.File.Ext: *??????-???????)

 

MITRE ATT&CK

TA0040 - Impact

 

Technique ID

Technique Description

Observed Activity

T1486

Data Encrypted for Impact

Similar to common ransomware, Mindware encrypts files on a local victim endpoint. Mindware has an extensive include list for filetypes based on file extension and also an exclude list.

IOCs

Indicator Description

Indicator

Indicator Type

Associated Tactic

Notes

Mindware binary

ae974e5c37936ac8f25cfea0225850be61666874

SHA1 Hash

Execution

Mindware sample First observed date: 2022-01-31

Mindware binary

e9b52a4934b4a7194bcbbe27ddc5b723113f11fe

SHA1 Hash

Execution

Mindware sample First observed date: 2022-02-09.

Mindware binary

9bc1972a75bb88501d92901efc9970824e6ee3f5

SHA1 Hash

Execution

Mindware sample First observed date: 2022-04-05.

Mindware binary

f91d3c1c2b85727bd4d1b249cd93a30897c44caa

SHA1 Hash

Execution

Mindware sample First observed date: 2022-02-26.

Mindware binary

46ca0c5ad4911d125a245adb059dc0103f93019d

SHA1 Hash

Execution

Mindware sample First observed date: 2022-03-08.

Mindware binary

7058ba9c21f06c4d8abcbfc49be638a22361120e

SHA1 Hash

Execution

Mindware sample First observed date: 2022-01-04.

Mindware binary

1d9052ce97f4f127f2626b2ff2ee106b4f8b9a70

SHA1 Hash

Execution

Mindware sample First observed date: 2021-10-29.

Mindware binary

3178833a2fa1ab12ac09fb74e4806f42fe18df7d

SHA1 Hash

Execution

Mindware sample First observed date: 2022-01-08.

Mindware binary

f073d4a6160f8161ab2a050e7afddb4b4daa5e91

SHA1 Hash

Execution

Mindware sample First observed date: 2021-12-23.

Contributors