FortiEDR
ralvarez
Staff
Article Id 216414

Description

 

A new group of ransomware operators calling themselves 'Mindware' emerged in the last quarter of 2021 and are reportedly responsible for a number of ransomware/extortion attacks across the globe.

This group targets a broad range of industries with observed victims from healthcare, manufacturing, software, and finance sectors.

 

SHA1                                      Sector
ae974e5c37936ac8f25cfea0225850be61666874  Software
e9b52a4934b4a7194bcbbe27ddc5b723113f11fe  Healthcare
9bc1972a75bb88501d92901efc9970824e6ee3f5  Manufacturing
f91d3c1c2b85727bd4d1b249cd93a30897c44caa  Security
46ca0c5ad4911d125a245adb059dc0103f93019d  Food Industry
7058ba9c21f06c4d8abcbfc49be638a22361120e  Tourism
1d9052ce97f4f127f2626b2ff2ee106b4f8b9a70  Business
3178833a2fa1ab12ac09fb74e4806f42fe18df7d  Business
f073d4a6160f8161ab2a050e7afddb4b4daa5e91  Sports

Table 1. Identified Mindware ransomware samples mapped to the targeted sector.

 

The Mindware group employs its own malware, which appears to have commonalities with previously tracked SFile2 ransomware. Mindware ransomware employs new variants of this SFile2 ransomware in their attacks, but the code does not exhibit significant new behavior compared to existing known ransomware samples. As a result of these similarities, FortiEDR provides detection and mitigation for this type of ransomware.

 

This article takes a closer look at how this Mindware malware performs its encryption, the indicators associated with its execution, and the security events that are generated if this ransomware is executed in a FortiEDR protected environment.

 

Analysis

 

The main Mindware ransomware sample analyzed in this article is a 32-bit Windows executable, as were all currently identified variants. On execution, the sample begins encrypting files immediately. Like most modern variants, this ransomware variant performs targeted encryption rather than a ‘scorched earth’ approach and includes a list of approximately 1656 extension names to be included for encryption and 48 extension names for exclusion.

This approach is used to ensure that a targeted endpoint remains operational and that a decoder can be properly deployed following ransomware payment.

 

A unique component of this malware is that each victim receives their own version of ransomware which results in changes to the ransom note and the file extension appended to encrypted files.

This makes building generic detection logic for encryption behavior difficult. Once a file in a directory is encrypted, the malware drops a ransom note with instructions, including how to proceed to recover the encrypted files.

 

The contact email address referenced in the ransom note varies between victims. Analysis of publicly available samples retrieved through VirusTotal indicates that the file extension given to encrypted files is structured as a shortened version of the victim's name followed by a set number of random alphanumeric characters.

 

Figure 1 below shows the FortiEDR security event related to the creation of the ransom note, and Figure 2 below shows the content of the ransom note being written to disk for the analyzed sample.

 


Figure 1. FortiEDR detects the dropping of the ransom note.

 


Figure 2. A sample of the Mindware ransom note. The embedded emails change for each victim.

 

Encryption progress

 

On execution, the malware creates a visible console window that shows the encryption progress, as seen below in Figure 3.

This is anomalous compared to other malware samples, given that the window can simply be closed by a user to stop the encryption process. However, it also gives us insight into how ransomware operates.

 

Based on the console window, it can be seen that the malware runs several process threads in the background.

Some threads encrypt the files, while others monitor and display the number of files encrypted. The multithreaded approach allows for much faster encryption.

 


Figure 3. On execution the malware creates a visible console window which shows the progress of the file encryption process.

 

Selecting files for encryption

 

As previously highlighted, this ransomware has a list of approximately 1656 extension names to be included for encryption, but not all 1656 extension names in the list are unique.

Many appear to be duplicated, likely collated from various other ransomware inclusion lists. There are also 48 extension names excluded from encryption, such as exe, dll, ocx, and more.

 

The combination of an inclusion list and an exclusion list is an interesting feature, given that an inclusion list on its own negates the need for an exclusion list.

 

These exclusion and inclusion lists are stored within the executable and are encoded for faster comparison when checking whether a file should be encrypted. Figures 4, 5 and 6 below show a code snippet of the algorithm used to encode the extension names, the partial list of extension names to be included, and the partial list of extension names to be excluded.

 


Figure 4. Excerpt of code from analyzed sample used to encode the extension names.

 


Figure 5. Partial decoded list of extension names to be included for encryption.

 


Figure 6. Partial decoded list of extension names to be excluded from encryption.

 

Renaming files to encrypt

 

Mindware renames each file to be encrypted by appending a string such as '.nissenvelten-sjj3hhut' to the end of the filename. It uses the MoveFileW API to rename a file such as 'readme.txt' to 'readme.txt.nissenvelten-sjj3hhut'.

 

Because the malware appends such a string, an encrypted file is easy to spot. The figure below shows the code that renames the file.

 


Figure 7. Code excerpt showing how the ransomware renames the file prior to encryption.

 

The ransomware drops the ransom note, '!nissenvelten!HOW_TO_RESTORE.log', to every folder where there are encrypted files, similar to the figure below.


Figure 8. An example folder containing the ransom note and files encrypted by the Mindware ransomware sample.

 

As described previously, the Mindware ransomware is modified for each victim. As part of these modifications, the filename and content of the ransom note change slightly between variants. Below is the list of observed ransom note filenames.

 

SHA1                                      Ransom note filename
ae974e5c37936ac8f25cfea0225850be61666874  !nissenvelten!HOW_TO_RESTORE.log
e9b52a4934b4a7194bcbbe27ddc5b723113f11fe  !lifespire!README.log
9bc1972a75bb88501d92901efc9970824e6ee3f5  message_to_nottco.txt
f91d3c1c2b85727bd4d1b249cd93a30897c44caa  readme_to cvgfi.inf
46ca0c5ad4911d125a245adb059dc0103f93019d  A_aco!howtodecipher.log
7058ba9c21f06c4d8abcbfc49be638a22361120e  !!laposada_howtodecipher.inf
1d9052ce97f4f127f2626b2ff2ee106b4f8b9a70  message_to fmiint.log
3178833a2fa1ab12ac09fb74e4806f42fe18df7d  is_it_possible_convert encoded data.log
f073d4a6160f8161ab2a050e7afddb4b4daa5e91  message_for bigleaguedreams.inf

Table 2. Various ransom note file names dropped by different observed variants of Mindware ransomware.

 

 

Mapping files prior to encryption

 

During encryption, Mindware ransomware loads the file to be encrypted into memory using file mapping. The file is first opened using the CreateFileW API, followed by the CreateFileMappingW API, which creates a file mapping object for the file. The MapViewOfFile API then makes a portion of the file accessible in memory.

 

Any changes made to the mapped view of the file are reflected in the actual file on disk, and all changes are flushed to the file when the UnmapViewOfFile API is called. The figure below shows the file mapping APIs used by Mindware for encryption.

 


Figure 9. Code excerpt from analyzed sample showing how files are mapped prior to encryption.

 

Future variants

 

FortiEDR employs machine learning and online sandbox analysis as part of its detection capabilities, which allows it to detect variants of known malware and suspicious indicators within unknown files, even without explicit signature matches. To validate that these non-signature based detections are effective at detecting new variants of malware, the analyzed sample was modified so that its hash changed and was then rerun in a test environment.

 

As can be seen in Figure 10 below, FortiEDR machine learning detections flagged the modified file as suspicious and blocked its execution. This demonstrates that FortiEDR is able to detect a modified version of the Mindware ransomware using its machine learning capability, meaning that it will likely protect against future variants.

 


Figure 10. FortiEDR detects the encryption events from possible future variants of Mindware via machine learning.

 

In addition to detecting the ransomware executable using Execution policy rules, FortiEDR also detects the encryption event as the ransomware attempts to encrypt each file. Figure 11 below shows FortiEDR detection for ‘File Write’ attempts associated with the execution of the modified Mindware sample described above.

 

This demonstrates how FortiEDR is able to block malicious behavior associated with unknown malware. Note the high RDI count (2624 events) as FortiEDR detected and (simulated) blocked each file encryption event.

 


Figure 11. FortiEDR detects the encryption events from a Mindware sample with an unknown hash.

 

Conclusion

 

Mindware is another ransomware gang employing its own modified ransomware variant. As with many of the other ransomware variants analyzed in previous KB articles, FortiEDR continues to provide detection at execution using its integrations with machine learning, online sandboxing and FortiGuard Threat Intelligence to identify known and unknown variants of these common threats.

 

Additionally, FortiEDR detects and mitigates the encryption behavior associated with the ransomware's encryption process. This means that even if a variant is able to execute, its attempts to encrypt victim files will be blocked.

 

Threat Hunting

 

To search for encrypted files: encrypted files have a randomized extension with the format '<3+ random characters>-<8 random characters>', such as 'nissenvelten-sjj3hhut', 'bigleaguedreams-lchy2vwd', 'fmiint-sqnsxris' or 'cvgfi-8870awn8'.

Other observed randomized extensions have the format '<6+ random characters>-<7 random characters>', such as 'laposada-bfkruyz', 'lifespire-kjmu7q9' and 'nottco-ycujnbp'.

 

In either case, unusually long file extensions should be investigated as anomalous. Given that this behavior is only observed after encryption has already taken place, detection of activity matching the above should lead to immediate containment actions.

 

Updated 09 Jan 23: Notable false positives can be observed where applications perform journaling as part of their normal operations, typically those that employ SQLite (e.g. Firefox, Adobe Photoshop, etc.). The query below has been refined to omit many of these false positives, but additional tuning may be required. Because this ransomware chooses a random set of characters for its file extension, when tuning you can omit extensions that have high volumes of writes associated with legitimate applications and that have logical, human-readable file extensions.

 

Type: ("File Write") AND (Target.File.Ext: *???-???????? OR Target.File.Ext: *??????-???????) NOT Target.File.Ext: *journal
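The two extension formats from the Threat Hunting section and the 'File Write' query above, expressed as detection logic in Python. This is an added example, not FortiEDR's query engine or code from the article; the event records, process names and paths are constructed, and the character classes are stricter than the wildcard query (alphanumeric only).

```python
import re
from collections import Counter

# Regexes for the two extension formats the article describes (added example,
# stricter than the FortiEDR wildcard query: alphanumeric characters only):
#   '<3+ chars>-<8 chars>'  e.g. nissenvelten-sjj3hhut, cvgfi-8870awn8
#   '<6+ chars>-<7 chars>'  e.g. laposada-bfkruyz, nottco-ycujnbp
MINDWARE_EXT = re.compile(
    r"^(?:[A-Za-z0-9]{3,}-[A-Za-z0-9]{8}|[A-Za-z0-9]{6,}-[A-Za-z0-9]{7})$")


def extension_of(path: str) -> str:
    """Return the text after the last '.' of the file name, or '' if there is none."""
    name = re.split(r"[\\/]", path)[-1]
    return name.rsplit(".", 1)[1] if "." in name else ""


def is_mindware_extension(ext: str) -> bool:
    """True if ext has the observed Mindware shape and is not a *journal file."""
    if ext.lower().endswith("journal"):  # SQLite journaling exclusion, as in the query
        return False
    return MINDWARE_EXT.fullmatch(ext) is not None


def hunt(events):
    """Keep 'File Write' events whose target carries a Mindware-style extension.
    Returns (matching events, per-process hit counts) so that a burst of hits
    from one process stands out, much as the RDI count does in FortiEDR."""
    hits = [e for e in events if e["type"] == "File Write"
            and is_mindware_extension(extension_of(e["target"]))]
    return hits, Counter(e["process"] for e in hits)


# Constructed sample events (hypothetical names and paths, not article telemetry).
SAMPLE_EVENTS = [
    {"type": "File Write", "process": "sample.exe",
     "target": r"C:\Users\alice\Documents\readme.txt.nissenvelten-sjj3hhut"},
    {"type": "File Write", "process": "sample.exe",
     "target": r"C:\Users\alice\Documents\invoice.pdf.cvgfi-8870awn8"},
    {"type": "File Write", "process": "sample.exe",
     "target": r"C:\Users\alice\Desktop\notes.txt.laposada-bfkruyz"},
    {"type": "File Write", "process": "sample.exe",
     "target": r"C:\Users\alice\Desktop\!nissenvelten!HOW_TO_RESTORE.log"},
    {"type": "File Write", "process": "firefox.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\places.sqlite-journal"},
    {"type": "Process Create", "process": "sample.exe",
     "target": r"C:\Users\alice\Downloads\sample.exe"},
]

if __name__ == "__main__":
    for proc, n in hunt(SAMPLE_EVENTS)[1].items():
        print(f"{proc}: {n} suspicious file writes")
```

The Firefox 'sqlite-journal' extension matches the 6+/7 shape on its own, which is exactly why the query carries the NOT *journal clause.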

 

MITRE ATT&CK

TA0040 - Impact

Technique ID  Technique Description      Observed Activity
T1486         Data Encrypted for Impact  Similar to common ransomware, Mindware encrypts files on a local victim endpoint. Mindware has an extensive include list for filetypes based on file extension and also an exclude list.

IOCs

Indicator Description  Indicator                                  Indicator Type  Associated Tactic  Notes
Mindware binary        ae974e5c37936ac8f25cfea0225850be61666874   SHA1 Hash       Execution          Mindware sample. First observed date: 2022-01-31.
Mindware binary        e9b52a4934b4a7194bcbbe27ddc5b723113f11fe   SHA1 Hash       Execution          Mindware sample. First observed date: 2022-02-09.
Mindware binary        9bc1972a75bb88501d92901efc9970824e6ee3f5   SHA1 Hash       Execution          Mindware sample. First observed date: 2022-04-05.
Mindware binary        f91d3c1c2b85727bd4d1b249cd93a30897c44caa   SHA1 Hash       Execution          Mindware sample. First observed date: 2022-02-26.
Mindware binary        46ca0c5ad4911d125a245adb059dc0103f93019d   SHA1 Hash       Execution          Mindware sample. First observed date: 2022-03-08.
Mindware binary        7058ba9c21f06c4d8abcbfc49be638a22361120e   SHA1 Hash       Execution          Mindware sample. First observed date: 2022-01-04.
Mindware binary        1d9052ce97f4f127f2626b2ff2ee106b4f8b9a70   SHA1 Hash       Execution          Mindware sample. First observed date: 2021-10-29.
Mindware binary        3178833a2fa1ab12ac09fb74e4806f42fe18df7d   SHA1 Hash       Execution          Mindware sample. First observed date: 2022-01-08.
Mindware binary        f073d4a6160f8161ab2a050e7afddb4b4daa5e91   SHA1 Hash       Execution          Mindware sample. First observed date: 2021-12-23.
