New ransomware with ‘.SaveTheQueen’ extension discovered by Varonis – Information Age

Varonis has uncovered a new strain of ransomware that encrypts files and appends the extension '.SaveTheQueen' to them

The ransomware infiltrated a standard component of the user's system, making it harder to detect.

The findings regarding this next-generation ransomware were put forward via a blog post by Varonis.

The progress of the newly uncovered malware was found to be tracked using the system volume (SYSVOL) folder found on Active Directory (AD) domain controllers.

The initially infected organisation, which contacted Varonis to report the ransomware, found a file named 'hourly' saved in the SYSVOL folder; it was being accessed from various IP addresses.

The ransomware was found to be concealed by ConfuserEX, an open-source .NET protector.


However, while the way the malware infiltrated the system and the way it was constructed were new, the payload was not.

"The final payload is very plain ransomware. No persistence, no C2 connection, just good old asymmetric encryption to make the victim's files unreadable," the blog post from Varonis explained.

Its function parameters allowed it to do the following:

After looking for files within local and mapped drives to encrypt, it attempted to close any process using those files.

Files were then renamed with the .SaveTheQueenING extension, using the MoveFile function, before encryption.

Once the files were encrypted, their names were changed again to .SaveTheQueen.

Then, the ransom note was added to the directory.
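The rename-encrypt-rename cycle described above leaves a distinctive trace in file-activity telemetry: a process renames a file to the staging extension, writes to it, then renames it to the final extension. The following detector is an added example, not Varonis's tooling. It runs over a constructed stream of (timestamp, pid, operation, old_path, new_path) events, as a file-activity monitor might emit, and flags any process that completes the two-stage rename on several files. The assumption that the extension is appended to the original filename is mine; the article only states which extensions are used.

```python
from collections import defaultdict

# Extensions from the Varonis write-up: the staging extension is applied
# before encryption, the final one after it (compared case-insensitively).
STAGE_EXT = ".savethequeening"
FINAL_EXT = ".savethequeen"


def find_two_stage_renames(events, min_files=3):
    """Return {pid: count} for processes that completed the
    rename -> encrypt -> rename cycle on at least min_files files.

    events: iterable of (timestamp, pid, op, old_path, new_path) tuples.
    Only 'rename' operations are inspected; a final rename counts only if
    the same process previously staged that path.
    """
    staged = defaultdict(set)    # pid -> paths currently carrying STAGE_EXT
    finished = defaultdict(set)  # pid -> original paths that reached FINAL_EXT
    for _ts, pid, op, old, new in events:
        if op != "rename" or not old or not new:
            continue
        if new.lower().endswith(STAGE_EXT):
            staged[pid].add(new)
        elif (old.lower().endswith(STAGE_EXT)
              and new.lower().endswith(FINAL_EXT)
              and old in staged[pid]):
            staged[pid].discard(old)
            finished[pid].add(old[:-len(STAGE_EXT)])  # recover original path
    return {pid: len(paths) for pid, paths in finished.items()
            if len(paths) >= min_files}


def _cycle(ts, pid, path):
    """Build the three constructed events one file goes through."""
    staged = path + ".SaveTheQueenING"
    return [
        (ts, pid, "rename", path, staged),
        (ts + 1, pid, "write", staged, None),
        (ts + 2, pid, "rename", staged, path + ".SaveTheQueen"),
    ]


# Constructed sample telemetry: one process (pid 4120) encrypts three files,
# one benign rename by pid 980, and one process that only staged a file.
SAMPLE_EVENTS = (
    _cycle(100, 4120, r"C:\Users\alice\Documents\q1.xlsx")
    + _cycle(103, 4120, r"C:\Users\alice\Documents\notes.docx")
    + _cycle(106, 4120, r"Z:\shared\budget.pdf")
    + [(109, 980, "rename", r"C:\Users\alice\Documents\draft.docx",
        r"C:\Users\alice\Documents\draft_v2.docx")]
    + [(110, 5555, "rename", r"C:\temp\x.txt", r"C:\temp\x.txt.SaveTheQueenING")]
)

if __name__ == "__main__":
    for pid, count in find_two_stage_renames(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {count} files completed the two-stage rename")
```

Requiring the final rename to follow a staging rename by the same process, rather than matching on the final extension alone, keeps a user who manually renames a file from tripping the rule, and the threshold lets a single staged file (pid 5555 above) pass without an alert.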

This ransomware, according to Varonis, does not encrypt EXE, DLL, MSI, ISO, SYS or CAB file types, nor does it encrypt files in the following folders:


Log files were created in the same folder by the attacker, each named after a device within the affected domain.

"We concluded that the log files were used to monitor the infection process on new devices, and that the hourly file was a scheduled task that ran malware on the new devices using a PowerShell script (samples v3 and v4)," said the blog post.

The attacker had likely obtained and used domain admin privileges to write files to SYSVOL. The attacker then ran PowerShell code on the infected hosts that created a scheduled task to open, decode and run the malware.
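A scheduled task that launches PowerShell to fetch and decode a payload from SYSVOL is something a defender can look for in task-creation audit events. The script below is an added example, not Varonis's tooling: it runs over constructed records modelled on Windows Security event 4698 ("A scheduled task was created") with the task's action flattened into command and argument fields (the field names are my assumption), and reports the indicators found in each. The encoded-command string in the sample is a constructed placeholder, not a real payload.

```python
import re

# Executables that indicate a PowerShell action (basename, lower-cased).
POWERSHELL_EXES = {"powershell.exe", "pwsh.exe", "powershell", "pwsh"}

# Strong indicators: an encoded command blob, or a payload read from SYSVOL.
ENCODED_CMD = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
SYSVOL_REF = re.compile(r"\\\\[^\\\s]+\\sysvol\\", re.I)
# Weaker indicators that commonly accompany the above.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
POLICY_BYPASS = re.compile(r"-e(?:p|x|xecutionpolicy)\s+bypass", re.I)


def task_indicators(event):
    """Return the list of indicators found in one task-creation event."""
    action = event["command"] + " " + event.get("arguments", "")
    exe = event["command"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = []
    if exe in POWERSHELL_EXES:
        if ENCODED_CMD.search(action):
            reasons.append("encoded-command")
        if HIDDEN_WINDOW.search(action):
            reasons.append("hidden-window")
        if POLICY_BYPASS.search(action):
            reasons.append("policy-bypass")
    if SYSVOL_REF.search(action):
        reasons.append("sysvol-payload")
    return reasons


def scan_events(events):
    """Return (host, task_name, reasons) for every event with indicators."""
    hits = []
    for ev in events:
        reasons = task_indicators(ev)
        if reasons:
            hits.append((ev["host"], ev["task_name"], reasons))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe", "arguments": "-c -h -o -$"},
    {"host": "WS02", "task_name": r"\Updater",
     "command": "powershell.exe",
     "arguments": "-NoP -W Hidden -EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"host": "WS03", "task_name": r"\hourly",
     "command": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "arguments": r"-ep Bypass -W Hidden -File \\corp.example\sysvol\corp.example\scripts\hourly.ps1"},
]

if __name__ == "__main__":
    for host, name, reasons in scan_events(SAMPLE_EVENTS):
        print(f"{host}: task {name!r} -> {', '.join(reasons)}")
```

Checking the executable's basename before applying the PowerShell-specific patterns avoids matching `-e` style switches passed to unrelated programs, while the SYSVOL check applies regardless of the launcher because the article's point is that the payload lived on the domain controllers' share.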

After trying and failing to decode the malware once they found it, Varonis staff opted to use the 'Magic' operation from GCHQ's CyberChef app.

Using this, they found that the file was gzip-compressed data under a layer of base64 encoding; once decompressed, it revealed that the injector of the ransomware was an unprotected .NET file.
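What CyberChef's Magic operation does here, recognising each encoding layer and peeling it off until something structured appears, can be scripted for triage. The following is an added example, not Varonis's code or CyberChef's: it detects base64 (alphabet and length check) and gzip (the 1f 8b magic bytes) layers, strips them in order, and reports the chain it removed. The payload it unwraps is a constructed PE-style stand-in built inline, not the real injector.

```python
import base64
import binascii
import gzip
import re
import zlib

# Constructed stand-in for the injector: an "MZ" header followed by filler.
# It is not a real executable; it only gives the example something to find.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 12 + b"constructed .NET injector stand-in"


def wrap_like_sample(payload: bytes) -> bytes:
    """Apply the layering the article describes: gzip first, base64 on top."""
    return base64.b64encode(gzip.compress(payload))


B64_ALPHABET = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(blob: bytes):
    """Return the whitespace-stripped blob if it is plausibly base64, else None."""
    compact = re.sub(rb"\s+", b"", blob)
    if len(compact) < 16 or len(compact) % 4 or not B64_ALPHABET.match(compact):
        return None
    return compact


def peel_layers(blob: bytes, max_layers: int = 8):
    """Strip base64/gzip layers until the data is neither.

    Returns (decoded_bytes, chain) where chain lists the layers removed,
    outermost first, e.g. ["base64", "gzip"].
    """
    chain = []
    for _ in range(max_layers):
        if blob[:2] == b"\x1f\x8b":            # gzip member header
            try:
                blob = gzip.decompress(blob)
            except (OSError, EOFError, zlib.error):
                break
            chain.append("gzip")
            continue
        compact = looks_like_base64(blob)
        if compact is None:
            break
        try:
            blob = base64.b64decode(compact, validate=True)
        except binascii.Error:
            break
        chain.append("base64")
    return blob, chain


def describe(blob: bytes) -> str:
    """Coarse label for what came out: PE image, printable text, or other."""
    if blob[:2] == b"MZ":
        return "pe"
    if all(32 <= b < 127 or b in b"\r\n\t" for b in blob):
        return "text"
    return "binary"


if __name__ == "__main__":
    inner, chain = peel_layers(wrap_like_sample(SAMPLE_PAYLOAD))
    print("layers removed:", " -> ".join(chain), "| result:", describe(inner))
```

Checking the gzip magic before the base64 heuristic matters: a gzip stream can never pass the base64 alphabet test, but a short all-alphanumeric text can, so the order and the length-multiple-of-four check keep plain text from being "decoded" into garbage.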

"After reading the source code using dnSpy, we understood its sole purpose was to inject shellcode into the winlogon.exe process," said Varonis's blog post.

Injecting shellcode into winlogon.exe, a standard component of Windows operations, made it even harder than usual to detect.


"We used Hexacorn's shellcode2exe utility to compile the shellcode into an executable to debug and analyse. We then realised that the shellcode worked on both 32-bit and 64-bit machines," the post continued.

"Writing even simple shellcode in native assembly can be difficult; writing full shellcode ransomware that works on 32-bit and 64-bit systems requires a high set of skills, so we started to wonder about the sophistication of the attacker."

After further digging, Varonis found that the shellcode had been produced with a generic tool for this task, and that it could be generated in exactly the same way using a tool called Donut.

"To confirm our theory, we compiled our own code using Donut and compared it with the sample: it was a match," explained the blog post.

From there, the team unpacked the code using Elektrokill Unpacker.

This news comes following the recent discovery of the Ekans, or Snake, attack, which targets Windows systems used within industrial control infrastructures.

Designed to stop 64 different processes, something that makes the attack unique, it's capable of attacking oil refineries, power grids and other high-value industrial systems.

Regarding how to stop new ransomware attacks such as these, Nick Palmer, technical director at Attivo Networks, said: "No matter how good your cyber defences are, it is always a good idea to prepare for a ransomware attack by having a playbook that documents how to respond, to avoid a situation where employees are learning what to do as an attack is happening.

"Companies can give themselves extra time to respond effectively with tools like deception technology that slow the ransomware down and, where possible, divert it to non-critical systems.

"In the event of a successful ransomware attack, determine ahead of time under what conditions, if any, you would pay. Discuss the pros and cons and the risks you are prepared to accept if you are unable to regain access to your files."
