Ragnarok Ransomware


Tactical report of Ransomware Ragnarok
Identification

Vendor
Detection
ESET-NOD32
A Variant Of Win32/Filecoder.Ragnarok.A
TrendMicro
Ransom.Win32.RAGNAROK.A
ALYac
Trojan.Ransom.Ragnarok

The following table contains list of artifacts that had been analyzed within this document.



PE
Time stamp
MD
Size in bytes
Filename
Description
Monday 03 February 2020, 05.03.52
48452DD2506831D0B340E45B08799623
210.00 KB (215040 bytes)
since1969.exe
Main malicious



Summary
Ragnarok is a piece of malicious software, classified as ransomware. Its discovery is credited to Karsten Hahn. It operates by encrypting the data of infected devices, for the purpose of making ransom demands for the decryption. As Ragnarok ransomware encrypts, all affected files are appended with the ".ragnarok_cry" extension. To elaborate on how files would appear following encryption, then a file titled something like "1.jpg" would appear as "1.jpg.ragnarok_cry". After this process is complete, a text file - "How_To_Decrypt_My_Files.txt" is created on the desktop.



Technical details
Ransomware starts to resolve apis and libraries based on specific value as shown in figure (1).

It resolves libraries like kernel32.dll, Advapi32.dll, Mpr.dll

Figure (1)

Mutex
Ransomware Resolve api called CreateMutexA from library called kernel32.dll and creates new mutex called name. To make sure that there is only one version of ranowamre is running, if the mutex already exists so ranomware will terminate as shown in figure (2).


Figure (2)



It resolves api called RegOpenKeyExA and RegQueryValueExA then try get current language of machine by check registry path SYSTEM\CurrentControlSet\Control\Nls\Language as shown in figure (3).

Figure (3)
It checks if operating system is 32 or 64 so in case of 32 bits it will create new process as shown in figure (4) and in case of operating system is 64 it will create process as shown in table and figure (5)

Figure (4)
First Case (32 bit)
Command
cmd_shadow
Process name
cmd.exe /c vssadmin delete shadows /all /quiet
Purpose
To delete the Shadow Volume Copies


Second case (64 bit)
It deletes volume shadow copies and disables recovery of firewall as shown in figure (5) and tables below.


Figure (5)

Command
cmd_shadow
Process name
cmd.exe /c vssadmin delete shadows /all /quiet
Purpose
To delete the Shadow Volume Copies


lpCommandLine
cmd.exe /c bcdedit /set {current} recoveryenabled no
lpCommandLine
cmd.exe /c bcdedit /set {current} recoveryenabled no
lpApplicationName
cmd_firewall



It generates new AES key as shown in figure (6)

Figure (6)
Aes_key_rand 
  • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.

It gets computer name as shown in figure (7).

Figure (7)

Malware trying to get public and private ip address of machine as shown in figure (8).

Figure (8)
It resolves apies to search for files and detect all drives in pc as shown in figure (9).

Figure (9)
I collected most of configurations of ransomware as shown in two figures (10) and (11) below.

Figure (10)

Figure (11)

It adds extension ragnaroks at every file that encrypted.
After encryption finished it displays readme message at the end as shown in figure (12).


Figure (12)
Yara Rule

/*
  Yara Rule Set
  Author: Mahmoud Elmenshawy
  Date:2019-11-17
  Identifier:  BitPaymer Ransomware
*/
private rule IsPE
{condition:
     // MZ signature at offset 0 and ...
     uint16(0) == 0x5A4D and
     // ... PE signature at offset stored in MZ header at 0x3C
     uint32(uint32(0x3C)) == 0x00004550}
rule RagrokRansomware{
     meta:
                                  Author = "Mahmoud Elmenshawy"
                                  Description = "  Ragrok Ransomware Rule for detecting Main file"
                                  MD5 = "48452DD2506831D0B340E45B08799623" 
                strings:
                                  $x1 ="!!ReadMe_To_Decrypt_My_Files.txt".
                                  $x2 ="cmd.exe /c bcdedit /set {current} recoveryenabled no".
                                  $x3 =" cmd.exe /c bcdedit /set {current} bootstatuspolicy   ignoreallfailures".
                               
                condition:
                All of them  and  IsPE



If you wanna learn malware analysis you can check my YouTube channel I'm trying publish analysis of malware and some methods to analysis malwares.
Please don't forgot subscribe my channel Than you ♥  
YouTube channel 
https://www.youtube.com/channel/UCParXHaBXBmqRdHuVUg21pA



Malware analyst : Mahmoud El Menshawy.
Contact Me : mahmoudmorsy372@gmail.com.
linkedin profile : https://www.linkedin.com/in/mahmoudmorsy1/.






Comments

Popular posts from this blog

Sunburst Solarwinds Backdoor

Phishing Attacks 9_4_2021

Conti Ransomware