Friday 17 March 2017

Shade ransomware comes through billing notifications


Over the last week we have been seeing numerous infections by a new version of the Shade cryptolocker in Ukraine. Shade relies on a cheap and effective delivery channel: email. The attack uses fake emails sent on behalf of Ukrainian financial institutions (e.g. PrivatBank or the Ukrainian Tax Office) from hacked email accounts, most of which belong to organizations in the gov.ua TLD. The subject of these emails is a bill or a debt that the victim supposedly needs to pay.


A bill from PrivatBank:

An indebtedness from the Ukrainian Tax Office:




All messages have links to zip files that contain an obfuscated JavaScript:

Once a user executes it, the script downloads and runs the Shade (a.k.a. Troldesh) ransomware, which encrypts the user's files and demands a $140 ransom for the decryption tool.


Installation

The executed JavaScript downloads the ransomware:



The cryptolocker starts from the %Temp% folder and spawns several instances of itself:

It copies itself to the %AppData%\Windows\ folder as csrss.exe (the name of a legitimate Windows system process) and uses an Adobe icon.


It also adds itself to the autorun key in the Windows registry so that it starts on every system boot:

Encryption

Shade is written in C++ and uses the OpenSSL library. It encrypts files with the following extensions:
b2, cdr, srw, p7b, odm, mdf, p7c, 3fr, der, odb, arw, rwl, cer, xlk, pdd, rw2, crt, dx, r3d, pem, bay, ptx, pfx, indd, nrw, p12, bd, backup, torrent, kwm, pwm, safe, xl, xls, xlsx, xlsm, xlsb, xltm, xlt, xlam, xla, mdb, rtf, txt, xml, csv, pdf, prn, dif, slk, ods, xltx, xlm, odc, xlw, uxdc, pm, udl, dsn, iqy, dqy, rqy, oqy, cub, bak, xsn, xsf, xtp, xtp2, accdb, adb, adp, mda, accda, mde, accde, accdw, accdt, accdc, mdw, dbf, tab, asc, frm, opt, myd, myi, db, onetoc2, one, onepkg, vcs, ics, pst, oft, msg, pptx, ppt, pptm, pps, ppsm, pot, potx, potm, odp, thmx, wpd, wps, ppa, ppam, wmf, emf, pub, ps, xps, vsd, vdx, vss, vsx, vst, vtx, vsw, vdw, emz, dwg, dxf, docx, doc, docm, dotx, dot, dotm, djvu, chm, htm, html, mht, mhtml, shtml, shtm, asp, aspx, dwt, stm, cs, css, psd, pdd, 3ds, max, crw, nef, raf, orf, mrw, dcr, mos, pef, srf, dng, x3f, cr2, erf, sr2, kdc, mfw, mef, cin, sdpx, dpx, fido, dae, dcm, dc3, dic, eps, kmz, iff, tdi, exr, pcx, pdp, pxr, sct, u3d, obj, ai3, ai4, ai5, ai6, ai7, ai8, ai, epsp, epsf, hdr, rgbe, xyze, flm, pbm, pgm, ppm, pnm, pfm, pam, pct, pict, psb, fxg, swf, hta, htc, ssi, as, asr, xsl, xsd, dtd, xslt, rss, rdf, lbi, asa, ascx, asmx, config, cfm, cfml, cfc, tld, phtml, jsp, wml, tpl, lasso, jsf, vb, vbs, vtm, vtml, edml, raw, jpg, jpeg, jpe, bmp, png, tif, tiff, dib, gif, svg, svgz, rle, tga, vda, icb, wbm, wbmp, jpf, jpx, jp2, j2k, j2c, jpc, avi, mkv, mov, mp4, wmv, 3gp, mpg, mpeg, m4v, divx, mpv, m1v, dat, anim, m4a, qt, 3g2, f4v, mkidx, mka, avs, vdr, flv, bin, mp3, wav, asx, pls, zip, 7z, rar, tar, gz, bz2, wim, xz, c, h, hpp, cpp, php, php3, php4, php5, py, pl, sln, js, json, inc, sql, java, class, ini, asm, clx, tbb, tbi, tbk, pst, dbx, cbf, crypted, tib, eml, fld, vbm, vbk, vib, vhd, mtr, vault, 1cd, dt, cf, cfu, mxl, epf, vrp, grs, geo, elf, lgf, lgp, log, st, pff, mft, efd, md, dmp, fdb, lst, fbk


Shade encrypts a file's content and its name with separate AES-256 keys. The AES keys are then encrypted with RSA-3072. The cryptolocker obtains the RSA public key from the C&C server or, if the C&C is unavailable, uses one of the RSA public keys hardcoded in its body. The encrypted AES keys are appended to the end of the encrypted file.

An encrypted file gets the '.no_more_ransom' extension and a new, encrypted name:

The decryption tools from Kaspersky Lab and Intel Security available at https://www.nomoreransom.org/ will not help in this case.


C&C Communication

The locker is equipped with a Tor client and connects to a C&C server in the Tor network:
188.40.128.246:9001
185.14.185.240:443
a4ad4ip2xzclh6fd.onion/{reg, prog, cmd, sys, shd}.php?<list of options>


Notification

When encryption is done, Shade changes the wallpaper to:
F18...png


It also creates multiple files, README1.txt to README10.txt, with the following text in Russian and English:


Ваши файлы былu зашuфрованы.
Чmобы раcшифровать uх, Вaм необходимо оmпpaвить код:
340B839511AF48C7114E|0
на элekmронный адрeс lukyan.sazonov26@gmail.com .
Далeе вы noлучuте вce необxoдимыe инстpуkцuu.
Попытkи paсшuфpoвaть сaмoсmоятeльнo нe пpиведym нu k чему, kрoме бeзвозвраmной пomеpи информaции.
Еслu вы вcё же хотuтe nопыmaться, mo npедвaрumeльно cдeлайтe pезервные konuи файлов, иначе в cлyчаeих uзмeнeния pacшuфpовka сmaнeт невозмoжнoй нu пpи kакиx ycловияx.
Eслu вы не получили отвema пo вышеуказаннoму aдpесy в meчeние 48 чaсoв (и тoльko в эmoм cлyчаe!),
воcпoльзуйmеcь фopмoй обpатной связu. Этo мoжнo cдeлamь двyмя cпоcoбами:
1) Сkaчaйтe и уcmанoвитe Tor Browser no ссылкe: https://www.torproject.org/download/download-easy.html.en
B aдреснoй cтроke Tor Browser-a ввeдuтe aдрec:
http://cryptsen7fo43rr6.onion/
и нaжмume Enter. Зaгpyзuтcя стрaница c фoрмoй oбратнoй cвязu.
2) В любом бpaузeрe nерейдuте по oднoмy из адpeсoв:
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
340B839511AF48C7114E|0
to e-mail address lukyan.sazonov26@gmail.com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the feedback form. You can do it by two ways:
1) Download Tor Browser from here:
https://www.torproject.org/download/download-easy.html.en
Install it and type the following address into the address bar:
http://cryptsen7fo43rr6.onion/
Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser:
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/


When I wrote to the specified email, I got the following reply, in which the attacker suggests that I send him one unimportant file to verify the decryption service and pay $140 in Bitcoin for a decryption tool. However, the BTC address and the amount of Bitcoin to be paid were not yet mentioned.

Translated into English:


The cost of decryption is 140 $. Send 1 file (for free I decrypt 1 file up to 2 mb in weight, which does not contain important information, only to enable you to recognize that this is your file,
no reports, diplomas, coursework, presentations will be decrypted for free and we will decrypt them as evidence that the files can be restored).
Within 5 minutes to an hour from the time of payment, we will send a program and a key that will exactly return everything as it was.
Do not try to restore data using antivirus utilities, you will corrupt all files
If you want to try, try on another PC and use a minimum of files, otherwise then even I’ll not be able to help.
And please remember that the price is growing every day.
PS Write clearly, very clearly, take into account that besides you many people write,
I do not run the dialogues, I work as quickly pay - immediately receive. Not satisfied with the price of the service, do not write any more.
Bitcoins can be bought or produced for FREE, for example, with bitcoin mining. Read Wikipedia or other resources about mining.
The service of decryption is free.
You can choose, whether to mine free bitcoins or to buy them not wasting the time. Only you can decide

Later, I was notified that I needed to pay 0.15 BTC to 1MTQfPqy6xy3b1otkASrcRi5SAUfxpDZW7.


Restore files


The recent Shade version has introduced deletion of shadow copies to prevent restoring previous versions of files:

vssadmin.exe Delete Shadows /All /Quiet
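As an added example (not from the original post), the following Python routine turns the indicators described in the Installation, C&C Communication and Restore files sections into a small detection check run over constructed Sysmon-like events; the event field names and the sample paths are assumptions.

```python
import re
from typing import Dict, List
# Indicators quoted in the analysis above: C&C endpoints, the encrypted-file
# extension, ransom-note names, shadow-copy deletion and the csrss.exe location.
SHADE_C2 = {("188.40.128.246", 9001), ("185.14.185.240", 443)}
ENCRYPTED_EXT = ".no_more_ransom"
README_RE = re.compile(r"[\\/]README(?:10|[1-9])\.txt$", re.IGNORECASE)
VSSADMIN_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# The genuine csrss.exe runs from System32; Shade's copy sits under %AppData%\Windows\.
GENUINE_CSRSS = r"c:\windows\system32\csrss.exe"

def classify(event: Dict) -> List[str]:
    """Return the Shade indicators that a single telemetry event matches."""
    hits = []
    if event["type"] == "process":
        image = event["image"].lower()
        if VSSADMIN_RE.search(event.get("cmdline", "")):
            hits.append("shadow copy deletion")
        if image.endswith("\\csrss.exe") and image != GENUINE_CSRSS:
            hits.append("csrss.exe outside System32")
    elif event["type"] == "file":
        path = event["path"]
        if path.lower().endswith(ENCRYPTED_EXT):
            hits.append("encrypted file extension")
        if README_RE.search(path):
            hits.append("ransom note dropped")
    elif event["type"] == "net":
        if (event["dst"], event["port"]) in SHADE_C2:
            hits.append("known C&C endpoint")
    return hits

def scan(events: List[Dict]) -> Dict[int, List[str]]:
    """Map event id -> matched indicators, keeping only events that matched."""
    return {e["id"]: hits for e in events if (hits := classify(e))}

# Constructed sample events with Sysmon-like fields (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\csrss.exe", "cmdline": "csrss.exe"},
    {"id": 2, "type": "process", "image": r"C:\Users\bob\AppData\Roaming\Windows\csrss.exe", "cmdline": "csrss.exe"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": 4, "type": "file", "path": r"C:\Users\bob\Documents\Q1d2e3f4g5.no_more_ransom"},
    {"id": 5, "type": "file", "path": r"C:\Users\bob\Desktop\README7.txt"},
    {"id": 6, "type": "file", "path": r"C:\Users\bob\Desktop\README11.txt"},
    {"id": 7, "type": "net", "dst": "188.40.128.246", "port": 9001},
    {"id": 8, "type": "net", "dst": "8.8.8.8", "port": 53},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

Events 1, 6 and 8 are deliberate negatives: the real csrss.exe, a README outside the 1-10 range, and ordinary DNS traffic produce no hit.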

Conclusion


This example vividly shows how effective social engineering can be. There is no need to pay extra for exploit kits or hacking services: a targeted user executes the malware with their own hands.


In addition, new versions of ransomware leave no chance of getting the files back without paying the ransom, by employing unbreakable ciphers and wiping the original file from disk.

The only way to protect your environment against such attacks is to raise security awareness. Be suspicious of emails from unknown senders, and never open or execute attachments of emails you find suspicious. A good antivirus product can also be of great use in this battle.

Network IoCs


References

- Ransomware map: https://comparite.ch/ransomwaremap
- NoMoreRansom project: https://www.nomoreransom.org/
