Ransomware Roundup - Retch and S.H.O.
2023-9-21 23:0:0 Author: feeds.fortinet.com(查看原文) 阅读量:3 收藏

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This edition of the Ransomware Roundup covers the Retch and S.H.O ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption
Severity level: High

Retch Ransomware Overview

Retch is a new ransomware variant first discovered in mid-August 2023. It encrypts files on compromised machines and leaves two ransom notes asking victims to pay a ransom for file decryption.

Infection Vector

Information about the infection vector used by the Retch ransomware threat actor is not currently available. However, it is unlikely to be significantly different from other ransomware groups.

Retch ransomware samples have been submitted to a public file scanning service from the following countries:

  • United States
  • Iran
  • Germany
  • Russia
  • France
  • Colombia
  • Korea
  • Italy

Ransomware Execution

Once the ransomware runs, it looks for and encrypts files with the following file extensions:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpeg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb,   .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos .mov, .vdf, .ztmp .sis, .sid, .ncf,           .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x,        .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl,  .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk,           .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .p7c, .pk7, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .pptm, .xlk, .xlsb, .xlsm, .wps, .docm, .odb, .odc, .odm, .odp, .ods, .cs, .exe, .lnk, .mpeg, .mp3, .mkv, .divx, .ogg, .wav, .bat, .index, .flac, .vob, .mpg

The following directories are excluded from file encryption:

  • "Windows"
  • "Program Files"
  • "Program Files (x86)"

The ransomware adds a “.Retch” extension to encrypted files.

Figure 1: Files encrypted by Retch ransomware.

It then drops a ransom note labeled "Message.txt" in every folder where files are encrypted.

Figure 2: Ransom note dropped by Retch ransomware.

In the ransom note, the Retch attacker asks victims to pay Bitcoins worth 300 euros for file decryption. Due to the low ransom demand, Retch ransomware is likely used to target consumers rather than enterprises. As shown in Figure 2, the ransom message is available in French and English, leading us to believe that the Retch ransomware primarily targets French users. However, further investigation revealed that this isn't the case.

We also discovered that the ransom note dropped on the Desktop differs from “Message.txt.” The ransom note left on the Desktop is labeled “HOW TO RECOVER YOUR FILES.txt” and asks victims to pay Bitcoin worth $1000 for file decryption. This ransom note has a different contact email address and includes the attacker’s Bitcoin wallet address.

Figure 3: Ransom note “HOW TO RECOVER YOUR FILES.txt” left on the Desktop by Retch ransomware.

It turns out that the Retch ransomware was developed based on a publicly available ransomware source code that claims to be for educational purposes, which appears to be based on a well-known open-source ransomware, “HiddenTear.” The open-source ransomware has the ransom note shown in Figure 2 by default. The attacker appears to have only customized the ransom note on the desktop, which is only in English, leaving the ransom notes in all other locations untouched. This indicates that the Retch ransomware was not targeting French users as we first thought. As mentioned, the countries from which the files were submitted to the public file scanning service are widespread, further suggesting our suspicion is correct.

At the time of our investigation, the attacker’s Bitcoin wallet had not recorded any transactions.

S.H.O Ransomware Overview

Infection Vector

Information about the infection vector used by the S.H.O ransomware threat actor is not currently available. However, it is unlikely to be significantly different from other ransomware groups.

S.H.O ransomware samples have been submitted to a public file scanning service from the following countries:

  • United States
  • Canada

Ransomware Execution

After the ransomware runs, it encrypts files on compromised machines and adds five random letters and numbers as a file extension.

Figure 4: Files encrypted by S.H.O ransomware.

S.H.O attempts to encrypt files with the following extensions:

.myd, .ndf, .qry, .sdb, .sdf, .tmd, .tgz, .lzo, .txt, .jar, .dat, .contact, .settings, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .mka, .mhtml, .oqy, .png, .csv, .py, .sql, .indd, .cs, .mp3, .mp4, .dwg, .zip, .rar, .mov, .rtf, .bmp, .mkv, .avi, .apk, .lnk, .dib, .dic, .dif, .mdb, .php, .asp, .aspx, .html, .htm, .xml, .psd, .pdf, .xla, .cub, .dae, .divx, .iso, .7zip, .pdb, .ico, .pas, .db, .wmv, .swf, .cer, .bak, .backup, .accdb, .bay, .p7c, .exif, .vss, .raw, .m4a, .wma, .ace, .arj, .bz2, .cab, .gzip, .lzh, .tar, .jpeg, .xz, .mpeg, .torrent, .mpg, .core, .flv, .sie, .sum, .ibank, .wallet, .css, .js, .rb, .crt, .xlsm, .xlsb, .7z, .cpp, .java, .jpe, .ini, .blob, .wps, .docm, .wav, .3gp, .gif, .log, .gz, .config, .vb, .m1v, .sln, .pst, .obj, .xlam, .djvu, .inc, .cvs, .dbf, .tbi, .wpd, .dot, .dotx, .webm, .m4v, .amv, .m4p, .svg, .ods, .bk, .vdi, .vmdk, .onepkg, .accde, .jsp, .json, .xltx, .vsdx, .uxdc, .udl, .3ds, .3fr, .3g2, .accda, .accdc, .accdw, .adp, .ai, .ai3, .ai4, .ai5, .ai6, .ai7, .ai8, .arw, .ascx, .asm, .asmx, .avs, .bin, .cfm, .dbx, .dcm, .dcr, .pict, .rgbe, .dwt, .f4v, .exr, .kwm, .max, .mda, .mde, .mdf, .mdw, .mht, .mpv, .msg, .myi, .nef, .odc, .geo, .swift, .odm, .odp, .rar, .orf, .pfx, .p12, .pl, .pls, .safe, .tab, .vbs, .xlk, .xlm, .xlt, .xltm, .svgz, .slk, .tar.gz, .dmg, .ps, .psb, .tif, .rss, .key, .vob, .epsp, .dc3, .iff, .opt, .onetoc2, .nrw, .pptm, .potx, .potm,.pot, .xlw, .xps .xsd, .xsf, .xsl, .kmz, .accdr, .stm, .accdt, .ppam, .pps, .ppsm, .exe, .p7b, .wdb, .sqlite, .sqlite3, .dacpac, .zipx, .lzma, .z, .tar.xz, .pam, .r3d, .ova, .1c, .dt, .c, .vmx, .xhtml, .ckp, .db3, .dbc, .dbs, .dbt, .dbv, .frm, .mwb, .mrg, .txz, .mrg, .vbox, .wmf, .wim, .xtp2, .xsn, .xslt

The following files are excluded in all directories:

Figure 5: List of files excluded from encryption.

These directories are also excluded from having their contents encrypted:

Figure 6: List of directories excluded from encryption.

S.H.O encrypts each file using an RSA public key and the Microsoft “Rijndael Managed” C# library.

Figure 7: File encryption routine.

Upon completing the encryption run, it replaces the Desktop wallpaper with its own that asks victims to find and read the file “readme.txt,” which is a ransom note.

Figure 8: Wallpaper replaced by S.H.O ransomware.

FortiGuard Labs has identified two S.H.O ransomware variants that leave different ransom notes. Although the ransom notes have different Bitcoin addresses belonging to the attacker, the ransom fee stays consistent at $200.

Figure 9: Ransom note dropped by an S.H.O ransomware variant.

Figure 10: Ransom note dropped by another S.H.O ransomware variant.

The ransom messages have a very fearful and ominous tone that may be an attempt to scare victims into paying the ransom.

Neither of the Bitcoin wallets was available at the time of our investigation.

Fortinet Protections

Fortinet customers are already protected from these malware variants through our AntiVirus and FortiEDR services, as follows:

FortiGuard Labs detects the Retch ransomware samples with the following AV signature:

  • MSIL/Filecoder.AK!tr.ransom

FortiGuard Labs detects the S.H.O ransomware samples with the following AV signature:

  • MSIL/Filecoder.APU!tr.ransom

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

IOCs

IOC

IOC Type

Note

46ccde0b58abeec8e3e62eed462bbf663efd4c0027c692210b2922a2217fcaac

SHA2

Retch ransomware

a928964f062125cc32863a361a0554939f391a2e54a614c9c20c441f638a2f20

SHA2

f7ab2da0e0ba7e0290b74fea2f0438de4ba3b460f99c4c869285edb9bff5b846

SHA2

79972890083f7e47a3a221bff96ba5229618355cba24b685cc08e7f5672b2b7a

SHA2

d2b9de087fdc05071283cb162bd94bf6608ccc3e09ca3b9e7ccafffd13e084d0

SHA2

C:\Users\IlIlIlIlIlIlIlIl\Desktop\TEMPLATE AND MASTERS 09032023\ransomware-master werkING for obfuscation\Gendarmerie B.V.3\obj\Release\teste25.pdb

PDB

Retch PDB String

D:\SEPTEMBER WORKS\Gendarmerie ransomware-master_  one page Current Sun 08 12 23\ransomware-master\Gendarmerie B.V.3\obj\Debug\Gendarmerie_300.pdb

907f6b56a13e377293fb142de08c023b2f75b7dc321ea6976868a99dac2ebdc3 

SHA2

S.H.O ransomware

dcff6ed7acfa665af1cc31a005ccfcbdb79614a6749af6b4c3ff29ef1774008d

SHA2

tUsmRqlrj5UCBgSc7H35O5BwodM0FI9hbK1VBimv/pjcWj9uAPjjfkyX28MAH nPKlHhfqk7rG0N1cVf46VOqW2tPDF91kCQmB2PATst0yfz5hmQUkvazSid78f qwR43XwoQu4RwKmRxlzprZfHTTmiJP1zRyQlGOT7zrPWdS+3sdR9MkjBWl +nZUPBuRE7ApNSWt0M9M61P3psNkfDkEcaguzYkBv+ptpKRTTrK3ppstxhD KVdRuXOBlcZKNsiRciFOE8PdapN+8T0z7jOU9b5PE2vAeewKw5zOXwI6PDb DVEpRZHcXhNrcaKIXqO5OsXAi5/tGsk05QtEn/uBpzpQ==

RSA Public Key

S.H.O ransomware’s RSA Public Key

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE trainingNSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices Include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).


文章来源: https://feeds.fortinet.com/~/794213528/0/fortinet/blog/threat-research~Ransomware-Roundup-Retch-and-SHO
如有侵权请联系:admin#unsafe.sh