~Dissecting Malware
f0wL's Blog about Malware Analysis and Reverse Engineering
Another one for the collection - Mespinoza (Pysa) Ransomware

Back in October 2019 the Mespinoza ransomware family first surfaced via malspam. On the 14th of December it returned with a new extension, .pysa, so let's see if any changes have been made.

Fun Fact: The Extension "pysa" is probably derived from the Zanzibari Coin with the same name. Apparently it's quite popular with collectors. But enough of the pocket change, so let me put my two cents in on this sample :D


A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/sources might be illegal depending on where you live.

Mespinoza (.pysa) @ AnyRun | VirusTotal | HybridAnalysis --> sha256 a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327


As always: Running Detect It Easy on the executable:

Detect It Easy output


One of the first things it will do is modify the SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System registry key to set the values shown below. Unfortunately I couldn't confirm this action in a sandbox with RegShot yet.

Anti Debugging


To retain basic functions of the operating system, Mespinoza will spare certain directories related directly to Windows as well as critical files.

Skipping of select folders


It will also specifically look for SQL-related processes. I will have to confirm this with a debugger, but most of the time database processes are killed by ransomware to disrupt the service and to release the database files so they can be encrypted.

Looking for SQL related strings


Of course Mespinoza won't stop at the system drive, so it also checks for connected removable media and shared network drives. GetDriveTypeW tells it which type of media each enumerated device belongs to.

Checking for system drives

Determining the drive type


Up until now I have not seen a ransomware sample running verclsid.exe, so let's investigate: {0B2C9183-C9FA-4C53-AE21-C900B0C39965} corresponds to C:\Windows\system32\SearchFolder.dll and {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} matches the CLSID of IDBProperties which is part of the Microsoft SQL Server.

"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
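As an added detection example (not code from the original post), the command line above can be turned into a check over process-creation events: it parses the verclsid.exe arguments and only fires when both the SearchFolder CLSID and the IDBProperties IID from the observed run are present. The log lines it scans are constructed for the example; verclsid.exe is a legitimate Windows binary, so a hit is a weak indicator that needs the parent process for context.

```python
import re

# Added example, not from the original post: flag process-creation events in which
# verclsid.exe is launched with the CLSID/IID pair seen in the Mespinoza sandbox run.
# verclsid.exe is a legitimate Windows binary, so a hit is only a weak indicator
# and should be correlated with the parent process and the rest of the run.

SEARCHFOLDER_CLSID = "{0B2C9183-C9FA-4C53-AE21-C900B0C39965}"  # /C value from the post
IDBPROPERTIES_IID = "{0C733A8A-2A1C-11CE-ADE5-00AA0044773D}"   # /I value from the post

VERCLSID_RE = re.compile(r'verclsid\.exe"?\s+(?P<args>.*)$', re.IGNORECASE)
# /S carries no value; a value never starts with '/', so flags do not swallow each other
FLAG_RE = re.compile(r"/(?P<flag>[SCIX])(?:\s+(?P<val>[^/\s]\S*))?", re.IGNORECASE)

def parse_verclsid_args(cmdline):
    """Return {flag: value} for a verclsid.exe command line, or None if it is not one."""
    m = VERCLSID_RE.search(cmdline)
    if not m:
        return None
    return {f.group("flag").upper(): f.group("val") for f in FLAG_RE.finditer(m.group("args"))}

def is_mespinoza_verclsid(cmdline):
    """True when both the SearchFolder CLSID and the IDBProperties IID are passed."""
    args = parse_verclsid_args(cmdline)
    if not args:
        return False
    return ((args.get("C") or "").upper() == SEARCHFOLDER_CLSID
            and (args.get("I") or "").upper() == IDBPROPERTIES_IID)

# Constructed sample log (parent image | image | command line), not real telemetry:
# line 1 mirrors the command line from the post, line 2 is a look-alike with another CLSID
SAMPLE_LOG = """\
1.exe|C:\\Windows\\system32\\verclsid.exe|"C:\\Windows\\system32\\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
explorer.exe|C:\\Windows\\system32\\verclsid.exe|"C:\\Windows\\system32\\verclsid.exe" /S /C {00000000-0000-0000-0000-000000000000} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1.exe|C:\\Windows\\system32\\cmd.exe|cmd.exe /c whoami
"""

def scan_log(text):
    """Return (parent, command line) for every event that matches the indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, _image, cmdline = line.split("|", 2)
        if is_mespinoza_verclsid(cmdline):
            hits.append((parent, cmdline))
    return hits
```

Running scan_log(SAMPLE_LOG) reports only the first event, parented by 1.exe; the look-alike with a different /C value is ignored.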


After looking at a string dump I found a hex string which is probably the key blob. I'll try to verify this with x32dbg later.


Turns out that the encrypted key is appended to the end of each file affected by the ransomware (a common tactic among some strains).

Appended and encrypted key

As this article is a work in progress I will update it as soon as I can. Since I have not seen the malware deleting the Volume Shadow Copies so far, one option for possible victims would be to run PhotoRec or Recuva to check for recoverable files.


Update 22.01.2020:

There's a new version of the Mespinoza / .pysa variant, compiled on the 18th of January:

Mespinoza (.pysa) @ AnyRun --> sha256 e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead


In the screenshot below you can see a comparison of the old sample (1.exe) and the new one (1.bin). Except for a few minor changes the two samples are mostly identical:

Comparison of the old sample (1.exe) and the new sample (1.bin)

The public key used by the criminals is still the same (key blob located in the binary, converted from hex to raw).


The Ransomnote contents stayed the same, except for the contact email addresses. Here are the contents of Readme.README:

Hi Company,

Every byte on any types of your devices was encrypted.
Don't try to use backups because it were encrypted too.

To get all your data back contact us:
raingemaximo@protonmail.com
gareth.mckie3l@protonmail.com
--------------

FAQ:

1.
   Q: How can I make sure you don't fooling me?
   A: You can send us 2 files(max 2mb).

2.
   Q: What to do to get all data back?
   A: Don't restart the computer, don't move files and write us.

3.
   Q: What to tell my boss?
   A: Protect Your System Amigo.


MITRE ATT&CK

T1215 --> Kernel Modules and Extensions --> Persistence

T1045 --> Software Packing --> Defense Evasion

T1012 --> Query Registry --> Discovery

T1114 --> Email Collection --> Collection


IOCs

Mespinoza (pysa)

1.exe --> SHA256: a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327
          SSDEEP: 12288:aVchT6oi+OeO+OeNhBBhhBBpiOTn5CjGGc4dXOsOjKf:aVc1Jiin5yGpMIj

File size: 504.50 KB

Associated Files

Readme.README
%temp%\update.bat

E-Mail Addresses

aireyeric@protonmail[.]com
ellershaw.kiley@protonmail[.]com

Used in previous campaigns:

mespinoza980@protonmail[.]com
alanson_street8@protonmail[.]com
lambchristoffer@protonmail[.]com

Ransomnote

Hi Company,

Every byte on any types of your devices was encrypted.
Don't try to use backups because it were encrypted too.

To get all your data back contact us:
aireyeric@protonmail.com
ellershaw.kiley@protonmail.com
--------------

FAQ:

1.
   Q: How can I make sure you don't fooling me?
   A: You can send us 2 files(max 2mb).

2.
   Q: What to do to get all data back?
   A: Don't restart the computer, don't move files and write us.

3.
   Q: What to tell my boss?
   A: Protect Your System Amigo.
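As an added triage example (not from the original post), the phrases that did not change between the two notes and the contact addresses listed in this post can be used to recognise a dropped Readme.README and to tell a known campaign address from one not seen before. The note text below is constructed, and the unseen address is a placeholder.

```python
import re

# Added triage example, not from the original post: recognise a dropped
# Readme.README by the phrases that did not change between the two versions
# of the note, and split the contact addresses into ones already listed in
# this post and ones not seen before.

KNOWN_ADDRESSES = {
    "aireyeric@protonmail.com", "ellershaw.kiley@protonmail.com",    # 1.exe note
    "raingemaximo@protonmail.com", "gareth.mckie3l@protonmail.com",  # 1.bin note
    "mespinoza980@protonmail.com", "alanson_street8@protonmail.com",
    "lambchristoffer@protonmail.com",                                # earlier campaigns
}

# Phrases that stayed identical between the December 2019 and January 2020 notes
NOTE_MARKERS = (
    "Every byte on any types of your devices was encrypted.",
    "Don't try to use backups because it were encrypted too.",
    "Protect Your System Amigo.",
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def classify_note(text):
    """Match the note against the markers and sort its contact addresses into known/new."""
    markers_hit = sum(1 for marker in NOTE_MARKERS if marker in text)
    contacts = sorted(set(EMAIL_RE.findall(text)))
    known = [c for c in contacts if c.lower() in KNOWN_ADDRESSES]
    return {
        "is_mespinoza": markers_hit >= 2,  # two of the three fixed phrases is enough
        "markers_hit": markers_hit,
        "contacts": contacts,
        "known": known,
        "new": [c for c in contacts if c not in known],
    }

# Constructed note: the header of the January 2020 note with one placeholder
# address added to show how an unseen contact is reported
SAMPLE_NOTE = """Hi Company,

Every byte on any types of your devices was encrypted.
Don't try to use backups because it were encrypted too.

To get all your data back contact us:
raingemaximo@protonmail.com
placeholder.unseen@example.com
--------------
"""
```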




About me


Hey there! My Name is Marius Genheimer aka f0wL and I'm a Computer Science Student from Germany. As you can probably tell I like to analyse malware (especially Ransomware) in my spare time.
