Computing

2 minute read

After reading this article about the Ragnar Locker ransomware running in a Windows XP VM to prevent it from being detected. I thought why not just analyze it to see what it does compare to other ransomware families. This blog post will further explain the ransomware using the programs Ghidra and x64dbg.

Analysis

Using the function GetLocalInfoW the ransomware checks if the language on the computers is one of the following languages. And if true the process terminates itself.

Azerbaijani, Armenian, Belorussian, Kazakh, Kyrgyz, Moldavian, Tajik, Russian, Turkmen, Uzbek, Ukrainian, Georgian

image-20200529171413730

To make sure that there is only one process running it creates an event with the use of CreateEventW. If the event already exists the function GetLastError will return 0xb7 (ERROR_ALREADY_EXISTS), and after looping 32768 times the process will terminate itself. But if the event is created successfully the function GetLastError returns 0 (ERROR_SUCCESS) and ransomware continues running. It does this to ensure that only one copy of the ransomware is running at a time.

image-20200529222814164

To ensure that large amounts of data can be encrypted. The ransomware checks whether the following services are running and if running it stops the services. This is also stated on the malware wiki.

vss,sql,memtas,mepocs,sophos,veeam,backup,pulseway,logme,logmein,connectwise,splashtop,kaseya

image-20200531232343276

After that, the function at memory address 00402150 renamed to decrypt_string is called to decrypt an RSA public key and a ransomware note in memory.

image-20200531190214847

Public key

 -----BEGIN PUBLIC KEY-----\n
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3rt9EPkNBSGeoCGzU50f\nOaEgC3EdDSXvMT26aRlzsUcng/EZUlTKwYDYwHXdIuWvshUymKexyi/BLR1fGs5Y\n044BnrBqFPSgrjwarZw37wLTYqAKGR/5pTKxjwVuJ4ArC2A1XbYOlmhv2pbnVq4l\nq0juc6W2MNoK31Bfds3/lrLAqlu3KMMg43PCvI2IMooguRRm7NEvqSeuu5ZmuC/A\nv2/aNxSQoXfr2yS6JoZP7EFx/I00bkWWrHr4qhHppJrRVcJH8jGh9DDSuz7XzoW7\ntLAPQZKR8V29x5z0Yscgm64Bd60uj3Fp9N7xqRDWZUKZQ+om9yTRhpsi8gORGrVp\nMQIDAQAB\n
 -----END PUBLIC KEY-----\n

Ransomware note

image-20200531190802429

To use CryptoAPI function of Windows the function CryptAcquireContextW is called. The encryption method used is RSA public key alogrithm, because the dwProvType parameter is 0x1 which stands for Cryptographic Provider Type PROV_RSA_FULL.

image-20200531194111538

The public key gets imported with the use of CryptImportPublicKeyInfo.

image-20200531234017475

The imported RSA public key is then used to encrypt the later used Salsa20 key and nonce.

image-20200531235759021

Before encrypting files the ransomware writes the ransomware note to the path C:\Users\Public\Documents\RGNR_04BFF775.txt. And then adds a generated_secret to file. I didn’t further analyzed the way the generated_secret is created. I think this is for the malware authors to identify the malware sample used in a ransomware attack, but I don’t know for sure.

image-20200531200232105

image-20200531200311609

Encryption

The encryption method skips the following folders, files and extensions. This is also stated on the malware wiki.

kernel32.dll, Windows, Windows.old, Tor browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, $Recycle.Bin, ProgramData, All Users, autorun.inf, boot.ini, bootfont.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log
, ntuser.ini, thumbs.db, .sys, .dll, .lnk, .msi, .drv, .exe

To open a file the function CreateFileW is called. The fifth parameter dwCreationDisposition = 3 which stands for OPEN_EXISTING.

image-20200601203144499

Then the function ReadFile is called to read a number of bytes of the file, that gets written to buffer. This buffer is then encrypted by the function at address 00402380 renamed to encrypt_buffer. The ransomware uses an encryption algorithm based on Salsa20 stream cipher.

image-20200601211421004

Buffer before encryption - the buffer contains the local file “C:\Program Files\die_win32_portable\base\db\Binary\bzip.1.sg” (not associated with the malware)

image-20200601204806960

Buffer after encryption

image-20200601205054698

After written the encrypted buffer to the file, the used key, nonce and the string _RAGNAR_ are written to the end of the file.

image-20200601210824215

At the end, the ransomware opens the ransomware note with Notepad.

image-20200531203519707

image-20200529212911106

IOC

SHA256 - EC35C76AD2C8192F09C02ECA1F263B406163470CA8438D054DB7ADCF5BFC0597

References

https://www.bleepingcomputer.com/news/security/ransomware-encrypts-from-virtual-machines-to-evade-antivirus/

https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/

https://malware.wikia.org/wiki/Ragnar_Locker

Updated:

You May Also Enjoy

Automating DFIR using Cloud services

7 minute read

TL;DR: The DFIR lab can automate the processing of Plaso timelines to Timesketch using Velociraptor and Google Cloud services

Using Docker images from scratch

5 minute read

The last blog post about Docker was about using non-root Docker containers and why this is safer. This time I want to go a step further and explain what I th...

Mount Locker ransomware analysis

8 minute read

This blog post will explain how the ransomware called Mount Locker works. For encryption, Mount Locker uses Chacha20 to encrypt files and RSA-2048 to encrypt...