The Sophos Managed Threat Response (MTR) team and SophosLabs researchers have been investigating an ongoing series of ransomware attacks in which the ransomware executable forces the Windows machine to reboot into Safe Mode before beginning the encryption process. The attackers may be using this technique to circumvent endpoint protection, which often won’t run in Safe Mode.
Sophos telemetry began detecting the ransomware on Thursday March 18 as it targeted Exchange servers that remain unpatched against the ProxyLogon vulnerabilities disclosed by Microsoft earlier this month. The Black KingDom ransomware is far from the most sophisticated payload we’ve seen.
Sophos commissioned specialist research house Vanson Bourne to survey 5,000 IT managers on their experiences of ransomware. Sophos had no role in the selection of respondents and all responses were provided anonymously. The survey was conducted during January and February 2020. Respondents came from 26 countries across six continents.
When Sophos Home detects an attempt to maliciously encrypt your files, it immediately stops the process. Then it rolls back any changes made by the ransomware by replacing the newly-encrypted files with saved backups. Finally, it removes the ransomware itself. You don’t have to do anything – all of this happens automatically.
In mid-October, the Sophos MTR team worked with a targeted organization to investigate and remediate a ransomware outbreak within their network. The ransomware, which calls itself Snatch, sets itself up as a service that will run during a Safe Mode boot. It quickly reboots the computer into Safe Mode, and in the rarefied Safe Mode environment, where most software (including security software) doesn’t run, Snatch encrypts the victims’ hard drives.
Sophos analysts first encountered the Snatch ransomware about a year ago. The threat actor identities behind the ransomware appear to have been active since the summer of 2018. SophosLabs believes that the Safe Mode enhancement to this malware is a newly added feature.
SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated, and that we needed to publish this information as a warning to the rest of the security industry, as well as to end users. As we continue to investigate new incidents, we will update this post, and may post a followup in the next few days.
What we refer to as Snatch malware comprises a collection of tooling, which include a ransomware component and a separate data stealer, both apparently built by the criminals who operate the malware; a Cobalt Strike reverse-shell; and several publicly-available tools that aren’t inherently malicious, but used more conventionally by penetration testers, system administrators, or technicians.
One of a growing number of malware families we’ve encountered that have been programmed in Go, Snatch does not appear to be multiplatform. Created by Google, Go was designed to be able to produce programs that, in theory, could run under multiple operating systems.
However, the malware we’ve observed isn’t capable of running on platforms other than Windows. Snatch can run on most common versions of Windows, from 7 through 10, in 32- and 64-bit versions. The samples we’ve seen are also packed with the open source packer UPX to obfuscate their contents.
Snatch’s threat actors’ job postings
The threat actors behind this malware (who refer to themselves on criminal message boards as “Snatch Team”) appear to have adopted the active automated attack model, in which they seek to penetrate enterprise networks via automated brute-force attacks against vulnerable, exposed services, and then leverage that foothold to spread internally within the targeted organization’s network through human-directed action.
Online posts from criminal boards by suspected members of Snatch Team appear to support the assertion that this is the attackers’ modus operandi. A user who goes by the online moniker BulletToothTony solicits assistance with this type of attack, writing (translated from the original Russian) in a message board thread titled “Snatch ransomware” that he is “Looking for affiliate partners with access to RDP\VNC\TeamViewer\WebShell\SQL inj [SQL injection] in corporate networks, stores and other companies.”
Later in the same message thread, this user offers to (at no charge) train others in the use of the malware, allow prospective criminal partners to use their infrastructure, provide “the best students” with a customized server running Metasploit, and then says “we are looking for capable people to join our team.”
Russian speakers only, apparently. Thank you, you are so considerate.
The threat actors have also innovated their crime in another important way: One piece of malware used in the Snatch attacks is capable of, and has been, stealing vast amounts of information from the target organizations.
Deciphering the Snatch attack
In one of the incidents, which targeted a large international company, the MTR team managed to obtain detailed logs from the targeted company that the ransomware had not been able to encrypt. The attackers initially accessed the company’s internal network by brute-forcing the password to an administrator’s account on a Microsoft Azure server, and were able to log in to the server using Remote Desktop (RDP).
Using the Azure server as a foothold, the attackers leveraged that administrator’s account to log into a domain controller (DC) machine on the same network, and then performed surveillance tasks on the target’s network over the course of several weeks.
The attackers query the list of users authorized to log in on the box and write the results to a file. We also observed them dump WMIC system and user data, process lists, and even the memory contents of the Windows LSASS service to a file, and then upload those files to their C2 server.
We’ve also observed that the attackers set up one-off Windows services to orchestrate specific tasks. These services have long randomized filenames. One we observed queries the list of running processes using the tasklist program, writes the output to a file in the temp directory, and then runs a batch file (also located in the temp directory) that uploads the tasklist file to the C2 server.
The attackers use this same method to upload a great deal of information to the C2 server. For instance, they use a similar command to send the extracted user account and other profile information (a .txt file) back to the C2, and then execute a batch file they have created in the Windows temp directory.
The attackers installed surveillance software on about 200 machines, or roughly 5% of the computers on this particular organization’s internal network. The attackers installed several malware executables. The first group of files appears to be designed to give the attackers remote access to the machines without having to rely on the compromised Azure server.
The attackers also installed a free Windows utility called Advanced Port Scanner and used that tool to discover additional machines on the network they could target. Following this incident response, we were contacted by another company targeted by this same malware, and the investigation found a copy of Advanced Port Scanner on machines in that network, too.
Sophos analysts also found a tool named Update_Collector.exe that we suspect was created by the malware authors. The tool takes the data that had been collected using WMI to learn more about other machines and user accounts on the network, dumps that information to a file, and then uploads it to the attackers’ command-and-control server. We came across copies on some of the compromised machines.
We also found a range of otherwise legitimate tools that have been adopted by criminals installed on machines within the target’s network, including Process Hacker, IObit Uninstaller, PowerTool, and PsExec. The attackers typically use them to try to disable AV products.
Subsequent hunts for related files revealed several other attacks in which precisely the same collection of tools was used in what appear to be opportunistic attacks against organizations located around the world, including the United States, Canada, and several European countries. All the organizations where these same files were found also were later discovered to have one or more computers with RDP exposed to the internet. Many of the components were found in the Downloads folder for an admin account on the infected system.
At some point during the attack, which may be several days to weeks after the initial network breach, the attacker downloads the ransomware component to the targeted machine(s). This component arrives on the system with a filename that includes the unique-to-each-victim five-character code and the word “_pack.exe” in the filename.
By the time the malware invokes the PsExec service to execute the ransomware, it has extracted itself into the Windows folder under the same five-character code followed by _unpack.exe.
The ransomware installs itself as a Windows service called SuperBackupMan. The service description text, “This service make backup copy every day,” might help camouflage this entry in the Services list, but there’s no time to look. This registry key is set immediately before the machine starts rebooting itself.
The SuperBackupMan service has properties that prevent it from being stopped or paused by the user while it’s running.
The malware then adds this key to the Windows registry so it will start up during a Safe Mode boot.
Using the BCDEDIT tool on Windows, it issues a command that configures the Windows operating system to boot into Safe Mode, and then immediately forces a reboot of the infected computer.
When the computer comes back up after the reboot, this time in Safe Mode, the malware uses the Windows component net.exe to halt the SuperBackupMan service, and then uses the Windows component vssadmin.exe to delete all the Volume Shadow Copies on the system, which prevents forensic recovery of the files encrypted by the ransomware.
The ransomware then begins encrypting documents on the infected machine’s local hard drive.
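The Safe Mode chain described above (service install, SafeBoot registry entry, bcdedit, forced reboot, net stop, shadow-copy deletion) is unusual enough that it can be scored from process-creation telemetry. The following is an added detection example, not code from the report or from Sophos; the sample events are constructed, and the exact command-line forms attributed to Snatch (the `sc`, `reg`, `bcdedit`, `shutdown` and `vssadmin` invocations) are assumptions, with only the service name and the overall sequence taken from the text.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry), one per line:
# "<seq>|<host>|<image>|<command line>". FILESRV01 replays the chain described
# above; WKS-042 runs benign look-alike commands that must not alert.
SAMPLE_EVENTS = r"""
1|FILESRV01|C:\Windows\System32\sc.exe|sc create SuperBackupMan binPath= "C:\Windows\abcde_unpack.exe"
2|FILESRV01|C:\Windows\System32\reg.exe|reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan /ve /d Service
3|FILESRV01|C:\Windows\System32\bcdedit.exe|bcdedit /set {current} safeboot minimal
4|FILESRV01|C:\Windows\System32\shutdown.exe|shutdown /r /f /t 00
5|FILESRV01|C:\Windows\System32\net.exe|net stop SuperBackupMan
6|FILESRV01|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
7|WKS-042|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
8|WKS-042|C:\Windows\System32\bcdedit.exe|bcdedit /enum
"""

# (stage name, weight, pattern). The SafeBoot\Minimal registry path and the
# bcdedit/vssadmin syntax are the standard Windows forms; the exact invocations
# Snatch issues are an assumption, not quoted from the report.
STAGES = [
    ("safeboot_service", 2, re.compile(r"safeboot\\minimal\\", re.I)),
    ("bcdedit_safeboot", 3, re.compile(r"\bbcdedit\b.*\bsafeboot\b", re.I)),
    ("forced_reboot",    1, re.compile(r"\bshutdown\b.*\s/r\b", re.I)),
    ("service_stop",     1, re.compile(r"\bnet\b\s+stop\s+\S+", re.I)),
    ("shadow_delete",    3, re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b", re.I)),
]

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        seq, host, image, cmdline = line.split("|", 3)
        events.append({"seq": int(seq), "host": host, "image": image, "cmdline": cmdline})
    return events

def analyze(text):
    """Return {host: {"stages": {name: first_seq}, "score": int, "verdict": str}}."""
    per_host = defaultdict(dict)
    for ev in parse_events(text):
        stages = per_host[ev["host"]]          # create the entry even if nothing matches
        for name, _, rx in STAGES:
            if name not in stages and rx.search(ev["cmdline"]):
                stages[name] = ev["seq"]       # remember when each stage first appeared
    report = {}
    for host, stages in per_host.items():
        score = sum(w for n, w, _ in STAGES if n in stages)
        # The Safe Mode tell is bcdedit's safeboot switch followed (after the reboot)
        # by shadow-copy deletion; a SafeBoot service entry on top makes it high.
        ordered = ("bcdedit_safeboot" in stages and "shadow_delete" in stages
                   and stages["bcdedit_safeboot"] < stages["shadow_delete"])
        if ordered and "safeboot_service" in stages:
            verdict = "high"
        elif score >= 3:
            verdict = "medium"
        else:
            verdict = "none"
        report[host] = {"stages": stages, "score": score, "verdict": verdict}
    return report

if __name__ == "__main__":
    for host, r in analyze(SAMPLE_EVENTS).items():
        print(host, r["verdict"], sorted(r["stages"], key=r["stages"].get))
```

A lone `bcdedit ... safeboot` or `vssadmin delete shadows` still scores "medium", so legitimate administrative use will surface for review rather than being silently accepted.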
The impact of Snatch
The ransomware appends a pseudorandom string of five alphanumeric characters to the encrypted files. This string appears both in the filename of (and hardcoded into) the ransomware executable and in the ransom note, and appears to be unique to each targeted organization. For example, if the ransomware is named abcdex64.exe, the encrypted files would have the file extension .abcde appended to the original filename, and the ransom note uses a naming pattern like README_ABCDE_FILES.txt or DECRYPT_ABCDE_DATA.txt.
The attackers were foiled in their attempts to infect machines protected by Sophos endpoint products with the ransomware payloads, or to kill the Sophos endpoint protection services and processes on machines that were attacked. But others were not so lucky. We reached out to Coveware, a company that specializes in extortion negotiations between ransomware victims and attackers. The company tells us they have negotiated with the Snatch criminals on 12 occasions between July and October on behalf of their clients. Ransom demands (in Bitcoin) ranged in value from $2,000 to $35,000, but trended up over that four month period.
As with many other ransomware, Snatch maintains a list of files and folder locations it won’t encrypt. Ransomware typically does this to maintain system stability while focusing its attention on work documents or personal files. The locations it skips include:
C:\
- windows
- recovery
- $recycle.bin
- perflogs
C:\ProgramData
- start menu
- microsoft
- templates
- favorites
C:\Program Files
- windows
- perflogs
- $recycle.bin
- system volume information
- common files
- dvd maker
- internet explorer
- microsoft
- mozilla firefox
- reference assemblies
- tap-windows
- windows defender
- windows journal
- windows mail
- windows media player
- windows nt
- windows photo viewer
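The victim-specific suffix and ransom-note naming described under "The impact of Snatch", together with the skip list above, give a responder two quick triage checks over a file listing: which files carry a suffix that is corroborated by a ransom note, and which paths Snatch would have left alone in any case. This is an added example, not Sophos code; the directory listing is constructed, and treating a five-character suffix as "encrypted" only when a note with the same code exists is this example's own heuristic.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Skip list from the report, keyed by root; values are the subfolders Snatch leaves alone.
SKIP_LIST = {
    "c:\\": {"windows", "recovery", "$recycle.bin", "perflogs"},
    "programdata": {"start menu", "microsoft", "templates", "favorites"},
    "program files": {
        "windows", "perflogs", "$recycle.bin", "system volume information",
        "common files", "dvd maker", "internet explorer", "microsoft",
        "mozilla firefox", "reference assemblies", "tap-windows",
        "windows defender", "windows journal", "windows mail",
        "windows media player", "windows nt", "windows photo viewer",
    },
}

# Ransom notes are named README_<CODE>_FILES.txt or DECRYPT_<CODE>_DATA.txt;
# encrypted files end in ".<code>" with the same five characters in lower case.
NOTE_RX = re.compile(r"^(?:README|DECRYPT)_([A-Z0-9]{5})_(?:FILES|DATA)\.txt$")
SUFFIX_RX = re.compile(r"\.([a-z0-9]{5})$")

# Constructed directory listing, not from a real incident.
SAMPLE_LISTING = [
    r"C:\Users\jdoe\Documents\Q3-forecast.xlsx.abcde",
    r"C:\Users\jdoe\Documents\README_ABCDE_FILES.txt",
    r"C:\Shares\Finance\invoices.zip.abcde",
    r"C:\Shares\Finance\DECRYPT_ABCDE_DATA.txt",
    r"C:\Users\jdoe\Downloads\theme.woff2",            # five-char suffix, no matching note
    r"C:\Windows\System32\kernel32.dll",                # under a skipped root folder
    r"C:\Program Files\Windows Defender\MpCmdRun.exe",  # skipped Program Files subfolder
    r"C:\Program Files\AcmeApp\config.ini.abcde",       # Program Files, but not a skipped subfolder
    r"C:\ProgramData\Microsoft\Crypto\keys.bin",        # skipped ProgramData subfolder
]

def is_skipped(path):
    """True if the path falls under a folder on Snatch's skip list."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if len(parts) < 2 or parts[0] != "c:\\":
        return False
    top = parts[1]
    if top in ("programdata", "program files"):
        return len(parts) > 2 and parts[2] in SKIP_LIST[top]
    return top in SKIP_LIST["c:\\"]

def triage(paths):
    """Pair five-character suffixes with ransom-note codes; only matched suffixes count."""
    codes, by_suffix, skipped = set(), defaultdict(list), []
    for path in paths:
        name = PureWindowsPath(path).name
        note = NOTE_RX.match(name)
        if note:
            codes.add(note.group(1).lower())
            continue
        if is_skipped(path):
            skipped.append(path)
            continue
        suffix = SUFFIX_RX.search(name.lower())
        if suffix:
            by_suffix[suffix.group(1)].append(path)
    return {
        "victim_codes": sorted(codes),
        "encrypted": {s: f for s, f in by_suffix.items() if s in codes},
        "unconfirmed_suffixes": sorted(s for s in by_suffix if s not in codes),
        "skipped": skipped,
    }
```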
The threat actors apparently actively monitor the systems running their agents, as we discovered while an analyst was manually running one of the samples from an instrumented, testbed computer.
When the analyst was logged out unexpectedly, the analyst suspected that the attackers identified the machine as a security research platform, so he wrote a message to the attackers and left it on the testbed’s desktop. Moments later, the attackers responded by logging the analyst out of the machine again and then blocking the IP address being used by the analyst from reconnecting to the Snatch C2 server.
We also discovered that the ransomware is using OpenPGP. The ransomware binaries we’ve inspected appear to have PGP Public Key blocks hardcoded into the files. (We’ve put those keys into the IoCs page for Snatch on the SophosLabs Github.)
And the name “Snatch” doesn’t appear to be a coincidence. In earlier versions of the ransomware, the ransom note included the email address “imBoristheBlade@protonmail.com”, which seems to be a reference to the Guy Ritchie movie Snatch (2000), in which a Rasputin-esque former-KGB agent character named Boris the Blade is beaten, shot, and stabbed throughout, often with little to no effect on his ability to get up and carry on fighting. Bullet Tooth Tony, the handle used by the message board poster, is another character that appears in the same movie.
What can you do to prevent and detect a Snatch attack
Prevention
- As we’ve been urging organizations to do for a while now, Sophos recommends that organizations of any size refrain from exposing the Remote Desktop interface to the unprotected internet. Organizations that wish to permit remote access to machines should put them behind a VPN on their network, so they cannot be reached by anyone who does not have VPN credentials.
- The Snatch attackers also expressed interest in contracting with, or hiring, criminals who are capable of breaching networks using other types of remote access tools, such as VNC and TeamViewer, as well as those with experience using Web shells or breaking into SQL servers using SQL injection techniques. It stands to reason that these types of internet-facing services also pose significant risks if left unattended.
- Likewise, organizations should immediately implement multifactor authentication for users with administrative privileges, to make it more difficult for attackers to brute force those account credentials.
- For Sophos customers, it is imperative that all users are running the most current endpoint protection, and enable the CryptoGuard feature within Intercept X.
Detection
- The majority of initial access and footholds that we have observed are on unprotected and unmonitored devices. It’s extremely important for organizations of almost any size to perform regular and thorough inventory of devices, to ensure no gaps or “dark corners” exist on your network.
- Execution of the Snatch ransomware occurred after threat actors had several days of undetected and uninhibited access to the network. A rigorous and mature threat hunting program would have greater potential to identify the threat actors prior to the execution of the ransomware executable.
Detection details
Sophos products detect various components of Snatch and the files used in this attack under the following signatures:
Troj/Snatch-H
Mal/Generic-R
Troj/Agent-BCYI
Troj/Agent-BCYN
HPmal/GoRnSm-A
HPmal/RansMaz-A
PUA Detected: ‘PsExec’
Additional detection methods include anomalous behavior detection in MTR and Intercept X.
Indicators of compromise have been published on the SophosLabs Github and will be updated as new indicators are discovered.
Acknowledgments
Thanks to the following Sophos research and MTR incident response staff, whose work contributed to this report:
Albert Zsigovits
Andrew Ludgate
Andrew O’Donnell
Hajnalka Kope
Jordan Rodgers
Luca Nagy
Peter Mackenzie
Savio Lau
Simon Porter
Suriya Natarajan
Vikas Singh
Xiaochuan Zhang
Yannick Formaggio
Editor’s note: This is one of a series of articles focused on the Conti ransomware family, which include a detailed analysis of a Conti attack, A Conti Ransomware Attack Day-By-Day, and a guide for what IT administrators can expect when Conti ransomware hits.
For the past several months, both SophosLabs and the Sophos Rapid Response team have been collaborating on detection and behavioral analysis of a ransomware that emerged last year and has undergone rapid growth. The ransomware, which calls itself Conti, is delivered at the end of a series of Cobalt Strike/meterpreter payloads that use reflective DLL injection techniques to push the malware directly into memory.
Because the reflective loaders deliver the ransomware payload into memory, never writing the ransomware binary to the infected computer’s file system, the attackers eliminate a critical Achilles’ heel that affects most other ransomware families: There is no artifact of the ransomware left behind for even a diligent malware analyst to discover and study.
That isn’t to say there aren’t artifacts and components to look at. The threat actors involved in attacks using Conti have built a complex set of custom tooling designed not only to obfuscate the malware itself when it gets delivered, but also to conceal the internet locations from which the attackers have been downloading it during attacks, and to prevent researchers from obtaining a copy of the malware that way as well.
Two-stage loading process
The first stage of the Conti ransomware process involves a Cobalt Strike DLL, roughly 200 KB in size, that allocates the memory space needed to decrypt and load meterpreter shellcode into system memory.
The shellcode, XORed in the DLL, unfurls itself into the reserved memory space, then contacts a command-and-control server to retrieve the next stage of the attack.
This C2 communication is distinctive for a number of reasons. First, the malware appears to be using a sample Cobalt Strike configuration script named trevor.profile, published on a public Github archive. The profile serves as a sort of homage to an incident in which security researchers attending a conference found an insect in a milkshake at a restaurant outside the conference center.
But it doesn’t appear that the Conti attackers have modified this sample script very much, which makes the C2 communication notable in two ways: The script designates certain characteristics used during this phase of the attack, including a User-Agent string (“Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)”) that mimics that of a computer running Windows 7 but, distinctively, fails to identify the specific browser; and a static URI path (“/us/ky/louisville/312-s-fourth-st.html”) that includes the address of the infamous restaurant where the researcher discovered the bug in their shake.
The initial connection to the C2 server is to a page named Menus.aspx on the server. That page delivers the next payload, which the first one loads into memory: another Cobalt Strike shellcode loader that contains the reflective DLL loader instructions.
If that succeeds, the malware then contacts the “312-s-fourth-st.html” page on the same C2 server. The attackers only trigger this chain of events during an active attack, placing the ransomware binary on the C2 server so that it can be retrieved by this process only while the attack is ongoing, and removing it immediately afterwards.
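The two profile tells above (a WebKit-style User-Agent that names no browser, and the fixed Menus.aspx then 312-s-fourth-st.html retrieval order) are easy to hunt for in proxy logs. The following is an added detection example, not code from the report or from Sophos; the log layout is an assumed generic one and the sample lines are constructed (203.0.113.5 and example.com are documentation addresses), while the User-Agent string and URI paths are exactly those quoted in the text.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Values quoted in the report (from the trevor.profile Cobalt Strike profile).
TREVOR_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)"
STAGE1_PATH = "/Menus.aspx"
STAGE2_PATH = "/us/ky/louisville/312-s-fourth-st.html"
# A real WebKit-family browser always names itself after the "(KHTML, like Gecko)" token.
BROWSER_TOKENS = re.compile(r"\b(?:Chrome|Chromium|Safari|Firefox|Edge|Edg|OPR|MSIE|Trident)/")

# Assumed proxy log layout: <timestamp> <client> <method> <url> <status> "<user-agent>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample, not from a real incident.
SAMPLE_LOG = """
2021-02-16T09:14:02Z 10.20.30.41 GET http://203.0.113.5/Menus.aspx 200 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)"
2021-02-16T09:14:05Z 10.20.30.41 GET http://203.0.113.5/us/ky/louisville/312-s-fourth-st.html 200 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)"
2021-02-16T09:15:10Z 10.20.30.77 GET http://www.example.com/news/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"
2021-02-16T09:16:44Z 10.20.30.90 GET http://intranet.example.com/Menus.aspx 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"
"""

def ua_lacks_browser_token(ua):
    """The profile's tell: a WebKit-style UA string that never names a browser."""
    return "AppleWebKit/" in ua and not BROWSER_TOKENS.search(ua)

def analyze(log_text):
    """Return one alert per (client, server) pair that shows profile indicators."""
    flows = defaultdict(lambda: {"paths": [], "exact_ua": 0, "odd_ua": 0})
    for line in log_text.strip().splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        flow = flows[(m["src"], url.netloc)]
        if url.path in (STAGE1_PATH, STAGE2_PATH):
            flow["paths"].append(url.path)
        if m["ua"] == TREVOR_UA:
            flow["exact_ua"] += 1
        elif ua_lacks_browser_token(m["ua"]):
            flow["odd_ua"] += 1
    alerts = []
    for (src, dst), flow in flows.items():
        paths = flow["paths"]
        # Stage 1 (Menus.aspx) must precede stage 2 (the restaurant-address page).
        two_stage = (STAGE1_PATH in paths and STAGE2_PATH in paths
                     and paths.index(STAGE1_PATH) < paths.index(STAGE2_PATH))
        if two_stage and flow["exact_ua"]:
            severity = "high"
        elif two_stage or flow["exact_ua"]:
            severity = "medium"
        elif paths or flow["odd_ua"]:
            severity = "low"      # e.g. a legitimate intranet Menus.aspx
        else:
            continue
        alerts.append({"src": src, "dst": dst, "severity": severity, "paths": paths})
    return alerts
```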
Elusive ransomware payloads
Because of the ephemeral nature of the placement of the ransomware payload, analysts had difficulty obtaining samples for research. But we were able to salvage some of the in-memory code from infected computers where the malware was still running.
The ransomware process is not particularly unique, but it does reveal the ransomware creator’s ongoing interest in thwarting analysis by security researchers.
The ransomware itself uses a relatively common anti-analysis technique sometimes referred to as “API-by-hash,” in which Conti uses hash values to call specific API functions; Conti has an added layer of encryption over the top of these hashes to further complicate the work of a reverse engineer. The malware has to perform two cycles of decryption on itself in order to perform those functions.
Among the behavior observed by responders, the ransomware immediately begins a process of encrypting files while, at the same time, sequentially attempting to connect to other computers on the same network subnet, in order to spread to nearby machines, using the SMB port.
Conti’s developers have hardcoded the RSA public key the ransomware uses to perform its malicious encryption into the ransomware (files are encrypted using the AES-256 algorithm). This isn’t unusual; it means that the malware can begin encrypting files even if it is unable to contact its C2.
Unfortunately, that isn’t the only threat this ransomware poses to its targets: Conti ransomware has also adopted a “leaks” site like several other ransomware threat actor groups. The attackers spend some time on the target network and exfiltrate sensitive, proprietary information to the cloud (in recent attacks, the threat actors have used the cloud storage provider Mega).
Under a header labeled YOU SHOULD BE AWARE! , the ransom note threatens, “Just in case, if you try to ignore us. We’ve downloaded a pack of your internal data and are ready to publish it on out (sic) news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.”
Detection guidance
Conti ransomware, on its own, is unable to bypass the CryptoGuard feature of Sophos Intercept X. Our endpoint products may detect components of Conti under one or more of the following definitions: HPmal/Conti-B, Mem/Conti-B, Troj/Swrort-EZ, Troj/Ransom-GEM, or Mem/Meter-D. Network protection products like the Sophos XG firewall can also block the malicious C2 addresses to prevent the malware from retrieving its payloads and completing the infection process.
Indicators of compromise for the malware samples examined in this research have been posted to the SophosLabs Github.