Initial Discovery
This year seems to again be the year for ransomware. Notorious attacks were made using ransomware and new families are being detected almost on a weekly basis.
The McAfee ATR team has now analyzed a new ransomware family with some special features we would like to showcase. LooCipher represents how a new actor in an early stage of development used the same techniques of distribution as other players in the ransomware landscape. The design of the ransomware note reminded us of the old times of Cerber ransomware, a very well impacted design to force the user to pay the rescue.
Thanks to initiatives like the ‘No More Ransom’ project, one of the partners involved has already provided a valid decryptor to restore files encrypted by LooCipher.
McAfee Telemetry
Based on the data we manage, we detected LooCipher infections in the following regions:
Campaign Analysis:
Based on the analysis we performed, this ransomware was delivered through a DOC file. The content and techniques used with this MalDoc are quite simple compared to other doc files used to spread malware, such as Emotet. No special social engineering techniques were applied; the authors only put a simple message on it – “Enable macros”.
The file is prepared to download LooCipher from a remote server upon opening the file. We can see the Sub AutoOpen function as a macro in the document:
LooCipher will start its encryption routine using a predefined set of characters, creating a block of 16 bytes and using the local system hour:
The ransomware will use the AES-ECB encryption algorithm in the process and the key is the same for all the files which facilitates the file recovery process. Other ransomware families use a different key for each file to avoid the possibility of a brute force attack discovering the key used during the infection.
In the encryption process, the ransomware will avoid 3 special folders in the system so as to not break their functionality.
Encrypting key files and folders was one of the mistakes we highlighted in our analysis of LockerGoga; that ransomware was completely breaking the functionality of the system. Some binaries found were encrypting all the system, including the LockerGoga binary file.
Regarding the extensions that LooCipher will search and encrypt in the system, the list is hardcoded inside the binary:
It is quite interesting see how LooCipher searches for extensions that are not present in Windows systems like “.dmg.” This suggests that the authors may just be going to code sites to find extension lists.
In the analysis we found a PDB reference:
\\Users\\Usuario\\Documents\\Proyectos\\sher.lock\\Debug\\LooCipher.pdb
It is interesting to note that the reference found contains Spanish words, as if the user was using folders named in Spanish, however, the system is configured in English. We currently have no idea why this is so, but it is curious.
BTC payment is the method chosen by LooCipher authors to get money from the victims. So, at the end of the file’s encryption, the ransomware will show a rescue note to the user:
LooCipher decryptor will pop up in the system as well with a specific countdown:
In the ransom note LooCipher says the BTC address is specifically generated for the user but that is not true; all the BTC addresses we have seen are hardcoded in the binary:
This is another special characteristic for this ransomware. Normally, this workflow is providing an email address to contact the authors so they can provide the instructions to the victim, or at least a BTC address to make payment (if there is not a unique BTC address provided to every victim), something that is the main difference between RaaS and one-shot campaigns.
If we apply static analysis in the binaries we have, the same bundle of BTC addresses is included across most that we spot in the wild:
None of the BTC addresses found regarding LooCipher showed any transactions so we believe the authors did not monetize the campaign with the binaries we analyzed.
LooCipher and Network Traffic:
In the encryption process, LooCipher will contact the C2 server and send information about the victim:
The data sent to the server is:
Here, a copy of the network traffic could help the user to know the encryption key used.
Decryptor Fallback Mechanism Implemented by LooCipher
The LooCipher authors provide a fallback mechanism to help victims access the instructions and the decryptor again, in case they close the LooCipher window when it appears in the system after encrypting the files:
The mechanism sees the LooCipher binary uploaded to the Mega platform. In case the user wants to get the BTC address or decrypt the files after making the payment, they can download this binary and use it. If the files were previously encrypted by LooCipher they would not be encrypted again according to the ransomware’s authors.
I’m Infected by LooCipher. How Can I Get my Files Back?
McAfee is one of the founders and contributors of the ‘No More Ransom’ project. One of our fellow stakeholders created a decryptor for all the files encrypted by LooCipher:
So, if you are infected with LooCipher, it is possible get your files back.
Conclusions:
LooCipher authors are not a sophisticated actor compared to other families like Ryuk, LockerGoga or REVil. They tried to spread their ransomware combining the infection with an Office file with a simple macro.
It will be impossible for the authors to come back to the scene if they do not change how the ransomware works.
The McAfee ATR Team advises against paying the ransomware demands and, instead, recommends:
- Saving a copy of your encrypted files – sometimes in the future a decryptor may be released
- Having a solid backup workflow in the company
- Implementing best practices in terms of Cybersecurity
YARA Rule
We uploaded a YARA rule to detect almost all the samples observed in the wild.
MITRE ATT&CK Coverage:
- Hooking
- Defense Evasion
- Network Service Scanning
- System Information Discovery
- Data Compressed
McAfee Coverage:
- Artemis!02ACC0BC1446
- Artemis!12AA5517CB7C
- Artemis!1B1335F20CD0
- Artemis!362AB3B56F40
- Artemis!64FCC1942288
- Artemis!8F421FE340E7
- Artemis!983EF1609696
- Artemis!A11724DBE1D6
- Artemis!A7ABF760411F
- Artemis!B9246AA9B474
- Artemis!F0D98A6809C1
- McAfee-Ransom-O
- Ransomware-GNY!3B9A8D299B2A
- Ransomware-GNY!66571E3C8036
- Ransomware-GNY!9CF3C9E4A9B5
- Ransomware-GNY!A0609D7AD404
- Ransomware-GNY!A77FDEFE40BE
- Ransomware-GNY!A9B6521FF980
- Ransomware-GNY!D3CE02AD4D75
- Ransomware-GNY!DC645F572D1F
- RDN/Generic Downloader.x
- RDN/Generic.ole
IOCs
7720aa6eb206e589493e440fec8690ceef9e70b5e6712a9fec9208c03cac7ff0
35456dc5fdaf2281aad4d8f0441dcd0c715164e9d2ca6412380c2215ed2eab9c
3e8660f0d2b5b4c1c7dfb0d92f1198b65f263d36cd9964505f3a69150a729f6f
2ca214c271920c7261fc0009971961fa6d2ee4bd23820899f4d6e0679739bf2e
2ef92ced4c009fc20645c5602f0b1f2ddca464365b73b62eb0b7217f422590d5
77766f7f78e13dce382aeb4f89c13b9de12a2fa85f0a7550f4239dfe385a6fb5
8834001d7420d8caaa20cd429130249db30c81f0c5da92a2cb2da4dee6669c87
242f9a9cb23c87b6a5913731bce3f4e565f0393d95f2f9a78d675ef481578a61
7db9491697847dd0a65b719b0d836aeb28dec22a9deed57aa601f23a5b32214a
1f5d310da6f3f3a89e22fc86acb71741db56cbe85fbacc43822bec344cbe4058
893c4f7e3d8e9dc6757becbf2f20e81ec09557fc8e6ea72353c7b8984068f145
242198732eecc9c2d07d1db612b6084ece3a8d1d1b337554a7bef4216cbebccf
e209d7003a5d3674ab90fd1d082266a4aaa1bee144b04371abba0c358e95fd03
2a4ce9877a743865d6c11c13aa45da3683af223c196086984f57f3eff07cd3ea
0d72eab82635df496d20a8fb3921e33ed3aac597496cf006322eed48deb2c068
a6d23f11692e23a6c2307b9f5dd660bca3423f2f0202aa398325345f906b07b5
079d555a4935a6748d92e8bd9856ae11ecf4fd5293ed41cf318a407f9aaa6b2d
387be2e56804ed02ed6d4611d82c6f4b88953761d3961a33017adfb274e6cbfa
3e1d8a5faaa35e7f72ecad5f91644efd5bf0d92fdb0341c48a236c843c697196
0c42641fcc805c049883b9617082a8ac6d538fd87cfa371e3fef6114aff71c2a
b31d3de8ffd2b2dce2b570c0172f87a6719f01d4424a7a375bbb249cd15c1157
23b949ed81925ea3c10fa6c74b0d066172409e6a38023bd24672cc4efb47dd64
6987933482f12f0e1301bb0509a46f5889802fe481be160da9a29985acbabbd9
77d5586bc259e944634cff99912779fabfb356f6f840ea5afd6514f52562879d
177e91b5ac698542b5488a95a60816347fcba118f0ad43473aa7d2d5c9223847
0ffeb5639da6e77dfb241f1648fa8f9bac305335f7176def2b17e1b08706d49a
ad7eebdf328c7fd273b278b0ec95cb93bb3428d52f5ff3b69522f1f0b7e3e9a1
hxxps://hcwyo5rfapkytajg[.]tor2web[.]xyz/d[.]php
hxxps://hcwyo5rfapkytajg[.]onion[.]sh/d[.]php
hxxps://hcwyo5rfapkytajg[.]onion[.]ws/d[.]php
hxxps://hcwyo5rfapkytajg[.]tor2web[.]xyz/k[.]php
hxxps://hcwyo5rfapkytajg[.]onion[.]ws/k[.]php
hxxps://hcwyo5rfapkytajg[.]darknet[.]to/d[.]php
hxxps://hcwyo5rfapkytajg[.]onion[.]sh/k[.]php
hxxp://hcwyo5rfapkytajg[.]onion[.]pet/k[.]php
hxxps://hcwyo5rfapkytajg[.]darknet[.]to/k[.]php
hxxp://hcwyo5rfapkytajg[.]onion[.]pet/d[.]php
924cc338d5d03f8914fe54f184596415563c4172679a950245ac94c80c023c7d
e824650b66c5cdd8c71983f4c4fc0e1ac55cd04809d562f3b6b4790a28521486
hcwyo5rfapkytajg[.]darknet[.]to
hcwyo5rfapkytajg[.]onion[.]sh
hcwyo5rfapkytajg[.]onion[.]ws
hcwyo5rfapkytajg[.]tor2web[.]xyz
hxxps://hcwyo5rfapkytajg[.]onion[.]sh/3agpke31mk[.]exe
hxxp://hcwyo5rfapkytajg[.]onion[.]pet/2hq68vxr3f[.]exe
hxxps://hcwyo5rfapkytajg[.]onion[.]sh/info_bsv_2019[.]docm
hxxps://hcwyo5rfapkytajg[.]onion[.]ws/3agpke31mk[.]exe
hxxps://hcwyo5rfapkytajg[.]darknet[.]to/2hq68vxr3f[.]exe
hxxp://hcwyo5rfapkytajg[.]onion[.]pet/info_project_bsv_2019[.]docm
hxxps://hcwyo5rfapkytajg[.]onion[.]ws/info_bsv_2019[.]docm
hxxps://hcwyo5rfapkytajg[.]tor2web[.]xyz/3agpke31mk[.]exe
hxxps://hcwyo5rfapkytajg[.]tor2web[.]xyz/info_bsv_2019[.]docm
hxxps://hcwyo5rfapkytajg[.]onion[.]sh/2hq68vxr3f[.]exe
hxxp://hcwyo5rfapkytajg[.]onion[.]pet/info_bsv_2019[.]docm
hxxp://hcwyo5rfapkytajg[.]onion[.]pet/3agpke31mk[.]exe
hxxps://hcwyo5rfapkytajg[.]darknet[.]to/info_bsv_2019[.]docm
hxxps://hcwyo5rfapkytajg[.]tor2web[.]xyz/2hq68vxr3f[.]exe
hxxps://hcwyo5rfapkytajg[.]onion[.]ws/2hq68vxr3f[.]exe
hxxps://hcwyo5rfapkytajg[.]darknet[.]to/3agpke31mk[.]exe
43cfb0a439705ab2bd7c46b39a7265ff0a14f7bd710b3e1432a9bdc4c1736c49
ff24d9575694ae2a1e6a6101a2dbaa95dd1ab31b44a3931f6d6a62bbf5be2cbd
The post Analysis of LooCipher, a New Ransomware Family Observed This Year appeared first on McAfee Blogs.