Punisher Ransomware Spreading Through Fake COVID Site
Published 12/22/2022
Originally published by Cyble on November 25, 2022.
New Variant Of Ransomware Targeting Chile
Most organizations experienced an increase in cyber-attacks during the COVID-19 pandemic. Threat Actors (TAs) leveraged the COVID-19 pandemic as a thematic lure to infect users with different malware families. This pandemic theme related to cyber-attacks has reduced in 2022. However, TAs are still utilizing their arsenal of malicious programs to target users who track information related to Covid-19 infection.
Recently, Cyble Research and Intelligence Labs (CRIL) discovered a new variant of Punisher ransomware that was spreading through a COVID-19 theme-based phishing website hosted at covid19[.]digitalhealthconsulting[.]cl. This phishing website delivers ransomware disguised as a COVID tracking application, targeting Chilean users.
Additionally, it demands the equivalent of USD 1000 in Bitcoin for decrypting files. This Ransomware strain uses a common ransom note which is downloaded from the remote server, and then appends content to the ransom note to make it specific to each of its victims. The figure below shows the HTML file used as a ransom note.
Figure 1 – Ransom Note
Technical Analysis
The Punisher Encryptor (SHA256: dfc3e3eed6f6bba5e11fb88d06b22d0100188b1776b68b7207e0a4cac09ffa1a) is a .NET binary and targets windows operating system. The compilation time of this binary is altered; this technique is called ‘Timestomping’, an anti-forensics technique used to stay hidden during incident response activities.
Figure 2 – File Details
The ransomware calls the following functions for encrypting the files in the Victim’s machine.
- GeneratePassword
- GenerateSystemID
- CheckConnection
- MakeConnection
- RetrieveFiles.
- AlertingUser
GeneratePassword
Upon execution, the ransomware sleeps for five seconds using Thread.Sleep() method and executes GeneratePassword() function. This function calls a method RNGCryptoServiceProvider() for generating a random string and then converts the random string into bytes using GetBytes() method. This function further translates the bytes into Base64 encoded format and sends it to the C&C server. The reason for sending this string is unclear, as we also did not observe it being used during the encryption process. The figure below shows the code snippet of the GeneratePassword function.
Figure 3 – Uses RNGCryptoServiceProvider
GenerateSystemID
Now the ransomware gets the volume of serial numbers of infected machines using a WMI query, as shown below. This unique volume serial number is crucial to the later stage of infection to generate the encryption key.
Figure 4 – Ransomware Using VolumeSerialNumber as system ID
CheckConnection
The ransomware then pings google.com to check if victim’s system has an active internet connection and returns a Boolean value based on the response. The figure below shows the code responsible for checking the internet connection.
Figure 5 – Checking Internet Connection
MakeConnection
The ransomware then proceeds to create a list for storing the victim’s information, such as Machine name, Username, System Id, etc., as shown below. The ransomware identifies the victim’s IP using the API “https[:]//api.ipify[.]org”.
Figure 6 – Exfiltrating victim’s information
The data stored in this list is further sent to “hxxp[:]//20[.]100.168[.]3[:]1974/handshake.php” using a POST request, as shown below.
Figure 7 – POST Request
After sending the victim’s details to the C&C server, the ransomware checks if the “UI” directory exists in the “C:\Users\Public\Windows\” folder. If it exists, the ransomware deletes the existing directory in the Victim’s machine, creates a new directory with the same name, and sets the hidden and system attribute to the newly created directory. If the “UI” directory does not exist, then the ransomware creates a new directory with the same attributes, shown below.
Figure 8 – Creating Directory
The ransomware now downloads a .zip file containing the ransom note using a GET request from hxxp[:]//20.100.168[.]3[:]1974/alertmsg[.]zip and extracts it in the directory created in the above step. The figure below shows the network activity and extracted files.
Figure 9 – Downloading Ransom Note
The downloaded .zip file contains a ransom note which will be common to all victims. After infecting a system, the ransomware appends data to ransom notes such as System ID, unique identifier of each victim, BTC address for the ransom payment, date of infection, and JavaScript codes to start the timer, which will also increase the ransom amount after a specific timeframe.
The ransomware adds these details in the ransom note to make the ransom note more specific to the Victim. The figure below shows the code snippet used by the ransomware to add data to the ransom note.
Figure 10 – Appending Data to Ransom Note
RetrieveFiles
Now Ransomware searches files in the victim’s machine for its encryption process. It executes the DriveInfo.GetDrives() method to get the names of all logical drives in the machine and encrypts only files present in the USERPROFILE directory of C Drive.
The ransomware also targets all directories in other drives and encrypts files present in the directory. The ransomware encrypts files having extensions such as .pptx, .docx, .doc, .xlsx, .txt, .pdf, .500, .jpeg, .jpg, .png.
Figure 11 – File Types Targeted by Punisher Ransomware
Before encrypting files, the ransomware generates a key for encryption using the following steps:
- The ransomware creates a string by concatenating the strings 2202sb+Volume Serial Number+ punished.
- It converts the concatenated string into a BYTE array.
- Finally, it calculates the MD5 hash of the array object.
The ransomware uses this MD5 hash as a final key and encrypts files using the AES-128 algorithm. The ransomware also changes the extension of the encrypted files to “.punisher” and makes them unusable, as shown below.
Figure 13 – Encrypted Files
AlertingUser
After encrypting files, it opens ransom notes in the browser using full-screen mode and demands $1000 as a ransom payment. The ransomware also drops ransom notes as a shortcut file named “unlock your files.lnk” in locations such as Desktop, Startup, and Start Menu so that the ransom alert will be shown to victims when they log in to their affected systems.
Conclusion
Threat Actors are Adopting various techniques to spread malware infection. This blog also covers a known case of ransomware spreading through fake COVID portals. Punisher ransomware appears to be targeting individuals rather than targeting corporate networks. The files encrypted by this ransomware can also be easily decrypted as it uses AES-128 symmetric algorithm for its encryption.
Our Recommendations
We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Download COVID-19-related applications only from verified sources.
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impact And Criticality of Ransomware attack
- Loss of valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption in organization operation.
- Financial loss.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Execution | T1204 | User Execution |
Persistence | T1547.001 | Registry Run Keys / Startup Folder |
Defense Evasion | T1070.006 T1497.003 | Timestomp Time-Based Evasion |
Discovery | T1087 T1082 T1083 | Account Discovery System Information Discovery File and Directory Discovery |
Impact | T1486 | Data Encrypted for Impact |
Command and Control | T1071 | Application Layer Protocol |
Exfiltration | T1020 | Automated Exfiltration |
Indicators Of Compromise
Indicators | Indicator type | Description |
c267ca8be1871263937a5e433a49342c f10f8a99b610db68c2caca017eeb9cd046acea64 79e4ecb131813bd897e9df2f75c32da92ffc603a5a74acb987c90088080774e4 | MD5 SHA-1 SHA256 | Punisher Ransomware executable |
df3a831a805ada51ce56e32a46a07b51 7c235d83e6c95a6a7d587d6d3ec99262d52c0fb4 dfc3e3eed6f6bba5e11fb88d06b22d0100188b1776b68b7207e0a4cac09ffa1a | MD5 SHA-1 SHA256 | Punisher Ransomware executable |
hxxp[:]//20.100.168[.]3[:]1974/handshake[.]php hxxp[:]//20.100.168[.]3[:]1974/alertmsg[.]zip | URL | C&C URL |
Related Articles:
Threat Report: BEC and VEC Attacks Continue to Surge, Outpacing Legacy Solutions
Published: 11/08/2024
Tackling Ransomware Head-On: A Business’s Guide to Understanding and Defense
Published: 10/31/2024
Top Threat #4 - Cloudy with a Chance of Breach: The Cloud Security Strategy Storm
Published: 10/21/2024