Punisher Ransomware Spreading Through Fake COVID Site

Originally published by Cyble on November 25, 2022.

New Variant Of Ransomware Targeting Chile

Most organizations experienced an increase in cyber-attacks during the COVID-19 pandemic. Threat Actors (TAs) leveraged the COVID-19 pandemic as a thematic lure to infect users with different malware families. This pandemic theme related to cyber-attacks has reduced in 2022. However, TAs are still utilizing their arsenal of malicious programs to target users who track information related to Covid-19 infection.

Recently, Cyble Research and Intelligence Labs (CRIL) discovered a new variant of Punisher ransomware that was spreading through a COVID-19 theme-based phishing website hosted at covid19[.]digitalhealthconsulting[.]cl. This phishing website delivers ransomware disguised as a COVID tracking application, targeting Chilean users.

Additionally, it demands the equivalent of USD 1000 in Bitcoin for decrypting files. This Ransomware strain uses a common ransom note which is downloaded from the remote server, and then appends content to the ransom note to make it specific to each of its victims. The figure below shows the HTML file used as a ransom note.

Figure 1 – Ransom Note

Technical Analysis

The Punisher Encryptor (SHA256: dfc3e3eed6f6bba5e11fb88d06b22d0100188b1776b68b7207e0a4cac09ffa1a) is a .NET binary and targets windows operating system. The compilation time of this binary is altered; this technique is called ‘Timestomping’, an anti-forensics technique used to stay hidden during incident response activities.

Figure 2 – File Details

The ransomware calls the following functions for encrypting the files in the Victim’s machine.

1. GeneratePassword
2. GenerateSystemID
3. CheckConnection
4. MakeConnection
5. RetrieveFiles.
6. AlertingUser

GeneratePassword

Upon execution, the ransomware sleeps for five seconds using Thread.Sleep() method and executes GeneratePassword() function. This function calls a method RNGCryptoServiceProvider() for generating a random string and then converts the random string into bytes using GetBytes() method. This function further translates the bytes into Base64 encoded format and sends it to the C&C server. The reason for sending this string is unclear, as we also did not observe it being used during the encryption process. The figure below shows the code snippet of the GeneratePassword function.

Figure 3 – Uses RNGCryptoServiceProvider

GenerateSystemID

Now the ransomware gets the volume of serial numbers of infected machines using a WMI query, as shown below. This unique volume serial number is crucial to the later stage of infection to generate the encryption key.

Figure 4 – Ransomware Using VolumeSerialNumber as system ID

CheckConnection

The ransomware then pings google.com to check if victim’s system has an active internet connection and returns a Boolean value based on the response. The figure below shows the code responsible for checking the internet connection.

Figure 5 – Checking Internet Connection

MakeConnection

The ransomware then proceeds to create a list for storing the victim’s information, such as Machine name, Username, System Id, etc., as shown below. The ransomware identifies the victim’s IP using the API “https[:]//api.ipify[.]org”.

Figure 6 – Exfiltrating victim’s information

The data stored in this list is further sent to “hxxp[:]//20[.]100.168[.]3[:]1974/handshake.php” using a POST request, as shown below.

Figure 7 – POST Request

After sending the victim’s details to the C&C server, the ransomware checks if the “UI” directory exists in the “C:\Users\Public\Windows\” folder. If it exists, the ransomware deletes the existing directory in the Victim’s machine, creates a new directory with the same name, and sets the hidden and system attribute to the newly created directory. If the “UI” directory does not exist, then the ransomware creates a new directory with the same attributes, shown below.

Figure 8 – Creating Directory

The ransomware now downloads a .zip file containing the ransom note using a GET request from hxxp[:]//20.100.168[.]3[:]1974/alertmsg[.]zip and extracts it in the directory created in the above step. The figure below shows the network activity and extracted files.

Figure 9 – Downloading Ransom Note

The downloaded .zip file contains a ransom note which will be common to all victims. After infecting a system, the ransomware appends data to ransom notes such as System ID, unique identifier of each victim, BTC address for the ransom payment, date of infection, and JavaScript codes to start the timer, which will also increase the ransom amount after a specific timeframe.

The ransomware adds these details in the ransom note to make the ransom note more specific to the Victim. The figure below shows the code snippet used by the ransomware to add data to the ransom note.

Figure 10 – Appending Data to Ransom Note

RetrieveFiles

Now Ransomware searches files in the victim’s machine for its encryption process. It executes the DriveInfo.GetDrives() method to get the names of all logical drives in the machine and encrypts only files present in the USERPROFILE directory of C Drive.

The ransomware also targets all directories in other drives and encrypts files present in the directory. The ransomware encrypts files having extensions such as .pptx, .docx, .doc, .xlsx, .txt, .pdf, .500, .jpeg, .jpg, .png.

Figure 11 – File Types Targeted by Punisher Ransomware

Before encrypting files, the ransomware generates a key for encryption using the following steps:

1. The ransomware creates a string by concatenating the strings 2202sb+Volume Serial Number+ punished.
2. It converts the concatenated string into a BYTE array.
3. Finally, it calculates the MD5 hash of the array object.

The ransomware uses this MD5 hash as a final key and encrypts files using the AES-128 algorithm. The ransomware also changes the extension of the encrypted files to “.punisher” and makes them unusable, as shown below.

Figure 13 – Encrypted Files

AlertingUser

After encrypting files, it opens ransom notes in the browser using full-screen mode and demands $1000 as a ransom payment. The ransomware also drops ransom notes as a shortcut file named “unlock your files.lnk” in locations such as Desktop, Startup, and Start Menu so that the ransom alert will be shown to victims when they log in to their affected systems.

Conclusion

Threat Actors are Adopting various techniques to spread malware infection. This blog also covers a known case of ransomware spreading through fake COVID portals. Punisher ransomware appears to be targeting individuals rather than targeting corporate networks. The files encrypted by this ransomware can also be easily decrypted as it uses AES-128 symmetric algorithm for its encryption.

Our Recommendations

We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

• Download COVID-19-related applications only from verified sources.
• Conduct regular backup practices and keep those backups offline or in a separate network.
• Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
• Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
• Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

• Detach infected devices on the same network.
• Disconnect external storage devices if connected.
• Inspect system logs for suspicious events.

Impact And Criticality of Ransomware attack

• Loss of valuable data.
• Loss of the organization’s reputation and integrity.
• Loss of the organization’s sensitive business information.
• Disruption in organization operation.
• Financial loss.

MITRE ATT&CK® Techniques

Indicators Of Compromise