
An X-Labs Guide to Ransomware and How it Works


In Microsoft’s Digital Defense Report 2024, they observed that ransomware attacks have increased 2.75x compared to 2023. And it’s clear the trend won’t be slowing any time soon—Cybersecurity Ventures estimates that ransomware could cost organizations $265 billion annually by 2031. 

What is Ransomware?

Ransomware is a type of malicious software that encrypts a victim's data, rendering it inaccessible until a ransom is paid, typically in cryptocurrency. Hackers favor ransomware for its high return on investment, exploiting weak security measures to demand payments often costing organizations millions. They leverage double extortion, threatening to leak sensitive data if demands aren't met, amplifying the pressure. 

Trends show ransomware attacks are increasingly targeting critical infrastructure, deploying advanced techniques like "living off the land" types of attacks, often using AI-enhanced malware. And ransomware-as-a-service (RaaS) platforms enable less skilled criminals to join the fray. 

Given the momentum, the X-Labs team decided to write a hands-on blog post that shows how ransomware attacks work. For this post, we'll analyze a sample that bears a resemblance to Maze ransomware. This attack is typically delivered as a VBScript attachment in email. Like Maze, it uses AES encryption, appends random extensions to the encrypted files and leaves a ransom note.

Fig. 1 - Attack chain

Here's a look at the lure email:

Fig. 2 - Lure email

The VBScript kicks things off:

Fig. 3 - VBScript

Upon execution, the VBScript follows these steps:

  • Creates the folder C:\WinXRAR
  • Opens a clean decoy PDF impersonating Old Mutual
  • Downloads Crawl[.]exe and Bootxr[.]exe into the created folder from 45.125.67[.]168
  • After the download, executes them through PowerShell using cmd /c
  • Deletes the file

Fig. 4 - Decoy PDF

And here's a look at the created folder:

Fig. 5 - Created folder

Analysis of Crawl[.]exe

The file crawl[.]exe is downloaded and executed while the decoy PDF is displayed. Below is a brief analysis of crawl[.]exe.

Static analysis gives us much more information on the behaviour of the file. Examining the strings in PE Studio, the following notable imports and strings indicate that the file is malicious.

A few notable strings:

  • CreateToolhelp32Snapshot
  • \wmic[.]exe
  • \Decryptfiles[.]txt
  • SleepEx
  • BCryptGenRandom
  • RegOpenKey
  • RegCloseKey
  • Shadow copy delete

And that paves the way for a few suspicious notable imports:

Fig. 6 - Suspicious imports

Here's where the strings reveal the ransom note:

Fig. 7 - Ransom note

Additionally, the file also kills several processes as shown in the highlighted section below in Fig. 8.

Fig. 8 - Killing several processes

These include the following security and system processes, among others:

  • taskkill/
  • Avpmapp.exe
  • Cmd.exe
  • K7TSecurity.exe
  • K7AVScan.exe
  • av_task.exe
  • FilMsg.exe
  • FilUp.exe

From here, let's move on to a deeper analysis of the file. The IDA view shows multiple anti-VM checks built on IsDebuggerPresent.

Fig. 9 - IsDebuggerPresent anti-VM technique

When this file is executed in a virtual machine (VM), it creates multiple threads before running the main malware routine, which speeds up the encryption of files. This is done through the CreateThread Windows API. We set a breakpoint on CreateThread, and each time it was stepped over a new thread was created. Before reaching the next breakpoint, it creates 106 threads.

If we don't set a breakpoint on CreateThread, it creates the threads and carries on executing.

Fig. 10 - Multiple thread creation

Next, we put a breakpoint at IsDebuggerPresent, to halt the process:

Fig. 11 - Registry changes and malware execution

Registry changes are made under HKLM\System\CurrentControlSet\Control\Cryptography\Provider by modifying the value that specifies the encryption type; here it is AES. Every time a folder or file is encrypted, the value is read from the registry entries and a random four-character extension is appended to the files.

This ransomware also deletes Windows file backups (shadow copies) through an obfuscated command that reaches wmic.exe via a path padded with bogus directories and ..\ traversals:

c:\AsicvR\Asic\..\..\Windows\Asic\Asic\..\..\system32\Asic\Asic\..\..\wbem\Asic\Asicv\..\..\wmic.exe shadowcopy delete

The file also deletes itself after execution completes, using the command below, where %s is replaced with its own filename (the ping call acts as a short delay before the Del):

cmd.exe /C ping 1.1.1[.]1 -n 1 -w 3000 > Nul & Del /f /q "%s"
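As an added illustration of how a defender might turn the observations above (the traversal-padded wmic.exe shadowcopy delete, the ping-then-Del self-removal, and the taskkill of security products from the kill list) into detection logic over process command lines, here is a small Python classifier. It is example code written for this guide, not Forcepoint's or the malware's own code, and the sample command lines are constructed to mirror the post.

```python
import re

# Constructed sample command lines modelled on the behaviour described in the
# post (defanged IP kept as written there); they are not real telemetry.
SAMPLE_CMDLINES = [
    r"c:\AsicvR\Asic\..\..\Windows\Asic\Asic\..\..\system32\Asic\Asic\..\..\wbem\Asic\Asicv\..\..\wmic.exe shadowcopy delete",
    r'cmd.exe /C ping 1.1.1[.]1 -n 1 -w 3000 > Nul & Del /f /q "C:\WinXRAR\Crawl.exe"',
    r"taskkill /F /IM K7TSecurity.exe",
    r"C:\Windows\System32\wbem\wmic.exe os get caption",  # benign wmic use
    r"cmd.exe /C ping 8.8.8.8 -n 4",  # benign ping
]

# Security products taken from the kill list in the post.
SECURITY_PROCESSES = {"avpmapp.exe", "k7tsecurity.exe", "k7avscan.exe", "av_task.exe"}


def normalize_path(token: str) -> str:
    # Collapse '.' and '..' segments so a traversal-padded path (the
    # AsicvR/Asic/../.. form from the post) resolves to its real target.
    parts = []
    for seg in re.split(r"[\\/]+", token):
        if seg in ("", "."):
            continue
        if seg == "..":
            # Step up one level, but never pop a drive letter such as 'c:'.
            if parts and not (len(parts) == 1 and parts[0].endswith(":")):
                parts.pop()
            continue
        parts.append(seg)
    return "\\".join(parts).lower()


def classify(cmdline: str) -> list:
    # Return the names of the rules (derived from the post) that match.
    hits = []
    lowered = cmdline.lower()
    tokens = cmdline.split()
    image = normalize_path(tokens[0]) if tokens else ""
    # Rule 1: wmic.exe deleting shadow copies, whatever padding the path carries.
    if image.endswith("wmic.exe") and "shadowcopy" in lowered and "delete" in lowered:
        hits.append("shadowcopy_delete")
    # Rule 2: ping used as a delay, chained with a forced delete (self-removal).
    if re.search(r"ping\s+\S+\s+-n\s+\d+\s+-w\s+\d+.*&\s*del\s+/f\s+/q", lowered):
        hits.append("self_delete")
    # Rule 3: taskkill aimed at one of the security products in the kill list.
    if "taskkill" in lowered and any(p in lowered for p in SECURITY_PROCESSES):
        hits.append("security_process_kill")
    return hits
```

Running classify over process-creation command lines from EDR or Sysmon telemetry flags the three behaviours while leaving the ordinary wmic and ping invocations alone; the path normalisation is what keeps Rule 1 effective against the padding trick.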

Fig. 12 - File deletes itself after making changes

Fig. 13 - Registry changes and file encryption

Encryption of files:

Fig. 14 - Performing file/folder encryption

The ransomware encrypts photos, videos and documents, leaving executables and DLLs untouched. After encryption is complete, it drops a Decryptfiles.txt in each folder and subfolder, and the encrypted files of the types mentioned above carry a random four-character extension. The behaviour is similar to the Maze ransomware that was active from 2019 to 2020.

Fig. 15 - Encrypted files

Fig. 16 - Ransom note (first part)

Fig. 17 - More ransom note details

Ransomware campaigns like this one start as a VBScript attached to an email that lures the user into viewing a document. Once the user opens the document and executes the VBScript, it displays a PDF impersonating Old Mutual, an African financial services company. The PDF is merely a decoy. Once opened, the attachment calls a PowerShell script that creates a folder and downloads two files from an IP address: one a miner and the other the ransomware. The ransomware runs automatically in the background, encrypting important documents, photos and videos. By the time the user closes the PDF, the system is usually already infected, and a text file named Decryptfiles.txt has been dropped asking the user to pay the ransom to get the files unlocked.

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

  • Stage 2 (Lure) – Malicious VBS attachments associated with these attacks are identified and blocked.
  • Stage 3 (Redirect) – URLs that download further payloads are blocked.
  • Stage 5 (Dropper File) – The dropper files are added to the Forcepoint malicious database and blocked.
  • Stage 6 (Call Home) – The associated email credentials are blocked.

IOCs


Prashant Kumar

Prashant serves as a Security Researcher for the X-Labs Threat Research Content team. He spends his time researching web and email-based cyberattacks with a particular focus on URL research, email security and analyzing malware campaigns.
