A ransom note, UNLOCK_FILES.793DF82AFCB81B75.txt, appeared on computers throughout a company and when triaging what happened, encrypted files were observed. The ransom note (shown below) gave specific instructions as to what was happening, details on how to resolve the problem and a link where to contact them.
A typical ransomware response was initiated, and forensic analysis was completed. An unpatched FortiGate appliance, which controlled Remote Desktop Protocol (RDP) access for users, was found to be the likely entry point into the environment.
This vulnerability allows any user to connect without having to authenticate, allowing access and granting administrator privileges. This access was leveraged and a user account was created that had a similar name to that of a legitimate administrator account. PSEXESVC was executed which let users execute processes on remote systems without the need to have any kind of client software present on the remote computers. The threat actors used RDP to find the domain controller which became the hub of their activity.
Cobalt Strike was executed which has the ability to create connections (using Cobalt Strike servers) to compromise networks and create persistent channels between the target and the attackers. In this instance "Cobalt Strike” was renamed “rsmvc.dll” which was run from the domain controller. Also, “klink.exe” was executed on the domain controller which is a free telnet/ssh client for Windows. Connections to most systems in the environment was done via RDP.
The threat actor was in the environment for five days before an attempt to launch the ransomware payload. File 793DF82AFCB81B75.64.exe was executed but only ran for 30 seconds before terminating. The threat actor downloaded an .exe to .msi program and ran 793DF82AFCB81B75.64.msi but it also terminated after 30 seconds. The threat actor created a batch file named “start.bat” which appeared to copy “793DF82AFCB81B75.64” to every server. Also, a batch file named “rmd.bat” was run. This allowed the threat actor to update the configuration for the endpoint software.
Scheduled tasks were created to automate the ransomware deployment but that too was unsuccessful. As the ransom note and encrypted files were discovered, the threat actor was blocked. Some files were encrypted but a large majority were not.
Key Takeaways
-
It is believed that there was no C2 beaconing due to the direct connection via telnet and RDP.
-
There was no forensic evidence that indicated what data was exfiltrated from the environment.
-
Unpacking and analyzing the malware did not reveal anything with a unique signature.
-
The ransomware appeared to be generic, possibly an edited version of a previous variant.
-
Initial negotiations with this group indicated they may be new due to not having an active “shame” site and trouble with them configuring their direct chat channel.
After a few weeks, they had their “shame” active and had posted victim data. All victim data that was posted appeared to be from current victims. There was no historical data as is observed with other sites.
793DF82AFCB81B75.64.exe (MD5 1f61c4e1e363f44094432045b2251497)
793DF82AFCB81B75.64.msi (MD5 19d7382e3e9069b1fc6e9629f2ccf0b4)
Jeffrey Wappelhorst also contributed to this article.