{"id":85748,"date":"2018-02-08T12:23:36","date_gmt":"2018-02-08T06:53:36","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=85748"},"modified":"2018-02-08T17:32:36","modified_gmt":"2018-02-08T12:02:36","slug":"runner-key-component-samsam-ransomware-campaign","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/runner-key-component-samsam-ransomware-campaign\/","title":{"rendered":"The Runner: a key component of the SamSam ransomware campaign – An analysis by Quick Heal Security Labs"},"content":{"rendered":"

In Jan 2018, Greenfield, Indiana-based Hancock Health (healthcare network) was attacked by SamSam ransomware. It encrypted the files containing patients\u2019 data which disrupted their critical services. Even though SamSam is not a new ransomware, it has evolved over a period of time. We had observed its first variant in Feb 2016 that used the RSA algorithm to encrypt targeted users\u2019 files. However, this time, we have observed a significant change in the way this ransomware was launched. The major difference between the old and new variants is the use of the executable ‘runner.exe’ \u2013 it decrypts the ‘.stubbin’ extension file and executes the decrypted content. The result of the decryption is a SamSam ransomware file.<\/p>\n

Fig 1 below depicts the attack chain of the current SamSam ransomware campaign.<\/p>\n

\"\"
Fig 1. SamSam Ransomware attack chain<\/figcaption><\/figure>\n

 <\/p>\n

The technique of deployment makes the \u2018Runner\u2019 a key component in the SamSam ransomware campaign. However, we are not aware of the source of infection for ‘runner.exe’. In this post, we will be taking a deeper look into ‘runner.exe’ \u2013 a key component of this campaign.<\/p>\n

The Runner<\/strong><\/p>\n

We have seen different variants of \u2018runner.exe\u2019 in the last few months. With every variant, we noticed a change in the number of arguments passed to ‘runner.exe’. The first argument is used as a password to decrypt the ‘.stubbin’ file and the remaining arguments are passed to decrypt the payload which is the SamSam ransomware.<\/p>\n

\"\"
Fig 2. Execution sequence of the Runner<\/figcaption><\/figure>\n

Let\u2019s look at the details of the .NET compiled executable (runner.exe) of the variant with three command line arguments.<\/p>\n

\"\"
Fig 3. Execution sequence code<\/figcaption><\/figure>\n

\u2018Runner.exe\u2019 searches for files with the \u2018.stubbin\u2019 extension in its current working directory. The first file found is the desired encrypted file. It then copies the content of the file into an array (arg_4E_0) and deletes the original \u2018.stubbin\u2019 file. The array of encrypted bytes and the first argument from the command line (password) is passed to the ‘Decrypt’ function. The Runner then loads the decrypted bytes into the memory and executes it by passing its remaining command-line arguments as the input.<\/p>\n

Decryption of ‘.stubbin’ file<\/strong><\/p>\n

\u2018Runner.exe\u2019 uses the Rijndael algorithm to decrypt the bytes passed as Cipher data. This is a symmetric key cryptographic algorithm. Here, it uses a 32 bytes key and 16 bytes of Initialization Vector (IV) to decrypt the \u2018.stubbin\u2019 file.<\/p>\n

Figure 4 below shows the generation of key and IV using password.<\/p>\n

\"\"
Fig 4 .IV and Key generation<\/figcaption><\/figure>\n

‘PasswordDeriveBytes’ class is used to generate a key and IV. It is a pre-defined .NET constructor which takes a password and salt as an input to generate a key. Salt is a random data used as an additional input to a function that \u201chashes\u201d the password and used to make a common password uncommon.<\/p>\n

Fig 5 below shows the decryption routine which decrypts the SamSam ransomware file.<\/p>\n

\"\"
Fig 5 .Decryption routine of core .stubbin file<\/figcaption><\/figure>\n

‘CryptoStream’ constructor and Rijndael decryptor are used for cryptographic operations which are performed on CipherData. Using IV, the key to Rijndael algorithm on Cipher data will result in the ransomware payload.<\/p>\n

The runner variants<\/strong><\/p>\n

In the oldest version of SamSam ransomware, no ‘runner.exe’ was observed. Only the payload got executed with an RSA symmetric key as a command-line argument. But, the latest variant uses ‘runner.exe’ with 4 arguments.<\/p>\n

Fig 6 below shows the difference between the arguments passed in different variants of ‘runner.exe’.<\/p>\n

\"\"
Fig 6 .Variants of ‘runner.exe’<\/figcaption><\/figure>\n

We are also observing a few variants using obfuscation in their code and function names.<\/p>\n

\"\"
Fig 7 .Obfuscation in ‘runner.exe’<\/figcaption><\/figure>\n

The deployment techniques used in the SamSam ransomware campaign makes the retrieval of the core ransomware difficult. It thus hinders the process of providing static detections on the SamSam ransomware file. A timedatestamp trait in the variants depicts the arrival of fresh variants of ‘runner.exe’ every month. So, in the coming days, we may see new variants with more obfuscation and with some advanced functionalities.<\/p>\n

Indicator of compromise<\/strong><\/p>\n

D8469E625AE90AB64D4AEF0B63F42150<\/p>\n

7A25B0D43047552CBDAD17CFB488317D<\/p>\n

038FB413F51B0AB7EB088E0F3EA7BE90<\/p>\n

A82DB52BC6F1E5477EB1809CD5F23489<\/p>\n

Subject Matter Experts<\/p>\n

Dhwanit Shrivastava, Yogesh Bane | Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"

In Jan 2018, Greenfield, Indiana-based Hancock Health (healthcare network) was attacked by SamSam ransomware. It encrypted the files containing patients\u2019 data which disrupted their critical services. Even though SamSam is not a new ransomware, it has evolved over a period of time. We had observed its first variant in Feb 2016 that used the RSA […]<\/p>\n","protected":false},"author":43,"featured_media":85763,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24,910,5],"tags":[49,50,1581],"class_list":["post-85748","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware","category-ransomware","category-security","tag-malware","tag-ransomware","tag-samsam"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85748"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/43"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=85748"}],"version-history":[{"count":5,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85748\/revisions"}],"predecessor-version":[{"id":85766,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85748\/revisions\/85766"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/85763"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=85748"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=85748"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=85748"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}