{"id":86587,"date":"2018-08-08T17:55:38","date_gmt":"2018-08-08T12:25:38","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=86587"},"modified":"2018-08-09T12:18:06","modified_gmt":"2018-08-09T06:48:06","slug":"beware-armage-ransomware-file-destroyer","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/beware-armage-ransomware-file-destroyer\/","title":{"rendered":"Beware of the Armage Ransomware – the File Destroyer!"},"content":{"rendered":"

In July last week, Quick Heal Security Labs detected a new ransomware called Armage. It appends \u2018.Armage\u2019 extension to files it encrypts.<\/p>\n

Armage ransomware uses the AES-256 encryption algorithm to encode files making them inoperable. It spreads via spam emails and corrupted text files.<\/p>\n

Technical analysis<\/strong><\/p>\n

Once executed on the infected computer, Armage ransomware opens the command line message narrating the encryption algorithm it has used. See fig 1.<\/p>\n

\"\"<\/p>\n

Fig 1. Command line prompt<\/p>\n

The ransomware does not drop any artifact to perform the malicious activity or to encrypt data. The entire malicious activity (encryption) is carried out by the mother file itself.<\/p>\n

After invading, the ransomware searches for the first file alphabetically to encrypt the data using Windows API FindFirstFileA as shown in fig 2 and to find the next file it has used FindNextFileA API as shown in fig 3.<\/p>\n

\"\"<\/p>\n

Fig.2 FindFirstfileA API is used.<\/p>\n

\"\"<\/p>\n

Fig 3. FindNextFileA API is used to find the files recursively<\/p>\n

After encrypting the data from the folder, Armage drops \u2018Notice.txt\u2019 – a ransom note mentioning the ransom to be paid with other details. Further, the ransomware drops \u2018Notice.txt\u2019 in all the folders wherever data is encrypted.<\/p>\n

\"\"<\/p>\n

Fig.4 Code used to create a new file \u2018Notice.txt\u2019<\/p>\n

\"\"<\/p>\n

Fig 5. Code used to show details to the victim<\/p>\n

The ransom note also mentions the below.<\/p>\n

\u2018Your files was encrypted using AES-256 algorithm. Write me to e-mail: armagedosevin@aol.com to get your decryption key.\u2019<\/em><\/p>\n

As per the PE file analysis, we have found that ransomware injects itself into the processes that run with the administrative privileges so that it can delete shadow copies using command \u2018vssadmin delete shadows \/all.<\/p>\n

This command executes the vssadmin.exe utility and deletes all copies quietly. Fig 5 below shows the code used to delete the shadow copies.<\/p>\n

\"\"<\/p>\n

Fig 6. Code used to delete the shadow copies<\/p>\n

Below are the API\u2019s used by ransomware to encrypt the data.<\/p>\n

\"\"<\/p>\n

Fig 7. API\u2019s used to encrypt the files<\/p>\n

The ransomware encrypts all PE and Non-PE files with \u2018.armage\u2019 extension as shown below.<\/p>\n

\"\"<\/p>\n

Fig 8. Encrypted files with \u2018.armage\u2019 extension<\/p>\n

How Quick Heal protects its users from the Armage ransomware<\/strong><\/p>\n

Quick Heal successfully blocks Armage with the following multilayered protection layers:<\/p>\n