{"id":86646,"date":"2018-08-10T15:05:21","date_gmt":"2018-08-10T09:35:21","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=86646"},"modified":"2018-08-10T15:05:21","modified_gmt":"2018-08-10T09:35:21","slug":"new-net-ransomware-shrug2","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/new-net-ransomware-shrug2\/","title":{"rendered":"Again! A New .NET Ransomware Shrug2"},"content":{"rendered":"

For\u00a0several months, Quick Heal Security Labs has been observing an increase in ransomware\u00a0which are\u00a0built in\u00a0 .NET\u00a0framework. Ransomware like SamSam<\/u><\/a>, Lime <\/u><\/a>and now Shrug was found to be built in .NET framework. Malware authors are\u00a0finding it very easy to build and obfuscate malware in .NET framework rather than making them in other compilers.<\/p>\n

Quick Heal Security Labs has found a new ransomware named Shrug2<\/b><\/strong>. This ransomware demands a ransom\u00a0of 70$ in the form of Bitcoin for decrypting files.<\/p>\n

The infection vector of this ransomware is still unknown, but this file may arrive on the victim\u2019s machine via phishing emails, RDP brute force attacks, malvertising, bundled with other files, etc.<\/p>\n

Technical Analysis<\/b><\/strong><\/p>\n

Before starting file encryption, this ransomware checks for an active Internet connection in an infinite loop by trying to connect to the following\u00a0URL:<\/p>\n

\u201c<\/i><\/em>hxxp<\/i><\/b><\/em><\/strong>:\/\/clients3[.]<\/i><\/b><\/em><\/strong>google<\/i><\/b><\/em><\/strong>[.]com\/generate_204<\/i><\/b><\/em><\/strong>\u201d<\/i><\/em><\/p>\n

\"\"
Fig 1: Code to Check Internet Connection<\/figcaption><\/figure>\n

If an active Internet connection is found on the victim\u2019s system, it checks whether the system is previously infected with \u201cSHRUG2<\/b><\/strong>\u201d by checking the below registry entry:<\/p>\n

\u201c<\/i><\/em>HKCU\\ShrugTwo<\/i><\/b><\/em><\/strong>\u201d<\/i><\/em><\/p>\n

\"\"
Fig 2: ShrugTwo Existing Registry Check<\/figcaption><\/figure>\n

If the system\u00a0is not infected, then it creates a subkey\u00a0with name \u201cShrugTwo<\/i><\/b><\/em><\/strong>\u201d\u00a0<\/b><\/strong>under HKCU <\/b><\/strong>and adds respective values to it as shown in Fig 3.<\/p>\n

\u00a0<\/b><\/strong>Identifier<\/i><\/b><\/em><\/strong>:\u00a0Generated using Username of logged on user appended with a randomly\u00a0generated number between 10000 to 99999,<\/p>\n

Eg. Username\/25413<\/i><\/b><\/em><\/strong><\/p>\n

\u00a0<\/b><\/strong>Installdate<\/i><\/b><\/em><\/strong>:\u00a0Date and time when the ransomware infects the\u00a0victim’s system. This date and time is\u00a0used by the ransomware to display the time left to decrypt\u00a0the files as shown in Fig 15.<\/p>\n

\u00a0<\/b><\/strong>cryKey<\/i><\/b><\/em><\/strong>: Randomly generated AES256 bit key used to encrypt files.<\/p>\n

\u00a0<\/b><\/strong>cryIV \u00a0<\/i><\/b><\/em><\/strong>:\u00a0Randomly generated Initialization Vector used to encrypt files.<\/p>\n

\"\"
Fig 3: Creating ShrugTwo Registry and Adding Values<\/figcaption><\/figure>\n
\"\"
Fig 4: ShrugTwo Registry Entry<\/figcaption><\/figure>\n

After this, malware executes below command to grant all permissions to directory and sub-directories present in %CD%. This command was also seen to have been used by the WannaCry ransomware.<\/p>\n

icacls<\/i><\/b><\/em><\/strong>\u00a0. \/grant Everyone<\/i><\/b><\/em><\/strong>:F<\/i><\/b><\/em><\/strong>\u00a0\/T \/C \/Q<\/i><\/b><\/em><\/strong><\/p>\n

As all ransomware do, it also deletes restore points on the victim\u2019s system. For doing this, it doesn\u2019t use\u00a0trivial ransomware restore point deletion, such as<\/p>\n

vssadmin delete shadows \/all \/quiet & wmic shadowcopy delete<\/p>\n

Rather it uses a very uncommon technique using\u00a0<\/u>srclient<\/i><\/b><\/u><\/em><\/strong>.SRRemoveRestorePoint<\/i><\/b><\/u><\/em><\/strong><\/a>\u00a0<\/i><\/em>as shown below:<\/p>\n

\"\"
Fig 5: System Restore Point Deletion<\/figcaption><\/figure>\n

This ransomware encrypts files with around 76 different extensions. The list of extension is as follows:<\/p>\n

“txt, .docx, .xls, .doc, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .jpeg, .csv, .mdb, .db, .sln, \u00a0\u00a0\u00a0\u00a0.html, .php, .asp, .aspx, .html, .xml, .json, .dat, .cpp, .cs, .c, .js, .java, .mp4, .ogg, \u00a0\u00a0\u00a0\u00a0.mp3, .wmv, .avi, .gif, .mpeg, .msi, .rar, .7zip, .z, .apk, .yml, .qml, .py3, .aif, .cda, \u00a0\u00a0\u00a0\u00a0.mpa, .wpl, .mid, .pkg, .deb, .arj, .rpm, .gz, .dbf, .yml, .tar, .pl, .rb, .ico, .tif, .asp, \u00a0\u00a0\u00a0\u00a0.xhtml, .rss, .jsp, .htm, .o, .zip, .midi, .tiff, .tiff, .midi, .zip, .tar.gz, .pyw, .bmp, .sql, \u00a0\u00a0.psd, .7z”<\/p>\n

The ransomware enumerates all files with the above extensions present in C:\\\\ drive only and stores them in a list named \u201cFilesToHarm<\/i><\/b><\/em><\/strong>\u201d. This list is later used for file encryption.<\/p>\n

\"\"
Fig 6 : File Enumeration for Encryption<\/figcaption><\/figure>\n
\"\"
Fig 7: Few Entries in \u201cFilesToHarm\u201d<\/figcaption><\/figure>\n

A similar kind of list is also created with the name \u201cHarmedFiles<\/i><\/b><\/em><\/strong>\u201d<\/b><\/strong>\u00a0which contains file paths of encrypted files having the extension\u00a0\u201c.SHRUG2<\/i><\/b><\/em><\/strong>\u201d, when the demanded ransom amount is paid or time to decrypt files is elapsed. This created list is used for file decryption or deletion.<\/p>\n

\"\"
Fig 8 : File Enumeration for Decryption<\/figcaption><\/figure>\n
\"\"
Fig 9: Few Entries in \u201cHarmedFiles\u201d<\/figcaption><\/figure>\n

This Ransomware uses AES256 algorithm in CBC(Cipher Block Chaining)<\/u><\/a>\u00a0mode for encrypting enumerated files. In this type of mode,\u00a0there is a requirement\u00a0of Key<\/i><\/b><\/em><\/strong>\u00a0<\/i><\/em>along with the Initialization Vector<\/i><\/b><\/em><\/strong>(IV)<\/b><\/strong>.<\/p>\n

\u00a0<\/b><\/strong>The code\u00a0shown in Fig:\u00a010 is used to create below list and randomly selects 32 characters from it which is used as AES 256bit key.<\/p>\n

\u201c<\/b><\/strong>ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789<\/i><\/b><\/em><\/strong>\u201d<\/b><\/strong><\/p>\n

\"\"
Fig 10: AES Key Generation<\/figcaption><\/figure>\n

Similarly,\u00a0code shown in Fig:\u00a011 is used to create below list and randomly selects 16 characters from it which is used as AES 128bit IV.<\/p>\n

\u201c<\/b><\/strong>ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210<\/i><\/b><\/em><\/strong>\u201d<\/b><\/strong><\/p>\n

\"\"
Fig 11: IV Generation<\/figcaption><\/figure>\n

Previously generated Key and IV are used to encrypt file paths present in \u201cFilesToHarm<\/i><\/b><\/em><\/strong>\u201d<\/i><\/em>\u00a0<\/i><\/b><\/em><\/strong>list. Ransomware adds \u201c.SHRUG2<\/i><\/b><\/em><\/strong>\u201d\u00a0<\/b><\/strong>extension\u00a0<\/b><\/strong>to files after encryption.<\/p>\n

\"\"
Fig 12: Encrypt Files and Add Extension<\/figcaption><\/figure>\n

To encrypt files, the ransomware selects file data in chunks of 128bit. This chunk of data is encrypted using previously generated Key and IV in CBC mode.<\/p>\n

\"\"
Fig 13: AES Algorithm<\/figcaption><\/figure>\n

Once all files present in list \u201cFilesToHarm\u201d<\/i><\/b><\/em><\/strong>\u00a0<\/i><\/em>are encrypted, this ransomware sends all generated information like Identifier, Installdate, cryKey,\u00a0and\u00a0cryIV\u00a0to below CnC URL\u00a0which is present in the file.<\/p>\n

\u00a0<\/i><\/em>hxxp:\/\/tempacc11vl[.]000webhostapp[.]com\/marthas_stuff\/uphash[.]php<\/i><\/b><\/em><\/strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/i><\/em><\/p>\n

Then, the ransomware creates its shortcut on the desktop\u00a0with the name \u201c@ShrugDecryptor@<\/i><\/b><\/em><\/strong>\u201d. Name to this shortcut is given in order to fool the victim.<\/p>\n

\"\"
Fig 14: Create Shortcut to Desktop<\/figcaption><\/figure>\n
<\/div>\n

After creating a shortcut, it shows below ransom note, it contains time left to decrypt files along with bitcoin wallet address of ransomware author.<\/p>\n

\"\"
Fig 15: Ransom Note<\/figcaption><\/figure>\n
<\/div>\n

Along with file encryption, the ransomware can perform other activities like file decryption and file deletion.<\/p>\n

Files are decrypted after ransom amount in form of Bitcoin is paid to malware author at wallet address \u201c1Hr1grgH9ViEgUx73iRRJLVKH3PFjUteNx<\/i><\/b><\/em><\/strong>\u201d.<\/p>\n

<\/div>\n
\"\"
Fig 16: Function to Decrypt Files<\/figcaption><\/figure>\n

If ransom amount is not paid within a specified\u00a0time duration, all encrypted files are deleted.<\/p>\n

\"\"
Fig 17: Function to Delete Files<\/figcaption><\/figure>\n

After successful deletion of an encrypted\u00a0file, this ransomware also deletes all its traces. DeleteSubKey deletes Registry \u201cHKCU\\ShrugTwo<\/i><\/b><\/em><\/strong>\u201d and then creates a process to delete itself.<\/p>\n

<\/div>\n
\"\"
Fig 18: Self-Destruction<\/figcaption><\/figure>\n

Indicators of compromise:<\/b><\/strong><\/p>\n

MD5: 04112aec47401c3d91a92cfdf9de02e6<\/p>\n

Registry: HKCU\\ShrugTwo<\/p>\n

Bitcoin Wallet Address: 1Hr1grgH9ViEgUx73iRRJLVKH3PFjUteNx<\/p>\n

URL:<\/p>\n

hxxp:\/\/clients3[.]google[.]com\/generate_204<\/p>\n

hxxp:\/\/tempacc11vl[.]000webhostapp[.]com\/marthas_stuff\/upoldhash[.]php<\/p>\n

Quick Heal<\/a>\u00a0successfully detects Shrug2 ransomware as \u201cRansom.Shrug.ZZ1<\/b><\/strong>\u201d<\/p>\n

Prevention tips<\/b><\/strong><\/p>\n

    \n
  1. Regularly take a backup of your important data in external drives like HDD, pen drive or Cloud storage.<\/li>\n
  2. Install an antivirus and keep it updated.<\/li>\n
  3. Keep your Operating System and software up-to-date.<\/li>\n
  4. Never click on links or download attachments from any unknown or unwanted sources.<\/li>\n<\/ol>\n

    Subject Matter Expert<\/strong><\/p>\n

    Piyush Bansal,\u00a0 Pratik Pachpor | Quick Heal Security Labs<\/p>\n

    <\/div>\n","protected":false},"excerpt":{"rendered":"

    For\u00a0several months, Quick Heal Security Labs has been observing an increase in ransomware\u00a0which are\u00a0built in\u00a0 .NET\u00a0framework. Ransomware like SamSam, Lime and now Shrug was found to be built in .NET framework. Malware authors are\u00a0finding it very easy to build and obfuscate malware in .NET framework rather than making them in other compilers. Quick Heal Security […]<\/p>\n","protected":false},"author":51,"featured_media":86665,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[164,910],"tags":[1300,1020,331,49],"class_list":["post-86646","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-crime","category-ransomware","tag-data-backup","tag-data-loss-prevention","tag-encryption","tag-malware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86646"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/51"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=86646"}],"version-history":[{"count":4,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86646\/revisions"}],"predecessor-version":[{"id":86669,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86646\/revisions\/86669"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/86665"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=86646"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=86646"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=86646"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}