Over the years, Stroz Friedberg Incident Response Services has observed threat actors use unusual and sometimes clever malware evasion techniques, but the latest Ragnar Locker evasion technique will probably take the cake for 2020. We have been closely monitoring this technique and have seen some interesting changes in Q2 of 2020. Before we delve into the latest changes we want to provide some history on Ragnar Locker.
Background
Ragnar Locker is a relatively new ransomware strain that was discovered in December of 2019, but it didn’t get much attention until February 2020 when BleepingComputer published an article about it specifically targeting ConnectWise and Kaseya which are commonly used by managed service providers. Unlike some of the more common ransomware variants, Ragnar Locker is not known to be a “Ransomware as a Service” (RaaS), where affiliates pay ransomware developers for the ability to use the malware on victim networks. Further, the Ragnar Locker group has in past attacks stolen victim data and used a “public shaming” website to “encourage” its victims to pay the ransom.
In late May, Sophos released information about a new evasion technique used by Ragnar Locker, an MSI installer that installs a VirtualBox hypervisor complete with a pre-made virtual machine containing the Ragnar Locker ransomware. The MSI includes a script, “install.bat”, that configures VirtualBox share folders for each drive mounted on the host. The virtual machine then attempts to map all shared folders, effectively giving it access to all drives from the host for encryption. While the evasion method is unique and effective, since most antivirus can’t stop the encryption from occurring because it doesn’t have visibility into the virtual machine, the package is bulky (~100 MB). The overall evasion and execution technique showcases the many ways threat actors are evolving their tooling, tactics and techniques in order to complete their encryption goal.
Things took an unexpected turn in June when the Maze ransomware group announced several new partnerships, including one with the Ragnar Locker group. The Maze “Public Shaming” site then began attributing specific attacks to Ragnar Locker, seemingly taking over victim announcements and negotiations. It was around this time we observed the updates to the MSI ransomware installer. The Ragnar Locker group is still using VirtualBox wrapped in an MSI installer, but now the ‘payload’ is Maze ransomware.
The Maze Virtual Machine
The previous version of Ragnar Locker’s MSI was held together by a collection of batch scripts and text files. The process looked something like this:
The process works, but there are some unnecessary steps that the new version streamlines. First, va.exe and install.bat have been combined into a single GoLang DLL named “AzamatOutDll.dll”. Azamat is stored as a binary stream in the MSI and is executed as a CustomAction.
This approach maintains all the malicious setup functionality in the context of Msiexec.exe, which is a legitimate and signed process that is part of the Windows operating system. This makes it more difficult for security tools to detect and prevent execution. To further protect its functionality, each of Azamat’s strings are XOR’ed with a unique key and then stored as a base64 value.
The MSI also changes how it accesses files on the host. The original “install.bat” script creates a share folder in the VirtualBox config for each drive that is mounted on the system. Azamat instead creates symbolic links to its encryption targets in the “C:\SDRSMLINK” directory of the infected system. Depending on the version of the OS, Azamat can use the built-in mklink command or one of two tools included in the MSI “ln.exe” and “senable.exe” for creating the symbolic links.
Finally, the MSI will run the virtual machine, which has been upgraded from prior versions that contained the Ragnar Locker ransomware. Now, instead of running Windows XP, the virtual machine is running Windows 7. This update increases the MSI size from about 120 MB to somewhere between 650 and 800 MB.
Like AzamatOutDll, vrun.exe is written in Golang and replaces the vrun batch script from the original version of the VBox wrapper, taking on the tasks of mounting the share folders and, ultimately, executing ‘payload’. In the samples we have observed, the payload is a Maze Ransomware DLL, which supports the partnership between Ragnar Locker and Maze. Now the process looks like this:
The updated, streamlined version of Ragnar Locker greatly reduces the number of ways the encryption process can be interrupted.
How to defend your organization
Ransomware is now the default for financially motivated threat actors. Here are some ways you can help combat the threat to your organization:
- Phishing is a common method threat actors will use to gain initial access to your environment. Phishing detection and controls, as well as user awareness training on common phishing methods can help prevent some many of these attacks.
- Follow up on all alerts triggered by your antivirus solution, even if the AV claims it blocked or cleaned the threat.
- Most ransomware actors use post-exploitation frameworks, such as Cobalt Strike, for lateral movement and C&C. Blocking the default Cobalt Strike SSL certificate using your IPS is an effective measure against many actors.
- Block third-party cloud storage, especially sites like MEGA.
- Blocking the installation of virtual machines where possible. Consumer virtual machine software, like VirtualBox, isn’t typically a requirement of servers.
Additionally, we recommend alerting and blacklisting (where possible) the following executables to help delay and detect the ransomware execution:
ATT&CK Mapping
- Initial Access
- T1566 – Phishing
- T1133 – External Remote Services
- Execution
- T1059.001 – Command and Scripting Interpreter: PowerShell
- T1047 – Windows Management Instrumentation
- Persistence
- T1053.005 – Scheduled Task/Job: Scheduled Task
- Defense Evasion
- T1218.007 – Signed Binary Proxy Execution: Msiexec
- T1564.006 – Hide Artifacts: Run Virtual Instance
- Credential Access
- T1110 – Brute Force
- T1003.001 – OS Credential Dumping: LSASS Memory
- T1003.003 – OS Credential Dumping: NTDS
- Lateral Movement
- T1021.001 – Remote Services: Remote Desktop Protocol
- T1021.002 – Remote Services: SMB/Windows Admin Shares
- T1021.006 – Remote Services: Windows Remote Management
- Command and Control
- T1071.001 – Application Layer Protocol: Web Protocols
- Exfiltration
- T1567.002 – Exfiltration to Cloud Storage
- Impact
- T1486 – Data Encrypted for Impact
Authors: Daniel Spicer and Partha Alwar