In September 2021, Accenture was engaged on an emergency incident response for a ransomware attack. During the investigation, we found no correlations between the tools used by the threat actor, ransom note format or threat actor communications and other ransomware attacks. Later correspondence with the threat actor confirmed that this was indeed a new threat to which we assigned the codename ‘Wobbegong’.

Over the past 24 months, Accenture has observed a sharp increase in ransomware incidents, tools, and threat groups. Most of the newer groups we have observed have been splinter groups that have separated from other groups. They often share many of the same tools and techniques as their former affiliates. The vast majority of ransomware groups Accenture has come across, including more recent splinter groups, operate with a mature capability developed over years of experience executing ransomware attacks.

However, the potential financial rewards, low risk and low technical barriers to entry may be enticing new entrants to ransomware extortion with relatively low levels of experience, creating new risks for victims.

In this blog post, we examine the risks posed by these new entrants, analyse Wobbegong’s tactics, techniques, and procedures (TTPs), and outline proactive steps Cyber Defence teams can take to defend against Wobbegong and related threat actors.

THREAT ACTOR

One of the first steps in any ransomware investigation is to identify the threat actor. Knowing who the threat actor is can speed up and reduce the effort required to contain the threat by enabling the response team to identify and proactively hunt for known prior tradecraft. During the initial investigation, Accenture was unable to identify any correlations between the infrastructure, tools, ransomware notes, payment wallets or engagement channels used by Wobbegong and any other known ransomware threat actors. However, later during the investigation, a user on a Bleepingcomputer.com forum posted a question regarding a ransomware attack that referenced the same TOX user ID and a ransom note that correlated with Wobbegong, suggesting that this incident wasn’t isolated and that more attacks are likely to follow.

The extortion note left by Wobbegong’s ‘Locker’ ransomware:

Many of the ransomware attack victims Accenture works with elect to engage with the threat actor, whether they have an intention of making a ransom payment or not. It’s good practice to keep this option on the table while the investigation unfolds. During communications with the threat actor, they confirmed that they were indeed a new group.

The fact that we were dealing with a new threat actor presented several significant challenges in determining the risk to the client of making a ransom payment. It was not possible to determine whether a payment would breach international sanctions, and with no history to draw from, confidence that data could be recovered even if the ransom was paid was low. Later in the investigation, this turned out to be a very real concern.

The forensic investigation suggested that Wobbegong used CVE-2019-18935 as the initial point of entry. This vulnerability allows remote code execution through a .NET deserialization vulnerability in the RadAsyncUpload function of Progress Telerik UI for ASP.NET AJAX. Exploit code for this vulnerability can be easily found through code-sharing sites such as GitHub and Exploit-DB. While it is likely that Wobbegong has access to other exploits, it was interesting to note that both the exploit and the custom malware tools used by this threat actor are all based on the .NET framework, suggesting the threat actor may have capability or experience with this specific framework.  

Following initial entry, Wobbegong maintained access to the environment for 103 days before deploying the ransomware. This dwell time is typical of most ransomware groups that automate mass exploitation of vulnerabilities and come back at a later date to monetise their access through the deployment of ransomware. The lengthy dwell time also suggests there may be other victims of this threat who do not know they have already been compromised at the time of writing this article.

CUSTOM MALWARE – LOCKER ransomware

Accenture’s Cyber Threat Intelligence team reverse engineered the ‘Locker’ ransomware used by Wobbegong to encrypt the victim’s files. The ransomware was written using the .NET framework. Accenture’s reverse engineers found minimal effort had been made to obfuscate the code or hinder reverse engineering. This suggests the developers have a relatively low level of maturity compared to other more experienced threat actors.

The execution flow of the ransomware is as follows:

  1. Delete shadow copies
  2. Decrypt configuration string
  3. Terminate security processes and services
  4. Encrypt files
  5. Cleanup

The ransomware enumerates local drives and file shares on the victim’s computer and initiates a thread to start encrypting files. It does not encrypt network shares containing the $ sign, as these are created by default in the operating system for administrative tasks and are needed for restoring files using the ransomware’s decryption tool. The ransomware also avoids encrypting files in other folders necessary for system operation, such as \Program Files and \Windows, and files with extensions that match with a defined list of extensions, such as .exe, .dll, .sys, etc.

The ransomware only encrypts files that are less than 4,294,967,167 bytes (approximately 4.29 GB) in size. It uses AES-256 encryption with a randomly generated key. Only every second 16-byte chunk is encrypted, up to the first 10 million bytes. All data beyond this limit is left untouched. This technique is consistent with other ransomware that aims to avoid detection mechanisms which identify encrypted files by checking whether the entire file has been corrupted. Once the file is encrypted, the encryption key is itself encrypted and appended to the file.

Accenture’s analysis of the ransomware identified a bug that, under certain circumstances, causes the ransomware to encrypt a file without appending the encryption key necessary for decryption. This bug is caused by an integer truncation that results in a sign conversion in the code that appends the encryption key to the end of the file.

This bug would likely affect files between 2 and 4 GB in size, meaning that even if an affected organization were to pay the ransom to receive the decryption tool, it is possible that such files may not be recoverable. This bug highlights the additional risks of dealing with less-experienced ransomware threat actors.
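As an added illustration (not code from the original analysis and not the ransomware’s own code), the following Python models the sign-conversion bug described above: if a file length is narrowed to a 32-bit signed integer before the key is appended, every length from 2 GiB up to the ransomware’s own 4,294,967,167-byte ceiling becomes negative. The exact narrowing point in the malware is our assumption; `is_unrecoverable` and `triage` are hypothetical helpers an incident responder could run over a file inventory to list files that would likely not decrypt even with the threat actor’s tool.

```python
import os
from typing import Iterable, List, Tuple

# Size ceiling stated in the analysis: files at or above this many bytes are never encrypted.
LOCKER_MAX_SIZE = 4_294_967_167


def cs_int32(value: int) -> int:
    """Emulate an unchecked C# (int) cast of a 64-bit length: keep the low 32 bits
    and reinterpret them as a signed Int32."""
    low = value & 0xFFFFFFFF
    return low - 2**32 if low >= 2**31 else low


def append_offset(file_size: int) -> int:
    """Offset where the encrypted key blob would land if the length is narrowed
    to Int32 first (our model of the bug, an assumption rather than the malware's code)."""
    return cs_int32(file_size)


def is_unrecoverable(file_size: int) -> bool:
    """True when the file is small enough to be encrypted but its truncated length
    is negative, so the key append misses the end of the file."""
    if file_size >= LOCKER_MAX_SIZE:
        return False          # skipped by the ransomware entirely
    return append_offset(file_size) < 0


def triage(inventory: Iterable[Tuple[str, int]]) -> List[str]:
    """Return the paths from a (path, size) inventory that fall in the danger window."""
    return [path for path, size in inventory if is_unrecoverable(size)]


def inventory_from_disk(root: str) -> List[Tuple[str, int]]:
    """Build a (path, size) inventory from a directory tree for real use."""
    out: List[Tuple[str, int]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                out.append((full, os.path.getsize(full)))
            except OSError:
                pass                  # unreadable entry: skip rather than abort the sweep
    return out


# Constructed sample inventory (not real victim data).
SAMPLE_INVENTORY = [
    ("D:\\shares\\finance\\ledger.xlsx", 2_048_000),        # small: key appended normally
    ("D:\\shares\\media\\training.mp4", 2**31 - 1),         # just below 2 GiB: still fine
    ("D:\\shares\\backups\\mail.pst", 2**31),               # exactly 2 GiB: offset becomes -2**31
    ("D:\\shares\\backups\\db.bak", LOCKER_MAX_SIZE - 1),   # largest size still encrypted: affected
    ("D:\\shares\\vm\\disk.vhdx", 6 * 2**30),               # above the ceiling: never encrypted
]

if __name__ == "__main__":
    for path in triage(SAMPLE_INVENTORY):
        print("at risk:", path)
```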

CUSTOM MALWARE - HARPOONBOT

A key part of Wobbegong’s toolset is another custom malware which contains the capability to perform credential dumping, establish persistence and evade Windows Defender. The malware shares method names and variable names with the ‘Locker’ ransomware, suggesting both tools were created by the same author. Accenture has named this malware ‘HarpoonBot’, based on a resource referenced in the code. HarpoonBot is written using the .NET framework and was first submitted to the VirusTotal malware library on June 8th. This was also the time when Wobbegong was first observed inside the victim’s environment.

HarpoonBot drops a version of the XMRig cryptocurrency coin miner, which was first submitted to VirusTotal in April 2021. Its presence within the attacker’s toolset suggests Wobbegong may have a hybrid cryptocurrency mining/ransomware operating model. It is also possible Wobbegong compromised the environment to deploy cryptocurrency miners, only to return months later to deploy ransomware. XMRig has been observed in other hybrid operations before, as reported by Kaspersky in October 2020.

Credential Dumping & Lateral Movement

HarpoonBot is bundled with an RC4-encrypted and compressed version of Mimikatz. Mimikatz is a popular tool used by many threat actors to access passwords stored in the Windows LSASS process, which is responsible for managing authentication and enforcing Windows security policy. Credentials harvested using Mimikatz are sent to a .onion site on the dark web. The same .onion site was observed as the threat actor’s primary command and control channel throughout the operation.

Wobbegong used Mimikatz to access credentials and then impersonated users to move laterally throughout the network and gain access to Windows Domain Administrator credentials, which were then used to deploy the ‘Locker’ ransomware. This playbook is consistent with most other ransomware threat actors.

Defense Evasion

HarpoonBot disables Windows Defender through the following registry keys:

  • "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection"
  • "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware"
  • "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring"
  • "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection"
  • "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable"
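The registry writes listed above are a useful detection signal. The following Python is an added example (not from the original post or from HarpoonBot) that runs a simple rule over Sysmon-style “registry value set” events (Event ID 13): it flags any write to the TamperProtection value and any non-zero write to the Disable* values. The one-line event format and the sample records are constructed for this example, and the process name is a placeholder.

```python
import re
from typing import Dict, List

# Registry values the analysis lists as written by HarpoonBot, grouped by parent key.
DEFENDER_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features": {"TamperProtection"},
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender": {"DisableAntiSpyware"},
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection": {
        "DisableBehaviorMonitoring", "DisableOnAccessProtection", "DisableScanOnRealtimeEnable"},
}
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")


def parse_event(line: str) -> Dict[str, str]:
    """Split a constructed one-line 'Field: value|Field: value' record into a dict."""
    return dict(part.split(": ", 1) for part in line.split("|"))


def is_defender_tamper(event: Dict[str, str]) -> bool:
    """True when a value-set event writes one of the listed Defender values to a weakening state."""
    key, _, name = event.get("TargetObject", "").rpartition("\\")
    if name not in DEFENDER_VALUES.get(key, set()):
        return False
    if name == "TamperProtection":
        return True  # assumption: any write here outside Defender's own processes deserves an alert
    m = DWORD_RE.search(event.get("Details", ""))
    return m is None or int(m.group(1), 16) != 0  # Disable* values: non-zero turns the feature off


def detect(lines: List[str]) -> List[str]:
    """Run the rule over event lines; Sysmon Event ID 13 is 'RegistryEvent (Value Set)'."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "13" and is_defender_tamper(ev):
            hits.append(f'{ev.get("Image")} wrote {ev["TargetObject"]} = {ev.get("Details")}')
    return hits


# Constructed sample events (not real telemetry); harpoon_sample.exe is a placeholder name.
SAMPLE_EVENTS = [
    "EventID: 13|Image: C:\\Windows\\System32\\svchost.exe|TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive|Details: C:\\Program Files\\OneDrive\\OneDrive.exe",
    "EventID: 13|Image: C:\\Users\\Public\\harpoon_sample.exe|TargetObject: HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware|Details: DWORD (0x00000001)",
    "EventID: 13|Image: C:\\Users\\Public\\harpoon_sample.exe|TargetObject: HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring|Details: DWORD (0x00000001)",
    "EventID: 13|Image: C:\\Windows\\System32\\gpupdate.exe|TargetObject: HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection|Details: DWORD (0x00000000)",
    "EventID: 12|Image: C:\\Users\\Public\\harpoon_sample.exe|TargetObject: HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|Details: none",
    "EventID: 13|Image: C:\\Users\\Public\\harpoon_sample.exe|TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection|Details: DWORD (0x00000004)",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

A write that resets a Disable* value to 0 (the gpupdate.exe record) is deliberately not flagged, so the rule does not fire on policy refreshes that restore protection.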

Command and Control

For command and control, HarpoonBot primarily uses the http[:]//4emn25fbv22hg73nyi73ik7jhe3wk4yfcqxo4tdbyeekq5xrhkeqiqqd[.]onion/api/ address to receive configuration information of infected systems, handle TOR POST requests, and manage the XMRig miners.

OTHER TACTICS, TECHNIQUES AND PROCEDURES

The other TTPs used by the threat actor are consistent with other ransomware threat actors and are relatively well known.

Persistence

Once Wobbegong has established initial access, they establish persistence through several actions:

  • Installing Cobalt Strike beacons
  • Installing AnyDesk Remote Desktop
  • Setting scheduled tasks to execute a PowerShell downloader contained in registry keys
  • Creating local administrator accounts

Data exfiltration

Evidence of the use of the rclone tool to upload files to the mega.co.nz file sharing cloud service was observed on the victim’s system, suggesting the threat actor attempted to exfiltrate data from the victim’s network prior to deploying the ransomware, possibly for use in a secondary extortion attempt.

The forensic investigation suggested Wobbegong was not selective with respect to what types of files or information they attempted to exfiltrate. This is inconsistent with other more mature ransomware threat actors who have become very selective in terms of the data they steal and its value to their victim. This again points to Wobbegong being a relatively inexperienced ransomware threat actor.

DEFENDING AGAINST THE THREAT

To defend against Wobbegong, Accenture recommends the following actions. Given the consistency in tradecraft between Wobbegong and other ransomware threat actors, most of these actions are equally as applicable to preventing other ransomware attacks:

Whitelist outbound access from servers to the Internet

  • Ransomware threat actors often use standard desktop sharing tools such as AnyDesk, VNC, and TeamViewer.
  • Blocking outbound access to un-trusted sites for servers is an effective control to prevent many ransomware threat actors from establishing a command-and-control channel.

Monitoring and Threat Hunting

  • Implementing dark web monitoring tools for data dumps, leaks and exposed credentials.
  • Monitoring for the use of common malicious tools including Mimikatz and Cobalt Strike beacons.
  • Threat hunting after patching critical remote code execution vulnerabilities on network perimeter systems, to make sure they weren’t backdoored before being patched.
  • Conducting regular threat hunting for the presence of unauthorized remote access utilities, and ensuring approved remote access sessions are protected using multi-factor authentication and complex passwords.

Vulnerability Management

  • Perform daily vulnerability scans against the network perimeter to identify potentially vulnerable systems and applications that could be used by threat actors to gain an initial foothold.
  • Patch network infrastructure to the highest available levels. Patch all critical security vulnerabilities, paying specific attention to perimeter systems and operating systems.
  • Scan networks for machines using Remote Desktop Protocol (RDP) and disable the protocol if not needed.

Data protection

  • Implementing encryption or password protection for documents containing sensitive personal, financial, and administrative information.
  • Archive aged sensitive data that is not currently in active use.
  • Block connections to unsanctioned file sharing sites that could be used by a threat actor to exfiltrate data from the environment, including mega.co.nz.
  • Monitoring for large amounts of suspicious outbound traffic and other abnormalities in network traffic flow that may indicate data exfiltration.

Identity and Access management

  • Implementing multi-factor authentication for all remote network access, privileged access and for access to critical applications.
  • Make sure all user accounts have long passwords & regularly test password security using commonly available password cracking tools.
  • Deploy & implement Microsoft Local Administrator Password Solution (LAPS) for managing Local Administrator accounts.
  • Deploy Microsoft Group Managed Service Accounts for Windows service accounts and implement very long passwords.

Other

  • Maintaining business continuity and disaster recovery plans that cover remediation and recovery activities to address disruption of services caused by various cyberattacks (e.g. ransomware, DDoS, BEC attacks, etc.).

CONCLUSION

Wobbegong’s activities and use of tools have demonstrated a new element of the ransomware threat: new and unsophisticated ‘copycat’ threat actors taking advantage of the potential for lucrative returns, relatively low personal risk, and the abundance of information on ransomware tradecraft. However, as demonstrated by Accenture’s experience with Wobbegong, relatively inexperienced threat actors introduce new risks which should be considered when preparing to deal with ransomware threats. Examples of these new risks include:

  • Inexperience with malware development and ransomware tradecraft may result in irreversible damage to infrastructure or data; and
  • Lack of threat actor provenance makes the process of navigating counter-terrorism financing and sanctions compliance challenging when considering whether to pay or not pay a ransom, as well as low confidence that recovery tools will work once a ransom payment is made.

APPENDIX – INDICATORS OF COMPROMISE



Registry Keys

  • HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name "setup"
  • HKLM:\SOFTWARE\Microsoft\.NETFramework -Name "F"

Registry keys used for persistence.

Scheduled Tasks

  • Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Update
  • Internet Explorer Update

Scheduled tasks used for persistence.

XMRig Crypto Wallet

  • 42KuHsJwTRpUcyaQU1s1ojTTu9pPEXsdF76ncB6a4AbiCPijPVckin6CMBkZi7skhv2xAmfXmHPcyJsnvRoX9on3LWq61PC

XMRig crypto wallet used by the HarpoonBot miner.

 

[1] Screenshot taken from Accenture’s own analysis of a test file encrypted with the ransomware

Copyright © 2021 Accenture. All rights reserved. Accenture and its logo are registered trademarks of Accenture.

Mark Sayer

Managing Director – Security, Cyber Defence Lead, AAPAC


Mack Heath

Senior Consulting Manager – Cyber defense, ASIAM


Chris Keune

Senior Manager – Security, ASIAM
