In September 2021, Accenture was engaged on an emergency incident response for a ransomware attack. During the investigation, we found no correlations between the tools used by the threat actor, ransom note format or threat actor communications and other ransomware attacks. Later correspondence with the threat actor confirmed that this was indeed a new threat to which we assigned the codename ‘Wobbegong’.

Over the past 24 months, Accenture has observed a sharp increase in ransomware incidents, tools, and threat groups. Most of the newer groups we have observed have been splinter groups that have separated from other groups. They often share many of the same tools and techniques as their former affiliates. The vast majority of ransomware groups Accenture has come across, including more recent splinter groups, operate with a mature capability developed over years of experience executing ransomware attacks.

However, the potential financial rewards, low risk and low technical barriers to entry may be enticing new entrants to ransomware extortion with relatively low levels of experience, creating new risks for victims.

In this blog post, we examine the risks posed by these new entrants, analyses Wobbegong’s tactics, techniques, and procedures (TTPs), and outline proactive steps Cyber Defence teams can take to defend against Wobbegong and other related threat actors.

THREAT ACTOR

One of the first steps in any ransomware investigation is to identify the threat actor. Knowing who the threat actor is can speed up and reduce the effort required to contain the threat by enabling the response team to identify and proactively hunt for known prior tradecraft. During the initial investigation, Accenture was unable to identify any correlations between the infrastructure, tools, ransomware notes, payment wallets or engagement channels used by Wobbegong and any other known ransomware threat actors. However, later during the investigation, a user on a Bleepingcomputer.com forum posted a question regarding a ransomware attack that referenced the same TOX user ID and a ransom note that correlated with Wobbegong, suggesting that this incident wasn’t isolated and that more attacks are likely to follow.

The extortion note left by Wobbegong’s ‘Locker’ ransomware:

Many of the ransomware attack victims Accenture works with elect to engage with the threat actor, whether they have an intention of making a ransom payment or not. It’s good practice to keep this option on the table while the investigation unfolds. During communications with the threat actor, they confirmed that they were indeed a new group.

This fact that we were dealing with a new threat actor presented several significant challenges in terms of determining the risk to the client in making a ransom payment. It would not be possible to determine if they would be in breach of international sanctions and with no history to draw from, confidence was not high that data could be recovered even if the ransom was paid. Later in the investigation, this turned out to be a very real concern.

The forensic investigation suggested that Wobbegong used CVE-2019-18935 as the initial point of entry. This vulnerability allows remote code execution through a .NET deserialization vulnerability in the RadAsyncUpload function of Progress Telerik UI for ASP.NET AJAX. Exploit code for this vulnerability can be easily found through code-sharing sites such as GitHub and Exploit-DB. While it is likely that Wobbegong has access to other exploits, it was interesting to note that both the exploit and the custom malware tools used by this threat actor are all based on the .NET framework, suggesting the threat actor may have capability or experience with this specific framework.  

Following initial entry, Wobbegong maintained access to the environment for 103 days before deploying the ransomware. This dwell time is typical of most ransomware groups that automate mass exploitation of vulnerabilities and come back at a later-date to monetise their access through the deployment of ransomware. The lengthy dwell time also suggests there may be other victims of this threat who do not know they have already been compromised at the time of writing this article.

CUSTOM MALWARE – LOCKER ransomware

Accenture’s Cyber Threat Intelligence team reverse engineered the ‘Locker’ ransomware used by Wobbegong to encrypt the victim’s files. The ransomware was written using the .NET framework. Accenture’s reverse engineers found minimal effort had been made to obfuscate the code or hinder reverse engineering. This suggests the developers have a relatively low level of maturity compared to other more experienced threat actors.

The execution flow of the ransomware is as follows:

  1. Delete shadow copies
  2. Decrypt configuration string
  3. Terminate security processes and services
  4. Encrypt files
  5. Cleanup

The ransomware enumerates local drives and file shares on the victim’s computer and initiates a thread to start encrypting files. It does not encrypt network shares containing the $ sign, as these are created by default in the operating system for administrative tasks and are needed for restoring files using the ransomware’s decryption tool. The ransomware also avoids encrypting files in other folders necessary for system operation, such as \Program Files and \Windows, and files with extensions that match with a defined list of extensions, such as .exe, .dll, .sys, etc.

The ransomware only encrypts files that are less than 4,294,967,167 bytes (approximately 4.29gb) in size. It uses an AES-256 encryption with a randomly generated key. Only every second 16-byte chunk is encrypted, up to the first 10 million bytes. All data beyond this limit is left untouched. This technique is consistent with other ransomware malware to avoid detection mechanisms that identify encrypted files by checking if the entire file has been corrupted. Once the file is encrypted, the encryption key is then encrypted and appended to the file.

Accenture’s analysis of the ransomware identified a bug that, under certain circumstances, causes the ransomware to encrypt a file without appending the encryption key necessary for decryption. This bug is caused by an integer truncation that results in sign conversion in the code that appends the encryption key to the end of the file:

This bug would likely affect files between 2 and 4 GB in size, meaning that even if an affected organization were to pay the ransom to receive the decryption tool, it is possible that such files may not be recoverable. This bug highlights the additional risks of dealing with less-experienced ransomware threat actors.

CUSTOM MALWARE - HARPOONBOT

A key part of Wobbegong’s toolset is another custom malware which contains the capability to perform credential dumping, establish persistence and evade Windows Defender. The malware shares common method names and variable names as the ‘Locker’ ransomware, suggesting both malware tools were created by the same author. Accenture have named this malware ‘HarpoonBot’, based on a resource referenced in the code. HarpoonBot is written using the .NET framework and was first submitted to the VirusTotal malware library on June 8th. This was also the time where Wobbegong was first observed inside the victim’s environment.

HarpoonBot drops a version of the XMRig cryptocurrency coin miner, which was first submitted to VirusTotal in April 2021. Its presence within the attacker’s toolset suggests Wobbegong may have a hybrid cryptocurrency mining/ransomware operating model. It is also possible Wobbegong compromised the environment to deploy cryptocurrency miners, only to return months later to deploy ransomware. XMRig has been observed in other hybrid operations before, as reported by Kaspersky in October 2020.

Credential Dumping & Lateral Movement

HarpoonBot is bundled with a RC4 encrypted and compressed version of Mimikatz. Mimikatz is a popular tool used by many threat actors to access passwords that are stored in the Windows LSASS process which is responsible for managing authentication and enforcing Windows security policy. Credentials harvested using Mimikatz are sent to .onion site on the dark web. The same. onion site was observed as a primary command and control channel by the threat actor throughout the operation.

Wobbegong used Mimikatz to access credentials and then impersonated users to move laterally throughout the network and gain access to Windows Domain Administrator credentials, which were then used to deploy the ‘Locker’ ransomware. This playbook is consistent with most other ransomware threat actors.

Defense Evasion

HarpoonBot disables Windows Defender through the following registry keys:

  • HKLM:\SOFTWARE\Microsoft\Windows Defender\Features -Name "TamperProtection"
  • HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware"
  • HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring"
  • HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection"
  • HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable"

Command and Control

For command and control, HarpoonBot primarily uses the http[:]//4emn25fbv22hg73nyi73ik7jhe3wk4yfcqxo4tdbyeekq5xrhkeqiqqd[.]onion/api/ address to receive configuration information of infected systems, handle TOR POST requests, and manage the XMRig miners.

OTHER TACTICS, TECHNIQUES AND PROCEDURES

The other TTPs used by the threat actor are consistent with other ransomware threat actors and are relatively well known.

Persistence

Once Wobbegong has established initial access, they establish persistence through several actions:

  • Installing Cobalt Strike beacons
  • Installing AnyDesk Remote Desktop
  • Setting scheduled tasks to execute a PowerShell downloader contained in registry keys
  • Creating local administrator accounts

Data exfiltration

Evidence of the use of the rclone tool to upload files to the mega.co.nz file sharing cloud service was observed on the victim’s system, suggesting the threat actor attempted to exfiltrate data from the victim’s network prior to deploying the ransomware, possibly for use in a secondary extortion attempt.

The forensic investigation suggested Wobbegong was not selective with respect to what types of files or information they attempted to exfiltrate. This is inconsistent with other more mature ransomware threat actors who have become very selective in terms of the data they steal and its value to their victim. This again points to Wobbegong being a relatively inexperienced ransomware threat actor.

DEFENDING AGAINST THE THREAT

To defend against Wobbegong, Accenture recommends the following actions. Given the consistency in tradecraft between Wobbegong and other ransomware threat actors, most of these actions are equally as applicable to preventing other ransomware attacks:

Whitelist outbound access from servers to the Internet

  • Ransomware threat actors often use standard desktop sharing tools such as AnyDesk, VNC, and TeamViewer.
  • Blocking outbound access to un-trusted sites for servers is an effective control to prevent many ransomware threat actors from establishing a command-and-control channel.

Monitoring and Threat Hunting

  • Implementing dark web monitoring tools for data dumps and leaks and exposed credentials.
  • Monitoring for the use of common malicious tools including Mimikatz and Cobalt Strike beacons.

Threat hunting after patching critical remote code execution vulnerabilities on network perimeter systems to make sure they haven’t been backdoored before being patched.

Conducting regular threat hunting for the presence of unauthorized remote access utilities and ensuring approved remote access sessions are protected using multi-factor authentication and complex passwords.

Vulnerability Management

  • Perform daily vulnerability scans against network perimeter to identify potentially vulnerable systems and application that could be used by threat actors to gain an initial foothold.
  • Patching network infrastructure to the highest available levels. Patching all critical security vulnerabilities, paying specific attention to perimeter systems and operating systems.
  • Scanning networks for machines using remote desktop protocol (RDP) and disabling the protocol if not needed. 

Data protection

  • Implementing encryption or password protection for documents containing sensitive personal, financial, and administrative information.
  • Archive aged sensitive data that is not currently in active use.
  • Block connections to unsanctioned file sharing sites that could be used by a threat actor to exfiltrate data from the environment, including mega.co.nz
  • Monitoring for large amounts of suspicious outbound traffic and other abnormalities in network traffic flow that may indicate data exfiltration.

Identity and Access management

  • Implementing multi-factor authentication for all remote network access, privileged access and for access to critical applications.
  • Make sure all user accounts have long passwords & regularly test password security using commonly available password cracking tools.
  • Deploy & implement Microsoft Local Administrator Password Solution (LAPS) for managing Local Administrator accounts.
  • Deploy Microsoft Group Managed Service Accounts for Windows service accounts and implement very long passwords.

Other

  • Maintaining business continuity and disaster recovery plans that covers remediation and recovery activities to address disruption of services caused by various cyberattacks (e.g. ransomware, DDoS, BEC attacks, etc.).
CONCLUSION

Wobbegong’s activities and use of tools have demonstrated a new element of the ransomware threat; new and unsophisticated ‘copycat’ threat actors taking advantage of the potential for lucrative returns, relatively low personal risk, and abundance of information on ransomware tradecraft. However, as demonstrated by Accenture’s experience with Wobbegong, relatively inexperienced threat actors introduce new risks which should be considered when preparing to deal with ransomware threats. Examples of these new risks include:

  • Inexperience with malware development and ransomware tradecraft may result in irreversible damage to infrastructure or data; and
  • Lack of threat actor provenance makes the process of navigating counter-terrorism financing and sanctions compliance challenging when considering whether to pay or not pay a ransom, as well as low confidence that recovery tools will work once a ransom payment is made. 
APPENDIX – INDICATORS OF COMPROMISE

File Hashes

Hash

Type

Filename

Description

f6cba8db67f7487b7553b164ea58ca9c

MD5

setup_1938215.exe

Trojan used to set persistence and gain initial foothold.

e45317e88277273c58f51a1f7cf4ef93

MD5

setup_00.exe

Self-extracting archive file that contains setup_1938215.exe DLLs

148026943a65dc17bd38f4346591b154

MD5

Org.Mentalis.dll

.NET DLL file contained within setup_00.exe

11bbdf80d756b3a877af483195c60619

MD5

DotNetZip.dll

.NET DLL file contained within setup_00.exe

affc560c09c60b437d6abe245691cdc8

MD5

DotNetZip.xml

.NET XML file contained within setup_00.exe

0028363af6001b2a4cdc5136ebb1fc44

MD5

SockWebProxy.dll

.NET DLL file contained within setup_00.exe

4364a406bcad1e11d06e1317190231d6

MD5

tor.exe

Tor Browser

73ad2318db1dad18ab71a6e92c2a76a4

bd1c7369830ebd781ed5eade64f8f9e4

MD5

AnyDesk.exe

AnyDesk Executables

d8b22a0989b1586ae409ef66b258f087156535509bacb5ba38ef958fb9d4ab4e

SHA256

rclone.exe

Rclone Exeuctable

8be95803a29c31706cf72692131cb19a

23c0500a69b71d5942585bb87559fe83

MD5

1622020139.7254303.dll

1623138433.9779773.dll

DLLs dropped by Telerik UI execution

2a932a40bfb1d2a1c0f37e74ba063e2a

MD5

WindowsSetup.exe

Ransomware

99e67d208e0841cc96a3a2977028b866bda0d2b9968b3e2912ec84b4d0fb4171

69f5451625294a70c96bfd5066d9b37e850bb03fb42bf0bdf0487b2e4cc6ee0e

bb65166da13144d40949b7029430cdb9c181f2d4160c3d0477bda3fdd0cac9b9

SHA256

Cobalt Strike Beacons

Cobalt Strike Beacons

ab110b93ec2683c604dd09021a43e563

MD5

Xmrig.exe

XMRig Miner

954a1df856d5b3343f7114961fdfa3c9

MD5

Mimikatz.exe

Mimikatz

IP Addresses and Domains

IOC

Description

46[.]246.122.73

2[.]56.59.117

45[.]146.164.50

IPs observed exploiting Telerik vulnerability.

4emn25fbv22hg73nyi73ik7jhe3wk4yfcqxo4tdbyeekq5xrhkeqiqqd[.]onion

Trojan malware deployed by threat actor observed attempting to connect to this domain

e5d6f8fc0027.ngrok[.]io

85[.]206.165.175

Shellcode from Telerik vulnerability observed connecting to this domain

92[.]223.88.232

66[.]203.112.11

92[.]223.88.232

103[.]1.213.62

101[.]178.108.13

46[.]246.122.167

46[.]246.122.43

IP addresses observed attempting to connect via AnyDesk

Registry Keys

IOC

Description

HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name "setup"

HKLM:\SOFTWARE\Microsoft\.NETFramework -Name "F"

Registry keys used for persistence.

Scheduled Tasks

IOC

Description

Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Update

Internet Explorer Update

Scheduled tasks used for persistence

XMRig Crypto Wallet

IOC

Description

42KuHsJwTRpUcyaQU1s1ojTTu9pPEXsdF76ncB6a4AbiCPijPVckin6CMBkZi7skhv2xAmfXmHPcyJsnvRoX9on3LWq61PC

XMRig crypto wallet used by the Harpoonbot miner

 

[1] Screenshot taken from Accenture’s own analysis of a test file encrypted with the ransomware

Disclaimer : This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors.
Copyright © 2021 Accenture. All rights reserved. Accenture and its logo are registered trademarks of Accenture.

Mark Sayer

Managing Director – Accenture Security, Cyber Defence Lead, AAPAC


Mack Heath

Senior Consulting Manager – Cyber defense, ASIAM


Chris Keune

Senior Manager – Security, ASIAM


Paul Sabanal

Delivery Manager – Security

Subscribe to Accenture's Anztrends Blog Subscribe to Accenture's Anztrends Blog