Ransomware by runlocker / ranlock

Pandemics do not stop malware script kiddies.

Today's case is a computer (essentially a honeypot) with VNC enabled on the default port and a simple password set (a single lower-case dictionary word), which someone brute-forced.

The attacker then checked whether the machine was on a network and which other users were on the computer.

[screenshot: 2020-04-06_14_02_58.png]

All files across the drive were encrypted and given a file extension specific to this infection instance.

[screenshot: 2020-04-06_14_04_11.png]

The ransom note “!!! ALL YOUR FILES ARE ENCRYPTED !!!.txt” contained:

!!! ALL YOUR FILES ARE ENCRYPTED !!!

All your files, documents, photos, databases and other important files are encrypted.

You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.

To be sure we have the decryptor and it works you can send an email: runlocker@protonmail.com and decrypt one file for free.
But this file should be of not valuable!

Do you really want to restore your files?
Write to email: runlocker@protonmail.com
Reserved email: ranlock@keemail.me

Your personal ID: A50-90E-EC9

Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

The timeline suggests they broke into the computer in March, at around 42 minutes past midnight.
Then at 01:12am they snooped through the files (there is not much on the honeypot system, but they did open a file called “password.txt”).

At 01:14 they downloaded a file using Chrome:
hxxps://aes.one/files/d/a5e/17e641m6n07en291al7w21gn7t/c8ecdba9ef806c83/

That link in turn serves a .exe file called “zeppelin.exe”.

MD5	7e867d82199a59d28ce35d31ea688dee
SHA-1	52adcf0361aa8fb3a34daa1bb67a620d58b2b8a7
SHA-256	b3a71d2611660242a98236e332e964bf9c1e6d647b570cc650e2815d8054afc5

The initial attempt to download this file was blocked by Microsoft's Windows Defender; the attacker then manually snoozed / turned off Defender to complete the attack.
The file is most likely copied to c:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\spoolsv.exe and is detected as “Ransom:W32/ZZeppelin.A!MSR”.
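Both sets of hashes quoted in this post (zeppelin.exe above, and the PowerShell stager further down) are usable as file indicators. The following is an added example, not code from the post, of a small checker that hashes a file with all three algorithms and matches any of them against that indicator list; the label strings and the `scan_file` helper are my own, and the hashes are exactly those printed in the post.

```python
import hashlib
from typing import Dict, Optional

# Indicators taken from the post itself (MD5 / SHA-1 / SHA-256 of the two
# samples).  The descriptive labels are assumed, not from the post.
KNOWN_BAD: Dict[str, str] = {
    "7e867d82199a59d28ce35d31ea688dee": "zeppelin.exe (MD5)",
    "52adcf0361aa8fb3a34daa1bb67a620d58b2b8a7": "zeppelin.exe (SHA-1)",
    "b3a71d2611660242a98236e332e964bf9c1e6d647b570cc650e2815d8054afc5": "zeppelin.exe (SHA-256)",
    "4a79e1626ce14d7ae5f5b7965c872103": "powershell stager (MD5)",
    "350cfa0b6f502672cb5e15ce10e17bc17632e749": "powershell stager (SHA-1)",
    "35cd8737cebb9f72db999a49b260c5d9188615b31302d8e7d01b4f37ba4609db": "powershell stager (SHA-256)",
}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Return lower-case hex digests of data for the three algorithms used in the post."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_indicators(data: bytes, indicators: Dict[str, str] = KNOWN_BAD) -> Optional[str]:
    """Return a description of the first matching indicator, or None if the bytes are unknown.

    Matching on all three digests means an indicator list that only carries
    one algorithm for a given sample still works.
    """
    for algo, digest in hash_bytes(data).items():
        label = indicators.get(digest.lower())
        if label is not None:
            return f"{label} via {algo}"
    return None


def scan_file(path: str, indicators: Dict[str, str] = KNOWN_BAD) -> Optional[str]:
    """Hash a file on disk in one read and check it against the indicator list."""
    with open(path, "rb") as fh:
        return match_indicators(fh.read(), indicators)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, "->", scan_file(p) or "no match")
```

Run it as `python check_hashes.py path\to\suspect.exe`; a match on any algorithm is enough to flag the file, which also covers feeds that publish only one hash type.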

[screenshot: 2020-04-06_14_23_08.png]

At 01:16am they fired off the encryption of all the files.

Possibly linked, or possibly a different attacker: a PowerShell script was also run at 10:11:48 on 03/04/2020 which fetched something from hxxp://31.44.184.47:80/aa. That appears to be a base64-encoded file containing a further PowerShell script, which itself embeds another base64-encoded blob that must be XORed before it becomes a valid file.

Windows Defender also identifies this file.

MD5	4a79e1626ce14d7ae5f5b7965c872103
SHA-1	350cfa0b6f502672cb5e15ce10e17bc17632e749
SHA-256	35cd8737cebb9f72db999a49b260c5d9188615b31302d8e7d01b4f37ba4609db
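The unpacking chain described above (base64, then a PowerShell script, then a second base64 blob, then XOR) is the kind of thing CyberChef handles in a few recipe steps; the following added example, written by me and not taken from the post or from the real sample, does the same in Python so the steps are explicit. The staged input is constructed inline with a made-up payload and a made-up single-byte key (0x5A); the real stager's key and payload are not on the page. The decoder recovers the key by trying all 256 single-byte values and keeping the one whose output starts with an expected file header (`MZ` here, since the post says the result is a valid file that Defender recognises as an executable; the header to look for is an assumption).

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# --- constructed sample, shaped like the chain in the post -----------------
# Inner payload and key are invented for this example; they are NOT the
# real stager's values.
_FAKE_PAYLOAD = b"MZ" + b"\x90\x00" * 4 + b"constructed-fake-payload-not-a-real-executable"
_FAKE_KEY = 0x5A


def _xor(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


def _build_sample_stage1() -> bytes:
    """Build the outer base64 blob: a PowerShell-looking script carrying the XORed inner blob."""
    inner_b64 = base64.b64encode(_xor(_FAKE_PAYLOAD, _FAKE_KEY)).decode()
    script = (
        "$k = 0x5A\n"
        f"$b = [Convert]::FromBase64String('{inner_b64}')\n"
        "for($i=0;$i -lt $b.Length;$i++){ $b[$i] = $b[$i] -bxor $k }\n"
    )
    return base64.b64encode(script.encode())


SAMPLE_STAGE1 = _build_sample_stage1()


# --- analysis side ---------------------------------------------------------
def extract_base64_blobs(text: str, min_len: int = 32) -> List[str]:
    """Return base64-looking runs of at least min_len characters (plus any padding)."""
    return re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, text)


def recover_single_byte_xor(data: bytes, magic: bytes = b"MZ") -> Optional[Tuple[int, bytes]]:
    """Try all 256 single-byte keys; return (key, plaintext) for the first output starting with magic."""
    for key in range(256):
        candidate = _xor(data, key)
        if candidate.startswith(magic):
            return key, candidate
    return None


def unpack_stages(stage1_b64: bytes, magic: bytes = b"MZ") -> Dict:
    """Walk the chain: outer base64 -> script -> inner base64 -> XOR -> payload(s)."""
    script = base64.b64decode(stage1_b64).decode("utf-8", errors="replace")
    result: Dict = {"script": script, "payloads": []}
    for blob in extract_base64_blobs(script):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue  # looked like base64 but was not
        hit = recover_single_byte_xor(raw, magic)
        if hit is not None:
            key, payload = hit
            result["payloads"].append({"xor_key": key, "payload": payload})
    return result


if __name__ == "__main__":
    out = unpack_stages(SAMPLE_STAGE1)
    print("recovered script:\n" + out["script"])
    for p in out["payloads"]:
        print(f"xor key 0x{p['xor_key']:02x}, payload starts {p['payload'][:8]!r}")
```

Against a real stager you would feed the downloaded `aa` file's bytes in as `stage1_b64`; if the XOR is multi-byte rather than single-byte, the brute-force step needs widening, but the base64 extraction and header check stay the same.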

I must say a massive thank you to GCHQ for their amazing tool CyberChef which made analyzing this so much easier.
