Like Tears in Rain: A DeathHiddenTear Ransomware Breakdown
Like Tears in Rain: A DeathHiddenTear Ransomware Breakdown
A Synopsis of the Threat
A new variant of the Hidden Tear ransomware, named “DeathHiddenTear”, has been seen over the last several months, impacting small to medium businesses (“SMB”). Like most ransomware, it has the capabilities of deleting data recovery mechanisms (e.g., volume shadow copies), encrypting files using AES and generating a ransom note that contains contact information and a RSA key. Some victims have reported paying the ransom for a buggy decryptor that either doesn’t work at all or partially. Optiv experienced similar issues with a purchased decryptor.
Intelligence sources suggest the threat actor behind DeathHiddenTear is primarily Russian speaking. The campaign began in the second half of February 2020 and is aimed at English-speaking users but has been observed worldwide. The attacks are most commonly exploited through insecure RDP as initial entry vector and primarily targeting small to medium businesses.
Security researchers created and released the original Hidden Tear ransomware’s source code to demonstrate how ransomware functions. Various threat actors acquired this source code and have since made their own versions of the malware. Optiv has seen several minor versions of DeathHiddenTear with two major releases. The need for a second version was likely because version 1 had a bug that allowed for possible decryption, which was revealed by security researcher @demonslay335 on Twitter. The second version, “DeathHiddenTearV2”, contains a fix for this bug and can be discerned by the method in which the decryption password is created as well as a change in the file extensions used on the encrypted data. The encrypted files may have file extensions .encryptedS and .encryptedL or .encS and .encL. The “S” and “L” identify files as small or large, differentiated by being greater or less than 500MB in size. In some cases, the file extensions are simply .enc, without a file size indicator, which we observed in the most recent samples submitted to VirusTotal. There is no publicly available decryptor for V2 at this time.
Analyzed Samples in the Wild
As of the writing of this post, we found 19 unique samples on VirusTotal, first observed on February 19, 2020 and the most recent submission uploaded on June 17, 2020. The email addresses in the ransom notes used either cock.li or photonmail.ch email services.
An example of the decryption note from a VirusTotal submission is seen below:
String analysis of multiple samples revealed two C2 IP addresses used to send logging.
Strings of d31742a33f52f5d3326a828f73c666d605c07b2070f5a863fce7d97a4b1cfee2
Strings of 3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7
An interesting finding about these IP addresses is their association with a virtual private service (“VPS”). belonging to Virtual Systems LLC in Ukraine (https://virtualsystems[.]net). This company has IP addresses in 34 subnets and hosting for over four thousand domains. Some IP addresses related to the autonomous system number belonging to Virtual Systems LLC (AS30860) were also found to be associated with malware and phishing campaigns. It should be made clear that Virtual Systems LLC is identified as a service used by the threat actor and is not known to be under control of the threat actor. We’ve also observed Tor anonymization services being used in the attacks.
All subnets found to be related to the Virtual Systems LLC AS number (AS30860) are provided below:
Subnets Related to VirtualSystems LLC, AS30860
The DeathHiddenTear ransomware is not overly complex and has typical process tree characteristics of many ransomware threats. The original filename in earlier samples varies from skipc.exe, ssvchost.exe and similar variations while more recent samples have been named ParaEncrypt.exe and sc.exe. It’s likely dropped on a system compromised through other vectors such as insecure RDP.
In the process tree example above, two commands are invoked by the malware:
2788. Removes the Shadow Copy to avoid recovery of the system
vssadmin.exe delete shadows /all /quiet
2848. Uses choice.exe to delete itself after running
cmd.exe /C choice /C Y /N /D Y /T 5 & DEL C:\Users\
Let’s drill further into the binaries themselves for a deeper understanding. We examined 19 samples in total from VirusTotal and surprisingly enough there are slight changes over time. We identified minor changes such as adding target file extensions, modifications to the encryption cipher mode from CBC to CFB and combining two file encryption methods different for small and large file into a single method for all targeted files. Major changes included a more secure method of generating the decryption password, wiping deleted data on disk, and renaming the namespace. As relatively short .NET programs, there isn’t a lot to look at but we can examine the basic functionality and make some comparisons between versions.
|SHA256||File Ext||Version||C2||Compile Timestamp||Email in ransom note|
|f56487db1a1db8114cb92aca99cc6b4d3beab535151e7faea2e72b2071480dfc||.encS, .encL||v1||none||2/16/2020 17:email@example.com|
|d31742a33f52f5d3326a828f73c666d605c07b2070f5a863fce7d97a4b1cfee2||.encryptedS, .encryptedL||v1||184.108.40.206||3/27/2020 17:firstname.lastname@example.org|
|3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7||.encryptedS, .encryptedL||v1||220.127.116.11||4/8/2020 18:email@example.com|
|292bf92948a288e21727a1995a0bd004474832bd5854087fd2e7560d792d5460||.encS, .encL||v1||none||4/10/2020 17:firstname.lastname@example.org|
We examined the malware samples using open source dnSpy, a debugger and .NET assembly editor. At roughly 500 lines of code in length, the author goes the extra mile for maintaining well organized classes with descriptive method names.
As we found with string analysis revealing C2 IP addresses mentioned earlier in this post, two of the samples analyzed contain a WebRequest with in the main function sending a start and finish log containing the victim computer name. These IP’s are described more in the first half of this posting. The binary deletes itself using choice after executing.
The “encryptDirectory” method targets specific content for the encryption stream. The earliest versions we analyzed included 243 file extensions whereas the most recent compiled sample targets 250 file extensions. The data types targeted are common extensions for backups, databases, documents, email and multimedia.
The following method invokes the Microsoft native utility vssadmin.exe to delete volume shadow copies:
This crypto ransomware encrypts targeted user data using AES with RSA keys. A method called “FileEncrypt” performs the file encryption using the standard C# AES 256-bit encryption library, salted with 50000 iterations.
The method “CreatePassword” defined in version 1 creates a 12 character random password which is flawed using the C# System.Random number generator (“RNG”).
In comparison, the method defined in version 2 to create a password with the flaw fixed using the C# class RNGCryptoServiceProvider, making the password impossible to brute force.
Discussing secure RNG’s is a topic for another post but the basics is that Microsoftʼs implementation of System.Random has inherent weaknesses for cryptographic use cases. Referenced in this post. RNGCryptoServiceProvider is the default implementation of security standards compliant RNG due to its uniqueness and stronger cryptographic implementation.
The samples we analyzed named ParaEncrypt.exe still maintain the same program structure but with some minor changes such as wiping deleted data on disk using Microsoft’s native utility cipher.exe, increasing the decryption password length to 30 characters, and changing the namespace to “ParaEncrypt”.
The updated CreatePassword method still uses RNGCryptoServiceProvider but instead of using the stringBuilder class they get a random string of integers and use that to index into the alphabet array to create a 30 character random password.
The figure below shows the added functionality using cipher.exe to overwrite deleted data for each drive attached. Note that the cipher /w command does not work for files less than 1KB in size. More details about cipher and anti-forensics capability can be found here.
Another note about these ParaEncrypt samples is the time stamps in the PE File Header that all read in the future. These time stamps can be and are often inaccurate for multiple reasons we won’t get into here but it’s a notable finding that was different from the other versions. PE File Header TimeDateStamp’s set in the future or impossibly in the past are generally good Threat Hunting indicators to look for suspicious files.
We have not observed other tools used along side this ransomware. As mentioned earlier, these attacks have primarily been opportunistic, leveraging insecure Internet-facing protocols such as RDP. It’s evident this isn’t sophisticated ransomware and it doesn’t have to be to accomplish the end goal. The majority of today’s anti-virus solutions detect all the samples we examined solely based on behavioral characteristics. It’s recommended to maintain anti-virus definition updates and operating system patches.
If applicable to your organization, Optiv has written a Yara rule to detect all these variants. Before implementing any new detection capability, it is recommended to perform baselining known-good activity to prevent false positives.
Copyright 2020 Optiv Security
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
rule DeathHiddenTear : Ransomware
meta:description = "Yara rule for DeathHiddenTear Ransomware"strings:
author = "Optiv Security"
date = "2020-06-17"
threat_level = 5
in_the_wild = true
file_type = "PE"
hash1 = "01697ac491a7d1d9c7f3681a65e4cb05ce8637e1127c0bde718fcd55c0039660"
hash2 = "0536101f67a64732a09b3a297a3a31eb31f3b09df54a499b37ba3f5fedc800cd"
hash3 = "06b453e6e2d5c4e767e9feaeec54061f8071df06a53fdb344e52a7b159ddc5c4"
hash4 = "292bf92948a288e21727a1995a0bd004474832bd5854087fd2e7560d792d5460"
hash5 = "3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7"
hash6 = "45f28f11f624eb715065ff41967316da30c2cbb9c48357f64cf3017faeeac1fb"
hash7 = "6f3a261f5c90e71d4a5a754e2f81acedb28f1bf50b972ac03cb58d463427d7a5"
hash8 = "90a9694e1fb057186d1d44dff548d5b11934c0d97cea2660166dc66e5df9009b"
hash9 = "d31742a33f52f5d3326a828f73c666d605c07b2070f5a863fce7d97a4b1cfee2"
hash10 = "dd8c89f9a9143c5a59b1410f4854785b4d4d5a6ff9a7e7d53ad516c1bec26e1e"
hash11 = "e27315d539696f064a70ba6eb05aa07c5a3e4399ff205f4477117dd7fd04d35b"
hash12 = "f56487db1a1db8114cb92aca99cc6b4d3beab535151e7faea2e72b2071480dfc"
hash13 = "fb1a2435bbdf97962fc8de17a5778d46b13f858e2fd412f429fba3e08475a3df"
hash14 = "c7ae4f3e1667ffa12be467f2ec188bd6f302d36c3bd0f872fce8de0ce263fb5d"
hash15 = "d12b533e35f1a0383b9ed561a9db1761dbe9e6310d3454a3f4e80cfe198c6102"
hash16 = "a6db04a95a145b8caf79b42f5d5b6e3d4ee04cb8ce85c241121f80c3935775de"
hash17 = "92d6fccd61fa03ff83d8b192449f8edccab17afc032b4b9a5f8979f3fd32ddf9"
hash18 = "f00b3bcbfcb46a41767a5187d0401c05f4edc0d70782c5c54708f2805916c514"
hash19 = "192792855f8f3fe629eb4c8608e73db44b6b00368168f67b7cdb8bcb81f0584e"$s1 = "ssvchost.exe" fullword widecondition:
$s2 = "vssadmin.exe" fullword wide
$s3 = "$a63a87f5-c842-4804-a82f-26d2e707bacf" fullword ascii // .NET TypeLib Id
$s4 = "\\Decrypt Instructions.txt" fullword wide
$s5 = "targetDirectory" fullword ascii
$s6 = "ssvchost" fullword ascii
$s7 = "get_KeySize" fullword ascii
$s8 = "ssvchost.Properties" fullword ascii
$s9 = "CreatePassword" fullword ascii
$s10 = "/C choice /C Y /N /D Y /T 5 & DEL " fullword wide
$s11 = "_publicKey" fullword ascii
$s12 = "encryptDirectory" fullword ascii
$s13 = "SSvchost" fullword wide
$s14 = "delete shadows /all /quiet" fullword wide
$s15 = "_encrptedComputerInfo" fullword ascii // static string name
$s16 = "Death.Form1.resources" fullword ascii
$s17 = "ParaEncrypt.Properties.Resources" fullword ascii( uint16(0) == 0x5a4d and filesize < 50KB and ( 8 of them )}
) or ( all of them )
Indicators of Compromise
fb1a2435bbdf97962fc8de17a5778d46b13f858e2fd412f429fba3e08475a3df f56487db1a1db8114cb92aca99cc6b4d3beab535151e7faea2e72b2071480dfc e27315d539696f064a70ba6eb05aa07c5a3e4399ff205f4477117dd7fd04d35b dd8c89f9a9143c5a59b1410f4854785b4d4d5a6ff9a7e7d53ad516c1bec26e1e d31742a33f52f5d3326a828f73c666d605c07b2070f5a863fce7d97a4b1cfee2 90a9694e1fb057186d1d44dff548d5b11934c0d97cea2660166dc66e5df9009b 6f3a261f5c90e71d4a5a754e2f81acedb28f1bf50b972ac03cb58d463427d7a5 45f28f11f624eb715065ff41967316da30c2cbb9c48357f64cf3017faeeac1fb 3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7 292bf92948a288e21727a1995a0bd004474832bd5854087fd2e7560d792d5460 06b453e6e2d5c4e767e9feaeec54061f8071df06a53fdb344e52a7b159ddc5c4 0536101f67a64732a09b3a297a3a31eb31f3b09df54a499b37ba3f5fedc800cd 01697ac491a7d1d9c7f3681a65e4cb05ce8637e1127c0bde718fcd55c0039660 c7ae4f3e1667ffa12be467f2ec188bd6f302d36c3bd0f872fce8de0ce263fb5d d12b533e35f1a0383b9ed561a9db1761dbe9e6310d3454a3f4e80cfe198c6102 a6db04a95a145b8caf79b42f5d5b6e3d4ee04cb8ce85c241121f80c3935775de 92d6fccd61fa03ff83d8b192449f8edccab17afc032b4b9a5f8979f3fd32ddf9 f00b3bcbfcb46a41767a5187d0401c05f4edc0d70782c5c54708f2805916c514 192792855f8f3fe629eb4c8608e73db44b6b00368168f67b7cdb8bcb81f0584e
MITRE ATT&CK Techniques
Technique_ID, Technique, Sub-technique
T1059 Command-Line Interface - Runs shell commands
T1215 Kernel Modules and Extensions - Opens the Kernel Security Device Driver (KsecDD) of Windows
T1179 Hooking - Installs hooks/patches the running process
T1055 Process Injection - Writes data to a remote process
T1107 File Deletion - Deletes volume snapshots
T1112 Modify Registry - Modifies proxy settings
T1055 Process Injection - Writes data to a remote process
T1012 Query Registry -
Queries sensitive IE security settings
Reads the cryptographic machine GUID
Reads information about supported languages
Copyright © 2020 Optiv Security Inc. All rights reserved.
No license, express or implied, to any intellectual property or other content is granted or intended hereby.
This blog is provided to you for information purposes only. While the information contained in this site has been obtained from sources believed to be reliable, Optiv disclaims all warranties as to the accuracy, completeness or adequacy of such information.
Links to third party sites are provided for your convenience and do not constitute an endorsement by Optiv. These sites may not have the same privacy, security or accessibility standards.
Complaints / questions should be directed to Legal@optiv.com