Like Tears in Rain: A DeathHiddenTear Ransomware Breakdown
A new variant of the Hidden Tear ransomware, named “DeathHiddenTear”, has been seen over the last several months, impacting small to medium businesses (“SMB”). Like most ransomware, it can delete data recovery mechanisms (e.g., volume shadow copies), encrypt files using AES and generate a ransom note that contains contact information and an RSA key. Some victims have reported paying the ransom for a buggy decryptor that either doesn’t work at all or only works partially. Optiv experienced similar issues with a purchased decryptor.
Intelligence sources suggest the threat actor behind DeathHiddenTear is primarily Russian speaking. The campaign began in the second half of February 2020 and is aimed at English-speaking users, but infections have been observed worldwide. The attacks most commonly use insecure RDP as the initial entry vector and primarily target small to medium businesses.
Security researchers created and released the original Hidden Tear ransomware’s source code to demonstrate how ransomware functions. Various threat actors acquired this source code and have since made their own versions of the malware. Optiv has seen several minor versions of DeathHiddenTear with two major releases. A second version was likely needed because version 1 had a bug that made decryption possible, as revealed by security researcher @demonslay335 on Twitter. The second version, “DeathHiddenTearV2”, contains a fix for this bug and can be distinguished by the method used to create the decryption password as well as a change in the file extensions used on the encrypted data. The encrypted files may have file extensions .encryptedS and .encryptedL or .encS and .encL. The “S” and “L” identify files as small or large, distinguished by whether the file is smaller or larger than 500MB. In some cases, the file extensions are simply .enc, without a file size indicator, which we observed in the most recent samples submitted to VirusTotal. There is no publicly available decryptor for V2 at this time.
As of the writing of this post, we found 19 unique samples on VirusTotal, first observed on February 19, 2020 and the most recent submission uploaded on June 17, 2020. The email addresses in the ransom notes used either cock.li or photonmail.ch email services.
An example of the decryption note from a VirusTotal submission is seen below:
String analysis of multiple samples revealed two C2 IP addresses used to send logging.
Strings of d31742a33f52f5d3326a828f73c666d605c07b2070f5a863fce7d97a4b1cfee2
Strings of 3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7
An interesting finding about these IP addresses is their association with a virtual private server (“VPS”) provider, Virtual Systems LLC in Ukraine (https://virtualsystems[.]net). This company has IP addresses in 34 subnets and hosts over four thousand domains. Some IP addresses in the autonomous system belonging to Virtual Systems LLC (AS30860) were also found to be associated with malware and phishing campaigns. It should be made clear that Virtual Systems LLC is identified as a service used by the threat actor and is not known to be under the control of the threat actor. We’ve also observed Tor anonymization services being used in the attacks.
All subnets found to be related to the Virtual Systems LLC AS number (AS30860) are provided below:
Subnets Related to VirtualSystems LLC, AS30860
The DeathHiddenTear ransomware is not overly complex and has typical process tree characteristics of many ransomware threats. The original filename in earlier samples varies from skipc.exe, ssvchost.exe and similar variations while more recent samples have been named ParaEncrypt.exe and sc.exe. It’s likely dropped on a system compromised through other vectors such as insecure RDP.
In the process tree example above, two commands are invoked by the malware:
2788: Removes the shadow copies to prevent recovery of the system
    vssadmin.exe delete shadows /all /quiet
2848: Uses choice.exe as a timed delay, then deletes the malware binary after running
    cmd.exe /C choice /C Y /N /D Y /T 5 & DEL C:\Users\\Downloads\skipc.exe
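The two commands above are the behaviour most worth alerting on, independent of which sample name the binary carries. The following is an added detection example written for this post (not code from Optiv or from the malware): it parses constructed, simplified process-creation log lines (Sysmon Event ID 1 style, field names and values are assumed), flags `vssadmin delete shadows` and the `choice ... & DEL <own path>` self-deletion pattern, and then correlates both behaviours under one parent process within a short window. The log lines, paths and timestamps are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample log lines (assumed Sysmon Event ID 1 style, simplified to key=value fields).
# Lines 1-2 mimic the process tree described above; lines 3-4 are benign look-alikes.
SAMPLE_LOG = """\
2020-06-17T10:01:02Z ParentImage=C:\\Users\\victim\\Downloads\\skipc.exe Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"
2020-06-17T10:01:03Z ParentImage=C:\\Users\\victim\\Downloads\\skipc.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /C choice /C Y /N /D Y /T 5 & DEL C:\\Users\\victim\\Downloads\\skipc.exe"
2020-06-17T10:05:00Z ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe list shadows"
2020-06-17T10:06:00Z ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /C choice /C YN /M Continue?"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or a single token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
SHADOW_DELETE_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
# "choice ... & DEL <path>" with the deleted path captured up to end of line
SELF_DELETE_RE = re.compile(r'\bchoice\b.*\bdel\s+(?P<target>[^&|"]+?)\s*$', re.IGNORECASE)


def parse_line(line):
    """Split one log line into a dict of fields plus its timestamp."""
    ts, _, rest = line.partition(" ")
    fields = {}
    for m in FIELD_RE.finditer(rest):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    fields["timestamp"] = ts
    return fields


def classify(event):
    """Return the list of behaviour names this single event matches."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    hits = []
    if image.endswith("vssadmin.exe") and SHADOW_DELETE_RE.search(cmd):
        hits.append("shadow_copy_deletion")
    m = SELF_DELETE_RE.search(cmd)
    # only flag when the file being deleted is the parent process's own image
    if m and m.group("target").strip().lower() == parent:
        hits.append("parent_self_delete")
    return hits


def scan(log_text):
    """Return (timestamp, parent_image, hits) for every line that triggered a rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        hits = classify(ev)
        if hits:
            findings.append((ev["timestamp"], ev.get("ParentImage", ""), hits))
    return findings


def correlate(findings, window_seconds=60):
    """Parents that both deleted shadow copies and self-deleted within the window."""
    by_parent = {}
    for ts, parent, hits in findings:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_parent.setdefault(parent.lower(), []).append((when, hits))
    suspects = []
    for parent, events in by_parent.items():
        names = {h for _, hits in events for h in hits}
        times = [t for t, _ in events]
        spread = (max(times) - min(times)).total_seconds()
        if {"shadow_copy_deletion", "parent_self_delete"} <= names and spread <= window_seconds:
            suspects.append(parent)
    return suspects


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ts, parent, hits in found:
        print(ts, parent, hits)
    print("correlated:", correlate(found))
```

The self-delete rule deliberately requires the deleted path to equal the parent image rather than matching any `choice`/`DEL` pair, which keeps benign batch scripts that happen to use `choice` out of the alert; the `vssadmin list shadows` line shows why the shadow rule keys on `delete` rather than on `vssadmin.exe` alone.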
Let’s drill further into the binaries themselves for a deeper understanding. We examined 19 samples in total from VirusTotal and, surprisingly, there are slight changes over time. Minor changes include additional target file extensions, a change in the encryption cipher mode from CBC to CFB, and the merging of two separate file encryption methods (one for small files, one for large) into a single method for all targeted files. Major changes include a more secure method of generating the decryption password, wiping deleted data on disk, and renaming the namespace. As relatively short .NET programs, there isn’t a lot to look at, but we can examine the basic functionality and make some comparisons between versions.
We examined the malware samples using dnSpy, an open source debugger and .NET assembly editor. At roughly 500 lines of code, the author goes the extra mile in maintaining well-organized classes with descriptive method names.
As noted in the string analysis that revealed the C2 IP addresses earlier in this post, two of the samples analyzed contain a WebRequest in the main function that sends a start and finish log containing the victim’s computer name. These IPs are described in more detail in the first half of this post. The binary deletes itself using choice after executing.
The “encryptDirectory” method targets specific content for the encryption stream. The earliest versions we analyzed targeted 243 file extensions, whereas the most recent compiled sample targets 250. The data types targeted are common extensions for backups, databases, documents, email and multimedia.
The following method invokes the Microsoft native utility vssadmin.exe to delete volume shadow copies:
This crypto ransomware encrypts targeted user data using AES together with RSA keys. A method called “FileEncrypt” performs the file encryption using the standard C# AES library with 256-bit keys, using a salted key derivation with 50000 iterations.
The “CreatePassword” method defined in version 1 creates a 12-character random password using the C# System.Random number generator (“RNG”), which is flawed for this purpose.
In comparison, the method defined in version 2 creates the password with the flaw fixed, using the C# class RNGCryptoServiceProvider, making the password impossible to brute force.
Discussing secure RNGs is a topic for another post, but the basic point is that Microsoft’s implementation of System.Random has inherent weaknesses for cryptographic use cases, as discussed in the referenced post. RNGCryptoServiceProvider is the default implementation of a security-standards-compliant RNG in .NET, owing to its unpredictable output and stronger cryptographic implementation.
The samples we analyzed named ParaEncrypt.exe still maintain the same program structure but with some minor changes such as wiping deleted data on disk using Microsoft’s native utility cipher.exe, increasing the decryption password length to 30 characters, and changing the namespace to “ParaEncrypt”.
The updated CreatePassword method still uses RNGCryptoServiceProvider, but instead of using the StringBuilder class it obtains a random sequence of integers and uses them to index into the alphabet array to build a 30-character random password.
The figure below shows the added functionality that uses cipher.exe to overwrite deleted data on each attached drive. Note that the cipher /w command does not work for files less than 1KB in size.
Another note about these ParaEncrypt samples is that the time stamps in the PE file header all read in the future. These time stamps can be, and often are, inaccurate for multiple reasons we won’t get into here, but it’s a notable finding that differed from the other versions. PE file header TimeDateStamp values set in the future or impossibly far in the past are generally good threat hunting indicators for suspicious files.
We have not observed other tools used alongside this ransomware. As mentioned earlier, these attacks have primarily been opportunistic, leveraging insecure Internet-facing protocols such as RDP. It’s evident this isn’t sophisticated ransomware, and it doesn’t have to be to accomplish the end goal. The majority of today’s anti-virus solutions detect all the samples we examined based solely on behavioral characteristics. We recommend keeping anti-virus definitions and operating system patches up to date.
If applicable to your organization, Optiv has written a YARA rule to detect all these variants. Before implementing any new detection capability, we recommend baselining known-good activity to prevent false positives.
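The difference between the version 1 and version 2 password generators is what decided whether a decryptor could be built, so it is worth seeing the two approaches side by side. The following Python block is an added example written for this post, not the malware's C# code and not Optiv's: `random.Random(seed)` stands in for a seeded, non-cryptographic generator like System.Random, `secrets` stands in for RNGCryptoServiceProvider, and the alphabet and the small seed space used by the recovery function are assumptions chosen for illustration. The point it demonstrates is the defender's one: a password drawn from a seeded PRNG is fully determined by the seed, so an enumerable seed space means a recoverable password, while the CSPRNG-backed version has no such handle.

```python
import random
import secrets
import string

# Assumed alphabet for the example; the samples' real alphabet array is not reproduced here.
ALPHABET = string.ascii_letters + string.digits


def weak_create_password(seed, length=12):
    """Version-1 style: seeded, non-cryptographic PRNG (stand-in for C# System.Random).
    The output is a pure function of the seed, which is the flaw."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_create_password(length=30):
    """Version-2 / ParaEncrypt style: random integers from the OS CSPRNG index the alphabet.
    secrets.randbelow avoids the modulo bias a naive byte % len(ALPHABET) would introduce."""
    return "".join(ALPHABET[secrets.randbelow(len(ALPHABET))] for _ in range(length))


def recover_weak_password(observed, seed_space):
    """Defender's view of the version-1 flaw: given a known password (e.g. from a sample
    that still held it in memory) and a candidate seed space, find the seed that reproduces it.
    The seed space here is a small assumed range; a real 32-bit tick count is still enumerable."""
    for seed in seed_space:
        if weak_create_password(seed, len(observed)) == observed:
            return seed
    return None


if __name__ == "__main__":
    pw = weak_create_password(4242)
    print("weak password:", pw, "-> seed recovered:", recover_weak_password(pw, range(10000)))
    print("strong password:", strong_create_password())
```

Running the block twice prints the same weak password both times and a different strong password each time; that reproducibility, not the password length, is why a version 1 decryptor was feasible and a version 2 one is not.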
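Checking the TimeDateStamp is cheap enough to run across every executable in a collection, and it needs no third-party PE parser. The block below is an added example for this post (not Optiv tooling): it builds a minimal, non-executable PE header with a chosen timestamp (constructed test data), reads the COFF TimeDateStamp back by walking `e_lfanew` to the `PE\0\0` signature, and classifies it relative to a reference "now". The reference date, the one-day tolerance and the year-2000 lower bound are assumptions for the example. It also treats 0 and 0xFFFFFFFF as sentinels, since those values are commonly written by tooling rather than representing a real build time.

```python
import struct

# Reference time for the example: 2020-06-17T00:00:00Z as a Unix timestamp (assumed "now").
NOW_2020_06_17 = 1592352000
OLDEST_PLAUSIBLE = 946684800  # 2000-01-01T00:00:00Z; assumed lower bound for the example


def build_minimal_pe(timestamp):
    """Construct a minimal PE header (not runnable code): DOS header with e_lfanew -> 'PE\\0\\0' -> COFF header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the 64-byte DOS header
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def read_timedatestamp(data):
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # TimeDateStamp sits 8 bytes past the signature (after Machine and NumberOfSections)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def classify_timestamp(ts, now_ts, oldest_ts=OLDEST_PLAUSIBLE, tolerance=86400):
    """Classify a header timestamp as sentinel, future, implausibly_old or plausible."""
    if ts in (0, 0xFFFFFFFF):
        return "sentinel"
    if ts > now_ts + tolerance:
        return "future"
    if ts < oldest_ts:
        return "implausibly_old"
    return "plausible"


def check_pe(data, now_ts):
    return classify_timestamp(read_timedatestamp(data), now_ts)


def hunt(samples, now_ts):
    """Return {name: verdict} for every sample whose header timestamp is not plausible."""
    flagged = {}
    for name, data in samples.items():
        verdict = check_pe(data, now_ts)
        if verdict != "plausible":
            flagged[name] = verdict
    return flagged


if __name__ == "__main__":
    # Constructed samples: one dated in the future, one with a believable 2020 date, one zeroed.
    corpus = {
        "future.exe": build_minimal_pe(1700000000),
        "normal.exe": build_minimal_pe(1582070400),
        "zeroed.exe": build_minimal_pe(0),
    }
    print(hunt(corpus, NOW_2020_06_17))
```

One caveat when applying this at scale: some modern reproducible-build toolchains store a content hash in TimeDateStamp instead of a time, so the "future" verdict is a triage signal to be weighed with the rest of the header and signing data, not a verdict on its own.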
Copyright 2020 Optiv Security
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
```yara
rule DeathHiddenTear : Ransomware
{
    meta:
        description = "Yara rule for DeathHiddenTear Ransomware"
        author = "Optiv Security"
        date = "2020-06-17"
        threat_level = 5
        in_the_wild = true
        file_type = "PE"
        hash1 = "01697ac491a7d1d9c7f3681a65e4cb05ce8637e1127c0bde718fcd55c0039660"
        hash2 = "0536101f67a64732a09b3a297a3a31eb31f3b09df54a499b37ba3f5fedc800cd"
        hash3 = "06b453e6e2d5c4e767e9feaeec54061f8071df06a53fdb344e52a7b159ddc5c4"
        hash4 = "292bf92948a288e21727a1995a0bd004474832bd5854087fd2e7560d792d5460"
        hash5 = "3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7"
        hash6 = "45f28f11f624eb715065ff41967316da30c2cbb9c48357f64cf3017faeeac1fb"
        hash7 = "6f3a261f5c90e71d4a5a754e2f81acedb28f1bf50b972ac03cb58d463427d7a5"
        hash8 = "90a9694e1fb057186d1d44dff548d5b11934c0d97cea2660166dc66e5df9009b"
        hash9 = "d31742a33f52f5d3326a828f73c666d605c07b2070f5a863fce7d97a4b1cfee2"
        hash10 = "dd8c89f9a9143c5a59b1410f4854785b4d4d5a6ff9a7e7d53ad516c1bec26e1e"
        hash11 = "e27315d539696f064a70ba6eb05aa07c5a3e4399ff205f4477117dd7fd04d35b"
        hash12 = "f56487db1a1db8114cb92aca99cc6b4d3beab535151e7faea2e72b2071480dfc"
        hash13 = "fb1a2435bbdf97962fc8de17a5778d46b13f858e2fd412f429fba3e08475a3df"
        hash14 = "c7ae4f3e1667ffa12be467f2ec188bd6f302d36c3bd0f872fce8de0ce263fb5d"
        hash15 = "d12b533e35f1a0383b9ed561a9db1761dbe9e6310d3454a3f4e80cfe198c6102"
        hash16 = "a6db04a95a145b8caf79b42f5d5b6e3d4ee04cb8ce85c241121f80c3935775de"
        hash17 = "92d6fccd61fa03ff83d8b192449f8edccab17afc032b4b9a5f8979f3fd32ddf9"
        hash18 = "f00b3bcbfcb46a41767a5187d0401c05f4edc0d70782c5c54708f2805916c514"
        hash19 = "192792855f8f3fe629eb4c8608e73db44b6b00368168f67b7cdb8bcb81f0584e"
    strings:
        $s1 = "ssvchost.exe" fullword wide
        $s2 = "vssadmin.exe" fullword wide
        $s3 = "$a63a87f5-c842-4804-a82f-26d2e707bacf" fullword ascii // .NET TypeLib Id
        $s4 = "\\Decrypt Instructions.txt" fullword wide
        $s5 = "targetDirectory" fullword ascii
        $s6 = "ssvchost" fullword ascii
        $s7 = "get_KeySize" fullword ascii
        $s8 = "ssvchost.Properties" fullword ascii
        $s9 = "CreatePassword" fullword ascii
        $s10 = "/C choice /C Y /N /D Y /T 5 & DEL " fullword wide
        $s11 = "_publicKey" fullword ascii
        $s12 = "encryptDirectory" fullword ascii
        $s13 = "SSvchost" fullword wide
        $s14 = "delete shadows /all /quiet" fullword wide
        $s15 = "_encrptedComputerInfo" fullword ascii // static string name
        $s16 = "Death.Form1.resources" fullword ascii
        $s17 = "ParaEncrypt.Properties.Resources" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 50KB and ( 8 of them ) ) or ( all of them )
}
```
MITRE ATT&CK mapping (Technique_ID, Technique, Sub-technique / observed behavior):
T1059  Command-Line Interface  Runs shell commands
T1215  Kernel Modules and Extensions  Opens the Kernel Security Device Driver (KsecDD) of Windows
T1179  Hooking  Installs hooks/patches the running process
T1055  Process Injection  Writes data to a remote process
T1107  File Deletion  Deletes volume snapshots
T1112  Modify Registry  Modifies proxy settings
T1012  Query Registry  -