Like Tears in Rain: A DeathHiddenTear Ransomware Breakdown

A Synopsis of the Threat

 

A new variant of the Hidden Tear ransomware, named “DeathHiddenTear”, has been seen over the last several months, impacting small to medium businesses (“SMB”). Like most ransomware, it has the capabilities of deleting data recovery mechanisms (e.g., volume shadow copies), encrypting files using AES and generating a ransom note that contains contact information and a RSA key. Some victims have reported paying the ransom for a buggy decryptor that either doesn’t work at all or partially. Optiv experienced similar issues with a purchased decryptor.

 

Intelligence sources suggest the threat actor behind DeathHiddenTear is primarily Russian speaking. The campaign began in the second half of February 2020 and is aimed at English-speaking users but has been observed worldwide. The attacks are most commonly exploited through insecure RDP as initial entry vector and primarily targeting small to medium businesses.

 

Security researchers created and released the original Hidden Tear ransomware’s source code to demonstrate how ransomware functions. Various threat actors acquired this source code and have since made their own versions of the malware. Optiv has seen several minor versions of DeathHiddenTear with two major releases. The need for a second version was likely because version 1 had a bug that allowed for possible decryption, which was revealed by security researcher @demonslay335 on Twitter. The second version, “DeathHiddenTearV2”, contains a fix for this bug and can be discerned by the method in which the decryption password is created as well as a change in the file extensions used on the encrypted data. The encrypted files may have file extensions .encryptedS and .encryptedL or .encS and .encL. The “S” and “L” identify files as small or large, differentiated by being greater or less than 500MB in size. In some cases, the file extensions are simply .enc, without a file size indicator, which we observed in the most recent samples submitted to VirusTotal. There is no publicly available decryptor for V2 at this time.

 

Analyzed Samples in the Wild

 

As of the writing of this post, we found 19 unique samples on VirusTotal, first observed on February 19, 2020 and the most recent submission uploaded on June 17, 2020. The email addresses in the ransom notes used either cock.li or photonmail.ch email services.

 

An example of the decryption note from a VirusTotal submission is seen below:

 

Death Hidden Tear 1

 

String analysis of multiple samples revealed two C2 IP addresses used to send logging.

 

Death Hidden Tear 2

 

Strings of d31742a33f52f5d3326a828f73c666d605c07b2070f5a863fce7d97a4b1cfee2

 

Death Hidden Tear 3

 

Strings of 3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7

 

An interesting finding about these IP addresses is their association with a virtual private service (“VPS”). belonging to Virtual Systems LLC in Ukraine (https://virtualsystems[.]net). This company has IP addresses in 34 subnets and hosting for over four thousand domains. Some IP addresses related to the autonomous system number belonging to Virtual Systems LLC (AS30860) were also found to be associated with malware and phishing campaigns. It should be made clear that Virtual Systems LLC is identified as a service used by the threat actor and is not known to be under control of the threat actor. We’ve also observed Tor anonymization services being used in the attacks.

 

All subnets found to be related to the Virtual Systems LLC AS number (AS30860) are provided below:

 

"30860","YURTEH-AS, UA"
91.213.175.0/24
141.98.232.0/24
176.119.26.0/24
176.119.29.0/24
152.89.60.0/24
91.235.142.0/24
185.233.185.0/24
45.141.156.0/24
176.119.31.0/24
87.120.36.0/24
152.89.62.0/24
176.119.27.0/24
91.235.143.0/24
193.107.202.0/24
176.119.25.0/24
176.119.28.0/24
45.95.235.0/24
185.233.186.0/24
77.83.117.0/24
193.23.181.0/24
152.89.63.0/24
176.119.30.0/24
193.107.200.0/23
91.224.10.0/24
91.237.250.0/24
91.235.142.0/23
193.107.201.0/24
176.119.26.0/23
152.89.61.0/24
176.119.24.0/24
91.208.115.0/24
91.230.121.0/24
91.223.77.0/24
193.107.200.0/24

 

Subnets Related to VirtualSystems LLC, AS30860

 

Technical Analysis

 

The DeathHiddenTear ransomware is not overly complex and has typical process tree characteristics of many ransomware threats. The original filename in earlier samples varies from skipc.exe, ssvchost.exe and similar variations while more recent samples have been named ParaEncrypt.exe and sc.exe. It’s likely dropped on a system compromised through other vectors such as insecure RDP.

 

Death Hidden Tear 4

 

In the process tree example above, two commands are invoked by the malware:

 

2788. Removes the Shadow Copy to avoid recovery of the system

 

vssadmin.exe delete shadows /all /quiet

 

2848. Uses choice.exe to delete itself after running

 

cmd.exe /C choice /C Y /N /D Y /T 5 & DEL C:\Users\\Downloads\skipc.exe

 

Let’s drill further into the binaries themselves for a deeper understanding. We examined 19 samples in total from VirusTotal and surprisingly enough there are slight changes over time. We identified minor changes such as adding target file extensions, modifications to the encryption cipher mode from CBC to CFB and combining two file encryption methods different for small and large file into a single method for all targeted files. Major changes included a more secure method of generating the decryption password, wiping deleted data on disk, and renaming the namespace. As relatively short .NET programs, there isn’t a lot to look at but we can examine the basic functionality and make some comparisons between versions.

 

SHA256 File Ext Version C2 Compile Timestamp Email in ransom note
fb1a2435bbdf97962fc8de17a5778d46b13f858e2fd412f429fba3e08475a3df .enc v1 none 2/8/2020 17:31 data4days@cock.li
f56487db1a1db8114cb92aca99cc6b4d3beab535151e7faea2e72b2071480dfc .encS, .encL v1 none 2/16/2020 17:14 allzdata@cock.li
e27315d539696f064a70ba6eb05aa07c5a3e4399ff205f4477117dd7fd04d35b .enc v1 none 3/20/2020 15:35 jakejake1234@cock.li
dd8c89f9a9143c5a59b1410f4854785b4d4d5a6ff9a7e7d53ad516c1bec26e1e .enc v1 none 3/21/2020 16:31 jakejake12345@cock.li
d31742a33f52f5d3326a828f73c666d605c07b2070f5a863fce7d97a4b1cfee2 .encryptedS, .encryptedL v1 176.119.28.97 3/27/2020 17:10 jackiedata@cock.li
90a9694e1fb057186d1d44dff548d5b11934c0d97cea2660166dc66e5df9009b .enc v1 none 3/27/2020 17:10 jackiedata@cock.li
6f3a261f5c90e71d4a5a754e2f81acedb28f1bf50b972ac03cb58d463427d7a5 .enc v1 none 4/2/2020 16:27 bigdatahost@protonmail.ch
45f28f11f624eb715065ff41967316da30c2cbb9c48357f64cf3017faeeac1fb .enc v1 none 4/3/2020 17:47 bigdatahost@protonmail.ch
3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7 .encryptedS, .encryptedL v1 91.235.143.205 4/8/2020 18:07 bigdatahost@protonmail.ch
292bf92948a288e21727a1995a0bd004474832bd5854087fd2e7560d792d5460 .encS, .encL v1 none 4/10/2020 17:30 somedatahere@protonmail.ch
06b453e6e2d5c4e767e9feaeec54061f8071df06a53fdb344e52a7b159ddc5c4 .enc v1 none 4/24/2020 16:21 datauser17234@protonmail.ch
0536101f67a64732a09b3a297a3a31eb31f3b09df54a499b37ba3f5fedc800cd .enc v2 none 4/24/2020 16:21 datauser17234@protonmail.ch
01697ac491a7d1d9c7f3681a65e4cb05ce8637e1127c0bde718fcd55c0039660 .enc v2 none 5/15/2020 17:53 palmettovdc@protonmail.ch
c7ae4f3e1667ffa12be467f2ec188bd6f302d36c3bd0f872fce8de0ce263fb5d .enc v1 none 5/16/2020 13:23 bigdatahost@protonmail.ch
d12b533e35f1a0383b9ed561a9db1761dbe9e6310d3454a3f4e80cfe198c6102 .enc v1 none 5/16/2020 13:23 bigdatahost@protonmail.ch
a6db04a95a145b8caf79b42f5d5b6e3d4ee04cb8ce85c241121f80c3935775de .enc v2 none 6/6/2064 9:21 DecryptMe1956@protonmail.ch
92d6fccd61fa03ff83d8b192449f8edccab17afc032b4b9a5f8979f3fd32ddf9 .enc v2 none 9/9/2094 11:27 BCSDataHere@protonmail.ch
f00b3bcbfcb46a41767a5187d0401c05f4edc0d70782c5c54708f2805916c514 .enc v2 none 3/25/2076 17:49 riverrundatahere@protonmail.ch
192792855f8f3fe629eb4c8608e73db44b6b00368168f67b7cdb8bcb81f0584e .enc v2 none 12/4/2064 6:34 DecryptMe1956@protonmail.ch

 

We examined the malware samples using open source dnSpy, a debugger and .NET assembly editor. At roughly 500 lines of code in length, the author goes the extra mile for maintaining well organized classes with descriptive method names.

 

Death Hidden Tear 6

 

As we found with string analysis revealing C2 IP addresses mentioned earlier in this post, two of the samples analyzed contain a WebRequest with in the main function sending a start and finish log containing the victim computer name. These IP’s are described more in the first half of this posting. The binary deletes itself using choice after executing.

 

Death Hidden Tear 7

 

The “encryptDirectory” method targets specific content for the encryption stream. The earliest versions we analyzed included 243 file extensions whereas the most recent compiled sample targets 250 file extensions. The data types targeted are common extensions for backups, databases, documents, email and multimedia.

 

Death Hidden Tear 8

 

The following method invokes the Microsoft native utility vssadmin.exe to delete volume shadow copies:

 

Death Hidden Tear 9

 

This crypto ransomware encrypts targeted user data using AES with RSA keys. A method called “FileEncrypt” performs the file encryption using the standard C# AES 256-bit encryption library, salted with 50000 iterations.

 

Death Hidden Tear 10

 

The method “CreatePassword” defined in version 1 creates a 12 character random password which is flawed using the C# System.Random number generator (“RNG”).

 

Death Hidden Tear 11

 

In comparison, the method defined in version 2 to create a password with the flaw fixed using the C# class RNGCryptoServiceProvider, making the password impossible to brute force.

 

Death Hidden Tear 12

 

Discussing secure RNG’s is a topic for another post but the basics is that Microsoftʼs implementation of System.Random has inherent weaknesses for cryptographic use cases. Referenced in this post. RNGCryptoServiceProvider is the default implementation of security standards compliant RNG due to its uniqueness and stronger cryptographic implementation.

 

ParaEncrypt

 

The samples we analyzed named ParaEncrypt.exe still maintain the same program structure but with some minor changes such as wiping deleted data on disk using Microsoft’s native utility cipher.exe, increasing the decryption password length to 30 characters, and changing the namespace to “ParaEncrypt”.

 

The updated CreatePassword method still uses RNGCryptoServiceProvider but instead of using the stringBuilder class they get a random string of integers and use that to index into the alphabet array to create a 30 character random password.

 

Death Hidden Tear 13

 

The figure below shows the added functionality using cipher.exe to overwrite deleted data for each drive attached. Note that the cipher /w command does not work for files less than 1KB in size.

 

Death Hidden Tear 14

 

Another note about these ParaEncrypt samples is the time stamps in the PE File Header that all read in the future. These time stamps can be and are often inaccurate for multiple reasons we won’t get into here but it’s a notable finding that was different from the other versions. PE File Header TimeDateStamp’s set in the future or impossibly in the past are generally good Threat Hunting indicators to look for suspicious files.

 

Death Hidden Tear 15

 

Conclusion

 

We have not observed other tools used along side this ransomware. As mentioned earlier, these attacks have primarily been opportunistic, leveraging insecure Internet-facing protocols such as RDP. It’s evident this isn’t sophisticated ransomware and it doesn’t have to be to accomplish the end goal. The majority of today’s anti-virus solutions detect all the samples we examined solely based on behavioral characteristics. It’s recommended to maintain anti-virus definition updates and operating system patches.

 

If applicable to your organization, Optiv has written a Yara rule to detect all these variants. Before implementing any new detection capability, it is recommended to perform baselining known-good activity to prevent false positives.

 

/*
Copyright 2020 Optiv Security
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/

 

rule DeathHiddenTear : Ransomware
{
meta:
description = "Yara rule for DeathHiddenTear Ransomware"
author = "Optiv Security"
date = "2020-06-17"
threat_level = 5
in_the_wild = true
file_type = "PE"
hash1 = "01697ac491a7d1d9c7f3681a65e4cb05ce8637e1127c0bde718fcd55c0039660"
hash2 = "0536101f67a64732a09b3a297a3a31eb31f3b09df54a499b37ba3f5fedc800cd"
hash3 = "06b453e6e2d5c4e767e9feaeec54061f8071df06a53fdb344e52a7b159ddc5c4"
hash4 = "292bf92948a288e21727a1995a0bd004474832bd5854087fd2e7560d792d5460"
hash5 = "3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7"
hash6 = "45f28f11f624eb715065ff41967316da30c2cbb9c48357f64cf3017faeeac1fb"
hash7 = "6f3a261f5c90e71d4a5a754e2f81acedb28f1bf50b972ac03cb58d463427d7a5"
hash8 = "90a9694e1fb057186d1d44dff548d5b11934c0d97cea2660166dc66e5df9009b"
hash9 = "d31742a33f52f5d3326a828f73c666d605c07b2070f5a863fce7d97a4b1cfee2"
hash10 = "dd8c89f9a9143c5a59b1410f4854785b4d4d5a6ff9a7e7d53ad516c1bec26e1e"
hash11 = "e27315d539696f064a70ba6eb05aa07c5a3e4399ff205f4477117dd7fd04d35b"
hash12 = "f56487db1a1db8114cb92aca99cc6b4d3beab535151e7faea2e72b2071480dfc"
hash13 = "fb1a2435bbdf97962fc8de17a5778d46b13f858e2fd412f429fba3e08475a3df"
hash14 = "c7ae4f3e1667ffa12be467f2ec188bd6f302d36c3bd0f872fce8de0ce263fb5d"
hash15 = "d12b533e35f1a0383b9ed561a9db1761dbe9e6310d3454a3f4e80cfe198c6102"
hash16 = "a6db04a95a145b8caf79b42f5d5b6e3d4ee04cb8ce85c241121f80c3935775de"
hash17 = "92d6fccd61fa03ff83d8b192449f8edccab17afc032b4b9a5f8979f3fd32ddf9"
hash18 = "f00b3bcbfcb46a41767a5187d0401c05f4edc0d70782c5c54708f2805916c514"
hash19 = "192792855f8f3fe629eb4c8608e73db44b6b00368168f67b7cdb8bcb81f0584e"
strings:
$s1 = "ssvchost.exe" fullword wide
$s2 = "vssadmin.exe" fullword wide
$s3 = "$a63a87f5-c842-4804-a82f-26d2e707bacf" fullword ascii // .NET TypeLib Id
$s4 = "\\Decrypt Instructions.txt" fullword wide
$s5 = "targetDirectory" fullword ascii
$s6 = "ssvchost" fullword ascii
$s7 = "get_KeySize" fullword ascii
$s8 = "ssvchost.Properties" fullword ascii
$s9 = "CreatePassword" fullword ascii
$s10 = "/C choice /C Y /N /D Y /T 5 & DEL " fullword wide
$s11 = "_publicKey" fullword ascii
$s12 = "encryptDirectory" fullword ascii
$s13 = "SSvchost" fullword wide
$s14 = "delete shadows /all /quiet" fullword wide
$s15 = "_encrptedComputerInfo" fullword ascii // static string name
$s16 = "Death.Form1.resources" fullword ascii
$s17 = "ParaEncrypt.Properties.Resources" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 50KB and ( 8 of them )
) or ( all of them )
}

 

Indicators of Compromise

 

IP Addresses

 

176.119.28.97
91.235.143.205

 

Email Addresses

 

data4days@cock.li
allzdata@cock.li
jakejake1234@cock.li
jakejake12345@cock.li
jackiedata@cock.li
bigdatahost@protonmail.ch
somedatahere@protonmail.ch
datauser17234@protonmail.ch
palmettovdc@protonmail.ch
DecryptMe1956@protonmail.ch
BCSDataHere@protonmail.ch
riverrundatahere@protonmail.ch

 

Hashes

 

fb1a2435bbdf97962fc8de17a5778d46b13f858e2fd412f429fba3e08475a3df f56487db1a1db8114cb92aca99cc6b4d3beab535151e7faea2e72b2071480dfc e27315d539696f064a70ba6eb05aa07c5a3e4399ff205f4477117dd7fd04d35b dd8c89f9a9143c5a59b1410f4854785b4d4d5a6ff9a7e7d53ad516c1bec26e1e d31742a33f52f5d3326a828f73c666d605c07b2070f5a863fce7d97a4b1cfee2 90a9694e1fb057186d1d44dff548d5b11934c0d97cea2660166dc66e5df9009b 6f3a261f5c90e71d4a5a754e2f81acedb28f1bf50b972ac03cb58d463427d7a5 45f28f11f624eb715065ff41967316da30c2cbb9c48357f64cf3017faeeac1fb 3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7 292bf92948a288e21727a1995a0bd004474832bd5854087fd2e7560d792d5460 06b453e6e2d5c4e767e9feaeec54061f8071df06a53fdb344e52a7b159ddc5c4 0536101f67a64732a09b3a297a3a31eb31f3b09df54a499b37ba3f5fedc800cd 01697ac491a7d1d9c7f3681a65e4cb05ce8637e1127c0bde718fcd55c0039660 c7ae4f3e1667ffa12be467f2ec188bd6f302d36c3bd0f872fce8de0ce263fb5d d12b533e35f1a0383b9ed561a9db1761dbe9e6310d3454a3f4e80cfe198c6102 a6db04a95a145b8caf79b42f5d5b6e3d4ee04cb8ce85c241121f80c3935775de 92d6fccd61fa03ff83d8b192449f8edccab17afc032b4b9a5f8979f3fd32ddf9 f00b3bcbfcb46a41767a5187d0401c05f4edc0d70782c5c54708f2805916c514 192792855f8f3fe629eb4c8608e73db44b6b00368168f67b7cdb8bcb81f0584e

 

MITRE ATT&CK Techniques

 

Technique_ID, Technique, Sub-technique

 

T1059    Command-Line Interface - Runs shell commands
T1215    Kernel Modules and Extensions - Opens the Kernel Security Device Driver (KsecDD) of Windows
T1179    Hooking - Installs hooks/patches the running process
T1055    Process Injection - Writes data to a remote process
T1107    File Deletion - Deletes volume snapshots
T1112    Modify Registry - Modifies proxy settings
T1055    Process Injection - Writes data to a remote process
T1012    Query Registry -

Reads the active computer name
Queries sensitive IE security settings
Reads the cryptographic machine GUID
Reads information about supported languages
T1120    Peripheral Device Discovery - Queries volume information

 

Sources:

 

https://www.bleepingcomputer.com/forums/t/713802/deathhidden-tear-encrypteds-encryptedl-enc-ransomware-support-topic/

https://www.hybrid-analysis.com/sample/06b453e6e2d5c4e767e9feaeec54061f8071df06a53fdb344e52a7b159ddc5c4/5eeb8a48e14ac2580b673b4a

https://ipinfo.io/AS30860

 

Incident Response Consultant II
Chris Kulakowski is a passionate technologist, innovator, and tinkerer. His career spans across 10 years of Digital Media, Information Technology, Security, and Digital Forensics roles at multiple fortune 50 companies. Chris is disciplined in incident response, insider threats, threat hunting, threat intelligence, security operations, cyber defense controls, and end-user security awareness.

Chris holds a Computer Criminology degree from Florida State University and several industry leading cyber security and digital forensics certifications including CISSP, EnCE, GCFE, and Security+. Chris is also accredited with a Stanford University Advanced Computer Security Certificate.