Malware Analysis Spotlight: Paymen45 Ransomware
Ransomware continues to be a prevalent threat for enterprises across the globe. The 2020 Verizon Data Breach Investigations Report found that ransomware featured in 27 percent of malware incidents (compared to 24 percent in the 2019 DBIR) and that 18 percent of organizations reported blocking at least one piece of ransomware last year. Joseph Carson, chief security scientist and Advisory CISO at Thycotic, expanded on this topic: “ransomware will continue to be the biggest threat in the future, not only for companies but celebrities, governments, and others.” In this Malware Analysis Spotlight, the VMRay Labs Team will examine Paymen45 Ransomware, a new ransomware strain first identified around April 2020.
This sample of Paymen45 Ransomware was first seen in the wild on May 11th, 2020.
The sample contains an extensive list of services that it deletes through sc.exe. This list and many other strings are stored encrypted, and Paymen45 uses WinCrypt functions to decrypt them at runtime, which makes it harder to extract the strings statically from the sample. To perform the decryption, the sample uses a hard-coded AES-256 key (Figure 1.1), which it imports with the CryptImportKey function. Subsequently, it calls CryptDecrypt on each encrypted string (Figure 1.2).
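CryptImportKey accepts a raw symmetric key in the PLAINTEXTKEYBLOB layout (BLOBHEADER, a DWORD key length, then the key bytes), so an analyst who knows the layout can locate the hard-coded key in a memory dump or data section without stepping through the decryption routine. The following scanner is an added example for this post, not VMRay's tooling or code from the sample; it assumes the key is stored as a PLAINTEXTKEYBLOB (the post only says a hard-coded AES-256 key is imported) and uses a constructed key and buffer, not the real Paymen45 key.

```python
import struct

# CryptoAPI constants from wincrypt.h.
PLAINTEXTKEYBLOB = 0x08
CUR_BLOB_VERSION = 0x02
CALG_AES_128 = 0x660E
CALG_AES_192 = 0x660F
CALG_AES_256 = 0x6610
AES_ALGS = {
    CALG_AES_128: ("AES-128", 16),
    CALG_AES_192: ("AES-192", 24),
    CALG_AES_256: ("AES-256", 32),
}

# BLOBHEADER: BYTE bType, BYTE bVersion, WORD reserved, ALG_ID aiKeyAlg (little-endian).
BLOBHEADER = struct.Struct("<BBHI")


def parse_plaintext_key_blob(buf, offset=0):
    """Parse a PLAINTEXTKEYBLOB starting at buf[offset].

    Returns (algorithm_name, key_bytes) or None if the bytes do not form a
    well-formed AES plaintext key blob (wrong header, unknown ALG_ID,
    inconsistent key length, or truncated data).
    """
    if offset + BLOBHEADER.size + 4 > len(buf):
        return None
    btype, bver, reserved, alg = BLOBHEADER.unpack_from(buf, offset)
    if btype != PLAINTEXTKEYBLOB or bver != CUR_BLOB_VERSION or reserved != 0:
        return None
    if alg not in AES_ALGS:
        return None
    name, expected_len = AES_ALGS[alg]
    (keylen,) = struct.unpack_from("<I", buf, offset + BLOBHEADER.size)
    if keylen != expected_len:          # AES key length must match the ALG_ID
        return None
    start = offset + BLOBHEADER.size + 4
    key = buf[start:start + keylen]
    if len(key) != keylen:              # blob runs past the end of the buffer
        return None
    return name, bytes(key)


def find_aes_key_blobs(buf):
    """Scan a byte buffer (e.g. a dumped .data section) for AES PLAINTEXTKEYBLOBs.

    Returns a list of (offset, algorithm_name, key_bytes) tuples.
    """
    hits = []
    for i in range(len(buf) - BLOBHEADER.size):
        # Cheap pre-filter on the two header bytes before a full parse.
        if buf[i] == PLAINTEXTKEYBLOB and buf[i + 1] == CUR_BLOB_VERSION:
            parsed = parse_plaintext_key_blob(buf, i)
            if parsed:
                hits.append((i, parsed[0], parsed[1]))
    return hits


def build_blob(alg, key):
    """Build a PLAINTEXTKEYBLOB; used only to construct the sample buffer below."""
    return (BLOBHEADER.pack(PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg)
            + struct.pack("<I", len(key)) + key)


# Constructed test data: a fake 32-byte key embedded between filler bytes.
SAMPLE_KEY = bytes(range(0x10, 0x30))
SAMPLE_DATA = (b"\x00" * 13
               + build_blob(CALG_AES_256, SAMPLE_KEY)
               + b"junk"
               + build_blob(CALG_AES_128, b"A" * 16))

if __name__ == "__main__":
    for off, name, key in find_aes_key_blobs(SAMPLE_DATA):
        print(f"offset {off}: {name} key {key.hex()}")
```

Once the key is recovered this way, the encrypted string table can be decrypted offline with any AES implementation, provided the mode and IV (not stated in the post) are confirmed from the CryptSetKeyParam calls around CryptDecrypt.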
Paymen45 tries to achieve persistence by using the \CurrentVersion\Run Registry key. In contrast to many other malware samples, it does not copy itself to a safe location. Instead, the sample uses its executable’s current location (Figure 2.1).
If the victim deletes the sample from this easily accessible location and the computer is rebooted, the encryption is interrupted and the files not yet processed remain untouched.
Through persistence, the ransomware continues to encrypt user files even if the initial encryption phase is interrupted by a reboot of the machine.
The next step in the attack is to delete the services in the previously mentioned list. The sample creates read and write pipes that are supplied to the child process of cmd.exe during its creation (Figure 3.1). These anonymous pipes are used to communicate with the created process. It sends commands through the pipe to delete all the services in the decrypted list (Figure 3.1). This has the advantage that the commands and their arguments are not visible as command-line arguments of cmd.exe.
In the VMRay Analyzer Report, we can easily view the communication between both processes by investigating the data written to the pipe.
Although the commands are sent through anonymous pipes and therefore do not appear in the arguments of the cmd.exe process, each delete-service command spawns a new instance of sc.exe with the service name as a visible argument (Figure 3.2).
In addition to the service deletion, running processes that could prevent the ransomware from being able to encrypt user files are terminated. In the analysis, the sample stops the processes of dwm.exe, taskhost.exe, taskeng.exe and outlook.exe (Figure 4.1).
As mentioned before, Paymen45 decrypts all internal strings at runtime, including the name of the mutex (Figure 5.3), the file extension used for encrypted files (Figure 5.1), and the ransom note.
For this particular sample, the mutex name and file extension are hard-coded and do not depend on the execution environment. This means that the mutex and file extension can be used as threat intelligence indicators to identify the binary.
After the file encryption phase, Paymen45 ensures that the victim cannot recover encrypted files from system restore points.
The sample uses Microsoft’s tool vssadmin to delete all shadow copies (Figure 6.1).
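Several of the behaviours described above leave process- and registry-level telemetry even though the command text itself travels over anonymous pipes: the Run key entry pointing at the executable's original, user-writable location, the burst of sc.exe instances with "delete" as their first argument all sharing one cmd.exe parent, and the vssadmin call that removes shadow copies. The detection logic below is an added example written for this post, not VMRay's product logic or code from the sample. It runs over a constructed, simplified set of Sysmon-style events (event ID 1 for process creation and 13 for registry value set are real Sysmon IDs; the field names, paths, PIDs and service names are invented for the example, and the "/all /quiet" switches are standard vssadmin syntax rather than something the post quotes).

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Directories from which an autorun entry is considered expected; anything
# else (Downloads, Temp, Desktop, ...) is treated as suspicious.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed events (not real telemetry). id 1 = process create, 13 = registry value set.
EVENTS = [
    {"id": 13, "time": "2020-05-11T10:00:00", "pid": 4000,
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update",
     "details": "C:\\Users\\victim\\Downloads\\invoice.exe"},
    {"id": 13, "time": "2020-05-11T10:00:00", "pid": 9000,
     "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor",
     "details": "C:\\Program Files\\Vendor\\app.exe"},
    {"id": 1, "time": "2020-05-11T10:00:01", "pid": 4100, "ppid": 4000,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"},
] + [
    {"id": 1, "time": f"2020-05-11T10:00:0{i + 2}", "pid": 4200 + i, "ppid": 4100,
     "image": "C:\\Windows\\System32\\sc.exe", "cmdline": f"sc  delete SampleSvc{i}"}
    for i in range(5)
] + [
    {"id": 1, "time": "2020-05-11T10:00:30", "pid": 4300, "ppid": 4000,
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 1, "time": "2020-05-11T10:05:00", "pid": 5000, "ppid": 9999,   # benign admin query
     "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc query SampleSvc0"},
]


def _t(s):
    return datetime.fromisoformat(s)


def _basename(path):
    return ntpath.basename(path).lower()


def detect_run_key_untrusted_path(events):
    """Run-key values whose target lives outside trusted program directories."""
    findings = []
    for e in events:
        if e["id"] != 13 or "\\currentversion\\run\\" not in e["target"].lower():
            continue
        path = e["details"].strip('"').lower()
        if not path.startswith(TRUSTED_PREFIXES):
            findings.append(("run_key_untrusted_path", e["pid"], e["details"]))
    return findings


def detect_sc_delete_burst(events, min_count=3, window=timedelta(seconds=60)):
    """At least min_count 'sc delete' children of one parent inside the window."""
    per_parent = defaultdict(list)
    for e in events:
        if e["id"] == 1 and _basename(e["image"]) == "sc.exe":
            args = e["cmdline"].lower().split()
            if len(args) >= 2 and args[1] == "delete":
                per_parent[e["ppid"]].append(_t(e["time"]))
    findings = []
    for ppid, times in per_parent.items():
        times.sort()
        for i in range(len(times) - min_count + 1):
            if times[i + min_count - 1] - times[i] <= window:
                findings.append(("sc_delete_burst", ppid, len(times)))
                break
    return findings


def detect_shadow_copy_deletion(events):
    """vssadmin invoked to delete shadow copies."""
    findings = []
    for e in events:
        if e["id"] == 1 and _basename(e["image"]) == "vssadmin.exe":
            cl = e["cmdline"].lower()
            if "delete" in cl and "shadows" in cl:
                findings.append(("shadow_copy_deletion", e["pid"], e["cmdline"]))
    return findings


def run_all(events):
    return (detect_run_key_untrusted_path(events)
            + detect_sc_delete_burst(events)
            + detect_shadow_copy_deletion(events))


if __name__ == "__main__":
    for finding in run_all(EVENTS):
        print(finding)
```

The burst rule keys on the parent PID rather than on the command line of cmd.exe precisely because, as the post notes, the pipe-fed commands never appear in cmd.exe's arguments; the single benign "sc query" from another parent does not trigger it.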
Finally, the ransom note shown at the beginning of the post is dropped into multiple directories with the filename readme-warning.txt (Figure 7.1).
The author demands a ransom in exchange for the decryptor (Figure 0).
The communication website is hosted on the Tor network: hxxp://paymen45oxzpnouz[.]onion/