Ransomware Roundup – CatB Ransomware
This bi-weekly Ransomware Roundup report from FortiGuard Labs looks at ransomware variants that have gained traction within our datasets and the wider OSINT community. It aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against these variants.
This latest edition of the Ransomware Roundup covers the CatB ransomware.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High
CatB Ransomware Overview
CatB is a reasonably new entrant to the ransomware field, with samples only dating back to December 2022. However, FortiGuard Labs has also found additional samples we believe with medium confidence to be from the same threat actor owing to their using the same Bitcoin wallet. These date to November 2022.
The CatB threat actor does not offer a web portal (on TOR or otherwise) to name and shame victims. Contact is only available via an e-mail address in the ransom note.
As of the time of writing, there is no indication that the malware operators use a Ransomware-as-a-Service model.
CatB Ransomware Infection Vector
Information on the infection vector used by this group is not currently available. However, it’s not likely to differ significantly from those used by other ransomware groups.
CatB Ransomware Dropper Execution
CatB uses a dropper packaged into a Microsoft Windows Dynamic Link Library (.dll) file. Contained within the dropper is a second .dll file that contains the payload responsible for encrypting files on the victim’s machine. This particular version of CatB uses DLL sideloading to execute the payload’s code. (DLL sideloading places a malicious DLL file in the same directory as a trusted executable. When the executable tries to load a DLL with the same name, the attacker’s DLL is loaded instead.)
Execution of the dropper is accomplished using the Windows “rundll32.exe” application.
The dropper is packed using UPX, which unpacks the file and executes the code inside.
Once the primary code executes, CatB creates an array of barriers to prevent analysis and execution on virtual machines/sandboxes. To validate that the malware has been loaded on a legitimate target, each barrier must be met before the payload is dropped and executed.
Among the first of these is a check for the number of processors on the system.
Given that most modern physical Windows devices are multi-processor/multi-core computers, there must be at least two to continue.
In addition to multi-core processors, most current systems have more than 2GB of RAM installed. Figure 4 above shows a comparison being made to the value of 800 in hexadecimal. In decimal, this corresponds to 2048 or 2GB. The value must be this or greater to continue.
The next test involves the hard disk. Most virtual machines are created with just enough resources to do their intended job, while a physical device will have much more.
The dropper attempts to validate that the hard disk on the machine meets certain criteria. It uses the API call “DeviceIOControl” to determine this by passing a value of 70000 in hexadecimal. This corresponds to 458752, which is the control code for IOCTL_DISK_GET_DRIVE_GEOMETRY. This provides a mechanism to obtain information on a physical disk (e.g. tracks, sectors and cylinders).
If all checks pass, the dropper creates the file “oci.dll”.
As mentioned, this version of CatB uses DLL sideloading to execute the payload in “oci.dll”. To do this, the Microsoft Distributed Transaction Coordinator (MSDTC) service is used to facilitate the process. As MSTDC starts, it reads several DLLs from “C:\windows\system32”, which now contains the malicious version of “oci.dll”.
CatB alters the username of the service to “LocalSystem” and then starts MSDTC.
Even if one anti-VM check fails, MSDTC will still be started. However, it will quickly be followed by a termination event, thereby ending the execution of CatB.
Otherwise, “oci.dll” begins its run to encrypt the host system.
CatB Ransomware Payload Execution
CatB looks for files to encrypt beyond just the “C:\” drive, enumerating additional mounted hard drive volumes up to “I”.
The ransomware will not encrypt anything that might be considered a functional system file that would prevent a possible recovery (and thereby eliminate any reason to pay a ransom).
Interestingly, CatB does not deploy a ransom note in an obvious location (e.g., the user’s desktop) as other ransomware strains do. Instead, every encrypted file has the ransom note prepended to the top of the file.
As shown in figures 11 and 12, the ransom demanded is steep at 50BTC on day 1. This is approximately $1,102,010.00 (as of the date of this writing). The cost escalates daily until day five, when it indicates that data will no longer be recoverable.
The Bitcoin address used in this sample, along with similar ransomware samples FortiGuard Labs has found, had no funds at the time of writing.
As mentioned earlier, the only contact method available is through the attacker’s Proton Mail address.
Fortinet customers are already protected from this malware variant as follows:
FortiGuard Labs detects known CatB ransomware variants with the following AV signatures:
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.
Unpacked CatB Dropper
CatB Malware Family
CatB Malware Family
FortiGuard Labs Guidance
Due to the ease of disruption, damage to daily operations, potential impact to an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.
Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.
Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.
As part of the industry’s leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.
Best Practices include Not Paying a Ransom
Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).
How Fortinet Can Help
If you think this or any other cybersecurity threat has impacted you, contact our Global FortiGuard Incident Response Team. FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).
Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and our FortiGuard AI-powered security services portfolio.