Ransomware Roundup – Sirattacker and ALC Ransomware

Read Time:8 Minute, 40 Second


On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This latest edition of the Ransomware Roundup covers the Sirattacker and ALC ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High

Sirattacker Ransomware

Overview

Sirattacker is one of the latest Chaos ransomware variants. It was first released in the middle of February 2023. Several versions of Chaos ransomware builders are available in Dark Web underground networks, which allow anyone to generate Chaos ransomware with custom configurations.

FortiGuard Labs previously published the following blogs on Chaos ransomware:

Sirattacker Ransomware Infection Vector

Sirattacker ransomware is likely distributed as an Ethereum mining app because all samples include an Ethereum file icon, and some are even named “ETH [3-digit number].exe”.

Figure 1. Sirattacker file icon

Another Chaos ransomware variant called “Bruh,” also masquerading as a cryptocurrency generator, was reported in the previous week. While there is no apparent connection between Sirattacker and Bruh ransomware, it’s a curious coincidence.

Sirattacker Ransomware Execution

Once the Sirattacker ransomware is executed, it encrypts files on the victim’s machine and adds random four-letter file extensions to their filenames. Older Chaos ransomware variants are known to overwrite files larger than 2,117,152 bytes with random bytes, which makes file recovery impossible (unless the affected files are properly backed up). In some cases, attackers demand a ransom payment, knowing that most files are unrecoverable. Luckily, Sirattacker ransomware samples appear to be generated using a newer Chaos ransomware generator, as larger files are encrypted instead of overwritten.

Figure 2. Files encrypted by Sirattacker ransomware

Once files are encrypted, Sirattacker displays a ransom note on the Command Prompt.

Figure 3. Ransom message displayed by Sirattacker ransomware

The ransomware then replaces the desktop wallpaper with its own. The new wallpaper contains an almost identical message to the ransom note and asks victims to contact the attacker by email.

Figure 4. Screenshot of the desktop wallpaper replaced by Sirattacker ransomware

Currently, the Bitcoin wallet the Sirattacker ransomware actor uses has no money left in it. However, the wallet shows that in the latest transaction, recorded on February 24, 2023, the attacker sent a small amount of Bitcoin (0.00150106) to another wallet. However, as of this writing, that wallet was holding a whopping 538.57136296 Bitcoin—worth more than $12 million.

Figure 5. Bitcoin wallet used by the Sirattacker ransomware threat actor

Figure 6. Transactions recorded in the attacker’s Bitcoin wallet

Over the last few months, the attacker appears to have systematically transferred Bitcoin in and out of the wallet. For example, on February 24, 2023, $35.13 worth of Bitcoin was deposited to the attacker’s wallet. That amount of Bitcoin was transferred to another wallet on the same day. Note that screenshots were edited to highlight the attacker’s transactions.

Figure 7. Incoming transaction recorded on February 24, 2023

Figure 8. Outgoing transaction recorded on February 24, 2023

While there is no evidence that those transactions are associated with the Sirattacker ransomware, it potentially indicates that the Sirattacker ransomware threat actor has been actively involved in other illicit activities over the past few months. 

ALC Ransomware

Overview

ALC is a recently reported ransomware. It is known for a message aimed at “Russia and its counterpart” in its ransom note. FortiGuard Labs analyzed the ransomware and found it is much more than meets the eye.

ALC Ransomware Infection Vector

Information on the infection vector used by this group is not currently available. However, it is not likely to differ significantly from other ransomware groups.

ALC Ransomware Execution

Once ALC ransomware runs, it creates several files on the victim machine’s Desktop. Note that some ALC ransomware samples do not create the AlcDif.exe file shown in the image below.

 

Figure 9. Screenshot of Desktop with files created by ALC ransomware

RUS!.txt is a ransom note containing a message with incorrect word choices, indicating that the authors are not native English speakers. For example, “Decrypted” is likely meant to be “Encrypted,” and Russsia is a misspelling of “Russia.” Per the ransom note, ALC ransomware targets “Russia and its counterparts,” which may imply China, Iran, Belarus, and others.

The ransom note asks the victim to contact the attacker on Telegram, an encrypted instant messaging app popular with cybercriminals. However, no contact information or ransom price is provided in the note.

Figure 10. ALC ransomware’s ransom note

Some of the ALC ransomware samples create an executable file named AlcDif.exe. It is used to create a more sophisticated ransom note. Once the ransomware executes the file, it runs in full screen in a probable attempt to scare victims by imitating a lock screen. If the victim uses multiple monitors, the program only occupies the primary monitor. The program also “toggles” Task Manager. Task Manager gets disabled when the program is run for the first time. Running it again reenables it.

This is the ransom note displayed by AlcDif.exe:

Figure 11. Screenshot of ALC ransomware’s lock screen

Unlike the ransom note in the text file, this ransom screen provides a contact address, the attacker’s crypto wallet information, a ransom price, and a unique ID assigned to the victim. However, the ransom screen lacks coherence as the provided crypto wallet does not exist, and the QR code does not work. Also, the ransom screen lists a cryptocurrency ransom of 554 Monero (over $80,000 using the exchange rate on February 27th, 2023) even though a $2,000 price tag is listed under the QR code.

Figure 12. QR code scan

Most importantly, ALC ransomware does not encrypt any files, classifying it as more of a scareware. However, the ransomware sets up cryptography (it generates a random value, hashes it, creates a GO cipher object for AES, encrypts the AES key using the hard-coded RSA public key, and writes the encrypted key in an ALCKEY file), enumerates files on the compromised machine, and saves a list of those files in a separate text file for each drive found (i.e., “C.txt” contains a list of files found in C drive). That evidence leads us to two possible conclusions: either the attacker tries to cheat money out of victims knowing full well the program does not encrypt files, or the program is still in beta.

Figure 13. Screenshot of ALCKEY containing encrypted AES key

Fortinet Protections

Fortinet customers are already protected from these malware variants through FortiGuard’s Web Filtering, AntiVirus, and FortiEDR services, as follows:

FortiGuard Labs detects known Sirattacker ransomware variants with the following AV signatures:

FortiGuard Labs detects known ALC ransomware variants with the following AV signatures:

  • W32/Filecoder.CD!tr
  • W32/Malicious_Behavior.SBX
  • W32/PossibleThreat

IOCs

File-based IOCs:

SHA256

Malware

a80908bcd96a8df6070eb9a9c83739c8d95c34d7d81b890bacda91bb05c53267

Sirattacker ransomware

b3be7cf75ded8a3dec4a78a9dcf32ff433ac5fa5743d5c27b77dd67f9d6a427b

 

Sirattacker ransomware

b8a277a731485717c01a7d20fb6af795fa823a219b9b01ee2f476889610a28da

 

Sirattacker ransomware

d4d7fb3c49feed626b24e5db8735547d7b244705342dcc301faafa0b9ac72bf1

 

Sirattacker ransomware

e6de7531d2c7900ff73b30e33170fd7530fb7771518503c65203b1a419a8d11e

 

Sirattacker ransomware

75b45fea6000b6cb5e88b786e164c777c410e11fdcf1ff99b66b43096223d734

 

Sirattacker ransomware

bbc6a34b48a4c71a4d9c2ae2d8c975f3b6caf2e17b86057ccbcb6686d1d5a642

ALC ransomware

bff07ae5ccea66b658783fcf940eaf6baa453b534af2ebe9b70f14923871d82f    

ALC ransomware

dc50ac15414b7274533cde5e1b28bfaa85353de38d4b21a8cb996412c0f6e432   

ALC ransomware

0abe1ab9c75395a4ca829028d9c8c6530bd3bfda49e4b856b6f3539b9aa36ea5     

ALC ransomware

1c5377db817c03f3c2711d351e380611291b5935ba0e2b0de763e4ef470e5bab    

ALC ransomware

456961cba9a8dfce1b66081c6a73c2f1ec676fcdedac24c678f890a3425e7260     

ALC ransomware

48b074b48bde3f15ca28983f26e855bafd6f19e8240d938b14f31417b39d9fd2    

ALC ransomware

7efa5acd25e6276d122b2e2b8055a64dc4c757fc6067d3307973327154a507ff    

ALC ransomware

84d4ca11c23a20bb220c15dbe3a363fb774081b6106c351fc9d8eab4f3b5b62c    

ALC ransomware

 

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact to an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE trainingNSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry’s leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

If you think this or any other cybersecurity threat has impacted you, please contact our Global FortiGuard Incident Response Team

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.



Source link

Happy
Happy
0 %
Sad
Sad
0 %
Excited
Excited
0 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
0 %
Previous post Ransomware Roundup – Sirattacker and ALC Ransomware
Next post Fortinet Solitary-Seller SASE Supports Do the job From Wherever with New Capabilities