A targeted attack has infected several organizations in Taiwan with a previously unseen ransomware family, which we have dubbed ColdLock. The attack is potentially destructive, as the ransomware appears to single out databases and email servers for encryption.
The information we gathered indicates that this attack started hitting organizations in early May. Analysis of the malware points to similarities between ColdLock and previously known ransomware families, specifically Lockergoga, Freezing, and the open-source EDA2 “educational” ransomware kit. There have been no indications that this attack has hit any organization outside of those targeted; we do not believe that this family is currently in widespread use.
Trend Micro users are protected from this threat, which we detect as Ransom.MSIL.COLDLOCK.YPAE-A and Ransom.PS1.COLDLOCK.YPAE-A. The blog post below describes the behavior of this threat, and describes its links to other ransomware threats.
Arrival Vector
We currently do not know the initial arrival vector of this threat into a victim’s network. However, we believe that the attackers gained access to the target organization’s Active Directory servers by some means we have not yet determined. From that position they were able to set Group Policies that caused the ransomware file to be downloaded to, and run on, machines within the affected domain.
The payload arrives as a .NET assembly (a .DLL file) that has been packed and protected with ConfuserEx. A PowerShell script loads the .DLL reflectively, as a .NET assembly loaded directly into the PowerShell process, and then invokes it.
It also performs two checks before it runs. Firstly, it checks for the presence of %System Root%\ProgramData\readme.tmp, a file created by the ransom-note routine. If that file already exists the ransomware does not proceed, which prevents a system from being reinfected by the same threat.
More unusually, it checks the system clock. It will only run at or after 12:10 PM on any given day; if it is earlier, it sleeps in 15-second intervals until that time has passed.
Encryption Routines
Before it encrypts any file, the ransomware performs certain preparatory routines. Firstly, it stops several services if they are running, so that the files those services hold open can be encrypted without access violations. These services are:
These are the service names used by various databases and by the Exchange mail server. It also terminates the Outlook process.
It also checks the Windows version running on the system. On Windows 10 it carries out several version-specific routines: Windows Defender is disabled, as is the ability to send feedback and malware samples to Microsoft, and push notifications are turned off.
The actual encryption routine is slightly unusual. Whether the files within a directory are encrypted depends on a set of three conditions, namely:
If all of the above conditions are met, it will encrypt all the files in the given directory except those with the following extensions:
In other cases — where some (or all) of the conditions are not met — it will only encrypt files with the following extensions:
Files are encrypted with AES in CBC mode. The AES key and initialization vector (IV) are derived from a salt and a secret key: the salt is embedded in the code, while the secret key is generated dynamically as the SHA-256 hash of a randomly generated 32-byte string. The secret key is then encrypted with a hard-coded RSA public key and the result is embedded in the ransom note, so the files cannot be recovered without the attacker’s corresponding private key. Encrypted files get the .locked extension.
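To make that key hierarchy concrete, here is an added PowerShell example written for this page (it is not ColdLock’s code and not Trend Micro’s tooling). It reproduces the scheme just described with the .NET crypto classes a .NET ransomware would use, then shows what a responder holding only the artifacts left on the victim (the salt from the binary, a .locked file, and the wrapped secret from the ransom note) can and cannot recover. The KDF (PBKDF2 via Rfc2898DeriveBytes), the iteration count, the 256-bit key size, OAEP padding, the sample salt and the RSA key pair generated here are all assumptions; the post does not state them.

```powershell
# Added example, not ColdLock's own code. Re-creates the described key hierarchy:
#   random 32 bytes -> SHA-256 = per-victim secret
#   secret + embedded salt -> AES-256 key and IV (KDF is an assumption: PBKDF2)
#   secret wrapped with the hard-coded RSA public key -> blob pasted into the ransom note
using namespace System.Security.Cryptography
using namespace System.Text

# Stand-in for the attacker's hard-coded key pair. Only the public half ships in the
# payload; the private half stays with the attacker.
$attackerRsa = [RSACryptoServiceProvider]::new(2048)
$hardCodedPublicKeyXml = $attackerRsa.ToXmlString($false)   # public parameters only

$salt = [Encoding]::ASCII.GetBytes('salt-embedded-in-binary')   # constructed sample salt

function New-VictimSecret {
    # SHA-256 over 32 random bytes is the dynamically generated "secret key"
    $random = [byte[]]::new(32)
    [RandomNumberGenerator]::Create().GetBytes($random)
    return ,([SHA256]::Create().ComputeHash($random))
}

function Get-AesKeyAndIv([byte[]]$secret, [byte[]]$salt) {
    # Derive a 32-byte key then a 16-byte IV from secret + salt (PBKDF2, 10000 rounds: assumption)
    $kdf = [Rfc2898DeriveBytes]::new($secret, $salt, 10000)
    return @{ Key = $kdf.GetBytes(32); IV = $kdf.GetBytes(16) }
}

function Protect-Bytes([byte[]]$plain, [byte[]]$secret) {
    $kiv = Get-AesKeyAndIv $secret $salt
    $aes = [Aes]::Create(); $aes.Mode = [CipherMode]::CBC; $aes.Padding = [PaddingMode]::PKCS7
    $aes.Key = $kiv.Key; $aes.IV = $kiv.IV
    return ,($aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length))
}

function Unprotect-Bytes([byte[]]$cipher, [byte[]]$secret) {
    $kiv = Get-AesKeyAndIv $secret $salt
    $aes = [Aes]::Create(); $aes.Mode = [CipherMode]::CBC; $aes.Padding = [PaddingMode]::PKCS7
    $aes.Key = $kiv.Key; $aes.IV = $kiv.IV
    return ,($aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length))
}

# --- what happens on the victim ---
$secret    = New-VictimSecret
$plaintext = [Encoding]::UTF8.GetBytes('constructed sample: one row of a customer database')
$lockedFileBytes = Protect-Bytes $plaintext $secret      # contents of <name>.locked

# Wrap the secret with the public key; the Base64 blob is what goes into the ransom note
$victimRsa = [RSACryptoServiceProvider]::new()
$victimRsa.FromXmlString($hardCodedPublicKeyXml)
$wrappedSecret = [Convert]::ToBase64String($victimRsa.Encrypt($secret, $true))   # OAEP
[Array]::Clear($secret, 0, $secret.Length)   # the plaintext secret is not kept on the victim

# --- what a responder holds: salt, .locked bytes, wrapped secret. No private key. ---
try   { $null = $victimRsa.Decrypt([Convert]::FromBase64String($wrappedSecret), $true) }
catch { "public-key-only unwrap fails as expected: $($_.Exception.Message)" }

# Only the attacker's private half unwraps the secret; with the salt it rebuilds key and IV
$recovered = $attackerRsa.Decrypt([Convert]::FromBase64String($wrappedSecret), $true)
[Encoding]::UTF8.GetString((Unprotect-Bytes $lockedFileBytes $recovered))
```

The practical point for a responder: the salt and the .locked files are not enough, because the secret they need is the 32 bytes inside the RSA blob in the note. Preserve that blob verbatim (it is per-victim) along with a copy of the sample, since any future decryptor would need both. The same holds if the KDF the real sample uses is something other than PBKDF2; only the unwrapped secret changes the outcome.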
The ransom note is stored in various locations on the system, namely:
The contents of this note are similar to other ransomware notes:
The ransomware then changes the system’s wallpaper for all users; it now contains an instruction to read a text file (the ransom note). It does this by changing several registry settings.
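The behaviors described above (Group Policy delivery, the readme.tmp marker under ProgramData, the Windows 10 Defender and notification changes, the .locked extension and the wallpaper swap) give an incident responder concrete things to look for on a suspect host. The triage function below is an added example written for this page, not Trend Micro’s tooling. The registry value names are the standard Windows locations for the settings named in the post and the directories are the usual Group Policy script stores; the post does not name the exact keys or paths the sample touches, so treat them as assumptions and tune them to what you observe in your own environment.

```powershell
# Added triage example (not ColdLock code, not Trend Micro tooling). Assumptions are marked.
function Test-ColdLockArtifacts {
    param(
        [string[]]$Roots = @("$env:SystemDrive\"),   # where to look for .locked files
        [int]$MaxFiles = 5,                          # cap on reported .locked hits
        [int]$RecentDays = 14                        # "recent" window for GPO scripts
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The marker the sample checks before running; if present, it already ran here.
    $marker = Join-Path $env:ProgramData 'readme.tmp'
    if (Test-Path -LiteralPath $marker) { $findings.Add("marker file present: $marker") }

    # 2. Encrypted files carry the .locked extension.
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter '*.locked' -File -Recurse -ErrorAction SilentlyContinue |
            Select-Object -First $MaxFiles |
            ForEach-Object { $findings.Add("encrypted file: $($_.FullName)") }
    }

    # 3. Windows 10 tampering: Defender, sample submission / feedback, push notifications.
    #    Value names are the standard policy and user settings for these features (assumption:
    #    the post does not name the exact values the sample writes).
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';        Name = 'DisableAntiSpyware';   Bad = 1; What = 'Defender disabled by policy' }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; Name = 'SubmitSamplesConsent'; Bad = 2; What = 'sample submission set to never send' }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; Name = 'SpynetReporting';      Bad = 0; What = 'cloud reporting disabled' }
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications'; Name = 'ToastEnabled'; Bad = 0; What = 'toast notifications disabled' }
    )
    foreach ($c in $checks) {
        $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $v -and $v.($c.Name) -eq $c.Bad) {
            $findings.Add("$($c.What): $($c.Path)\$($c.Name) = $($c.Bad)")
        }
    }
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        try {
            $mp = Get-MpComputerStatus -ErrorAction Stop
            if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
        } catch { $findings.Add("Defender status unavailable: $($_.Exception.Message)") }
    }

    # 4. Wallpaper changed for every user: walk every loaded user hive, not just HKCU.
    #    Heuristic (assumption): stock wallpapers live under \Windows\Web\.
    Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue | ForEach-Object {
        $wp = (Get-ItemProperty -Path "Registry::$($_.Name)\Control Panel\Desktop" -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
        if ($wp -and $wp -notmatch '\\Windows\\Web\\') { $findings.Add("non-stock wallpaper for $($_.PSChildName): $wp") }
    }

    # 5. Delivery: scripts pushed through Group Policy. Looks at the local GPO store and, on a
    #    domain-joined host, the SYSVOL policies share (assumed locations).
    $scriptDirs = @("$env:SystemRoot\System32\GroupPolicy")
    if ($env:USERDNSDOMAIN) { $scriptDirs += "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies" }
    foreach ($d in $scriptDirs) {
        Get-ChildItem -Path $d -Recurse -Include '*.ps1', '*.bat', '*.cmd', '*.vbs' -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$RecentDays) } |
            ForEach-Object { $findings.Add("recently changed GPO script: $($_.FullName) ($($_.LastWriteTime))") }
    }

    return $findings
}

# Run elevated so that HKLM policy keys and other users' hives are readable
Test-ColdLockArtifacts | ForEach-Object { "[ColdLock triage] $_" }
```

Run this from an elevated prompt on a host you suspect, and on a clean reference host first so you know which of the registry findings are simply your own baseline policy. An empty result does not clear the machine; it means none of these specific artifacts were found, and the service kill list, the PowerShell loader and the IOC hashes below remain the stronger indicators.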
Connections to other ransomware families
At first glance this threat would seem related to Lockergoga, since both use the same extension (.locked) for encrypted files. However, other ransomware families also use this extension, which makes the connection tenuous. A stronger link exists to the Freezing ransomware family: ColdLock shares its method of propagation within networks (via compromised AD servers), its reflective injection method, and its internal module architecture.
The code also shares similarities with the open-source EDA2 ransomware kit. Several years ago, ransomware families spreading in the wild were already being built on EDA2, which was supposedly released only for “educational” purposes.
Trend Micro solutions
Ransomware continues to be a lingering threat, as we noted in our last Annual Security Roundup after seeing the number of ransomware-related detections climb from 55 million in 2018 to 61 million in 2019. Cases like this one are more dangerous, as threats that compromise enterprise infrastructure such as AD servers can propagate much more easily within enterprise networks.
Below are some of the best practices users can do to protect systems from ransomware:
For more robust and proactive defense against ransomware, the following Trend Micro Solutions are recommended:
Indicators of Compromise
SHA-256 hash | Detection Name
--- | ---
08677a3dac3609d13dc4a2a6868ee2f6c1334f4579356d162b706a03839bb9ff | Ransom.PS1.COLDLOCK.YPAE-A
c5108344e8a6da617af1c4a7fd8924a64130b4c86fa0f6d6225bb75534a80a35 | Ransom.MSIL.COLDLOCK.YPAE-A
The post Targeted Ransomware Attack Hits Taiwanese Organizations appeared first on .