Threat Analysis Unit - Threat Intelligence Notification
Title: TAU-TIN – PyCrypter Ransomware
Summary
PyCrypter is a ransomware variant that is written in Python with the source code publicly available. PyCrypter entrenches to automatically run on startup and read web browser data. It will also delete volume shadow copies by using scheduled tasks to ensure all the data cannot be restored easily. Following is the screenshot of the ransom note by PyCrypter Ransomware.
Figure 1: Screenshot of the ransom note
This post serves to inform our customers about detection and protection capabilities within the VMware Carbon Black suite of products against PyCrypter Ransomware.
Details
PyCrypter variants will perform the following behavior:
- Add registry key to ensure it will run every startup:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Crypter = “Malware Directory”
- Disable Windows Task Manager by modify its registry key value
Figure 2: Event log from Cloud Enterprise EDR (CB ThreatHunter)
- It will read user’s sensitive data from web browser from the following files:
- %APPDATA%\Roaming\Mozilla\Firefox\profiles.ini
- %APPDATA%\Local\Microsoft\Windows\History\desktop.ini
- %APPDATA%\Local\Google\Chrome*
- It will append the predefined extension value on the encrypted file; on this analyzed sample it was “.hitman”.
Figure 3: Event log from Cloud Enterprise EDR (CB ThreatHunter) displaying PyCrypter appending “.hitman” as file extension onto encrypted files.
Figure 4: Screenshot from PyCrypter created file “runtime.cfg”
- It will encrypt all files with the following list of extensions:
|
dat |
3dm |
3g2 |
rtf |
xltx |
wma |
class |
rar |
|
keychain |
3ds |
3gp |
tex |
prn |
msi |
cpp |
tar |
|
sdf |
max |
asf |
wpd |
dif |
php |
cs |
7z |
|
vcf |
obj |
flv |
wps |
slk |
apk |
h |
cbr |
|
jpg |
dds |
m4v |
csv |
xlam |
app |
java |
deb |
|
png |
psd |
mov |
ged |
xla |
bat |
lua |
gz |
|
tiff |
tga |
mpg |
key |
ods |
cgi |
pl |
pkg |
|
tif |
thm |
rm |
pps |
docm |
com |
py |
rpm |
|
gif |
tif |
srt |
ppt |
dotx |
asp |
sh |
zipx |
|
jpeg |
tiff |
swf |
pptx |
dotm |
aspx |
sln |
iso |
|
jif |
yuv |
vob |
xml |
xps |
cer |
swift |
ged |
|
jfif |
ai |
wmv |
json |
ics |
cfm |
vb |
accdb |
|
jp2 |
eps |
doc |
xlsx |
mp3 |
css |
vcxproj |
db |
|
jpx |
ps |
docx |
xlsm |
aif |
htm |
dem |
dbf |
|
j2k |
svg |
txt |
xlsb |
iff |
html |
gam |
mdb |
|
j2c |
indd |
|
xls |
m3u |
js |
nes |
sql |
|
fpx |
pct |
log |
mht |
m4a |
jsp |
rom |
fnt |
|
pcd |
mp4 |
msg |
mhtml |
mid |
rss |
sav |
fon |
|
bmp |
avi |
odt |
htm |
mpa |
xhtml |
tgz |
otf |
|
svg |
mkv |
pages |
html |
wav |
c |
zip |
ttf |
|
cfg |
ini |
prf |
bak |
old |
tmp |
torrent |
- It will also create additional files and multiple Python modules and code used by the ransomware under the folder %TEMP%_MEI[random number], such as the following listed file but not limited to:
- %APPDATA%\encrypted_files.txt
- <Running Malware directory>\key.txt
- %TEMP%\_MEI[random number]\runtime.cfg
- %TEMP%\_MEI[random number]\bitcoin.bmp
- %TEMP%\_MEI[random number]\lock.bmp
- %TEMP%\_MEI[random number]\lock.ico
- %TEMP%\_MEI[random number]\Crypto.Cipher._AES.pyd
- %TEMP%\_MEI[random number]\Crypto.Cipher._DES.pyd
- %TEMP%\_MEI[random number]\Crypto.Cipher._DES3.pyd
- %TEMP%\_MEI[random number]\Crypto.Hash._SHA256.pyd
- %TEMP%\_MEI[random number]\Crypto.Random.OSRNG.winrandom.pyd
- %TEMP%\_MEI[random number]\Crypto.Util._counter.pyd
- %TEMP%\_MEI[random number]\Crypto.Util.strxor.pyd
- %TEMP%\_MEI[random number]\Include\pyconfig.h
Figure 5: Event log from Cloud Enterprise EDR (CB ThreatHunter) showing PyCrypter creating additional files.
- It will perform the deletion of volume shadow copies by creating a scheduled task with the following command: (Refer to Figure 6 for Process Chart)
- C:\Windows\system32\cmd.exe /c "schtasks /create /tn updater47 /sc once /sd 01/01/1901 /tr "vssadmin Delete Shadows /All /Quiet" /st 00:00 /rl highest /ru SYSTEM /f"
- C:\Windows\system32\cmd.exe /c "schtasks /run /i /tn updater47"
- C:\Windows\system32\cmd.exe /c "schtasks /delete /tn updater47 /f"
Behavioral Summary
The following is a screenshot of Cloud Enterprise EDR (CB ThreatHunter) process chart by PyCrypter.
Figure 6: Process Chart by PyCrypter
In addition, VMware Carbon Black Cloud Endpoint Standard (CB Defense) will display the malware’s overall triggered TTPs.
Remediation:
MITRE ATT&CK TIDs
| TID | Tactics | Technique |
|---|---|---|
| T1045 | Defense Evasion | Software Packing |
| T1143 | Defense Evasion | Hidden Window |
| T1083 | Discovery | File and Directory Discovery |
| T1060 | Persistence | Registry Run Keys / Startup Folder |
| T1112 | Defense Evasion | Modify Registry |
| T1036 | Defense Evasion | Masquerading |
| T1053 | Execution,Privilege Escalation,Persistence | Scheduled Task |
| T1119 | Collection | Automated Collection |
| T1081 | Credential Access | Credentials in Files |
| T1005 | Collection | Data from Local System |
| T1486 | Impact | Data Encrypted for Impact |
| T1056 | Collection,Credential Access | Input Capture |
| T1490 | Impact | Inhibit System Recovery |
| T1485 | Impact | Data Destruction |
Indicators of Compromise (IOCs)
| Indicator | Type | Context |
|---|---|---|
| 4c0424fa3d761aa5bf79e3c61ab5880540d38c4fff7a241b1ef7113e3f1428d3 | SHA 256 | PyCrypter Ransomware |
| 3682a60045347162d752932e2169a41d | MD5 | PyCrypter Ransomware |
