# Hades Ransomware, the Forefather of the Phoenix Locker
Hades Ransomware is an advanced form of malware that infiltrates a system and holds the user's data for ransom. It was first discovered in December of 2020 by cybersecurity analysts and named after the Tor website that victims were instructed to visit to communicate with the ransomware operators. The malware is believed to be operated by a _lone wolf_ ransomware group, which makes it even harder to track. This should not lead to underestimating the operators, who could be very well resourced; as of now, no group has been explicitly linked to this malware.
The following is the infection process of the ransomware:

- **Initial Access:** Primary methods include gaining access over RDP or VPN with legitimate credentials, which can be obtained using other forms of malware.
- **Persistence:** Using Cobalt Strike and Empire, the operators maintain access through legitimate credentials, service creation, and C2 control across the victim's environment.
- **Privilege Escalation:** Using tools such as Mimikatz and manual enumeration of discovered credentials, they escalate their privileges.
- **Defense Evasion:** Defenses are deactivated using domain administrator credentials, which can include the following:
  - A batch script that leverages wevtutil.exe to clear event logs
  - Disabling antivirus products on endpoints
  - Modifying GPO to disable Windows audit logging
  - Manually disabling Endpoint Detection and Response tools and prevention policies
- **Discovery:** Network reconnaissance is performed using various scripts and tools such as Advanced Port Scanner.
- **Lateral Movement:** Using compromised accounts, the threat actor leverages RDP and PsExec for host-to-host lateral movement, and goes as far as installing custom builds of Chrome.exe and using native browser capability to target the victim's cloud environments.
- **Command and Control:** The threat actor deploys the Cobalt Strike framework to the impacted environments, with at least two external beacons per environment, established using RMS (Remote Manipulator System).
- **Exfiltration & Impact:** Prior to deploying the ransomware, the threat actor uses the 7-Zip utility to archive data, which is exfiltrated to a threat actor server. PsExec is then used to encrypt files across the victims' networks; this exfiltrate-then-encrypt approach is known as "double extortion".
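The defense evasion and lateral movement steps above leave traces in Windows event logs. The detection rules below are an added example, not code from the original write-up: they run over constructed Windows Security/System event records (4688 process creation with command-line logging enabled, 1102 audit log cleared, 7045 service installed) and flag wevtutil log clearing, PsExec service installs and chrome.exe running from outside its install directory; the record field names and the trusted Chrome directories are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample records (not real telemetry) standing in for Windows
# Security events 4688 (process creation, command-line logging enabled) and
# 1102 (audit log cleared), and System event 7045 (service installed).
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil.exe cl Security"},
    {"event_id": 4688, "host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil qe Security /c:5"},
    {"event_id": 1102, "host": "WS01", "user": "CORP\\jdoe", "image": "", "cmdline": ""},
    {"event_id": 7045, "host": "SRV02", "user": "SYSTEM", "image": "", "cmdline": "",
     "service_name": "PSEXESVC"},
    {"event_id": 4688, "host": "WS03", "user": "CORP\\bob",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
    {"event_id": 4688, "host": "WS03", "user": "CORP\\bob",
     "image": r"C:\Users\bob\AppData\Local\Temp\chrome.exe", "cmdline": "chrome.exe"},
]

# "wevtutil cl <log>" (long form: clear-log) wipes an event log.
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)
# Directories a genuine Chrome install runs from (assumed allow-list).
TRUSTED_CHROME_DIRS = (r"c:\program files\google\chrome",
                       r"c:\program files (x86)\google\chrome")


def classify(event: Dict) -> List[str]:
    """Return the names of the Hades TTP rules a single event matches."""
    hits = []
    eid = event.get("event_id")
    image = event.get("image", "").lower()
    if eid == 4688 and WEVTUTIL_CLEAR.search(event.get("cmdline", "")):
        hits.append("defense_evasion:wevtutil_clear_log")
    if eid == 1102:  # Windows: "The audit log was cleared"
        hits.append("defense_evasion:security_log_cleared")
    if eid == 7045 and event.get("service_name", "").upper() == "PSEXESVC":
        hits.append("lateral_movement:psexec_service_installed")
    if image.endswith("\\chrome.exe") and not image.startswith(TRUSTED_CHROME_DIRS):
        hits.append("lateral_movement:chrome_from_untrusted_path")
    return hits


def detect(events: List[Dict]) -> List[Dict]:
    """Run every rule over a batch of events and return one finding per match."""
    return [{"host": ev["host"], "user": ev["user"], "rule": rule}
            for ev in events for rule in classify(ev)]
```

Running `detect(SAMPLE_EVENTS)` yields four findings; the benign `wevtutil qe` query and the Chrome binary in its normal install path are not flagged.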
# Hades Ransomware TTP

# Phoenix Locker, How It Came To Be
Phoenix Locker is a ransomware discovered in March of 2021. Its first target was the insurance giant CNA. Many aspects of its code structure were found to relate very closely to the Hades Ransomware. Although no hacking group has taken credit for the ransomware, many believe it is the work of the well-known group Evil Corp. The infection process is similar to that of Hades, except that when files are encrypted it appends a _.phoenix_ extension and drops the following ransom note in the file _phoenix-help.txt_:

This is so the victim is able to communicate with the ransomware operator.
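Since Phoenix Locker renames encrypted files to _.phoenix_ and drops _phoenix-help.txt_, a responder can sweep a file share for those two indicators. The scanner below is an added example, not Phoenix Locker's or CNA's code; it also applies a byte-entropy check (threshold assumed) so a renamed file is reported as encrypted only when its content looks like ciphertext, and it builds its own constructed sample tree to run against.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

RANSOM_EXT = ".phoenix"           # extension Phoenix Locker appends (from the write-up)
RANSOM_NOTE = "phoenix-help.txt"  # ransom note file name (from the write-up)
HIGH_ENTROPY = 7.5                # bits per byte; threshold is an assumption


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ciphertext approaches 8, plain text sits well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str) -> Dict[str, object]:
    """Walk root and collect the impact indicators the write-up describes."""
    renamed: List[str] = []
    notes: List[str] = []
    high_entropy: List[str] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE:
                notes.append(str(path))
            elif path.suffix.lower() == RANSOM_EXT:
                renamed.append(str(path))
                with open(path, "rb") as fh:  # first 64 KiB is enough to judge
                    if shannon_entropy(fh.read(65536)) >= HIGH_ENTROPY:
                        high_entropy.append(str(path))
    return {"renamed": renamed, "notes": notes, "high_entropy": high_entropy,
            "infected": bool(notes) or bool(renamed)}


def build_sample_tree() -> str:
    """Constructed fixture: one 'encrypted' file (random bytes standing in for
    ciphertext), one ransom note and one untouched document. Not a real sample."""
    root = tempfile.mkdtemp(prefix="phoenix-demo-")
    (Path(root) / "docs").mkdir()
    (Path(root) / "docs" / "report.docx.phoenix").write_bytes(os.urandom(4096))
    (Path(root) / "docs" / RANSOM_NOTE).write_text("constructed placeholder note\n")
    (Path(root) / "readme.txt").write_text("quarterly figures, unchanged\n" * 50)
    return root
```

`scan_tree(build_sample_tree())` reports one renamed file, one note and the same file as high-entropy, while the untouched readme.txt is left out of every list.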
# Phoenix Locker Ransomware TTP

# Analyzing The Ransomware On CNA
The entry point for the malware in the case of CNA was an employee mistakenly downloading and executing a fake browser update after visiting a legitimate website. The notice did not specify whether this legitimate website was the official site the employee had been on. The employee did not have elevated privileges, so was not able to stop the threat actors from going through with the attack. The threat actors then used additional malware to obtain the credentials they needed to move forward. They then moved laterally within the environment, conducted reconnaissance and established persistence. The reconnaissance went undetected because they used legitimate tools and credentials belonging to the company. By exploring and spreading only with what was expected in that environment, a technique called _living off the land_, they remained unnoticed. At least 15,000 systems were infected by the time the threat actors detonated the ransomware.
The threat actors were able to steal important data affecting roughly 75,000 individuals, a significant number of them current and former employees and their dependents. The information gathered ranged from SSNs to birthdates and benefit enrollment details. They exfiltrated it using MEGAsync into a cloud-based account hosted by Mega NZ Limited. CNA reached out to the FBI and the cloud storage platform to take back control of the data, which was believed to be held for blackmail and leaking. There was no evidence that any of the information was sold, traded or even viewed. All in all, this malware cost CNA roughly $40,000,000 to resolve and get back the required information.

# Mitigating The Phoenix Locker
The following can help mitigate the threat of Phoenix Locker:

- Maintain and regularly update backups of all your data
- Grant the minimum level of access needed to every user
- Isolate infected machines from the main network
- Update all credentials with strong, secure passwords
- Use updated versions of AV and other detection tools
- Use multi-factor authentication
# Code Example of Ransomware (Python)
**Note:** The current source code of Phoenix Locker is not available.

**Note:** I tried pasting in specific code examples using code blocks, but the markdown got all messed up due to Python comments and formatting.