An Analysis of the BabLock (aka Rorschach) Ransomware

1. Overview of BabLock Ransomware

2. Analysis of BabLock Ransomware

2.1 Introduction

Sangfor FarSight Labs recently captured a sample of a new ransomware family that shares many characteristics with other ransomware families, such as Lockbit 2.0 and Babuk. We identified the sample as belonging to the Bablock ransomware family which is also known as Rorschach. According to samples submitted to VirusTotal, BabLock has been responsible for attacks in Europe, the Middle East, and Asia. In one of the attacks, the threat actors exploited the now-patched arbitrary file upload vulnerability in Zimbra Collaboration (ZCS) 8.8.15 and 9.0, identified as CVE-2022-41352, to remotely execute arbitrary code.

When the ransomware is launched on a domain controller with administrator privileges, it can spread across the local area network by creating a Group Policy Object (GPO).

The attack chain of the ransomware is as follows:

2.2 Analysis

2.2.1 MITRE ATT&CK

The compilation time of the ransomware sample was prior to March 2022. As of the publication of this article, there are still 54 mainstream antivirus software vendors whose software or security products cannot identify the BabLock ransomware, whether based on threat intelligence or dynamic and static detection rules.

2.2.2 Analysis of Techniques

Once the ransomware sample is launched, it will immediately delete three related files and then encrypt files in the system. Encrypted files are appended with the extension "k1k2k3", and a random number between 00 and 99 is also added to the end of this extension. After encryption, a ransom note is released to instruct the victim on how to contact the attacker and pay the ransom. The ransom note is named "_r_e_a_d_m_e.txt" and includes the attacker's email address but does not provide information regarding the ransom amount or payment method.

The content of the _r_e_a_d_m_e.txt ransom note is as follows:

Encrypted Files:

The ransomware's execution relies on the following three files:

Since winutils.dll is compressed using a modified version of UPX 3.96, it cannot be unpacked with a standard version of UPX and needs to be unpacked through dynamic debugging.

Information Collection

1. Collect System UUID

UUIDs are used to identify infected computers so that attackers can track and manage them.

2. Check System Language

Use GetSystemDefaultUILanguage and GetUserDefaultUILanguage to determine the country or region code of the system based on the default language of the system or user. This is used to avoid encrypting the machines that are located in the Commonwealth of Independent States (CIS).

Defense Evasion

1. Fixed Startup Parameters

The ransomware will execute encryption only when the value of the required parameter (—run) is correct.

cy.exe -run=xxxx
--pt=C:\Users\John\Desktop\FileFolder\winutils.dll 
--cg=C:\Users\John\Desktop\FileFolder\config.ini 
--we=C:\Users\John\Desktop\FileFolder\cy.exe

In addition to the required parameters, this sample also supports the following optional parameters:    

2. DLL Side-Loading

Use the legitimate software cy.exe to load winutils.dll. The cy.exe (original name: cydump.exe) is a Cortex XDR Dump Service Tool, developed by the cybersecurity company Palo Alto Networks, Inc.

3. Process Injection

Call the following API functions to inject shellcode into the memory of the legitimate process notepad.exe, to execute arbitrary code in the target process. This operation allows the ransomware to bypass de+fense mechanisms such as antivirus software and firewalls.

The ransomware sample launches the notepad.exe in a suspended state and injects shellcode with junk characters at the beginning. Once the junk characters are removed, the shellcode becomes a PE file that is packed using VMProtect. The ransomware writes 64 KB of data to the memory of notepad.exe at a time, as shown in the figure below:

The first 64 KB of data is packed using VMProtect, as shown in the figure below:

4. Process Argument Spoofing

The ransomware launches a system program process in a suspended state, initializes its process environment block (PEB), replaces the command-line parameter with a legitimate one (consisting of the same number of 1s as the length of the parameter being replaced), rewrites the parameter with the real one into the memory using the WriteProcessMemory() function, then, resumes the process, to bypass process memory analysis. For example, the ransowware runs the command "bcdedit.exe /set {default} recoveryenabled no", but the string “/set {default} recoveryenabled no” is replaced with 33 1s before execution, where the string length is also 33.

The following figure shows the real executed commands, which were decrypted through dynamic debugging.

The following describes the commands executed by the ransomware.

(1) Stop services related to databases to prevent file damage or encryption failure, which may occur when the program occupies the files to be encrypted.

• net1 stop MSDTC: Stops the Microsoft Distributed Transaction Coordinator service used to manage distributed transactions.
• net1 stop SQLSERVERAGENT: Stops the SQL Server Agent service used to execute SQL Server Agent jobs and manage multiple SQL Server instances.
• net1 stop MSSQLSERVER: Stops the SQL Server database engine service.
• net1 stop vds: Stops the virtual disk service used to manage virtual disks and volumes.
• net1 stop SQLWriter: Stops the SQL Server VSS Writer service used to support the Volume Shadow Copy Service.
• net1 stop SQLBrowser: Stops the SQL Server browser service used to help clients locate the SQL Server instance.
• net1 stop MSSQL$CONTOSO1: Stops the service of the SQL Server instance named CONTOSO1.

(2) Delete system backups and prevent system recovery.

• vssadmin.exe delete shadows /All /Quiet: Deletes all shadow copies.
• bcdedit.exe /set {default} recoveryenabled no: Disables the Windows Recovery Environment.
• bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures: Ignores all boot failures.
• wbadmin.exe DELETE SYSTEMSTATEBACKU: Deletes a system state backup.
• wbadmin.exe DELETE SYSTEMSTATEBACKUP -deleteOldest: Deletes the oldest system state backup.
• wbadmin.exe delete catalog -quiet: Deletes the backup catalog.
• wbadmin.exe delete backup: Deletes backups.
• wbadmin.exe delete systemstatebackup -keepversions:0: Deletes all system state backups.
• wmic.exe SHADOWCOPY /nointeractive: Lacks the required argument “DELETE“. The command to delete a shadow copy is "WMIC.exe shadowcopy delete /nointeractive".

(3) Clear event logs to prevent security personnel from tracing the ransomware’s operations.

• wevtutil.exe clear-log Application: Clears application logs.
• wevtutil.exe clear-log Security: Clears security logs.
• wevtutil.exe clear-log System: Clears system logs.
• wevtutil.exe clear-log "windows powershell": Clears Windows PowerShell logs.

(4) Turn off and disable the Windows firewall, making it easier for attackers to access the victim computer and execute malicious code.

• netsh advfirewall set currentprofile state off: Turns off the Windows Firewall.
• netsh.exe firewall set opmode mode=disable: Disables the Windows Firewall.

5. Use of Direct System Calls (syscall)

The ransomware does not directly call API functions but uses direct system calls (syscall) through specifying the syscall ID. This helps it avoid detection by security software that monitor API function calls.

Impact

1. Terminate Processes

Terminates processes such as databases, servers, remote management tools, hypervisors, and time synchronization program.

wxServer.exe, supervise.exe, sync-taskbar.exe, vxmon.exe, wxServerView.exe, Culture.exe, sync-worker.exe, sqlbrowser.exe, sqlmangr.exe, Defwatch.exe, wsa_service.exe, tomcat6.exe, RAgui.exe, httpd.exe, synctime.exe, Sqlservr.exe

2. Stop Services

Stops services related to the core components of the SQL Server database.

SQLPBDMS, SQLBrowser, SSISScaleOutWorker150, SQLPBENGINE, SQL Server Distributed Replay Client, MSSQLLaunchpad, MSSQLFDLauncher, SQL Server Distributed Replay Controller, SQLWriter, SQLSERVERAGENT, MsDtsServer150, SQLTELEMETRY, MSSQLServerOLAPService, SSISTELEMETRY150, MSSQLSERVER, SSASTELEMETRY,SSISScaleOutMaster150

3. Empty the Recycle Bin

Calls the SHEmptyRecycleBinA() function to delete files in the Recycle Bin to prevent users from recovering files from it.

4. Encrypt Files

(1) Extensions of skipped files

(2) Skipped directories and files

Skips the following directories during the encryption.

bootmgr
AppData
Boot
Windows
WINDOWS
Windows. old
Ahnlab
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users
BOOTNXT
ntldr
Program Files
Program Files (x86)
#recycle
...
Documents and Settings
Policies
SYSVOL
NETLOGON
scripts

Skips the following files during the encryption:

autorun.inf
boot.ini
bootfont.bin
BOOTSECT.BAK
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
ntuser.dat
ntuser.dat.LOG1
ntuser.dat.LOG2
AUTOEXEC.BAT
autoexec.bat
config.ini
1_config.ini
begin.txt
finish.txt
_r_e_a_d_m_e.txt
<injected notepad.exe's PID>_l.log
<injected notepad.exe's PID>_e.log
Config.Msi

(3) Encryption

The ransomware utilizes a combination of Curve25519 and HC-128 algorithms, along with I/O Completion Port (IOCP), to achieve multithread encryption.

For each file, a 32-byte private key is generated using the Crypto API function CryptGenRandom.

The encryption process is as follows:

1. Creates a ransom note in each directory traversed.
2. Determines whether a file needs to be skipped for encryption. If so, the ransomware moves on to the next file. If not, it proceeds with the subsequent actions.
3. Uses the Curve25519 algorithm to generate a pair of public and private keys. The public key is used for encryption while the private key is used for decryption.
4. Generates a 256-bit HC-128 key and a 32-bit Initialization Vector (IV) for each file, which will used as parameters of the encryption algorithm. These parameters are hardcoded in the ransomware's code.
5. Encrypts target files with the HC-128 key and IV generated in step 4. The encrypted HC-128 key is appended to the encrypted files for decryption.
6. Append the extension string "k1k2k3(00-99)" to each encrypted file.

2.3 Indicators of Compromise (IOCs)

2.4 Sangfor Solution

The following Sangfor products and services provide protection against the BabLock ransomware:
Sangfor Endpoint Secure

About Sangfor FarSight Labs

Sangfor FarSight Labs researches the latest cyber threats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.