{"id":547,"date":"2023-12-07T19:24:42","date_gmt":"2023-12-07T19:24:42","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=547"},"modified":"2023-12-07T19:24:42","modified_gmt":"2023-12-07T19:24:42","slug":"threat-profile-ransomhouse","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2023\/12\/07\/threat-profile-ransomhouse\/","title":{"rendered":"Threat Profile: Ransomhouse"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-550 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/LogoRansomhouse.jpg\" alt=\"\" width=\"318\" height=\"159\" \/><\/p>\n<p>&nbsp;<\/p>\n<h1>Objective<\/h1>\n<p>The objective of this document is to present available information about the <em>RansomHouse<\/em> threat actor. To that purpose, the data and the Indicators of Compromise within were gathered by SCILabs through intelligence processes in open sources, monitoring tasks, and dedicated threat hunting in the region during the first and second weeks of November 2023. 
Furthermore, detailed descriptions of the TTPs and tools used by this cybercriminal group are provided.<\/p>\n<p>&nbsp;<\/p>\n<h1>General overview<\/h1>\n<p>The <em>RansomHouse<\/em> threat actor has been active since December <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2022\/05\/threat-profile-ransomhouse-makes-extortion-work-without-ransomware\">2021<\/a>, and has become relevant for having carried out attacks on large companies such as <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/amd-investigates-ransomhouse-hack-claims-theft-of-450gb-data\/\">AMD<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/adata-denies-ransomhouse-cyberattack-says-leaked-data-from-2021-breach\/\">ADATA<\/a>, and <a href=\"https:\/\/therecord.media\/colombia-government-ministries-cyberattack\">IFX Networks<\/a>: the latter is known for having had the greatest impact in LATAM.<\/p>\n<p>&nbsp;<\/p>\n<p>According to their leak site and their Telegram channel, the members of <em>RansomHouse<\/em> are dedicated to finding security flaws in computer systems; however, instead of reporting them as ethical hackers would do, they take the opportunity to extract the information and then request a ransom payment, which according to <a href=\"https:\/\/burjcdigital.urjc.es\/bitstream\/handle\/10115\/23991\/2022-23-ETSII-A-2059-2059037-p.herrezuelo.2019-MEMORIA.pdf?sequence=-1&amp;isAllowed=y\">public<\/a> investigations can reach amounts close to 4.5 million euros.<\/p>\n<p>&nbsp;<\/p>\n<p>The victims of this threat actor have not revealed many details because, according to their <a href=\"https:\/\/explore.avertium.com\/resource\/everything-about-data-extortion-group-ransomhouse\">posts<\/a>, most intrusions are personalized attacks. 
However, according to the information analyzed by SCILabs, some of the vulnerabilities that the group exploits are in Google Chrome (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-4863\"><strong>CVE-2023-4863<\/strong><\/a>), macOS (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41064\"><strong>CVE-2023-41064<\/strong><\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41061\"><strong>CVE-2023-41061<\/strong><\/a>) and ESXi (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-20867\"><strong>CVE-2023-20867<\/strong><\/a>).<br \/>\n<em>RansomHouse<\/em> only encrypts the information if the <a href=\"https:\/\/explore.avertium.com\/resource\/everything-about-data-extortion-group-ransomhouse\">ransom<\/a> demands are not met. It was possible to identify that they use variants of the <a href=\"https:\/\/www.tarlogic.com\/es\/glosario-ciberseguridad\/babuk\/\"><em>Babuk<\/em><\/a> ransomware that mainly seek to encrypt virtual machines on Linux (ESX). 
Also, it is worth mentioning that the code of that ransomware was leaked in 2021 (also the year <em>RansomHouse<\/em> emerged) on a <a href=\"https:\/\/hipertextual.com\/2021\/09\/se-filtra-el-proyecto-completo-y-el-codigo-fuente-del-peligroso-ransomware-babuk\">Russian<\/a> forum.<\/p>\n<p>&nbsp;<\/p>\n<p>Some of the <em>Babuk ransomware<\/em> variants observed in attacks by <em>RansomHouse<\/em> are <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-white-rabbit-ransomware-linked-to-fin8-hacking-group\/\"><em>WhiteRabbit<\/em> <\/a>and <a href=\"https:\/\/www.clarin.com\/tecnologia\/ifx-networks-ciberataque-multinacional-afecta-pymes-grandes-empresas-argentinas_0_73JfZR8VLr.html\"><em>MarioLocker<\/em><\/a>, both considered Ransomware-As-a-Service (<a href=\"https:\/\/www.cloudflare.com\/es-es\/learning\/security\/ransomware\/ransomware-as-a-service\/\">RaaS<\/a>).<\/p>\n<p>&nbsp;<\/p>\n<p>With a high confidence level, according to SCILabs\u2019 hypothesis, the threat actor engages in opportunistic attacks, indicating a lack of preference for a specific sector or location. 
This approach allows them to achieve broader reach and maximize their chances of success.<\/p>\n<p>&nbsp;<\/p>\n<h1>Region of operations<\/h1>\n<p>As a result of the OSINT processes and the analysis of the artifacts, SCILabs determined, with a high level of confidence, that <em>RansomHouse<\/em>\u2019s victims are from Germany, Australia, Belgium, Canada, China, Colombia, United Arab Emirates, Spain, United States, Philippines, India, Indonesia, Italy, Maldives, United Kingdom, San Cristobal y Nieves, Singapore, South Africa, Sweden, Taiwan and Vanuatu, and that the group has an international presence.<\/p>\n<p>&nbsp;<\/p>\n<p>The following map shows in red the countries that have had the most security incidents (18) related to <em>RansomHouse<\/em>, in orange those that have been moderately affected (between 7 and 8 attacks) and finally, in yellow, the locations that have only been victims of this threat actor 1 or 2 times.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-559 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/AffectedCountries_RH.png\" alt=\"\" width=\"834\" height=\"454\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 1. 
<em>RansomHouse<\/em> confirmed attacks by region<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<p>In Latin America the most affected country by this group was Colombia (with two confirmed attacks), and internationally, the United States is the nation that has suffered the most ransomware attacks orchestrated by <em>RansomHouse<\/em>, with a total of 18, followed by Italy with 8 attacks and the United Kingdom with 7 attacks.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-572 size-full\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/mostaffected_RH_v2.png\" alt=\"\" width=\"3574\" height=\"2137\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 2. <em>RansomHouse <\/em>confirmed attacks by country<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<p>Below is a timeline with the most relevant activity (large-scale events or events with great media impact) of <em>RansomHouse<\/em> based on SCILabs telemetry, along with various posts from the attackers&#8217; leak blog, since its appearance in December 2021 to September 2023.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-557 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/timeline_RH.png\" alt=\"\" width=\"903\" height=\"313\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 3. Most relevant attacks by <em>RansomHouse<\/em><\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<p>It is essential to mention that, although the attacks shown above are the most relevant, they are not the only ones perpetrated by <em>RansomHouse<\/em>. According to SCILabs telemetry, there are currently at least 55 organizations, public and private that have been victims. 
This threat actor has had its most productive period in 2023 (31 attacks in 2023, 22 attacks in 2022, and 2 attacks in 2021) since its inception in 2021.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-573 size-full\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/Trendattacks_RH_v2.png\" alt=\"\" width=\"3452\" height=\"1863\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 4. Trend attacks of <em>RansomHouse<\/em><\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<h1>Who can it affect?<\/h1>\n<p>During constant monitoring of the region, SCILabs identified that <em>RansomHouse<\/em> attacks are directed at organizations of all types in different industries such as: health, retail, education, services, construction, transportation, and technology. Telemetry indicates that the most affected sector by this ransomware is health, followed by services and technology.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-574 size-full\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/affectedsctor_RH_v2.png\" alt=\"\" width=\"3712\" height=\"1751\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 5. <em>RansomHouse<\/em> attacks by affected sector<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<h1>How can it affect an organization?<\/h1>\n<p>If a <em>RansomHouse<\/em> attack is successful, the threat actor could steal, leak, and encrypt information of all types from victim organizations, disrupting operations that cause financial loss, compromise of sensitive data, as well as loss of reputation and trust in the organization. 
Therefore, organizations must be aware of this threat actor\u2019s TTP (Tactics, Techniques, and Procedures) to minimize the probability of being infected and know how to act if <em>RansomHouse<\/em> compromises them.<\/p>\n<p>&nbsp;<\/p>\n<h1>Analysis<\/h1>\n<p>&nbsp;<\/p>\n<h2>Threat context<\/h2>\n<p>Despite not being a new threat actor (active since 2021), as of this document&#8217;s creation date, no research has yet been made public that describes the full range of behaviors and tools that <em>RansomHouse<\/em> uses during its infection chain. However, SCILabs analyzed all the information available about this threat actor\u2019s campaigns, artifacts, and TTP, resulting in the following summary:<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Initial access<\/strong>: In some of their attacks, <em>RansomHouse<\/em> has used phishing e-mails as the main entry method. However, it is common for them to gain access to corporate environments by exploiting vulnerabilities such as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-4863\"><strong>CVE-2023-4863<\/strong><\/a>, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41064\"><strong>CVE-2023-41064<\/strong><\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41061\"><strong>CVE-2023-41061<\/strong><\/a>, which, when exploited, can allow an attacker to execute code remotely. 
They also use non-interactive sessions to bypass multi-factor authentication (MFA) and exploit <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-20867\"><strong>CVE-2023-20867<\/strong><\/a> vulnerabilities to gain access to VMware virtual machines.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Access to credentials:<\/strong> The operators of this ransomware use the following applications to steal credentials.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/sysinternals\/downloads\/procdump\"><strong>ProcDump<\/strong><\/a><strong>:<\/strong> This application, created by SysInternals, performs memory dumps from lsass.exe process (applicable only on Windows).<\/li>\n<li><a href=\"https:\/\/keepcoding.io\/blog\/como-funciona-mimikatz\/\"><strong>Mimikatz<\/strong><\/a><strong>:<\/strong> This is used to perform <a href=\"https:\/\/www.redeszone.net\/tutoriales\/seguridad\/que-es-ataque-pass-the-hash-protegerse\/\">Pass the Hash<\/a> attacks and to extract clear text credentials obtained via memory dump made by ProcDump or its dump module.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Persistence:<\/strong> To generate persistence, attackers carry out a\u00a0<a href=\"https:\/\/attack.mitre.org\/techniques\/T1003\/006\/\">DCSync<\/a> attack, a well-known credential dump technique that allows attackers to obtain sensitive information from the Active Directory database. 
This technique lets attackers simulate the replication process of a remote domain controller (DC) and request credentials from another DC. The group has also exploited the vulnerabilities <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-42475\"><strong>CVE-2022-42475<\/strong><\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-20269\"><strong>CVE-2023-20269<\/strong><\/a>, which can allow the attacker to gain access via VPN.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Discovery:<\/strong> <em>RansomHouse<\/em> exploits the <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-3519\"><strong>CVE-2023-3519<\/strong><\/a> vulnerability to deploy a WebShell in victims&#8217; non-production environments and perform discovery in Active Directory.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Lateral movement:<\/strong> Having collected domain controller credentials, they abuse remote services such as Secure Shell (SSH) and RDP to perform lateral movement.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Impact:<\/strong> Attackers steal sensitive data from victims and encrypt it later if the attackers&#8217; demands are unmet. 
They post the stolen data on their leak site and threaten to sell it to other groups.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>Artifacts analysis<\/h2>\n<p>During the third week of October 2023, through constant monitoring and threat hunting in LATAM, SCILabs identified three ransomware samples based on the <em>Babuk<\/em> ransomware encryption source code, which according to our analysis and <a href=\"https:\/\/portal.cci-entel.cl\/Threat_Intelligence\/Boletines\/1718\/\">public<\/a> investigations, are related to <em>RansomHouse<\/em>.<\/p>\n<p>&nbsp;<\/p>\n<h3><em>Babuk Cryptor (Linux variant)<\/em><\/h3>\n<ul>\n<li><strong>File type:<\/strong> SCILabs identified that the recovered file is a <em>Babuk<\/em> ransomware cryptor based on the leaked encryption source code, corresponding to an ELF executable for Linux compatible with 64-bit systems.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-821\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/PropiedadesBabuk.jpg\" alt=\"\" width=\"735\" height=\"56\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 6. <em>Babuk<\/em> ransomware encryption source code properties<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Libraries used:<\/strong> During the static analysis of the sample, SCILabs identified some functions and libraries that are part of the C and C++ standard libraries. These libraries provide capabilities related to file management, processes, and others described in Annex II of this document.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-824\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/Bibliotecas.png\" alt=\"\" width=\"705\" height=\"564\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 7. 
<em>Babuk<\/em> cryptor libraries (Observed by static analysis)<\/strong><\/span><\/p>\n<ul>\n<li><strong>Parameterized execution:<\/strong> Through the malware analysis, it was possible to identify that for the correct execution of the file it is necessary to give the directory in which the files will be encrypted as a parameter.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-819\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/UsoBabuk.jpg\" alt=\"\" width=\"496\" height=\"66\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 8. <em>Babuk<\/em> parametrized execution<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Searched files:<\/strong> Through the malware analysis, it was identified that the artifact focuses on encrypting files that have the following extensions, among which can be found database files and virtual machine files, besides many others.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"111\"><strong>Filetype<\/strong><\/td>\n<td width=\"111\"><strong>Filetype<\/strong><\/td>\n<td width=\"100\"><strong>Filetype<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.XVGV<\/td>\n<td width=\"111\">.dump<\/td>\n<td width=\"100\">.vab<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.backup<\/td>\n<td width=\"111\">.dmp<\/td>\n<td width=\"100\">.zip<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.nvram<\/td>\n<td width=\"111\">.vmx<\/td>\n<td width=\"100\">.rar<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.vmdk<\/td>\n<td width=\"111\">.vbk<\/td>\n<td width=\"100\">.sql<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.vmdx<\/td>\n<td width=\"111\">.vbm<\/td>\n<td width=\"100\">.log<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.vmxf<\/td>\n<td width=\"111\">.vrb<\/td>\n<td width=\"100\">.vib<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.vmsd<\/td>\n<td width=\"111\">.vlb<\/td>\n<td width=\"100\">.gz<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.vmss<\/td>\n<td 
width=\"111\">.vob<\/td>\n<td width=\"100\">.wt<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.vmem<\/td>\n<td width=\"111\">.vsm<\/td>\n<td width=\"100\">.vmsn<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.vswp<\/td>\n<td width=\"111\">.vsb<\/td>\n<td width=\"100\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Table 1. <em>Babuk<\/em> extensions to encrypt<\/strong><\/span><\/p>\n<ul>\n<li><strong>Encryption extension:<\/strong> In the case of <em>Babuk<\/em>, the extension used to encrypt the victim\u2019s files is \u201c.XVGV\u201d.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-818\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/ArchivosAntesBabuk.jpg\" alt=\"\" width=\"440\" height=\"61\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 9. Original files<\/strong><\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-817\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/ArchivosDespuesBabuk.jpg\" alt=\"\" width=\"441\" height=\"54\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 10. 
Files after <em>Babuk<\/em> execution<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Specifications at the end of the execution:<\/strong> It was identified that statistics related to the encrypted files are displayed at the end of the execution of the <em>Babuk<\/em> cryptor.<\/li>\n<\/ul>\n<ol>\n<li style=\"list-style-type: none\">\n<ol>\n<li>Name of the encrypted files<\/li>\n<li>Files that were already encrypted before execution<\/li>\n<li>Number of files that have been encrypted<\/li>\n<li>Number of files that have been skipped<\/li>\n<li>Total of files contained in the directory.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-795\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/EjecucionDeRansomware.jpg\" alt=\"\" width=\"681\" height=\"295\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 11. Result shown by <em>Babuk<\/em> cryptor<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Ransom notes:<\/strong> When the execution of the artifact finishes, in addition to displaying the statistics of the encrypted files, the ransom note is created. 
In this case, the file&#8217;s name is HowToRestore.txt, and it is placed in all the subdirectories of the folder specified at execution.<\/li>\n<\/ul>\n<p style=\"padding-left: 40px\">The ransom note tells the user that their security has been breached and that more than 500GB of information has been stolen (only in some infection cases); they also indicate a maximum period of 3 days to contact the attackers and suggest not trying to recover the files, as they could be permanently damaged.<\/p>\n<p style=\"padding-left: 40px\">At the end of the ransom note, the attackers also share their contact e-mail addresses and an ID to identify the victim.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-801\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/RescateBabuk.jpg\" alt=\"\" width=\"423\" height=\"383\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 12. <em>Babuk\u2019s<\/em> ransom note<\/strong><\/span><\/p>\n<h3><em>WhiteRabbit<\/em> cryptor (Linux variant)<\/h3>\n<p>SCILabs determined that <em>WhiteRabbit<\/em> is a <em>Babuk<\/em> variant after having identified multiple overlaps, summarized below:<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>Type of file<\/li>\n<li>C\/C++ libraries used<\/li>\n<li>Execution with the same parameters<\/li>\n<li>Summary of encrypted files<\/li>\n<li>Extensions they seek to encrypt<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>In addition, some differences between both cryptors were identified. 
The most relevant are the following:<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Encryption extension:<\/strong> It was possible to identify that, in the case of <em>WhiteRabbit<\/em>, the extension used for the victim&#8217;s encrypted files is \u201c.mario\u201d.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-816\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/ExtensionWhiteRabbit.jpg\" alt=\"\" width=\"541\" height=\"79\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 13. <em>WhiteRabbit<\/em> encryption extension<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Ransom note:<\/strong> When the execution of the artifact ends, in addition to displaying the statistics of the encrypted files, the ransom note is created; in this case, the file name is How To Restore your files.txt and it is located in all subdirectories of the folder specified at execution.<\/li>\n<\/ul>\n<p>The ransom note has six sections within the same file, separated by a sequence of dashes (&#8212;). 
Each of them is described below:<\/p>\n<ol>\n<li>It lists some prohibited actions, including shutting down or restarting the infected computer, editing or moving encrypted files, and even using third-party software to recover information.<\/li>\n<li>It provides a brief explanation of what just happened and the steps for the victim to follow.<\/li>\n<li>It describes the negotiation process, establishing a maximum period of 4 days to begin it.<\/li>\n<li>It indicates the URL where the evidence of the leak can be found.<\/li>\n<li>It shows the contact instructions and means of establishing communication with the attackers.<\/li>\n<li>It describes the possible consequences of ignoring or failing to comply with the attackers&#8217; requests.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-815\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/NotaRescateWhiteRabbit.jpg\" alt=\"\" width=\"544\" height=\"508\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 14. <em>WhiteRabbit<\/em> ransom note<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<h3><em>MarioLocker<\/em> cryptor (Linux variant)<\/h3>\n<p>SCILabs determined that <em>MarioLocker<\/em> is a variant of <em>Babuk<\/em> after having identified multiple matches, which are summarized below:<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>Type of file<\/li>\n<li>C\/C++ libraries used<\/li>\n<li>Execution with the same parameters<\/li>\n<li>Summary of encrypted files<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>In addition, some differences between both cryptors were identified. 
The most relevant are:<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Searched files:<\/strong> Through malware analysis, it was identified that the artifact focuses on encrypting files that have the following extensions, which are virtualization files.<\/li>\n<\/ul>\n<table>\n<tbody>\n<tr>\n<td width=\"111\"><strong>Filetype<\/strong><\/td>\n<td width=\"111\"><strong>Filetype<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.vmdk<\/td>\n<td width=\"111\">.ova<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.ovf<\/td>\n<td width=\"111\">.vmem<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.vib<\/td>\n<td width=\"111\">.vswp<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.vbk<\/td>\n<td width=\"111\">.vmsd<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.vbm<\/td>\n<td width=\"111\">.vmsn<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Table 2. <em>MarioLocker<\/em> files to encrypt<\/strong><\/span><\/p>\n<ul>\n<li><strong>Encryption extension:<\/strong> It was possible to identify that, in the case of <em>MarioLocker<\/em>, it uses the following five extensions to perform the encryption; in the analyzed case, the artifact only encrypted with the .emario extension. It is worth mentioning that the attacker uses the Linux urandom random-number source to encrypt the information.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"111\"><strong>Filetype<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.mario<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.emario<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.lmario<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.mmario<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.nmario<\/td>\n<\/tr>\n<tr>\n<td width=\"111\">.wmario<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Table 3. 
<em>MarioLocker<\/em> extension files<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-814\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/ArchivosDespuesMario.jpg\" alt=\"\" width=\"746\" height=\"92\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 15. <em>MarioLocker<\/em> files after execution<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Ransom note:<\/strong> When the execution of the artifact ends, in addition to displaying the statistics of the encrypted files, the ransom note is created; in this case, the file name is HowToRestore.txt, and it is located in all the subdirectories of the folder specified at execution.<\/li>\n<\/ul>\n<ol>\n<li style=\"list-style-type: none\">\n<ol>\n<li>It lists some prohibited actions, including shutting down or restarting the infected PC, editing or moving encrypted files, and using third-party software to recover information.<\/li>\n<li>It provides a brief explanation of what just happened and the steps for the victim to follow.<\/li>\n<li>It describes the negotiation process, establishing a maximum period of 4 days to begin it.<\/li>\n<li>It indicates the URL where evidence of the leak can be found.<\/li>\n<li>It shows the contact instructions and means of establishing communication with the attackers.<\/li>\n<li>It describes the possible consequences of ignoring or failing to comply with the attackers&#8217; requests.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p style=\"padding-left: 40px\">In the case of the sample analyzed, it was possible to observe that the attackers used the mentioned note for one of their victims.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-813\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/NotaRescateMario.jpg\" alt=\"\" width=\"600\" height=\"612\" \/><\/p>\n<p 
style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 16. <em>MarioLocker<\/em> rescue note<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<p>SCILabs also obtained one of the <em>MarioLocker<\/em> cryptors aimed at ESX systems, which has the following differences.<\/p>\n<ul>\n<li><strong>Parameterized execution:<\/strong> Through a malware analysis it was possible to identify that for the correct execution of the file, it is necessary to give an IP address with a port associated with ESX services. It is not detailed what the reason for this type of execution is, but the attacker may enter the victim&#8217;s address so that he can continue with his infection process.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-812\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/EjecucionMario.png\" alt=\"\" width=\"1005\" height=\"438\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 17. Parametrized <em>MarioLocker<\/em> execution in ESX<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>Skip directories: Through the malware analysis, as seen in the previous image, it is specified that the following operating system folders are not checked. The attacker does this to increase the speed of searching for encrypted files.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<table width=\"217\">\n<tbody>\n<tr>\n<td width=\"104\"><strong>Filetype<\/strong><\/td>\n<td width=\"113\"><strong>Filetype<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"104\">\/sys<\/td>\n<td width=\"113\">\/proc<\/td>\n<\/tr>\n<tr>\n<td width=\"104\">\/run<\/td>\n<td width=\"113\">\/var\/log<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Table 4. 
<em>MarioLocker<\/em> skipped directories<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Deletion of traces:<\/strong> In this case, the artifact erases its traces on the ESX server by deleting the \u201c.log\u201d files found in the \u201c\/var\/log\u201d path, with the purpose of reducing the possibility of locating the attacker\u2019s activities during the event.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-811\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/BorradoHuellasMario.jpg\" alt=\"\" width=\"512\" height=\"99\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 18. <em>MarioLocker<\/em> deleting traces<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Reconnaissance:<\/strong> Once the artifact is executed successfully, it performs reconnaissance of the host to identify users, the number of virtual machines, and network interfaces, which could provide relevant information for the attacker to expand their operations.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-810\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/ActividadesReconocimientoMario.png\" alt=\"\" width=\"1038\" height=\"602\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 19. 
<em>MarioLocker<\/em> reconnaissance activities<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Security evasion:<\/strong> The artifact can turn off the device&#8217;s firewall if it is enabled and restart the agent for the connection with vCenter, which is responsible for sending the established configuration.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-809\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/EvasionDefensasMario.png\" alt=\"\" width=\"1201\" height=\"162\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 20. <em>MarioLocker<\/em> defense evasion<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<p style=\"padding-left: 40px\">Also, what appears to be an attempt to change the users&#8217; passwords on the ESX host to a password known to the attacker was detected, which could help to automate malicious tasks or establish persistence.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-823\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/Fig21.png\" alt=\"\" width=\"713\" height=\"206\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 21. 
<em>MarioLocker<\/em> password change in ESX<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<h3>Leak site<\/h3>\n<p>Through OSINT processes, it was possible to recover some addresses corresponding to the <em>RansomHouse<\/em> leak site, in which the following elements were observed.<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>List:<\/strong> At the beginning of the site, a historical list of the organizations that have been victims of <em>RansomHouse<\/em> since its first attack in 2021 is shown, as well as a &#8220;news&#8221; section in which they reveal the latest companies that have been attacked.<\/li>\n<\/ul>\n<p style=\"padding-left: 40px\">Each entry in the list shows the victim\u2019s name, the affected organization&#8217;s website, the action carried out against it, the date of the attack, and the status of the stolen information.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-807\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/FiltracionesRansomHouse.jpg\" alt=\"\" width=\"469\" height=\"340\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 22. <em>RansomHouse<\/em> website<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Evidence:<\/strong> Each victim has a page dedicated to them. 
On this page, it is possible to identify several boxes with the following information:<\/li>\n<\/ul>\n<ol>\n<li style=\"list-style-type: none\">\n<ol>\n<li>Name and a brief description of the organization affected by <em>RansomHouse<\/em>.<\/li>\n<li>Details of the organization, such as its website, profits, or number of employees.<\/li>\n<li>Evidence packages, which anyone who wants to consult them can download, along with whether or not the data package is password-protected.<\/li>\n<li>Status of the stolen or encrypted files, which can be one of two:\n<ul>\n<li>Evidence &#8211; the attackers are in a negotiation period with the victim and publish a small portion of the stolen information to persuade them to make the ransom payment.<\/li>\n<li>Disclosed &#8211; the negotiation has ended and the attackers publish the stolen information, probably because the victim did not pay the ransom.<\/li>\n<\/ul>\n<\/li>\n<li>Date when the victim&#8217;s files were encrypted and the amount of information the attackers extracted from the organization.<\/li>\n<li>Option to share the publication on social networks such as X (formerly Twitter) or Facebook.<\/li>\n<li>Telegram channel of the attackers to establish communication with them.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-796\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/Evidencias.jpg\" alt=\"\" width=\"707\" height=\"393\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 23. 
<em>RansomHouse<\/em> website with affected companies and their evidence<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<h1>Attack Flow<\/h1>\n<p>The following attack flow was developed from open-source malware analysis and intelligence processes.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-561 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/Flow_RH.png\" alt=\"\" width=\"3307\" height=\"1058\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 24. <em>RansomHouse<\/em> attack flow<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<h1>MITRE ATT&amp;CK\u00ae Framework TTPs<\/h1>\n<p>The following TTP matrix, based on the MITRE framework, was obtained from open-source malware analysis and intelligence processes.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-827\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/11\/mitreransomhouse.png\" alt=\"\" width=\"861\" height=\"791\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Table 5. MITRE ATT&amp;CK\u00ae Framework TTPs<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<h1>Diamond model<\/h1>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-562 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/Diamond_RH.png\" alt=\"\" width=\"730\" height=\"460\" \/><\/p>\n<p style=\"text-align: center\"><span style=\"color: #3366ff\"><strong>Figure 25. RansomHouse Diamond model<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<h1>Conclusions<\/h1>\n<p>According to SCILabs telemetry, ransomware is one of the biggest threats affecting organizations in different industries in LATAM, especially those that operate as managed service providers (MSP). 
The most common initial vectors are the exploitation of critical vulnerabilities in devices accessible from the internet, brute-force attacks on RDP and VPN services, the purchase of access credentials on Dark Web forums or through access brokers, and the use of phishing e-mails directed at organizations.<\/p>\n<p>&nbsp;<\/p>\n<p>SCILabs considers that the danger of <em>RansomHouse<\/em> lies primarily in the fact that it is a group that distributes cross-platform ransomware, which means that it has variants for both Linux and Windows; in addition, it orchestrates supply chain attacks, such as the one directed at IFX in September 2023.<\/p>\n<p>&nbsp;<\/p>\n<p>The ideal victims of these attacks are organizations that do not have robust security mechanisms to protect their infrastructure, such as multi-factor authentication (MFA), organizations without a well-managed EDR system, servers exposed on the internet with vulnerabilities, or poor password management practices. As expected, organizations that do not have a well-defined disaster recovery plan (DRP) and business continuity plan (BCP) could suffer a more significant impact from ransomware attacks.<\/p>\n<p>&nbsp;<\/p>\n<p>SCILabs will continue to monitor this threat to keep organizations and users updated on any changes to its TTP, new IoC, or relevant information that could be vital to avoid falling victim to <em>RansomHouse<\/em>.<\/p>\n<p>&nbsp;<\/p>\n<p>Finally, SCILabs considers it essential to follow the recommendations below to detect malicious activity related to this campaign in time and avoid becoming a victim.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><em>RansomHouse<\/em> recommendations<\/strong>:<\/p>\n<ul>\n<li>Add the IoC shared in this document to your security solutions to reduce the possibility of infection by this variant.<\/li>\n<li>Add the YARA rule in this document to your security solutions to reduce the possibility of infection by this 
variant.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>Recommendations for ESX administration:\n<ul>\n<li>Keep ESX hosts in an isolated, administration-only network segment that can only be accessed by specific users.<\/li>\n<li>Users with access to ESX must receive constant training on threats such as infostealers and phishing, to reduce the ability of attackers to reach these hosts.<\/li>\n<li>Change the ESX passwords frequently and store them in password managers to avoid keeping them in plain text.<\/li>\n<li>Prevent the ESX administration interfaces from being on the same network as the virtual machines.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>Perform threat-hunting activities looking for executions of the rm -rf \/var\/log\/*.log command, which the attacker uses to delete traces.<\/li>\n<li>Perform threat-hunting activities looking for executions of files with an EXE, OUT, or ELF extension followed by a directory or IP address, as these are the execution parameters used by <em>RansomHouse<\/em>.<\/li>\n<li>Verify whether Cisco ASA and Fortinet technologies are present in your organization, update them to the latest versions, and make sure there is a password change policy every 3 months for the VPN, as well as two-factor authentication (2FA).<\/li>\n<li>If your organization uses Chrome on macOS or iOS, always keep it updated to the latest version, because vulnerabilities in those versions have been observed being exploited by <em>RansomHouse<\/em> operators.<\/li>\n<li>Follow the recommendations provided by SCILabs on their blog <a href=\"https:\/\/blog.scilabs.mx\/en\/recommendations-before-during-and-after-ransomware-attack\/\">before, during, and after a ransomware attack<\/a>.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h1>IOCs<\/h1>\n<p>The following indicators were obtained with a high confidence level through malware analysis.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Hash SHA256<\/strong><br 
\/>\n2C1475F1B49A8B93A6C6217BE078392925535E084048BF04241E57A711F0F58E<br \/>\n549A8BC04C0EA9C622BAC90B0607E3F4FD48CB5610601031E054CC6340F8EBA5<br \/>\nD36AFCFE1AE2C3E6669878E6F9310A04FB6C8AF525D17C4FFA8B510459D7DD4D<br \/>\n8189C708706EB7302D7598AEEE8CD6BDB048BF1A6DBE29C59E50F0A39FD53973<br \/>\nD2B55BA46104FB1657478FA307623F39BEEEB488583CEAA8F8C60432777A1E9E<\/p>\n<p>&nbsp;<\/p>\n<p><strong>URLS<\/strong><br \/>\nXW7AU5PNWTL6LOZBSUDKMYD32N6GNQDNGITJDPPYBUDAN3X3PJGPMPID[.]ONION<br \/>\nVA5VKFDIHI5FORRZSNMINS436Z3CBVF3SQQKL4LF6L6KN3T5KC5EFRAD[.]ONION<br \/>\nZOHLM7AHJWEGCEDOZ7LRDRTI7BVPOFYMCAYOTP744QHX6GJMXBUO2YID[.]ONION<br \/>\nHXXP[:]\/\/ZZF6L4WAVAYC2MVBZWETTBLCO2QODVE5SECTJQYWC6FUWKVCVJLUAMYD[.]ONION\/?URL=82B40DD6-E600-43BF-B4DF-0BB2CF76B426<br \/>\nHXXPS[:]\/\/T.ME\/RHOUSE_NEWS<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Email accounts<\/strong><br \/>\nSPACEIT@TECHMAIL[.]INFO<br \/>\nITLAB@CYBERFEAR[.]COM<\/p>\n<p>&nbsp;<\/p>\n<p>The following indicators were obtained through RetroHunt activities and open-source intelligence and were validated by SCILabs with a high confidence level.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Hash SHA256<\/strong><br \/>\nE142F4E8EB3FB4323FB377138F53DB66E3E6EC9E82930F4B23DD91A5F7BD45D0<br \/>\n8140004FF3CF4923C928708505754497E48D26D822A95D63BD2ED54E14F19766<br \/>\nBC4066C3B8D2BB4AF593CED9905D1C9C78FFF5B10AB8DBED7F45DA913FB2D748<\/p>\n<p>&nbsp;<\/p>\n<h1>Annex I<\/h1>\n<p>&nbsp;<\/p>\n<h2>YARA rule to detect <em>RansomHouse<\/em> cryptor<\/h2>\n<table>\n<tbody>\n<tr>\n<td width=\"645\">rule Detects_RansomHouse: RansomHouse<\/p>\n<p>{<\/p>\n<p>meta:<\/p>\n<p>description = &#8220;Detects_RansomHouse&#8221;<\/p>\n<p>author = &#8220;SCILabs&#8221;<\/p>\n<p>date = &#8220;21\/11\/2023&#8221;<\/p>\n<p>sample1 = &#8220;E56C97CB4F9DF25845CDA36E3CD7D597&#8221;<\/p>\n<p>sample2 = &#8220;C0FAA37055ED3E9783E6F86CFE499E68&#8221;<\/p>\n<p>sample3 = &#8220;0DCBB7C7AF77EFD4A2B39F2303806FCD&#8221;<\/p>\n<p>sample4 = 
&#8220;D2853C1D92C73DC047CDB1F201900A99&#8221;<\/p>\n<p>&nbsp;<\/p>\n<p>strings:<\/p>\n<p>$s1 = &#8220;emario.out&#8221; ascii<\/p>\n<p>$s2 = &#8220;e_esxi.out&#8221; ascii<\/p>\n<p>$s3 = &#8220;.mario&#8221; ascii<\/p>\n<p>$s4 = &#8220;.emario&#8221; ascii<\/p>\n<p>$s5 = &#8220;.lmario&#8221; ascii<\/p>\n<p>$s6 = &#8220;.mmario&#8221; ascii<\/p>\n<p>$s7 = &#8220;.nmario&#8221; ascii<\/p>\n<p>$s8 = &#8220;.wmario&#8221; ascii<\/p>\n<p>$s9 = &#8220;HowToRestore.txt&#8221; ascii<\/p>\n<p>$s10 = &#8220;FASF)@#$#k&#8221; ascii<\/p>\n<p>$s11 = &#8220;\/path\/to\/be\/encrypted&#8221; ascii<\/p>\n<p>$s12 = &#8220;Welcome to the RansomHouse&#8221; ascii<\/p>\n<p>&nbsp;<\/p>\n<p>condition:<\/p>\n<p>2 of them<\/p>\n<p>}<\/p>\n<p>&nbsp;<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h1>Annex II<\/h1>\n<p>&nbsp;<\/p>\n<h2>Babuk functions<\/h2>\n<table style=\"height: 2996px\" width=\"886\">\n<thead>\n<tr>\n<td width=\"21%\"><strong>Function \/ Library<\/strong><\/td>\n<td width=\"78%\"><strong>Utility<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"21%\">closedir<\/td>\n<td width=\"78%\">Closes a directory previously opened with opendir.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">difftime<\/td>\n<td width=\"78%\">Calculates the difference between two time values.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">entry<\/td>\n<td width=\"78%\">Checks whether encryption has been started; otherwise starts it.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">environ<\/td>\n<td width=\"78%\">Gets environment variables.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">exit<\/td>\n<td width=\"78%\">Terminates program execution.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">fclose<\/td>\n<td width=\"78%\">Closes a file stream.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">fflush<\/td>\n<td width=\"78%\">Flushes the buffer of a file stream.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">finalize<\/td>\n<td width=\"78%\">Can be part of a function or variable name.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">fopen<\/td>\n<td 
width=\"78%\">Open a file.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">fprintf<\/td>\n<td width=\"78%\">Prints formatted data to a file stream.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">fread<\/td>\n<td width=\"78%\">Reads a block of data from a file stream.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">free<\/td>\n<td width=\"78%\">Free previously dynamically allocated memory with malloc, calloc, or realloc.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">fseek<\/td>\n<td width=\"78%\">Sets the position of a file pointer.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">fwrite<\/td>\n<td width=\"78%\">Writes a block of data to a file stream.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">malloc<\/td>\n<td width=\"78%\">Reserve memory dynamically.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">memcpy<\/td>\n<td width=\"78%\">Copies a block of memory from source to destination.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">memset<\/td>\n<td width=\"78%\">Sets the first n bytes of a memory area to a given value.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">opendir<\/td>\n<td width=\"78%\">Opens a directory for reading.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">prctl<\/td>\n<td width=\"78%\">Controls the behavior of a process.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">printf<\/td>\n<td width=\"78%\">Prints formatted data to standard output.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">pthread_cond_broadcast<\/td>\n<td width=\"78%\">Wakes up all threads that are waiting on a condition variable.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">pthread_cond_init<\/td>\n<td width=\"78%\">Initializes a condition variable.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">pthread_cond_signal<\/td>\n<td width=\"78%\">Wakes up a thread that is waiting on a condition variable.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">pthread_cond_wait<\/td>\n<td width=\"78%\">Causes a thread to wait on a condition variable until signaled by another thread.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">pthread_create<\/td>\n<td width=\"78%\">Create a new thread of 
execution.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">pthread_detach<\/td>\n<td width=\"78%\">Indicates that a thread should be automatically released after completion.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">pthread_kill<\/td>\n<td width=\"78%\">Sends a signal to a thread.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">pthread_mutex_init<\/td>\n<td width=\"78%\">Initializes a mutex.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">pthread_mutex_lock<\/td>\n<td width=\"78%\">Locks a mutex.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">pthread_mutex_unlock<\/td>\n<td width=\"78%\">Unlocks a mutex.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">putchar<\/td>\n<td width=\"78%\">Prints a single character to standard output.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">puts<\/td>\n<td width=\"78%\">Prints a string of characters followed by a line break to standard output.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">readdir<\/td>\n<td width=\"78%\">Reads the next directory entry.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">rename<\/td>\n<td width=\"78%\">Changes the name of a file.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">sigaction<\/td>\n<td width=\"78%\">Establishes the handling of a signal.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">sigemptyset<\/td>\n<td width=\"78%\">Search for free space in memory to later start the mutex.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">sleep<\/td>\n<td width=\"78%\">Causes the program to pause for a specified number of seconds.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">snprintf<\/td>\n<td width=\"78%\">Prints a formatted character string to a buffer, limited to a given size.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">sprintf<\/td>\n<td width=\"78%\">Prints a formatted character string to a buffer.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">stat<\/td>\n<td width=\"78%\">Returns information about a file or directory.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">stderr<\/td>\n<td width=\"78%\">Used to print error messages to standard error output.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">stdout<\/td>\n<td width=\"78%\">Show standard output and 
save to a file simultaneously.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">strcat<\/td>\n<td width=\"78%\">Concatenates two character strings.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">strcmp<\/td>\n<td width=\"78%\">Compares two character strings.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">strcpy<\/td>\n<td width=\"78%\">Copies one string of characters into another.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">strlen<\/td>\n<td width=\"78%\">Returns the length of a character string.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">strstr<\/td>\n<td width=\"78%\">Finds the first occurrence of a substring in another string.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">sysconf<\/td>\n<td width=\"78%\">Returns system configuration information.<\/td>\n<\/tr>\n<tr>\n<td width=\"21%\">time<\/td>\n<td width=\"78%\">Gets the current time.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"color: #3366ff\"><strong>Table 6. Babuk and variants\u2019 libraries and functions<\/strong><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; Objective The objective of this document is to present available information about the RansomHouse threat actor. 
To that purpose,<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-547","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/547","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/comments?post=547"}],"version-history":[{"count":0,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/547\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/media?parent=547"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/categories?post=547"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/tags?post=547"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}