Cyble – Moisha Ransomware In Action 

Cyble Research Labs analyzed a targeted .NET-based ransomware variant named Moisha, linked to the PT_MOISHA team. Moisha uses double-extortion to exfiltrate and encrypt data, while disabling defenses and threatening data leakage if payment isn’t made. #Moisha #PT_MOISHA #CybleResearchLabs

Keypoints

  • Moisha is a 32-bit GUI-based .NET ransomware targeting Windows and was identified in mid-2022, attributed to the PT_MOISHA team.
  • The malware creates a global mutex to ensure only a single instance runs on a host and exits if the mutex already exists.
  • It stops backup, malware-scanner, and other services to prevent interruption during encryption.
  • Moisha terminates selected processes, disables Microsoft Defender real-time protection, and deletes shadow copies to hinder recovery.
  • It enumerates system drives and files, spawns encryption threads, drops a Base64-decoded ransom note, and excludes certain file types from encryption.
  • Encryption uses RSA and AES with a hardcoded RSA public key; the malware spreads laterally via network shares and eventually deletes itself.
  • The ransom note provides contact details (TOX Messenger and ProtonMail) and claims extensive data access within the victim’s network to pressure payment.

MITRE Techniques

  • [T1204] User Execution – The actors use double-extortion to compel payment from victims. “Moisha uses double-extortion techniques to force the victims into paying the ransom.”
  • [T1059] Command and Scripting Interpreter – The malware is a 32-bit GUI-based .NET binary targeting Windows, indicating execution via a compiled binary. “It is a 32-bit GUI-based .NET binary targeting Windows-based operating systems.”
  • [T1027] Obfuscated Files or Information – The ransom note is created by decoding hardcoded Base64 content. “the ransom note by decoding the hardcoded Base64 content.”
  • [T1070] Indicator Removal on Host – It disables Defender real-time protection and deletes shadow copies. “powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true” and “vssadmin.exe delete shadows /all /quiet”.
  • [T1489] Service Stop – The ransomware stops services such as backups and malware-scanner services to avoid interference. “list of services to Stop.”
  • [T1082] System Information Discovery – It enumerates system drives using System.IO.Directory.GetLogicalDrives().
  • [T1083] File and Directory Discovery – It enumerates files/folders via RecursePath() for encryption. “RecursePath() function to enumerate the files and folders inside the identified system drive.”
  • [T1057] Process Discovery – It checks for a list of processes and kills them if running. “kills them if they are actively running on the victim’s machine.”
  • [T1046] Network Service Discovery – It spreads to other machines in the network using network-related functions. “Network Spreading functions” (EnumNetShares, GetAllShares, etc.).
  • [T1518] Security Software Discovery – It searches for security-related software environments by listing services like backup and malware-scanner services. “a list of services such as backup services, malware-scanner services, and other services.”
  • [T1486] Data Encrypted for Impact – It uses RSA and AES encryption, with a hardcoded RSA public key. “The Moisha ransomware uses the RSA and AES encryption algorithms, and it comes with a fixed hardcoded Base64 encoded RSA Public Key.”
  • [T1490] Inhibit System Recovery – It deletes shadow copies to inhibit recovery. “Delete shadows /quiet” and related steps.
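The two command lines quoted above (the Defender real-time monitoring switch-off and the shadow-copy deletion) are the most visible host-side signals in this report, so a defender would want to catch them in process-creation telemetry. The following is an added detection example written for this summary; it is not code from Cyble or from the malware. It assumes a simple constructed log format (`<timestamp> <host> <parent> -> <command line>`) and uses the technique IDs as this page assigns them; the sample log lines are constructed, not captured from a real incident.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation records (not from the original report).
# Format assumed here: "<timestamp> <host> <parent process> -> <command line>".
SAMPLE_LOGS = [
    '2022-08-25T10:01:02Z host1 explorer.exe -> "C:\\Users\\u\\file.exe"',
    '2022-08-25T10:01:05Z host1 file.exe -> powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true',
    '2022-08-25T10:01:07Z host1 file.exe -> vssadmin.exe delete shadows /all /quiet',
    '2022-08-25T10:02:00Z host2 cmd.exe -> vssadmin.exe list shadows',
    '2022-08-25T10:03:00Z host3 svchost.exe -> powershell.exe Get-MpPreference',
]

# Detection rules keyed to the command lines quoted in the report. Technique IDs
# follow the mapping used on this page. Patterns are case-insensitive because
# PowerShell and vssadmin accept any casing, and "$" is optional so that
# "-DisableRealtimeMonitoring true" (no sigil) is also caught.
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("T1070", "Defender real-time monitoring disabled",
     re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true", re.I)),
    ("T1490", "Volume shadow copies deleted",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<parent>\S+)\s+->\s+(?P<cmd>.+)$")


def parse_line(line: str) -> Dict[str, str]:
    """Split one record into its fields; an unparseable line yields {} and is skipped."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else {}


def match_rules(cmd: str) -> List[Tuple[str, str]]:
    """Return (technique, description) for every rule the command line triggers."""
    return [(tid, name) for tid, name, rx in RULES if rx.search(cmd)]


def detect(lines) -> List[Dict[str, str]]:
    """Run every rule over every record and return one hit per (record, rule)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        for tid, name in match_rules(rec["cmd"]):
            hits.append({"ts": rec["ts"], "host": rec["host"], "parent": rec["parent"],
                         "technique": tid, "name": name, "cmd": rec["cmd"]})
    return hits


def hosts_with_both(hits: List[Dict[str, str]]) -> List[str]:
    """Hosts on which both defense evasion (T1070) and recovery inhibition (T1490)
    fired: that combination, rather than either command alone, is the
    pre-encryption pattern this report describes and deserves the highest priority."""
    seen: Dict[str, set] = {}
    for h in hits:
        seen.setdefault(h["host"], set()).add(h["technique"])
    return sorted(host for host, techs in seen.items() if {"T1070", "T1490"} <= techs)


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for h in found:
        print(f'{h["ts"]} {h["host"]} [{h["technique"]}] {h["name"]}: {h["cmd"]}')
    print("hosts showing the full pre-encryption pattern:", hosts_with_both(found))
```

On the constructed sample the two rules fire only on host1 (lines 2 and 3); `vssadmin list shadows` and `Get-MpPreference` are benign administrative commands and are deliberately not matched. Correlating both techniques on one host, as `hosts_with_both` does, keeps the individual rules useful for triage while surfacing the combination that precedes encryption.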

Indicators of Compromise

  • [Hash] Hashes – Moisha Ransomware Executable – d197883d8745a61fe25aebea85622a65, 5d22d359e7b8dc70ccf5e369fb07f2e0960ef76f, and 1 more hash

Read more: https://blog.cyble.com/2022/08/25/moisha-ransomware-in-action/