A technical analysis of the BackMyData ransomware used to attack hospitals in Romania

MITRE Techniques

• [T1547.001] Registry Run Keys/Startup Folder – Persistence by adding Run key and Startup folder copy. “Persistence is achieved by creating an entry under the Run registry key and copying the malware to the Startup folder.”
• [T1021.002] SMB/Windows Admin Shares – Lateral movement by connecting to network hosts on port 445 to encrypt shares. “It tries to connect to every host on the network on port 445 in order to encrypt every available network share.”
• [T1112] Modify Registry – Open Run key to set persistence. RegOpenKeyExW is used to open the Run registry key (0x80000002 = HKEY_LOCAL_MACHINE, 0x20106 = KEY_WRITE | KEY_WOW64_64KEY)
• [T1490] Inhibit System Recovery – Delete shadow copies to hinder restore. “vssadmin delete shadows /all /quiet – delete all Volume Shadow Copies”
• [T1562.004] Impair Defenses – Disable firewall to avoid detection. “netsh advfirewall set currentprofile state off – disable the firewall for the current network profile”
• [T1486] Data Encrypted for Impact – Encrypt files using AES256 and RSA-encrypted keys. “The files are encrypted using the AES algorithm, with the AES key being encrypted using the public RSA key decrypted from the configuration.”
• [T1059.003] Command and Scripting Interpreter – Use of cmd.exe to run commands. “The ransomware creates a ‘cmd.exe’ process that will execute multiple commands”
• [T1082] System Information Discovery – Retrieve OS version information. “The malware extracts the major and minor version numbers of the operating system using the GetVersion method”
• [T1134.001] Access Token Manipulation – Privilege escalation via tokens. “OpenProcessToken is used to open the access token associated with the above process” and “The malicious process verifies if the token is elevated”
• [T1057] Process Discovery – Enumerate processes. “The processes are enumerated using the Process32FirstW and Process32NextW APIs”