Another Script-Based Ransomware – SANS Internet Storm Center

A VBScript-based sample demonstrates how script-based ransomware can be built and evade many antivirus products by using a multi-stage PowerShell payload delivered via environment variables. It encrypts a wide range of file types, drops a ransom note, and attempts to contact a C2 server through an ngrok tunnel, while also aiming to prevent quick recovery of the system. #PowerShell #VBScript #OracleKit #ngrok #READ_ME_NOW.htm

Keypoints

  • The VBS creates a bunch of environment variables that contain encrypted PowerShell code, enabling staged loading of the payload.
  • The obfuscation is intentionally simple: environment variables hold base64-encoded PowerShell, decoded and executed via Invoke-Expression.
  • The executed script launches PowerShell with a long encoded payload and uses IEX to run the decoded code.
  • A ransom note named READ_ME_NOW.htm is dropped across directories, indicating encryption intent.
  • The ransomware targets a large list of file extensions, encrypting many types of user files with a random extension.
  • The C2 server for the encryption key is hosted via an ngrok tunnel, e.g., http://8619f595a0bd.ngrok.io/.
  • The malware performs cleanup actions to hinder recovery (deleting backups/shadow copies) and includes a kill-switch condition.

MITRE Techniques

  • [T1059.001] PowerShell – The code launches PowerShell with a decoded payload and uses Invoke-Expression to execute it. Quote: ‘"powershell.exe" -noexit -WindowStyle Hidden -c "IeX ([System.Text.Encoding]::ASCII.GetString([system.Convert]::FromBase64String($env:XXX0+$env:XXX1+…)))"’
  • [T1027] Obfuscated/Compressed Files and Information – The obfuscation is done via environment variables containing encoded PowerShell code and a decoded payload. Quote: ‘The obfuscation technique used is simple but pretty effective: The VBS creates a bunch of environment variables that contains encrypted PowerShell code’
  • [T1071.001] Web Protocols – The C2 channel used to fetch the encryption key is an ngrok URL over HTTP. Quote: ‘The C2 server (that will get the encryption key) is hxxp://8619f595a0bd[.]ngrok[.]io/.’
  • [T1490] Inhibit System Recovery – The sample deletes backups and shadow copies to complicate restoration. Quote: ‘execCmd('wbadmin delete catalog -quiet'); execCmd('wbadmin delete systemstatebackup'); execCmd('wbadmin delete backup'); execCmd('vssadmin delete shadows /all /quiet');’
  • [T1486] Data Encrypted for Impact – The ransomware encrypts a broad set of file types with a random extension. Quote: ‘A random extension is generated for encrypted files:’ and ‘Targeted file extensions are:’
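As an added illustration (not code from the diary or from the sample it analyses), the following Python triage helper flags the environment-variable staging pattern described in the Keypoints and T1059.001 entries in a process command line, reassembles the staged script the same way the loader does (concatenate the chunks in command-line order, then base64-decode as ASCII), and checks the result for the recovery-inhibition commands quoted under T1490. The command line, the environment snapshot and the variable names XXX0..XXX2 are constructed for the example.

```python
import base64
import re

# Staging pattern from the diary: IEX over FromBase64String of concatenated
# $env: variables. Case-insensitive because PowerShell is.
IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
B64_RE = re.compile(r"FromBase64String\s*\(([^)]*)\)", re.IGNORECASE)
ENV_RE = re.compile(r"\$env:([A-Za-z0-9_]+)", re.IGNORECASE)
# Recovery-inhibition commands quoted in the diary (T1490).
T1490_RE = re.compile(r"\b(wbadmin\s+delete\s+\w+|vssadmin\s+delete\s+shadows)", re.IGNORECASE)


def env_chain(cmdline):
    """Return the ordered env var names fed to FromBase64String, or [] when the
    command line does not show the IEX + env-var staging pattern."""
    if not IEX_RE.search(cmdline):
        return []
    m = B64_RE.search(cmdline)
    return ENV_RE.findall(m.group(1)) if m else []


def reassemble(names, env):
    """Rebuild the staged script exactly as the loader would: join the chunks
    in command-line order, then base64-decode and read as ASCII."""
    joined = "".join(env[n] for n in names)
    return base64.b64decode(joined).decode("ascii")


def triage(cmdline, env):
    """One-shot triage of a process: is it env-var staged, how many chunks,
    what script does it decode to, and does that script hit T1490 commands."""
    names = env_chain(cmdline)
    if not names:
        return {"staged": False}
    script = reassemble(names, env)
    return {"staged": True, "chunks": len(names), "script": script,
            "t1490": T1490_RE.findall(script)}


# Constructed sample data (not from the diary's sample): the decoded stage
# and its base64 split across three env vars the way the VBS stages it.
SAMPLE_STAGE = ("execCmd('vssadmin delete shadows /all /quiet'); "
                "execCmd('wbadmin delete catalog -quiet');")
SAMPLE_B64 = base64.b64encode(SAMPLE_STAGE.encode("ascii")).decode("ascii")
SAMPLE_ENV = {"XXX0": SAMPLE_B64[:20], "XXX1": SAMPLE_B64[20:40], "XXX2": SAMPLE_B64[40:]}
SAMPLE_CMDLINE = ('powershell.exe -noexit -WindowStyle Hidden -c "IeX ([System.Text.Encoding]::'
                  'ASCII.GetString([system.Convert]::FromBase64String($env:XXX0+$env:XXX1+$env:XXX2)))"')

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE, SAMPLE_ENV))
```

On a real host the environment snapshot would come from the process-creation telemetry or a memory capture of the suspicious powershell.exe, since the chunks only exist in that process's environment.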

Indicators of Compromise

  • [File hash] VBScript sample SHA256 – 8c8ed4631248343f8732a83193828471e005900fbaf144589d57f6900b9c8996
  • [File name] Ransom note – READ_ME_NOW.htm – dropped in all directories
  • [Domain] Command and Control – 8619f595a0bd.ngrok.io
  • [File name] Encrypted payload file – payload.vir (as referenced in decoding steps)

Read more: https://isc.sans.edu/diary/Another%20Script-Based%20Ransomware/29234