Huntress: ReadText34 Ransomware Incident Analysis

The Huntress analysis details a ransomware incident in which an endpoint was compromised over RDP, malicious executables were run, and security tooling was taken down before files were encrypted and a ransom note appeared. The actor loaded a vulnerable signed driver (truesight.sys) in a BYOVD attack, stood up a reverse shell, and ultimately encrypted files with the built-in Windows utility cipher.exe before dropping the ransom note How_to_back_files.html. Hashtags: #TrueSightKiller #truesight.sys #trend.exe #winppx.exe #readtext34.exe #BYOVD #LukaLocker #BianLianGoTrojan #How_to_back_files.html

Keypoints

  • The endpoint raised alerts for RDP being enabled and for ransomware-related persistence.
  • The threat actor accessed the C$ administrative share using Administrator credentials.
  • An initial RDP logon attempt failed because the account name was misspelled; a subsequent attempt with the correct Administrator account succeeded. A failed logon followed minutes later by a successful one from the same client workstation is a useful hunting pattern in its own right.
  • The malicious executables trend.exe and winppx.exe were run; their execution led to the installation of truesight.sys.
  • truesight.sys is the legitimately signed Adlice RogueKiller anti-rootkit driver, widely abused as a BYOVD "EDR killer" (TrueSightKiller) because it exposes a kernel process-termination primitive to user mode; security tooling on the host crashed immediately after it was loaded.
  • Multiple persistence mechanisms were established, including Run key modifications and startup behaviour.
  • Files were encrypted with cipher.exe, a signed Windows binary, so the encryption step itself leaves no malicious-hash footprint; a ransom note then demanded payment and claimed the victim's data had been stolen.
  • Recommendations emphasize incident response planning, asset inventory, and comprehensive endpoint monitoring.

MITRE Techniques

  • [T1021.001] Remote Services: Remote Desktop Protocol – ‘Use of RDP for unauthorized access.’
  • [T1203] Exploitation for Client Execution – ‘Execution of malicious executables like trend.exe and winppx.exe.’ (T1203 denotes exploitation of a client application; an operator launching dropped binaries over an RDP session maps more naturally to T1204.002 User Execution: Malicious File.)
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – ‘persistence via the compromised Administrator account’s Run key.’
  • [T1068] Exploitation for Privilege Escalation – ‘Exploitation of vulnerable drivers for privilege escalation.’
  • [T1211] Exploitation for Defense Evasion – ‘Disabling driver signature checks to evade detection.’
  • [T1078] Valid Accounts – ‘Use of compromised Administrator credentials.’
  • [T1486] Data Encrypted for Impact – ‘File encryption and ransom note generation.’

Indicators of Compromise

  • [Hostname] HOME-PC – source workstation name recorded in the threat actor's RDP logon events (the attacker's client machine, not a host in the victim environment)
  • [File Hash] trend.exe – 90daac69da7201e4e081b59b61ca2a2116772318621c430f75c91a65e56ea085
  • [File Hash] winppx.exe – ac66828fbdf661d67562da5afb7cc8f55d9a8739ab1524e775d5dcebfc4de069
  • [File Hash] readtext34.exe – 8368925651fefcd85e0e73790082b9a69237fa66225f932c2a44014cc356acdc
  • [File Extension] .readtext34 – extension appended to encrypted files
  • [File Name] How_to_back_files.html – ransom note file name
  • [IP Address] 94.198.50.195:25000 – reverse-shell C2 address (IP:port)
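The behaviours listed under Keypoints and the indicators above can be turned into a single triage script that walks endpoint telemetry in time order and scores how many stages of this chain are present. The following is an added example written for this summary, not Huntress's code or tooling. It assumes a flattened list of event records whose field names loosely follow Security 4624/4625 and Sysmon 1/3/6/11/13 events; the timestamps, file paths, SID, cipher.exe command line and the misspelled account name "Adminstrator" are constructed sample data, not values from the incident. Only the hashes, hostname, C2 address, note name, extension and driver name come from the page.

```python
"""Correlate constructed endpoint telemetry against the ReadText34 chain.

Added example, not Huntress code. Field names loosely follow Security
4624/4625 and Sysmon 1/3/6/11/13 events; timestamps, paths, the SID, the
cipher.exe command line and the 'Adminstrator' typo are constructed."""
from datetime import datetime, timedelta

# Indicators taken from the page.
IOC_HASHES = {
    "90daac69da7201e4e081b59b61ca2a2116772318621c430f75c91a65e56ea085": "trend.exe",
    "ac66828fbdf661d67562da5afb7cc8f55d9a8739ab1524e775d5dcebfc4de069": "winppx.exe",
    "8368925651fefcd85e0e73790082b9a69237fa66225f932c2a44014cc356acdc": "readtext34.exe",
}
IOC_WORKSTATION = "HOME-PC"
IOC_C2 = ("94.198.50.195", 25000)
RANSOM_NOTE = "how_to_back_files.html"
ENCRYPTED_EXT = ".readtext34"
VULN_DRIVER = "truesight.sys"

H = list(IOC_HASHES)  # shorthand for the three page hashes


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry (hypothetical). "id" is the event ID; Security
# and Sysmon records are flattened into one list purely for the example.
SAMPLE_EVENTS = [
    {"t": _ts("2025-01-10T02:01:00"), "id": 4625, "logon_type": 10, "user": "Adminstrator", "workstation": "HOME-PC"},
    {"t": _ts("2025-01-10T02:02:30"), "id": 4624, "logon_type": 10, "user": "Administrator", "workstation": "HOME-PC"},
    {"t": _ts("2025-01-10T02:10:00"), "id": 1, "image": r"C:\Users\Administrator\Desktop\trend.exe", "sha256": H[0], "cmdline": "trend.exe"},
    {"t": _ts("2025-01-10T02:11:00"), "id": 1, "image": r"C:\Users\Administrator\Desktop\winppx.exe", "sha256": H[1], "cmdline": "winppx.exe"},
    {"t": _ts("2025-01-10T02:11:05"), "id": 6, "image": r"C:\Windows\System32\drivers\truesight.sys"},
    {"t": _ts("2025-01-10T02:11:30"), "id": 13, "target": r"HKU\S-1-5-21-1111-2222-3333-500\Software\Microsoft\Windows\CurrentVersion\Run\winppx", "details": r"C:\Users\Administrator\Desktop\winppx.exe"},
    {"t": _ts("2025-01-10T02:12:00"), "id": 3, "image": r"C:\Users\Administrator\Desktop\winppx.exe", "dest": ("94.198.50.195", 25000)},
    {"t": _ts("2025-01-10T02:20:00"), "id": 1, "image": r"C:\Windows\System32\cipher.exe", "sha256": "n/a", "cmdline": r"cipher.exe /e /s:C:\Users\Administrator\Documents"},
    {"t": _ts("2025-01-10T02:25:00"), "id": 11, "target": r"C:\Users\Administrator\Documents\report.docx.readtext34"},
    {"t": _ts("2025-01-10T02:25:01"), "id": 11, "target": r"C:\Users\Administrator\Documents\How_to_back_files.html"},
]


def rdp_failed_then_success(events, window=timedelta(minutes=15)):
    """4625 followed by 4624, both LogonType 10 (RemoteInteractive), from the
    same source workstation within `window`: the misspelled-then-correct pattern."""
    fails = [e for e in events if e["id"] == 4625 and e.get("logon_type") == 10]
    hits = []
    for s in events:
        if s["id"] != 4624 or s.get("logon_type") != 10:
            continue
        for f in fails:
            gap = s["t"] - f["t"]
            if f["workstation"] == s["workstation"] and timedelta(0) <= gap <= window:
                hits.append((s["workstation"], f["user"], s["user"], s["workstation"] == IOC_WORKSTATION))
    return hits


def ioc_process_hits(events):
    """Process creations whose SHA-256 matches a page hash."""
    return [(IOC_HASHES[e["sha256"]], e["image"]) for e in events
            if e["id"] == 1 and e.get("sha256") in IOC_HASHES]


def driver_loads(events):
    """Sysmon 6 driver loads of the abused truesight.sys."""
    return [e["image"] for e in events if e["id"] == 6 and e["image"].lower().endswith(VULN_DRIVER)]


def run_key_persistence(events):
    """Sysmon 13 registry writes under any ...\\CurrentVersion\\Run key."""
    return [(e["target"], e["details"]) for e in events
            if e["id"] == 13 and "\\currentversion\\run\\" in e["target"].lower()]


def c2_connections(events):
    """Sysmon 3 network connections to the reverse-shell C2."""
    return [tuple(e["dest"]) for e in events if e["id"] == 3 and tuple(e["dest"]) == IOC_C2]


def impact_indicators(events):
    """Ransom note drops, encrypted-extension file creations and cipher.exe use."""
    created = [e["target"] for e in events if e["id"] == 11]
    return {
        "ransom_notes": [p for p in created if p.lower().endswith(RANSOM_NOTE)],
        "encrypted_files": [p for p in created if p.lower().endswith(ENCRYPTED_EXT)],
        "cipher_exe": [e["cmdline"] for e in events
                       if e["id"] == 1 and e["image"].lower().endswith("\\cipher.exe")],
    }


def triage(events):
    """Run every rule and count how many stages of the chain are present; a
    lone hit (e.g. only cipher.exe) is noise, several in sequence are not."""
    events = sorted(events, key=lambda e: e["t"])
    findings = {
        "rdp_typo_then_success": rdp_failed_then_success(events),
        "ioc_binaries": ioc_process_hits(events),
        "byovd_driver": driver_loads(events),
        "run_key": run_key_persistence(events),
        "c2": c2_connections(events),
        "impact": impact_indicators(events),
    }
    stages = sum(1 for k in ("rdp_typo_then_success", "ioc_binaries", "byovd_driver", "run_key", "c2") if findings[k])
    stages += 1 if any(findings["impact"].values()) else 0
    findings["stages_observed"] = stages
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2, default=str))
```

The RDP rule keys on the source workstation name rather than the account, because the failed attempt used a different (misspelled) account than the successful one; matching on the account alone would miss exactly the pattern described above. The cipher.exe rule is deliberately weak on its own (the binary is legitimate and common), which is why the final score counts stages rather than treating any single rule as conclusive.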

Read more: https://www.huntress.com/blog/readtext34-ransomware-incident