Midnight is a new ransomware strain derived from Babuk. It encrypts file contents with ChaCha20 and protects each ChaCha20 key with RSA, encrypts files intermittently to speed up processing, and marks victims' files either by renaming them with a .Midnight or .endpoint extension or by appending that extension string to the end of the file content. Weaknesses in Midnight's cryptographic implementation enabled researchers to produce a working decryptor and publish recovery guidance. #Midnight #Babuk
Keypoints
- Midnight is a Babuk-inspired ransomware family discovered by Gen researchers that inherits Babuk’s core structure but introduces altered cryptographic schemes.
- It uses ChaCha20 to encrypt file contents and RSA to encrypt the ChaCha20 key, appending the RSA-encrypted key and its SHA256 hash to encrypted files.
- The ransomware commonly appends .Midnight or .endpoint to encrypted files or appends the extension string to the end of file content; a ransom note named How To Restore Your Files.txt is dropped.
- Midnight employs intermittent encryption with file-size-based logic to speed processing while still rendering files unusable; earlier samples targeted high-value data types (databases, backups, archives), while later variants encrypt nearly all file types except executables.
- Samples create a mutex named Mutexisfunnylocal and may drop log files such as Report.Midnight or debug.endpoint depending on configuration.
- Cryptographic implementation flaws introduced by Midnight’s authors allow file recovery in certain conditions, and a publicly available decryptor with wizard-driven UI has been released (including a 32-bit version).
- Command-line options include /e (append the extension string to file content instead of renaming), /n (encrypt network-mounted volumes), and --paths=PATHS (restrict encryption to specific directories).
MITRE Techniques
- [T1486] Data Encrypted for Impact – Midnight encrypts file contents using ChaCha20 and appends an RSA-encrypted ChaCha20 key and its SHA256 hash to each file (“…The RSA-encrypted key, along with its SHA256 hash, is appended to the end of each encrypted file.”).
- [T1112] Modify Registry – weak mapping: the cited behavior is command-line configuration (/e, /n, --paths=PATHS), which selects what and how Midnight encrypts but does not touch the registry; no registry modification is documented for Midnight (“…The ransomware accepts several command-line arguments to control its behavior: /e … /n … --paths=PATHS …”).
- [T1490] Inhibit System Recovery – Midnight targets backups and database file types such as .mdf, .bak, .vbk, and .ibdata to disrupt recovery (“…Earlier samples of Midnight primarily targeted high-value files such as databases, backups, and archives.”).
- [T1053] Scheduled Task/Job – weak mapping: the cited behavior is creation of a mutex and optional debug logging, which prevents multiple instances from running and aids runtime control but is not a scheduled task; no persistence mechanism is documented for Midnight (“…creation of a mutex named Mutexisfunnylocal, which is used to prevent multiple instances of the ransomware from running simultaneously. Some samples also drop a debug log …”).
Indicators of Compromise
- [File extension] encrypted files or appended content – .Midnight, .endpoint (extensions appended to filenames or file content).
- [File name] ransom note – How To Restore Your Files.txt (dropped in affected directories).
- [Mutex] runtime indicator – Mutexisfunnylocal (prevents multiple instances).
- [Log files] dropped logs – Report.Midnight, debug.endpoint (depending on sample configuration).
- [File hashes] known ransomware samples – dd9de77c6e17093b0b2150b3f0c66e8526369ba68fb7b9a5758ff9274d85342e, 3d9a71cfec82fef531227465f40d9106e671ef162fa3ab21119e2ee08612e0aa (and 4 more hashes).
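As an added triage example (not the ransomware's code, Gen's decryptor, or anything from the original post), the script below walks a directory tree and flags the file-level indicators listed above: the ransom note name, the .Midnight/.endpoint extension either on a filename or appended to the end of the file content (the /e behavior), the Report.Midnight/debug.endpoint log names, and SHA-256 matches against the two sample hashes shown. It deliberately does not parse the RSA-encrypted ChaCha20 key and SHA256 hash appended to each file, because the page does not give their byte layout. The sample files it creates are constructed for the demo and are not real Midnight artifacts.

```python
"""Filesystem triage for the Midnight ransomware indicators listed on this page.

Added example; it is not Midnight's code or the published decryptor. Only the
indicators stated on the page are checked. The trailer layout (RSA-encrypted
ChaCha20 key + SHA256 hash) is not documented here, so it is not parsed.
"""
import hashlib
import tempfile
from pathlib import Path

RANSOM_NOTE = "How To Restore Your Files.txt"
EXTENSIONS = (".Midnight", ".endpoint")
LOG_FILES = ("Report.Midnight", "debug.endpoint")
# Two of the six sample hashes the page lists; the other four are not shown.
SAMPLE_HASHES = {
    "dd9de77c6e17093b0b2150b3f0c66e8526369ba68fb7b9a5758ff9274d85342e",
    "3d9a71cfec82fef531227465f40d9106e671ef162fa3ab21119e2ee08612e0aa",
}
TAIL_BYTES = 16  # longest extension string is 9 bytes; read a little more


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def content_tail(path: Path, n: int = TAIL_BYTES) -> bytes:
    """Return the last n bytes of a file (whole file if it is shorter)."""
    with path.open("rb") as fh:
        fh.seek(0, 2)
        size = fh.tell()
        fh.seek(max(0, size - n))
        return fh.read()


def classify_file(path: Path) -> list[str]:
    """Return the list of page-documented indicators that match this file."""
    findings = []
    if path.name == RANSOM_NOTE:
        findings.append("ransom_note")
    if path.name in LOG_FILES:
        findings.append("debug_log")
    # Default behavior: extension appended to the filename.
    if path.name.endswith(EXTENSIONS):
        findings.append("ext_in_name")
    # /e behavior: extension string appended to the file content instead.
    tail = content_tail(path)
    if any(tail.endswith(ext.encode()) for ext in EXTENSIONS):
        findings.append("ext_in_content")
    if sha256_file(path) in SAMPLE_HASHES:
        findings.append("known_sample")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each flagged file (path relative to root) to its indicators."""
    hits = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            found = classify_file(p)
            if found:
                hits[p.relative_to(root).as_posix()] = found
    return hits


def build_demo_tree(root: Path) -> None:
    """Write constructed sample files (hypothetical data, not real artifacts)."""
    docs = root / "docs"
    docs.mkdir(parents=True)
    # Renamed victim file: opaque bytes stand in for ChaCha20 ciphertext.
    (docs / "budget.xlsx.Midnight").write_bytes(b"\x8a\x11\x02\xf3" * 8)
    # /e-style victim file: name untouched, extension appended to content.
    (docs / "notes.txt").write_bytes(b"\x00\x91\x7c\x3e" * 8 + b".endpoint")
    (docs / RANSOM_NOTE).write_text("Your files have been encrypted.\n")
    (root / "Report.Midnight").write_text("constructed log line\n")
    (docs / "clean.txt").write_text("nothing to see here\n")


def run_demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, found in run_demo().items():
        print(f"{rel}: {', '.join(found)}")
```

On a real host, point scan_tree at the suspect volume and treat "ext_in_content" hits as the ones that a simple extension-based search would miss; add the four undisclosed hashes to SAMPLE_HASHES once you have them from the source report.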
Read more: https://www.gendigital.com/blog/insights/research/midnight-ransomware