Surtr Ransomware Being Distributed in Korea – ASEC BLOG

Surtr ransomware is being distributed in Korea. It encrypts files and appends a Surtr-specific extension to their names, replaces the desktop wallpaper, drops the ransom notes SURTR_README.hta and SURTR_README.txt, and runs anti-analysis checks before it starts encrypting.

Keypoints

  • Surtr ransomware is active in Korea and observed during internal monitoring by ASEC.
  • It encrypts files and appends a specific Surtr extension format to the original filenames.
  • It changes the desktop wallpaper and creates ransom notes (SURTR_README.hta and SURTR_README.txt) in infected folders.
  • Before encryption, it checks the executing country via ip-api.com and may halt if in certain countries.
  • It creates the directories C:\ProgramData\Service and %TEMP%\Service and terminates a list of services and processes.
  • It deletes the Recycle Bin, disables the Windows recovery environment, and resizes and then deletes volume shadow copies so that files cannot be restored.
  • After encryption it deletes Windows event logs. AhnLab V3 detects and blocks the sample; file hashes are listed under Indicators of Compromise below.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Encrypts files and appends an extension of the form ‘[<contact email>].[<random string>].Surtr’ to each original filename. ‘This ransomware encrypts files, then adds a ‘[[email protected]].[<random string>].Surtr’ file extension to the original file extension name.’
  • [T1497] Virtualization/Sandbox Evasion – Checks whether it is being debugged or run in a sandbox before continuing. ‘After performing the check routine for the debugging status and sandbox of the target process.’
  • [T1490] Inhibit System Recovery – Resizes and deletes volume shadow copies on every drive and disables the recovery environment. ‘to re-adjust the size of the volume shadow copies and delete them for all defined drives, as well as disable the recovery environment.’
  • [T1070.001] Clear Windows Event Logs – Deletes event logs after encryption. ‘deleting event logs.’
  • [T1489] Service Stop – Terminates services during infection. ‘terminating services.’
  • [T1059] Command and Scripting Interpreter – Runs a sequence of Windows commands (vssadmin, bcdedit, wbadmin, reg add, etc.) to change system state, e.g. ‘vssadmin resize shadowstorage’ and ‘bcdedit /set {default} recoveryenabled No’. ‘the following commands to re-adjust the size of the volume shadow copies and delete them for all defined drives’
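As an added example (this is not code from the ASEC post or from AhnLab), the detection logic a SOC would run over process-creation telemetry for the T1490 and T1070.001 behaviour listed above: a parent process that fires several distinct recovery-inhibition commands within a short window is flagged, and any event-log clearing by the same parent afterwards is attached to the alert. The events are constructed Sysmon-style records; the parent image name, the timestamps, the exact command arguments beyond the two the post quotes, and the use of wevtutil for log clearing are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events in a Sysmon Event ID 1-like shape.
# Not real telemetry from the sample: timestamps, the parent image name
# "svchost_update.exe" and the exact arguments are assumptions. The command
# families (vssadmin, bcdedit, wbadmin) are the ones the post attributes to
# Surtr; wevtutil for log clearing is an assumption; the staging directory
# C:\ProgramData\Service is from the post.
PARENT = r"C:\ProgramData\Service\svchost_update.exe"   # hypothetical name
SAMPLE_EVENTS = [
    {"ts": "2023-02-01T09:00:00", "parent": PARENT,
     "cmd": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"ts": "2023-02-01T09:00:01", "parent": PARENT,
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2023-02-01T09:00:02", "parent": PARENT,
     "cmd": "bcdedit.exe /set {default} recoveryenabled No"},
    {"ts": "2023-02-01T09:00:02", "parent": PARENT,
     "cmd": "wbadmin.exe delete catalog -quiet"},
    {"ts": "2023-02-01T09:03:10", "parent": PARENT,
     "cmd": "wevtutil.exe cl Security"},
    # Benign: one resize typed by an admin, nothing else from that shell.
    {"ts": "2023-02-01T14:30:00", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "vssadmin resize shadowstorage /for=D: /on=D: /maxsize=20%"},
]

# (technique, rule name, pattern). Case-insensitive and tolerant of the
# optional ".exe", so "VSSADMIN.EXE" and "vssadmin" both fire.
RULES = [
    ("T1490", "vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("T1490", "vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "bcdedit recoveryenabled No",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("T1490", "wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("T1070.001", "wevtutil clear-log",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+", re.I)),
]


def match_rules(cmd):
    """Return [(technique, rule name), ...] for every rule the command line hits."""
    return [(tech, name) for tech, name, rx in RULES if rx.search(cmd)]


def detect(events, window=timedelta(seconds=60), min_rules=2):
    """Flag a parent process that triggers at least `min_rules` distinct T1490
    rules inside `window`. A lone resize is routine admin work; a burst of
    resize + delete + bcdedit + wbadmin from one parent is the ransomware
    pattern. Event-log clears by the same parent after the burst are attached."""
    by_parent = defaultdict(list)
    for ev in events:
        hits = match_rules(ev["cmd"])
        if hits:
            by_parent[ev["parent"]].append(
                (datetime.fromisoformat(ev["ts"]), hits, ev["cmd"]))
    alerts = []
    for parent, rows in by_parent.items():
        rows.sort(key=lambda r: r[0])
        for i, (t0, _, _) in enumerate(rows):
            names = set()
            for t, hits, _ in rows[i:]:
                if t - t0 > window:
                    break
                names.update(n for tech, n in hits if tech == "T1490")
            if len(names) >= min_rules:
                clears = [c for t, hits, c in rows
                          if t >= t0 and any(tech == "T1070.001" for tech, _ in hits)]
                alerts.append({"parent": parent, "start": t0.isoformat(),
                               "t1490_rules": sorted(names),
                               "event_log_clears": clears})
                break   # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['start']} {a['parent']}: {', '.join(a['t1490_rules'])}; "
              f"event logs cleared: {len(a['event_log_clears'])}")
```

The threshold of two distinct T1490 rules from one parent is what keeps a single legitimate `vssadmin resize shadowstorage` from paging anyone; the benign cmd.exe event in the sample produces no alert, while the staged parent trips all four rules within three seconds.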

Indicators of Compromise

  • [Hash] ad539ebdf9e34e02be487134cf9a6713, e31b96b8a74075935360b5e5a18926e9, and 1 more hash – IOCs associated with Surtr sample detection.
  • [Domain] ip-api.com – Used to determine the country of execution via an IP lookup service.
  • [Domain] mailfence.com – Mail provider of the contact address embedded in the encrypted-file extension.
  • [File/Directory] SURTR_README.hta, SURTR_README.txt – Ransom note files dropped by Surtr.
  • [File/Directory] C:\ProgramData\Service, %TEMP%\Service – Directories created during the infection.
  • [File] Surtr extension pattern – ‘[<contact email>].[<random string>].Surtr’ appended to encrypted filenames.
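As an added example (not code from the ASEC post), a small triage scanner for the file-system indicators above: it parses the ‘<original name>.[<email>].[<random string>].Surtr’ naming pattern, counts ransom notes, and reports the distinct contact emails and random strings seen so a responder can tell one campaign run from another. The demo tree it builds is constructed; the email attacker@example.com and the ID A1B2C3D4 are placeholders, not values from the sample.

```python
import os
import re
import tempfile
from pathlib import Path

# Filename shape from the post: <original name>.[<email>].[<random string>].Surtr
SURTR_NAME = re.compile(
    r"^(?P<original>.+?)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.\[(?P<id>[^\]\s]+)\]\.Surtr$")
RANSOM_NOTES = {"SURTR_README.hta", "SURTR_README.txt"}


def parse_surtr_name(name):
    """Split an encrypted filename into original name, contact email and the
    per-victim random string; None if the name does not fit the pattern."""
    m = SURTR_NAME.match(name)
    return m.groupdict() if m else None


def scan_tree(root):
    """Walk `root` and collect encrypted files, ransom notes and the distinct
    email/ID tags seen. One ID across many files indicates a single run."""
    result = {"encrypted": [], "ransom_notes": [], "emails": set(), "ids": set()}
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if f in RANSOM_NOTES:
                result["ransom_notes"].append(path)
                continue
            tag = parse_surtr_name(f)
            if tag:
                result["encrypted"].append(path)
                result["emails"].add(tag["email"])
                result["ids"].add(tag["id"])
    return result


def build_demo_tree():
    """Constructed post-infection layout for offline testing. The contact email
    and the random string are placeholders, not the values from the sample."""
    root = tempfile.mkdtemp(prefix="surtr_demo_")
    docs = Path(root, "Users", "victim", "Documents")
    docs.mkdir(parents=True)
    for name in ("report.docx.[attacker@example.com].[A1B2C3D4].Surtr",
                 "budget.xlsx.[attacker@example.com].[A1B2C3D4].Surtr",
                 "notes.txt",                  # untouched file
                 "SURTR_README.txt", "SURTR_README.hta"):
        (docs / name).write_text("demo")
    return root


if __name__ == "__main__":
    r = scan_tree(build_demo_tree())
    print(f"{len(r['encrypted'])} encrypted files, {len(r['ransom_notes'])} ransom notes, "
          f"emails={sorted(r['emails'])}, ids={sorted(r['ids'])}")
```

Point `scan_tree` at a mounted image or a share root; the regex keys on the bracketed email and random-string groups rather than on a hard-coded address, so it still matches if the operators rotate the contact mailbox.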

Read more: https://asec.ahnlab.com/en/41092/