ELF of the Month: New Lucky Ransomware Sample

James Condon
Director of Research, Lacework Labs


News broke in late November 2018 about a ransomware variant dubbed Lucky Ransomware that targets both Linux and Windows platforms. A recent sample of the ransomware module was uploaded to VirusTotal in mid-December 2018 with some different characteristics than previously reported samples. In this month’s edition of ELF of the Month, we take a look at this new sample.

Lucky Ransomware Background

Lucky Ransomware was first reported by SANGFOR and NSFOCUS in late November and early December 2018. It is described as a variant of Satan ransomware and has both Windows and Linux versions.

The malware is modular in nature, with three major components:

  1. Propagation module
  2. Ransomware module
  3. Coinmining module

The malware attempts to propagate by scanning the local subnet for the following vulnerabilities:

  • JBoss deserialization vulnerability (CVE-2013-4810,CVE-2017-12149)
  • JBoss default configuration vulnerability (CVE-2010-0738)
  • Tomcat arbitrary file upload vulnerability (CVE-2017-12615)
  • Tomcat web admin console weak password brute-force attack
  • WebLogic arbitrary file upload vulnerability (CVE-2018-2894)
  • WebLogic WLS component vulnerability (CVE-2017-10271)
  • Windows SMB remote code execution vulnerability (MS17-010)
  • Apache Struts 2 remote code execution vulnerability (S2-045)
  • Apache Struts 2 remote code execution vulnerability (S2-057)
  • Spring Data Commons remote code execution vulnerability (CVE-2018-1273)

In addition, the malware attempts to crack weak passwords on Linux hosts.

The ransomware module selects files to encrypt by file extension while whitelisting a number of directories. It appends the extension “.lucky” to encrypted files and leaves a ransom note in a file named “_How_To_Decrypt_My_File”.

Lastly, the coinmining module is the open-source Monero miner XMRig.

New Sample Details

On December 13th, 2018, a sample of the ransomware module was uploaded to VirusTotal. At the time of this writing it has been submitted 33 times by four submitters. The sample triggers 16 AV detections, two of which name Lucky as the malware family.

When this sample runs, it does a couple of things differently. First, it names the encrypted files differently:

“[nmare@protonmail.com]<filename>.<string>.nmare” as opposed to “[nmare@cock.li]<filename>.<string>.lucky”

Figure 1. File listing of encrypted files. 

The ransom note is named “How_To_Decrypt_My_File” as opposed to “_How_To_Decrypt_My_File”.

The ransom note contains the same Bitcoin wallet address; however, the email address has been updated (it matches the email in the encrypted filename).

Figure 2. Ransom note.
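The two naming schemes above (the earlier “[nmare@cock.li]<filename>.<string>.lucky” and the new “[nmare@protonmail.com]<filename>.<string>.nmare”, plus the two ransom note names) are easy to hunt for in a directory listing. The script below is an added example written for this post, not code from the original article or from the malware; the directory listing it runs over is constructed, and the “<string>” segment is matched loosely as the dot-free token before the final extension because its exact format is not described here.

```python
import re
from typing import Dict, List, Optional

# Encrypted-file name patterns described for Lucky ransomware samples:
#   "[nmare@cock.li]<filename>.<string>.lucky"        (earlier samples)
#   "[nmare@protonmail.com]<filename>.<string>.nmare" (December 2018 sample)
# The <string> segment is matched loosely as the dot-free token that precedes
# the final extension (assumption: its real format is not specified).
ENCRYPTED_NAME = re.compile(
    r"^\[(?P<email>nmare@(?:cock\.li|protonmail\.com))\]"
    r"(?P<original>.+)\.(?P<token>[^.]+)\.(?P<ext>lucky|nmare)$"
)

# Ransom note names: "_How_To_Decrypt_My_File" (earlier samples) and
# "How_To_Decrypt_My_File" (new sample).
RANSOM_NOTES = {"_How_To_Decrypt_My_File", "How_To_Decrypt_My_File"}


def parse_encrypted_name(name: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of a Lucky-style encrypted file name, or None."""
    m = ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None


def triage_listing(names: List[str]) -> Dict[str, object]:
    """Split a directory listing into encrypted files, ransom notes and untouched files.

    Also reports which email/extension variant(s) were seen, so an analyst can tell
    the December 2018 sample (protonmail/.nmare) from earlier ones (cock.li/.lucky).
    """
    encrypted, notes, untouched = [], [], []
    for name in names:
        parsed = parse_encrypted_name(name)
        if parsed:
            encrypted.append(parsed)
        elif name in RANSOM_NOTES:
            notes.append(name)
        else:
            untouched.append(name)
    variants = sorted({f"{e['email']}/{e['ext']}" for e in encrypted})
    return {
        "encrypted": encrypted,
        "notes": notes,
        "untouched": untouched,
        "variants": variants,
    }


# Constructed sample listing (not taken from a real infection); tokens are placeholders.
SAMPLE_LISTING = [
    "[nmare@protonmail.com]quarterly-report.docx.7f3a9c1b.nmare",
    "[nmare@protonmail.com]customers.db.7f3a9c1b.nmare",
    "How_To_Decrypt_My_File",
    "[nmare@cock.li]backup.tar.gz.c0ffee42.lucky",
    "_How_To_Decrypt_My_File",
    "README.md",
    "archive.lucky",  # a bare ".lucky" is not enough: the bracketed e-mail prefix is required
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    for e in result["encrypted"]:
        print(f"{e['ext']:6} {e['email']:22} original={e['original']} token={e['token']}")
    print("ransom notes:", result["notes"])
    print("variants seen:", result["variants"])
```

Because the regex requires the bracketed e-mail prefix, files that merely happen to end in “.lucky” are not flagged, which keeps the check useful on hosts where that extension is used legitimately.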

Additionally, there is a new command and control IP, 111.90.141.104. Looking up the IP in VirusTotal shows a number of URLs on that host serving the modules associated with Lucky Ransomware.

Figure 3. Listing of scanned URLs associated with 111.90.141.104.


Conclusion

The command and control IP for this sample is still active. We expect to see more updates and new samples in the future. As preventative measures, patch the software targeted by the propagation module, block the command and control infrastructure detailed in this blog and the referenced blogs, and ensure your systems have proper backups in the event of a ransomware infection.

Detection in Lacework

Lacework will detect the following IOCs via File Integrity Monitoring (FIM) and network connection monitoring. Additionally, Lacework alerts on anomalous processes, user activity, and network communications.

IOCs

SHA256 Hashes

fa4b9c8cefc7d6a549c2a03f66f7d3cdcd65433eeac1cef17f17f20574853622  cry64
65de00e9f262ff62c91c5ec494cb399b8a1de349e05e5dd2d3bd90006d3f141e  fast.exe
fdaf6f9074f296c196f25be4f1b3633d727d55b4b27a227b623c21b754ebd4c4  conn32
1733651578ec564b3f12f1899cf53079674d0233566130a2af3277bfbe444ef5  mn32
fc245df4f5feeabe28bac64949a502ea9d431d9c648b45e5042ec5e77da68278  ft64
2865e03f79cf99f7961fa97d84b88042ec0bd4a710c5ae761c9d917d67679457  conn64
8ab9de549f6d824b2b02971c8c98aa035719e10fd8c784e8a79f672d8a93582a  ft32
1ecb94b101c6229a60475748fee4ecbf656e6d77722d7b422378d47c9510d293  cpt.exe
59f0236e2311b5394308921a5d6df504a918101ead9be1254b9b729be1285e71  conn.exe
8224b7742756920e88d4407770acc7c5a7b7f0c70b26d9d0c96a165b2ce261f6  mn64
fc52ef7b921468a61f947946e85d600112d35995bf2f8b2d82dd9bf5af7d114c  cry32
ae74a671f376fbe12bc09bc77a7e81a754ece5267bb9e481f691210aba7e8f89  mn32.exe

IP Addresses

111.90.141.104

URLs

http://111.90.141[.]104/d/fast.exe
http://111.90.141[.]104/d/conn32
http://111.90.141[.]104/d/mn32
http://111.90.141[.]104/d/ft64
http://111.90.141[.]104/d/conn64
http://111.90.141[.]104/d/ft32
http://111.90.141[.]104/d/cpt.exe
http://111.90.141[.]104/d/conn.exe
http://111.90.141[.]104/d/mn64
http://111.90.141[.]104/d/cry64
http://111.90.141[.]104/d/cry32
http://111.90.141[.]104/d/mn32.exe
http://111.90.141[.]104/d/cpy.exe
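The IOC list above can be turned into a quick offline hunt. The script below is an added example written for this post, not Lacework tooling or code from the referenced reports. It carries the published SHA256 hashes, IP and URLs exactly as listed (defanged), refangs them, checks file digests against the hash list, and scans proxy log lines for downloads from the distribution host. The proxy log format and the log lines it runs over are constructed for the example.

```python
import hashlib
import re
from typing import Dict, List, Optional

# SHA256 hashes and module names from the IOC list above.
IOC_SHA256: Dict[str, str] = {
    "fa4b9c8cefc7d6a549c2a03f66f7d3cdcd65433eeac1cef17f17f20574853622": "cry64",
    "65de00e9f262ff62c91c5ec494cb399b8a1de349e05e5dd2d3bd90006d3f141e": "fast.exe",
    "fdaf6f9074f296c196f25be4f1b3633d727d55b4b27a227b623c21b754ebd4c4": "conn32",
    "1733651578ec564b3f12f1899cf53079674d0233566130a2af3277bfbe444ef5": "mn32",
    "fc245df4f5feeabe28bac64949a502ea9d431d9c648b45e5042ec5e77da68278": "ft64",
    "2865e03f79cf99f7961fa97d84b88042ec0bd4a710c5ae761c9d917d67679457": "conn64",
    "8ab9de549f6d824b2b02971c8c98aa035719e10fd8c784e8a79f672d8a93582a": "ft32",
    "1ecb94b101c6229a60475748fee4ecbf656e6d77722d7b422378d47c9510d293": "cpt.exe",
    "59f0236e2311b5394308921a5d6df504a918101ead9be1254b9b729be1285e71": "conn.exe",
    "8224b7742756920e88d4407770acc7c5a7b7f0c70b26d9d0c96a165b2ce261f6": "mn64",
    "fc52ef7b921468a61f947946e85d600112d35995bf2f8b2d82dd9bf5af7d114c": "cry32",
    "ae74a671f376fbe12bc09bc77a7e81a754ece5267bb9e481f691210aba7e8f89": "mn32.exe",
}

# Network indicators exactly as published (defanged); refang() makes them matchable.
IOC_IP_DEFANGED = "111.90.141[.]104"
IOC_MODULE_NAMES = [
    "fast.exe", "conn32", "mn32", "ft64", "conn64", "ft32", "cpt.exe",
    "conn.exe", "mn64", "cry64", "cry32", "mn32.exe", "cpy.exe",
]
IOC_URLS_DEFANGED = [f"http://{IOC_IP_DEFANGED}/d/{m}" for m in IOC_MODULE_NAMES]


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be compared with live data."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


IOC_IP = refang(IOC_IP_DEFANGED)
IOC_URLS = {refang(u) for u in IOC_URLS_DEFANGED}


def match_sha256(digest: str) -> Optional[str]:
    """Return the module name if the digest is in the IOC list, else None."""
    return IOC_SHA256.get(digest.strip().lower())


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Assumed proxy log layout (constructed for this example):
#   <timestamp> <client_ip> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests for a known module URL, or any request to the C2/distribution IP."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        url = m.group("url")
        host = url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        if url in IOC_URLS:
            hits.append({**m.groupdict(), "reason": "known Lucky module URL"})
        elif host == IOC_IP:
            hits.append({**m.groupdict(), "reason": "request to C2 IP"})
    return hits


# Constructed log lines; the internal client addresses are placeholders.
SAMPLE_LOG = [
    "2018-12-14T03:12:41Z 10.0.0.21 GET http://111.90.141.104/d/cry64 200",
    "2018-12-14T03:12:42Z 10.0.0.21 GET http://111.90.141.104/d/conn64 200",
    "2018-12-14T03:12:50Z 10.0.0.21 GET http://111.90.141.104/other/path 404",
    "2018-12-14T03:13:01Z 10.0.0.22 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['url']}  [{hit['reason']}]")
    print(match_sha256("FA4B9C8CEFC7D6A549C2A03F66F7D3CDCD65433EEAC1CEF17F17F20574853622"))
```

Matching on the whole URL catches the known module downloads; the fallback match on the host alone catches the same server serving a renamed module, which is exactly the kind of change this sample shows against the earlier reports.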