Red Ransomware Group, a new emerging threat in ransomware landscape

Recently, Beaconlab investigated an incident in which a new ransomware group was discovered, calling itself Red Ransomware Group (according to its public blog), also known as Red CryptoApp (from the encryption extension). Like most modern ransomware groups, they use a double-extortion strategy: file encryption plus data exfiltration and publication on a public blog (“Hall of Shame”). In this article, we discuss the tactics, techniques, and procedures (TTPs) of this new group, as well as some characteristics of their operation.


Red Ransomware Group Operation:

At the time of the investigation, the group’s public blog (“Hall of Shame”) listed only about a dozen victims. Apparently, the first victims were published on the portal on March 5, with the attacks likely beginning by mid-February 2024.

Like most ransomware groups, this group leaves a ransom note in txt format, HOW_TO_RESTORE_FILES.REDCryptoApp.txt, in every encrypted folder. The note contains a link to the private negotiation portal and a unique ID for each victim.


The extortion platform includes a chat feature for victims to negotiate directly with the group. In the left corner are the details of the ransom demand (wallet address and price, as well as some details of the attack). The stated size of the exfiltrated data is most likely fake. According to other notes that were analyzed, the wallet address is apparently the same for several victims. So far, no payments have been observed to this wallet.

From their public blog, it is very likely a new group that recently began operations. At the time of the blog’s analysis, only 12 victims were listed, all with the same date. In recent days, only one new victim has been added. Although the download links for the published files now redirect to a URL different from the public blog and are currently broken, at the time of analysis the links were functional, and it was possible to download legitimate files exfiltrated from the victims.

We noticed that, in some cases, the description of a victim does not actually correspond to the victim company but to another company with a similar name, which suggests a semi-manual, error-prone Google search process.


Chain of Infection and TTP:


Initial Attack Vector:

According to our investigation, Red Ransomware Group exploited the CVE-2023-47246 vulnerability in the SysAid software, which had been publicly reported in early November 2023. It is a path traversal vulnerability leading to remote code execution, affecting on-prem SysAid versions prior to 23.3.36. Exploiting this vulnerability gave the attacker the ability to upload webshells to the root directory of SysAid and take control of the server.

The webshells were found in the “managerap” path within the root directory of SysAid’s Tomcat server, chosen to blend in with the manager folder that is part of the application’s real structure.

Several webshells were found, including JSP File Browser, which allows exploring the filesystem, reading, creating and modifying files, executing commands, uploading artifacts, etc. The group uses this webshell to upload, run, and install remote control (RMM) software on the server.

It is also possible that the group is using Access Brokers (actors specializing in infiltrating computer systems and networks, then selling that unauthorized access in underground markets). This is plausible because, in the particular case we investigated, some webshells had already been injected earlier, all as a result of the exploitation of the aforementioned SysAid vulnerability. We could not verify whether a Red Ransomware Group member uploaded the webshell or whether they used an already placed webshell.

Command & Control:

The group uses JWrapper to deploy SimpleHelp Remote Access, a remote control software designed to provide remote support in a client-server, self-hosted model. The SimpleHelp client connects to a server under the attacker’s control. In the case analyzed, the attacker’s server was located at http://64.31.63.240/access, hosted by Limestone Networks (France).

We have also found other remote monitoring and management tools, which had been installed using NSSM (Non-Sucking Service Manager), a legitimate Windows service management tool that runs applications or scripts as a background service. The program’s executable was located in C:\windows\system32\, masked under the name HealthReport.exe. NSSM was used to install and run AnyDesk, another popular RMM tool, and a malicious DLL, c:\windows\system32\users.dll (SHA256 hash: e37b95bb9bee64cc0313eaad8a0269493745f89413bd78b58bb3b479b36084ae).

This DLL waits for commands, which are sent to it via https://cl1p.net/101012. Cl1p.net is a free online clipboard: the attacker writes a command there and the compromised server reads it, so the clipboard effectively acts as a C&C server and evades security tools, which are not able to inspect the command being sent. ScreenConnect was also started with NSSM, with the connection ID b5be755f21077092.

It is not entirely clear whether all of these tools were installed by the Red Ransomware Group, or whether some of them were delivered by an Access Broker that had previously gained control over the compromised SysAid server. What is certain is that AnyDesk and ScreenConnect were used as backup C&C mechanisms by this group.

All command-and-control tools had been installed as system services and configured to start at boot, for persistence.


Internal Scanning:

The group uses SoftPerfect Network Scanner (netscan.exe) to scan other computers on the network. It is a portable scanner that allows you to discover hosts, scan ports, discover shared folders, and extract computer details using WMI, SNMP, HTTP, SSH, and PowerShell. Nmap and Advanced IP Scanner were also found, but they were likely installed and delivered by independent Access Brokers or other groups.


Lateral Movement:

To move laterally to other computers on the network, the Red Ransomware Group mostly uses Pass-the-Hash. To obtain hashes, the group uses ProcDump, a command-line tool developed by Microsoft as part of Sysinternals, which is used to create process dumps on Windows systems. In this case, the actor obtains the hashes by dumping the lsass.exe process:

C:\Programdata\p64.exe -accepteula -ma lsass.exe C:\Programdata\o.dmp

The dump allows the group to obtain the domain administrator hashes, which are then used to connect to several endpoints and servers to deploy artifacts, including the encryptor.

Using the SMBExec tool, the attacker enables Restricted Admin Mode, which allows them to perform Pass-the-Hash lateral movement over RDP:

Obfuscated command:

%COMSPEC% /Q /c echo powershell -exec bypass -enc TgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwB5AHMAdABlAG0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwATABzAGEAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBSAGUAcwB0AHIAaQBjAHQAZQBkAEEAZABtAGkAbgAiACAALQBWAGEAbAB1AGUAIAAiADAAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAFcATwBSAEQAIAAtAEYAbwByAGMAZQA= ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

Deobfuscated command:

%COMSPEC% /Q /c echo powershell -exec bypass -enc New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

Exfiltration:

Red Ransomware Group uses Rclone, a well-known command-line tool for syncing files and directories from a computer to the most popular cloud storage providers. The actor sends the exfiltrated data to Put.io, a well-known cloud hosting service that has been used by other groups in the past. In the case we investigated, the exfiltration was carried out from only one of the affected servers.


Persistence:

To ensure persistence, the actor creates several users, both local and workgroup accounts, which were added to the local administrators group of the affected computers using typical Windows-native commands (quser and net).


Evasion:

We have observed that the group uses the well-known anti-rootkit tools GMER and Avast aswArPot, masked under the names un63td1n.exe and aswQP_Avar.sys, to kill antivirus and/or EDR processes, thus evading any protection or blocking they might cause.

Impact:

For the deployment of the ransomware and post-exploitation activities, the attacker uses PDQ Deploy, a tool used for the mass deployment of scripts to multiple devices.

With this tool, the attacker builds an XML package that is deployed and executes various actions on all the servers to which they have previously gained access, including:

  1. Delete the records of the most well-known EDRs, preventing them from starting on boot
  2. Ensure auto-start of AnyDesk and ScreenConnect
  3. Create a service named ekrnEpfwFF that starts a previously created script, AAA.ps1, on boot:
    1. The AAA.ps1 script, which is obfuscated, copies the encryptor binary to the path C:\programdata, with the name exe, creates and executes some PowerShell scripts (S01.ps1 and S02.ps1) which run the encryptor on all drives and then delete some traces, including these scripts.
  4. Create the Administrator2 user (password P@ssw0rd1234!), in Autologon mode
  5. Establish an SMB connection to the destination server to be encrypted, with the workgroup user test (P@ssw0rd123)
  6. Copy the AAA.ps1 script to C:\programdata on each computer to be encrypted

The encryptor is copied to each device with the name AAQQ.exe. The executable is packed with UPX and is written in Go. The hash (SHA-256) is ba84c820016298ad5e15a5f3eb9ab608491963ff333ae0e1267ac48ac909606ee


Other interesting findings:

To execute some of the post-exploitation actions after connecting through SimpleHelp, the group uses winpty (winpty-agent.exe, https://github.com/rprichard/winpty), a tool that provides an interface similar to a Unix pseudo-terminal for communicating with Windows console programs, making it more practical to send CMD commands.

PowerShell script obfuscation:

All PowerShell scripts that we found were obfuscated with a simple character replacement algorithm.

Script S01.ps1:

Although the attacker deleted the file, it was possible to retrieve it. This script mainly deletes all sorts of backups and removes traces. It has 7 parts, which execute a set of actions such as:

  • Disable Windows Defender and all its modules (automatic sample submission, real-time protection, intrusion prevention, etc.)
  • Set Full Control (Everyone:F) permissions on multiple locations, including disk drives, folders at the root of C:\ (excluding those related to the OS), and the Desktop, Downloads, and Documents folders of each user.
  • Stop and disable a number of services and processes whose names match a list of words (Veeam, Barracuda, Trend, Cylance, sql, etc.).
  • Use vssadmin.exe to delete all shadow copies on the system (except for the C:\ partition) and to adjust the maximum shadow storage size on all available drives (reducing it to 401MB). It then makes sure they have been deleted by repeating the process with wmic and Get-WmiObject commands.
  • With bcdedit, disable system recovery and set the boot status policy to ignore all failures.
  • With the Get-EventLog and Clear-EventLog commands, clear the event logs.
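As an added defender-side example (not the authors' code and not an artifact from the incident), the following Python applies simple detection rules for the TTPs described in this article (the ProcDump LSASS dump, the encoded PowerShell command that enables Restricted Admin Mode, the NSSM service installs, and the S01.ps1 backup and log tampering) to constructed process-creation command lines. The -enc payload is decoded from base64-wrapped UTF-16LE, the same transformation that yields the deobfuscated command shown in the Lateral Movement section; rule names and sample lines are our own choices.

```python
import base64
import re
from typing import List, Optional

# Constructed sample of process-creation command lines (not telemetry from the
# incident): ProcDump dumping LSASS, the smbexec-style wrapper carrying the
# encoded PowerShell payload, S01.ps1-style backup/recovery tampering, a benign line.
PAYLOAD_SAMPLE = ('New-ItemProperty -Path "HKLM:\\System\\CurrentControlSet\\Control\\Lsa" '
                  '-Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force')
SAMPLE_COMMAND_LINES = [
    r"C:\Programdata\p64.exe -accepteula -ma lsass.exe C:\Programdata\o.dmp",
    "powershell -exec bypass -enc " + base64.b64encode(PAYLOAD_SAMPLE.encode("utf-16le")).decode(),
    "vssadmin.exe delete shadows /all /quiet",
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"nssm install HealthReport C:\windows\system32\HealthReport.exe",
    "powershell -Command Get-EventLog -List | ForEach-Object { Clear-EventLog $_.Log }",
    r"notepad.exe C:\Users\alice\notes.txt",
]

# PowerShell accepts -enc / -encodedcommand / -e followed by base64 of UTF-16LE text.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the plaintext behind a PowerShell -enc argument, or None if absent/invalid."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

# Each rule maps to a TTP described in the article; regexes are matched against the
# raw command line and, when present, its decoded -enc payload.
RULES = [
    ("lsass_dump_procdump", re.compile(r"-ma\s+lsass(\.exe)?\b", re.I)),
    ("restricted_admin_enabled", re.compile(r"DisableRestrictedAdmin.*-Value\s+\"?0\"?", re.I)),
    ("shadow_copy_tampering", re.compile(r"(vssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)"
                                          r"|wmic\s+shadowcopy\s+delete)", re.I)),
    ("boot_recovery_disabled", re.compile(r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("nssm_service_install", re.compile(r"\bnssm(\.exe)?\s+install\b", re.I)),
    ("event_log_cleared", re.compile(r"\bClear-EventLog\b", re.I)),
]

def evaluate(cmdline: str) -> List[str]:
    """Names of every rule that fires on one command line (decoded -enc payload included)."""
    texts = [cmdline]
    decoded = decode_encoded_powershell(cmdline)
    if decoded:
        texts.append(decoded)
    return [name for name, rx in RULES if any(rx.search(t) for t in texts)]
```

In production these rules would run over Sysmon Event ID 1 or Security 4688 command lines; matching the decoded payload is what catches the registry change, since the raw line only shows base64.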


Script S02.ps1:

This script executes the encryptor; it defines a key that appears to be an MD5 hash, hardcoded in the script. We were unable to determine whether this is a unique key for each victim or a universal key.
The encryptor is then run in a loop for each disk drive as follows:

C:\Programdata\AAQQ.exe <key> <disk_drive>

On the C:\ disk, the attacker avoids encrypting any folder containing “Windows”, “Program”, “users”, “driver”, “boot”, probably to avoid interfering with or corrupting the operating system.


Summary:


This new group, while still having a limited number of victims, will most likely continue to expand its operations and victim count. Like other current groups, this actor leverages many legitimate IT management tools (Living-off-the-Land, LotL) to reduce the chances of being detected. In addition, it demonstrates a high degree of automation in its actions and tasks, reducing the victim’s reaction time between the initial compromise and the encryption of all systems.

To minimize the chances of being a victim of this type of group, at Beaconlab we recommend:

  • Always keep software up to date with the latest security patches, especially applications and services exposed to the Internet.
  • Use EDR/XDR solutions that allow you to detect early signs of compromise. Remember that endpoint protection solutions, even if they can block threats, must be continuously monitored by specialized analysts; also, check your settings frequently to ensure that the levels of protection are adequate.
  • Implement a centralized visibility and traceability strategy that allows for early detection of any type of intrusion, at different layers. Keep in mind that attackers often seek to disrupt EDR/XDR processes, and defense-in-depth visibility is critical to address that risk.
  • Harden each system according to a baseline, e.g. CIS Benchmarks, appropriate to the use or application of that system.
  • Conduct a thorough review of users with administrator privileges and remove those that are not strictly necessary, limiting them to the minimum necessary staff.
  • Implement a protection strategy against lateral movement techniques (Pass-the-Hash, Pass-the-Ticket or similar), considering that these techniques abuse the way the AD architecture itself is designed. Microsoft has published an official guide to address it:


Indicators of Compromise (IoC):

You can download the IoC in csv format here