Arrival
Before deploying this ransomware, attackers use various techniques to gain access to the network, steal domain admin credentials, and move laterally to various devices.
Initialization
This ransomware is written in the Go programming language. When launched, it collects information about the device and identifies files for encryption.
Checks mutex
This ransomware ensures that it runs only once by checking for the existence of a mutex named “EKANS” on the target device. If the mutex is present, the ransomware stops with the message “Already encrypted!”.
Deletes volume shadow copies
After identifying files to encrypt, this ransomware deletes shadow copies of files and system volumes to prevent recovery of the encrypted files. It enumerates shadow copies using WMIC (the Windows Management Instrumentation Command-line tool) and then attempts to delete them.
Stops processes
The ransomware stops numerous services and processes to ensure they don’t lock files targeted for encryption or interrupt the encryption process.
Modifies firewall settings
Before encrypting the files, this ransomware changes the firewall settings to block network communications and prevent recovery and monitoring across the network during file encryption.
It uses the following command to block all traffic:
Netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
To make sure firewall profiles are on, it runs the following command:
Netsh advfirewall set allprofiles state on
After encrypting the files, it turns off the firewall using the following command:
Netsh advfirewall set allprofiles state off
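The shadow copy deletion and the firewall changes above are both carried out through command lines that a process-creation event source records, which makes them detectable before encryption finishes. The following is an added example of that detection logic, not code from the original analysis: it runs three rules over constructed process-creation records (the record format and all timestamps, hosts and parent image paths are invented for the example) and then correlates a shadow copy deletion with the block-all firewall policy from the same parent process, since the combination is a far stronger signal than either command alone.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample process-creation events (not real telemetry), one per line:
# "timestamp|host|parent_image|command_line".
SAMPLE_EVENTS = """\
2020-06-08T10:01:12Z|WS01|C:\\Windows\\explorer.exe|"C:\\Windows\\System32\\notepad.exe" notes.txt
2020-06-08T10:02:40Z|WS01|C:\\Users\\Public\\update.exe|wmic shadowcopy delete
2020-06-08T10:02:41Z|WS01|C:\\Users\\Public\\update.exe|netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
2020-06-08T10:02:41Z|WS01|C:\\Users\\Public\\update.exe|netsh advfirewall set allprofiles state on
2020-06-08T10:03:05Z|WS01|C:\\Windows\\System32\\cmd.exe|netsh advfirewall show allprofiles
2020-06-08T10:17:59Z|WS01|C:\\Users\\Public\\update.exe|netsh advfirewall set allprofiles state off
"""

# Detection rules for the pre-encryption steps described on this page. Each pattern is
# matched case-insensitively against the full command line of a process-creation event.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "firewall_block_all": re.compile(
        r"\bnetsh\b.*\badvfirewall\b.*\bfirewallpolicy\s+blockinbound\s*,\s*blockoutbound\b", re.I),
    "firewall_profile_toggle": re.compile(
        r"\bnetsh\b.*\badvfirewall\b.*\bset\s+allprofiles\s+state\s+(?:on|off)\b", re.I),
}


@dataclass
class Hit:
    rule: str
    time: datetime
    host: str
    parent: str
    command: str


def parse_event(line):
    """Split one 'timestamp|host|parent_image|command_line' record (constructed format)."""
    ts, host, parent, cmd = line.split("|", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, parent, cmd


def detect(events_text):
    """Return a Hit for every event whose command line matches one of RULES."""
    hits = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        time, host, parent, cmd = parse_event(line)
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits.append(Hit(name, time, host, parent, cmd))
    return hits


def correlate(hits, window_seconds=300):
    """Hosts on which the same parent process both deleted shadow copies and set the
    block-all firewall policy within `window_seconds` of each other."""
    by_key = defaultdict(list)
    for h in hits:
        by_key[(h.host, h.parent)].append(h)
    flagged = set()
    for (host, _parent), group in by_key.items():
        deletes = [h.time for h in group if h.rule == "shadow_copy_deletion"]
        blocks = [h.time for h in group if h.rule == "firewall_block_all"]
        if any(abs((b - d).total_seconds()) <= window_seconds for d in deletes for b in blocks):
            flagged.add(host)
    return sorted(flagged)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.time.isoformat()} {h.host} [{h.rule}] {h.command}")
    print("hosts with correlated pre-encryption activity:", correlate(found))
```

The `netsh advfirewall show allprofiles` record is deliberately included as a benign administrative command: none of the rules fire on it, which is the kind of false-positive check worth keeping when these patterns are ported to a production rule language.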
Excludes files and folders
This ransomware excludes the following files and folders from encryption:
- :\Boot
- \AppData\
- boot.ini
- bootfont.bin
- bootmgr
- bootnxt
- bootsect.bak
- ctfmon.exe
- desktop.ini
- iconcache.db
- :\Local Settings
- ntldr
- ntuser.dat
- ntuser.dat.log
- ntuser.ini
- Program Files
- :\$Recycle.Bin
- :\Recovery
- :\System Volume Information
- thumbs.db
- :\Users\All Users
Encrypts files
This ransomware uses the AES-256 algorithm to encrypt file contents. It combines symmetric and asymmetric cryptography (AES-256 for the file data and RSA-2048 for protecting the AES key) and creates a sample encrypted file.
It encrypts files that match a long list of targeted file extensions. Here are some of the extensions it targets:
- .bat
- .blf
- .cmd
- .config
- .devicemetadata-ms
- .dll
- .docx
- .exe
- .ico
- .lnk
- .manifest
- .mui
- .olb
- .ps1
- .regtrans-ms
- .settingcontent-ms
- .sys
After encryption, it appends a random-looking extension to the original file names. It also adds a footer to the end of each encrypted file that includes the AES key encrypted with an RSA public key and an “EKANS” marker.
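During incident response the exclusion list, the targeted extensions and the “EKANS” footer marker described above are what an analyst uses to scope which files were touched. The following added triage script is not code from the original analysis: it classifies a constructed set of file paths and contents as encrypted (marker present in the file's tail), excluded by the ransomware's own path rules, or clean. The page does not give the footer length or the position of the marker within it, so inspecting the last 4 KiB of each file is an assumption made here, and the sample file names and contents are invented.

```python
import re
from pathlib import PureWindowsPath

# Exclusion rules taken from the list on this page. Entries that begin with ":\" are
# drive-root folders; "\AppData\" and "Program Files" are matched anywhere in the path.
EXCLUDED_ROOT_DIRS = {"boot", "local settings", "$recycle.bin", "recovery",
                      "system volume information", "users\\all users"}
EXCLUDED_ANYWHERE = {"appdata", "program files"}
EXCLUDED_NAMES = {"boot.ini", "bootfont.bin", "bootmgr", "bootnxt", "bootsect.bak",
                  "ctfmon.exe", "desktop.ini", "iconcache.db", "ntldr", "ntuser.dat",
                  "ntuser.dat.log", "ntuser.ini", "thumbs.db"}

MARKER = b"EKANS"
TAIL_BYTES = 4096  # assumed upper bound on the footer size; not stated on the page
APPENDED_EXT = re.compile(r"\.[A-Za-z0-9]{5}$")  # the random-looking five-character suffix

# Constructed sample files (path -> content). The first one imitates an encrypted file:
# opaque data, then a placeholder standing in for the RSA-encrypted AES key, then the marker.
SAMPLE_FILES = {
    "C:\\Users\\bob\\Documents\\report.docx.q7zxm":
        bytes(range(256)) * 8 + b"<rsa-encrypted-aes-key placeholder>" + b"EKANS",
    "C:\\Users\\bob\\Documents\\notes.txt": b"plain text notes",
    "C:\\Boot\\BCD": b"registry hive data",
    "C:\\Windows\\System32\\ntoskrnl.exe": b"MZ\x90\x00",
    "C:\\Users\\bob\\AppData\\Roaming\\cache.db": b"SQLite format 3\x00",
}


def is_excluded(path):
    """True if the exclusion rules on this page would have made the ransomware skip the path."""
    p = PureWindowsPath(path)
    rel = "\\".join(p.parts[1:]).lower() if p.drive else str(p).lower()
    if p.name.lower() in EXCLUDED_NAMES:
        return True
    if any(rel == d or rel.startswith(d + "\\") for d in EXCLUDED_ROOT_DIRS):
        return True
    padded = "\\" + rel + "\\"
    return any("\\" + d + "\\" in padded for d in EXCLUDED_ANYWHERE)


def has_marker(content):
    """Heuristic: the footer is at the end of the file, so only the tail is inspected."""
    return MARKER in content[-TAIL_BYTES:]


def original_name(name):
    """Strip the appended five-character extension from an encrypted file's name."""
    return APPENDED_EXT.sub("", name) if APPENDED_EXT.search(name) else name


def triage(files):
    """Classify each path as 'encrypted', 'excluded' or 'clean'.

    The marker is checked first: it is direct evidence, whereas the exclusion rules only
    say what the ransomware was supposed to skip.
    """
    result = {}
    for path, content in files.items():
        if has_marker(content):
            result[path] = "encrypted"
        elif is_excluded(path):
            result[path] = "excluded"
        else:
            result[path] = "clean"
    return result


if __name__ == "__main__":
    for path, status in triage(SAMPLE_FILES).items():
        extra = f" (original name: {original_name(PureWindowsPath(path).name)})" if status == "encrypted" else ""
        print(f"{status:9} {path}{extra}")
```

The five-character suffix is deliberately not used as the encryption verdict: a clean `.docx` or `.blf` file already ends in a five-character extension, so the suffix only helps recover the original name once the footer marker has confirmed the file was encrypted.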
The following image shows encrypted .pyd files with a random-looking five-character string appended by the ransomware:

After encrypting files, it drops a ransom note for each encrypted file. The text file contains the following message:

Files used in this analysis
This ransomware has multiple variants that exhibit varying behaviors. This analysis is based on the following sample:
D4DA69E424241C291C173C8B3756639C654432706E7DEF5025A649730868C4A1 (SHA-256)