The Ransomware Chimera That Does Everything

by Security News

Overview

Malware typically falls into well-defined categories. Ransomware encrypts files and demands payment. Banking trojans steal credentials. Botnets await remote commands. However, some samples defy these conventional classifications by incorporating multiple threat vectors into a single executable.

This week, the SonicWall Capture Labs Threat Research team examined a .NET executable that combines ransomware, botnet, information stealer, and worm capabilities. The sample is particularly notable for explicitly referencing eight different ransomware families throughout its codebase.

Infection Cycle

Upon execution, the sample calls the Windows API to lock the workstation immediately and displays a full-screen ransom lock screen.

Figure 1. Full-screen ransomware lock screen

Simultaneously, it creates a mutex `Global\BotnetMutex_7E8F9A0B` to mark its installation and proceeds to list all working directories. It then changes the desktop wallpaper, which will be visible once the victim unlocks the computer. The actual encryption then runs asynchronously in the background while the victim is distracted by the lock screen and the desktop wallpaper.

The malware then creates multiple mutexes that explicitly reference eight distinct ransomware families. These include `WannaCryMutex`, `LockBitMutex`, `RyukMutex`, `REvilMutex`, `DarkSideMutex`, `ContiMutex`, and `BlackCatMutex`, with versioned variants such as `LockBitMutex_v2` and `RyukMutex_v2`.

Figure 2. Malware creating multiple mutexes with ransomware names

The AES encryption implementation uses a hardcoded key containing the string `HiddenTearsKey123`, referencing the Hidden Tear educational ransomware proof-of-concept from 2015.

Figure 3. AES Key referencing another ransomware family called Hidden Tears

The sample's C2 communications to `parktheatreri.com/api/log` include campaign identification as `"blackcat"` with version `"2.0"`.

Figure 4. SendToC2() function referencing BlackCat

Core Ransomware Functionalities

The sample implements standard ransomware capabilities including AES file encryption with a hardcoded key, targeting files in the Desktop/TestFolder directory with a `.encrypted` extension. It deploys a ransom note demanding $1000 in Bitcoin, modifies the desktop wallpaper, and schedules a system shutdown after 5 minutes.

Code references:

  • EncryptFiles() method - file encryption routine
  • ShowRansomScreen() method - ransom lock screen
  • ChangeWallpaper() method - desktop background change
  • ScheduleShutdown() method - system shutdown timer

However, the functionality extends well beyond typical ransomware behavior.

Botnet Capabilities

Unlike traditional ransomware that operates in a fire-and-forget manner, this sample maintains persistent command-and-control communication:

  • Heartbeat beacons transmitted every 30 seconds
  • Fast beacons sent every 10 seconds
  • Continuous data exfiltration via HTTP POST requests
  • User-Agent string spoofing to mimic legitimate Chrome browser traffic (as shown in Figure 4)

Figure 5. Network Beacon functionality

This transforms the compromised system into a botnet node that continuously reports back to the operator, extending functionality beyond simple encryption and extortion.
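From the network side, a fixed-interval beacon to one host and path is visible in proxy logs even when the User-Agent claims to be Chrome. The following Python is an added example, not code from SonicWall or from the sample: it groups requests by source, method and URL, measures the inter-arrival times, and flags streams whose intervals are nearly constant, which is what the 10 s and 30 s beacons described above produce. The log format, IP addresses and timestamps are constructed; the C2 path and the spoofed Chrome User-Agent behaviour are taken from the analysis.

```python
"""Beacon periodicity check over constructed HTTP proxy log lines (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log format: "<ISO timestamp> <src_ip> <method> <host+path> <user-agent>"
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
C2_URL = "parktheatreri.com/api/log"  # endpoint named in the analysis


def _lines(src, method, url, ua, times):
    return [f"2024-01-01T{t} {src} {method} {url} {ua}" for t in times]


# Constructed sample: one 30 s heartbeat, one 10 s fast beacon, and ordinary browsing.
SAMPLE_LOG = "\n".join(
    _lines("10.0.0.5", "POST", C2_URL, CHROME_UA,
           ["10:00:00", "10:00:30", "10:01:00", "10:01:30", "10:02:00", "10:02:30"])
    + _lines("10.0.0.9", "POST", C2_URL, CHROME_UA,
             ["10:05:00", "10:05:10", "10:05:20", "10:05:30", "10:05:40"])
    + _lines("10.0.0.7", "GET", "example.com/", FIREFOX_UA,
             ["10:00:03", "10:00:41", "10:03:12", "10:07:55"])
)


def parse_line(line):
    """Split one constructed log line; the User-Agent is the remainder after the URL."""
    ts, src, method, url, ua = line.split(" ", 4)
    return datetime.fromisoformat(ts), src, method, url, ua


def find_beacons(log_text, min_events=4, max_cv=0.1):
    """Return streams whose inter-arrival times have a coefficient of variation <= max_cv.

    A stream is (source IP, method, host+path). A genuine browser produces irregular
    gaps; a timer-driven beacon produces nearly identical ones.
    """
    streams = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, ua = parse_line(line)
        streams[(src, method, url)].append((ts, ua))

    findings = []
    for (src, method, url), events in streams.items():
        if len(events) < min_events:
            continue
        events.sort()
        deltas = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(deltas)
        if avg <= 0:
            continue
        cv = pstdev(deltas) / avg  # 0.0 means perfectly regular
        if cv <= max_cv:
            findings.append({
                "src": src,
                "method": method,
                "url": url,
                "count": len(events),
                "interval_s": round(avg, 1),
                "cv": round(cv, 3),
                # The UA alone is not a signal; a static Chrome UA on a timer is.
                "chrome_ua": any("Chrome/" in ua for _, ua in events),
            })
    return sorted(findings, key=lambda f: f["src"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['url']} every ~{f['interval_s']}s "
              f"({f['count']} requests, cv={f['cv']}, chrome_ua={f['chrome_ua']})")
```

The threshold on the coefficient of variation is deliberate: an absolute tolerance in seconds would treat a 10 s and a 30 s beacon differently, while a relative one does not. Implants that add jitter push the variation up, so in practice this check is one signal to combine with the destination's reputation and the POST-heavy request mix the analysis describes, not a verdict on its own.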

Information Stealer Functionalities

The sample incorporates comprehensive data collection capabilities that significantly diverge from standard ransomware behavior. It implements keylogging through a low-level keyboard hook (`WH_KEYBOARD_LL`) combined with polling of all 255 keyboard keys, captures clipboard contents every 2 seconds, and automatically takes JPEG screenshots every 30 seconds. The malware targets Chrome-specific data including cookies, browsing history, and stored login credentials, while also extracting Windows credential files from `%LOCALAPPDATA%\Microsoft\Credentials` for potential offline cracking. It recursively searches all drives for documents (`.txt`, `.doc`, `.docx`, `.pdf`), spreadsheets (`.xls`, `.xlsx`), images (`.jpg`, `.png`), and archives (`.zip`), staging them for exfiltration. Additionally, it executes system profiling commands including `systeminfo`, `tasklist`, `whoami`, `net user`, `ipconfig`, and `netstat` to gather comprehensive system information. 

Figure 6. StartKeylogger() module

This represents espionage-grade data collection occurring before any encryption activities, indicating objectives beyond simple financial extortion.

Worm Propagation Mechanisms

The sample includes self-propagation capabilities atypical of standard ransomware. It monitors for removable drive insertion and automatically copies itself to each device with an accompanying `autorun.inf` file for automatic execution upon connection to other systems. It also attempts lateral movement by copying itself to `\\localhost\c$\Windows\Temp\` and `\\127.0.0.1\Admin$` network shares.

Figure 7. USBWorm() module
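The `autorun.inf` plus executable pairing the worm module leaves on removable media is a simple artifact to triage when a drive from an affected environment is examined. The following Python is an added example, not code from SonicWall or from the sample: it parses an `autorun.inf` at the root of a mounted volume, extracts the launch targets, and reports whether those targets exist as executables on the same volume. The file names, the `payload.exe` placeholder and the temporary directory standing in for a drive are constructed. As a defender's caveat, current Windows versions do not honour `autorun.inf` on USB drives by default, so the pairing matters mainly as evidence of the copy behaviour and as a risk to older or misconfigured systems.

```python
"""Triage of an autorun.inf / executable pair on a removable volume (added example)."""
import configparser
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".scr", ".bat", ".cmd", ".com", ".vbs", ".js", ".pif"}
LAUNCH_KEYS = ("open", "shellexecute")  # keys that name something to run


def parse_autorun(text):
    """Return the [autorun] entries as a dict, {} if absent, None if unparseable."""
    # interpolation=None: values such as %SystemRoot% must not be expanded.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def triage_removable_drive(root):
    """Inspect the root of a mounted volume for an autorun.inf that launches a local executable."""
    root = Path(root)
    inf = root / "autorun.inf"
    result = {"autorun_present": inf.exists(), "launch_targets": [],
              "targets_present": [], "suspicious": False}
    if not inf.exists():
        return result
    entries = parse_autorun(inf.read_text(errors="replace"))
    if entries is None:
        result["suspicious"] = True  # a malformed autorun.inf is itself worth a look
        return result
    for key in LAUNCH_KEYS:
        parts = entries.get(key, "").strip().strip('"').split()
        if parts and parts[0] not in result["launch_targets"]:
            result["launch_targets"].append(parts[0])  # first token; ignore arguments
    for target in result["launch_targets"]:
        candidate = root / target
        if candidate.exists() and candidate.suffix.lower() in EXECUTABLE_SUFFIXES:
            result["targets_present"].append(target)
    result["suspicious"] = bool(result["targets_present"])
    return result


def build_sample_drive(root, with_autorun=True):
    """Write constructed files that mimic an infected (or clean) removable volume."""
    root = Path(root)
    (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0")  # constructed, not a real image
    if with_autorun:
        (root / "autorun.inf").write_text(
            "[AutoRun]\n"
            "open=payload.exe\n"
            "shellexecute=payload.exe /s\n"
            "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
            "action=Open folder to view files\n"
        )
        # Constructed placeholder with an MZ header; not an actual executable.
        (root / "payload.exe").write_bytes(b"MZ" + b"\0" * 62)


def demo(with_autorun=True):
    """Build a sample volume in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp, with_autorun)
        return triage_removable_drive(tmp)


if __name__ == "__main__":
    print(demo())
    print(demo(with_autorun=False))
```

On a real volume the call is `triage_removable_drive("E:\\")` (or the mount point on a forensic workstation); the `demo` helper exists only so the example runs offline. The `action=Open folder to view files` line is the classic lure that makes the malicious entry look like the normal Explorer prompt, which is why the check keys on the launch targets rather than on the file's appearance.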

Layered Persistence Mechanisms

The sample implements seven distinct persistence mechanisms to ensure survival across system reboots and security interventions:

  • Registry Run keys for automatic startup
  • Startup folder deployment (`SysUpdate.exe`, `startup.exe`)
  • Dual scheduled tasks (`SysUpdateTask` triggered on logon, `RansomwareCheck` running daily)
  • System32 directory injection (masquerading as `svchost.exe`)
  • USB autorun-based propagation
  • PDF file association hijacking
  • UAC bypass utilizing the `fodhelper.exe` technique

This redundancy significantly exceeds typical malware persistence strategies, which commonly employ one or two mechanisms.

Comprehensive Defense Evasion

The sample implements an extensive array of defense evasion techniques targeting Windows security infrastructure:

  • Disables Windows Defender through registry modification and PowerShell execution
  • Terminates security services including `wscsvc`, `SecurityHealthService`, `WinDefend`, and `MsMpSvc`
  • Disables Task Manager and Registry Editor access
  • Deactivates System Restore functionality
  • Removes Safe Mode boot options via registry key deletion
  • Disables Windows Firewall
  • Deletes Volume Shadow Copies using `vssadmin delete shadows /all /quiet`
  • Modifies hosts file to block access to security vendor domains (Kaspersky, McAfee, Symantec, Avast, Bitdefender, ESET, Trend Micro, Malwarebytes, VirusTotal)
  • Redirects Google.com to localhost (127.0.0.1)
  • Continuously terminates Task Manager and process monitoring utilities
  • Implements anti-debugging techniques including `IsDebuggerPresent` and `CheckRemoteDebuggerPresent` API calls
  • Utilizes `BlockInput()` API to disable keyboard and mouse input
  • Employs `NtSetInformationThread(ThreadHideFromDebugger)` to evade debugger detection
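Several of the behaviours in this list, in the persistence list above, and in the system-profiling commands from the information-stealer section leave process-creation telemetry that an EDR or Sysmon pipeline records. The following Python is an added example, not code from SonicWall or from the sample: a small rule set run over constructed process-creation events that flags shadow-copy deletion, stops of the named security services, a child process of `fodhelper.exe`, creation of the named scheduled tasks, deletion of the SafeBoot registry key, Defender being disabled from PowerShell, and a burst of discovery commands from one parent. The log format, host names and command lines are constructed; the service names, task names, `vssadmin` command and discovery utilities are the ones the analysis lists. It is an assumption that the sample spawns these utilities rather than calling the equivalent APIs directly, so the rules cover the command-line form only.

```python
"""Process-creation rules for the behaviours described in the analysis (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

SECURITY_SERVICES = {"wscsvc", "securityhealthservice", "windefend", "msmpsvc"}
TASK_NAMES = {"sysupdatetask", "ransomwarecheck"}
DISCOVERY_IMAGES = {"systeminfo.exe", "tasklist.exe", "whoami.exe", "net.exe",
                    "ipconfig.exe", "netstat.exe"}

# Constructed event format: "<ISO timestamp> host=H parent=P image=I cmd=<command line>"
SAMPLE_EVENTS = r"""
2024-01-01T10:00:05 host=WS01 parent=SysUpdate.exe image=vssadmin.exe cmd=vssadmin delete shadows /all /quiet
2024-01-01T10:00:06 host=WS01 parent=SysUpdate.exe image=net.exe cmd=net stop WinDefend
2024-01-01T10:00:07 host=WS01 parent=fodhelper.exe image=cmd.exe cmd=cmd.exe /c C:\Users\Public\SysUpdate.exe
2024-01-01T10:00:09 host=WS01 parent=SysUpdate.exe image=schtasks.exe cmd=schtasks /create /tn SysUpdateTask /sc onlogon /tr C:\Users\Public\SysUpdate.exe
2024-01-01T10:00:10 host=WS01 parent=SysUpdate.exe image=reg.exe cmd=reg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
2024-01-01T10:00:11 host=WS01 parent=SysUpdate.exe image=powershell.exe cmd=powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
2024-01-01T10:01:00 host=WS01 parent=SysUpdate.exe image=systeminfo.exe cmd=systeminfo
2024-01-01T10:01:04 host=WS01 parent=SysUpdate.exe image=tasklist.exe cmd=tasklist
2024-01-01T10:01:08 host=WS01 parent=SysUpdate.exe image=whoami.exe cmd=whoami
2024-01-01T10:01:12 host=WS01 parent=SysUpdate.exe image=net.exe cmd=net user
2024-01-01T10:01:16 host=WS01 parent=SysUpdate.exe image=netstat.exe cmd=netstat -ano
2024-01-01T10:02:00 host=WS02 parent=explorer.exe image=notepad.exe cmd=notepad.exe C:\Users\alice\notes.txt
2024-01-01T10:02:30 host=WS02 parent=cmd.exe image=vssadmin.exe cmd=vssadmin list shadows
2024-01-01T10:02:40 host=WS02 parent=cmd.exe image=whoami.exe cmd=whoami
"""


def parse_event(line):
    """Parse one constructed event line into a dict with a datetime timestamp."""
    ts, rest = line.split(" ", 1)
    kv, cmd = rest.split(" cmd=", 1)
    ev = dict(pair.split("=", 1) for pair in kv.split())
    ev["ts"] = datetime.fromisoformat(ts)
    ev["cmd"] = cmd
    ev["image"] = ev["image"].lower()
    ev["parent"] = ev["parent"].lower()
    return ev


def _cmd(ev):
    return ev["cmd"].lower()


# Per-event rules: (rule name, predicate over a parsed event).
RULES = [
    ("shadow_copy_deletion", lambda e: e["image"] == "vssadmin.exe"
        and "delete" in _cmd(e) and "shadows" in _cmd(e)),
    ("security_service_stop", lambda e: e["image"] in {"net.exe", "net1.exe", "sc.exe"}
        and "stop" in _cmd(e) and any(s in _cmd(e) for s in SECURITY_SERVICES)),
    # fodhelper.exe auto-elevates and should not normally spawn children.
    ("fodhelper_child_process", lambda e: e["parent"] == "fodhelper.exe"),
    ("suspicious_scheduled_task", lambda e: e["image"] == "schtasks.exe"
        and "/create" in _cmd(e) and any(t in _cmd(e) for t in TASK_NAMES)),
    ("safeboot_key_removal", lambda e: e["image"] == "reg.exe"
        and "delete" in _cmd(e) and "safeboot" in _cmd(e)),
    ("defender_disable_powershell", lambda e: e["image"] == "powershell.exe"
        and "disablerealtimemonitoring" in _cmd(e)),
]


def is_discovery(ev):
    """net.exe counts as discovery only for 'net user'; 'net stop' is handled above."""
    if ev["image"] == "net.exe":
        return " user" in _cmd(ev)
    return ev["image"] in DISCOVERY_IMAGES


def evaluate(log_text, window=timedelta(seconds=60), min_discovery=4):
    """Run the per-event rules and the stateful discovery-burst rule; return findings."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for ev in events:
        for name, pred in RULES:
            if pred(ev):
                findings.append({"ts": ev["ts"], "host": ev["host"], "rule": name})

    # Discovery burst: >= min_discovery distinct profiling tools from one parent within `window`.
    groups = defaultdict(list)
    for ev in events:
        if is_discovery(ev):
            groups[(ev["host"], ev["parent"])].append(ev)
    for (host, parent), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            seen = {e["image"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(seen) >= min_discovery:
                findings.append({"ts": first["ts"], "host": host, "rule": "discovery_burst"})
                break  # one finding per (host, parent) is enough
    return findings


def hosts_by_rule_count(findings):
    """Map host -> number of distinct rules hit; several categories on one host is the signal."""
    rules = defaultdict(set)
    for f in findings:
        rules[f["host"]].add(f["rule"])
    return {h: len(r) for h, r in rules.items()}


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f["ts"].isoformat(), f["host"], f["rule"])
    print(hosts_by_rule_count(found))
```

Any single rule here has benign matches (an administrator really does run `vssadmin delete shadows`, and `whoami` is not malicious), which is why `hosts_by_rule_count` is the output worth alerting on: a host that trips shadow-copy deletion, a security-service stop, a UAC-bypass child, a named scheduled task and a discovery burst within a couple of minutes matches the multi-function profile of this sample far better than any one line does.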

Modern malware increasingly incorporates multi-stage, multi-function capabilities. Real-world ransomware operations now routinely exfiltrate data before encryption (double extortion). Banking trojans deploy ransomware payloads. Botnets deliver information stealers. This sample demonstrates how multiple threat vectors can be integrated into a single executable.

The referenced families span a decade of ransomware development, from Hidden Tear (2015 educational proof-of-concept) to WannaCry (2017 self-propagating worm) to REvil (2019 ransomware-as-a-service) to BlackCat/ALPHV (2021 Rust-based ransomware). Each family introduced techniques that have since become standard in the threat landscape.

The boundaries between ransomware, information stealers, botnets, and worms continue to blur as threat actors adopt multi-functional approaches.

SonicWall Protection

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Malagent.RSM (Ransomware)

This threat is also detected by SonicWall Capture ATP with RTDMI™ and the Capture Client endpoint solution.

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.