by RSS Rommel Joven  |  Sep 12, 2016  |  Filed in: Security Research

It’s been just less than a month since the Shark Ransomware was discovered, and there is already an upgrade from the same authors, along with a new Ransomware-as-a-Service (RaaS) website,a new name, and new features. While this site follows the standard RaaS business model being commonly used by other ransomware developers, it has a new twist.  Besides the usual offer to let users customize and build their own ransomware, Atom is being promoted as a “Ransomware Affiliate Program.” The twist is that it offers the soon-to-be cybercriminal customer an attractive 80 percent share of the profit for every successful payment from ransomware victims.

 The website claims the following features of the ransomware, as shown below.

Atom Builder

Atom has a new GUI interface for easier customization of the ransomware, as opposed to its Shark predecessor which needed to be built using a command line with the configuration as the argument.

Clicking on the TRY TO UPDATE button on the builder  connects to the user to its C&C server, which includes the following:

First, is the core.dat, which is a copy of the payload from the server.

Second, is the version.da,t which in our analysis contains the string 1.001.05.09.16.

 

After finishing the update and filling up the needed details, Atom is ready to build.

A new feature of the Atom ransomware is that it creates a unique tracking ID for its affiliates for every build. This is a convenient way for them to track and monitor their progress.

By using the tracking ID in the website, you can see a report for the last 7 days, including the total number of installs, payments, and bitcoin earned.

Encryption Process

Atom ransomware is written in C#. Upon decompiling atom we observed that it is highly obfuscated, making static analysis difficult. To be able to better understand the code, we used an open source C# debugger called dnSpy.

When we take a look at the encryption, we see that it starts by generating random ASCII characters 0x20h or 256 bits long.

It uses the RNGCryptoServiceProvider to generate cryptographically strong random values, making it suitable as an encryption key. This key is then sent to the C&C server after the encryption routine has run.

Once the key is ready, it enumerates files suitable for encryption based on the configuration.

The targeted files configured by the affiliate are then be encrypted with an AES-256 algorithm.

Afterwards, the encrypted files are appended with the .locked extension.

When the encryption process is completed, it executes its dropped decryptor and provides the victim with instructions for decrypting their files.  The bitcoin address shown is that of the developer, which guarantees that they get their cut first, with the promise to automatically transfer the rest to the affiliate’s bitcoin wallet.

Dropped Files and Registry Key

The following files are dropped in the directory %AppData%\Settings:

  • files.dat – contains the list of file paths of the encrypted files
  • {random}.exe – the ransomware note and decryptor
  • Qr.png – a Qr image that has information on the bitcoin address and price
  • Settings.dat – contains the victim ID, bitcoin address, and price

 

Atom also adds the following registry to run the decryptor at every start up:

key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

value: decryptor

data: %AppData%\Settings\{random}.exe

 

Network communication

Atom communicates with its C&C after its encryption process. It uses HTTPS as its protocol, which complicated static analysis. To be able to decrypt the traffic sent to the C&C, we set up a MiTM proxy to monitor and decrypt the live traffic.

The following information was included:

  • decryption_key – randomly generated for each infection
  • decryption_price – price specified by the affiliate
  • id -  unique victim’s ID
  • bitcoin_user_address – bitcoin address of the affiliate
  • tracking_id –tracking ID of the affiliate
  • hash – SHA1 of the data sent

The response from the C&C is the bitcoin address of the developer, which is revealed in the decryptor.

As of this writing, we were able to determine the following information from the C&C’s Apache server status.

  • Current Time: Tuesday, 06-Sep-2016 20:41:49 Pacific Daylight Time
  • Restart Time: Tuesday, 30-Aug-2016 16:22:35 Pacific Daylight Time
  • Server uptime: 7 days 4 hours 19 minutes 14 seconds
  • Total accesses: 3,130

This information shows that the ransomware is quite new and active.

Conclusion

Based on our findings, the developers of Atom keep their ransomware up to date so that its users can be more effective in infecting their suspected victims. Having this kind of set up, the only thing the affiliates have to do now is distribute the ransomware.

With the increasing number of developers offering Ransomware-as-a-Service(Raas), Atom offers a very competitive profit share of 80 percent to gain an advantage on their competition, and to encourage more affiliates to use their service. We predict that this so-called Malware as a Service business model will go on to cater bigger audiences and attract more aspiring cyber criminals.

Fortinet blocks Atom C&C communication via application control signature Atom.Botnet.

Variants built from the Atom builder are detected as MSIL/Atom.A!tr.

 

Thanks to Tien Phan for additional insights on the network communication and creating the application control signature.

 

-= FortiGuard Lion Team =-

 

IOCs

Sha 256:

5ab04878b630d1e0598fb6f74570f653a6bd0753dad9ef55ecf467bee7e618e1 – Builder

C&C:

ai4izgc2ehbzweniw5gb.tk/C7Rp3TEKylDK5tlhpZ1R/sWvCdaim38uwTvyCi9vl/dP05LsRABdze3h56EtSR.php

 

by RSS Rommel Joven  |  Sep 12, 2016  |  Filed in: Security Research