FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This edition of the Ransomware Roundup covers the Shinra and Limpopo ransomware.
Affected platforms: Microsoft Windows, VMWare ESXi
Impacted parties: Microsoft Windows and VMWare ESXi Users
Impact: Encrypts victims’ files and demands ransom for file decryption
Severity level: High
Shinra Ransomware Overview
The Shinra ransomware was first submitted to a publicly available file-scanning service in April 2024. The threat actor steals victims’ data before deploying and running its ransomware malware to encrypt files. The ransomware is also designed to delete Volume Shadow Copies to inhibit system recovery.
Since threat actors sometimes use the names of subcultural characters and organizations, we wondered if Shinra was borrowed from the criminal corporation in the Final Fantasy 7 game, but unfortunately, we found no such evidence.
Infection Vector
Information on the infection vector used by the Shinra ransomware threat actor is unavailable. However, it is not likely to differ significantly from other ransomware groups.
Victimology
The Shinra ransomware samples were submitted to a publicly available file scanning service from Israel, Poland, Russia, the United Kingdom, and the United States.
Attack Method
One of the Shinra ransomware samples (SHA2: 31eec61ed6866e0b4b3d6b26a3a7d65fed040df61062dd468a1f5be8cc709de7) performs the following actions:
The Shinra ransomware sample copies itself to the current user’s startup folder in the start menu as <ID>.exe, where <ID> is 32 hex characters.
It then terminates processes whose names contain any of the following strings:
|
wxServer |
wxServerView |
Sqlmangr |
RAgui |
|
supervise |
Culture |
Defwatch |
winword |
|
QBW32 |
QBDBMgr |
qbupdate |
axlbridge |
|
httpd |
fdlauncher |
MsDtSrvr |
java |
|
360se |
360doctor |
wdswfsafe |
fdhost |
|
GDscan |
ZhuDongFangYu |
QBDBMgrN |
mysqld |
|
AutodeskDesktopApp |
acwebbrowser |
Creative Cloud |
Adobe Desktop Service |
|
CoreSync |
Adobe CEF |
Helper |
node |
|
AdobeIPCBroker |
sync-taskbar |
sync-worker |
InputPersonalization |
|
AdobeCollabSync |
BrCtrlCntr |
BrCcUxSys |
SimplyConnectionManager |
|
Simply.SystemTrayIcon |
fbguard |
fbserver |
ONENOTEM |
|
wsa_service |
koaly-exp-engine-se |
It also terminates services whose names contain any of the following strings:
|
wrapper |
DefWatch |
ccEvtMgr |
ccSetMgr |
|
SavRoam |
Sqlservr |
sqlagent |
sqladhlp |
|
Culserver |
RTVscan |
sqlbrowser |
SQLADHLP |
|
QBIDPService |
Intuit.QuickBooks.FCS |
QBCFMonitorService |
msmdsrv |
|
tomcat6 |
zhudongfangyu |
vmware-usbarbitator64 |
vmware-converter |
|
dbsrv12 |
dbeng8 |
MSSQL$MICROSOFT##WID |
MSSQL$VEEAMSQL2012 |
|
SQLAgent$VEEAMSQL2012 |
SQLBrowser |
SQLWriter |
FishbowlMySQL |
|
MSSQL$MICROSOFT##WID |
MySQL57 |
MSSQL$KAV_CS_ADMIN_KIT |
MSSQLServerADHelper100 |
|
SQLAgent$KAV_CS_ADMIN_KIT |
msftesql-Exchange |
MSSQL$MICROSOFT##SSEE |
MSSQL$SBSMONITORING |
|
MS |
The Shinra ransomware replaces the desktop wallpaper by changing the following registry setting:
- HKCUControl PanelDesktopWallpaper to point to C:ProgramData<ID>.bmp
![Desktop wallpaper that reads: email us for recovery: ethan@[censored].info. In case of no answer, send to this email: ethan@[censored].info. Your unique ID: 9D2D046C9265CBFAD30FBC15C493D9B6](https://www.fortinet.com/blog/threat-research/ransomware-roundup-shinra-and-limpopo-ransomware/_jcr_content/root/responsivegrid/image.img.png/1718056223132/shinra-1.png)
Figure 1. Desktop wallpaper replaced by the Shinra ransomware
The ransomware sets the following registry keys:
- HKLMSoftwareMicrosoftWindowsCurrentVersionOEMInformation
- Manifucator
- SupportPhone
- HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
- “legalnoticecaption” = “Encrypted by Kuza”
- “legalnoticetext” = “Email us for recovery: ethan@…” message
It also uses wevtutil.exe to enumerate and clear Windows logs.
The ransomware does not encrypt files with the following extensions:
|
.exe |
.dll |
.msi |
.bmp |
|
.iso |
.shinra2 |
The ransomware does not encrypt files in directories containing the following strings:
|
$Windows.~bt |
intel |
msocache |
$recycle.bin |
|
Windows photo viewer |
Windows nt |
msbuild |
internet explorer |
|
System volume information |
Windows.old |
|
application data |
|
Windows defender |
Windows |
perflog |
Windows security |
|
Windowspowershell |
microsoft |
boot |
Windows journal |
|
microsoft shared |
common files |
appdata |
usoshared |
|
$Windows.~ws |
all users |
Windowsapp |
microsoft.net |
It avoids encrypting the following files:
|
ntldr |
ntuser.dat |
bootsect.bak |
autorun.inf |
|
thumbs.db |
iconcache.db |
Oddly enough, the Shinra ransomware also includes a different list of file extensions, but we could not find any code using this list. It’s possible that the list is for future development or leftover code that wasn’t removed. The list contains the following extensions:
|
.rar |
.zip |
.ckp |
.db3 |
.dbf |
.dbc |
|
.dbs |
.dbt |
.dbv |
.frm |
.mdf |
.mrg |
|
.mwb |
.myd |
.ndf |
.qry |
.sdb |
.sdf |
|
.sql |
.tmd |
.wdb |
.bz2 |
.tgz |
.lzo |
|
.db |
.7z |
.sqlite |
.accdb |
sqlite3 |
.sqlitedb |
|
.db-wal |
.db-shm |
.dacpac |
.1c |
.1cd |
.vmdk |
|
.vmem |
.iso |
.tar |
.fdb |
.csv |
.mdb |
|
.sl2 |
.mpd |
.rsd |
.tdb |
.tib |
The Shinra ransomware uses COM to run the following commands to delete shadow copies, making file recovery difficult:
- SELECT * FROM Win32_ShadowCopy
- C:WindowsSystem32wbemWMIC.exe shadowcopy where “ID=’%s'” delete”
It then appends “.[ethan@[removed].info].SHINRA2” to the infected files.
Figure 2. Files encrypted by the Shinra ransomware
Other Shinra ransomware variants add different file extensions, such as “.SHINRA3,” “.SHINRA7,” and “.SHINRA9” instead of “.SHINRA2.”
Also, some of the samples change the file icon of the encrypted files, as seen in this screenshot:
Figure 3. Files encrypted by a Shinra ransomware variant
The ransomware executes the following command to change the “boot status policy” settings so that Windows starts normally regardless of any boot errors:
- “bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”
It also executes the following command, which disables the recovery and repair functions of Windows:
- “bcdedit.exe /set {default} recoveryenabled no”.
The ransomware then restarts itself using “runas admin” to ensure that it is running with administrator privileges.
The malware also checks to make sure it’s running inside a targeted operating system by:
- Using the “VerifyVersionInfo” API to ensure the Windows version is at least 6.0 (Windows Vista/Server 2008)
- By checking whether rstrtmgr.dll (Windows Reset Manager) can be loaded
The ransomware silently empties the Recycle Bin without user confirmation, progress bar, or sound.
Finally, it drops a ransom note, which demands victims to contact the attacker via email:
Figure 4. Shinra ransomware’s ransom note
Limpopo Ransomware Overview
In March of this year, FortiGuard Labs received an inquiry from an Asian law enforcement agency about ransomware named “Socotra” due to its impact in that region. While no sample of the Socorta ransomware has surfaced to date, we were able to trace it back to another ransomware, Limpopo, which was submitted to a publicly available file scanning service in February 2024 that targets ESXi environments.
Infection Vector
Information on the infection vector used by the Limpopo ransomware threat actor is unavailable. Given that BushidoToken’s tweet reported that this malware is affecting Latin America and Thailand, in addition to the previous inquiry about Socorta ransomware from Asia, it is not hard to imagine that they are spreading the ransomware widely in some way, such as through Trojanized software or by exploiting vulnerabilities.
Victimology
Based on the locations from which ransom notes likely used by the Limpopo ransomware family were submitted to the publicly available scanning service, the countries of Chile, Guatemala, Honduras, India, Italy, Mexico, Peru, Spain, Thailand, the United States, and Vietnam were potentially affected.
Attack Method
The Limpopo ransomware is not complex.
Once executed, the Limpopo ransomware encrypts files with the following extensions:
|
.log |
.vmdk |
.vmsd |
.vmem |
.vswp |
|
.vmx2 |
.vmxf |
.vmss |
.vmtx |
.vmtm |
|
.nvram |
.vsb |
.vbm |
.vlb |
.vrb |
|
.hlog |
.rar |
.vsm |
.vsm |
.vbk |
|
.zip |
.iso |
.tgz |
.bco |
.dump |
|
.gzip |
.bck |
.bkp |
.tmp |
.vmx |
|
.ova |
.ovf |
.tar |
.vmd |
.vmsn |
Once files have been encrypted, a “.LIMPOPO” extension is added to the filename. Files with this extension are skipped and effectively whitelisted.
It then drops the following ransom note:
Hi. We have your data. If you don’t cooperate it will be made public. Go to hxxps://getsession[.]org/
Download
install
then add [removed] mention this code LIMPOPO in your message
get in touch with us
No other samples of the Limpopo ransomware were found, but we found similar ransom notes that may have been used by ransomware variants. For example, the Socorta ransomware, a potential Limpopo variant, drops the following ransom note:
Go to hxxps://getsession[.]org/
Download
install
then add [Removed] to your contacts and send a message with this codename — SOCOTRA
Although no actual malware samples are available, other possible Limpopo ransomware variants include Akgum, Aktakyr, Bulanyk, Formosa, Hatartam, Monjukly, Sakgar, Sazanda, and Windows ransomware.
While unverified, the tweet below claims that the Socotra ransomware exploits CVE-2024-22252 and CVE-2024-22253 (CVE-20204-22252 and CVE-20204-22253 may be a typo) that affect VMware ESXi, Workstation, and Fusion, which were patched in March 2024.
English translation:
In the case of cve 20204-22252, cve-20204-22253, be sure to patch it because it will destroy your Eid holiday.
Fortinet Protections
The Shinra and Limpopo ransomware described in this report are detected and blocked by FortiGuard Antivirus as:
- W32/Filecoder.OOY!tr.ransom
- W32/Filecoder.KFZGSOM!tr.ransom
- W64/Filecoder.MK!tr.ransom
- Linux/Filecoder_Babyk.R!tr
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of those solutions. As a result, customers with up-to-date versions of these products installed are protected.
IOCs
Shinra Ransomware File IOCs
|
SHA2 |
Note |
|
31eec61ed6866e0b4b3d6b26a3a7d65fed040df61062dd468a1f5be8cc709de7 |
Shinra ransomware |
|
d60d4624425b2f58dd9e37c40046f776e0d78cb031488a12c435239dd0da40ef |
|
|
941a95c85a4b37bff4571d49eb918a5094a032ac1416bded3a3cd3427ecf984c |
|
|
399d586f033ec625a1f7524c86a1483808ff07e920f93e82e70cc5138feee72e |
Limpopo Ransomware File IOCs
|
SHA2 |
Note |
|
031971b9ccb57c1a7cf25bbd58533a6b1b1e760b2f080cb2be5e2522c0d90053 |
Limpopo ransomware |
|
58ba94be5c2c7d740b6192fea1cc829756da955bb0f2fcf478ab8355bf33a31a |
FortiGuard Labs Guidance
Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.
Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
Our FREE Fortinet Certified Fundamentals (FCF) in Cybersecurity training. The training is designed to help end users learn about today’s threat landscape and will introduce basic cybersecurity concepts and technology.
Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.
As part of the industry’s leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.
FortiRecon is a SaaS-based Digital Risk Prevention Service backed by cybersecurity experts that provides unrivaled threat intelligence on the latest threat actor activity across the dark web, providing a rich understanding of threat actors’ motivations and TTPs. The service can detect evidence of attacks in progress allowing customers to rapidly respond to and shut down active threats.
Best Practices Include Not Paying a Ransom
Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).
How Fortinet Can Help
FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).
Additionally, FortiRecon Digital Risk Protection (DRP) is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation.
Source: Original Post