On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This latest edition of the Ransomware Roundup covers the Sirattacker and ALC ransomware.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High
Sirattacker Ransomware
Overview
Sirattacker is one of the latest Chaos ransomware variants. It was first released in the middle of February 2023. Several versions of Chaos ransomware builders are available in Dark Web underground networks, which allow anyone to generate Chaos ransomware with custom configurations.
FortiGuard Labs previously published the following blogs on Chaos ransomware:
Sirattacker Ransomware Infection Vector
Sirattacker ransomware is likely distributed as an Ethereum mining app because all samples include an Ethereum file icon, and some are even named “ETH [3-digit number].exe”.
Figure 1. Sirattacker file icon
Another Chaos ransomware variant called “Bruh,” also masquerading as a cryptocurrency generator, was reported in the previous week. While there is no apparent connection between Sirattacker and Bruh ransomware, it’s a curious coincidence.
Sirattacker Ransomware Execution
Once the Sirattacker ransomware is executed, it encrypts files on the victim’s machine and adds random four-letter file extensions to their filenames. Older Chaos ransomware variants are known to overwrite files larger than 2,117,152 bytes with random bytes, which makes file recovery impossible (unless the affected files are properly backed up). In some cases, attackers demand a ransom payment, knowing that most files are unrecoverable. Luckily, Sirattacker ransomware samples appear to be generated using a newer Chaos ransomware generator, as larger files are encrypted instead of overwritten.
Figure 2. Files encrypted by Sirattacker ransomware
Once files are encrypted, Sirattacker displays a ransom note on the Command Prompt.
Figure 3. Ransom message displayed by Sirattacker ransomware
The ransomware then replaces the desktop wallpaper with its own. The new wallpaper contains an almost identical message to the ransom note and asks victims to contact the attacker by email.
Figure 4. Screenshot of the desktop wallpaper replaced by Sirattacker ransomware
At the time of writing, the Bitcoin wallet used by the Sirattacker ransomware actor holds no funds. Its latest transaction, recorded on February 24, 2023, shows the attacker sending a small amount of Bitcoin (0.00150106) to another wallet, and that receiving wallet, as of this writing, holds a whopping 538.57136296 Bitcoin, worth more than $12 million.
Figure 5. Bitcoin wallet used by the Sirattacker ransomware threat actor
Figure 6. Transactions recorded in the attacker’s Bitcoin wallet
Over the last few months, the attacker appears to have systematically transferred Bitcoin in and out of the wallet. For example, on February 24, 2023, $35.13 worth of Bitcoin was deposited into the attacker’s wallet and transferred to another wallet the same day. Note that the screenshots were edited to highlight the attacker’s transactions.
Figure 7. Incoming transaction recorded on February 24, 2023
Figure 8. Outgoing transaction recorded on February 24, 2023
While there is no evidence that those transactions are associated with the Sirattacker ransomware, they potentially indicate that the Sirattacker ransomware threat actor has been actively involved in other illicit activities over the past few months.
ALC Ransomware
Overview
ALC is a recently reported ransomware. It is known for a message aimed at “Russia and its counterpart” in its ransom note. FortiGuard Labs analyzed the ransomware and found it is much more than meets the eye.
ALC Ransomware Infection Vector
Information on the infection vector used by this group is not currently available. However, it is not likely to differ significantly from other ransomware groups.
ALC Ransomware Execution
Once ALC ransomware runs, it creates several files on the victim machine’s Desktop. Note that some ALC ransomware samples do not create the AlcDif.exe file shown in the image below.
Figure 9. Screenshot of Desktop with files created by ALC ransomware
RUS!.txt is a ransom note containing a message with incorrect word choices, indicating that the authors are not native English speakers. For example, “Decrypted” is likely meant to be “Encrypted,” and Russsia is a misspelling of “Russia.” Per the ransom note, ALC ransomware targets “Russia and its counterparts,” which may imply China, Iran, Belarus, and others.
The ransom note asks the victim to contact the attacker on Telegram, an encrypted instant messaging app popular with cybercriminals. However, no contact information or ransom price is provided in the note.
Figure 10. ALC ransomware’s ransom note
Some ALC ransomware samples create an executable file named AlcDif.exe, which is used to display a more sophisticated ransom note. Once the ransomware executes the file, it runs in full screen, probably to scare victims by imitating a lock screen. If the victim uses multiple monitors, the program only occupies the primary monitor. The program also “toggles” Task Manager: Task Manager is disabled the first time the program runs, and running it again re-enables it.
This is the ransom note displayed by AlcDif.exe:
Figure 11. Screenshot of ALC ransomware’s lock screen
Unlike the ransom note in the text file, this ransom screen provides a contact address, the attacker’s crypto wallet information, a ransom price, and a unique ID assigned to the victim. However, the ransom screen lacks coherence as the provided crypto wallet does not exist, and the QR code does not work. Also, the ransom screen lists a cryptocurrency ransom of 554 Monero (over $80,000 using the exchange rate on February 27th, 2023) even though a $2,000 price tag is listed under the QR code.
Figure 12. QR code scan
Most importantly, ALC ransomware does not encrypt any files, which makes it more of a scareware. However, the ransomware does set up cryptography (it generates a random value, hashes it, creates a Go cipher object for AES, encrypts the AES key using the hard-coded RSA public key, and writes the encrypted key to an ALCKEY file), enumerates files on the compromised machine, and saves a list of those files in a separate text file for each drive found (e.g., “C.txt” contains the list of files found on the C drive). That evidence leads us to two possible conclusions: either the attacker is trying to cheat money out of victims knowing full well the program does not encrypt files, or the program is still in beta.
Figure 13. Screenshot of ALCKEY containing encrypted AES key
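An offline triage helper, added here as an illustration and not FortiGuard code, that checks a snapshot of file paths and contents for the two behaviours described in the Sirattacker and ALC execution sections above: Chaos/Sirattacker-style renames with a random four-letter extension and high-entropy content, and ALC’s Desktop artifacts plus per-drive listings whose enumerated files are still intact. The snapshot and file contents are constructed, and the assumption that listing files hold one path per line is mine, not from the page.

```python
import math
import ntpath
import random
import re
from collections import Counter

# Chaos/Sirattacker rename: original extension kept, random four-letter extension appended.
CHAOS_RENAME = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.([a-z]{4})$")
COMMON_4LETTER = {"docx", "xlsx", "pptx", "html", "json", "jpeg", "yaml"}
# Artifacts ALC drops on the Desktop; per-drive listings are named "<Letter>.txt".
ALC_DESKTOP = {"RUS!.txt", "AlcDif.exe", "ALCKEY"}
DRIVE_LISTING = re.compile(r"^[A-Z]\.txt$")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or random data approaches 8.0, plain text sits around 4-5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage(snapshot: dict) -> dict:
    """snapshot maps a Windows path to its content; returns the three finding lists."""
    out = {"chaos_encrypted": [], "alc_artifacts": [], "alc_listed_intact": []}
    for path, data in snapshot.items():
        name = ntpath.basename(path)
        m = CHAOS_RENAME.match(name)
        # High entropy cannot tell "encrypted" from "overwritten with random bytes"
        # (older Chaos builds); either way the content is no longer the original file.
        if m and m.group(1) not in COMMON_4LETTER and shannon_entropy(data) > 7.0:
            out["chaos_encrypted"].append(path)
        if name in ALC_DESKTOP or DRIVE_LISTING.match(name):
            out["alc_artifacts"].append(path)
        if DRIVE_LISTING.match(name):
            # ALC only enumerates: files it listed should still be readable, low-entropy originals.
            for listed in data.decode(errors="ignore").splitlines():
                content = snapshot.get(listed.strip())
                if content is not None and shannon_entropy(content) < 6.0:
                    out["alc_listed_intact"].append(listed.strip())
    return out

# Constructed sample snapshot (not real IOCs): one Chaos-style victim file and ALC's artifacts.
_rng = random.Random(7)
SAMPLE = {
    r"C:\Users\victim\Documents\budget.xlsx.kqzt": _rng.randbytes(4096),
    r"C:\Users\victim\Documents\notes.txt": b"meeting notes, action items, owners\n" * 50,
    r"C:\Users\victim\Desktop\RUS!.txt": b"Your files were Decrypted ...",
    r"C:\Users\victim\Desktop\ALCKEY": _rng.randbytes(256),
    r"C:\Users\victim\Desktop\C.txt": b"C:\\Users\\victim\\Documents\\notes.txt\r\n",
}
```

Running `triage(SAMPLE)` flags the renamed spreadsheet as encrypted, lists the three ALC artifacts, and reports notes.txt as enumerated by ALC but untouched.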
Fortinet Protections
Fortinet customers are already protected from these malware variants through FortiGuard’s Web Filtering, AntiVirus, and FortiEDR services, as follows:
FortiGuard Labs detects known Sirattacker ransomware variants with the following AV signatures:
- MSIL/ClipBanker.SX!tr
FortiGuard Labs detects known ALC ransomware variants with the following AV signatures:
- W32/Filecoder.CD!tr
- W32/Malicious_Behavior.SBX
- W32/PossibleThreat
IOCs
File-based IOCs:
FortiGuard Labs Guidance
Due to the ease of disruption, damage to daily operations, potential impact to an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.
Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.
Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.
As part of the industry’s leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.
Best Practices include Not Paying a Ransom
Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).
How Fortinet Can Help
If you think this or any other cybersecurity threat has impacted you, please contact our Global FortiGuard Incident Response Team.
FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).
Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-sirattacker-acl