Surtr Ransomware Being Distributed in Korea – ASEC BLOG

Through internal monitoring, the ASEC analysis team has recently discovered that Surtr ransomware is being distributed. This ransomware encrypts files, then adds a “[DycripterSupp@mailfence.com].[<random string>].Surtr” file extension to the original file extension name.

When Surtr ransomware infects a system, it changes the desktop image of the infected PC and creates a ransom note (See Figures 1 and 2) to inform the user of the ransomware infection. Surtr also creates ransom note files (SURTR_README.hta and SURTR_README.txt) in folders containing the infected files.

Figure 1. The changed desktop after being infected with Surtr
Figure 2. Ransom note of Surtr (SURTR_README.hta)
Figure 3. Ransom note of Surtr (SURTR_README.txt)

Before the actual file encryption, Surtr carries out various tasks such as checking the list of processes along with the IP address of the country where the file is executed, and terminating services.

First, the ransomware performs a query through the “ip-api.com” socket (IP lookup service) and looks up the country in which the file is being executed. If the file is executed in a certain country, it halts the execution after displaying a message box as shown in the figure below.

Figure 4. Checking the country in which the ransomware file is executed

After performing the check routine for the debugging status and sandbox of the target process, Surtr deletes the files in the Recycle Bin and creates the following directory which is used to save the files and the copy of the ransomware file that are created when the ransomware is executed.

  • C:ProgramDataService
  • %TEMP%Service

It also includes a logic that checks for the running services and processes in the target system to see if any of them correspond to the strings defined within the file (See Figures 5 and 6).

Figure 5. A part of the strings showing the list of services to be terminated
Figure 6. A part of the strings showing the list of processes to be detected

This is followed up by the execution of the following commands to re-adjust the size of the volume shadow copies and delete them for all defined drives, as well as disable the recovery environment, making it difficult for users to recover their original files after the infection.

vssadmin resize shadowstorage /for= /on= /maxsize=401MB
vssadmin resize shadowstorage /on= /maxsize=unbounded
vssadmin.exe Delete Shadows /all /quiet
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
fsutil.exe usn deletejournal /D C:
wbadmin.exe delete catalog -quiet
schtasks.exe /Change /TN “MicrosoftWindowsSystemRestoreSR” /disable
reg add HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
reg add HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesNonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsWinRE /v DisableSetup /t REG_DWORD /d 1 /f
reg add “HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindows NTSystemRestore” /v DisableConfig /t REG_DWORD /d 1 /f
reg add “HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindows NTSystemRestore” /v DisableSR /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsBackupClient /v DisableBackupToDisk /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsBackupClient /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsBackupClient /v DisableBackupToOptical /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsBackupClient /v DisableBackupLauncher /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsBackupClient /v DisableRestoreUI /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsBackupClient /v DisableBackupUI /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsBackupClient /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsBackupServer /v OnlySystemBackup /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsBackupServer /v NoBackupToDisk /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsBackupServer /v NoBackupToNetwork /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsBackupServer /v NoBackupToOptical /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsBackupServer /v NoRunNowBackup /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlWMIAutologgerEventLog-System{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f

Furthermore, the ransomware encrypts files in all drives aside from those with the file extensions “surt,” “dll,” “exe,” and “lnk” (See Figure 7), and files under a certain path are exempt from encryption (See Figure 8).

Figure 7. File extensions exempt from encryption
Figure 8. A part of the folders exempt from encryption

After encrypting the files, Surtr performs additional behaviors such as creating ransom notes and deleting event logs, as shown in Figure 9.

Figure 9. Performing additional behaviors after file encryption

AhnLab’s anti-malware software, V3, detects and responds to Surtr ransomware with a variety of detection points, including file detection and behavior-based detection. To prevent ransomware infection, users must be cautious of running files from unknown sources and make sure to scan suspicious files with an anti-malware program while also keeping the program updated to the latest version. AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:

[File Detection]

  • Ransomware/Win.Generic.C5285743 (2022.10.25.02)

[Behavior Detection]

  • Ransom/MDP.Nemty.M2599

[IOC Info]

  • ad539ebdf9e34e02be487134cf9a6713
  • e31b96b8a74075935360b5e5a18926e9
  • 674e7ee905d24a89af47b53b53ffc23c

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/41092/

No tags for this post.