In early March 2018, a new variant of ransomware called 'Arrow' was detected in the wild. Arrow is linked to the Dharma and CrySis family and aims to encrypt files on the infected system, meaning that the data on a victim's computer is locked and unusable. Payment is demanded (in Bitcoin, to protect the cybercriminal's identity) before the ransomed data is decrypted and access is returned to the victim. The name originates from the .arrow file extension that is added to the resulting encrypted files.
As with most ransomware, the initial infection is usually a stealthy operation, and the first warning is when the user is presented with a ransom demand page or image. This was consistent with Arrow's behaviour. Although there is limited information currently available on this new strain, everything we have come across suggests that the primary infection method is phishing email campaigns carrying malicious file attachments, with alternative theories pointing to fake ads and phishing websites. None of these fit the infection we encountered, however. Our investigation focused on a Windows-based server running a specific role, with no mail clients or services installed. Initial thoughts led us to believe that an admin may have used a web-based email client, but there was no evidence to support this theory.
With the help of Shodan we identified three protocols accessible from the Internet to the compromised host: HTTP (TCP 80), Remote Desktop Protocol (TCP 3389) and Windows Remote Management (TCP 5985). Analysis of the use of these protocols confirmed that active connections had been established regularly over Remote Desktop Protocol (RDP) leading up to and during the infection. Reviewing the infection vectors of the previous variants of this ransomware, we found that CrySis had also used RDP to take control of and infect victims' PCs.
In addition to the protocol discovery, Shodan also provided the attacker with the user IDs of a small number of administrator accounts that were still actively logged in to the server. This meant the attacker could move straight to password brute forcing without further user enumeration. It is unclear at this stage, but we believe that the attacker used a tool such as NLBrute to brute force the RDP credentials and gain access to the server.
Once one of the accounts was compromised, the attacker gained administrative access to the server and proceeded to install two pieces of software:
Process Hacker 2
IObit Unlocker
Tools such as these are commonplace with attackers: they kill processes and unlock files that are in use, so that the ransomware's encryption run completes without interference. The dropped malware came in the form of two main files, the payload and the ransom notice.
As each file is encrypted, the filename is appended with the victim ID and the attacker's email address (the same address given in the ransom demand) before finishing with .arrow, e.g. 'example-file.pdf.id-[victimID].[e-mail].arrow'. Each folder that contains encrypted files also includes a single text file named 'FILES ENCRYPTED'. This file contains a warning note that all files have been locked.
In addition to the above, Arrow also silently deletes all Volume Shadow Copies on the host (and with them any file backups held in them), removing the local restore points a victim could otherwise use to recover files without paying. The following command was used:
vssadmin delete shadows /all /quiet
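Both the RDP brute force described earlier and the shadow-copy deletion just shown leave traces in the Windows Security log, which is where a responder would look first on a host like this one. The following is an added example written for this page (not Ironshare's tooling and not the malware's code). It assumes events exported as XML (for example with `wevtutil qe Security /f:xml`, or `Get-WinEvent` followed by `.ToXml()` on each record), that logon auditing (4624/4625) is enabled, and that process-creation auditing (4688) with command-line logging is on. The timeline it runs over is constructed sample data; the attacker address in it is one of the IOC IPs listed later in this post, written without the defanging brackets, and the internal host 10.0.0.5 and user jsmith are invented.

```python
"""Hunt exported Windows Security events for an RDP password-guessing run,
the RDP logon that followed it, and the shadow-copy deletion Arrow runs
before encrypting. Added example for this page, not Ironshare's code."""
from collections import defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text):
    """EventID, timestamp and the named EventData fields of one exported event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    when = system.find("e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "id": int(system.find("e:EventID", NS).text),
        "time": datetime.strptime(when[:19], "%Y-%m-%dT%H:%M:%S"),
        "data": data,
    }


def _peak_in_window(times, window):
    """Most timestamps that fall inside any single span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_rdp_brute_force(events, threshold=20, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold 4625 failures inside `window`, then report
    4624 logons of type 10 (RemoteInteractive, i.e. RDP) from a flagged IP: the
    guess that worked. Failures are counted regardless of logon type because with
    Network Level Authentication an RDP failure is recorded as type 3, not 10."""
    failures, users = defaultdict(list), defaultdict(set)
    for ev in events:
        ip = ev["data"].get("IpAddress", "-")
        if ev["id"] == 4625 and ip not in ("-", ""):
            failures[ip].append(ev["time"])
            users[ip].add(ev["data"].get("TargetUserName", ""))
    guessing = {}
    for ip, times in failures.items():
        peak = _peak_in_window(times, window)
        if peak >= threshold:
            guessing[ip] = {"failures": len(times), "peak": peak, "users": sorted(users[ip])}
    compromised = [
        {"ip": ev["data"]["IpAddress"], "user": ev["data"].get("TargetUserName"), "time": ev["time"]}
        for ev in events
        if ev["id"] == 4624 and ev["data"].get("LogonType") == "10"
        and ev["data"].get("IpAddress") in guessing
    ]
    return {"guessing": guessing, "compromised": compromised}


def find_shadow_deletion(events):
    """4688 process-creation events whose command line wipes shadow copies."""
    hits = []
    for ev in events:
        cmd = ev["data"].get("CommandLine", "").lower()
        if ev["id"] == 4688 and all(w in cmd for w in ("vssadmin", "delete", "shadows")):
            hits.append({"time": ev["time"], "user": ev["data"].get("SubjectUserName"), "cmd": cmd})
    return hits


def _event(event_id, when, **fields):
    """Constructed event in the real Security-log XML schema (sample, not a capture)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when:%Y-%m-%dT%H:%M:%S}.000000000Z"/></System>'
            f'<EventData>{data}</EventData></Event>')


def sample_events():
    """Constructed timeline: 25 guesses from one of the post's IOC IPs, two typos
    from an internal user, the guess that worked, then the shadow-copy wipe."""
    t0, attacker, staff = datetime(2018, 3, 5, 2, 14, 0), "76.8.251.170", "10.0.0.5"
    xml = [_event(4625, t0 + timedelta(seconds=10 * i), TargetUserName=("Administrator", "admin")[i % 2],
                  LogonType=("10", "3")[i % 2], IpAddress=attacker) for i in range(25)]
    xml += [_event(4625, t0 + timedelta(minutes=1, seconds=i), TargetUserName="jsmith",
                   LogonType="10", IpAddress=staff) for i in range(2)]
    xml.append(_event(4624, t0 + timedelta(minutes=2), TargetUserName="jsmith", LogonType="10", IpAddress=staff))
    xml.append(_event(4624, t0 + timedelta(minutes=5), TargetUserName="Administrator", LogonType="10", IpAddress=attacker))
    xml.append(_event(4688, t0 + timedelta(minutes=9), SubjectUserName="Administrator",
                      NewProcessName="C:\\Windows\\System32\\vssadmin.exe",
                      CommandLine="vssadmin delete shadows /all /quiet"))
    return xml


def demo():
    """Parse the constructed timeline and run both hunts over it."""
    events = [parse_event(x) for x in sample_events()]
    report = find_rdp_brute_force(events)
    report["shadow_deletion"] = find_shadow_deletion(events)
    return report
```

The threshold and window are deliberately conservative defaults; on a server that is exposed to the Internet the 4625 volume from a single address during a brute force is usually far higher, while a staff member mistyping a password a couple of times (the 10.0.0.5 events in the sample) stays well below it. The 4688 check only works if command-line logging is enabled in the audit policy; without it the event carries the process name but not the `/all /quiet` arguments.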
As displayed, Bitcoin is the method of payment for gaining access to the decryption keys, although no Bitcoin wallet information is included in the demand. No fixed price is included either; the demand states that the price will depend on how quickly you contact the attacker. Multiple email addresses for the attacker were included in the demand notice we observed:
rigopril123[@]cock.li
rigopril123[@]tutanota.com
Multiple registry entries were added or modified during the installation of the software components and the Arrow ransomware.
Process Hacker 2:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Process_Hacker2_is1
IObit Unlocker:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IObit Unlocker_is1
To ensure the ransomware keeps running across reboots, an entry is added under the following Run key:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
At the time of writing there was little in the way of information or valid samples available in the community. As part of our investigation we extracted samples of both files mentioned above and submitted them to Cisco AMP / Threat Grid for file analysis. The image below shows an extract from the report for 1.exe.
We recommend:
Customers running Next-Gen endpoint protection such as Cisco Advanced Malware Protection will be able to detect and block this threat.
Arrow ransomware is an extremely dangerous, high-risk threat to both personal and corporate devices. Standard detection methods such as host-based anti-virus and network intrusion prevention were not capable of detecting this threat. Contrary to information on some sites, current removal tools are not effective against this variant. Decryption keys and tools are also not currently available (short of paying the ransom). If you become a victim of ransomware, Ironshare does not recommend paying the ransom, as attackers are under no obligation to respond or to provide the decryption keys needed to recover your files.
Indicators of Compromise (IOCs) are used to assess whether a system has been infected with malware. An indicator can be anything from a file hash or IP address to a particular behaviour. IOCs help us understand the threat so that we can better protect our systems.
During our investigation there were no URLs or domains observed in association with this threat.
Filename: 1.exe
SHA256: 5cac87ce35db568b9649dd7f463a564b5640688b29b933845a17b2d3150e68b40
Filename: info.hta
SHA256: 8841af89afd57dba4d563032e0570416848045e8b358a34ae43647b7fd2185a4
We witnessed RDP requests and connections from the following public IP addresses:
76[.]8.251.170
69[.]70.58.150
50[.]203.188.118
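The indicators above, together with the encrypted-file naming and the 'FILES ENCRYPTED' note described in the encryption section, can be turned into a single pass over a suspect host. The following is an added example written for this page (not Ironshare's tooling and not the malware's code). The naming regex is an assumption built from the 'example-file.pdf.id-[victimID].[e-mail].arrow' pattern quoted earlier and should be adjusted if a sample shows a different layout; the directory it scans is constructed, and SAMPLE_DROPPER is a harmless stand-in whose hash is added to the IOC set so the hash check has something to hit without shipping real malware. It also validates the hash list itself before use, because a mistyped digest never matches anything and fails silently.

```python
"""Sweep a file tree for the Arrow artefacts listed in the post: the
encrypted-file name pattern, the FILES ENCRYPTED note and the dropped-file
SHA-256s. Added example for this page, not Ironshare's tooling."""
import hashlib
import os
import re
import tempfile

# Hashes copied exactly as printed in the IOC list above. Run find_malformed()
# on any IOC list before trusting it: a hash with a typo silently never matches.
ARROW_SHA256 = {
    "1.exe": "5cac87ce35db568b9649dd7f463a564b5640688b29b933845a17b2d3150e68b40",
    "info.hta": "8841af89afd57dba4d563032e0570416848045e8b358a34ae43647b7fd2185a4",
}
HEX64 = re.compile(r"^[0-9a-f]{64}$")

# Assumed shape of an encrypted name, derived from the post's
# 'example-file.pdf.id-[victimID].[e-mail].arrow': the victim id may or may
# not be bracketed, the email always is. Adjust if a sample shows otherwise.
ARROW_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id-\[?(?P<victim_id>[A-Za-z0-9]+)\]?\.\[(?P<email>[^\]\\/]+)\]\.arrow$",
    re.IGNORECASE,
)
RANSOM_NOTE_PREFIX = "files encrypted"


def find_malformed(hashes):
    """Labels whose value is not 64 hex characters, i.e. cannot be a SHA-256."""
    return [label for label, value in hashes.items() if not HEX64.match(value.lower())]


def parse_arrow_name(filename):
    """Original name, victim id and attacker email if `filename` looks Arrow-encrypted."""
    m = ARROW_NAME_RE.match(filename)
    return m.groupdict() if m else None


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large encrypted files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, ioc_hashes):
    """Walk `root` once and report encrypted files, ransom notes and files whose
    SHA-256 is in `ioc_hashes` (a set of lowercase hex digests)."""
    report = {"encrypted": [], "notes": [], "hash_hits": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            parsed = parse_arrow_name(name)
            if parsed:
                report["encrypted"].append(dict(parsed, path=path))
            if name.lower().startswith(RANSOM_NOTE_PREFIX):
                report["notes"].append(path)
            digest = sha256_file(path)
            if digest in ioc_hashes:
                report["hash_hits"].append({"path": path, "sha256": digest})
    return report


# Constructed stand-in for the dropper; demo() adds its hash to the IOC set so
# the hash check is exercised without shipping the real sample.
SAMPLE_DROPPER = b"constructed stand-in for 1.exe, not the real sample\n"


def build_sample_tree():
    """Constructed victim directory: one encrypted file, one note, the stand-in
    dropper and one untouched document."""
    root = tempfile.mkdtemp(prefix="arrow-demo-")
    files = {
        "example-file.pdf.id-AB12CD34.[rigopril123@cock.li].arrow": b"\x00ciphertext\x00",
        "FILES ENCRYPTED.txt": b"all your data has been locked\n",
        "1.exe": SAMPLE_DROPPER,
        "report.docx": b"ordinary document\n",
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return root


def demo():
    """Scan the constructed tree against the post's hashes plus the stand-in's."""
    iocs = {v.lower() for v in ARROW_SHA256.values()} | {sha256_bytes(SAMPLE_DROPPER)}
    return scan_tree(build_sample_tree(), iocs)
```

Run `find_malformed(ARROW_SHA256)` first: any label it returns is a hash that can never match and needs to be re-checked against the source before the list is loaded into a scanner. The victim id and email pulled from each encrypted name are worth keeping, since the email is the only contact channel the attacker gives and ties encrypted files on different hosts to the same campaign.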
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.