Introduction to Arrow
In early March 2018, a new variant of Ransomware was detected in the wild, called ‘Arrow’. Arrow is linked with the Dharma and CrySis family of viruses and aims to encrypt files on the infected system, meaning that the data on a victim’s computer is locked and unusable.
Payment is demanded (via Bitcoin to protect the cybercriminal’s identity) before the ransomed data is decrypted and access returned to the victim.
The name originates from the .arrow file extension that is added to the resulting encrypted files.
As with most Ransomware, the initial infection is usually a stealthy operation, and the first warning is when the user is presented with a ransom demand page or image. This was consistent with Arrow’s behaviour.
Although there is limited information currently available related to this new strain, all information that we have come across suggests that the primary infection method is via phishing email campaigns containing malicious file attachments, with alternate theories stating fake ads and phishing websites.
Unfortunately, these methods did not seem feasible with the infection we encountered. Our investigation focused on a Windows based server running a specific role, with no mail clients or services. Initial thoughts led us to believe that an admin may have used a web based email client but there was no evidence to support this theory.
With the help of Shodan we identified three protocols that were accessible from the Internet to the compromised host; HTTP (TCP 80), Remote Desktop Protocol (TCP 3389), and Windows Remote Management (TCP 5985). Analysis into the use of these protocols confirmed that active connections had been regularly established over Remote Desktop Protocol (RDP) leading up to and during the infection. By reviewing the infection vectors of the previous variants of this ransomware we found that CrySis had also used RDP to take control and infect victim’s PC’s.
In addition to the protocol discovery, Shodan also provided the attacker with the user ID’s for a small number of administrator accounts, that were still actively logged in to the server. This meant the attacker could move straight to password brute forcing without further user enumeration. It is unclear at this stage but we believe that the attacker used a tool such as NLBrute to perform the brute forcing of the RDP credentials and gain access to the server.
Access gained, Malware dropped
Once one of the accounts was compromised, the attacker gained administrative access to the server and proceeded to install two pieces of software:
- Process Hacker 2
A valid Open Source sysadmin tool that allows the user to monitor system activity, kernel state and control system processes and services.
- IObit Unlocker
A lightweight easy to use utility which helps with the moving, copying, renaming and deleting of locked or in use files.
Tools such as these are commonplace with attackers, they ensure that processes are killed and files are unlocked, in order to make certain that the encryption process of the Ransomware is successful.
The dropped malware came in the form of two main files, the payload and the ransom notice.
- 1.exe was the malicious payload for the ransomware when launched Arrow performs a scan of the local system and when certain files are matched it encrypts them. The process excludes system files so that the operating system is still able to function.
- Info.hta was the second file dropped, this file is the ransom demand notice, and contain emails addresses to contact the attackers as well as a unique victim ID.
As each file is encrypted the filename is appended with the victim ID and email address that is included in the ransom demand, before finishing with .arrow.
Each folder that contains the encrypted files also includes a single text file named ‘FILES ENCRYPTED’. This file contains a warning note that all files have been locked.
In addition to the above, Arrow also silently deletes all Volume Shadow Copies and backups that are present on the host. The following command was used:
vssadmin delete shadows /all /quiet
As displayed, Bitcoin is used as the method of payment for gaining access to the decryption keys, although there is no Bitcoin wallet information included in the demand.
No fixed price is included either, with the demand stating that the price will depend on how quickly you contact them.
Multiple email addresses for the attacker were included in the demand notice that we observed:
Multiple registry entries were added or modified during the installation of the software components and the Arrow Ransomware.
Process Hacker 2
To ensure continued running of the Ransomware the following are added:
At the time of writing there was little in the way of information or valid samples available in the community.
As part of our investigation we have extracted samples of both files mentioned above and submitted them to Cisco AMP / Threat Grid for file analysis.
The image below shows an extract from the Report for 1.exe.
Recommended Recovery & Mitigation
- Ensuring that all management protocols such as RDP and WinRM are not be accessible from the internet.
- Always use a remote access VPN service to connect to the internal network before using the such management protocols.
- Do not try and manually remove the infection, if possible perform a complete restore from backup.
- Implement an offline backup plan to restore data in the event of compromise.
- Ensuring that firewall policies are effectively configured allowing access only to required IPs, ports and protocols.
- Implement an effective patch management process that regularly applies security updates to your endpoints and infrastructure.
Customers running Next-Gen endpoint protection such as Cisco Advanced Malware Protection will be able to detect and block this threat.
Arrow Ransomware is an Extremely Dangerous and High Risk threat to both personal and corporate devices.
Standard detection methods such host based Anti-Virus and network Intrusion Prevention were not capable of detecting this threat.
Contrary to information on some sites, current removal tools are not effective with this variant.
Decryption keys and tools are also not currently available (outside of paying the ransom).
If you become a victim of ransomware Ironshare do not recommend paying this ransom as attackers are not obliged to respond or provide the decryption keys to recover your files.
Indications of Compromise (IOCs)
IOCs are used to assess whether a system has been infected with malware. These indicators can be anything from a file, IP address or a particular behaviour. IOCs help us understand the threat in order for us to better protect our systems.
URL’s & domains:
During our investigation there were no URLs or domains observed in association with this threat.
Associated Files & Hashes:
We witnessed RDP requests and connections from the following public IP addresses: