
Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise

21 April 2022 at 16:58

Executive Summary

  • At the beginning of February 2022, SentinelLabs observed two samples of a new Nemty variant dubbed “Nokoyawa” (sample 1, 2).
  • SentinelLabs considers Nokoyawa to be an evolution of the previous Nemty strain, Karma.
  • The developers have attempted to enhance code responsible for excluding folders from encryption, but SentinelLabs analysis finds that the algorithm contains logical flaws.
  • In March, TrendMicro suggested this ransomware bore some relation to Hive. We assess that Hive and Nokoyawa are different and that the latter is not a rebrand of Hive RaaS.

Overview

In this post, we take a broader look at the similarities between Nokoyawa and Karma ransomware. Previous researchers have highlighted similarities in the attack chain between Nokoyawa and Hive ransomware, concluding that “Nokoyawa is likely connected with Hive, as the two families share some striking similarities in their attack chain, from the tools used to the order in which they execute various steps.” Our analysis contradicts that finding, and we assess Nokoyawa is clearly an evolution of Karma (Nemty), bearing no major code similarities to Hive.

Nokoyawa and Karma Variant Similarities

Both Nokoyawa and Karma variants manage multi-threaded encryption by creating an input/output (I/O) completion port (CreateIoCompletionPort), which allows communication between the thread responsible for the enumeration of files and the sub-threads (“2 * NumberOfProcessors”) responsible for the file encryption.

Nokoyawa (left) vs Karma, initialization of encryption threads

In both cases, public keys for the encryption and ransom note are encoded with Base64.

Like Karma, Nokoyawa accepts different command line parameters, although in the latter they are documented by the developer via a -help command.

Nokoyawa command line support

Aside from the -help command, three other commands (-network, -file, and -dir) are also provided.

Parameter   Functionality
-help       Prints command line options for execution of ransomware.
-network    Encrypts local and network shares.
-file       Encrypts specified file.
-dir        Encrypts specified directory.

If the ransomware is executed without any parameter, it then encrypts the machine without enumerating and encrypting network resources.

One new parameter not observed in the Karma version is -network, which is responsible for encrypting network shares. Network enumeration is achieved by calling WNetOpenEnumW, WNetEnumResourceW, and WNetCloseEnum.

There are no significant similarities between the ransom notes except the use of email for contact points. Karma variants contained an .onion link, which also appeared in the Karma ransom note. We did not find any .onion links in the Nokoyawa code or ransom note.

The Nokoyawa ransom note:

Dear usernamme, your files were encrypted, some are compromised.
Be sure, you can't restore it without our help.
You need a private key that only we have.
Contact us to reach an agreement or we will leak your black shit to media:

[email protected]
[email protected]

[The note then repeats the same text in Chinese; translated:]
Dear username, your files have been encrypted, some have been leaked.
Be sure, you cannot restore it without our help.
You need a private key that only we have.
Contact us to reach an agreement, otherwise we will leak your black shit to the media:

[email protected]
[email protected]

The Karma ransom note:

Your network has been breached by Karma ransomware group.
We have extracted valuable or sensitive data from your network and encrypted the data on your systems.
Decryption is only possible with a private key that only we posses.
Our group's only aim is to financially benefit from our brief acquaintance,this is a guarantee that we will do what we promise.
Scamming is just bad for business in this line of work.
Contact us to negotiate the terms of reversing the damage we have done and deleting the data we have downloaded.
We advise you not to use any data recovery tools without leaving copies of the initial encrypted file.
You are risking irreversibly damaging the file by doing this.

If we are not contacted or if we do not reach an agreement we will leak your data to journalists and publish it on our website.

http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion/

If a ransom is payed we will provide the decryption key and proof that we deleted you data.
When you contact us we will provide you proof that we can decrypt your files and that we have downloaded your data.

How to contact us:
[email protected]
[email protected]
[email protected]

The ransom note filename uses a similar format as the previous versions: <ransom_extension>_<note_name>.txt.

                   Nokoyawa         Karma
ransom_extension   “NOKOYAWA”       “KARMA” & “KARMA_V2”
note_name          “_readme.txt”    “-ENCRYPTED.txt”

The <ransom_extension> string has been used for many different functions, including:

  • file extension of encrypted files
  • appended as data to an encrypted file
  • ransom note filename part
  • mutex (the NOKOYAWA variant is observed to not make use of Mutexes)
  • to denote files to be excluded from further processing (e.g., to avoid running in a loop)

Nokoyawa’s Flawed Encryption Routine

During the file and folder enumeration, the new variant creates a hash of the enumerated folder and compares it to those of excluded folders. However, this custom hashing algorithm appears to be flawed: it is not logically consistent and does not work as expected.

Below is a Python representation of the hashing algorithm.

def nokoyawa_dir_hashing(folder):
    folder_len = len(folder)
    # to unicode
    folder = '\x00'.join([c for c in folder])
    # initial hash value
    nhash = 0x1505
    i = 0
    while i  # the loop condition and body are cut off on this page

The implementation of this flawed hashing algorithm in some cases results in excluding multiple folders. Logically, one would expect there to be a 1:1 correlation between a hash and the folder to be excluded. However, the flawed code effectively makes it possible for multiple folders to be excluded based on a single hash. This code does not appear in Karma variants, which instead contain hardcoded strings denoting which folders to ignore during encryption.

The following table shows which folders the developers intended to skip during encryption.

Hash Folders Intended To Be Excluded
0x11f299b5 program files
0x78fb3995 program files (x86)
0x7c80b426 appdata
0x7c8cc47c windows
0xc27bb715 programdata
0xd6f02889 $recycle.bin

For extensions, the ransomware doesn't have any hashing algorithm and compares the raw strings with the extracted extension of the file. The excluded extensions are .exe, .dll, and .lnk. Files containing "NOKOYAWA" are also excluded.

Both Nokoyawa and Karma variants dynamically load bcrypt.dll and call BCryptGenRandom in order to generate 0x20 random bytes. They generate an ephemeral Sect233r1 key pair using the generated random bytes as the seed. The malware then uses the private ephemeral key and the public embedded key to generate a shared Salsa20 key, which is subsequently used for the file encryption. The Salsa20 nonce is hardcoded as “lvcelvce” in Nokoyawa, whereas in the Karma version it was "11111111".

An I/O completion packet is sent to the thread responsible for encryption. The packet includes the following:

  • File handle
  • File size
  • File data
  • Salsa20 key
  • Salsa nonce
  • public ephemeral key

The encryption thread has a switch containing four cases, as follows:

  • Case 1: Writes encrypted content and decryption struct to file and appends "extension"/"variant name".
  • Case 2: Calculates validation SHA1 hash and encrypts file data with Salsa20.
  • Case 3: Closes File Handle and moves files with the new extension.
  • Case 4: Exits.

In both variants, the initial switch case is "2".

Initial case, encryption thread
Encryption thread case handler

During Case 2, the malware adds a SHA1 checksum, which is possibly validated during the decryption phase. The method runs through the following logic:

  • Allocates 0x13 bytes (0x14 required for SHA1)
  • XORs Salsa key with a buffer of "6".
  • Concatenates file data to XORed Salsa key
  • Calculates SHA1.
  • XORs Salsa key with a buffer of "\".
  • Concatenates SHA1 hash to the second XORed Salsa key.
  • Calculates validation SHA1.
  • Validation SHA1 hash first 0x13 bytes are added to the encrypted file struct

Files encrypted by Nokoyawa will have the following structure.

struct nokoyawa_encrypted_file
{
    BYTE   encrypted_file_data[file_size];  // using salsa20
    BYTE   public_ephemeral_key[0x40];      // Sect233r1
    BYTE   validation_hash[0x13];           // last byte is chopped
    STRING ransomware_extension;
}

The private key required for decryption is held by the attacker. When made available to the victim, the decryption routine reads the struct, extracts the public ephemeral key and derives the Salsa20 key using the private key. The encrypted data is then decrypted with that key and validated by recomputing the validation hash and comparing it to the stored one.
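As an added illustration (not code from the page or from the malware itself), the Python below splits a file laid out as the struct above into its fields and recomputes the Case 2 validation tag from the steps listed earlier, which also shows that the two XOR bytes are the ipad/opad constants of HMAC. The ASCII form of the trailing extension string, the assumption that each XOR buffer is as long as the Salsa20 key, and the assumption that the tag covers the plaintext are mine, not details the page states.

```python
import hashlib
import hmac

# Field sizes come from the struct on the page; the marker bytes and the
# "XOR buffer is as long as the key" reading are assumptions made here.
EXT_MARKER = b"NOKOYAWA"   # assumed ASCII encoding of STRING ransomware_extension
KEY_LEN = 0x40             # public_ephemeral_key (Sect233r1)
TAG_LEN = 0x13             # validation_hash, SHA1 with the last byte chopped


def split_encrypted_file(blob: bytes) -> dict:
    """Split a file laid out as nokoyawa_encrypted_file into its fields."""
    if not blob.endswith(EXT_MARKER):
        raise ValueError("no ransomware_extension trailer")
    body = blob[: len(blob) - len(EXT_MARKER)]
    if len(body) < KEY_LEN + TAG_LEN:
        raise ValueError("too short to hold ephemeral key and validation hash")
    key_start = len(body) - KEY_LEN - TAG_LEN
    return {
        "encrypted_file_data": body[:key_start],
        "public_ephemeral_key": body[key_start : key_start + KEY_LEN],
        "validation_hash": body[key_start + KEY_LEN :],
    }


def validation_tag(salsa_key: bytes, file_data: bytes) -> bytes:
    """Case 2 tag, step by step as the page lists it: SHA1((key ^ '6') || data),
    then SHA1((key ^ '\\') || inner), keeping the first 0x13 bytes."""
    inner_key = bytes(b ^ ord("6") for b in salsa_key)    # '6' is 0x36
    inner = hashlib.sha1(inner_key + file_data).digest()
    outer_key = bytes(b ^ ord("\\") for b in salsa_key)   # '\' is 0x5c
    outer = hashlib.sha1(outer_key + inner).digest()
    return outer[:TAG_LEN]


def matches_rfc2104_hmac(salsa_key: bytes, file_data: bytes) -> bool:
    """0x36/0x5c are HMAC's ipad/opad. RFC 2104 HMAC-SHA1 first zero-pads the
    key to the 64-byte block, so the literal reading above only coincides with
    standard HMAC when the key is already 64 bytes long (Salsa20 keys are 0x20)."""
    ref = hmac.new(salsa_key, file_data, hashlib.sha1).digest()[:TAG_LEN]
    return validation_tag(salsa_key, file_data) == ref


def verify_file(blob: bytes, salsa_key: bytes, file_data: bytes) -> bool:
    """Decryptor-side check: recompute the tag over the recovered data
    (assumed here to be the plaintext) and compare it with the stored trailer."""
    fields = split_encrypted_file(blob)
    return hmac.compare_digest(fields["validation_hash"],
                               validation_tag(salsa_key, file_data))
```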

Conclusion

Nokoyawa’s code similarity and structure suggest it is an evolution of the previous Nemty strain, Karma. This appears to be another attempt by the developer to confuse attribution. At this time, the actor appears not to have or provide any onion leak page.

SentinelLabs could not validate previous research suggesting Nokoyawa is related to Hive. Given the lack of code similarities between the two and the lack of further correlating data, we can only suggest that earlier researchers' findings may be explained by the possibility of an affiliate using both Hive and Nokoyawa.

SentinelLabs continues to follow and analyze the development of Nemty ransomware variants.

Indicators of Compromise

Karma Ransomware SHA1

960fae8b8451399eb80dd7babcc449c0229ee395

Nokoyawa Ransomware SHA1

2904358f825b6eb6b750e13de43da9852c9a9d91
2d92468b5982fbbb39776030fab6ac35c4a9b889
32c2ecf9703aec725034ab4a8a4c7b2944c1f0b7


Nokoyawa YARA Rule

rule Nokoyawa_Nemty
{
    meta:  
        author = "@Tera0017"
        description = "Nokoyawa, Nemty/Karma ransomware variant"    
        Reference = "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/"
    
    strings:
        $code1 = {B8 (41| 43) 00 00 00 [10-30] 83 F8 5A}
        $code2 = {48 8B 4C 24 08 F0 0F C1 01 03 44 24 10}      
        $code3 = {83 E8 20 88 [7] 48 C1 E0 05 48 03 44 24}
        $code4 = {48 C7 44 24 ?? 05 15 00 00}
        $string1 = "RGVhciB1c2VybmFtbWUsIHlvdXIgZmlsZXMgd2VyZSBlbmNyeXB0ZWQsIHNvbWUgY" ascii
        $string2 = "-network" fullword wide
        $string3 = "-help" fullword wide
        $winapi1 = "PostQueuedCompletionStatus" fullword ascii
        $winapi2 = "GetSystemInfo" fullword ascii
        $winapi3 = "WNetEnumResourceW" fullword ascii
        $winapi4 = "GetCommandLineW" fullword ascii
        $winapi5 = "BCryptGenRandom" fullword ascii
        
    condition:
        all of ($winapi*) and 4 of ($code*, $string*)
}

Karma Ransomware | An Emerging Threat With A Hint of Nemty Pedigree

18 October 2021 at 16:43

Karma is a relatively new ransomware threat actor, having first been observed in June of 2021. The group has targeted numerous organizations across different industries. Reports of a group with the same name from 2016 are not related to the actors currently using the name. An initial technical analysis of a single sample related to Karma was published by researchers from Cyble in August.

In this post, we take a deeper dive, focusing on the evolution of Karma through multiple versions of the malware appearing through June 2021. In addition, we explore the links between Karma and other well known malware families such as NEMTY and JSWorm and offer an expanded list of technical indicators for threat hunters and defenders.

Initial Sample Analysis

Karma’s development has been fairly rapid and regular with updated variants and improvements, oftentimes building multiple versions on the same day. The first few Karma samples our team observed were:

Sample 1: d9ede4f71e26f4ccd1cb96ae9e7a4f625f8b97c9
Sample 2: a9367f36c1d2d0eb179fd27814a7ab2deba70197
Sample 3: 9c733872f22c79b35c0e12fa93509d0326c3ec7f

Sample 1 was compiled on 18 June 2021, and Samples 2 and 3 the following day, the 19th, a few minutes apart. Basic configuration between these samples is similar, though there are some slight differences such as PDB paths.

After Sample 1, we see more of the core features appear, including the writing of the ransom note. Upon execution, these payloads would enumerate all local drives (A to Z), and encrypt files where possible.

Further hunting revealed a number of other related samples all compiled within a few days of each other. The following table illustrates compilation timestamps and payload size across versions of Karma compiled in a single week. Note how the payload size decreases as the authors iterate.

Ransom Note is not Created in Sample 1.

Also, the list of excluded extensions is somewhat larger in Sample 1 than in both Samples 2 and 3, and the list of extensions is further reduced from Sample 5 onwards to only exclude “.exe”, “.ini”, “.dll”, “.url” and “.lnk”.

The list of excluded extensions is reduced as the malware authors iterate

Encryption Details

From Sample 2 onwards, the malware calls CreateIoCompletionPort, which is used for communication between the main thread and a sub thread(s) handling the encryption process. This specific call is key in managing efficiency of the encryption process (parallelization in this case).

Individual files are encrypted by way of a random Chacha20 key. Once files are encrypted, the malware will encrypt the random Chacha20 key with the public ECC key and embed it in the encrypted file.

Chacha Encryption

Across Samples 2 to 5, the author removed the CreateIoCompletionPort call, instead opting to create a new thread to manage enumeration and encryption per drive. We also note the “KARMA” mutex created to prevent the malware from running more than once. Ransom note names have also been updated to “KARMA-ENCRYPTED.txt”.

Diving in deeper, some samples show that the ChaCha20 algorithm has been swapped out for Salsa20. The asymmetric algorithm (for ECC) has been swapped from Secp256k1 to Sect233r1. Some updates around execution began to appear during this time as well, such as support for command line parameters.

A few changes were noted in Samples 6 and 7. The main difference is the newly included background image. The file “background.jpg” is written to %TEMP% and set as the Desktop image/wallpaper for the logged in user.

Desktop image change and message

Malware Similarity Analysis

From our analysis, we see similarities between JSWorm and the associated permutations of that ransomware family such as NEMTY, Nefilim, and GangBang. Specifically, the Karma code analyzed bears close similarity to the GangBang or Milihpen variants that appeared around January 2021.

Some high-level similarities are visible in the configurations.

We can see deeper relationships when we conduct a bindiff on Karma and GangBang samples. The following image shows how similar the main() functions are:

The main() function & argument processing in Gangbang (left) and Karma

Victim Communication

The main body of the ransom note text hasn’t changed since the first sample and still contains mistakes. The ransom notes are base64-encoded in the binary and dropped on the victim machine with the filename “KARMA-AGREE.txt” or, in later samples, “KARMA-ENCRYPTED.txt”.

Your network has been breached by Karma ransomware group.
We have extracted valuable or sensitive data from your network and encrypted the data on your systems.
Decryption is only possible with a private key that only we posses.
Our group's only aim is to financially benefit from our brief acquaintance,this is a guarantee that we will do what we promise.
Scamming is just bad for business in this line of work.
Contact us to negotiate the terms of reversing the damage we have done and deleting the data we have downloaded.
We advise you not to use any data recovery tools without leaving copies of the initial encrypted file.
You are risking irreversibly damaging the file by doing this.
If we are not contacted or if we do not reach an agreement we will leak your data to journalists and publish it on our website.
http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion/

If a ransom is payed we will provide the decryption key and proof that we deleted you data.
When you contact us we will provide you proof that we can decrypt your files and that we have downloaded your data.

How to contact us:

{[email protected]}
{[email protected]}
{[email protected]}

Each sample observed offers three contact emails, one for each of the mail providers onionmail, tutanota, and protonmail. In each sample, the contact emails are unique, suggesting they are specific communication channels per victim. The notes contain no other unique ID or victim identifier as sometimes seen in notes used by other ransomware groups.

In common with other operators, however, the Karma ransom demand threatens to leak victim data if the victim does not pay. The address of a common leaks site where the data will be published is also given in the note. This website page appears to have been authored in May 2021 using WordPress.

The Karma Ransomware Group’s Onion Page

Conclusion

Karma is a young and hungry ransomware operation. They are aggressive in their targeting, and show no reluctance in following through with their threats. The apparent similarities to the JSWorm family are also highly notable as it could be an indicator of the group being more than they appear. The rapid iteration over recent months suggests the actor is investing in development and aims to be around for the foreseeable future. SentinelLabs continues to follow and analyze the development of Karma ransomware.

Indicators of Compromise

SHA1s
Karma Ransomware

Sample 1: d9ede4f71e26f4ccd1cb96ae9e7a4f625f8b97c9
Sample 2: a9367f36c1d2d0eb179fd27814a7ab2deba70197
Sample 3: 9c733872f22c79b35c0e12fa93509d0326c3ec7f
Sample 4: c4cd4da94a2a1130c0b9b1bf05552e06312fbd14
Sample 5: bb088c5bcd5001554d28442bbdb144b90b163cc5
Sample 6: 5ff1cd5b07e6c78ed7311b9c43ffaa589208c60b
Sample 7: 08f1ef785d59b4822811efbc06a94df16b72fea3
Sample 8: b396affd40f38c5be6ec2fc18550bbfc913fc7ea

Gangbang Sample
ac091ce1281a16f9d7766a7853108c612f058c09

Karma Desktop image
%TEMP%/background.jpg
7b8c45769981344668ce09d48ace78fae50d71bc

Victim Blog (TOR)
http[:]//3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd[.]onion/


MITRE ATT&CK
T1485 Data Destruction
T1486 Data Encrypted for Impact
T1012 Query Registry
T1082 System Information Discovery
T1120 Peripheral Device Discovery
T1204 User Execution
T1204.002 User Execution: Malicious File
