Threat Research

BackMyData Ransomware

Starting on February 11, a widespread ransomware attack struck 100 hospitals across Romania. The attackers exploited vulnerabilities in the hospitals’ systems, forcing them to take critical infrastructure offline.

Ransomware Type: BackMyData

The malware responsible for this attack belongs to the Phobos family and is known as BackMyData ransomware. Let’s delve into its key characteristics:

Key Details

  • The malware embeds an AES key used for decrypting its configuration. This configuration contains whitelisted extensions, files, and directories.
  • It also includes a public RSA key for encrypting AES keys used to lock files.
  • Persistence is achieved by creating an entry under the Run registry key and copying the malware to the Startup folder.
  • The ransomware encrypts both local drives and network shares.
  • It deletes all Volume Shadow Copies and disables the firewall.
  • Files are encrypted using the AES256 algorithm, with a custom 6-byte addition at the end of each encrypted file.
  • The ransomware drops two ransom notes named “info.txt” and “info.hta” to guide victims on how to contact the threat actor.

Technical Insights

Let’s dive deeper into the technical aspects of BackMyData:

BackMyData carries an encrypted configuration that it decrypts at runtime with a fixed AES (Advanced Encryption Standard) key hardcoded in the binary. That key is what unlocks the configuration (the whitelisted extensions, files and directories listed above) and drives the rest of the malware’s behaviour.

[Figure: BackMyData ransomware]

As the screenshot below shows, the configuration is stored in encrypted form.

[Figure: BackMyData ransomware]

The malware implements the AES algorithm itself rather than relying on the Windows cryptographic APIs.

[Figure: BackMyData ransomware]

The malware calls the GetTickCount function, which returns the number of milliseconds elapsed since the system was started. This timing value is commonly used to measure how long specific operations take.

[Figure: BackMyData ransomware]

BackMyData follows a specific sequence of mutex operations. On execution it first attempts to open two mutexes, named ‘Global\<<BID>><Volume serial number>00000001’ and ‘Global\<<BID>><Volume serial number>00000000’; if they do not already exist, it creates them.

[Figure: BackMyData ransomware]

Leveraging the “explorer.exe” Process

1. GetWindowThreadProcessId Function:

The process invokes the GetWindowThreadProcessId function. This function retrieves the unique identifier (process ID) of the process responsible for creating a specific window (in this case, the “explorer.exe” window).

2. Opening the “explorer.exe” Process:

The binary opens the “explorer.exe” process using the OpenProcess method.

The access rights specified for this operation are represented by the hexadecimal value 0x400, which corresponds to PROCESS_QUERY_INFORMATION. This allows querying information about the process.

3. Access Token Retrieval:

The OpenProcessToken function is employed to open the access token associated with the aforementioned “explorer.exe” process.

The access rights for this operation are represented by the hexadecimal value 0x02000000, which corresponds to MAXIMUM_ALLOWED. This grants broad access to the token.

4. Creating a New Access Token:

The ransomware utilizes the DuplicateTokenEx API to create a new access token.

The new token is a duplicate of the previously mentioned token.

The parameters used for creating this token are:

  • 0x2: SecurityImpersonation, allowing the token to be used for impersonation.
  • 0x1: TokenPrimary, indicating that the new token is a primary token.

5. Self-Spawning in the New Security Context:

Finally, the ransomware spawns a new instance of itself, executing within the security context of the newly created access token.

In summary, the ransomware manipulates access tokens and leverages the “explorer.exe” process to execute its malicious activities.

[Figure: BackMyData ransomware]

It creates a new thread to run the commands decrypted from its configuration.

[Figure: BackMyData ransomware]

Persistence

During its execution, the malware duplicates its own executable file and deposits it in the “%AppData%\Local” directory. This directory serves as a common location for storing application-specific data and settings on a user’s system.

Additionally, the malware employs the RegOpenKeyExW function to access the Run registry key. Specifically:

  • The registry key being accessed is HKEY_LOCAL_MACHINE (represented by the hexadecimal value 0x80000002).
  • The requested access rights include both KEY_WRITE and KEY_WOW64_64KEY, denoted by the combined hexadecimal value 0x20106.

In summary, the malware places a copy of its executable under “%AppData%\Local” and writes to the Run registry key so that it is launched again at system startup.

[Figure: BackMyData ransomware]
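The persistence steps above (a self-copy into %AppData%\Local, a Run key value under HKLM, and a copy in the Startup folder) are all visible in endpoint telemetry. The following detection logic is an added example written for this article, not code from the original post or from Gurucul; it runs over constructed Sysmon-style records (EventID 13 RegistryEvent with TargetObject/Details, EventID 11 FileCreate with TargetFilename) and labels hits with the T1547.001 technique ID from the table at the end of the article. The file name “invoice.exe” and the user “alice” are placeholders.

```python
import re
from dataclasses import dataclass
from ntpath import basename  # Windows path handling that also works on non-Windows hosts

# Locations named in the write-up: the Run key, the Startup folder and %AppData%\Local.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
APPDATA_LOCAL_RE = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)
EXE_RE = re.compile(r"\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    technique: str   # ATT&CK ID as listed in the table at the end of the article
    reason: str
    image: str       # process that caused the event


def detect_persistence(events):
    """Return alerts for Sysmon-style events matching BackMyData's persistence steps.

    Events are dicts using Sysmon field names: EventID 13 (RegistryEvent, value set)
    carries TargetObject/Details; EventID 11 (FileCreate) carries TargetFilename.
    """
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 13:
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "")
            if RUN_KEY_RE.search(target):
                hive = target.split("\\")[0]
                reason = f"Run key value written under {hive}: {details}"
                if APPDATA_LOCAL_RE.search(details):
                    reason += " (launch path inside AppData\\Local)"
                alerts.append(Alert("T1547.001", reason, image))
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            if STARTUP_RE.search(target):
                alerts.append(Alert("T1547.001", f"executable dropped in Startup folder: {target}", image))
            elif (APPDATA_LOCAL_RE.search(target) and EXE_RE.search(target)
                  and basename(target).lower() == basename(image).lower()):
                # The creating process wrote an executable with its own name into AppData\Local:
                # the self-copy described in the Persistence section.
                alerts.append(Alert("T1547.001", f"process copied itself into AppData\\Local: {target}", image))
    return alerts


# Constructed sample telemetry (not real logs); "invoice.exe" is a placeholder name.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\invoice.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\invoice.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\invoice",
     "Details": r"C:\Users\alice\AppData\Local\invoice.exe"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\invoice.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.exe"},
    # benign: an application writing a cache file (not an executable, not a self-copy)
    {"EventID": 11, "Image": r"C:\Program Files\Editor\editor.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Editor\cache.bin"},
]


if __name__ == "__main__":
    for a in detect_persistence(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.reason}  (by {a.image})")
```

The Run key rule fires on any Run value write, because legitimate installers do this too; the AppData\Local qualifier is what raises the hit to something worth paging on, and the self-copy rule catches the staging step that precedes the registry write.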

Encrypting Files and Creating Ransom Notes

1. File Size Retrieval:

  • The ransomware employs the GetFileSizeEx API to determine the size of a file.
  • This step lets the malware decide how much of the file to encrypt before proceeding.

2. Partial vs. Total Encryption:

  • The file size is compared against a threshold of 0x180000 bytes (equivalent to approximately 1.5 megabytes).
  • Files exceeding this size are partially encrypted, while smaller files undergo complete encryption.

[Figure: BackMyData ransomware]

[Figure: BackMyData ransomware]

3. File Extension and Additional Data:

  • Encrypted files receive the “.backmydata” extension.
  • Additionally, the ransomware appends the volume serial number and the threat actor’s email address to each encrypted file name.

4. Content Encryption:

  • The actual content of the files is encrypted using the AES256 algorithm.
  • The encrypted data is then written to a newly created file.

5. Additional Information in the Encrypted File:

  • Alongside the encrypted content, the ransomware includes the following details in the file:
    • An unencrypted 16-byte IV (Initialization Vector).
    • An RSA-encrypted AES256 key.
    • A 6-byte marker decrypted from the configuration, “DD F9 CC F5 B3 44”, which uniquely identifies the ransomware.

6. Ransom Notes:

  • The ransomware drops two ransom notes: “info.txt” and “info.hta”.
  • Victims can communicate with the threat actor either via email or a Session messenger ID.

Understanding these steps sheds light on the ransomware’s tactics and provides insights for mitigation and response strategies.
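Two of the details above are directly usable for incident-response triage: every encrypted file ends with the 6-byte marker DD F9 CC F5 B3 44 and carries the “.backmydata” extension, and files larger than 0x180000 bytes were only partially encrypted (which matters when estimating what may be recoverable). The script below is an added example for this article, not code from the original post or from Gurucul. It classifies files from their name, size and final six bytes only, so it never needs to read whole files; the on-disk positions of the IV and the RSA-encrypted key are not given in the write-up, so the script does not try to parse them. The sample files and names are constructed.

```python
import os
from dataclasses import dataclass
from typing import Iterator

# Values taken from the write-up above.
BACKMYDATA_MARKER = bytes.fromhex("DDF9CCF5B344")   # 6-byte trailer "DD F9 CC F5 B3 44"
PARTIAL_ENCRYPTION_THRESHOLD = 0x180000             # files above this size are only partially encrypted
EXTENSION = ".backmydata"


@dataclass(frozen=True)
class TriageResult:
    path: str
    size: int
    has_extension: bool
    has_marker: bool

    @property
    def matches(self) -> bool:
        """Both indicators present: treat as a BackMyData-encrypted file."""
        return self.has_extension and self.has_marker

    @property
    def likely_partial(self) -> bool:
        # The ransomware compares the plaintext size against the threshold before
        # encrypting; the on-disk size also includes the appended IV, RSA-encrypted
        # key and marker, so this is an approximation near the boundary.
        return self.size > PARTIAL_ENCRYPTION_THRESHOLD


def classify(path: str, size: int, tail: bytes) -> TriageResult:
    """Classify a file from its name, size and last few bytes (no content parsing)."""
    return TriageResult(
        path=path,
        size=size,
        has_extension=path.lower().endswith(EXTENSION),
        has_marker=tail.endswith(BACKMYDATA_MARKER),
    )


def triage_bytes(path: str, data: bytes) -> TriageResult:
    """Classify an in-memory blob (used by the constructed samples below)."""
    return classify(path, len(data), data[-len(BACKMYDATA_MARKER):])


def triage_file(path: str) -> TriageResult:
    """Classify a file on disk, reading only its final 6 bytes."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        if size >= len(BACKMYDATA_MARKER):
            fh.seek(-len(BACKMYDATA_MARKER), os.SEEK_END)
        tail = fh.read()
    return classify(path, size, tail)


def scan_tree(root: str) -> Iterator[TriageResult]:
    """Walk a directory tree and yield only files that carry both indicators."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            result = triage_file(os.path.join(dirpath, name))
            if result.matches:
                yield result


# Constructed samples (not real victim files): filler bytes stand in for ciphertext.
SAMPLES = {
    "report.docx.backmydata": b"\xAB" * 4096 + BACKMYDATA_MARKER,                               # small: fully encrypted
    "scan.iso.backmydata": b"\xCD" * (PARTIAL_ENCRYPTION_THRESHOLD + 1) + BACKMYDATA_MARKER,   # large: partial
    "notes.txt.backmydata": b"just a renamed file",                                              # extension only, no marker
    "photo.jpg": b"\xFF\xD8" + b"\x00" * 64,                                                     # untouched file
}


def triage_samples() -> dict:
    """Run the classifier over the constructed samples; returns {name: TriageResult}."""
    return {name: triage_bytes(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in triage_samples().items():
        print(f"{name:26} match={str(r.matches):5} partial={str(r.likely_partial):5} size={r.size}")
    # On a real host, scan_tree(r"D:\shares") would list every marker-bearing file.
```

Requiring both the extension and the trailer avoids counting files that were merely renamed (or renamed back) as encrypted, and the tail-only read keeps a scan of a large file share cheap.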

MITRE ATT&CK Tactics and Techniques Covered by GRA:

| Tactic | Technique | ID | GRA Detection |
|---|---|---|---|
| Persistence | Registry Run Keys / Startup Folder | T1547.001 | 19 |
| Privilege Escalation | Privilege Escalation | TA0004 | 8 |
| Privilege Escalation | Portable Executable Injection | T1055.002 | 0 |
| Privilege Escalation | Access Token Manipulation: Token Impersonation/Theft | T1134.001 | 0 |
| Privilege Escalation | Create Process with Token | T1134.002 | 0 |
| Defense Evasion | Embedded Payloads | T1027.009 | 0 |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | 2 |
| Discovery | Process Discovery | T1140 | 0 |
| Discovery | System Information Discovery | T1082 | 0 |
| Discovery | File and Directory Discovery | T1083 | 0 |
| Impact | Data Encrypted for Impact | T1083 | 1 |
| Impact | Inhibit System Recovery | T1490 | 8 |
| Impact | Financial Theft | T1657 | 0 |


About the Author: Rudra Pratap

Rudra Pratap, Security Research Manager, Gurucul

Rudra Pratap is a Security Research Manager and heads Threat Research at Gurucul with over 12 years of experience in security research and development. Rudra’s expertise spans a wide range of cybersecurity domains, including cloud & endpoint protection, threat detection & response and advanced persistent threats (APTs). He has authored multiple research papers and presented at conferences, sharing insights on topics such as industry threats and cyber espionage campaigns. With a strong background in security research, Rudra has made significant contributions to industry giants like Microsoft and FireEye.