Starting on February 11, 2024, a widespread ransomware attack hit roughly 100 hospitals across Romania. The attackers exploited vulnerabilities in the hospitals’ systems, and the affected institutions had to take critical infrastructure offline.
The malware responsible for this attack belongs to the Phobos family and is known as BackMyData ransomware. The sections below walk through its key technical characteristics, from configuration decryption to persistence.
BackMyData carries an encrypted configuration that it decrypts at run time with a fixed AES (Advanced Encryption Standard) key hardcoded in the binary. Because the key ships inside the executable, the encryption only hides the configuration from casual inspection: anyone who recovers the key from the code, or breaks on the decryption routine in a debugger, can read the configuration in the clear.
The configuration itself is stored inside the binary as an encrypted blob rather than as readable strings.
The malware embeds its own AES implementation rather than calling the Windows crypto APIs (CryptoAPI or CNG). Decryption therefore produces no API-level telemetry, and an analyst has to recognise the algorithm from its code and constants instead.
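One practical way to confirm an embedded AES implementation is to search the binary for the AES S-box and inverse S-box, since a statically linked AES routine almost always carries at least one of these 256-byte tables. The following Python is an added example and is not code from the original post or from Gurucul: it derives the tables from the AES definition (so nothing is pasted in from memory) and scans a constructed stand-in for a PE image, not a BackMyData sample. The presence of the inverse S-box is the interesting signal here, because a binary that only encrypts would not need it, whereas one that decrypts its own configuration does.

```python
# Added example (not from the original post): locate a statically linked AES
# implementation by its S-box / inverse S-box. SAMPLE_BINARY is constructed.

def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p & 0xFF


def build_sbox() -> bytes:
    """S[x] = affine(inverse(x)) per FIPS-197; S[0] = 0x63 since 0 has no inverse."""
    inverse = [0] * 256
    for x in range(1, 256):
        for y in range(1, 256):          # brute-force inverse, 65k cheap ops
            if gf_mul(x, y) == 1:
                inverse[x] = y
                break
    out = bytearray(256)
    for x in range(256):
        v = inverse[x]
        s = v
        for shift in range(1, 5):        # v ^ rotl(v,1) ^ rotl(v,2) ^ rotl(v,3) ^ rotl(v,4)
            s ^= ((v << shift) | (v >> (8 - shift))) & 0xFF
        out[x] = s ^ 0x63
    return bytes(out)


SBOX = build_sbox()                                   # starts 63 7c 77 7b ...
INV_SBOX = bytes(SBOX.index(i) for i in range(256))   # starts 52 09 6a d5 ...


def find_aes_tables(blob: bytes) -> dict:
    """Return {table_name: file_offset} for every AES table present in blob."""
    found = {}
    for name, table in (("sbox", SBOX), ("inv_sbox", INV_SBOX)):
        off = blob.find(table)
        if off != -1:
            found[name] = off
    return found


# Constructed stand-in for a PE image: stub header, both tables, then a blob
# standing in for the encrypted configuration. Not real malware bytes.
SAMPLE_BINARY = (b"MZ" + b"\x90" * 0x40 + SBOX + b"\x00" * 16 + INV_SBOX
                 + b"encrypted-config-blob")

if __name__ == "__main__":
    print(find_aes_tables(SAMPLE_BINARY))  # {'sbox': 66, 'inv_sbox': 338}
```

Once the table is located, the code that references it is the AES routine, and a breakpoint on its entry shows the hardcoded key and the decrypted configuration as they are passed around. Optimised builds sometimes replace the plain S-box with the combined T-tables (Te0..Te3 / Td0..Td3), so a negative result from this scan does not rule AES out; those tables can be generated and searched for in the same way.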
The malware calls GetTickCount, which returns the number of milliseconds elapsed since the system was started. The value is commonly used to measure how long an operation takes; note that it is a 32-bit counter that wraps after roughly 49.7 days, so any interval computed from it is only meaningful over shorter spans.
BackMyData follows a specific sequence with mutexes. On execution it attempts to open two mutexes named ‘Global\<<BID>><Volume serial number>00000001’ and ‘Global\<<BID>><Volume serial number>00000000’ (the angle-bracket parts are placeholders filled in at run time). If a mutex does not already exist, the ransomware creates it. The Global\ prefix places the objects in the session-independent namespace, so a second instance in any session sees them, and embedding the volume serial number makes the names unique per infected host; once the serial number of a host is known, the resulting names are a host-specific indicator.
The process calls GetWindowThreadProcessId, which returns the process ID of the process that created a given window, here the “explorer.exe” window.
The binary then opens the “explorer.exe” process with OpenProcess.
The requested access mask is 0x400, PROCESS_QUERY_INFORMATION, which allows querying information about the process. This is the minimum right needed for the OpenProcessToken call that follows, and it is rarely restricted because legitimate tools use it to read basic process information.
OpenProcessToken is then used to open the access token of that “explorer.exe” process.
The requested access mask is 0x02000000, MAXIMUM_ALLOWED, which asks the system for every right the caller is permitted on the token rather than a specific set of rights.
The ransomware then calls DuplicateTokenEx to create a new access token.
The new token is a duplicate of the explorer.exe token opened above.
The parameters used for creating this token are:
0x2: SecurityImpersonation, the impersonation level of the new token.
0x1: TokenPrimary, so the new token is a primary token. A primary token is what a process is created with; an impersonation token could only be attached to a thread, so this choice is what makes the next step possible.
Finally, the ransomware spawns a new instance of itself that runs under the duplicated token, that is, in the security context of the interactively logged-on user who owns explorer.exe.
In summary, the ransomware steals the explorer.exe token (Access Token Manipulation: Token Impersonation/Theft, T1134.001) and launches itself with it (Create Process with Token, T1134.002), so its file encryption runs as the desktop user regardless of the context it was started from.
It also creates a new thread that executes the commands obtained from the decrypted configuration.
During execution the malware copies its own executable into the user’s AppData\Local directory (%LOCALAPPDATA%), a per-user location for application data and settings. Because that directory is writable by the user, the copy does not require elevation.
The malware also calls RegOpenKeyExW to open the Run registry key (Software\Microsoft\Windows\CurrentVersion\Run), the standard autostart location, so that the dropped copy is launched at each logon.
In summary, the malware drops a copy of itself inside the user profile and registers it under the Run key, ensuring it executes again at the next logon (Registry Run Keys / Startup Folder, T1547.001).
Understanding these steps sheds light on the ransomware’s tactics and provides insights for mitigation and response strategies.
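Turning the chain above into detection logic: the following Python, an added example that is not code from the original post or from Gurucul, correlates the steps from the explorer.exe token access through the self-copy, the Run-key write and the relaunch, attributing each to the originating process. The event records are Sysmon-style (Event ID 1 process create, 10 process access, 11 file create, 13 registry value set) but are constructed for this example; field names and PIDs are illustrative. Sysmon does not log mutex creation, so the mutex check is a separate name matcher whose pattern is an assumption derived from the names quoted above (8 hex digits of volume serial number followed by the 00000000 / 00000001 suffix).

```python
# Added example (not from the original post): correlating the BackMyData
# behaviour chain in constructed Sysmon-style telemetry.
import re
from collections import defaultdict
from ntpath import basename

PROCESS_QUERY_INFORMATION = 0x0400   # access right the malware requests on explorer.exe
LOCAL_APPDATA_RE = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Assumed shape of the quoted mutex names: 'Global\' + ID + 8-hex-digit volume
# serial number + 00000000 or 00000001.
MUTEX_RE = re.compile(r"^Global\\\S*[0-9A-F]{8}0000000[01]$", re.IGNORECASE)

# Constructed events; none of these values come from real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Users\alice\Downloads\invoice.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 10, "pid": 4120, "image": r"C:\Users\alice\Downloads\invoice.exe",
     "target_image": r"C:\Windows\explorer.exe", "granted_access": 0x0400},
    {"id": 11, "pid": 4120, "image": r"C:\Users\alice\Downloads\invoice.exe",
     "target": r"C:\Users\alice\AppData\Local\invoice.exe"},
    {"id": 13, "pid": 4120, "image": r"C:\Users\alice\Downloads\invoice.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\invoice",
     "details": r"C:\Users\alice\AppData\Local\invoice.exe"},
    {"id": 1, "pid": 4188, "image": r"C:\Users\alice\AppData\Local\invoice.exe",
     "parent_image": r"C:\Users\alice\Downloads\invoice.exe"},
    # benign noise: an updater registering itself from Program Files
    {"id": 13, "pid": 900, "image": r"C:\Program Files\Vendor\update.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "details": r"C:\Program Files\Vendor\update.exe"},
]


def is_suspected_mutex_name(name: str) -> bool:
    """True if a mutex name fits the assumed BackMyData pattern."""
    return bool(MUTEX_RE.match(name))


def correlate(events):
    """Map each PID to the links of the chain it exhibits and return only PIDs
    showing at least two links, which drops single-step benign lookalikes."""
    hits = defaultdict(set)
    copies = set()            # lower-cased paths a process wrote its own image to
    for e in events:
        pid, image = e["pid"], e["image"]
        if (e["id"] == 10 and basename(e["target_image"]).lower() == "explorer.exe"
                and e["granted_access"] & PROCESS_QUERY_INFORMATION):
            hits[pid].add("T1134.001")   # handle sufficient for OpenProcessToken
        elif (e["id"] == 11 and LOCAL_APPDATA_RE.search(e["target"])
                and basename(e["target"]).lower() == basename(image).lower()):
            hits[pid].add("self-copy")
            copies.add(e["target"].lower())
        elif (e["id"] == 13 and RUN_KEY_RE.search(e["target"])
                and e.get("details", "").lower() in copies):
            hits[pid].add("T1547.001")   # Run value points at the dropped copy
    # Relaunch of the copy by the dropper: consistent with create-process-with-token,
    # although the token itself is not visible in this telemetry.
    owners = {e["image"].lower(): e["pid"] for e in events if e["id"] == 1}
    for e in events:
        if e["id"] == 1 and e["image"].lower() in copies:
            parent = owners.get(e["parent_image"].lower())
            if parent is not None:
                hits[parent].add("T1134.002")
    return {pid: tags for pid, tags in hits.items() if len(tags) >= 2}


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
    print(is_suspected_mutex_name(r"Global\ABCD1234567800000001"))
```

The two-link threshold is the design choice worth keeping: any one of these events (querying explorer.exe, writing to AppData\Local, setting a Run value) is common in benign software, and it is the combination on a single process, with the Run value pointing at the file the same process just wrote, that makes the alert specific. In production the same logic would run over a time window per host rather than over a fixed list.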
| Tactic | Technique | ID | GRA Detection |
|---|---|---|---|
| Persistence | Registry Run Keys / Startup Folder | T1547.001 | 19 |
| Privilege Escalation | Privilege Escalation (tactic) | TA0004 | 8 |
| Privilege Escalation | Portable Executable Injection | T1055.002 | 0 |
| Privilege Escalation | Access Token Manipulation: Token Impersonation/Theft | T1134.001 | 0 |
| Privilege Escalation | Create Process with Token | T1134.002 | 0 |
| Defense Evasion | Embedded Payloads | T1027.009 | 0 |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | 2 |
| Discovery | Process Discovery | T1057 | 0 |
| Discovery | System Information Discovery | T1082 | 0 |
| Discovery | File and Directory Discovery | T1083 | 0 |
| Impact | Data Encrypted for Impact | T1486 | 1 |
| Impact | Inhibit System Recovery | T1490 | 8 |
| Impact | Financial Theft | T1657 | 0 |
About the Author:
Rudra Pratap, Security Research Manager, Gurucul
Rudra Pratap is a Security Research Manager and heads Threat Research at Gurucul with over 12 years of experience in security research and development. Rudra’s expertise spans a wide range of cybersecurity domains, including cloud & endpoint protection, threat detection & response and advanced persistent threats (APTs). He has authored multiple research papers and presented at conferences, sharing insights on topics such as industry threats and cyber espionage campaigns. With a strong background in security research, Rudra has made significant contributions to industry giants like Microsoft and FireEye.