Malware Spotlight: RansomHub Ransomware

“mepocs”, “memtas”, “veeam”, “svc$”, “backup”, “sql”, “vss”, “sql$”, “mysql”, “mysql$”, “sophos”, “MSExchange”,
“MSExchange$”, “WSBExchange”, “PDVFSService”, “BackupExecVSSProvider”, “BackupExecAgentAccelerator”,
“BackupExecAgentBrowser”, “BackupExecDiveciMediaService”, “BackupExecJobEngine”,
“BackupExecManagementService”, “BackupExecRPCService”, “GxBlr”, “GxVss”, “GxClMgrS”, “GxCVD”, “GxCIMgr”,
“GXMMM”, “GxVssHWProv”, “GxFWD”, “SAPService”, “SAP”, “SAP$”, “SAPD$”, “SAPHostControl”, “SAPHostExec”,
“QBCFMonitorService”, “QBDBMgrN”, “QBIDPService”, “AcronisAgent”, “VeeamNFSSvc”, “VeeamDeploymentService”,
“VeeamTransportSvc”, “MVArmor”, “MVarmor64”, “VSNAPVSS”, “AcrSch2Svc”

powershell.exe -Command PowerShell -Command “{ Get-VM | Stop-VM -Force }”

powershell.exe Get-VM | Stop-VM -Force -inputFormat xml -outputFormat text

We are the RansomHub.

 
Your company Servers are locked and Data has been taken to our servers. This is serious.
 
Good news:
– your server system and data will be restored by our Decryption Tool, we support trial decryption to prove that your
files can be decrypted;
– for now, your data is secured and safely stored on our server;
– nobody in the world is aware about the data leak from your company except you and RansomHub team;
– we provide free trial decryption for files smaller than 1MB. If anyone claims they can decrypt our files, you can ask
them to try to decrypt a file larger than 1MB.
 
FAQs:
Who we are?
– Normal Browser Links: https://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd[.]onion.ly/
– Tor Browser Links: http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd[.]onion/
 
Want to go to authorities for protection?
– Seeking their help will only make the situation worse,They will try to prevent you from negotiating with us, because
the negotiations will make them look incompetent,After the incident report is handed over to the government
department, you will be fined <This will be a huge amount,Read more about the GDRP legislation:https://
en.wikipedia.org/wiki/General_Data_Protection_Regulation>, The government uses your fine to reward them.And
you will not get anything, and except you and your company, the rest of the people will forget what happened!!!!!
 
Think you can handle it without us by decrypting your servers and data using some IT Solution from third-party
“specialists”?
– they will only make significant damage to all of your data; every encrypted file will be corrupted forever. Only our
Decryption Tool will make decryption guaranteed;
 
Don’t go to recovery companies, they are essentially just middlemen who will make money off you and cheat you.
– We are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in fact
they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. If you approached us
directly without intermediaries you would pay 5 times less, that is 1 million dollars.
 
Think your partner IT Recovery Company will do files restoration?
– no they will not do restoration, only take 3-4 weeks for nothing; besides all of your data is on our servers and we
can publish it at any time;
as well as send the info about the data breach from your company servers to your key partners and clients,
competitors, media and youtubers, etc.
Those actions from our side towards your company will have irreversible negative consequences for your business
reputation.
 
You don’t care in any case, because you just don’t want to pay?
– We will make you business stop forever by using all of our experience to make your partners, clients, employees
and whoever cooperates with your company change their minds by having no choice but to stay away from your
company.
As a result, in midterm you will have to close your business.
 
So lets get straight to the point.
 
What do we offer in exchange on your payment:
– decryption and restoration of all your systems and data within 24 hours with guarantee;
– never inform anyone about the data breach out from your company;
– after data decryption and system restoration, we will delete all of your data from our servers forever;
– provide valuable advising on your company IT protection so no one can attack your again.
 
Now, in order to start negotiations, you need to do the following:
– install and run ‘Tor Browser’ from https://www.torproject.org/download/
– use ‘Tor Browser’ open <TA_URL_removed_by_analyst>.onion/
– enter your Client ID: <ID_removed_by_analyst>
* do not leak your ID or you will be banned and will never be able to decrypt your files.
 
There will be no bad news for your company after successful negotiations for both sides. But there will be plenty of
those bad news if case of failed negotiations, so don’t think about how to avoid it.
Just focus on negotiations, payment and decryption to make all of your problems solved by our specialists within 1
day after payment received: servers and data restored, everything will work good as new.
 
************************************************

{"master_public_key": <public_key_removed_by_analyst> "extension": "<extension_removed_by_analyst>" "note_file_name": "README_<extension_removed_by_analyst>.txt", "note_full_text": "We are the RansomHub.\n\nYour company Servers are locked and Data has been taken to our servers. This is serious. \n\nGood news:\n- your server system and data will be restored by our Decryption Tool, we supply trial decryption to prove that your files can be decrypted;\n- for now, your data is secured and safely stored on our server;\n- nobody in the world is aware about the data leak from your company except you and RansomHub team;\n- we provide free trial decryption for files smaller than 1MB. If anyone claims they can decrypt our files, you can ask them to try to decrypt a file larger than 1MB.\n\nFAQs:\nWho we are?\n- Normal Browser Links: https://ransomxifxwc5eteopdobynonjctkxvap77yqifu2emfbecbqdw6qd.onion.ly/\n- Tor Browser Links: 
http://ransomxifxwc5eteopdobynonjctkxvap77yqifu2emfbecbqdw6qd.onion/\n\nWant to go to authorities for protection?\n- Seeking their help will only make the situation worse,They will try to prevent you from negotiating with us, because the negotiations will make them look incompetent,After the incident report is handed over to the government department, you will be fined <This will be a huge amount,Read more about the GDRP legislation:https://
en.wikipedia.org/wiki/General_Data_Protection_Regulation> The government uses your fine to reward them.And you will not get anything, and except you and your company, the rest of the people will forget what happened!!!!!\n\nThink you can handle it without us by decrypting your servers and data using some IT Solution from third-party \"specialists\"?\n- they will only make significant damage to all of your data; every encrypted file will be corrupted forever. Only our Decryption Tool will make decryption guaranteed;\nDon't go to recovery companies, they are essentially just middlemen who will make money off you and cheat you. \n- We are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in fact they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. If you approached us directly without intermediaries you would pay 5 times less, that is 1 million dollars.\n\nThink your partner IT Recovery Company will do files restoration?\n- no they will not do restoration, only take 3-4 weeks for nothing; besides all of your data is on our server and we can publish it at any time; \n as well as send the info about the data breach from your company servers to your key partners and clients, competitors, media and youtubers, etc. \n Those actions from our side towards your company will have irreversible negative consequences for your business reputation.\n\nYou don't care in any case, because you just don't want to pay? \n- We will make you business stop forever by using all of our experience to make your partners, clients, employees and whoever cooperates with your company change their minds by having no choice but to stay away from your company. \nAs a result, in midterm you will have to close your business. \n\nSo lets get straight to the point.\n\nWhat do we offer in exchange on your payment:\n- decryption and restoration of all your systems and data within 24 hours with guarantee;\n- never inform anyone about the data breach out from your company;\n- after data decryption and system restoration, we will delete all of your data from our servers forever;\n- provide valuable advising on your company IT protection so no one can hack you again.\n\nNow, in order to start negotiations, you need to do the following:\n- install and run 'Tor Browser' from https://www.torproject.org/download/\n- use 'Tor Browser' open <TA_URL_removed_by_analyst> \n- enter your ID or you will be banned and will never be able to decrypt your files.\n\nThere will be live chat for your company after successful negotiations for both sides. But there will be plenty of those bad cases of failed negotiations, so don't think about how to avoid it.\nJust focus on negotiations, payment and describe to make all of your problems solved by our specialists within 1 day after payment received: servers and data restored, everything will work good as new.\n\n************************************************\n", "note_short_text": "Your data is stolen and encrypted, see README_<extension_removed_by_analyst>.txt.", "settings": {"local_disks": true, "network_shares": true, "kill_processes": true, "kill_services":
true, "set_wallpaper": true, "net_spread": true, "self_delete": false, "running_one": true}, "credentials": [credentials_
removed_by_analyst], "kill_services": ["mepocs", "memtas", "veeam", "svc$", "backup", "sql", "vss", "sql$", "mysql",
"mysql$", "sophos", "MSExchange", "MSExchange$", "WSBExchange", "PDVFSService", "BackupExecVSSProvider",
"BackupExecAgentAccelerator", "BackupExecAgentBrowser", "BackupExecDiveciMediaService",
"BackupExecJobEngine", "BackupExecManagementService", "BackupExecRPCService", "GxBlr", "GxVss", "GxClMgrS",
"GxCVD", "GxCIMgr", "GXMMM", "GxVssHWProv", "GxFWD", "SAPService", "SAP", "SAP$", "SAPD$", "SAPHostControl",
"SAPHostExec", "QBCFMonitorService", "QBDBMgrN", "QBIDPService", "AcronisAgent", "VeeamNFSSvc",
"VeeamDeploymentService", "VeeamTransportSvc", "MVArmor", "MVarmor64", "VSNAPVSS", "AcrSch2Svc"],
"kill_processes": ["agntsvc.exe", "dbeng50.exe", "dbsnmp.exe", "encsvc.exe", "excel.exe", "firefox.exe", "infopath.exe",
"isqlplussvc.exe", "msaccess.exe", "mspub.exe",
"mydesktopqos.exe", "mydesktopservice.exe", "notepad.exe", "ocautoupds.exe", "ocomm.exe", "ocssd.exe", "onenote.exe",
"oracle.exe", "outlook.exe", "powerpnt.exe", "sqbcoreservice.exe", "sql.exe", "steam.exe", "synctime.exe", "tbirdconfig.
exe", "thebat.exe", "thunderbird.exe", "visio.exe", "winword.exe", "wordpad.exe", "xfssvccon.exe", "*sql*.exe", "bedbh.exe",
"vxmon.exe", "benetns.exe", "bengien.exe", "pvlsvr.exe", "beserver.exe", "raw_agent_svc.exe", "vsnapvss.exe", "CagService.
exe", "QBIDPService.exe", "QBDBMgrN.exe", "QBCFMonitorService.exe", "SAP.exe", "TeamViewer_Service.exe",
"TeamViewer.exe", "tv_w32.exe", "tv_x64.exe", "CVMountd.exe", "cvd.exe", "cvfwd.exe", "CVODS.exe", "saphostexec.
exe", "saposcol.exe", "sapstartsrv.exe", "avagent.exe", "avscc.exe", "DellSystemDetect.exe", "EnterpriseClient.exe",
"VeeamNFSSvc.exe", "VeeamTransportSvc.exe", "VeeamDeploymentSvc.exe"], "white_folders": ["*\\$windows.~ws*",
"*\\$windows.~bt*", "*\\windows\\*", "*\\windows.old*", "*\\system volume information*", "*\\Boot*", "*\\PerfLogs*",
"*\\AppData\\Local\\Temp*", "*\\AppData\\Local\\Microsoft\\GameDVR*", "*\\AppData\\Local\\Microsoft\\Edge*",
"*\\AppData\\Local\\Packages\\Microsoft.*", "*\\AppData\\Local\\Packages\\MicrosoftWindows.*", "*\\AppData\\
Local\\Packages\\Internet Explorer*", "*\\Program Files\\Common Files\\microsoft shared*", "*\\Program Files\\
Common Files\\Services*", "*\\Program Files\\Common Files\\System*", "*\\Program Files\\Internet Explorer*", "*\\
Program Files\\ModifiableWindowsApps*", "*\\Program Files\\Uninstall Information*", "*\\Program Files\\Windows
Defender*", "*\\Program Files\\Windows Mail*", "*\\Program Files\\Windows Media Player*", "*\\Program Files\\
Windows NT*", "*\\Program Files\\Windows Photo Viewer*", "*\\Program Files\\Windows Portable Devices*", "*\\
Program Files\\Windows Security*", "*\\Program Files\\Windows Sidebar*", "*\\Program Files\\WindowsApps*",
"*\\Program Files\\WindowsPowerShell*", "*\\Program Files (x86)\\Common Files*", "*\\Program Files (x86)\\
Common Files\\Microsoft Shared*", "*\\Program Files (x86)\\Common Files\\Services*", "*\\Program Files (x86)\\
Common Files\\System*", "*\\Program Files (x86)\\Internet Explorer*", "*\\Program Files (x86)\\Microsoft\\*Edge*",
"*\\Program Files (x86)\\Microsoft\\Temp*", "*\\Program Files (x86)\\Microsoft.NET*", "*\\Program Files (x86)\\
Windows Defender*", "*\\Program Files (x86)\\Windows Mail*", "*\\Program Files (x86)\\Windows Media Player*",
"*\\Program Files (x86)\\Windows Multimedia Platform*", "*\\Program Files (x86)\\Windows NT*", "*\\Program Files
(x86)\\Windows Photo Viewer*", "*\\Program Files (x86)\\Windows Portable Devices*", "*\\Program Files (x86)\\
Windows Security*", "*\\Program Files (x86)\\Windows Sidebar*", "*\\Program Files (x86)\\WindowsPowerShell*",
"*\\ProgramData\\ssh\\*", "*\\ProgramData\\USOPrivate*", "*\\ProgramData\\USOShared*", "*\\ProgramData\\
Package Cache*", "*\\ProgramData\\Microsoft\\Device Stage*", "*\\ProgramData\\Microsoft\\DeviceSync*", "*\\
ProgramData\\Microsoft\\Diagnosis*", "*\\ProgramData\\Microsoft\\DiagnosticLogCSP*", "*\\ProgramData\\
Microsoft\\DRM*", "*\\ProgramData\\Microsoft\\UEV*", "*\\ProgramData\\Microsoft\\EdgeUpdate*", "*\\
ProgramData\\Microsoft\\Event Viewer*", "*\\ProgramData\\Microsoft\\IdentityCRL", "*\\ProgramData\\Microsoft\\
MapData*", "*\\ProgramData\\Microsoft\\MF*", "*\\ProgramData\\Microsoft\\NetFramework*", "*\\ProgramData\\
Microsoft\\Network*", "*\\ProgramData\\Microsoft\\Provisioning*", "*\\ProgramData\\Microsoft\\Search*", "*\\
ProgramData\\Microsoft\\SmsRouter*", "*\\ProgramData\\Microsoft\\Spectrum*", "*\\ProgramData\\Microsoft\\
Speech_OneCore*", "*\\ProgramData\\Microsoft\\Storage Health*", "*\\ProgramData\\Microsoft\\User Account
Pictures*", "*\\ProgramData\\Microsoft\\Vault*", "*\\ProgramData\\Microsoft\\WDF*", "*\\ProgramData\\Microsoft\\
Windows*", "*\\ProgramData\\Microsoft\\Windows Defender*", "*\\ProgramData\\Microsoft\\Windows NT*", "*\\
ProgramData\\Microsoft\\Windows Security Health*", "*\\ProgramData\\Microsoft\\WinMSIPC*", "*\\ProgramData\\
Microsoft\\WPD*", "*\\ProgramData\\Packages\\USOPrivate*", "*\\ProgramData\\Packages\\USOShared*", "*\\
ProgramData\\Packages\\WindowsHolographicDevices*", "*\\ProgramData\\Packages\\MicrosoftWindows.*", "*\\
ProgramData\\Packages\\Microsoft.*"], "white_files": ["NTUSER.DAT", "autorun.inf", "boot.ini", "desktop.ini", "thumbs.
db", "*.deskthemepack", "*.themepack", "*.theme", "*.msstyles", "*.exe", "*.drv", "*.msc", "*.dll", "*.lock", "*.sys", "*.msu",
"*.lnk", "*.ps1", "*.iso", "*.inf", "*.cab", "*.386"], "white_hosts": []}

rule RansomHub_ransomware_executable
{

meta:

author = “areteir.com”
description = “Detects the RansomHub ransomware executable”
target = “Windows systems”
file_type = “exe”
copyright = “Copyright © 2024 by Arete Advisors, LLC.”
distribution = “No re-distribution without Arete Advisors, LLC consent.”

strings:

$s1 = “json:\”local_disks\””
$s2 = “json:\”running_one\””
$s3 = “json:\”self_delete\””
$s4 = “json:\”white_files\””
$s5 = “json:\”white_hosts\””
$s6 = “json:\”credentials\””
$s7 = “json:\”kill_services\””
$s8 = “json:\”set_wallpaper\””
$s9 = “json:\”white_folders\””
$s10 = “json:\”note_file_name\””
$s11 = “json:\”note_full_text\””
$s12 = “json:\”kill_processes\””
$s13 = “json:\”network_shares\””
$s14 = “json:\”note_short_text\””
$s15 = “json:\”master_public_key\””

condition:

((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and
(9 of ($s*))

}