Kanti: A NIM-Based Ransomware Unleashed in the Wild

by Valentin / Saturday, 13 January 2024 / Published in RSS blog posts

New Ransomware Strain Sets Sights on Cryptocurrency Users

New programming languages often have fewer security measures and less mature detection mechanisms than well-established ones. Threat Actors (TAs) often attempt to bypass traditional security defenses and avoid detection by using a less-known programming language.

NIM, a programming language designed for efficient execution and high performance, has recently drawn the attention of malware developers, partly because it is still relatively unfamiliar to defenders. Another reason is NIM’s cross-platform support: the same code can be compiled into executable files for both Windows and Linux operating systems.

Previously, the Dark Power ransomware group utilized the NIM programming language to create ransomware variants that can encrypt victims’ files while deliberately excluding critical system files. Moreover, the malware possessed the capability to clear logs and generate a ransom note within each infected folder.

Cyble Research and Intelligence Labs (CRIL) recently encountered a novel strain of ransomware named “Kanti.” This particular ransomware variant earned its name by modifying the encrypted file extension to “.kanti” and dropping a ransom note named “Kanti.html” after the encryption process. This ransomware specifically targets cryptocurrency users, as it employs file names associated with crypto wallets, particularly BTC (Bitcoin).

This blog provides insights into Kanti ransomware’s technical aspects and how victims are enticed through crypto wallets.

Technical Analysis

We have identified a compressed file named “BTC Wallet.zip” that includes two files: “Open Private Keys For Access To Wallet.lnk” and “Locked_253_BTC.zip”, as shown below.

Figure 1 – Files inside the main ZIP file

The name of the ZIP file suggests that it may have been distributed to users via spam emails or a phishing website, specifically targeting individuals involved in cryptocurrency activities.

The “Locked_253_BTC.zip” file carries a ZIP extension and a name suggesting Bitcoin-related content, such as a cryptocurrency wallet. “Open Private Keys For Access To Wallet.lnk” is a Windows shortcut file designed to make users believe it provides the private keys needed to unlock the funds supposedly stored in “Locked_253_BTC.zip”. Private keys are essential for managing and accessing cryptocurrency wallets.

The shortcut’s target is the command “cmd.exe /c start Locked_253_BTC.zip”. Although “Locked_253_BTC.zip” is named as a ZIP archive, it is actually a PE executable, and this command runs it directly as a program rather than opening it with the handler associated with the .zip extension. That executable is the ransomware binary.
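The lure works because the archive pairs a Windows shortcut with a PE file whose extension says “.zip”. A mail gateway or sandbox can catch exactly that combination by classifying each archive member by its leading bytes instead of its name. The scanner below is an added example written for this post, not Cyble’s code: it checks the content type of every member against what its extension claims and flags any shortcut packaged inside an archive. The sample archive it builds is constructed here (the “PE” is just an MZ header padded with zeros, not a runnable program), and the magic values are the standard ones for PE, ZIP and the ShellLinkHeader.

```python
import io
import os
import zipfile

# Magic bytes for the three file types that matter in this lure.
# The LNK value is the fixed ShellLinkHeader prefix (HeaderSize 0x4C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046).
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
LNK_MAGIC = bytes.fromhex("4C000000011402000000000000C000000000000046")

# What a given extension claims the content should be.
EXT_EXPECT = {".zip": "zip", ".exe": "pe", ".lnk": "lnk"}


def classify(head: bytes) -> str:
    """Identify a file type from its first bytes, ignoring the extension."""
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def scan_archive(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) pairs for suspicious members of a ZIP file.

    Two checks: the content type must agree with the extension, and a Windows
    shortcut inside an archive is flagged regardless, since a .lnk is a common
    launcher for a renamed executable sitting next to it.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # enough bytes for every magic value above
            kind = classify(head)
            ext = os.path.splitext(info.filename)[1].lower()
            expected = EXT_EXPECT.get(ext)
            if expected is not None and kind != expected:
                findings.append(
                    (info.filename, f"extension claims {expected} but content is {kind}")
                )
            if kind == "lnk":
                findings.append((info.filename, "Windows shortcut packaged inside an archive"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for the lure layout: a .lnk next to a PE named .zip.

    The 'PE' member is only an MZ header padded with zeros; it is not a program.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Open Private Keys For Access To Wallet.lnk", LNK_MAGIC + b"\x00" * 44)
        zf.writestr("Locked_253_BTC.zip", PE_MAGIC + b"\x00" * 62)
        zf.writestr("notes.txt", b"benign text file for contrast")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_archive(build_sample_archive()):
        print(f"{name}: {reason}")
```

Reading 64 bytes per member is enough for these signatures; a production scanner would extend `classify()` with more formats and apply the same extension-versus-content rule to every member, nested archives included.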

The figure below shows the contents of the “BTC Wallet.zip” file and properties of the “Open Private Keys For Access To Wallet.lnk” file.

Figure 2 – Command used by Windows Shortcut file

Kanti Ransomware

“Locked_253_BTC.zip” is a 64-bit GUI-subsystem executable written in the NIM programming language, with the SHA256 hash ce61f7dad5a1bb7ef8dedb6938b3e6f4fbd4bf991fdd62212578a92c9ae6dec1, as shown below.

Figure 3 – Static file details

After being executed, the ransomware scans the system volumes and uses the FindFirstFileW() and FindNextFileW() API functions to search through files and directories, identifying the files that need to be encrypted.

The ransomware excludes specific file and folder names and file extensions from its encryption process. By leaving these out, the TAs ensure that critical system files, essential operating system components and other elements the system needs in order to run remain intact, so the machine keeps functioning after infection.

As the figure below shows, Kanti ransomware excludes specific folder names, file names, and file extensions from encryption.

Figure 4 – Exclusion list used by ransomware

Once the ransomware has identified the target files, it uses the “BCrypt.dll” module: it calls BCryptGenRandom() with the BCRYPT_USE_SYSTEM_PREFERRED_RNG flag to generate key material securely and then performs the encryption, as shown in Figure 5. The module is loaded dynamically, and the Win32 API function addresses the ransomware needs for its main operations are resolved at runtime.

Figure 5 – Encryption process

Afterward, the malware uses the MoveFileExW() API function to replace each original file with its encrypted version, renamed with the “.kanti” extension, as illustrated below.

Figure 6 – MoveFileExW() operation

The figure below depicts the files encrypted by Kanti ransomware after the successful infection of a victim’s machine.

Figure 7 – Encrypted files by Kanti ransomware

Subsequently, the ransomware drops a ransom note named “Kanti.html” on the Desktop. The note instructs victims on how to contact the TAs behind the ransomware in order to negotiate the ransom payment. Its contents are shown in the figure below.

Figure 8 – Contents of the Ransom note

Additionally, the ransomware runs the following command using cmd.exe to delete the ransomware file and open the “Kanti.html” file to display the ransom note to victims before exiting the Command Prompt.

cmd.exe /c ping 127.0.0.1 -n 3 && del C:\Users\<User>\Desktop\Locked_253_BTC.zip && C:\Users\<User>\Desktop\Kanti.html && exit
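Both cmd.exe invocations in this chain are good detection material: the shortcut uses `start` on a file with a non-executable extension, and the cleanup command uses `ping 127.0.0.1 -n N` as a sleep before `del`, a long-standing self-deletion idiom, launched by a parent process whose image path ends in “.zip”. The detector below is an added example written for this post, not Cyble’s code; it runs three rules over constructed process-creation records modelled on the fields a Sysmon Event ID 1 or EDR log carries (image, parent image, command line). The sample events, paths and the benign controls are all constructed here.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record: the fields a Sysmon Event ID 1 or EDR log carries."""
    parent_image: str
    image: str
    command_line: str


# Extensions that should never be a running process image or the target of `start`.
NON_EXEC_EXT = (".zip", ".txt", ".pdf", ".jpg", ".png", ".doc", ".docx")

# `ping 127.0.0.1 -n N` is the classic cmd.exe sleep; paired with `del` it is a self-deletion chain.
PING_DELAY = re.compile(r"\bping(?:\.exe)?\s+(?:127\.0\.0\.1|localhost)\s+-n\s+\d+", re.I)
DEL_CHAIN = re.compile(r"&&\s*(?:del|erase)\s+\S", re.I)
# First token after a `start` verb, quoted or bare (a quoted token may be the window title).
START_TARGET = re.compile(r'\bstart\s+(?:"([^"]*)"|(\S+))', re.I)


def detect(event: ProcessEvent) -> list[str]:
    """Return human-readable findings for one process-creation event."""
    hits = []
    # Rule 1: an executable image (or parent image) that pretends to be a document or archive.
    for role, path in (("image", event.image), ("parent image", event.parent_image)):
        if path.lower().endswith(NON_EXEC_EXT):
            hits.append(f"{role} has a non-executable extension: {path}")

    if event.image.lower().endswith("cmd.exe"):
        cl = event.command_line
        # Rule 2: ping-based delay chained into a delete.
        if PING_DELAY.search(cl) and DEL_CHAIN.search(cl):
            hits.append("ping delay followed by del: self-deletion chain")
        # Rule 3: `start` of something that is not an executable by name.
        m = START_TARGET.search(cl)
        if m:
            target = m.group(1) if m.group(1) is not None else m.group(2)
            if not target:  # `start "" <target>`: empty window title, real target follows
                rest = cl[m.end():].strip()
                target = rest.split()[0].strip('"') if rest else ""
            if target.lower().endswith(NON_EXEC_EXT):
                hits.append(f"cmd start of a non-executable extension: {target}")
    return hits


# Constructed events; the first two mirror the behaviour described in this post.
SAMPLE_EVENTS = [
    # Shortcut lure: explorer.exe launches cmd, which `start`s a PE disguised as a ZIP.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c start Locked_253_BTC.zip"),
    # Cleanup: the renamed binary spawns cmd to wait, delete itself and open the note.
    ProcessEvent(r"C:\Users\victim\Desktop\Locked_253_BTC.zip", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c ping 127.0.0.1 -n 3 && del C:\Users\victim\Desktop\Locked_253_BTC.zip"
                 r" && C:\Users\victim\Desktop\Kanti.html && exit"),
    # Benign control: a script that only pauses.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c ping 127.0.0.1 -n 3"),
    # Benign control: `start` with an empty title and a real executable.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c start "" notepad.exe'),
]


def run_demo() -> list[list[str]]:
    """Apply the rules to every sample event; one findings list per event."""
    return [detect(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run_demo()):
        print(event.command_line, "->", hits or ["no finding"])
```

Rule 1 is the cheapest and most specific of the three, since a process whose image path ends in an archive or document extension is anomalous on its own; rules 2 and 3 are deliberately conjunctive (delay *and* delete, `start` *and* a non-executable target) so that ordinary `ping` pauses and `start notepad.exe` stay quiet.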

The figure below illustrates the process tree of the Kanti ransomware infection.

Figure 9 – Process tree

Conclusion

Ransomware TAs are increasingly focusing on cryptocurrency users, drawn by the potential for higher ransom payments, the apparent anonymity of crypto transactions, and the likelihood that tech-savvy individuals possess valuable data.

Additionally, NIM, being a relatively newer language, may lack robust security mechanisms and detection compared to more established programming languages. This security gap presents an opportunity for malware authors to evade detection and improve the efficiency of their malware attacks.

As organizations take steps to fortify themselves against ransomware attacks, there is a concurrent rise in the emergence of new ransomware groups. These groups continually adapt their strategies and scale up their activities to maximize their monetary profits.

Cyble Research and Intelligence Labs continuously monitors new ransomware campaigns, ensuring that our readers stay updated on the latest findings and developments of the malware.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

  • Detach infected devices on the same network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impact of Ransomware

  • Loss of valuable data.
  • Loss of the organization’s reputation and integrity.
  • Loss of the organization’s sensitive business information.
  • Disruption in organization operation.
  • Financial loss.

MITRE ATT&CK® Techniques

Tactic          | Technique ID | Technique Name
----------------|--------------|-----------------------------------
Execution       | T1204        | User Execution
Execution       | T1059        | Command and Scripting Interpreter
Defense Evasion | T1070        | File Deletion
Defense Evasion | T1036        | Masquerading
Discovery       | T1082        | System Information Discovery
Discovery       | T1083        | File and Directory Discovery
Impact          | T1486        | Data Encrypted for Impact

Indicators of Compromise (IOCs)

Indicators                                                       | Indicator Type | Description
-----------------------------------------------------------------|----------------|------------------------------------------
c25e3f897192c324d689d5d3bbd180bb                                 | MD5            | BTC Wallet.zip
1e761ae5802cf9085d42cf6d991d7e15ab8976b7                         | SHA1           | BTC Wallet.zip
48eaf4aec9e5b9d51e8b4a98ac22b8f0ed0f7deadeff333d93e1fdc268abd932 | SHA256         | BTC Wallet.zip
c82127fd8c4f288ebbe07a12606ff87c                                 | MD5            | Open Private Keys For Access To Wallet.lnk
cc0d3593e977845bf6d4e23359b625b43c57e0e0                         | SHA1           | Open Private Keys For Access To Wallet.lnk
556d38e14124cedbd9c477ffa3dba03979b347f20046733db51a42638cf68849 | SHA256         | Open Private Keys For Access To Wallet.lnk
d8b6fe900e0a446d3ff44e967d358700                                 | MD5            | Locked_253_BTC.zip (Kanti Ransomware exe)
3775db152fdf754105ae0b5ced67897209d6203d                         | SHA1           | Locked_253_BTC.zip (Kanti Ransomware exe)
ce61f7dad5a1bb7ef8dedb6938b3e6f4fbd4bf991fdd62212578a92c9ae6dec1 | SHA256         | Locked_253_BTC.zip (Kanti Ransomware exe)

The post Kanti: A NIM-Based Ransomware Unleashed in the Wild appeared first on Cyble.
