More ransomware analysis! Many companies and institutions are experiencing a strong season of ransomware attacks leveraged by different threat actors that after the intrusion use ransomware to obtain direct income from them(RaaS model). Among these new ransomwares I decided to pick Mespinoza aka Pysa ransomware.
Mespinoza also know as Pysa due the file extension of its encrypted files is a ransomware that encrypts selected file types in a system’s available drives and appends the “.pysa” extension to the encrypted files. This ransomware has been spotted in two different languages/variants, C++ and Python.
This activity have been also reported by the French CERT. Link to the report: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-002.pdf
For this overview I analyzed the following sample:
MD5: e3da64fd9a0a585ebe00ac7f235104d6
e3da64fd9a0a585ebe00ac7f235104d6 is a variant of Mespinoza aka Pysa written in C++ that uses a statically linked library(Crypto++) for its crypto operations. The malware was initially a bit tedious to deal with due the fact that is written in C++ and it relies heavily in object oriented programming.
However the main structure and the functionalities can be summarized in activating a mutex, encrypting the filesystem and storing the ransom note in the registry (for persistence of the note). Afterwards it deletes itself by dropping and executing a batch file.
The malware hasn’t been seen using packing, crypters or generic loaders. I also took a look to the Python version just for the sake of curiosity. Both share multiple similarities and the only big difference between them is the implementation of the functionalities in an interpreted language versus a object oriented programming language and the AES mode used, being AES in CFB mode in C++ version whereas it uses AES in OFB mode in the Python version.
Initial Analysis
e3da64fd9a0a585ebe00ac7f235104d6 creates the mutex object “Pysa” right after starting to ensure only one instance of the malware is running at one time. This was fundamental for the author to implement not only to avoid reinfecting a machine, what could end in a non recoverable host, but to avoid overlapping access to the resources needed to encrypt the files.
Once this step is completed, the malware spawns a new thread to start the encryption of the filesystem. This is done after initializing the cryptographic variables that the malware uses to encrypt the files.
Encryption
The malware developers decided to follow the traditional scheme of embedded public to generate the rest of the keys on the fly. This way the files cannot be decrypted without the private key which is in possession of the attacker. Instead of fully relying on the Windows Crypto API to encrypt the files, Mespinoza contains a statically linked library named Crypto++, a common and open source library for cryptography in C++ language.
The public documentation of Crypto++ can be found here: https://www.cryptopp.com/docs/ref/
Mespinoza contains an embedded 4096-bit RSA key that is imported and used to encrypt additional keys. The size was estimated due to the length of the public key compared to different key pair sizes. e3da64fd9a0a585ebe00ac7f235104d6 contains the following embedded RSA key:
<30820220300D06092A864886F70D01010105000382020D00308202080282020100A59FC62FF69F67A7E15B7CB46BD85EC4EE7AE98A105663DEF29191AC57C70E3D25420C430A0A82AF3946F01C8912732F613C7C6FD889C620DC0C75F5A24242C170A9369FE64C7E2D558458DBAFBF884E931DF375DF1BD35490E2D27473BE0FFCD76B748FF5AAC2A6C9E2E027E4F8ADD7E65757F471C9A3695D1EB2D064757C5EBB99DFF7BF73222C6148E530E995E07B5BE21D2F920AECA31DC5BE8889449B8A85705C7D0A5C928772DB7BB1FEFA96A0EBB791BD89D245235CA23A6308159A6F3CAE9622BB9EAF88AF043663DE7C78502C3AC8D54579C472E5A8A181CE9740E629B15825F783B452312ECC6BD48DA5CCF5D679C1E90F41D5C7D1A48C95D6F41C91BB386F53D746D1285F4D2913D5308D10123BD0CDFD3455FEA9897A6A66A56A8CD4C386D7DD188E625D454B471F4D5582467F4A00B1AD0076CFA1B5E34C23415BBC556C898074F16B2D44CC0F8C08ACCD1E09A1AFA6BC045EE75D82106AA5C7F91E0F2AFBA1444F4EE0AE389C9FF11EE16EE52C70F5B5EE1F14E81D862C6DC68E3D597A556298A1B40F8D4CC9BE8949D70375B59A6C78DECF10E39E28814993D7E19571603AA94E4DF1FAA7745626F093A52279EF1A2EE41A0AD859364252726780183ABC7E9AC998D2977A5ABFE42F3014CBA0CBD8483336220A1B58C1A2B4CBDBA54A23975E415597F28C326AF714FAFFE32BF110A9FB03D9914654E25917020111>
Mespinoza initializes its crypto by using multiple function calls to CryptAcquireContextA. This allows the malware to acquire a handle to a particular key container.
In this case we can see in the image below that the first call has most of its parameters blank except for providertype(value 1) and dwFlags(0xf0000000). This indicates that CryptAcquireContext is called using the flag “CRYPT_VERIFYCONTEXT”, meaning that the CryptoAPI will create a key container in memory that will be released when CryptReleaseContext is called.
When the aforementioned flag is used (pszContainer parameter must be NULL) it can be used in the following cases related with our context:
- Creating a hash.
- Generating a symmetric key to encrypt or decrypt data.
- Deriving a symmetric key from a hash to encrypt or decrypt data.
- Verifying a signature. It is possible to import a public key from a PUBLICKEYBLOB or from a certificate by using CryptImportKey or CryptImportPublicKeyInfo.
These function calls are likely to be initialized for Crypto++ and not to generate keys as this library requires it in order to use its classes and functions for cryptographic operations and it has to rely on the Windows CryptoAPI functions to generate a pool of random numbers to generate keys.
Mespinoza utilizes only a few function calls that are visible in the import table, being CryptAquireContextA, CryptReleaseContext and CryptoGenRandom. This last one function is called only once, indicating that is heavily relying in the linked library Crypto++ to handle its operations.
To generate the keys, the malware is configured to use the symmetric-key algorithm AES-256 in CFB mode. This mode requires not only a key but also an 16 bytes length initialization vector(IV) for encryption.
In the image below can be observed the use of CryptGenRandom which will be used by Crypto++ functions to generate pseudorandom numbers for their keys. The CFB mode of AES was determined by observing the use of the linked library functions within the binary. For CFB mode the algorithm expect an initialization vector composed by a pseudorandom number of 16 bytes. These two parameters are required for CFB AES mode.
The ransomware generates the encryption keys and IV on the fly every time a file is selected to be encrypted. The second step is to read the public key to encrypt these values and then converting the output to hex format. Once this step is succeeded, the buffer containing the encrypted keys is written and appended to the file. To allow decryption, Mespinoza uses the public key to encrypt each key and IV used for each encrypted file, encodes them in hex format and appends it to each file.
This means that each encrypted file contains the keys required to decrypt it.
The attacker’s decryptor would use the private key in their possession from the exact RSA key pair and it would extract, decode and decrypt the encrypted keys from the each file to then decrypt the content of the original file.
Below can be observed the string “this is a test” within a txt file encrypted by Mespinoza with a chunk of hex values embedded at the very end of the file.
Before starting encrypting the filesystem, the malware contains two lists: a whitelist and a blacklist of directories and files.
This was implemented to avoid encrypting vital directories of the victim in order to allow the recovery with the attackers decryptor.
The following directories are part of the whitelist: Windows, Boot, Bootsect, pagefile, System Volume Information, bootmgr, Recovery and Microsoft.
If the file is valid for encryption, the first step the malware takes is to rename the file with the extension .pysa.
Files with this extension are excluded from encryption to allow its recovery.
Mespinoza also contains as well a list of targeted file extensions in a predefined blacklist. If the file has an extension not present in the blacklist, the file is ignored and skipped from the encryption process.
The malware also checks if the encrypted drive is C. Below the encryption loop to check all the directories starting on “C:\” to scan all the files and folders available. The ransom note is printed to all the affected directories.
The malware contain the following ransom note with two emails of contact that belongs to the attacker. Details about the ransom note are described below.
Additional features
The malware contains two additional functionalities. One to store the ransom note in the Windows registry and self-deletion.
The malware modifies the registry key “SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ” to make the ransom note to be displayed during the Windows Startup.
The end goal is to notify the user every time it logins in. The values inserted in the modified registry key can be observed below.
After these steps, the malware removes itself . Mespinoza releases the aforementioned mutex “Pysa”, writes a batch script named “update.bat” and executes it by calling ShellExecuteA function with the parameters “open update.bat”. This batch script removes the malware from the filesystem, leaving behind only the encrypted files and the ransom note.
The batch script contains the following data:
:Repeat
del %s(where %s is its own path)
if exists %s goto Repeat
rmdir %s
del %s
MITRE ATT&K
- T1012 Discovery — Query Registry
- T1486 Impact— Data Encrypted for Impact
Related Samples
- a87995539ce200aa4896b8aa2f5d97a6ce80d65924356da9cfde10312c35762e
- 4770a0447ebc83a36e590da8d01ff4a418d58221c1f44d21f433aaf18fad5a99
- e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead
Resources
- https://support.microsoft.com/en-ie/help/238187/cryptacquirecontext-use-and-troubleshooting
- https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta
- https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandom
- https://www.cryptopp.com
- https://en.wikipedia.org/wiki/RSA_(cryptosystem)#Padding_schemes
