CUBA Ransomware Malware Analysis

Summary

As a part of Elastic Security’s ongoing threat detection and monitoring efforts, we have recently observed a ransomware intrusion by the CUBA ransomware threat group, internally tracked as REF9019. This report will detail the inner workings of the ransomware deployed inside the network to encrypt the victim’s files. Cuba ransomware provides the attacker with the flexibility to encrypt both local and network shares files in the enterprise. CUBA uses the ChaCha20 cipher algorithm for symmetric encryption and RSA encryption to protect the ChaCha20 keys. CUBA is multithreaded for faster encryption with resource access synchronization to avoid file corruption.

In this analysis we will describe the following:

• Operations mode
• Process and services termination
• Enumeration of volumes
• Threading implementation
• File encryption and algorithms used
• MITRE Attack mapping
• YARA rule
• Indicators of compromise

Static Analysis

| | | | --------------- | ---------------------------------------------------------------- | --- | | SHA256 Packed | 0f385cc69a93abeaf84994e7887cb173e889d309a515b55b2205805bdfe468a3 | | SHA256 Unpacked | 3654af86dc682e95c811e4fd87ea405b627bca81c656f3a520a4b24bf2de879f | | File Size | 135168 bytes | | FileType: | Executable | | Imphash: | CA5F4AF10ABC885182F3FB9ED425DE65 | | Compile Time | Wed Mar 09 22:00:31 2022 | UTC | | Entropy | 6.582 |

Sections

For information on the CUBA ransomware campaign and associated malware analysis, check out our blog posts detailing this:

• CUBA Campaign Analysis
• BUGHATCH Malware Analysis

Imports

GetProcessImageFileNameW
EnumProcesses
NetApiBufferFree
NetShareEnum
GetIpNetTable
PathFindFileNameW
FindFirstFileExW
FindFirstFileW
FindNextFileW
WriteFile
SetFileAttributesW
MoveFileExW
FindFirstVolumeW
TerminateProcess
GetEnvironmentStringsW
OpenProcess
GetCurrentProcessId
CreateProcessW
GetVolumePathNamesForVolumeNameW
FindNextVolumeW
GetCurrentThreadId
RaiseException
GetModuleHandleExW
OpenProcessToken
CryptAcquireContextA
CryptGenRandom
CryptReleaseContext
AdjustTokenPrivileges
LookupPrivilegeValueA
ControlService
ChangeServiceConfigW
PathAddBackslashW
GetCPInfo
GetOEMCP
IsValidCodePage
lstrcpynW
InterlockedDecrement
FindClose
CreateFileW
Sleep
lstrcatW
CloseHandle
CreateThread
lstrcpyW
lstrcmpW
ReadFile
GetFileSizeEx
EnterCriticalSection
GetCurrentProcess
GetModuleFileNameW
LeaveCriticalSection
GetCommandLineA
WaitForSingleObject
GetLastError
SetEvent
GetDiskFreeSpaceExW
ResetEvent
GetWindowsDirectoryW
SetFilePointerEx
ExitProcess
CreateEventA
lstrcmpiW
GetTickCount
DeleteCriticalSection
QueryPerformanceCounter
SetStdHandle
FreeEnvironmentStringsW
GetCommandLineW
DecodePointer
GetStringTypeW
GetProcessHeap
FlushFileBuffers
GetConsoleCP
HeapSize
WriteConsoleW
InitializeCriticalSection
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
InitializeCriticalSectionAndSpinCount
WaitForSingleObjectEx
CreateEventW
GetModuleHandleW
GetProcAddress
IsDebuggerPresent
GetStartupInfoW
GetSystemTimeAsFileTime
InitializeSListHead
RtlUnwind
SetLastError
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
GetFileType
GetStdHandle
MultiByteToWideChar
WideCharToMultiByte
GetACP
HeapFree
HeapAlloc
LCMapStringW
HeapReAlloc
GetConsoleMode
CharLowerW
GetKeyboardLayoutList
wsprintfW
CloseServiceHandle
OpenSCManagerW
OpenServiceW
QueryServiceStatusEx

Strings

Good day. All your files are encrypted. For decryption contact us.
Write here waterstatus@cock.li
reserve admin@encryption-support.com
jabber cuba_support@exploit.im
We also inform that your databases, ftp server and file server were downloaded by us to our servers.
If we do not receive a message from you within three days, we regard this as a refusal to negotiate.
Check our platform: http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion/
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software,
  it may cause permanent data loss.
* Do not stop process of encryption, because partial encryption cannot be decrypted.
!! READ ME !!.txt

Code Analysis

Entry Point

The malware starts by retrieving the active input locale identifier of the victim using the GetKeyboardLayout API. When the Russian language is in the list of supported languages of the machine, the process deletes and terminates itself with a simple command line: c:\system32\cmd.exe c/ del PATH_TO_BINARY without encrypting the file system.

Command-line Options

The threat actor included 4 different operations based on the following command-line arguments:

• The network keyword
• An IP keyword
• A path keyword
• The local keyword

Network keyword parameter

When specifying the network keyword, the malware retrieves the Address Resolution Protocol (ARP) table of the machine using the GetIpNetTable Windows API and enumerates the shares of each IP in the ARP table, this information is added to a linked list that will be accessed by the encryption capability, which will be discussed further below in detail.

IP keyword parameter

By specifying an IP address as the first parameter in the command line the malware proceeds by enumerating and encrypting every share found for the specified IP.

Path keyword parameter

The malware will encrypt the local directory contents, or the file provided, as the first parameter of the command-line.

Local keyword parameter

The local keyword is used to encrypt every local volume on the machine, and because the malware targets volumes by their ID, it can encrypt both mounted and unmounted volumes.

Process Termination

CUBA starts by acquiring SeDebugPrivilege and then terminates a hardcoded list of processes and services using a common Windows API (see appendix for list [1], [2]). For some services, the malware first tries to disable the service– indicated by the second parameter of TerminateProcesses::TerminateServiceByName function. This is mainly done to prevent interference with the encryption process by applications that may lock files from external changes, for example, databases.

Local Volume Enumeration

The malware enumerates all the local volumes and for each volume larger than 1GB it saves the volume’s GUID in a custom linked list. The ransomware utilizes the CriticalSection object to access this linked list for synchronization purposes due to multiple threads accessing the same resource. This helps to avoid two threads encrypting the same file at the same time, a race condition that would corrupt the file.

Multithreaded Encryption Synchronization

After preparing a list to encrypt, CUBA ransomware spawns encryption threads with the structure defined below as a parameter. Depending on the command line arguments, the malware starts 4 threads for local encryption or 8 threads for network encryption.

When a thread finishes its task, it will decrement a counter until it reaches 0: lpParameter-\>NumberOfThreadRunning. When the last thread completes, it will alert the program that the task is done with a call to SetEvent API, which will self delete and terminate the malware.

Encryption Implementation

The malware leverages the symmetric encryption algorithm ChaCha20 to encrypt files and the asymmetric encryption algorithm RSA to protect the ChaCha20 Key and Initialization Vector (IV). The author has utilized a customized version of WolfSSL, an open source SSL/TLS library, to implement this capability. Other samples (2957226fc315f71dc22f862065fe376efab9c21d61bbc374dde34d47cde85658) implemented a similar function using the libtomcrypt library. Other implementations may exist that are not described here.

The ransomware allocates a large custom structure called block that contains all the required encryption information. It then initializes an RsaKey structure with wc_InitRsaKey and decodes an embedded 4096 bit RSA public key in DER format using wc_RsaPublicKeyDecode which it saves to block.PubRsaKey.

File Enumeration

Each thread takes an entry from the linked list and starts recursively enumerating files starting from the root of the volume. In the case of a specific directory, the same function is called recursively except for specific directories (see appendix for list). Otherwise, it will ignore the ransom note file !! READ ME !!.txt and files with specific extensions (see appendix for list).

The malware uses wc_RNG_GenerateBlock a WolfSSL function, to randomly generate 44 bytes. The first 32 bytes of that are used as the ChaCha20 key and the other 12 bytes are used as the IV, it then calls a function to initiate the ChaCha20 structure block.chacha20_KeyIv that will be later used to encrypt the file content. At this point, the ransomware is ready to start encrypting and writing to the file.

Before encrypting a file, Cuba ransomware prepends a 1024 byte header, the first 256 bytes are the string FIDEL.CA and some DWORD bytes values, the next 512 bytes are the encrypted ChaCha20 KEY/IV with the public RSA key and the rest is padded with 0.

Before starting the encryption, the malware double checks if the file was already encrypted by comparing the first 8 bytes of the file to the header string FIDEL.CA. If equal, the malware terminates the encryption process as described below.

Then CUBA writes the 1024 byte header and if the file is larger than 2 MB it reads 1 MB of data at a time from the file and encrypts it with the ChaCha20 cipher. Otherwise, it will read and encrypt the entire contents at once.

The malware encrypts the file in 1 MB chunks and, depending on the file’s size, it will skip a preset number of bytes. This is done primarily to speed up the encryption process of large files, below is a table to illustrate.

Finally, it will rename the file by adding the extension .cuba.

MITRE ATT&CK Techniques

Using the MITRE ATT&CK® framework, techniques and sub techniques represent how an adversary achieves a tactical goal by performing an action.

• Data Encrypted for Impact
• Network Share Discovery
• Process Discovery
• Service Stop
• System Information Discovery
• Indicator Removal on Host: File Deletion
• Obfuscated Files or Information: Software Packing
• System Network Configuration Discovery
• System Location Discovery: System Language Discovery
• Data Encrypted for Impact
• Access Token Manipulation

Appendix

List of Terminated Processes

• sqlagent.exe
• sqlservr.exe
• sqlwriter.exe
• sqlceip.exe
• msdtc.exe
• sqlbrowser.exe
• vmwp.exe
• vmsp.exe
• outlook.exe
• Microsoft.Exchange.Store.Worker.exe

List of Terminated Services

• MySQL
• MySQL80
• SQLSERVERAGENT
• MSSQLSERVER
• SQLWriter
• SQLTELEMETRY
• MSDTC
• SQLBrowser
• vmcompute
• vmms
• MSExchangeUMCR
• MSExchangeUM
• MSExchangeTransportLogSearch
• MSExchangeTransport
• MSExchangeThrottling
• MSExchangeSubmission
• MSExchangeServiceHost
• MSExchangeRPC
• MSExchangeRepl
• MSExchangePOP3BE
• MSExchangePop3
• MSExchangeNotificationsBroker
• MSExchangeMailboxReplication
• MSExchangeMailboxAssistants
• MSExchangeIS
• MSExchangeIMAP4BE
• MSExchangeImap4
• MSExchangeHMRecovery
• MSExchangeHM
• MSExchangeFrontEndTransport
• MSExchangeFastSearch
• MSExchangeEdgeSync
• MSExchangeDiagnostics
• MSExchangeDelivery
• MSExchangeDagMgmt
• MSExchangeCompliance
• MSExchangeAntispamUpdate

Excluded Directories

• \windows\
• \program files\microsoft office\
• \program files (x86)\microsoft office\
• \program files\avs\
• \program files (x86)\avs\
• $recycle.bin\
• \boot\
• \recovery\
• \system volume information\
• \msocache\
• \users\all users\
• \users\default user\
• \users\default\
• \temp\
• \inetcache\
• \google\

Excluded File Extensions

• .exe
• .dll
• .sys
• .ini
• .lnk
• .vbm
• .cuba

YARA Rule

Elastic Security has created YARA rules to identify CUBA ransomware activity.

rule Windows_Ransomware_Cuba {
    meta:
        os = "Windows"
        arch = "x86"
        category_type = "Ransomware"
        family = "Cuba"
        threat_name = "Windows.Ransomware.Cuba"
        Reference_sample = "33352a38454cfc247bc7465bf177f5f97d7fd0bd220103d4422c8ec45b4d3d0e"

    strings:
       $a1 = { 45 EC 8B F9 8B 45 14 89 45 F0 8D 45 E4 50 8D 45 F8 66 0F 13 }
       $a2 = { 8B 06 81 38 46 49 44 45 75 ?? 81 78 04 4C 2E 43 41 74 }
     $b1 = "We also inform that your databases, ftp server and file server were downloaded by us to our     servers." ascii fullword
       $b2 = "Good day. All your files are encrypted. For decryption contact us." ascii fullword
       $b3 = ".cuba" wide fullword

    condition:
        any of ($a*) or all of ($b*)
}

Observations

Atomic indicators observed in our investigation.

Artifacts

Artifacts are also available for download in both ECS and STIX format in a combined zip bundle.