Red Ransomware Group, a new threat actor

Beacon Lab recently investigated an incident in which a new ransomware group was discovered, named Red Ransomware Group according to its public blog and also known as Red CryptoApp (after the extension appended to encrypted files). Like most of today’s ransomware groups, they use a double extortion strategy: file encryption plus data exfiltration, with the stolen data published on a public blog (“Hall of Shame”). In this article we discuss the tactics, techniques and procedures (TTP) of this new group, as well as some characteristics of its operation.

Operation of Red Ransomware Group:

At the time of the investigation, the group’s public blog (“Hall of Shame”) listed only about ten victims. The first victims appear to have been posted on the portal on March 5, 2024, with the group’s attacks beginning in mid-February 2024 at the earliest. Like most ransomware groups, this group leaves a ransom note in txt format, named HOW_TO_RESTORE_FILES.REDCryptoApp.txt, in every encrypted folder. The note contains a reference to the private negotiation portal and a unique ID for each victim.

The negotiation portal consists of a chat with the group’s support team, together with the payment details (wallet address and amount demanded) and some details of the attack. The stated size of the exfiltrated data is most likely false. According to other analyzed notes, the wallet address appears to be the same for several victims. So far, no payments have been made to the wallet.


An analysis of the group’s public blog suggests that this is a new group that began operations recently. At the time of the blog analysis, 12 victims were listed, all with the same date; in the last few days only one new victim has been added. Although the download links for the published files currently point to an address other than the public blog and are broken, at the time of analysis the links worked and were confirmed to allow the download of legitimate data exfiltrated from the victims.

It is striking that in some cases the description given for a victim does not actually correspond to the victim company but to another company with a similar name, which shows a certain carelessness when listing victims and suggests a semi-manual, error-prone Google search process.

Chain of infection and techniques:


Initial attack vector:

In the investigated incident, Red Ransomware Group was found to exploit CVE-2023-47246 in SysAid, a vulnerability publicly reported in early November 2023. It is a path traversal vulnerability leading to code execution that affects SysAid on-premise versions prior to 23.3.36. Through it, the actor was able to upload webshells to the SysAid root directory and take control of the server. The webshells were found in a “managerap” path inside the root directory of SysAid’s Tomcat server, an attempt to blend in with the legitimate manager folder that is part of the application’s real structure. Several webshells were found, among them Jsp File Browser, which allows, among other things, exploring the file system, reading, creating and modifying files, executing commands and uploading artifacts. The group uses this webshell to upload, execute and install remote management (RMM) software on the server.

It cannot be ruled out that the group uses access previously acquired from other criminal groups that compromise servers and typically sell that access in underground markets (“access brokers”): in the case investigated, several webshells had already been injected earlier, all resulting from exploitation of the SysAid vulnerability mentioned above.

Command and control:

The group has been observed using the JWrapper tool to deploy SimpleHelp Remote Access, remote control software intended for remote support, in a self-hosted client-server model. The SimpleHelp client connects to a server under the attacker’s control; in this case, the attacker’s server was located at https://64.31.63.240/access, hosted by LimeStone Networks (France).

We also detected other remote control tools that had been installed using NSSM (Non-Sucking Service Manager), a legitimate tool for managing services on Windows. The NSSM executable was located in C:\windows\system32, masked under the name HealthReport.exe. NSSM installed and executed AnyDesk, another popular remote control program, and a malicious DLL, c:\windows\system32\users.dll (SHA256: e37b95bb9bee64cc0313eaad8a0269493745f89413bd78b58bb3b479b36084ae). This DLL waits for commands that are sent to it via https://cl1p.net/101012. Cl1p.net is a free online clipboard: the attacker writes a command there and the compromised server reads it, so commands reach the server while evading security tools that cannot inspect the command being sent.

We also found that ScreenConnect was used, with connection ID b5be755f21077092. It is not entirely clear whether all of these tools were installed by Red Ransomware Group or whether some were provided by an access broker that had previously gained control of the compromised SysAid server. The use of AnyDesk and ScreenConnect as a secondary C&C mechanism by this group was confirmed. All command and control tools had been installed as system services configured to run at startup, for greater persistence.

Internal scanning:

The group uses SoftPerfect Network Scanner (netscan.exe) to scan other computers on the network. It is a portable scanner that can discover hosts, scan ports, find shared folders and extract computer details via WMI, SNMP, HTTP, SSH and PowerShell.

We also observed the use of Nmap and Advanced IP Scanner, but it is very likely that they were installed and made available by other access brokers.

Lateral movement:

To move laterally to other computers on the network, Red Ransomware Group mostly uses Pass-the-Hash. To dump hashes the group uses ProcDump, a command-line tool developed by Microsoft as part of Sysinternals that creates dumps of processes on Windows systems. In this case, the actor obtains the hashes from a dump of the lsass.exe process:

C:\Programdata\p64.exe -accepteula -ma lsass.exe C:\Programdata\o.dmp

The dump allows the attacker to obtain the domain administrator hashes, which are then used to connect to various machines and deploy artifacts, including the encrypter. Using the SMBExec tool, the attacker enables Restricted Admin mode, which makes Pass-the-Hash lateral movement over RDP possible.

Obfuscated command:

%COMSPEC% /Q /c echo powershell -exec bypass -enc TgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwB5AHMAdABlAG0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwATABzAGEAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBSAGUAcwB0AHIAaQBjAHQAZQBkAEEAZABtAGkAbgAiACAALQBWAGEAbAB1AGUAIAAiADAAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAFcATwBSAEQAIAAtAEYAbwByAGMAZQA= ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

Deobfuscated command (base64 payload decoded):

%COMSPEC% /Q /c echo powershell -exec bypass -enc New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force > \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

Exfiltration:

Red Ransomware Group uses the well-known Rclone tool, a command-line tool for synchronizing files and directories between a computer and the most popular cloud storage providers. The actor sends the exfiltrated data to Put.io, a well-known cloud hosting service that other groups have used in the past. In the case under investigation, exfiltration took place from only one of the affected servers.

Persistence:

To ensure persistence, the actor creates several users, both local and workgroup, which were added to the local administrators group of the affected computers using native Windows commands (quser and net):


Evasion:

We observed that the group uses the well-known anti-rootkit tools GMER and Avast aswArPot, masked under the names un63td1n.exe and aswQP_Avar.sys respectively, to kill the antivirus / EDR processes and thus evade any protection or blocking they might provide.

Impact:

To deploy the ransomware, the attacker uses PDQ Deploy, a tool for mass deployment of scripts to multiple devices.

With this tool, the attacker builds an XML package that is deployed and executes various actions on all servers to which access was previously gained, among them:

  1. Delete the registry entries of the best-known EDRs, preventing them from starting.
  2. Ensure that AnyDesk and ScreenConnect start automatically.
  3. Create a service named ekrnEpfwFF that runs the previously created AAA.ps1 script when the operating system restarts:
    1. The obfuscated script AAA.ps1 copies the encrypter binary to C:\programdata with the name exe, creates and executes PowerShell scripts (S01.ps1 and S02.ps1) that run the encrypter, and then removes some traces, including these scripts.
  4. Create the user Administrator2 (password P@ssw0rd1234!) in Autologon mode.
  5. Connect via SMB to the target server to be encrypted, using the workgroup user test (password P@ssw0rd123).
  6. Copy the AAA.ps1 script to C:\programdata on each computer to be encrypted.

The encrypter is copied with the name AAQQ.exe. The executable is packed with UPX and written in Go. Its hash (SHA-256) is: ba84c8200820016298ad5e15a5f3eb9ab608491963ff333ae0e1267ac48ac909606e

Other interesting facts:

To execute some post-exploitation actions after connecting via SimpleHelp, the group uses winpty (winpty-agent.exe, https://github.com/rprichard/winpty), a tool that provides a Unix-like pseudo-terminal interface for Windows console programs, making it more convenient to send CMD commands.

PowerShell script obfuscation:

All of this attacker’s PowerShell scripts are obfuscated with a simple character replacement algorithm.


Script S01.ps1: Although the attacker deletes this file, it was possible to recover it from the AAA.ps1 script that generates it. It is the script mainly in charge of deleting backup copies and removing traces. It consists of 7 sections that execute a series of actions, including:

  • Disables Windows Defender and all its modules (automatic sample submission, real-time protection, intrusion prevention, etc.).
  • Sets full control permissions (Everyone:F) on various locations, including disk drives, folders in the root of C: (excluding those related to the system), and the Desktop, Downloads and Documents folders of each user.
  • Stops and disables a number of services and processes whose names match a list of words (Veeam, Barracuda, Trend, Cylance, sql, etc.).
  • Uses vssadmin.exe to remove all shadow copies on the system (except for the C: partition) and to reduce the maximum shadow storage size on all available drives to 401MB, then checks again that they have been removed using the wmic and Get-WmiObject commands.
  • Uses bcdedit to disable system recovery and set the boot status policy to ignore all failures.
  • Clears the system event logs with the Get-EventLog and Clear-EventLog commands.
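As an added example (not code from the article or from Beacon Lab), the following Python script shows how a defender could spot this chain in process-creation telemetry: it decodes the base64 UTF-16LE payload that follows the PowerShell -enc switch, as in the SMBExec command shown in the Lateral movement section, matches the plaintext against indicators for the actions S01.ps1 performs (Restricted Admin toggle, shadow copy removal, Defender tampering, bcdedit recovery changes, log clearing), and raises an alert when several distinct actions occur on one host within a short window. The first command line is the one quoted in the Lateral movement section; the hostnames, timestamps, the second encoded script, the indicator labels and the benign admin command are constructed assumptions.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# PowerShell accepts -e, -ec, -enc, -encodedcommand (any unambiguous prefix) followed by
# a base64 token; "-exec bypass" does not match because "xec" is not followed by whitespace.
ENC_SWITCH = re.compile(r"(?<![\w-])-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)

# Indicator categories drawn from the behaviours described in this article
# (Restricted Admin toggle for PtH over RDP, shadow copy removal, Defender tampering,
# recovery disabled with bcdedit, event log clearing). The labels are our own.
INDICATORS = {
    "restricted_admin_toggle": re.compile(r"DisableRestrictedAdmin", re.I),
    "shadow_copy_removal": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|Win32_ShadowCopy", re.I),
    "defender_tamper": re.compile(r"Set-MpPreference\s+-Disable", re.I),
    "recovery_disabled": re.compile(r"bcdedit(?:\.exe)?.*recoveryenabled\s+no", re.I),
    "log_clearing": re.compile(r"Clear-EventLog|wevtutil(?:\.exe)?\s+cl\b", re.I),
}


def decode_encoded_commands(cmdline):
    """Return the plaintext of every -EncodedCommand payload found in a command line."""
    decoded = []
    for token in ENC_SWITCH.findall(cmdline):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command (bad alphabet, odd byte count, ...)
        # Encoded commands are UTF-16LE text; random bytes rarely decode to clean ASCII.
        if text.isascii() and all(c.isprintable() or c.isspace() for c in text):
            decoded.append(text)
    return decoded


def classify(cmdline):
    """Decode any encoded payloads and report which indicator categories match."""
    decoded = decode_encoded_commands(cmdline)
    haystack = "\n".join([cmdline, *decoded])
    matched = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    return {"decoded": decoded, "matched": matched}


def correlate(events, window=timedelta(minutes=10), min_categories=3):
    """Flag hosts on which at least `min_categories` distinct categories occur within `window`.
    `events` are process-creation records: dicts with "ts" (ISO 8601), "host" and "cmdline"."""
    per_host = defaultdict(list)
    for ev in events:
        matched = classify(ev["cmdline"])["matched"]
        if matched:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), matched))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, matched in hits[i:]:
                if ts - start > window:
                    break
                seen.update(matched)
            if len(seen) >= min_categories:
                alerts[host] = sorted(seen)
                break
    return alerts


# The first command line is the one quoted in the article (Lateral movement section); the
# hostnames, timestamps, second encoded script and benign admin command are constructed.
_ARTICLE_CMD = r"%COMSPEC% /Q /c echo powershell -exec bypass -enc TgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwB5AHMAdABlAG0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwATABzAGEAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBSAGUAcwB0AHIAaQBjAHQAZQBkAEEAZABtAGkAbgAiACAALQBWAGEAbAB1AGUAIAAiADAAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAFcATwBSAEQAIAAtAEYAbwByAGMAZQA= ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"
_S01_STYLE = "vssadmin delete shadows /all /quiet; Set-MpPreference -DisableRealtimeMonitoring $true"
_S01_ENC = base64.b64encode(_S01_STYLE.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"ts": "2024-02-20T03:10:00", "host": "SRV-APP01", "cmdline": _ARTICLE_CMD},
    {"ts": "2024-02-20T03:14:00", "host": "SRV-APP01", "cmdline": "powershell -w hidden -enc " + _S01_ENC},
    {"ts": "2024-02-20T03:15:30", "host": "SRV-APP01", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2024-02-20T09:00:00", "host": "WS-HR07", "cmdline": r"powershell -exec bypass -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], ev["ts"], classify(ev["cmdline"])["matched"])
    print(correlate(SAMPLE_EVENTS))
```

The per-host time window matters more than any single indicator: an administrator legitimately runs vssadmin or bcdedit now and then, but Restricted Admin being switched on, shadow copies being deleted and recovery being disabled on the same server within minutes is the sequence this group automates through AAA.ps1 and S01.ps1.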

Script S02.ps1: This is the script in charge of executing the encrypter itself. To do so, it defines a key that appears to be an MD5 hash; we could not determine whether it is unique per victim or universal. The encrypter is then run in a loop for each drive as follows, where <clave> is the key and <unidad_disco> the drive:

C:\Programdata\AAQQ.exe <clave> <unidad_disco>

It can be seen that on drive C: the attacker avoids encrypting any folder whose name contains “Windows”, “Program”, “users”, “driver” or “boot”, probably to avoid interfering with or corrupting the operating system.

Conclusions:


This new group, although it still has a limited number of victims, will most likely continue to grow its operations. Considering that, according to Shodan, more than 500 SysAid servers are currently exposed to the Internet, and that the group may expand its arsenal of initial access exploits, its activities could claim more victims. Like other current groups, this actor leverages many legitimate IT management tools (Living-off-the-Land, LotL) to reduce the likelihood of detection. It also shows a high degree of automation of its actions, reducing the victim’s reaction time between initial compromise and encryption of all systems. To minimize the chances of falling victim to this type of group, Beacon Lab recommends:

  • Always keep software up to date with the latest security patches, especially applications and services exposed to the Internet.
  • Use EDR/XDR solutions that allow early detection of signs of compromise.
    Remember that endpoint protection solutions, even if they can block threats, must be continuously monitored by specialized analysts; likewise, review their configuration frequently to ensure that protection levels are adequate.
  • Implement a centralized visibility and traceability strategy that enables early detection of any type of intrusion at different layers.
    Keep in mind that attackers often seek to disable EDR/XDR processes, so defense and visibility in depth are critical to address this risk.
  • Harden each system according to a baseline such as the CIS Benchmarks, taking into account the use or application of that system.
  • Perform an exhaustive review of users with administrator privileges and remove those that are not strictly necessary, limiting them to the minimum necessary personnel.
  • Implement a protection strategy against lateral movement techniques (Pass-the-Hash, Pass-the-Ticket or similar), bearing in mind that these exploit design weaknesses in the AD architecture itself. Microsoft has published an official guide to address this:

Indicators of Compromise (IoC):

The IoCs can be downloaded from the following link: here
