A Serpent That Pretends to Be an Octopus: A New Step in Zyklon Ransomware Evolution

Serpent is a heavily obfuscated .NET application written in C# that requires .NET Framework 3.0 to run. For those who don’t follow the news, Serpent is the fourth generation of the malware first known as Zyklon: it was renamed WildFire, then Hades Locker, and now Serpent. This family typically spreads through spear-phishing emails that carry a link to download the cryptolocker.

Because the family is mature and developed by professionals, Serpent comes with anti-analysis and anti-debugging techniques that make it harder for anti-malware analysts to take the software apart.

Static analysis

The analyzed file was compiled on July 16, 2017, and discovered in the wild on July 27, 2017 (see the Virustotal report).


The original file name of this Serpent ransomware was ‘Octopus’.

Serpent ransomware - Octopus

Code obfuscation

Serpent implements several obfuscation techniques to complicate the analysis:

  1. Anti-analysis tricks against API monitors. Serpent generates numerous fake API calls, as in the following fragments:

    Serpent ransomware fake API calls

  2. Renaming of methods, fields, and classes to meaningless identifiers.

    Serpent ransomware Renaming of methods, fields, and classes

  3. Control flow flattening. The code runs inside a ‘while (true)’ loop around a ‘switch’; which case executes next is decided by a state value computed in the case that ran before it, so the real order of execution is not visible from the decompiled structure.

    Serpent ransomware Control flow obfuscation

  4. Invalid RVAs (relative virtual addresses).

    Serpent ransomware Wrong RVAs

Installation

Serpent stores a copy of itself as ‘exdatpus.dat’ in the %Temp% folder, ‘encrypting’ it by adding 0x01 to every byte:


It then creates ‘cpy.vbs’ in the Startup folder with the following content. The Startup folder runs at user logon rather than at boot, and that is when the script reverses the byte shift and runs the result as ‘exdatpus.exe’:

Serpent ransomware cpy.vbs
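
A responder who finds ‘exdatpus.dat’ but not the original dropper can recover the executable by undoing the byte shift described above. The script below is an added example, not code from the original post or from the malware: it reverses the +0x01 transform and refuses to accept the result unless it carries a valid MZ/PE header, so a sample that uses a different shift is caught rather than silently mis-decoded. The input it runs on by default is a constructed PE stub, not a real Serpent file.

```python
"""Recover the PE image that Serpent stores as %Temp%\\exdatpus.dat.

Added example, not code from the original post or from the malware.  The post
says the dropped copy is produced by adding 0x01 to every byte; decode_dropped()
reverses that and looks_like_pe() checks the result before anyone trusts it.
The input used below is a constructed stub, not a real Serpent sample.
"""
import struct


def encode_dropped(pe_bytes: bytes) -> bytes:
    """The transform the post describes: every byte + 1, wrapping at 0xFF."""
    return bytes((b + 1) & 0xFF for b in pe_bytes)


def decode_dropped(dat_bytes: bytes) -> bytes:
    """Inverse transform: every byte - 1, wrapping at 0x00."""
    return bytes((b - 1) & 0xFF for b in dat_bytes)


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' magic, then a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(dat_bytes: bytes) -> bytes:
    """Decode exdatpus.dat and refuse to return anything that is not a PE image."""
    pe = decode_dropped(dat_bytes)
    if not looks_like_pe(pe):
        raise ValueError("decoded data is not a PE image; the byte shift may differ")
    return pe


def build_stub_pe() -> bytes:
    """Constructed test input: a 64-byte DOS header whose e_lfanew points at 'PE\\0\\0'."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew = 0x40
    return bytes(dos) + b"PE\x00\x00" + bytes(20)  # 20 zero bytes standing in for the COFF header


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:          # recover a real dropped file: decode.py exdatpus.dat out.exe
        with open(sys.argv[1], "rb") as f:
            payload = recover_payload(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(payload)
        print("wrote", len(payload), "bytes")
    else:                           # offline demo on the constructed stub
        dropped = encode_dropped(build_stub_pe())
        print("dropped file starts with", dropped[:2],
              "-> recovered", recover_payload(dropped)[:2])
```

The header check is deliberately strict: a file that decodes to anything other than MZ followed by a PE signature at e_lfanew is rejected, which is what you want when a later build changes the shift value.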

Encryption

First, Serpent requests the master RSA-2048 public key {n, e} from the C&C server and imports it from XML.

Serpent ransomware master key

The cryptolocker terminates the following database-related processes so that their open files are unlocked and can be encrypted:

msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exeisqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exeagntsvc.exe, agntsvc.exeencsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe 

It does not encrypt files on machines whose country code, as returned by the http://ipinfo.io/ service, is one of the following:

  • AM - Armenia
  • AZ - Azerbaijan
  • BY - Belarus
  • GE - Georgia
  • KG - Kyrgyzstan
  • KZ - Kazakhstan
  • MD - Moldova
  • RU - Russia
  • TM - Turkmenistan
  • TJ - Tajikistan

In addition, Serpent does not encrypt files whose path contains any of the following strings:

  • \program files (x86)\
  • \program files\
  • tor browser
  • \windows\
  • \programdata\
  • \$recycle.bin\

AES-256-CBC is used for file encryption.

Serpent ransomware AES-256-CBC

The AES key and initialization vector are encrypted with the imported RSA-2048 public key and appended to each file as a Base64-encoded footer.

Serpent ransomware AES key and initialization vector

It encrypts the files with the following extensions:

.#vc, .$ac, ._vc, .00c, .07g, .07i, .08i, .09i, .09t, .10t, .11t, .123, .13t, .1cd, .1pa, .1pe, .2011, .2012, .2013, .2014, .2015, .2016, .2017, .210, .3dm, .3ds, .3fr, .3g2, .3gp, .3me, .3pe, .3pr, .500, .7z, .7zip, .aac, .aaf, .ab4, .abk, .ac, .ac2, .acc, .accd, .accdb, .accde, .accdr, .accdt, .ach, .aci, .acm, .acr, .act, .adb, .adp, .ads, .aep, .aepx, .aes, .aet, .afm, .agdl, .ai, .aif, .aiff, .ait, .al, .amj, .aoi, .apj, .arc, .arw, .as, .as3, .asc, .asf, .asm, .asp, .aspx, .asx, .ati, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bat, .bay, .bb, .bc8, .bc9, .bd2, .bd3, .bdb, .bgt, .bik, .bin, .bk, .bk2, .bkc, .bke, .bkf, .bkn, .bkp, .blend, .bmp, .bpf, .bpp, .bpw, .brd, .brw, .btif, .bup, .bz2, .c, .cal, .cat, .cb, .cd, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdt, .cdx, .ce1, .ce2, .cer, .cf8, .cf9, .cfdi, .cfg, .cfp, .cgm, .cgn, .ch, .chg, .cht, .cib, .clas, .class, .clk, .cls, .cmd, .cmt, .cmx, .cnt, .cntk, .coa, .config, .contact, .cpi, .cpp, .cpt, .cpw, .cpx, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csr, .css, .csv, .cur, .cus, .cvt, .d07, .dac, .dat, .db, .db-journal, .db_journal, .db3, .dbf, .dbk, .dbx, .dc2, .dch, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .defx, .der, .des, .design, .dgc, .dif, .dip, .dit, .djv, .djvu, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .ds4, .dsb, .dsf, .dtau, .dtb, .dtd, .dtl, .dwg, .dxb, .dxf, .dxg, .dxi, .ebc, .ebd, .ebq, .ec8, .edb, .efs, .efsl, .efx, .emd, .eml, .emp, .ens, .ent, .epa, .epb, .eps, .eqb, .erbsql, .erf, .ert, .esk, .ess, .esv, .etq, .ets, .exf, .exp, .fa1, .fa2, .fb, .fbw, .fca, .fcpa, .fcpr, .fcr, .fdb, .fef, .ffd, .fff, .fh, .fhd, .fim, .fkc, .fla, .flac, .flf, .flv, .flvv, .fmb, .fmv, .fon, .fpx, .frm, .fx0, .fx1, .fxg, .fxr, .fxw, .fyc, .gdb, .gem, .gfi, .gif, .gnc, .gpc, .gpg, .gray, .grey, .groups, .gry, .gsb, .gto, .gz, .h, .h10, .h11, .h12, .hbk, .hdd, .hif, .hpp, .hsr, .htm, .html, .hts, .hwp, .i2b, .iban, .ibank, .ibd, .ibz, .ico, .idml, .idx, .iff, .iif, .iiq,
.img, .imp, .incpas, .indb, .indd, .indl, .indt, .ini, .int?, .intu, .inv, .inx, .ipe, .ipg, .itf, .jar, .java, .jin, .jng, .jnt, .jou, .jp2, .jpe, .jpeg, .jpg, .js, .jsd, .jsda, .jsp, .kb7, .kbx, .kc2, .kd3, .kdbx, .kdc, .key, .kmo, .kmy, .kpdx, .kwm, .laccdb, .lay, .lay6, .lcd, .ldc, .ldf, .ldr, .let, .lgb, .lhr, .lid, .lin, .lit, .lld, .lmr, .log, .lua, .lz, .m, .m10, .m11, .m12, .m14, .m15, .m16, .m2ts, .m3u, .m3u8, .m4a, .m4p, .m4u, .m4v, .mac, .max, .mbk, .mbsb, .mbx, .md, .mda, .mdb, .mdc, .mdf, .mef, .mem, .met, .meta, .mfw, .mhtm, .mid, .mkv, .ml2, .ml9, .mlb, .mlc, .mmb, .mml, .mmw, .mn1, .mn2, .mn3, .mn4, .mn5, .mn6, .mn7, .mn8, .mn9, .mne, .mnp, .mny, .mone, .moneywell, .mos, .mov, .mp2, .mp3, .mp4, .mpa, .mpe, .mpeg, .mpg, .mql, .mrq, .mrw, .ms11, .msg, .mwi, .mws, .mx0, .myd, .mye, .myi, .myox, .n43, .nap, .nd, .ndd, .ndf, .nef, .nk2, .nl2, .nni, .nop, .npc, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nv, .nv2, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obi, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oet, .ofc, .ofx, .ogg, .oil, .old, .omf, .op, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p08, .p12, .p7b, .p7c, .pab, .pages, .paq, .pas, .pat, .pbl, .pcd, .pcif, .pct, .pcx, .pd6, .pdb, .pdd, .pdf, .pef, .pem, .per, .pfb, .pfd, .pfx, .pg, .php, .php5, .phtml, .pic, .pif, .pl, .plb, .plc, .pls, .plt, .plus_muhd, .pma, .pmd, .png, .pns, .por, .pot, .potm, .potx, .pp4, .pp5, .ppam, .ppf, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .pr0, .pr1, .pr2, .pr3, .pr4, .pr5, .prel, .prf, .prn, .prpr, .ps, .psafe3, .psd, .psp, .pspimage, .pst, .ptb, .ptdb, .ptk, .ptx, .pvc, .pwm, .pxa, .py, .q00, .q01, .q06, .q07, .q08, .q09, .q43, .q98, .qb1, .qb20, .qba, .qbb, .qbi, .qbk, .qbm, .qbmb, .qbmd, .qbo, .qbp, .qbr, .qbw, .qbx, .qby, .qbz, .qch, .qcow, .qcow2, .qdf, .qdfx, .qdt, .qed, .qel, .qem, .qfi, .qfx, .qif, .qix, .qme, .qml, .qmt, .qmtf, .qnx, .qob, .qpb, .qpd, .qpg, .qph, .qpi, .qsd, .qsm, .qss, .qst, .qtx, .quic, .quo, .qw5, .qwc, .qwmo, .qxf,
.r3d, .ra, .raf, .rar, .rat, .raw, .rb, .rcs, .rda, .rdb, .rdy, .reb, .rec, .resx, .rif, .rm, .rpb, .rpf, .rss, .rtf, .rtp, .rvt, .rw2, .rwl, .rwz, .rz, .s12, .s3db, .s7z, .saf, .safe, .saj, .sas7bdat, .sav, .save, .say, .sba, .sbc, .sbd, .sbf, .sbk, .scd, .sch, .sct, .sd0, .sda, .sdf, .sdy, .seam, .ses, .set, .shw, .sic, .sik, .skg, .sldm, .sldx, .slk, .slp, .spf, .spi, .sql, .sqli, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .ssg, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stm, .str, .stw, .stx, .svg, .swf, .swp, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .t00, .t01, .t02, .t03, .t04, .t05, .t06, .t07, .t08, .t09, .t10, .t11, .t12, .t13, .t14, .t15, .t99, .ta1, .ta2, .ta4, .ta5, .ta6, .ta8, .ta9, .tar, .tax, .tax0, .tax1, .tax2, .tb2, .tbk, .tbp, .tdr, .tex, .text, .tfx, .tga, .tgz, .thm, .tib, .tif, .tiff, .tjl, .tkr, .tlg, .tom, .tpl, .trm, .trn, .tt10, .tt11, .tt12, .tt13, .tt14, .tt15, .tt20, .ttf, .txf, .txt, .u08, .u10, .u11, .u12, .umb, .uop, .uot, .v30, .vb, .vbk, .vbox, .vbpf, .vbs, .vcf, .vdf, .vdi, .vhd, .vhdx, .vib, .vmb, .vmdk, .vmsd, .vmx, .vmxf, .vnd, .vob, .vrb, .vsd, .vyp, .vyr, .wab, .wac, .wad, .wallet, .war, .wav, .wb2, .wbk, .wi, .wk1, .wk3, .wk4, .wks, .wma, .wmf, .wmv, .wpd, .wpg, .wps, .x11, .x3f, .xaa, .xcf, .xeq, .xhtm, .xis, .xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsb,3dm, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xpm, .xqx, .ycbcra, .yuv, .zdb, .zip, .zipx, .zix, .zka
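
Put together, the country gate, the path exclusions and the extension list above form one decision per file. The script below rebuilds that decision as an added example (not the malware’s code) so the conditions can be checked against a file listing. It assumes the path strings are matched as case-insensitive substrings (the post lists them in lower case), that extensions are compared case-insensitively, and that a file already carrying ‘.srpx’ is skipped; it reproduces only a handful of the several hundred extensions.

```python
"""Serpent's file-targeting decision, rebuilt from the conditions in the post.

Added example, not the malware's code.  Assumptions: path exclusions are
case-insensitive substring matches, extensions are compared case-insensitively,
and a file that already carries the .srpx extension is skipped.
TARGET_EXTENSIONS is a small subset of the post's list.
"""
import ntpath  # Windows path semantics regardless of the host OS

EXCLUDED_COUNTRIES = {"AM", "AZ", "BY", "GE", "KG", "KZ", "MD", "RU", "TM", "TJ"}

EXCLUDED_PATH_PARTS = [
    "\\program files (x86)\\",
    "\\program files\\",
    "tor browser",
    "\\windows\\",
    "\\programdata\\",
    "\\$recycle.bin\\",
]

# Subset of the post's extension list: documents, databases, VM images,
# password stores, backups and archives.
TARGET_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".mdf",
                     ".vmdk", ".kdbx", ".bak", ".7z", ".txt"}

ENCRYPTED_EXT = ".srpx"


def victim_is_excluded(country_code: str) -> bool:
    """Country gate: the code comes from the ipinfo.io lookup."""
    return country_code.strip().upper() in EXCLUDED_COUNTRIES


def path_is_excluded(path: str) -> bool:
    """Path gate: any listed substring anywhere in the lower-cased path skips the file."""
    lowered = path.lower()
    return any(part in lowered for part in EXCLUDED_PATH_PARTS)


def extension_is_targeted(path: str) -> bool:
    return ntpath.splitext(path)[1].lower() in TARGET_EXTENSIONS


def should_encrypt(path: str, country_code: str) -> bool:
    """Apply the gates in the order the post describes them: country, path, extension."""
    if victim_is_excluded(country_code):
        return False
    if path_is_excluded(path):
        return False
    if path.lower().endswith(ENCRYPTED_EXT):  # assumed: no double encryption
        return False
    return extension_is_targeted(path)


def select_targets(paths, country_code):
    """Filter a file listing the way the locker would."""
    return [p for p in paths if should_encrypt(p, country_code)]


if __name__ == "__main__":
    SAMPLE_PATHS = [  # constructed listing
        "C:\\Users\\bob\\Documents\\report.docx",
        "C:\\Program Files\\App\\data.sql",
        "C:\\Users\\bob\\Tor Browser\\notes.txt",
        "C:\\Users\\bob\\Documents\\report.docx.srpx",
        "D:\\backups\\db.BAK",
        "C:\\Windows\\System32\\config\\SAM",
    ]
    for code in ("US", "RU"):
        print(code, select_targets(SAMPLE_PATHS, code))
```

Note that because ‘tor browser’ is matched as a bare substring rather than a directory component, any file whose full path contains those words is spared, wherever it lives.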

The same AES key and initialization vector are used for every file. With CBC that means two files sharing a common prefix also share their leading ciphertext blocks, although that leak does not by itself help recover the key.

After encryption, each file gets the ‘.srpx’ extension.

Deleting file backups

The cryptolocker deletes the volume shadow copies, which would otherwise hold previous versions of the encrypted files:

WMIC.exe shadowcopy delete /nointeractive

It then runs cipher.exe with the /W switch on each drive. That switch overwrites the drive’s free (unallocated) space, not live files, so what it destroys is the content of deleted files; this rules out recovering the original plaintext with undelete or carving tools:

cipher.exe /W:<DRIVE>:\
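
Both commands are loud in process-creation telemetry and are worth alerting on regardless of the ransomware family. The detection below is an added example, not from the original post: it runs two rules derived from the commands above over constructed Sysmon-style log lines carrying a ‘CommandLine=’ field (that log format is an assumption), plus a third rule for ‘vssadmin delete shadows’, the other common way to remove shadow copies, which the post does not mention.

```python
"""Flag the backup-destruction commands from the post in process-creation logs.

Added example, not from the original post.  The log lines are constructed and
use a Sysmon-style 'CommandLine=' field; that format, and the vssadmin rule
(not mentioned in the post), are additions made here.
"""
import re

# (rule name, pattern over the command line).  Case-insensitive because Windows is;
# the patterns allow the binary with or without '.exe' and tolerate extra arguments.
RULES = [
    ("shadowcopy_delete_wmic",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("freespace_wipe_cipher",
     re.compile(r"\bcipher(?:\.exe)?\b.*\s/w:", re.I)),
    ("shadowcopy_delete_vssadmin",  # added rule, see lead-in
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
]


def parse_command_line(line: str):
    """Pull the CommandLine field out of one log line; None if the line has none."""
    m = re.search(r"\bCommandLine=(.*)$", line)
    return m.group(1).strip() if m else None


def detect(lines):
    """Return (rule name, command line) for every line that matches a rule."""
    hits = []
    for line in lines:
        cmd = parse_command_line(line)
        if cmd is None:
            continue
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((name, cmd))
    return hits


# Constructed log excerpt: the two commands from the post, one vssadmin variant,
# and three benign lines that must not fire (plain wmic query, cipher /E, svchost).
SAMPLE_LOG = [
    "ProcessCreate Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=WMIC.exe shadowcopy delete /nointeractive",
    "ProcessCreate Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic os get caption",
    "ProcessCreate Image=C:\\Windows\\System32\\cipher.exe CommandLine=cipher.exe /W:C:\\",
    "ProcessCreate Image=C:\\Windows\\System32\\cipher.exe CommandLine=cipher.exe /E C:\\Users\\bob\\secret",
    "ProcessCreate Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe delete shadows /all /quiet",
    "ProcessCreate Image=C:\\Windows\\System32\\svchost.exe CommandLine=svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_LOG):
        print(f"{name}: {cmd}")
```

The cipher rule keys on the ‘/W:’ switch specifically, so the far more common ‘cipher /E’ and ‘cipher /D’ (EFS encrypt and decrypt) invocations on a managed estate do not produce noise.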

Network activity

To get the victim’s IP address and country code, the ransomware sends a request to: http://ipinfo.io/json .

Then, Serpent sends a check-in request to one of the C&C servers listed in its configuration data:

  • hxxp://185.106.122.86 (Romania)
  • hxxp://31.7.188.86 (Germany)
  • hxxp://169.239.128.114 (South Africa)

Serpent ransomware C&C servers

For example:

hxxp://169.239.128.114/register.php

The check-in request contains:

  • hwid - an identifier of the infected machine
  • campaign - the ransomware campaign number (#1 for this sample)
  • ip - the victim’s IP address
  • country - the country code obtained from http://ipinfo.io/

Serpent ransomware check-in request

The server replies with the master RSA-2048 public key as {n, e} in XML, where n is the modulus and e the public exponent; this is the <RSAKeyValue> layout that .NET’s RSA FromXmlString() method accepts.
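
The exchange above, modelled end to end as an added example (not the malware’s code, and not a real C&C transcript): the client form-encodes the four check-in fields, the server parses them, and the client then parses the XML reply into (n, e) and sanity-checks the key before using it. The post names the fields but not the HTTP method or encoding, so the form-encoded body to register.php is an assumption; the reply is constructed with a dummy 2048-bit modulus so the script runs offline.

```python
"""Model the check-in exchange from the post and parse the key the server returns.

Added example, not from the original post or the malware.  Assumptions: the
four fields travel as a form-encoded body to register.php, and the reply is the
.NET RSAKeyValue XML (<RSAKeyValue><Modulus/><Exponent/></RSAKeyValue>, the
layout RSA.FromXmlString() consumes).  The reply below is constructed with a
dummy 2048-bit modulus; it is not a real Serpent key.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET

CHECKIN_PATH = "/register.php"


def build_checkin(hwid: str, campaign: int, ip: str, country: str) -> str:
    """Client side: form-encode the check-in fields the post lists (encoding assumed)."""
    return urllib.parse.urlencode(
        {"hwid": hwid, "campaign": campaign, "ip": ip, "country": country})


def parse_checkin(body: str) -> dict:
    """Server side: recover the fields from the body."""
    return dict(urllib.parse.parse_qsl(body))


def _b64_to_int(text: str) -> int:
    # RSAKeyValue stores big-endian unsigned integers as base64
    return int.from_bytes(base64.b64decode(text.strip()), "big")


def parse_rsa_keyvalue_xml(xml_text: str):
    """Turn .NET RSAKeyValue XML into (n, e)."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue document")
    return (_b64_to_int(root.findtext("Modulus")),
            _b64_to_int(root.findtext("Exponent")))


def master_key_is_plausible(n: int, e: int) -> bool:
    """Sanity checks before using the key: 2048-bit odd modulus, odd exponent > 1."""
    return n.bit_length() == 2048 and n % 2 == 1 and e > 1 and e % 2 == 1


def make_fake_reply() -> str:
    """Constructed server reply with a dummy (not prime-derived) 2048-bit modulus."""
    n = (1 << 2047) | 1  # top bit set -> exactly 2048 bits, and odd
    e = 65537
    mod_b64 = base64.b64encode(n.to_bytes(256, "big")).decode()
    exp_b64 = base64.b64encode(e.to_bytes(3, "big")).decode()
    return (f"<RSAKeyValue><Modulus>{mod_b64}</Modulus>"
            f"<Exponent>{exp_b64}</Exponent></RSAKeyValue>")


def run_exchange(hwid="0123456789ABCDEF", campaign=1, ip="203.0.113.7", country="US"):
    """Client builds the check-in, server parses it and answers with the master key."""
    request = build_checkin(hwid, campaign, ip, country)
    fields = parse_checkin(request)   # what the C&C sees
    reply = make_fake_reply()         # constructed stand-in for the real reply
    n, e = parse_rsa_keyvalue_xml(reply)
    return fields, n, e


if __name__ == "__main__":
    fields, n, e = run_exchange()
    print("POST", CHECKIN_PATH, fields)
    print("modulus bits:", n.bit_length(), "exponent:", e,
          "plausible:", master_key_is_plausible(n, e))
```

The same parser is what you would point at a captured reply from one of the listed servers to extract the modulus for tracking: a campaign that reuses one master key across victims shows up as the same n in every check-in response.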

Ransom note

Serpent drops a ransom note in text and HTML formats into every folder that contains encrypted files:

README_TO_RESTORE_FILES_<RANDOM 3 CHARACTERS>.txt

Serpent ransomware Ransom note

README_TO_RESTORE_FILES_<RANDOM 3 CHARACTERS>.html

Serpent ransomware Ransom note

Decryption service

A decryption service is available via one of the following links:

  • 3o4kqe6khkfgx25g.onion
  • hxxp://hmkwegza.pw
  • hxxp://pwmhgfhm.pw

For example:

Serpent ransomware Decryption service

Acronis True Image blocks Serpent

Acronis True Image 2017 New Generation or True Image 2018 Beta with Acronis Active Protection easily detects Serpent ransomware and blocks the attack.

Acronis detects Serpent ransomware

Acronis blocks Serpent ransomware

Acronis recovers files encrypted by Serpent ransomware

 

Download Acronis True Image to back up and protect your computers from ransomware attacks!