Introduction

In our crimeware reporting service, we analyze the latest crime-related trends we come across. If we look back at what we covered last month, we will see that ransomware (surprise, surprise!) definitely stands out. In this blog post, we provide several excerpts from last month’s reports on new ransomware strains.

Luna: brand-new ransomware written in Rust

Last month, our Darknet Threat Intelligence active monitoring system notified us of a new advertisement on a darknet ransomware forum.

As one can see from the advertisement, the malware is written in Rust and runs on Windows, Linux and ESXi systems. Armed with this knowledge, we went hunting for samples, finding a few via the Kaspersky Security Network (KSN).

Command line options available in Luna

Judging by the command line options available, Luna is fairly simple. The encryption scheme it uses, however, is not so typical, as it involves x25519 and AES, a combination not often encountered in ransomware schemes.

Both the Linux and ESXi samples are compiled using the same source code with some minor changes from the Windows version. For example, if the Linux samples are executed without command line arguments, they will not run. Instead, they will display available arguments that can be used. The rest of the code has no significant changes from the Windows version.

The advertisement states that Luna only works with Russian-speaking affiliates. Also, the ransom note hardcoded inside the binary contains spelling mistakes. For example, it says “a little team” instead of “a small team”. Because of this, we assume with medium confidence that the actors behind Luna are speakers of Russian. Since Luna is a freshly discovered group, there is still little data on its victimology, but we at Kaspersky are following Luna’s activity.

Luna confirms the trend for cross-platform ransomware: current ransomware gangs rely heavily on languages like Golang and Rust. A notable example includes BlackCat and Hive. The languages being platform agnostic, the ransomware written in these can be easily ported from one platform to others, and thus, attacks can target different operating systems at once. In addition to that, cross-platform languages help to evade static analysis.

Black Basta

Black Basta is a relatively new ransomware variant written in C++ which first came to light in February 2022. The malware, the infrastructure and the campaign were still in development mode at the time. For example, the victim blog was not online yet, but the Black Basta website was already available to victims.

Black Basta supports the command line argument “-forcepath” that is used to encrypt only files in a specified directory. Otherwise, the entire system, with the exception of certain critical directories, is encrypted.

Two months after the first encounter, in April, the ransomware had grown more mature. New functionality included starting up the system in safe mode before encryption and mimicking Windows Services for persistence reasons.

The safe-mode reboot functionality is not something we come across every day, even though it has its advantages. For example, some endpoint solutions do not run in safe mode, meaning the ransomware will not be detected and files in the system can be “easily” encrypted. In order to start in safe mode, the ransomware executes the following commands:

• C:\Windows\SysNative\bcdedit /set safeboot networkChanges
• C:\Windows\System32\bcdedit /set safeboot networkChanges

Earlier versions of Black Basta contained a different rescue note from the one currently used, which showed similarities to the ransom note used by Conti. This is not as odd as it may seem, because Black Basta was still in development mode at the time.

Rescue notes comparison

To ascertain that there was indeed no code overlap between Conti and the earlier versions of Black Basta, we fed a few samples to the Kaspersky Threat Attribution Engine (KTAE). Indeed, as shown below, only the strings overlap. There is thus no overlap in code per se.

Overlap with Conti ransomware

Black Basta for Linux

In another report we wrote last month, we discussed the Black Basta version for Linux. It was specifically designed to target ESXi systems, but it could be used for general encryption of Linux systems as well, although that would be a bit cumbersome.

Just like the version for Windows, the Linux version supports only one command line argument: “-forcepath”. When it is used, only the specified directory is encrypted. If no arguments are given, the “/vmfs/volumes” folder is encrypted.

The encryption scheme for this version uses ChaCha20 and multithreading to speed up the encryption process with the help of different processors in the system. Given that ESXi environments typically use multiple CPUs to execute a VM farm, the malware’s design, including the chosen encryption algorithm, allows the operator to have the environment encrypted as soon as possible. Prior to encrypting a file, Black Basta uses the chmod command to get access to it in the same context as the user level.

Black Basta targets

Analysis of the victims posted by the Black Basta group revealed that to date, the group has managed to attack more than forty different victims within a very short time it had available. The victim blog showed that various business sectors were affected including manufacturing, electronics, contractors, etc. Based on our telemetry, we could see other hits across Europe, Asia and the United States.

Conclusion

Ransomware remains a big problem for today’s society. As soon as some families come off the stage, others take their place. For this reason, it is important to stay on top of all developments in the ransomware ecosystem, so one can take appropriate measures to protect the infrastructure.

A trend, which we also discussed in our previous blog post, is that ESXi systems are increasingly targeted. The aim is to cause as much damage as possible. Luna and Black Basta are no exceptions. We expect that new variants will support encryption of VMs by default as well.

For questions or more information about our crimeware reporting service, please contact crimewareintel@kaspersky.com.

Yanluowang is a type of targeted ransomware discovered by the Symantec Threat Hunter team as they were investigating an incident on a large corporate network. Kaspersky experts have found a vulnerability in the Yanluowang encryption algorithm and created a free decryptor to help victims of this ransomware with recovering their files.

Yanluowang description

The ransomware is relatively recent, its name a reference to the Chinese deity Yanluo Wang, one of the Ten Kings of Hell. Unfortunately, we do not know much about the victims. According to Kaspersky Security Network data, attacks have been carried out in the United States, Brazil, Turkey and a few other countries. The low number of infections is due to the targeted nature of the ransomware: threat actors prepare and implement attacks on specific companies only.

Geography of the Yanluowang attacks, December 4th, 2021 – April 8th, 2022 (download)

In the ransom note, the cybercriminals demand not to contact law enforcement and not ‘keep them for fools’:

The ransomware program has the functionality to terminate virtual machines, processes and services. This is necessary to make files used by other programs available for encryption. The main parts of stopped services and processes include databases, email services, browsers, programs for working with documents, security solutions, backups and shadow copy services.

Lists of stopped services and processes

According to public information about the ransomware, it is only used in targeted attacks rather than in other RaaS families. Yanluowang itself needs parameters to be executed in the system, meaning it will be executed either manually or through a combination of scripts in the compromised system. The available syntax in the ransomware is:

encrypt.exe [(-p,-path,--path)<path>]

The Sosemanuk stream cipher is used to encrypt files, its key then encrypted using the RSA-1024 asymmetric algorithm. The RSA public key itself is embedded in the program but additionally encrypted with the RC4 stream cipher whose key is a string and also embedded in ransomware. Files before and after encryption:

When the encryption process is completed, the file extensions will be changed to .yanluowang

Yanluowang divides files into big and small along a 3 GB threshold. Small files are encrypted completely from beginning to end, big files are encrypted in stripes: 5 megabytes after every 200 megabytes.

The encryption code for big files

After a file is encrypted, an RSA-encrypted Sosemanuk key is written to the end of it. The encrypted endfile block has a size of 1024 bytes.

An encrypted block with a Sosemanuk key

Files decryption

Kaspersky experts have analyzed the ransomware and found a vulnerability that allows decrypting files of affected users via a known-plaintext attack. All that was required for this to work was added to the Rannoh decryption tool.

To decrypt a file, you should have at least one original file. As mentioned earlier, the Yanluowang ransomware divides files into big and small files along a 3 gigabyte threshold. This creates a number of conditions that must be met in order to decrypt certain files:

• To decrypt small files (less than or equal to 3 GB), you need a pair of files with a size of 1024 bytes or more. This is enough to decrypt all other small files.
• To decrypt big files (more than 3 GB), you need a pair of files (encrypted and original) no less than 3 GB in size each. This will be enough to decrypt both big and small files.

By virtue of the above points, if the original file is larger than 3 GB, it is possible to decrypt all files on the infected system, both big and small. But if there is an original file smaller than 3 GB, then only small files can be decrypted.

Indicators of Compromise

Kaspersky solutions detect and protect against this ransomware, detecting it as Trojan-Ransom.Win32.Yanluowang with File Threat Protection and proactively as PDM:Trojan.Win32.Generic with Behavior Detection.

MD5
afaf2d4ebb6dc47e79a955df5ad1fc8a
ba95a2f1f1f39a24687ebe3a7a7f7295

Piece of advice

Still, it is important for a company to have a security solution that would enable instant response to such ransomware threats in order to avoid large financial losses. Yanluowang was deployed in targeted human-operated attacks. As usual in such cases, we would like to remind you that a comprehensive cybersecurity strategy is required to protect against this type of threats.

Here are Kaspersky’s recommendations for staying safe from ransomware attacks:

• Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary, and always use strong passwords.
• Promptly install available patches for commercial VPN solutions that provide access for remote employees and act as gateways to your network.
• Always keep software up to date on all your devices to prevent ransomware from exploiting vulnerabilities.
• Focus your defense strategy on detecting lateral movement and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections.
• Back up data regularly. Make sure you can quickly access your backups in an emergency.
• To protect the corporate environment, educate your employees. Dedicated training courses can help, such as the ones provided on Kaspersky Automated Security Awareness Platform.
• Use the latest Threat Intelligence information to stay on top of actual TTPs used by threat actors.
• Use solutions like Kaspersky Endpoint Detection and Response and Kaspersky Managed Detection and Response service which help to identify and stop an attack in the early stages, before attackers can achieve their objectives.
• Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business, that is powered by exploit prevention, behavior detection and a remediation engine capable of rolling back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.

Earlier this year, we covered the threats related to gaming, and looked at the changes from 2020 and the first half of 2021 in mobile and PC games as well as various phishing schemes that capitalize on video games. Many of the threats faced by gamers are associated with loss of personal data, and particularly, accounts with various gaming services.

This tendency is not unique to PC or mobile games or to the gaming industry as a whole. Nevertheless, as games offer users plenty of in-game goodies and even feature their own currencies, gaming accounts are of particular interest to cybercriminals.

In this report, we take a closer look at threats linked to loss of accounts with popular video game digital distribution services, such as Steam and Origin. We also explore the kind of game-related data that ends up on the black market and the prices.

Background

In March 2021, we noticed an advertisement for malware named “BloodyStealer” on a Russian-speaking underground forum. According to the ad, BloodyStealer was a malicious stealer capable of fetching session data and passwords, and cookie exfiltration, and protected against reverse engineering and malware analysis in general. A buyer can use Telegram channels as well as traditional web panels for communication with the C&C. The author offered potential customers to get in touch via Telegram. The price of BloodyStealer is 700 RUB (less than $10) for one month or 3000 RUB (approx. $40) for lifetime.

The BloodyStealer ad (Source: https://twitter.com/3xp0rtblog)

The ad highlights the following features of BloodyStealer (translated from Russian as is):

• Grabber for cookies, passwords, forms, bank cards from browsers
• Stealer for all information about the PC and screenshots
• Steals sessions from the following clients: Bethesda, Epic Games, GOG, Origin, Steam, Telegram, VimeWorld
• Steals files from the desktop (.txt) and the uTorrent client
• Collects logs from the memory
• Duplicate logging protection
• Reverse engineering protection
• Not functional in the CIS

What caught our attention is BloodyStealer’s capability to fetch information related to computer games installed on an infected system. BloodyStealer targets major online gaming platforms, such as Steam, Epic Games Store, EA Origin, etc.

At the time of our investigation, the forum thread related to BloodyStealer was publicly unavailable, but the analysis of visible information on the forum revealed that discussions relating to BloodyStealer still continued in private channels. This, along with the fact that visible stealer activity had been observed since its release, suggested that the threat actor behind BloodyStealer had decided to offer its product only to VIP members of underground forums.

Kaspersky products detect the threat as Trojan-Spy.MSIL.Stealer.gen. For additional technical information about BloodyStealer (malicious techniques, YARA rules, etc.), please contact financialintel@kaspersky.com.

BloodyStealer technical details

Anti-analysis

During our research, we were able to identify several anti-analysis methods that were used to complicate reverse engineering and analysis of BloodyStealer, including the usage of packers and anti-debugging techniques. As the stealer is sold on the underground market, every customer can protect their sample with a packer of their choice or include it into a multistage infection chain. We had been monitoring BloodyStealer since its announcement, so we were able to notice that the majority of the BloodyStealer samples were protected with a commercial solution named “AgileNet”.

While analyzing samples discovered in the wild, we found that some of them were protected not only with AgileNet but also with other, very popular, protection tools for the .NET environment, such as Confuser.

Victim identification, communication with the C&C and data exfiltration

BloodyStealer is capable of assigning a unique identifier to every infected victim. The identifier is created by extracting data, such as the GUID and serial number (SID) of the system. This information is extracted at runtime. Besides this identification, BloodyStealer extracts the public IP address of the C&C by requesting the information from the domain whatleaks[.]com.

The request used to get the public IP

After assigning a UID to the victim and getting the C&C IP address, BloodyStealer extracts various data from the infected machine, creates a POST request with information about the exfiltrated data, and sends it to the malicious C&C. The data itself is sent to the configured C&C server later as a non-protected ZIP archive and has the structure shown below.

The IP address configured in the infected system is used as the name of the ZIP archive.

BloodyStealer as part of a multistage infection chain

In our analysis of BloodyStealer samples, we found out how various threat actors who had acquired this product decided to use the stealer as a part of other malware execution chains, for example, KeyBase or Agent Tesla. The criminals who combined the stealer component with other malware families also protected BloodyStealer with other packers, such as Themida.

BloodyStealer as used alongside other malware families or hacking tools

Based on the price that BloodyStealer is fetching on the underground market, we can expect that it will be used in combination with other popular malware families.

Command and Control

As mentioned above, BloodyStealer sends all exfiltrated data to a C&C server. Cybercriminals can access the data by using Telegram or via a web panel. The collected data can then be sold to other cybercriminals, who in turn will try to monetize it.

BloodyStealer C&C login page (Source: https://twitter.com/3xp0rtblog)

When a criminal is logged in to the C&C web panel, they will see a basic dashboard with victim-related statistics.

BloodyStealer stats dashboard (Source: https://twitter.com/3xp0rtblog)

While pivoting through the structure used for allocating the content panel, we were able to identify the second C&C server located at

hxxp://gwrg23445b235245ner.mcdir[.]me/4/654/login.php

Both C&C servers are placed behind Cloudflare, which hides their original IPs and provides a layer of protection against DDoS and web attacks.

Victimology

BloodyStealer is still quite new on the market when compared to other existent malware tools; however, by analyzing available telemetry data, we have found detections of BloodyStealer in Europe, Latin America and the APAC region. At the time of the investigation, we observed that BloodyStealer mostly affected home users.

Next links in the chain: darknet markets

Unfortunately, BloodyStealer is just one example of stealers targeting gamers. With many more in use, cybercriminals gather a significant number of game-related logs, login credentials, and other data, spurring a well-developed supply and demand chain for stolen credentials on the dark web. In this section, we will dig deeper into the dark gaming market and look at the types of game-related items available there.

Our experts, who specialize in understanding what goes on on the dark web, conducted research on the current state of user data as a commodity on these platforms to find out what kind of personal data is in demand, what it is used for, and how much it costs. For the purposes of this report, we analyzed active offers on twelve international darknet forums and marketplaces that use English or Russian.

Wholesale deals

Dark web sellers provide a broad variety of goods, sold both wholesale and retail. Specifically, one of the most popular wholesale products is logs.

In these examples, cybercriminals offer logs: an archive containing more than 65,000 logs for 150$ and packages with 1,000 private logs for 300$

Logs are credentials that are needed for accessing an account. These typically take the form of saved browser cookies, information about server logins, screenshots of the desktop, etc. They are the key for accessing victims’ accounts. Logs might be outdated, contain only old game sessions or even have no account-related data. That is why they need to be checked before use. In the chain of log sales, there are several roles.

Firstly, there are people who steal logs with the help of botnets or phishing schemes. These are the operators. The operators might have thousands of collected logs in their clouds, but this whole data stream needs to be validated. To process the logs, the cybercriminal needs to check whether the login and password combination is still relevant, how many days have passed since the last password or email change (that is, whether the victim has found out that the account was stolen) and check the balance. The fraudsters might do it on their own, but this may prove quite time-consuming with thousands of logs to go through. For this, there are log checkers: cybercriminals who own special tools for processing logs. The software collects statistics about processed logs, and the checker gets a share of the profits: typically, 40%.

It is possible to purchase logs per unit and process them manually or purchase in bulk and process with the help of specialized services. The average price per log is 34¢; the price per 100 logs is $17.83.

This advertiser is offering a batch of logs for $25,000 to one person but makes no mention of the volume of data

There are also fraudsters who have websites with a large coverage, offering to place links to malware as a way of distribution. In their ads on the darknet, these fraudsters attach traffic and download statistics to attract more customers.

Retail options

If the cybercriminal specializes in small sales (two to ten items), then the type of goods they offer on the darknet will include certain games, in-game items, and accounts with popular gaming platforms. Importantly, these products are typically offered at just 60-70% of their original price, so customers get a good deal on darknet markets. Some criminals can possess thousands of accounts and offer access to these at an enormous discount, as many of these accounts are useless: some cost nothing, and others have already been recovered by their original owners.

A person is offering thousands of usernames and passwords for various game platforms for just $4000

Dark web sellers offer stolen accounts, the important selection criteria being the number of games available in the account and how long ago the account was created. Games and add-ons are not cheap, and this is where cybercriminals enter the fray, offering the same popular games at significantly lower prices. In addition to Steam, accounts on gaming platforms, such as Origin, Ubisoft Store, GOG, Battle.net, also get stolen and resold.

A seller is offering in-game items. The original price is $20.5, but customers can get these illegally for $16.45.

In addition to certain games and accounts, cybercriminals also sell rare equipment from a wide range of games with a discount 30-40% off the original price. This is possible if the Steam account that owns the items has no restrictions on sending gifts to other players, e.g., no email confirmation requirement.

Some cybercriminals also sell so-called “Steam balance”. Depending on the origin, Steam balance can be “white” or “black”. White means sold from the seller’s own account. A player could get tired of the game and decide to sell their account, along with all associated in-game goodies, offering it on the black market, as Valve does not approve this kind of deals. Accounts like that can be used for illegal activity, such as fraud or money laundering as they do not ­– yet – look suspicious to Steam. Black balance means that the Steam accounts were obtained illegally, e.g., through phishing, social engineering or other cybercriminal techniques. Cybercriminals do their best to withdraw money by buying Steam cards, in-game items, gifts, etc., before the original owners retake control of their property with the help of the support service.

A person is outlining a scheme for stealing accounts with the help of PUBG phishing pages

Besides buying goods, darknet forum visitors can also purchase access to phishing instruments, which is a less popular offer. As you can see in the screenshot, the cybercriminal is offering a tool named “Black Mafia”. Phishing tools can even be downloaded from GitHub, after accepting the condition that these will be used for educational purposes only.

A criminal can use the tool for creating a phishing link and sending it to an unsuspecting victim. This generally follows the tried and tested flow: the victim clicks the link and inputs their credentials, which then end up in the hands of the fraudsters.

Conclusion

This overview demonstrates the structure of the game log and login stealing business. With the gaming industry growing, we do not expect this cybercriminal activity to wane in the future – on the opposite, this is the area in which we are likely to see more attacks as tools for targeting gamers continue to develop. BloodyStealer is a prime example of an advanced tool used by cybercriminals to penetrate the gaming market. With its efficient anti-detection techniques and attractive pricing, it is sure to be seen in combination with other malware families soon. Furthermore, with its interesting capabilities, such as extraction of browser passwords, cookies, and environment information as well as grabbing information related to online gaming platforms, BloodyStealer provides value in terms of data that can be stolen from gamers and later sold on the darknet. The overview of game-related goods sold on the darknet forums, too, confirms that this is a lucrative niche for cybercriminals. With online gaming platform accounts holding valuable in-game goods and currency, these become a juicy target. Although purchasing accounts is a gamble, as these may or may not contain goods that can be sold, cybercriminals are willing to take a bet – and are certain to find customers that are looking to save on entertainment.

To minimize the risks of losing your gaming account, follow these simple tips:

• Wherever possible, protect your accounts with two-factor authentication. For others, comb through account settings.
• A strong, reliable security solution will be a great help to you, especially if it will not slow down your computer while you are playing. At the same time, it will protect you from all possible cyberthreats. We recommend Kaspersky Total Security. It works smoothly with Steam and other gaming services.
• It is safer to buy games on official sites only and wait for the sales – these take place fairly often and are typically tied to big holidays such as Halloween, Christmas, Saint Valentine’s Day, so you will not be sitting on your hands for long.
• Try to avoid buying the first thing that pops up. Even during Steam’s summer sale, before forking out the dough for a little-known title, at least read some reviews of it. If something is fishy, people will probably have figured it out.
• Beware of phishing campaigns and unfamiliar gamers contacting you. It is a good idea to double-check before clicking website links you receive via email and the extensions of files you are about to open.
• Try not to click on any links to external sites from the game chat, and carefully check the address of any resource that requests you to enter your username and password: the page may be fake.

Black Kingdom ransomware appeared on the scene back in 2019, but we observed some activity again in 2021. The ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065).

The complexity and sophistication of the Black Kingdom family cannot bear a comparison with other Ransomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. The ransomware is coded in Python and compiled to an executable using PyInstaller; it supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and a possibility to recover files encrypted with Black Kingdom with the help of the hardcoded key. The industry already provided a script to recover encrypted files in case they were encrypted with the embedded key.

Background

The use of a ransomware family dubbed Black Kingdom in a campaign that exploited the CVE-2021-27065 Microsoft Exchange vulnerability known as ProxyLogon was publicly reported at the end of March.

Around the same time, we published a story on another ransomware family used by the attackers after successfully exploiting vulnerabilities in Microsoft Exchange Server. The ransomware family was DearCry.

Analysis of Black Kingdom revealed that, compared to others, it is an amateurish implementation with several mistakes and a critical encryption flaw that could allow decrypting the files due to the use of a hardcoded key. Black Kingdom is not a new player: it was observed in action following other vulnerability exploitations in 2020, such as CVE-2019-11510.

Technical analysis

Delivery methods

Black Kingdom’s past activity indicates that ransomware was used in larger vulnerability exploitations campaigns related to Pulse Secure or Microsoft Exchange. Public reports indicated that the adversary behind the campaign, after successfully exploiting the vulnerability, installed a webshell in the compromised system. The webshell enabled the attacker to execute arbitrary commands, such as a PowerShell script for downloading and running the Black Kingdom executable.

Sleep parameters

The ransomware can be executed without parameters and will start to encrypt the system, however, it is possible to to run Black Kingdom with a number value, which it will interpret as the number of seconds to wait before starting encryption.

‘Sleep’ parameter used as an argument

Ransomware is written in Python

Black Kingdom is coded in Python and compiled to an executable using PyInstaller. While analyzing the code statically, we found that most of the ransomware logic was coded into a file named 0xfff.py. The ransomware is written in Python 3.7.

Black Kingdom is coded in Python

Excluded directories

The adversary behind Black Kingdom specified certain folders to be excluded from encryption. The purpose is to avoid breaking the system during encryption. The list of excluded folders is available in the code:

• Windows,
• ProgramData,
• Program Files,
• Program Files (x86),
• AppData/Roaming,
• AppData/LocalLow,
• AppData/Local.

The code that implements this functionality demonstrates how amateurishly Black Kingdom is written. The developers failed to use OS environments or regex to avoid repeating the code twice.

PowerShell command for process termination and history deletion

Prior to file encryption, Black Kingdom uses PowerShell to try to stop all processes in the system that contain “sql” in the name with the following command:

Get-Service*sql*|Stop-Service-Force2>$null

Once done, Black Kingdom will delete the PowerShell history in the system.

PowerShell commands run by Black Kingdom

Combined with a cleanup of system logs, this supports the theory that the attackers try to remain hidden in the system by removing all traces of their activity.

Encryption process

The static analysis of Black Kingdom shows how it generates an AES-256 key based on the following algorithm.

The pseudo-algorithm used by Black Kingdom

The malware generates a 64-character pseudo-random string. It then takes the MD5 hash of the string and uses it as the key for AES-256 encryption.

The code contains credentials for sending the generated key to the third-party service hxxp://mega.io. If the connection is unsuccessful, the Black Kingdom encrypts the data with a hardcoded key available in the code.

Below is an example of a successful connection with hxxp://mega.io.

Connection established with mega.io

 The credentials for mega.io are hardcoded in base64 and used for connecting as shown below.

Hardcoded credentials

The file sent to Mega contained the following data.

Black Kingdom will encrypt a single file if it is passed as a parameter with the key to encrypt it. This could allow the attacker to encrypt one file instead of encrypting the entire system.

Function for encrypting a single file

If no arguments are used, the ransomware will start to enumerate files in the system and then encrypt these with a ten-threaded process. It performs the following basic operations:

1. Read the file,
2. Overwrite it with an encrypted version,
3. Rename the file.

The function used for encrypting the system

Black Kingdom allows reading a file in the same directory called target.txt, which will be used by the ransomware to recursively collect files for the collected directories specified in that file and then encrypt them. Black Kingdom will also enumerate various drive letters and encrypt them. A rescue note will be delivered for each encrypted directory.

Rescue note used by the ransomware

Encryption mistakes

Amateur ransomware developers often end up making mistakes that can help decryption, e.g., poor implementation of the encryption key, or, conversely, make recovery impossible even after the victim pays for a valid decryptor. Black Kingdom will try to upload the generated key to Mega, and if this fails, use a hardcoded key to encrypt the files. If the files have been encrypted and the system has not been able to make a connection to Mega, it will be possible to recover the files using the hardcoded keys.

Hardcoded key in Base64

While analyzing the code statically, we examined the author’s implementation of file encryption and found several mistakes that could affect victims directly. During the encryption process, Black Kingdom does not check whether the file is already encrypted or not. Other popular ransomware families normally add a specific extension or a marker to all encrypted files. However, if the system has been infected by Black Kingdom twice, files in the system will be encrypted twice, too, which may prevent recovery with a valid encryption key.

System log cleanup

A feature of Black Kingdom is the ability to clean up system logs with a single Python function.

The function that cleans up system logs

This operation will result in Application, Security, and System event viewer logs being deleted. The purpose is to remove any history of ransomware activity, exploitation, and privilege escalation.

Ransomware note

Black Kingdom changes the desktop background to a note that the system is infected while it encrypts files, disabling the mouse and keyboard with pyHook as it does so.

Function to hook the mouse and keyboard

Written in English, the note contains several mistakes. All Black Kingdom notes contain the same Bitcoin address; sets it apart from other ransomware families, which provide a unique address to each victim.

***************************
| We Are Back            ?
***************************

We hacked your (( Network )), and now all files, documents, images,
databases and other important data are safely encrypted using the strongest algorithms ever.
You cannot access any of your files or services .
But do not worry. You can restore everthing and get back business very soon ( depends on your actions )

before I tell how you can restore your data, you have to know certain things :

We have downloaded most of your data ( especially important data ) , and if you don't  contact us within 2 days, your data will be released to the public.

To see what happens to those who didn't contact us, just google : (  Blackkingdom Ransomware  )

***************************
| What  guarantees        ?
***************************

We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free
just send the files you want to decrypt to (support_blackkingdom2@protonmail.com

***************************************************
| How to contact us and recover all of your files  ?
***************************************************

The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .


[ + ] Instructions:

1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com

2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :

[ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]

3- confirm your payment by sending the transfer url to our email address

4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,
so that you can recover all your files.

## Note ##

Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible.
By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.

Your ID ==>
FDHJ91CUSzXTquLpqAnP

The associated Bitcoin address is currently showing just two transactions.

Transactions made to a Bitcoin account

Code analysis

After decompiling the Python code, we found that the code base for Black Kingdom has its origins in an open-source ransomware builder available on Github.

The adversary behind Black Kingdom adapted parts of the code, adding features that were not originally presented in the builder, such as the hardcoded key or communication with the mega.io domain.

Victims

Based on our telemetry we could see only a few hits by Black Kingdom in Italy and Japan.

Attribution

We could not attribute Black Kingdom to any known adversary in our case analysis. Its involvement in the Microsoft Exchange exploitation campaign suggests opportunism, rather than a resurgence in activity from this ransomware family.

For more information please contact: financialintel@kaspersky.com

Appendix I – Indicators of Compromise

Note: The indicators in this section were valid at the time of publication. Any future changes will be directly updated in the corresponding .ioc file.

File Hashes

b9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f
c4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908
a387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287
815d7f9d732c4d1a70cec05433b8d4de75cba1ca9caabbbe4b8cde3f176cc670
910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db
866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc
c25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a

Domain:

hxxp://yuuuuu44[.]com/vpn-service/$(f1)/crunchyroll-vpn

YARA rules:

import "hash"
import "pe"
rule ransomware_blackkingdom {
   
   meta:

      description = "Rule to detect Black Kingdom ransomware"
      author = "Kaspersky Lab"
      copyright = "Kaspersky Lab"
      distribution = "DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM"
      version = "1.0"
      last_modified = "2021-05-02"
      hash = "866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc"
      hash = "910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db"

    condition:

        hash.sha256(pe.rich_signature.clear_data) == "0e7d0db29c7247ae97591751d3b6c0728aed0ec1b1f853b25fc84e75ae12b7b8"
}

Appendix II – MITRE ATT&CK Mapping

This table contains all TTPs identified during the analysis of the activity described in this report.