PayloadBin Ransomware has only just appeared on the malware scene but has already been attributed to Evil Corp, who were hit with US sanctions in 2019. It is believed that the ransomware strain is an effort to rebrand on behalf of the gang to evade strict measures imposed by the US Treasury Department’s Office of Foreign Assets Control (OFAC). The Evil Corp gang, also known as Indrik Spider and the Dridex gang, started as an affiliate for the ZeuS botnet. Over time, they formed a group that focused on distributing the banking trojan and downloader called Dridex via phishing emails.
As the cultural shift in the malware scene began to change, Evil Corp adapted and focused on the highly profitable world of ransomware attacks. The group initially distributed BitPaymer ransomware, which was delivered via their Dridex downloader.
Evil Corp made over $100 million from their ransomware schemes, and eventually caught the eye of OFAC. The gang were charged with conspiracy, computer hacking, wire fraud, and bank fraud in a 10-count indictment concerning the distribution of the malware they used to automate the theft of sensitive financial and personal information like banking credentials, as well as for infecting their victims with ransomware in numerous attacks.
OFAC’s charges made it so that any corporation who paid a ransom to Evil Corp would face heavy fines or further legal action from the Treasury Department.
Evil Corp began renaming their ransomware operations to different names such as WastedLocker, Hades, and Phoenix to bypass these sanctions.
Though the initial thought was that the site was a rebranding for Babuk, it was soon revealed it was in fact Evil Corp. The information was discovered after analysing PayloadBin Ransomware and finding it to be the gang’s previous ransomware strains with only a fresh coat of paint.
The discovery was seconded by both Fabian Wosar of Emsisoft and Michael Gillespie of ID Ransomware.
While discussing why they would have impersonated another cybercrime group, Wosar felt that they saw and took an opportunity to impersonate a hacking group that is not sanctioned.
“Now they had a gang rebranding and just took the opportunity.” – Fabian Wosar.
As the ransomware is now attributed to a sanctioned hacking group, most ransomware negotiation firms will likely not help facilitate payments for victims affected by the PayloadBin ransomware.
PayloadBin Ransomware Analysis
Note: This analysis was carried out by SecureList and initially concerned WastedLocker. However, as PayloadBin Ransomware is identical to its predecessors, it remains a valid analysis.
PayloadBin Ransomware has a command-line interface that allows it to process several arguments that control the way it operates.
Priority processing: the trojan will encrypt the specified directory first, and then add it to an internal exclusion list (to avoid processing it twice) and encrypt all the remaining directories on available drives.
Encrypt only the specified directory.
-u username:password \\hostname
Encrypt files on the specified network resource using the provided credentials for authentication.
Launch the sequence of actions:
- Delete ;
- Copy to %WINDIR%\system32\<rand>.exe using a random substring from the list of subkeys of the registry key SYSTEM\CurrentControlSet\Control\;
- Create a service with a name chosen similarly to the method described above. If a service with this name already exists, append the prefix “Ms” (e.g. if the service “Power” already exists, PayloadBin Ransomware will create a new one with the name “MsPower”). The command line for the new service will be set to “%WINDIR%\system32\<rand>.exe -s”;
- Start this service and wait until it finishes working;
- Delete the service.
Start the created service. It will lead to the encryption of any files PayloadBin Ransomware can find.
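As an added example (not code from the original article or the SecureList analysis), a Python triage routine over constructed Windows service-installation records that flags the traits of the install sequence above: a system32 binary started with -s, a binary or service name drawn from the Control subkeys, and the “Ms” prefix collision with an existing service. The sample records, the existing-service set and the subkey set are constructed for the example.

```python
import re

# Constructed sample records shaped like Windows "service installed" entries
# (System log, event 7045): (service name, image path). Made up for this example.
SAMPLE_SERVICES = [
    ("MsPower", r"C:\Windows\system32\Power.exe -s"),
    ("Lsa", r"C:\Windows\system32\Lsa.exe -s"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("MyBackupAgent", r"C:\Program Files\Backup\agent.exe --service"),
]

# Constructed: service names already registered on the host, and a few subkeys
# of SYSTEM\CurrentControlSet\Control, the list the trojan draws its names from.
EXISTING_SERVICES = {"Power", "Spooler", "Lsa"}
CONTROL_SUBKEYS = {"Power", "Lsa", "Nls", "Session Manager", "Print"}

# %WINDIR%\system32\<rand>.exe -s, the command line the article gives for the service.
IMAGE_RE = re.compile(r"^c:\\windows\\system32\\([^\\]+)\.exe\s+-s$", re.IGNORECASE)


def from_control_subkeys(token):
    """True if token (3+ chars) is a substring of some Control subkey name."""
    t = token.lower()
    return len(t) >= 3 and any(t in key.lower() for key in CONTROL_SUBKEYS)


def suspicious_service(name, image_path):
    """List the traits of the install sequence that this service record shows."""
    reasons = []
    m = IMAGE_RE.match(image_path)
    if m:
        reasons.append("system32_exe_started_with_-s")
        if from_control_subkeys(m.group(1)):
            reasons.append("binary_named_from_control_subkey")
    if name.startswith("Ms") and name[2:] in EXISTING_SERVICES:
        reasons.append("ms_prefix_collides_with_existing_service")
    base = name[2:] if name.startswith("Ms") else name  # look past the "Ms" prefix
    if from_control_subkeys(base):
        reasons.append("service_named_from_control_subkey")
    return reasons


def triage(records):
    """Return (name, reasons) for every record showing at least one trait."""
    out = []
    for name, path in records:
        reasons = suspicious_service(name, path)
        if reasons:
            out.append((name, reasons))
    return out
```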
Another interesting feature of PayloadBin Ransomware is the chosen method of UAC bypass. When the trojan starts, it will check the integrity level it was run on. If this level is not high enough, the malware will try to silently elevate its privileges using a known bypass technique.
- Create a new directory in %appdata%; the directory name is chosen at random from the substrings found in the list of subkeys of the registry key SYSTEM\CurrentControlSet\Control\;
- Copy a random EXE or DLL file from the system directory to this new directory;
- Write the trojan’s own body into the alternate NTFS stream “:bin” of this system file;
- Create a new temporary directory and set its mount point to “C:\Windows ” (with a trailing whitespace) using the API function NtFsControlFile with the flag IO_REPARSE_TAG_MOUNT_POINT;
- Create a new subdirectory named “system32” inside the temporary directory. As a result of the previous step, this new subdirectory can be equally successfully addressed as “%temp%\<directory_name>\system32” or “C:\Windows \system32” (note the whitespace);
- Copy the legitimate winsat.exe and winmm.dll into this subdirectory;
- Patch winmm.dll: replace the entry point code with a short fragment of malicious code whose only purpose is to launch the content of the alternate NTFS stream created on step 2;
- Launch winsat.exe, which will trigger the loading of the patched winmm.dll as a result of DLL hijacking.
The above sequence of actions results in PayloadBin Ransomware being relaunched from the alternate NTFS stream with elevated administrative privileges without displaying the UAC prompt.
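As an added example (not code from the original article or the SecureList analysis), a Python triage routine that runs over constructed file and image-load telemetry and flags the three observable traces of the bypass sequence above: an executable carrying a named alternate data stream such as “:bin”, a path component with trailing whitespace such as “C:\Windows \system32”, and winsat.exe loading winmm.dll from anywhere other than the real system32. The event format and sample lines are constructed and only loosely modelled on Sysmon events.

```python
import ntpath

# Constructed sample telemetry ("type|path[|loaded_image]"), loosely modelled on
# Sysmon FileCreate / ImageLoad events. Made up for this example, not real captures.
SAMPLE_EVENTS = [
    r"FileCreate|C:\Users\bob\AppData\Roaming\Power\dwm.exe:bin",
    r"FileCreate|C:\Users\bob\AppData\Local\Temp\Power\system32\winmm.dll",
    r"ImageLoad|C:\Windows \system32\winsat.exe|C:\Windows \system32\winmm.dll",
    r"ImageLoad|C:\Windows\System32\winsat.exe|C:\Windows\System32\winmm.dll",
    r"FileCreate|C:\Users\bob\Documents\report.docx",
]

REAL_SYSTEM32 = r"c:\windows\system32"


def ads_on_executable(path):
    """True if an .exe/.dll path carries a named alternate data stream (e.g. ':bin')."""
    name = path.rsplit("\\", 1)[-1]
    if ":" not in name:
        return False
    base, stream = name.split(":", 1)
    return base.lower().endswith((".exe", ".dll")) and stream != ""


def spoofed_system_dir(path):
    # A component ending in whitespace, e.g. "C:\Windows \system32" reached through
    # the mount point described above; Win32 normally strips trailing spaces.
    return any(part != part.rstrip() for part in path.split("\\"))


def sideloaded_winmm(image, loaded):
    """True if winsat.exe loads winmm.dll from anywhere but the real system32."""
    if ntpath.basename(image).lower() != "winsat.exe":
        return False
    if ntpath.basename(loaded).lower() != "winmm.dll":
        return False
    return ntpath.dirname(loaded).lower() != REAL_SYSTEM32


def triage(events):
    """Return (rule, path) findings for events matching the staging pattern."""
    findings = []
    for line in events:
        fields = line.split("|")
        kind, path = fields[0], fields[1]
        if kind == "FileCreate" and ads_on_executable(path):
            findings.append(("ads_on_executable", path))
        if spoofed_system_dir(path):
            findings.append(("spoofed_system_dir", path))
        if kind == "ImageLoad" and sideloaded_winmm(path, fields[2]):
            findings.append(("winsat_sideload", fields[2]))
    return findings
```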
To encrypt victims’ files, the developers of the trojan employed a combination of the AES and RSA algorithms that has already become a ‘classic’ among different crypto-ransomware families.
The search mask to choose which files will be encrypted, as well as the list of the ignored paths are set in the configuration of the malware.
For each processed file, PayloadBin Ransomware generates a unique 256-bit key and a 128-bit IV which will be used to encrypt the file content using the AES-256 algorithm in CBC mode. The implementation of the file operations is worthy of note, as it employs file mapping for data access. It must have been an attempt by the criminals to maximize the trojan’s performance and/or avoid detection by security solutions.
When installed, the ransomware will append the .PAYLOADBIN extension to encrypted files, as shown below.
Furthermore, the ransom note is named ‘PAYLOADBIN-README.txt’ and states that the victim’s “networks is LOCKED with PAYLOADBIN ransomware.”
Ransomware is a crowded scene, with new threats rising and falling almost every day. It is important that business owners and families have the best tools for the job when it comes to protecting their devices. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.