Research Saturday 10.3.20
Ep 154 | 10.3.20

Smaug: Ransomware-as-a-service drag(s)on.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Joakim Kennedy: We constantly sort of keep an eye out for emerging threats, and ransomware is something we see from time to time.

Dave Bittner: Our guests this week are Rory Gould and Joakim Kennedy. They're members of the research team at Anomali. Today, we're discussing their research on the Smaug ransomware-as-a-service.

Joakim Kennedy: But this one was caught in our collection, and it was sort of identified to be somewhat of a new ransomware-as-a-service that we hadn't really seen much of an analysis about it. We decided to sort of dig deeper into it.

Dave Bittner: That's Joakim Kennedy.

Joakim Kennedy: And what we found first was a quick sort of report around the initial panel that has been found as part of its announcement or advertisement on the Dark Web. But we couldn't find anything around sort of the malware, how it worked, and things like that. So now when we actually had a sample, we could actually take the time and sort of dig into it and find out how it operated, what it did, and if it did something different compared to other sort of ransomware that's out there. And then we sort of wanted to go ahead and put the whole picture together and do an analysis based on the threat actor that's behind it, and where it sort of is announced on the Dark Web, and kind of what they're selling potential customers, as we want to say – what they can do with it.

Dave Bittner: Well, let's go through the research together, first of all, in terms of the threat actor, who do you suppose is behind this?

Rory Gould: Now, that's a very loaded question.

Dave Bittner: (Laughs) Sorry about that.

Rory Gould: Not at all.

Dave Bittner: That's Rory Gould.

Rory Gould: Unfortunately, it's quite difficult to really pin down, you know, who this person is or where perhaps they come from. I mean, there are a few flags. I mean, for instance, you know, there was a rather – within the original post on the Russian Dark Web forum, it says that targeting any CIS – as in Commonwealth of Independent States – is prohibited and will result in an immediate ban. So that might make one think, OK, you know, maybe it's a Russian or it's a Russian-speaking actor. But to be honest, whenever you sort of – whenever you dig through the panel and you look at the screenshots that they present you, you can see that there's Mandarin characters hidden within some of the ransom notes. So, to be honest, can't really come off the fence on this one and can't really give it any sort of attribution. But, you know, there are certain things that might make you think. 

Dave Bittner: Well, and you suspect that it's a small team behind this?

Rory Gould: Yeah, we would be of the opinion it would be a very small team. At least two people. Can't really put a maximum on it, but I wouldn't imagine it would be a particularly large team or large effort behind it.

Dave Bittner: Well, let's go through it together. I mean, the story sort of begins with some forum activity that you all tracked down. Take us through the story here.

Rory Gould: So, essentially, after Joakim found sort of some public-facing stuff displaying the panel, displaying the ransomware-as-a-service, that it was for sale, I looked through some forums that I knew would generally be used to sell these sorts of items. One forum in particular, a Russian-language one. So I went through the forum, I searched for it, and it was rather easy to find, actually. As you can see – anybody that looks at the blog – you can see the original posting. You know, it's fairly generic. They give you a link to it. They tell you all the things it does. You know, how configurable it is. It gives you the price. It gives you the service fee. So, yeah, you know, as a starting point, that was a good space to go with.

Dave Bittner: Yeah, it's interesting to me to see the posts that you share here, kind of the salesmanship that's on display here. Also a very good use of English.

Rory Gould: Yes, a suspiciously good use of English, because obviously this is the – you know, this is the initial offering of the ransomware. But if you take into the profile of the actor – well, we'll just call them "corinda," because that's what their username was – if you dig into their user history within the forum – I think it was maybe about four or five months before the Smaug offering – there was a post looking for a front-end dev. You know, they wanted somebody who was fluent in English and they were willing to pay two-thousand dollars in Bitcoin. This post itself was written in rather broken English, which would sort of contrast with the Smaug offering, which was in perfect English, you know, grammatically and in all ways. So, the distinction between the two would lead us to believe that there were in fact at least two different people – you know, an English-speaking front-end dev and then somebody else in the shadows, as it were.

Dave Bittner: Well, let's dig into the ransomware offering itself. Can you walk us through – someone who would engage with them, what sort of thing would they find themselves able to use?

Rory Gould: Unfortunately for businesses and individuals out there, it's actually rather easy to do this. In the initial offering, it gives you an Onion link to the website that Smaug is hosted on. Once you click through to that URL and you go to it, you're presented with a fairly generic registration. You know, you put your email in, you generate a password, you confirm your password, and you enter a security code. Once you do that, you get a confirmation, and it's sent to your email address pretty quickly. From there, you're given a Bitcoin wallet address, you send your 0.2 Bitcoin to that address. And once you're there, you know, you're account's active. You're essentially – you're good to go from that point. You can immediately go into the dashboard that the developers created.

Rory Gould: If anybody looks at the blog, they can see the photos of it. It's actually – I would argue it's quite a nice UI. It's pretty clean. It's rather sparse. You know, it does what it needs to do. And honestly, from there, it's just – it's point-and-click. You don't need to program anything. You really don't need to do anything at all. You just, you know, come up with a campaign title, you know, whatever company you're targeting, like the BBC or something, you can call it "BBC." Set it to "Business" model, so it'll infect all the computers within that network, but it only needs one decryption code to release all of them. Or if you really want to be nasty, you could send it out under the "Regular" mode, which means every single computer needs its own decryption key. You can generate a ransom message saying, you know, "Haha, you've been pwned. Send money to this Bitcoin address." And there you go. You just click the "create" button and that's it. You're away.

Dave Bittner: Now, in terms of the messages actually going out to infect people – the email messages, I suppose, a phishing campaign, something like that – is that outside of what Smaug will do? That's – you're on your own for that part of it?

Rory Gould: Yes, in terms of infection vectors or people you might want to target, that's one of the places you will be on your own, and you have to figure that one out yourself.

Joakim Kennedy: Yeah, and I would say it's something they kind of see. And one of the things that the ransomware-as-a-service provides is they provide you with the actual ransomware. They do handle the decryption part and the money part of that for the users of the service. And then it's sort of up to the user to try to infect and target the specific victims that they want to target. They just make it easier from sort of getting to that point and then sort of cashing out.

Rory Gould: Yes, they're very generous. They will manage the funds coming in and take their twenty-percent fee off it before you ever get to it. So I suppose that's one drawback from it.

Dave Bittner: Hmm. Well, let's dig into the ransomware itself, I mean, you all were able to take a look at the code here, what's going on under the hood?

Joakim Kennedy: So, under the hood, it's actually a relatively simple ransomware. Sort of in general, all ransomware have a very, very similar sort of functionality. They look for specific files on the machine, they encrypt them, and then sort of inform the user that this has happened and now to sort of achieve a decryption key. But then, in addition to that, other sort of ransomware that will do other things – some try to propagate through the network and try to remove certain backups, target specific backup files. Something we see with Windows, it tries to disable the Shadow Copy and remove any Shadow Copy files so you can't do the easy sort of recovery. And this sample – the current sort of generation of this ransomware – doesn't have any of these functionalities. The other sort of things – while some programs are running, they may lock specific files to prevent them from being tampered with or removed. So some ransomware will actually go through all the running processes on the machine and sort of turn off and stop all these processes to release those files. And it doesn't even have that sort of functionality. So, it's relatively simple. 

Joakim Kennedy: But flipping on that side, it is sort of a ransomware that is – it's marketed to function on multiple operating systems. So it works for – on the panel, they sell it for both Windows, for Mac, and for Linux. And what we've found is we've found samples for both Windows and Linux in the wild. So far, none of the Mac one has sort of come onto our radar. And the fact that it's sort of simple allows sort of the same code base to be used. They don't have to write specific sort of codes for a certain operating system to do certain tasks, and they can just compile to different architectures and different operating systems directly from the same code base. That's sort of part of it. So it's relatively easy from the development standpoint.

Dave Bittner: Now, does that simplicity, does that lead it to being, I guess, for lack of a better word, noisy? Is it easy to detect?

Joakim Kennedy: Ransomware in general are relatively easy to detect. They're pretty noisy when they do run. Most sort of EDR systems would pick this sort of activity up, as they are reading and writing a lot of files pretty quickly, which is usually a very abnormal activity. But in terms of that, it doesn't do anything else, so there's no other sort of direct indicators. It doesn't try to reach out to any network servers or something like that to pull something down, so you won't have any network-based indicators directly from this ransomware, in addition to how it sort of landed on the machine. So I wouldn't say it's sort of harder or easier than any other kind of ransomware.

Dave Bittner: And it's not actively going after your backups or anything like that, right?

Joakim Kennedy: It has a list of certain file extensions, so it will actually crawl through for those and look for files. So there are certain – so if it has, like, a ".backup" or common sort of file extensions that people might put on backup files, it would decrypt them. But it doesn't try to sort of connect to, say, a network share, for example, and try to decrypt – or encrypt that. And then also sort of if you have in Windows the Shadow Copy enabled, it currently doesn't remove those and disable that.

Dave Bittner: I see. What is your sense for how successful this has been? Has it caught on? Are you seeing much usage of it?

Joakim Kennedy: I'd say since we started looking at it, it's started to – first initial sort of samples coming in were more of a test type system. It seemed like maybe users were buying it and just sort of generating something and seeing how it worked to see, potentially, how it was detected by AV products. And that's mainly based on sort of the ransomware notes that were put in, some of them would have sort of the generic, the default one, and some had "test" in them, and things like that. We have picked up a couple of samples that are – appears to be some decoy files. So it was at the end of June, we started to see the first one, which was a self-extracting executable that was – it was looking like a Word file, so it had an icon of Microsoft Word, and it had a sort of a file name of a corporate detail, June 2020, which could intend this might be some sort of a potential phishing lure that might have been used.

Rory Gould: To be honest, if Joakim hadn't found those live samples, I would have been incredibly skeptical about this Smaug ransomware completely. You know, there's no activity on any of the forums. People are not talking about it. Even on that initial offering post, there were a few replies to it – maybe three or four – and it was people saying, can anybody vouch for this? Is this real? There was no replies. There was no reputation for the author. Since then, I've seen some more activity mentioning Smaug on other forums. But again, it is just people saying, you know, has anybody used this? Is this legit? Does anybody have any info, any feedback, anything? And nothing. None of those posts receive any replies whatsoever. And I mean, it got to the point where the moderators in the forum locked the post, the initial offering post, after ten days, and asked if the actor, corinda, would move eight-thousand dollars into an escrow account for the forum because they were beginning to become convinced that it was an exit scam and didn't really believe that there was anything behind it. So, that would caution me, I'll say that.

Dave Bittner: Yeah, that's interesting. So, I guess, I mean, that's an interesting component to this as well, that it's possible that some of these offerings may be scams themselves. I mean, it's sort of layers upon layers.

Rory Gould: It's entirely possible. You know, the moderators for the forums, as silly as it sounds, work very hard to try and combat any sort of exit scams or any scams in general or phishing or whatever it might be, because, of course, these are all heavily reputation-based. So they will – they'll be a very active middleman in any sort of process which will involve large sums of money being moved about between sellers and buyers or whatever the relationship may be.

Dave Bittner: So, in general, I mean, wrapping up on this one, is it more of an interesting one to take a look at from a research point of view, but probably something, at least at this point, that isn't a real active threat?

Joakim Kennedy: I think it's – you can kind of take it in sort of both ways. It's – obviously, one of the things is you don't really know what the next big threat's going to be, and it's always good to be prepared about whatever is out there. So sort of with regards to this one, when sort of the panel first came up, because there were no samples, anyone who knew anything about it, it was hard to sort of write detections for it. Now, when it's sort of – it has been identified, at least sort of like on the defender side, we're actually aware of the threat, so we can sort of at least prepare for that. In the end, it doesn't really matter which successful ransomware service or malware is actually infecting you. Either way, they do their job. They do, you know, encrypt and destroy people's data...

Dave Bittner: Right.

Joakim Kennedy: ...And it's, you know, even if it's successful or not, it still hurts the people that actually get infected by it.

Dave Bittner: Right. Right.

Joakim Kennedy: So, if we can at least prepare and help, you know, sort of the community protect against that, that's what we're all about.

Dave Bittner: Yeah, absolutely.

Rory Gould: Yes. I would agree with Joakim there. Because it's a ransomware-as-a-service, it may seem a little more amateurish or not as serious of a threat, and it'd be quite easy to be lulled into a false sense of security, thinking that no serious actor is going to use this or, you know, it's not going to seriously damage you. But it only takes that one person to infect you with it, and it's a huge issue. And of course, there could be other concerns that perhaps other more serious threat actors or threat groups could use something like this to avoid attribution. You know, you really just don't know.

Dave Bittner: Our thanks to Rory Gould and Joakim Kennedy from Anomali for joining us. We'll have a link to their research on the Smaug ransomware-as-a-service in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.