Threat Actor Leveraging Vice Society’s Codebase for Greater Impact
Custom-branded ransomware has recently seen a surge in development. We have observed Threat Actors (TAs) using the leaked source code of an existing ransomware family to create new variants by modifying that code. This lets them tailor the ransomware to specific industries, organizations, or regions, improving its chances of evading detection and infecting victims, and it greatly reduces the time and resources needed compared with writing a new family from scratch.
Cyble Research and Intelligence Labs (CRIL) has been closely monitoring the latest threats, including Ransomware, Remote Access Trojans (RATs), and Stealers, among others, and has been publishing blogs about them to keep our readers informed and aware.
Recently, CRIL came across a ransomware variant named Rancoz, first identified by the researcher @siri_urz. Our analysis shows that this ransomware shares notable code similarities and overlaps with the Vice Society ransomware.
The Rancoz ransomware group employs a double extortion technique to maximize their chances of receiving payment from victims. This technique involves not only encrypting the victim’s data but also threats from the TAs to release the stolen data on their designated leak site.
The figure below shows the Onion leak page of the Rancoz ransomware and the affected organization.
For analysis purposes, we have taken the sample with SHA-256 hash b95a4443bb8bff80d927ac551a9a5a5cfac3e3e03a5b5737c0e05c75f33ad61e, a 64-bit console application compiled with MinGW (GCC), as shown in the following figure.
Upon execution, the malware opens a console window and logs each of its actions there in real time. This suggests that the operator launches the ransomware interactively after gaining access to the victim's machine.
Command Line Arguments
The ransomware starts by inspecting its command-line arguments. If the argument count is not greater than one, it prints the message “Command line arguments are not used.” Otherwise, it validates the supplied arguments.
The Rancoz ransomware checks the supplied arguments against the following predefined switches:

|Argument|Purpose|
|---|---|
|`/f`|File argument. Encrypts only the specified file|
|`/d`|Directory argument. Encrypts only the specified directory|
|`/s`|Prints out any argument provided|

If the supplied arguments match none of these switches, the ransomware prints “Not Valid Arguments” and, just as when no arguments are passed at all, falls back to its default execution path of encrypting every enumerated drive.
Once running, the ransomware imports a hardcoded NTRU public key and stores it as configuration data for use during the encryption stage. While infecting the system, it tracks its progress and prints the status in real time to the console window, as shown in the figure below.
Deleting ShadowCopy & RDP
Next, the ransomware uses the ShellExecuteW() function to run a series of commands that sabotage both recovery and forensics on the victim's system: it deletes all Volume Shadow Copies, removes the Remote Desktop connection history from the Windows Registry, deletes the user's default Remote Desktop Protocol (RDP) configuration file, and clears every Windows event log. The `/c` prefix on the first command shows it is handed to cmd.exe as a parameter; `del` and `for` are cmd.exe built-ins, so they must be launched the same way.
The table below lists the commands and their purpose.

|Command|Purpose|
|---|---|
|`/c vssadmin.exe Delete Shadows /All /Quiet`|Delete all Volume Shadow Copies so the victim cannot restore files from snapshots|
|`reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f`|Remove the most-recently-used RDP connection list from HKCU|
|`reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"`|Remove the saved RDP server entries; together with the previous command this erases traces of the operator's remote sessions and hinders reconstruction of lateral movement|
|`attrib Default.rdp -s -h` followed by `del Default.rdp`|Unhide and delete the default RDP connection file from the user profile|
|`for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"`|Enumerate every Windows event log and clear it, removing evidence of the intrusion|
The figure below shows the values passed to the ShellExecute() API function.
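The commands above are noisy in process-creation telemetry, which makes them a good place to alert before encryption starts. The following is an added example, not code from the write-up or from the malware: it runs a handful of regex rules over constructed process events (the `timestamp pid= image= cmdline=` line format and every event in `SAMPLE_LOG` are made up for this example) and tags each hit with its ATT&CK technique. Real telemetry such as Sysmon Event ID 1 or Security 4688 needs its own parser in place of `parse_line()`.

```python
"""Detection logic for the recovery-inhibiting and anti-forensic commands
attributed to Rancoz, run over sample process-creation events.

Added example, not code from the write-up or from the malware. The log
format (timestamp, pid=, image=, cmdline=) and the events in SAMPLE_LOG are
constructed for this example.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "pid technique description command")

# Rules are checked in order and the first hit wins, so the wevtutil loop is
# listed before the plain "wevtutil cl" rule. Technique IDs are ATT&CK IDs.
RULES = [
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*/all\b", re.I),
     "T1490", "Volume Shadow Copies deleted (Inhibit System Recovery)"),
    (re.compile(r"\breg(\.exe)?\s+delete\s+.*terminal server client\\(default|servers)", re.I),
     "T1070", "RDP connection history removed from HKCU (Indicator Removal)"),
    (re.compile(r"\b(del|attrib)\s+.*\bdefault\.rdp\b", re.I),
     "T1070", "Default.rdp unhidden or deleted (Indicator Removal)"),
    (re.compile(r"\bfor\s+/f\s+.*\bwevtutil(\.exe)?\s+el\b", re.I),
     "T1070.001", "Loop over 'wevtutil el' to clear every event log"),
    (re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
     "T1070.001", "Windows event log cleared (Clear Windows Event Logs)"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+image=(?P<image>\S+)\s+cmdline=(?P<cmd>.*)$"
)

# Constructed events: the Rancoz sequence from the table, then three benign
# uses of the same tools that must not fire.
SAMPLE_LOG = r"""
2023-05-10T10:02:11Z pid=4120 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
2023-05-10T10:02:12Z pid=4121 image=C:\Windows\System32\reg.exe cmdline=reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
2023-05-10T10:02:12Z pid=4122 image=C:\Windows\System32\reg.exe cmdline=reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
2023-05-10T10:02:13Z pid=4123 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c attrib Default.rdp -s -h
2023-05-10T10:02:13Z pid=4124 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c del Default.rdp
2023-05-10T10:02:14Z pid=4125 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
2023-05-10T10:02:15Z pid=4126 image=C:\Windows\System32\wevtutil.exe cmdline=wevtutil.exe cl "Security"
2023-05-10T11:30:00Z pid=5012 image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin.exe list shadows
2023-05-10T11:31:00Z pid=5013 image=C:\Windows\System32\wevtutil.exe cmdline=wevtutil.exe qe Security /c:5
2023-05-10T11:32:00Z pid=5014 image=C:\Windows\System32\reg.exe cmdline=reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
"""


def parse_line(line):
    """Return the fields of one constructed log line as a dict, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(log_text):
    """Match every process event against RULES; at most one Finding per line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for pattern, technique, description in RULES:
            if pattern.search(rec["cmd"]):
                findings.append(Finding(int(rec["pid"]), technique, description, rec["cmd"]))
                break
    return findings


def summarize(findings):
    """Count findings per ATT&CK technique ID."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


def rancoz_prelude(findings):
    """High-confidence signal: shadow-copy deletion together with log or RDP
    trace removal in the same event set, the sequence the write-up describes
    running before encryption starts."""
    techniques = {f.technique for f in findings}
    return "T1490" in techniques and any(t.startswith("T1070") for t in techniques)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"pid {h.pid} {h.technique:10} {h.description}")
    print(summarize(hits), "prelude" if rancoz_prelude(hits) else "isolated")
```

A single `vssadmin delete shadows` is worth an alert on its own; the combination with event-log clearing and RDP history removal within seconds is the pattern to escalate, since by then the encryptor threads are about to start.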
The Rancoz ransomware employs a multi-threading strategy to carry out file encryption. This is accomplished by creating four worker threads using the CreateThread() API function and synchronizing with the main thread. The worker threads are responsible for the encryption of the file contents.
Each worker thread reads the file content, encrypts it with ChaCha20-Poly1305, and writes the encrypted blocks back to the file.
The figure below shows the ChaCha20-Poly1305 implementation.
Meanwhile, the main thread's primary task is to identify and list all local and remote drives, including network shares, on the compromised system. It does this by checking each drive's type (the integer values returned by the GetDriveType API) and accepting values 0 to 4: DRIVE_UNKNOWN (0), DRIVE_NO_ROOT_DIR (1), DRIVE_REMOVABLE (2), DRIVE_FIXED (3), and DRIVE_REMOTE (4). DRIVE_CDROM (5) and DRIVE_RAMDISK (6) fall outside that range and are not targeted.
The figure below shows the execution status of the ransomware after the drive enumeration process is completed.
Once the drives are identified, the main thread initiates the enumeration of directories and subdirectories to collect the file paths for encryption.
During encryption, the Rancoz ransomware skips particular directory names and file extensions. The directories listed in the table below are excluded from the encryption process.

|Excluded directories|||||
|---|---|---|---|---|
|Install Shield Installation Information|Intel|Internet Explorer|Kaspersky Lab|McAfee|
|Microsoft|Microsoft Help|Microsoft SDKs|Microsoft Shared|Microsoft VS Code|
|Microsoft Visual Studio|Microsoft.NET|MovieMaker|Mozilla|Mozilla Firefox|
|NVIDIA Corporation|Opera|Package Cache|Packages|Reference assemblies|
|Spytechsoftware|Symantec|Symantec Client Security|System Volume Information|Temp|
|Windows|Windows App Certification Kit|Windows Defender|Windows Kits|Windows Mail|
|Windows Media Player|Windows Multimedia Platform|Windows NT|Windows Phone Kits|Windows Phone Silverlight Kits|
|Windows Photo Viewer|Windows Portable Devices|Windows Security|Windows Sidebar|WindowsApps|
The table below outlines the file extensions designated to be excluded from the encryption process.
After identifying the files, the main thread proceeds to commence the encryption process on the victim’s system utilizing the designated worker threads mentioned earlier.
Rancoz combines asymmetric and symmetric encryption: NTRUEncrypt for the asymmetric part and ChaCha20-Poly1305 for the symmetric file encryption. As is standard for such hybrid schemes, the symmetric key material is protected with the NTRU public key embedded in the binary, so the files cannot be recovered without the private key held by the operators; because ChaCha20-Poly1305 is authenticated encryption, a tampered ciphertext fails to decrypt rather than yielding partial plaintext.
Furthermore, it drops a ransom note titled “HOW_TO_RECOVERY_FILES.txt” in every enumerated directory and renames each encrypted file by appending the “.rec_rans” extension.
The below figure shows the encrypted files.
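The two artefacts just described, the `.rec_rans` extension and the note in every enumerated directory, are what a responder uses to scope the damage. The following is an added example, not code from the write-up or the malware: it walks a directory tree, recovers the original file names for the restore list, records which directories carry a note, and separates directories left alone because they match the exclusion list from plaintext files that survived inside an otherwise encrypted directory. The file layout is constructed in a temporary folder so the script runs offline; the `EXCLUDED_DIRS` set is a subset of the write-up's list, and for a real case `triage()` would be pointed at a mounted disk image or share root.

```python
"""Scope a Rancoz-style encryption run from the artefacts the write-up
describes: files renamed with ".rec_rans" and a HOW_TO_RECOVERY_FILES.txt
note in every enumerated directory.

Added example, not code from the write-up or from the malware. The sample
tree is constructed in a temporary directory; EXCLUDED_DIRS is a subset of
the directory names the write-up lists as skipped by the encryptor.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".rec_rans"
NOTE_NAME = "HOW_TO_RECOVERY_FILES.txt"
EXCLUDED_DIRS = {"Windows", "Temp", "System Volume Information",
                 "Mozilla Firefox", "Microsoft", "Intel"}

# Constructed layout, not a real victim image.
SAMPLE_FILES = [
    "Users/alice/Documents/report.docx.rec_rans",
    "Users/alice/Documents/budget.xlsx.rec_rans",
    "Users/alice/Documents/HOW_TO_RECOVERY_FILES.txt",
    "Users/alice/Pictures/holiday.jpg.rec_rans",
    "Users/alice/Pictures/HOW_TO_RECOVERY_FILES.txt",
    "Users/alice/Pictures/thumbs.db",
    "Windows/System32/kernel32.dll",
    "Temp/scratch.log",
    "Users/alice/AppData/Local/Mozilla Firefox/profile.ini",
]


def build_sample_tree(base):
    """Materialise SAMPLE_FILES under base with placeholder content."""
    for rel in SAMPLE_FILES:
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content\n")
    return base


def is_excluded(directory, root):
    """True if any path component below root is on the exclusion list."""
    return any(part in EXCLUDED_DIRS
               for part in Path(directory).relative_to(root).parts)


def triage(root):
    """Walk root and report encrypted files, note locations, skipped
    directories and plaintext survivors; every list is returned sorted."""
    root = Path(root)
    report = {"encrypted": [], "notes": [], "skipped": [], "survivors": []}
    for dirpath, _subdirs, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        encrypted = [f for f in filenames if f.endswith(ENCRYPTED_EXT)]
        if NOTE_NAME in filenames:
            report["notes"].append(rel_dir)
        for f in encrypted:
            # Original name recovered by stripping the appended extension:
            # this pair list is what goes to whoever restores from backup.
            report["encrypted"].append((f"{rel_dir}/{f}", f[:-len(ENCRYPTED_EXT)]))
        if is_excluded(dirpath, root):
            if filenames and not encrypted:
                report["skipped"].append(rel_dir)
        elif encrypted:
            # Plaintext left in a directory that was otherwise encrypted. The
            # write-up says an extension exclusion list exists but does not
            # reproduce it, so treat these as "untouched, verify before use".
            for f in filenames:
                if f not in encrypted and f != NOTE_NAME:
                    report["survivors"].append(f"{rel_dir}/{f}")
    for items in report.values():
        items.sort()
    return report


def demo():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key} ({len(items)})")
        for item in items:
            print("   ", item)
```

Directories under `Windows`, `Temp` or `Mozilla Firefox` showing up in `skipped` rather than `encrypted` is the expected picture for this family; an encrypted file inside one of them would indicate a different build or a different exclusion list and is worth a second look.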
After encrypting the files, the ransomware replaces the desktop background of the infected system by writing values under the following registry key:
- Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Because this is the policy location rather than HKCU\Control Panel\Desktop, the wallpaper is applied as a policy setting, and the user cannot simply change it back from the Personalization settings until those values are removed.
The accompanying figure shows the modified desktop background resulting from the ransomware’s actions.
The below image shows the ransom note utilized by the Rancoz ransomware. The ransom note also provides guidance to the victims on how to reach out to the TAs to recover their encrypted files/pay the ransom.
The constant evolution and release of new ransomware variants highlight the advanced skills and agility of TAs, indicating that they are responding to cybersecurity measures and checks being implemented and customizing their ransomware accordingly.
The appearance of a newly rebranded strain of ransomware further emphasizes the persistent danger posed by ransomware groups to organizations, individuals, and even governmental entities, serving as a reminder that the risk of ransomware attacks remains an ongoing concern in today’s digital landscape.
Cyble Research & Intelligence Labs continuously monitors all ransomware campaigns and will keep updating our readers with the latest information and our findings.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile
- Refrain from opening untrusted links and email attachments without verifying their authenticity
Users Should Take the Following Steps After a Ransomware Attack
- Disconnect infected devices from the network
- Disconnect external storage devices if connected
- Inspect system logs for suspicious events
Impact of Rancoz Ransomware
- Loss of Valuable Data
- Loss of the organization’s reputation and integrity
- Loss of the organization’s sensitive business information
- Disruption in organization operation
- Financial loss
MITRE ATT&CK® Techniques
|Tactic|Technique ID|Technique Name|
|---|---|---|
|Execution|T1059|Command and Scripting Interpreter|
|Discovery|T1082|System Information Discovery|
|Discovery|T1135|Network Share Discovery|
|Discovery|T1083|File and Directory Discovery|
|Defense Evasion|T1070.001|Indicator Removal: Clear Windows Event Logs|
|Impact|T1486|Data Encrypted for Impact|
|Impact|T1490|Inhibit System Recovery|
Indicators of Compromise (IOCs)

|Indicators|Indicator Type|Description|
|---|---|---|
|b95a4443bb8bff80d927ac551a9a5a5cfac3e3e03a5b5737c0e05c75f33ad61e|SHA-256|Rancoz ransomware sample analyzed above|