Ransomware groups are posing a more significant and multi-pronged danger to organizations worldwide. The biggest hazard to businesses is losing access to their systems and data. Furthermore, ransomware gangs’ potential to expose data if their ransom demands are rejected or reported to law enforcement agencies has become more concerning.
Cyble Research Labs have come through new ransomware known as Koxic. This blog showcases the deep-dive analysis of one of the Koxic ransomware samples to identify their capabilities and the way to secure yourself/your organization from them.
Technical Analysis
Based on static analysis, we found that the malicious file is a 32-bit Graphical User Interface (GUI) based binary, as shown in Figure 1.
After execution, Koxic Ransomware tries to get system information using GetSystemInfo() API, which extracts the information such as ProcessorType, NumberOfProcessors, etc.
The following Registry values are added/modified by the ransomware, which helps the attacker set the Remote Desktop services settings, disables windows defender features, removes security and maintenance icons, and disables notifications and action centers.
- SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\MaxDisconnectionTime
- SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\MaxIdleTime
- SOFTWARE\\Policies\\Microsoft\\Windows\\HomeGroup\\DisableHomeGroup
- SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware
- SOFTWARE\\Policies\\Microsoft\\Windows Defender\\AllowFastServiceStartup
- SOFTWARE\\Policies\\Microsoft\\Windows Defender\\ServiceKeepAlive
- SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring
- SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring
- SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable
- SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection
- SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection
- SOFTWARE\\Microsoft\\Windows Defender\\Spynet\\DisableBlockAtFirstSeen
- SOFTWARE\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent
- SOFTWARE\\Microsoft\\Windows Defender\\UX Configuration\\NotificationSuppress
- SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection
- Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth
- Software\\Policies\\Microsoft\\Windows\\Explorer\\DisableNotificationCenter
If they are actively running in the system, the ransomware terminates processes such as MSASCuiL.exe, MSMpeng.exe, and msseces.exe.
The malware also deletes the shadow copies using vssadmin and disables the database applications such as MongoDB, SQLWrite, and MSSQLServerOLAPService before starting the encryption.
Then, it executes a custom decryption logic for getting the name of the ransom note, as shown in the below figure.
After identifying the ransom note name, the ransomware calls the following APIs for getting the system privileges which supports the encryption process.
- SeBackupPriviledge(): This API grants access to the attacker for reading files for their encryption process.
- SeRestorePriviledge(): Grants access to attacker for writing files.
- SeManageVolumePriviledge(): Allows attackers to understand the volume details for their encryption process.
- SeTakeOwnershipPriviledge(): Allows attackers to take ownership of files or other objects.
The ransomware then steals sensitive system information and writes it to a file named “MOJPMLVBJ” in the TEMP folder, as shown in Figures 6 and 7. After the encryption process, the stolen information ends up with the attacker.
The malware calls GetLogicalDrives() function to get the details of the drive in the victim’s machine for encrypting the files. Next, the malware creates a mutex named “atus” to make sure another instance of the same program is not running on the machine. Finally, it drops ransom notes in all the locations.
The below figure demonstrates the ransom note dropped by the malware with the name “WANNA_RECOVER_KOXIC_FILEZ_KLIBD.txt” to instruct the victims to pay the ransom money for the decryption keys.
In their ransom note, the TAs have instructed victims to contact them via qTox on their TOXID: F3C777D22A0686055A3558917315676D607026B680DA5C8D3D4D887017A2A844F546AE59F59F and have also given an Email ID: wilhelmkox@tutanota[.]com. In case the victim does not pay the ransom, the attackers, through the ransom note, threaten the victims to leak or sell their data to black-market or to competitors, and they also threaten for DDOS attack on the victim’s infrastructure.
After dropping the ransom notes, the malware encrypts the files on the victim’s machine and appends the extension with “KOXIC_KLIBD” as shown in the below figure.
Finally, the malware deletes itself using CreateProcess() API, as shown in Figure 10.
Conclusion
To update their Ransomware programs with new Tactics, Techniques, and Procedures (TTPs) to target devices, TAs continually add new functionality to their code. Based on these interpretations, we can reasonably predict that future Koxic versions will include even more improvements.
We continuously monitor Koxic’s extortion campaigns and update our readers with the latest information.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety measures needed to prevent ransomware attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users should take the following steps after the ransomware attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impacts and cruciality Of Koxic Ransomware
- Loss of Valuable data.
- Loss of organization’s reliability or integrity.
- Loss of organization’s businesses information.
- Disruption in organization operation.
- Economic loss.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1078 | -Valid Accounts |
| Execution | T1059 | -Command and Scripting Interpreter |
| Privilege Escalation | T1548 | -Abuse Elevation Control Mechanism |
| Defense Evasion | T1112 T1027 T1562.001 | -Modify Registry -Obfuscated Files or Information -Impair Defenses: Disable or Modify Tools |
| Discovery | T1082 T1083 | -System Information Discovery -File and Directory Discovery |
| Impact | T1490 T1489 T1486 | -Inhibit System Recovery -Service Stop -Data Encrypted for Impact |
Indicators of Compromise (IOCs)
| Indicators | Indicator type | Description |
| 699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd | SHA256 | Koxic Executable |
| wilhelmkox@tutanota[.]com | Email ID | Email ID mentioned in Koxic Ransom Note |
