08 February 2018

The Runner: a key component of the SamSam ransomware campaign – An analysis by Quick Heal Security Labs

Written by Amar Patil
Malware, Ransomware, Security

In Jan 2018, Hancock Health, a healthcare network based in Greenfield, Indiana, was attacked by the SamSam ransomware. It encrypted the files containing patients’ data, which disrupted their critical services. Although SamSam is not a new ransomware, it has evolved over time. We observed its first variant in Feb 2016; it used the RSA algorithm to encrypt targeted users’ files. This time, however, we have observed a significant change in the way the ransomware is launched. The major difference between the old and new variants is the use of an executable, ‘runner.exe’, which decrypts a file with the ‘.stubbin’ extension and executes the decrypted content. The result of the decryption is the SamSam ransomware file.

Fig 1 below depicts the attack chain of the current SamSam ransomware campaign.

Fig 1. SamSam Ransomware attack chain


This deployment technique makes the ‘Runner’ a key component of the SamSam ransomware campaign. However, we are not aware of the infection vector through which ‘runner.exe’ itself is delivered. In this post, we take a deeper look at ‘runner.exe’, the key component of this campaign.

The Runner

We have seen different variants of ‘runner.exe’ in the last few months. With every variant, we noticed a change in the number of arguments passed to ‘runner.exe’. The first argument is used as the password to decrypt the ‘.stubbin’ file, and the remaining arguments are passed on to the decrypted payload, which is the SamSam ransomware.

Fig 2. Execution sequence of the Runner

Let’s look at the details of the .NET-compiled executable (runner.exe) of the variant that takes three command-line arguments.

Fig 3. Execution sequence code

‘Runner.exe’ searches its current working directory for files with the ‘.stubbin’ extension; the first file found is taken as the encrypted payload. It reads the content of the file into a byte array (arg_4E_0) and deletes the original ‘.stubbin’ file. The array of encrypted bytes and the first command-line argument (the password) are passed to the ‘Decrypt’ function. The Runner then loads the decrypted bytes into memory and executes them, passing its remaining command-line arguments as input.
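The loader behaviour described above (a process started with arguments that reads and then deletes a ‘.stubbin’ file from its working directory) is observable in endpoint telemetry regardless of how the binary is named or obfuscated. The following Python script is an added example written for this post, not code from Quick Heal or from the malware; it runs over constructed Sysmon-style JSON events and the 60-second correlation window is an assumption.

```python
import json
import ntpath
from datetime import datetime, timedelta

# Constructed Sysmon-style JSON telemetry (sample data, not from the original post): a loader
# started with a password plus two payload arguments that then deletes the '.stubbin' it read,
# alongside benign events that must not alert.
SAMPLE_EVENTS = [
    '{"ts":"2018-02-01T10:00:00","type":"process","pid":4120,"cwd":"C:\\\\tmp",'
    '"image":"C:\\\\tmp\\\\runner.exe","cmd":"runner.exe Pa55 arg1 arg2"}',
    '{"ts":"2018-02-01T10:00:02","type":"file_delete","pid":4120,"path":"C:\\\\tmp\\\\core.stubbin"}',
    '{"ts":"2018-02-01T10:05:00","type":"process","pid":5000,"cwd":"C:\\\\Users\\\\a",'
    '"image":"C:\\\\Windows\\\\notepad.exe","cmd":"notepad.exe"}',
    '{"ts":"2018-02-01T10:06:00","type":"file_delete","pid":5000,"path":"C:\\\\Users\\\\a\\\\notes.txt"}',
    '{"ts":"2018-02-01T11:00:00","type":"process","pid":6001,"cwd":"C:\\\\tmp",'
    '"image":"C:\\\\tmp\\\\x.exe","cmd":"x.exe"}',
    '{"ts":"2018-02-01T11:30:00","type":"file_delete","pid":6001,"path":"C:\\\\tmp\\\\old.stubbin"}',
]

WINDOW = timedelta(seconds=60)  # assumed: the Runner deletes the file right after reading it

def parse_events(lines):
    # Decode JSON lines and order them by timestamp.
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_stubbin_loaders(lines, window=WINDOW):
    """Alert when a process launched with arguments deletes a '.stubbin' file
    shortly after start. The match is behavioural, so a renamed or obfuscated
    'runner.exe' still triggers; the image name is only reported, not required."""
    events = parse_events(lines)
    starts = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for ev in events:
        if ev["type"] != "file_delete" or not ev["path"].lower().endswith(".stubbin"):
            continue
        proc = starts.get(ev["pid"])
        if proc is None or not (timedelta(0) <= ev["ts"] - proc["ts"] <= window):
            continue
        argv = proc["cmd"].split()
        if len(argv) < 2:  # the Runner needs at least the password argument
            continue
        alerts.append({
            "pid": ev["pid"], "image": proc["image"], "stubbin": ev["path"],
            "arg_count": len(argv) - 1,  # password + arguments forwarded to the payload
            "deleted_from_cwd": ntpath.dirname(ev["path"]).lower() == proc["cwd"].lower(),
        })
    return alerts
```

Only the first process alerts: notepad deletes a non-‘.stubbin’ file, and x.exe has no arguments and deletes its ‘.stubbin’ half an hour after launch, outside the window.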

Decryption of ‘.stubbin’ file

‘Runner.exe’ uses the Rijndael algorithm, a symmetric-key cipher, to decrypt the bytes passed as cipher data. Here, it uses a 32-byte key and a 16-byte initialization vector (IV) to decrypt the ‘.stubbin’ file.

Figure 4 below shows how the key and IV are generated from the password.

Fig 4. IV and key generation

The ‘PasswordDeriveBytes’ class is used to generate the key and IV. It is a predefined .NET class whose constructor takes a password and a salt as input to derive key material. A salt is random data used as an additional input to the function that “hashes” the password; it makes a common password uncommon.

Fig 5 below shows the decryption routine which decrypts the SamSam ransomware file.

Fig 5. Decryption routine of the core .stubbin file

A ‘CryptoStream’ and a Rijndael decryptor are used to perform the cryptographic operation on the cipher data. Applying the Rijndael algorithm with the derived key and IV to the cipher data yields the ransomware payload.

The runner variants

In the oldest version of SamSam ransomware, no ‘runner.exe’ was observed; only the payload was executed, with an RSA symmetric key as a command-line argument. The latest variant, however, uses ‘runner.exe’ with 4 arguments.

Fig 6 below shows the difference between the arguments passed in different variants of ‘runner.exe’.

Fig 6. Variants of ‘runner.exe’

We are also observing a few variants using obfuscation in their code and function names.

Fig 7. Obfuscation in ‘runner.exe’

The deployment technique used in the SamSam ransomware campaign makes retrieval of the core ransomware difficult, which in turn hinders the creation of static detections for the SamSam ransomware file. The compile timestamp (TimeDateStamp) of the variants shows fresh variants of ‘runner.exe’ arriving every month. So, in the coming days, we may see new variants with more obfuscation and more advanced functionality.

Indicators of compromise (MD5)

  • D8469E625AE90AB64D4AEF0B63F42150
  • 7A25B0D43047552CBDAD17CFB488317D
  • 038FB413F51B0AB7EB088E0F3EA7BE90
  • A82DB52BC6F1E5477EB1809CD5F23489

Subject Matter Experts

Dhwanit Shrivastava, Yogesh Bane | Quick Heal Security Labs
