Summary
At the end of January, Acronis experts discovered a new sample of the Osiris ransomware, which bypasses Windows Defender protection. Here are some details about the Osiris ransomware.

- Osiris belongs to the seventh generation of the Locky ransomware family and is usually distributed through spam;
- Osiris is difficult to detect, as it uses standard Windows components to download and execute its malicious code (scripts and libraries);
- Osiris can detect virtual environments, which makes analysis and debugging on virtual machines difficult; this algorithm was significantly improved compared with the original version, which appeared in June 2016;
- It infects local devices and spreads easily over the network, infecting other computers and network shares;
- Osiris can also spread through CRM / customer support systems (including cloud-based ones) across organizations. An infected user at any organization can send an email to the CRM address; the CRM's internal parser analyzes the incoming email and attaches the infected attachment to the automatically generated request (ticket). A customer support engineer then opens the ticket, opens the attachment in Excel and infects the network.
- As Acronis experts anticipated, the criminals have begun attacking backup solutions. Osiris directly attacks the Microsoft Volume Shadow Copy Service (VSS) of Windows operating systems and removes already created shadow copies;
- Osiris uses strong encryption algorithms, so infected data cannot be decrypted by third-party tools;
- It infects Windows devices and possibly also Mac and Android devices.
Acronis Active Protection is the only technology that can block all versions of Osiris and at the same time instantly recover encrypted data, provided Acronis True Image 2017 New Generation was running on the computer at the time of the attack.
Attacks on backup solutions
To prevent victims of an attack from restoring files from backups, Osiris disables the Microsoft Volume Shadow Copy Service (VSS). This technology is included in Microsoft Windows and allows backups to be made manually or automatically, or a snapshot of the data to be taken.
Osiris also deletes already created shadow copies by running the command "vssadmin.exe Delete Shadows /All /Quiet" in silent mode. This prevents the user from restoring the system from the saved data on the infected computer.
Microsoft VSS has no built-in self-protection, so the shadow copies it creates can be deleted or modified. Acronis predicted such attacks on backup solutions and implemented self-defense techniques in its own products.
Independent tests have already shown that Acronis products are resistant to the attacks used by Osiris.
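A defender-side check for the command lines this post describes (the vssadmin shadow deletion above, and the rundll32 launch of the .zk payload from %Temp% and the .jse dropper covered later under Infection), written as an added example that is not part of the original post. The "image | command line" records, the rule names and the user name alice are constructed for the example.

```python
import ntpath
import re

# Constructed process-creation records in "image | command line" form
# (loosely modelled on Sysmon Event ID 1); sample data, not from the post.
SAMPLE_EVENTS = """\
C:\\Windows\\System32\\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet
C:\\Windows\\System32\\vssadmin.exe | vssadmin.exe list shadows
C:\\Windows\\System32\\rundll32.exe | C:\\Windows\\System32\\rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\EKIJLP~1.ZK,0QaQzdZN8Pft5YPfVEdEYu
C:\\Windows\\System32\\rundll32.exe | rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL
C:\\Windows\\System32\\wscript.exe | wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\Order Confirmation.jse
"""

# vssadmin asked to delete shadow copies (the /Quiet flag only suppresses prompts)
VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
# rundll32 <module>,<entrypoint>: capture the module path before the comma
RUNDLL_MODULE = re.compile(r"\brundll32(?:\.exe)?\b\s+\"?(?P<module>[^,\"]+?)\"?\s*,", re.I)
# wscript/cscript launching a script file
SCRIPT_HOST = re.compile(r"\b[wc]script(?:\.exe)?\b\s+\"?(?P<script>.+?\.(?:jse?|vbs|wsf))\"?\s*$", re.I)
TEMP_DIR = "\\appdata\\local\\temp\\"


def classify(command_line):
    """Return the list of rule names that match one command line."""
    hits = []
    if VSS_DELETE.search(command_line):
        hits.append("vss_shadow_delete")
    m = RUNDLL_MODULE.search(command_line)
    if m:
        module = m.group("module")
        # Osiris hides its DLL under a non-.dll extension in the user's Temp directory
        if TEMP_DIR in module.lower() or ntpath.splitext(module)[1].lower() != ".dll":
            hits.append("rundll32_suspicious_module")
    m = SCRIPT_HOST.search(command_line)
    if m and TEMP_DIR in m.group("script").lower():
        hits.append("script_dropper_from_temp")
    return hits


def scan(events):
    """Yield (image, hits) for every record that triggers at least one rule."""
    findings = []
    for line in events.splitlines():
        image, _, cmd = line.partition(" | ")
        hits = classify(cmd.strip())
        if hits:
            findings.append((image.strip(), hits))
    return findings


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```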
Evolution of the Locky family
The Locky family of ransomware Trojans has received another update: the new encryptor is called Osiris, after the Egyptian god of the afterlife. The malware comes with updated functionality designed for attacks, including attacks on backup programs, and is able to avoid detection. It adds the .osiris extension to encrypted files and uses the standard ransomware scheme: infection, encryption, extortion. Osiris, built on the best practices of the Locky family, is one of the most serious security threats that computer users face today.
Locky was first discovered in February 2016 and has since undergone at least seven changes, trying to stay one step ahead of the security solution providers attempting to detect and stop this type of ransomware. There are suggestions that Locky was developed in Russia, because early versions of the program did not infect computers with a Russian locale. The Excel tabs also use Russian names, and script functions are named with Russian slang words.
- .locky - February 2016
- .zepto - June 2016. A month later, Locky began to support offline encryption using built-in RSA keys in case it could not reach its command-and-control server.
- .odin - September 2016
- .shit, .thor - October 2016
- .aesir - November 2016
- .zzzzz, .osiris - December 2016
Acronis security researchers analyzed the following Osiris ransomware sample:
- File Name: ekijLpDlRXB.zk
- Size: 161625 bytes
- Date: 01/29/2017
- MD5: 3545436c22a9a43e29396df87823013d
It is important to note that Osiris also infects Apple Mac and Android devices. Acronis experts are now engaged in the study of this issue, for which it is planned to issue a separate report.
Distribution scheme
1. Spam. Osiris is usually distributed through spam emails with the words "Account" or "Order Confirmation" in the subject line and a compressed attachment containing a malicious script. This can be an Excel file with a VBA macro or an executable .jse script (the dropper). When executed, it downloads the DLL file and runs it with Rundll32.exe.
The Osiris authors try to hide the malware by avoiding the .exe extension, instead using standard Windows components to run their scripts and DLL files.
An example of a spam email containing an attachment infected with Osiris (image used with permission from BleepingComputer).
2. Malicious ads. Criminals using ransomware use legitimate ad networks to place special advertisements created for distributing ransomware with little or no user involvement. Among the sites affected last year were the BBC, MSN and AOL, with cyber criminals using automated ad networks to achieve their goals, which allowed them to place malicious advertisements once their account had passed an initial check.
Infection of corporate networks
Osiris, like Locky, is a Trojan with a worm-like propagation method. It can spread over the network without user intervention. Some victims of its attacks reported having to disable the domain controller to stop the spread of the attack. Osiris is capable of infecting thousands of shared folders, shared drives over a network, and other devices on the network. For any business, the damage from the loss of so many devices on one network may be irreparable.
Osiris can also spread through CRM / customer support systems (including cloud-based ones) across organizations. An infected user at any organization can send an email to the CRM address; the CRM's internal parser analyzes the incoming email and attaches the infected attachment to the automatically generated request (ticket). A customer support engineer then opens the ticket, opens the attachment in Excel and infects the network.
Infection
The Osiris.js dropper uses the cheburgen function to download the malicious payload ekijLpDlRXB.zk. (Cheburgen is a compound word referring to the characters of the well-known cartoon, Cheburashka and Crocodile Gena.) The latest version of the Osiris dropper, dated January 29, 2017, is 71 KB in size, twice the size of the previous version released in December 2016. At the time of writing, Windows Defender cannot detect it.
The API Monitor screenshot shows the execution of the cheburgen function.
The first attempt to download the malicious code was made using a Polish server.
The Process Monitor screenshot shows the dropper trying to contact home.net.pl.
However, the program then switched to the Russian server elixe[.]net, which is currently blocked by most antivirus programs.
The Process Monitor screenshot shows the malware being downloaded from elixe[.]net.
ekijLpDlRXB.zk is downloaded to the user's temporary files directory.
The Wireshark screenshot shows the download of the malicious code, 161894 bytes in size. The IP address 92.255.47.9 probably belongs to the pool of IP addresses of the Osiris command-and-control server.
After a successful download, ekijLpDlRXB.zk is activated via rundll32.exe using the following command (for this sample):
"C:\Windows\System32\rundll32.exe C:\Users\%UserName%\AppData\Local\Temp\EKIJLP~1.ZK,0QaQzdZN8Pft5YPfVEdEYu"
The Process Monitor screenshot shows the execution process using rundll32.exe.
After activation, Osiris immediately begins to encrypt files and displays the ransom message using the default browser, for example Firefox:
firefox.exe -osint -url "%USERPROFILE%\Desktop\OSIRIS.htm"
The Osiris ransom message.
Virtual Environment Detection
Apparently, the virtual machine detection mechanism introduced in July 2016 did not do its job. The Osiris authors improved the logic by replacing the function GetProcessHeap() with the function GetOEMCP(), updated the criteria for detecting a virtual environment based on CPU cycles (20 measurements instead of 10), and also increased the number of checks (from one to two). They also relaxed the detection criterion, reducing the required runtime difference between virtual and physical environments from ten times to three times.
Virtual machine detection is designed to prevent anti-virus researchers from analyzing this malware inside virtual machines. This algorithm, however, is ineffective, as Acronis experts were able to analyze the sample successfully in a virtual environment. The pseudocode of the function is presented below:
```c
BOOL passNewImprovedVMCheck()
{
    unsigned __int64 tsc1, tsc2, tsc3;
    BOOL firstPassResult = FALSE;
    BOOL secondPassResult = FALSE;
    int i;

    // First pass: 20 measurements (the original Locky used 10)
    for (i = 0; i < 20; i++) {
        tsc1 = __rdtsc();
        GetOEMCP();      // cheap user-mode call; replaced GetProcessHeap() from the original Locky
        tsc2 = __rdtsc();
        CloseHandle(0);  // call that enters the kernel
        tsc3 = __rdtsc();
        // Did CloseHandle take at least 3x longer than GetOEMCP()? (Locky required 10x)
        if ((LODWORD(tsc3) - LODWORD(tsc2)) / (LODWORD(tsc2) - LODWORD(tsc1)) >= 3)
            firstPassResult = TRUE;
    }
    if (!firstPassResult) {
        // CloseHandle was not sufficiently slower than GetOEMCP: treat as a virtual machine, stop
        return FALSE;
    }

    // Second pass (new in this version): the same measurement loop repeated
    for (i = 0; i < 20; i++) {
        tsc1 = __rdtsc();
        GetOEMCP();
        tsc2 = __rdtsc();
        CloseHandle(0);
        tsc3 = __rdtsc();
        if ((LODWORD(tsc3) - LODWORD(tsc2)) / (LODWORD(tsc2) - LODWORD(tsc1)) >= 3)
            secondPassResult = TRUE;
    }
    if (!secondPassResult) {
        // Same decision as after the first pass: treat as a virtual machine, stop
        return FALSE;
    }
    return TRUE;
}
```
How to protect against Osiris
Decrypting Osiris files "manually" is impossible, as it uses strong encryption algorithms. The probability that decryption utilities will appear is extremely small.
At the same time, Acronis Active Protection successfully protects computer systems from the Osiris malware. The basis of the innovative technology used in Acronis True Image 2017 New Generation, which is in the process of being patented, is behavioral heuristics, thanks to which it easily identifies and stops Osiris activity. It also allows the user to instantly recover any affected files.
Osiris detection on a computer running Acronis True Image 2017 New Generation with Acronis Active Protection enabled.
The screenshot shows that the attack was stopped, but several files were encrypted.
Four files encrypted by the Osiris ransomware.
All files were instantly restored to their original state using Acronis Active Protection without paying the ransom.
Can you afford to lose eight years of data?
According to media reports, the Osiris ransomware was used to infect the Cockrell Hill Police Department in Texas, which resulted in the loss of eight years of important evidence.
"The official report of the police department said that the malware came from 'a cloned address that mimics the address given by the department,' and after a successful infection demanded a ransom in the amount of 4 Bitcoins, which today is about $3,600, or, as the department said, 'almost 4,000 US dollars,'" says the Register news site. Data was lost because the department did not use proper backup procedures and active data protection such as Acronis Active Protection.
Can you afford to be the next ransomware victim? We don't think so, which is why we recommend protecting the data on your Windows machines with Acronis True Image 2017 New Generation with the Acronis Active Protection feature.
Download the white paper about Acronis Active Protection