Virtualization Technology News and Information
Professional Ransomware Zyklon Continues to Evolve - Meet Serpent!
Article Written by Jeff Grundy

 

What This Post Will Cover:

  • An Analysis of What Zyklon/Serpent is and What It Does
  • How Serpent is Distributed and Installed
  • How Zyklon/Serpent Protects Itself Against Analysis and Anti-Malware Programs
  • How Serpent Encrypts Victims' Files
  • How to Protect Yourself Against Serpent and Other Ransomware Variants

[Image: serpent-ransomware-virus]

Overview

In May 2016, BleepingComputer, Tripwire's State of Security, and other sources reported on the release of the ransomware known as Zyklon Locker (or just Zyklon for short). Shortly after Zyklon was released, security researchers determined that it was a spinoff of the GNL Locker ransomware family and that it locked victims' files in a similar fashion. They also found that it was virtually impossible to decrypt a victim's files without a user-specific, randomly generated 32-character password, which, of course, victims had to pay to obtain.

Known by Many Names

Since its initial release, Zyklon has been updated several times, and with each revision the ransomware's name has changed as well. Zyklon became Wildfire, then Hades Locker, and now the ransomware is known as Serpent. Regardless of what you call it, the latest iteration is a dangerous ransomware application developed by professionals to wreak as much havoc, and generate as much income, as possible. From the latest reports, Serpent is primarily affecting Danish computer users. However, infections can, and often do, spread with little or no notice. Therefore, in this post, we will discuss how Serpent works and how to protect against it.

Zyklon/Serpent Distribution

Like many other ransomware variants, Serpent is distributed and spread primarily through spear phishing emails. While most of the phishing emails include a link for downloading the ransomware, some come with attachments that include the Serpent code. In most of the emails, the link or attachment is described as an invoice or another important financial document. Of course, this is merely a ploy to convince users to download the Serpent ransomware and install it on their computers.

Code Obfuscation and Self-Protection

Serpent is widely regarded by security professionals as professionally developed ransomware, and its feature set reflects that. It implements anti-analysis and anti-debugging techniques that complicate reverse engineering, together with several obfuscation techniques that evade detection by many anti-malware and anti-virus products. The developers included these measures as self-protection, to ensure the ransomware installs and runs on victims' systems before it is noticed.

The screenshots below give some insight into the code obfuscation Serpent uses to complicate analysis and detection. In the following images, you can see how Serpent generates multiple fake API calls as an anti-analysis measure against API monitors.

[Screenshots: serpent-image007, serpent-image005, serpent-image009]

To complicate things even more, Serpent also renames methods, fields, and classes to meaningless identifiers, as obfuscators for managed code commonly do. You can see this below.

[Screenshot: serpent-image011]

 

Serpent also obfuscates control flow and emits incorrect relative virtual addresses (RVAs) to further hinder analysis and detection.

[Screenshots: serpent-image013, serpent-image015]

 

With all the anti-analysis and obfuscation measures Serpent employs, it is easy to see why not all anti-malware and anti-virus applications detect and stop Serpent before it starts encrypting files. These countermeasures are one of the reasons many industry experts consider Serpent's development to be far more professional than that of many other strains currently being released.

Serpent Installation

As with other ransomware variants, Serpent requires user action before installation begins, usually the user opening a malicious attachment or launching a file downloaded from a malicious or compromised website. Almost immediately upon execution, Serpent starts hiding itself from detection and analysis.

During installation, Serpent drops its payload into the %Temp% folder as "exdatpus.dat", encoded by adding 0x01 to every byte. This is a trivial byte transform rather than real encryption, but it is enough to keep the staged file from looking like an executable to signature-based scanners. Next, Serpent writes "cpy.vbs" to the Startup folder. After the system reboots, the script decodes the .dat file back into "exdatpus.exe" and executes it.
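The staging step above is simple enough to reproduce for triage. The following Python is an added example, not code from the original post or from the malware: it applies the described transform (add 0x01 to every byte) and its inverse, and checks whether the decoded blob carries the MZ and PE signatures before treating it as the recovered executable. The sample bytes are a constructed minimal PE-shaped header, not a real Serpent payload.

```python
import struct
from typing import Optional

# Constructed stand-in for the staged payload: a minimal PE-shaped header
# (DOS 'MZ' stub, e_lfanew at offset 0x3C, 'PE\0\0' at 0x80). Not a real sample.
SAMPLE_EXE = (b"MZ" + b"\x90" * 58
              + struct.pack("<I", 0x80)
              + b"\x00" * 64
              + b"PE\x00\x00")


def shift_encode(data: bytes) -> bytes:
    """The described staging transform: add 0x01 to every byte, wrapping at 0xFF."""
    return bytes((b + 1) & 0xFF for b in data)


def shift_decode(data: bytes) -> bytes:
    """Inverse transform, what cpy.vbs has to do before it can run exdatpus.exe."""
    return bytes((b - 1) & 0xFF for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if the DOS 'MZ' signature is present and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_staged_payload(dat: bytes) -> Optional[bytes]:
    """Triage helper: decode a suspected .dat blob and return it only if it verifies as a PE."""
    candidate = shift_decode(dat)
    return candidate if looks_like_pe(candidate) else None


if __name__ == "__main__":
    staged = shift_encode(SAMPLE_EXE)
    print("staged blob starts with", staged[:2], "(no MZ header on disk)")
    print("recovered PE matches original:", recover_staged_payload(staged) == SAMPLE_EXE)
```

The PE check is what keeps this from being a blind byte shift: if a sample turns out to use a different constant or a real cipher, the decoded bytes fail the signature test and the function returns None instead of a garbage "executable".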

The screenshots below show the content of the exdatpus.dat and exdatpus.exe files created by Serpent during installation.

[Screenshots: serpent-image017, serpent-image019, serpent-image021]

 


How Serpent Encryption Works

Like many other modern ransomware strains, Serpent connects to a command-and-control (C&C) server to obtain the key material it needs to encrypt files on victims' computers. Therefore, Serpent cannot begin encrypting files on an infected machine unless an active Internet connection is present, a dependency worth remembering when you isolate a suspect host. Once a connection is established, Serpent downloads the master RSA-2048 public key in XML format.

[Screenshot: serpent-image023]

After Serpent downloads the public key and starts the locking process, it terminates any database-related processes it finds so that the database files they hold open can be encrypted. Processes usually terminated by Serpent include the following:

msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exeisqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exeagntsvc.exe, agntsvc.exeencsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe

Country Based Selection

Before starting the actual encryption of files on the system, Serpent queries http://ipinfo.io/ to geolocate the machine by its public IP address. If the returned country code is one of the following, Serpent remains on the system but does not encrypt any files. Systems located in these countries get a "free pass":

  • AM - Armenia
  • AZ - Azerbaijan
  • BY - Belarus
  • GE - Georgia
  • KG - Kyrgyzstan
  • KZ - Kazakhstan
  • MD - Moldova
  • RU - Russia
  • TM - Turkmenistan
  • TJ - Tajikistan

Note - If your system becomes infected and is not located in one of the above countries, Serpent encrypts virtually all the user-created files on the machine. Because the check is based on the public IP address that ipinfo.io sees, the result follows the system's Internet egress point, not its locale or keyboard settings.

How Country Based Selection Works

As mentioned above, Serpent requests the victim computer's country code and public IP address from http://ipinfo.io/json. It then sends a check-in request to one of the C&C servers listed in its configuration data. These servers are:

  • hxxp://185.106.122.86 (Romania)
  • hxxp://31.7.188.86 (Germany)
  • hxxp://169.239.128.114 (South Africa)

[Screenshots: serpent-image031, serpent-image033, serpent-image035]

Here's a sample of the process in action:

Based on data retrieved from http://ipinfo.io/, Serpent sends a check-in request to the C&C server in South Africa:

hxxp://169.239.128.114/register.php

The check-in request sent by Serpent contains the following information:

  • hwid - the hardware ID of the infected machine
  • campaign - the identifier assigned to the ransomware campaign (1 in this sample)
  • ip - the victim computer's public IP address
  • country - the country code obtained from http://ipinfo.io/

After receiving the check-in request, the C&C server replies with the master RSA-2048 public key. The key is represented as {n, e} in XML format, where n is the modulus and e the public exponent.
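The check-in sequence above is a usable detection pattern on its own. As an added example (not from the original post or any vendor tool), the following Python correlates proxy log lines: a host that fetches ipinfo.io/json and shortly afterwards contacts a bare-IP /register.php endpoint is flagged, and a request to one of the three C&C addresses listed above is flagged regardless of sequence. The log format is constructed for the example, the C&C addresses are the historical indicators from this post (not guaranteed to be current), and the register.php path is the one seen in the sample.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed proxy log lines (not real traffic): timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2017-08-21T10:15:02Z 10.0.0.7 GET http://ipinfo.io/json 200
2017-08-21T10:15:04Z 10.0.0.7 POST http://169.239.128.114/register.php 200
2017-08-21T10:20:11Z 10.0.0.9 GET http://ipinfo.io/json 200
2017-08-21T10:20:12Z 10.0.0.9 GET http://www.example.com/ 200
2017-08-21T11:02:40Z 10.0.0.12 POST http://31.7.188.86/register.php 200
2017-08-21T11:30:00Z 10.0.0.7 POST http://185.106.122.86/register.php 200
"""

# C&C addresses named in the article; treat as historical indicators.
KNOWN_C2 = {"185.106.122.86", "31.7.188.86", "169.239.128.114"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
GEOIP_RE = re.compile(r"^https?://ipinfo\.io/json/?$", re.I)
# A bare IPv4 host followed by the check-in script seen in the sample.
CHECKIN_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})/register\.php", re.I)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "url": url, "status": int(status)}


def find_checkins(log_text: str, window: timedelta = timedelta(minutes=2)) -> List[Tuple[str, str, str]]:
    """Return (client, c2_ip, reason) for each suspected Serpent check-in.

    reason is 'geoip-then-checkin' when the same client fetched ipinfo.io/json
    within `window` before the check-in, or 'known-c2' when only the address matched.
    """
    last_geoip: Dict[str, datetime] = {}
    alerts: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if GEOIP_RE.match(ev["url"]):
            last_geoip[ev["client"]] = ev["ts"]
            continue
        m = CHECKIN_RE.match(ev["url"])
        if not m:
            continue
        c2 = m.group(1)
        seen = last_geoip.get(ev["client"])
        if seen is not None and timedelta(0) <= ev["ts"] - seen <= window:
            alerts.append((ev["client"], c2, "geoip-then-checkin"))
        elif c2 in KNOWN_C2:
            alerts.append((ev["client"], c2, "known-c2"))
    return alerts


if __name__ == "__main__":
    for client, c2, reason in find_checkins(SAMPLE_LOG):
        print(f"{client} -> {c2}: {reason}")
```

The sequence rule is the durable part: the C&C addresses will rotate, but a geolocation lookup followed within seconds by a request to a bare IP address is unusual for ordinary users and survives infrastructure changes.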

[Screenshot: serpent-image037]

 

File Path Exclusions

In addition to skipping systems in the above countries, Serpent does not encrypt files whose paths contain certain strings. For example, Serpent does not encrypt files whose paths include any of the following:

  • \program files (x86)\
  • \program files\
  • tor browser
  • \windows\
  • \programdata\
  • \$recycle.bin\

 

The Encryption Process

Once Serpent receives the master RSA-2048 public key and determines that your system is in a country it targets, it starts encrypting files on your machine. For the file contents, Serpent uses AES-256-CBC, which on its own is secure and not practical to break. The AES key and initialization vector are then encrypted with the imported RSA-2048 public key, so that without the operators' private key, decryption is infeasible with current technology. Serpent stores the RSA-encrypted AES key and initialization vector in the encrypted file's footer, Base64-encoded.

[Screenshots: serpent-image027, serpent-image029]

 

What Files Does Serpent Encrypt?

Most ransomware strains target files with extensions created by popular word processing, graphics, database, and other commonly used applications. Serpent is no different, but it takes the number of targeted extensions to a whole new level. Many ransomware encryptors target 10 or 20 popular extensions, such as .DOCX, .PDF, .XLSX, and so on. Serpent, on the other hand, targets 876 common, and not so common, extensions associated with user-created files. With Serpent, it is probably easier to ask what the ransomware doesn't encrypt, which, of course, is not much. Here is the list of file extensions Serpent targets when encrypting files on victims' computers:

List of File Extensions Targeted by Serpent Encryption

".#vc, .$ac, ._vc, .00c, .07g, .07i, .08i, .09i, .09t, .10t, .11t, .123, .13t, .1cd, .1pa, .1pe, .2011, .2012, .2013, .2014, .2015, .2016, .2017, .210, .3dm, .3ds, .3fr, .3g2, .3gp, .3me, .3pe, .3pr, .500, .7z, .7zip, .aac, .aaf, .ab4, .abk, .ac, .ac2, .acc, .accd, .accdb, .accde, .accdr, .accdt, .ach, .aci, .acm, .acr, .act, .adb, .adp, .ads, .aep, .aepx, .aes, .aet, .afm, .agdl, .ai, .aif, .aiff, .ait, .al, .amj, .aoi, .apj, .arc, .arw, .as, .as3, .asc, .asf, .asm, .asp, .aspx, .asx, .ati, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bat, .bay, .bb, .bc8, .bc9, .bd2, .bd3, .bdb, .bgt, .bik, .bin, .bk, .bk2, .bkc, .bke, .bkf, .bkn, .bkp, .blend, .bmp, .bpf, .bpp, .bpw, .brd, .brw, .btif, .bup, .bz2, .c, .cal, .cat, .cb, .cd, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdt, .cdx, .ce1, .ce2, .cer, .cf8, .cf9, .cfdi, .cfg, .cfp, .cgm, .cgn, .ch, .chg, .cht, .cib, .clas, .class, .clk, .cls, .cmd, .cmt, .cmx, .cnt, .cntk, .coa, .config, .contact, .cpi, .cpp, .cpt, .cpw, .cpx, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csr, .css, .csv, .cur, .cus, .cvt, .d07, .dac, .dat, .db, .db-journal, .db_journal, .db3, .dbf, .dbk, .dbx, .dc2, .dch, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .defx, .der, .des, .design, .dgc, .dif, .dip, .dit, .djv, .djvu, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .ds4, .dsb, .dsf, .dtau, .dtb, .dtd, .dtl, .dwg, .dxb, .dxf, .dxg, .dxi, .ebc, .ebd, .ebq, .ec8, .edb, .efs, .efsl, .efx, .emd, .eml, .emp, .ens, .ent, .epa, .epb, .eps, .eqb, .erbsql, .erf, .ert, .esk, .ess, .esv, .etq, .ets, .exf, .exp, .fa1, .fa2, .fb, .fbw, .fca, .fcpa, .fcpr, .fcr, .fdb, .fef, .ffd, .fff, .fh, .fhd, .fim, .fkc, .fla, .flac, .flf, .flv, .flvv, .fmb, .fmv, .fon, .fpx, .frm, .fx0, .fx1, .fxg, .fxr, .fxw, .fyc, .gdb, .gem, .gfi, .gif, .gnc, .gpc, .gpg, .gray, .grey, .groups, .gry, .gsb, .gto, .gz, .h, .h10, .h11, .h12, .hbk, .hdd, .hif, .hpp, .hsr, .htm, .html, .hts, .hwp, .i2b, .iban, .ibank, .ibd, .ibz, .ico, .idml, .idx, .iff, .iif, .iiq, 
.img, .imp, .incpas, .indb, .indd, .indl, .indt, .ini, .int?, .intu, .inv, .inx, .ipe, .ipg, .itf, .jar, .java, .jin, .jng, .jnt, .jou, .jp2, .jpe, .jpeg, .jpg, .js, .jsd, .jsda, .jsp, .kb7, .kbx, .kc2, .kd3, .kdbx, .kdc, .key, .kmo, .kmy, .kpdx, .kwm, .laccdb, .lay, .lay6, .lcd, .ldc, .ldf, .ldr, .let, .lgb, .lhr, .lid, .lin, .lit, .lld, .lmr, .log, .lua, .lz, .m, .m10, .m11, .m12, .m14, .m15, .m16, .m2ts, .m3u, .m3u8, .m4a, .m4p, .m4u, .m4v, .mac, .max, .mbk, .mbsb, .mbx, .md, .mda, .mdb, .mdc, .mdf, .mef, .mem, .met, .meta, .mfw, .mhtm, .mid, .mkv, .ml2, .ml9, .mlb, .mlc, .mmb, .mml, .mmw, .mn1, .mn2, .mn3, .mn4, .mn5, .mn6, .mn7, .mn8, .mn9, .mne, .mnp, .mny, .mone, .moneywell, .mos, .mov, .mp2, .mp3, .mp4, .mpa, .mpe, .mpeg, .mpg, .mql, .mrq, .mrw, .ms11, .msg, .mwi, .mws, .mx0, .myd, .mye, .myi, .myox, .n43, .nap, .nd, .ndd, .ndf, .nef, .nk2, .nl2, .nni, .nop, .npc, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nv, .nv2, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obi, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oet, .ofc, .ofx, .ogg, .oil, .old, .omf, .op, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p08, .p12, .p7b, .p7c, .pab, .pages, .paq, .pas, .pat, .pbl, .pcd, .pcif, .pct, .pcx, .pd6, .pdb, .pdd, .pdf, .pef, .pem, .per, .pfb, .pfd, .pfx, .pg, .php, .php5, .phtml, .pic, .pif, .pl, .plb, .plc, .pls, .plt, .plus_muhd, .pma, .pmd, .png, .pns, .por, .pot, .potm, .potx, .pp4, .pp5, .ppam, .ppf, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .pr0, .pr1, .pr2, .pr3, .pr4, .pr5, .prel, .prf, .prn, .prpr, .ps, .psafe3, .psd, .psp, .pspimage, .pst, .ptb, .ptdb, .ptk, .ptx, .pvc, .pwm, .pxa, .py, .q00, .q01, .q06, .q07, .q08, .q09, .q43, .q98, .qb1, .qb20, .qba, .qbb, .qbi, .qbk, .qbm, .qbmb, .qbmd, .qbo, .qbp, .qbr, .qbw, .qbx, .qby, .qbz, .qch, .qcow, .qcow2, .qdf, .qdfx, .qdt, .qed, .qel, .qem, .qfi, .qfx, .qif, .qix, .qme, .qml, .qmt, .qmtf, .qnx, .qob, .qpb, .qpd, .qpg, .qph, .qpi, .qsd, .qsm, .qss, .qst, .qtx, .quic, .quo, .qw5, .qwc, .qwmo, .qxf, 
.r3d, .ra, .raf, .rar, .rat, .raw, .rb, .rcs, .rda, .rdb, .rdy, .reb, .rec, .resx, .rif, .rm, .rpb, .rpf, .rss, .rtf, .rtp, .rvt, .rw2, .rwl, .rwz, .rz, .s12, .s3db, .s7z, .saf, .safe, .saj, .sas7bdat, .sav, .save, .say, .sba, .sbc, .sbd, .sbf, .sbk, .scd, .sch, .sct, .sd0, .sda, .sdf, .sdy, .seam, .ses, .set, .shw, .sic, .sik, .skg, .sldm, .sldx, .slk, .slp, .spf, .spi, .sql, .sqli, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .ssg, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stm, .str, .stw, .stx, .svg, .swf, .swp, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .t00, .t01, .t02, .t03, .t04, .t05, .t06, .t07, .t08, .t09, .t10, .t11, .t12, .t13, .t14, .t15, .t99, .ta1, .ta2, .ta4, .ta5, .ta6, .ta8, .ta9, .tar, .tax, .tax0, .tax1, .tax2, .tb2, .tbk, .tbp, .tdr, .tex, .text, .tfx, .tga, .tgz, .thm, .tib, .tif, .tiff, .tjl, .tkr, .tlg, .tom, .tpl, .trm, .trn, .tt10, .tt11, .tt12, .tt13, .tt14, .tt15, .tt20, .ttf, .txf, .txt, .u08, .u10, .u11, .u12, .umb, .uop, .uot, .v30, .vb, .vbk, .vbox, .vbpf, .vbs, .vcf, .vdf, .vdi, .vhd, .vhdx, .vib, .vmb, .vmdk, .vmsd, .vmx, .vmxf, .vnd, .vob, .vrb, .vsd, .vyp, .vyr, .wab, .wac, .wad, .wallet, .war, .wav, .wb2, .wbk, .wi, .wk1, .wk3, .wk4, .wks, .wma, .wmf, .wmv, .wpd, .wpg, .wps, .x11, .x3f, .xaa, .xcf, .xeq, .xhtm, .xis, .xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xpm, .xqx, .ycbcra, .yuv, .zdb, .zip, .zipx, .zix, .zka."

Important Note - Serpent uses the same AES key and initialization vector for every file it encrypts. Reusing the IV across files under CBC means that files sharing an identical leading block produce identical leading ciphertext blocks, a cryptographic weakness that leaks structure but does not help recover the key; it also means that recovering that one key, for example from the process's memory while it is still running, would unlock every file at once. Encrypted files are given the ".srpx" file extension.
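A quick way to sanity-check the key and file layout described in the encryption section and in the note above, as an added example that is not part of the original post: the Python below parses the public key in the .NET RSAKeyValue XML layout (assumed here to be what the server returns, since that is how .NET emits {n, e} as XML), and splits an .srpx file into its ciphertext and the Base64 footer holding the RSA-wrapped key and IV. The footer is assumed to be exactly the Base64 of one 256-byte RSA-2048 block appended to the ciphertext; the key and file contents below are constructed random data, not a real key or a real victim file.

```python
import base64
import random
import xml.etree.ElementTree as ET
from typing import Tuple

RSA_BYTES = 256          # output size of RSA-2048
FOOTER_B64_LEN = 344     # Base64 length of 256 bytes (85 full groups + one padded group)


def parse_rsa_xml(xml_text: str) -> Tuple[int, int]:
    """Parse a .NET-style <RSAKeyValue> public key into (n, e); values are big-endian Base64."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue document")
    mod_b64, exp_b64 = root.findtext("Modulus"), root.findtext("Exponent")
    if mod_b64 is None or exp_b64 is None:
        raise ValueError("Modulus or Exponent element missing")
    n = int.from_bytes(base64.b64decode(mod_b64), "big")
    e = int.from_bytes(base64.b64decode(exp_b64), "big")
    return n, e


def key_sanity(n: int, e: int) -> bool:
    """Checks an analyst would run on a downloaded key: 2048-bit odd modulus, e = 65537."""
    return n.bit_length() == 2048 and n % 2 == 1 and e == 65537


def split_srpx(blob: bytes) -> Tuple[bytes, bytes]:
    """Split an .srpx file into (aes_ciphertext, rsa_wrapped_key_iv).

    Assumed layout: AES-256-CBC ciphertext followed by a fixed-length Base64 footer
    that decodes to one 256-byte RSA block wrapping the 32-byte key and 16-byte IV.
    """
    if len(blob) < FOOTER_B64_LEN:
        raise ValueError("file too short to carry a footer")
    body, footer = blob[:-FOOTER_B64_LEN], blob[-FOOTER_B64_LEN:]
    wrapped = base64.b64decode(footer, validate=True)
    if len(wrapped) != RSA_BYTES:
        raise ValueError("footer does not decode to a 256-byte RSA block")
    if len(body) % 16 != 0:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    return body, wrapped


# --- constructed sample data: a random odd 2048-bit "modulus", not a real RSA key ---
_rng = random.Random(2017)
SAMPLE_N = _rng.getrandbits(2048) | (1 << 2047) | 1
SAMPLE_KEY_XML = (
    "<RSAKeyValue><Modulus>{}</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
    .format(base64.b64encode(SAMPLE_N.to_bytes(RSA_BYTES, "big")).decode())
)
SAMPLE_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(64))   # 4 AES blocks
SAMPLE_WRAPPED = bytes(_rng.getrandbits(8) for _ in range(RSA_BYTES))
SAMPLE_SRPX = SAMPLE_CIPHERTEXT + base64.b64encode(SAMPLE_WRAPPED)

if __name__ == "__main__":
    n, e = parse_rsa_xml(SAMPLE_KEY_XML)
    print("key sane:", key_sanity(n, e), "modulus bits:", n.bit_length())
    body, wrapped = split_srpx(SAMPLE_SRPX)
    print("ciphertext bytes:", len(body), "wrapped key bytes:", len(wrapped))
```

Because the same key and IV are used for every file, the footer of any one file on a victim's machine is enough to hand to whoever holds the private key. The two checks also flag a sample that downloaded a smaller key or wrote a body that is not block-aligned, either of which would indicate a build that differs from the one described here.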

Serpent Circumvents Shadow Copy Rescue

With some ransomware infections, it may be possible to access important files even after they've been encrypted by restoring shadow copies or previous versions of the affected files. The Windows Volume Shadow Copy Service creates copies of many files on the computer, including most user-created ones, and allows users to roll back to previous copies or versions when needed. Unfortunately, with Serpent, this type of access to previous versions or shadow copies is not possible.

Serpent Deletes All Shadow Copies and Previous Versions

Serpent ensures that you lose access to your user-created files by deleting any shadow copies or previous versions on the system. It deletes all existing shadow copies with the following command:

WMIC.exe shadowcopy delete /nointeractive

Next, Serpent makes the deleted shadow copy data unrecoverable by overwriting all free space on the volume, which is what cipher's /W switch does, using the following command:

cipher.exe /W:<DRIVE:>

Wiping free space on a whole volume takes a long time and generates heavy disk I/O, so a cipher.exe process started with /W by an unexpected parent is itself a strong detection signal.

As you can see, once Serpent encrypts the files on your system, it takes steps to ensure that the only way to retrieve them is to pay the ransom, unless you took steps to protect your files beforehand, which we cover below.
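The two commands above are loud and worth alerting on. As an added example (not from the original post or any product), the following Python classifies process-creation events by command line, matching the WMIC shadow copy deletion and the cipher /W free-space wipe described here, and also the vssadmin "Delete Shadows" form that other ransomware families use, which this post does not mention. The events are constructed in the shape of Sysmon Event ID 1 or Security 4688 records, not real telemetry.

```python
import re
from typing import Dict, List

# Constructed process-creation events (host, image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-07", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "WMIC.exe shadowcopy delete /nointeractive"},
    {"host": "WS-07", "image": r"C:\Windows\System32\cipher.exe",
     "cmdline": "cipher.exe /W:C:\\"},
    {"host": "WS-03", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS-11", "image": r"C:\Windows\System32\cipher.exe",
     "cmdline": r'cipher.exe /E "C:\Users\alice\secret"'},   # legitimate EFS use
    {"host": "WS-11", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe os get caption"},                   # benign WMIC query
]

# Each rule: (name, case-insensitive regex over the whitespace-normalised command line).
RULES = [
    ("wmic-shadowcopy-delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("vssadmin-delete-shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("cipher-wipe-free-space", re.compile(r"\bcipher(?:\.exe)?\b.*\s/w:", re.I)),
]


def normalize(cmdline: str) -> str:
    """Collapse runs of whitespace so spacing tricks do not defeat the patterns."""
    return " ".join(cmdline.split())


def classify(event: Dict) -> List[str]:
    """Return the names of every rule the event's command line matches."""
    cmd = normalize(event["cmdline"])
    return [name for name, rx in RULES if rx.search(cmd)]


def triage(events: List[Dict]) -> Dict[str, List[str]]:
    """Group rule hits by host; a host that trips more than one rule is the strongest lead."""
    by_host: Dict[str, List[str]] = {}
    for ev in events:
        for name in classify(ev):
            by_host.setdefault(ev["host"], []).append(name)
    return by_host


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```

The cipher rule deliberately keys on the /W: switch rather than on cipher.exe itself, because cipher is also the normal EFS management tool and a bare image-name match would page you for every user who encrypts a folder.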

The Serpent Ransom Demand

After Serpent encrypts the files on your computer, it creates two copies of a ransom note in each folder that contains encrypted files (one in .html format and the other as a .txt file).

The file used for the .txt file version of the ransom note:

README_TO_RESTORE_FILES_<RANDOM 3 CHARACTERS>.txt

Here is a screenshot of the actual ransom note file:

[Screenshot: serpent-image039]

 

The file used for the HTML version of the ransom note is:

README_TO_RESTORE_FILES_<RANDOM 3 CHARACTERS>.html

And, here is a screenshot of the HTML version:

 

[Screenshot: serpent-image041]

 

Super Expensive Ransom

As you can see from the ransom note, it lists two clearnet website addresses and one Tor site where the victim can go to pay. The ransom amount itself is never stated in the note. The Serpent payment sites are reported to demand 0.25 Bitcoin (about $1,025) for the decryptor, rising to 0.75 Bitcoin (about $3,075) if payment is not made within 7 days of the initial encryption. At the time of writing, one Bitcoin trades at nearly $4,100, which makes Serpent's ransom one of the most expensive around.

Paying the Ransom and Decrypting Files

If you don't have a backup of your system, the only decryption route the operators offer is to pay the ransom, and even then there is no guarantee that the decryptor they deliver will work. Serpent provides a payment/decryption service at the following addresses:

  • 3o4kqe6khkfgx25g.onion
  • hxxp://hmkwegza.pw
  • hxxp://pwmhgfhm.pw

Here's a sample image of one of the Serpent decryption service pages:

[Screenshot: serpent-image043]

As you can see from the image, there is a link that lets you decrypt two of your encrypted files for free. It is provided to convince you that the decryption service works, and so to pay the ransom for the rest. Presently, there is no known way to decrypt files locked by Serpent without paying the ransom and obtaining the decryptor program.

Protect Your Files From Serpent

The best way to protect yourself from ransomware or any other type of malware or virus is with a reliable backup strategy. That way, if your system does ever become infected, you can restore it with confidence and without the need to pay a hefty ransom. Now, you may already be aware that Acronis True Image is the fastest and best backup software available. What you may not be aware of, though, is that our backup software also includes one of the most effective ransomware detection and deterrent systems available as well: Acronis Active Protection.

Acronis Active Protection Stops Ransomware Dead!

Acronis True Image 2017 New Generation and True Image 2018 both include Acronis Active Protection, which offers complete ransomware protection against Serpent and other variants. If Serpent or another variant does attempt to encrypt files, Acronis Active Protection stops the ransomware dead in its tracks and restores automatically any affected files from the latest backup versions. Take a look below to see how Acronis Active Protection protects your computer and files against Serpent ransomware.

[Screenshots: serpent-image045, serpent-image047, serpent-image051]


Published Monday, August 21, 2017 2:54 PM by David Marshall