
“ColdLock” Ransomware Hits Taiwanese Organizations


Researchers discovered a new ransomware codenamed “ColdLock” that targeted several organizations in Taiwan. According to researchers from Trend Micro, the ransomware appears to target databases and email servers for encryption.

The researchers found similarities between ColdLock and previously discovered ransomware variants – Lockergoga, Freezing, and EDA2. “There have been no indications that this attack has hit any other organization outside of those targeted; we do not believe that this family is currently in widespread use,” the researchers stated.

How the Ransomware Is Injected

The attackers deliver the ransomware payload as a .NET executable in the form of a .DLL file, packed and protected with the ConfuserEx packer. The DLL is executed through PowerShell, which reflectively loads the .NET assembly into memory to run it.

“It contains two checks to verify if it’s running. Firstly, it checks for the presence of %System Root%\ProgramData\readme.tmp, which is used by the ransom note. This check prevents a system from being reinfected by the same threat. More unusually, it will check the system clock. It will only run at or later than 12:10 PM on any given day; if it is earlier, it will sleep for 15 seconds until it is past the said time,” the researchers explained.

Encryption

Before encrypting files, ColdLock performs some preliminary routines. First, it stops services that may be holding target files open, so that locked files do not cause access violations during encryption. These services include:

  • mariadb
  • msexchangeis
  • mssql
  • mysql
  • oracleservice

The ransomware also terminates the Outlook process and checks the Windows version running on the system. If it is running Windows 10, it carries out several Windows 10-specific routines. Windows Defender and Push notifications are disabled, including the ability to send feedback/malware samples to Microsoft.

“The encryption process uses the AES function in CBC mode. It generates the needed key and initialization vector (IV) using a salt and secret key; the former is embedded in the code while the latter is generated dynamically using the SHA-256 hash of a randomly generated 32-byte long string. This is then encrypted using a hard-coded public RSA key and then embedded in the ransom note. Encrypted files get the .locked extension,” the researchers added.

The ransom note is stored in different locations on the victim’s system, which include:

  • %Desktop%\How To Unlock Files.Txt
  • %System Root%\ProgramData\readme.tmp
  • %User Startup%\How To Unlock Files.Txt
  • {Encrypted Drive}:\How To Unlock Files.Txt
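The behaviours described above (stopping database and mail services, creating the ransom note, renaming files to .locked) are what a defender can correlate in host telemetry. The following is an added example written for this page, not code from Trend Micro or from the malware; it uses a constructed, simplified event format and constructed sample lines, so real Sysmon or EDR exports would need their own parser.

```python
import re

# Services the write-up says ColdLock stops before encrypting (the page's list).
TARGET_SERVICES = {"mariadb", "msexchangeis", "mssql", "mysql", "oracleservice"}
# Ransom-note file names from the write-up, lower-cased for matching.
NOTE_NAMES = {"how to unlock files.txt", "readme.tmp"}

# Constructed, simplified event format for this example only; real telemetry
# (Sysmon, System log event 7036, EDR exports) needs its own parser.
SERVICE_STOP = re.compile(r"^(?P<ts>\S+) service_stop name=(?P<name>\S+)$")
FILE_EVENT = re.compile(r"^(?P<ts>\S+) file_(?P<op>rename|create) path=(?P<path>.+)$")

def score_events(lines, locked_threshold=5):
    """Return (score, findings); score counts distinct indicator classes seen."""
    stopped, locked, notes = set(), 0, set()
    for line in lines:
        m = SERVICE_STOP.match(line)
        if m:
            name = m.group("name").lower()
            if name in TARGET_SERVICES:
                stopped.add(name)
            continue
        m = FILE_EVENT.match(line)
        if not m:
            continue
        path = m.group("path").strip().lower()
        if m.group("op") == "rename" and path.endswith(".locked"):
            locked += 1
        elif path.rsplit("\\", 1)[-1] in NOTE_NAMES:
            notes.add(path)
    findings = []
    if len(stopped) >= 2:  # several DB/mail services stopped together
        findings.append("services stopped: " + ", ".join(sorted(stopped)))
    if locked >= locked_threshold:  # one rename alone never alerts
        findings.append(f"{locked} files renamed to .locked")
    if notes:
        findings.append("ransom notes: " + ", ".join(sorted(notes)))
    return len(findings), findings

# Constructed sample stream, not real telemetry from the incident.
# Timestamps sit after 12:10 PM, matching the clock check described above.
SAMPLE = [
    "12:11:02 service_stop name=MSSQL",
    "12:11:03 service_stop name=msexchangeis",
    "12:11:09 file_create path=C:\\ProgramData\\readme.tmp",
    "12:11:20 file_create path=D:\\How To Unlock Files.Txt",
] + [f"12:11:{30 + i} file_rename path=D:\\data\\db{i}.mdf.locked" for i in range(6)]
```

Calling `score_events(SAMPLE)` returns a score of 3 with all three indicator classes listed; a stream with only a stopped print spooler and a single .locked rename returns 0.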

Ransom Note (image courtesy: Trend Micro)

The ransomware also alters several registry settings and changes the wallpaper for all users; the new wallpaper carries an instruction to read the ransom note.

Trend Micro recommended some practices for users to protect against ransomware:

  • Periodically back up files using the 3-2-1 rule. The rule entails creating three backups in two different formats and storing one copy offsite
  • Regularly patch and update applications, software, and operating systems to address any exploitable vulnerabilities. For zero-day vulnerabilities, take advantage of virtual patching
  • Activate sandbox analysis. This enables safe monitoring as malicious files can be executed in an isolated environment