Analysis: A new ransomware group emerges from the Change Healthcare cyber attack
As the full scope of the Change Healthcare cyber attack and ransomware story unfolds, a new leading gang has emerged known as ‘RansomHub’. This ‘new’ group has been claiming more victims since the massive February ransomware and data breach attack.
On April 8, Forescout Research – Vedere Labs obtained samples used by RansomHub affiliates in a separate incident. Here is our analysis of:
- The new group’s background information
- The auxiliary files
- The encryptor
- Similarities to ALPHV’s TTPs
The figure below shows a simplified timeline of the story detailed in this post.
The Change Healthcare cyber attack and RansomHub’s break from ALPHV
ALPHV’s cyber attack on Change Healthcare is one of the most impactful in history. Change Healthcare is one of the largest health payment processing companies in the world – and is a subsidiary of United Healthcare. As a clearing house for 15 billion medical claims a year, it makes up nearly 40% of all claims.
The attack has had severe implications for the affected organization and its customers. It has also put a new spotlight on the ransomware scene. RansomHub is recruiting former ALPHV affiliates after the former group’s ‘exit scam’.
On February 12, ALPHV ransomware affiliate “Notchy” compromised Change Healthcare, a large payment management company connecting more than 1.6 million health professionals, 70,000 pharmacies and 8,000 healthcare facilities in the US healthcare system.
The attackers leveraged compromised credentials for Citrix remote-access software that did not have multi-factor authentication enabled. Following lateral movement and data exfiltration, they deployed the ransomware nine days later. The attack has had a reported financial impact of $872 million and included the exfiltration of 6 TB of sensitive data. It has taken months to restore systems, and the company has given at least two congressional testimonies.
Learn more: Watch United Healthcare’s CEO speak with the US Committee on Energy and Commerce about the attack:
There’s more. Change Healthcare paid $22 million in ransom to ALPHV, which then appeared not to share the payment with Notchy. Notchy and several other former ALPHV affiliates then moved over to a new ransomware operation, RansomHub, which has been growing very quickly ever since. RansomHub started leaking Change Healthcare files on April 15 and extorted the company a second time, claiming that the original payment did not go to the right people.
RansomHub RaaS: From RAMP to Change Healthcare and beyond
RansomHub was announced as a new ransomware-as-a-service (RaaS) affiliate program on the well-known RAMP cybercriminal forum on February 2 by “koley”. The forum message (shown in the figure below) had details on:
- The “locker” encrypting malware developed by the group and leased to affiliates.
- The “panel” used by affiliates to manage negotiations with victims.
- The “ticket” conditions to join their program.
- The “rules” that affiliates must follow when in the program.
As a modern ransomware, it is written in Golang and C++. It supports Windows, Linux, ESXi and devices running on MIPS architectures. An interesting characteristic is that the program pays the affiliates first, who then pay RansomHub itself – a very different model from ALPHV and probably what attracted many disgruntled affiliates from other programs.
[RansomHub’s first post on the RAMP Forum – LinkedIn Screenshot]
The group claimed their first victim on February 10: YKP LTDA, a financial consulting company from Brazil. They claimed 27 other victims between February 10 and April 8, when they first added Change Healthcare to their list.
In total there were 45 victims between February and April 30. The largest share of victims, 13, were in the US, followed by six victims in Brazil and three victims each in the UK, Italy and Spain.
Analysis of auxiliary files: STONESTOP and POORTRY
We start the analysis of the incident we observed by describing the following relevant files:
Filename | Hash | Description |
---|---|---|
disableAV.bat | 813f54d9053d91a46d9ec3381a2283f3ed8274a976e34fc795c5239fd4d01f4b | A batch file used to copy and run the files that disable AV protection. |
disableAV.bat | cc16267ba6bb49149183b6de2980824b8b4d5d1456fed51b6c5fd9099a904b50 | A batch file used to copy and run the files that disable the AV protection. The only difference with the previous one is that this file uses the “copy” command instead of “xcopy”. |
2JSqT5dzNXW.exe | d9a24f5c62928dd9f5900b4a9d8ce9e09b73509bc75537c223532ebf8c22e76d | An executable that loads a malicious driver (aSCGa.sys) and issues commands to it. |
aSCGa.sys | 9d3a9b9875175acfa8caabbb773e0723b83735a89969c581c0dfd846476378a5 | A malicious driver that is used to disable the AV protection. |
PSEXESVC.exe psexec.exe PsExec.exe | cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b | Three variants of a lightweight Telnet replacement tool from Microsoft that allows executing processes on remote systems. The tool is part of Microsoft’s Sysinternals Suite; bad actors typically use it for lateral movement. |
smbexec.exe | 5d2f77971ffe4bab08904e58c8d0c5ba2eefefa414599ebac72092e833f86537 | A variant of the smbexec.py tool (part of the Impacket Python suite) compiled as a PE executable. This tool is often used by bad actors for lateral movement. |
amd64.exe | 7539bd88d9bb42d280673b573fc0f5783f32db559c564b95ae33d720d9034f5a | This executable encrypts the victim’s filesystem. It can also stop virtual machines and encrypt remote systems (potentially using external tools, such as psexec and smbexec). |
These files were used as shown in the figure below, for TA0005 – Defense Evasion, TA0008 – Lateral Movement and TA0040 – Impact.
Since the files used for lateral movement are already very well-known, we focus in this section on the analysis of the files used for defense evasion and in the next section on the encryptor file used for impact.
Both batch files (disableAV.bat) were used to copy 2JSqT5dzNXW.exe and aSCGa.sys from a local IP address (likely the first compromised machine) and to run the former file. Here are the contents of one of the batch files (the only difference between them is that one uses the “copy” command, while the other uses “xcopy”):
STONESTOP and POORTRY were used by the SCATTERED SPIDER cybercriminal group (tracked as UNC3944 by Mandiant) for stopping AV and EDR software. SCATTERED SPIDER is a group that has reportedly deployed the ALPHV ransomware in many cases in the past.
The samples we obtained have a few differences from the samples described by Sophos and Mandiant – but there are many similarities.
STONESTOP appears to be packed with UPX. However, a closer look at the binary suggests a custom packer. After unpacking the sample, we could understand how it controls POORTRY:
- It creates a copy of the POORTRY sample (aSCGa.sys) in the TEMP folder of the current user and loads it as a service. Note that this requires administrator privileges, which suggests that it is done after the local administrator account has been compromised. The sample contains no privilege escalation exploits.
- Next, the executable sends a specific IOCTL, 0x222088, to POORTRY. This IOCTL is the way STONESTOP authenticates with POORTRY: in this case, the driver expects the hardcoded string “ED AD FG HG GF TR SY UT GH NG GT”. If POORTRY receives this string along with this IOCTL, it will execute its other functionality when specific IOCTLs are subsequently sent from the userland executable. Otherwise, those IOCTL requests are ignored.
- Finally, our variant of STONESTOP instructs POORTRY to recursively delete all files within the installation folder of the Kaspersky AV solution. It then enters an infinite loop in which it periodically instructs POORTRY to find processes related to AV software and kill them. In our sample, these were Kaspersky and Windows Defender:
As the analysis shows, the attackers were targeting different AV and EDR solutions. It appears that they create a new executable for each of their victims, customizing it according to the AV and EDR solutions present. STONESTOP and POORTRY are heavily obfuscated. Both use some form of string and control-flow-graph obfuscation. For example, POORTRY uses Microsoft Control Flow Guard, among other things, while STONESTOP contains self-rewriting code.
A full analysis would take significant time. What we noticed, however, is that this seems to be the next iteration of the POORTRY variant described by Sophos:
- It uses a simple authentication message, instead of a full handshake.
- A different “legitimate” certificate is used to sign the binary.
- It contains a subset of the IOCTL values described previously, but it also has some new functionality. Some IOCTLs may have been missed in our analysis:
IOCTL | Functionality |
---|---|
0x222088 | Authenticate STONESTOP with POORTRY. |
0x222184 | Delete a file from the filesystem. |
0x222094 | Kill a running process. |
0x22218c | Overwrite a file (appears to be unused in our STONESTOP sample). |
0x22208c | ??? (appears to be unused in our STONESTOP sample). |
0x222188 | ??? (appears to be unused in our STONESTOP sample). |
0x222190 | ??? (appears to be unused in our STONESTOP sample). |
0x2221c4 | ??? (appears to be unused in our STONESTOP sample). |
0x2221c8 | ??? (appears to be unused in our STONESTOP sample). |
0x222264 | ??? (appears to be unused in our STONESTOP sample). |
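The control codes in the table are ordinary Windows CTL_CODE values, and splitting them into their fields tells an analyst something about the driver's interface before any reversing is done. The Python below is an added illustration, not part of Forescout's analysis: the per-IOCTL descriptions are copied from the table (with "unknown" where the table has "???"), and the bit layout is the CTL_CODE macro from the Windows DDK.

```python
"""Decode the POORTRY control codes into their Windows CTL_CODE components.

Added example, not part of the original analysis. The per-IOCTL descriptions
are copied from the table above ("unknown" where the table has "???"); the
bit layout is the CTL_CODE macro from the Windows DDK:
    CTL_CODE(DeviceType, Function, Method, Access) =
        (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
"""

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}
FILE_DEVICE_UNKNOWN = 0x22   # device type commonly used by third-party drivers
OEM_FUNCTION_BASE = 0x800    # function numbers below this are reserved for Microsoft

# Functionality as reported in the table above.
POORTRY_IOCTLS = {
    0x222088: "authenticate STONESTOP with POORTRY",
    0x222184: "delete a file from the filesystem",
    0x222094: "kill a running process",
    0x22218C: "overwrite a file (unused in the sample)",
    0x22208C: "unknown", 0x222188: "unknown", 0x222190: "unknown",
    0x2221C4: "unknown", 0x2221C8: "unknown", 0x222264: "unknown",
}


def ctl_code(device_type, function, method, access):
    """Build an IOCTL exactly as the CTL_CODE macro does."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split an IOCTL into its four fields (inverse of ctl_code)."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


def describe_ioctl(code):
    """Human-readable breakdown of one control code for an analyst's notes."""
    f = decode_ioctl(code)
    device = ("FILE_DEVICE_UNKNOWN" if f["device_type"] == FILE_DEVICE_UNKNOWN
              else hex(f["device_type"]))
    vendor = ("OEM range" if f["function"] >= OEM_FUNCTION_BASE
              else "Microsoft-reserved range")
    return (f"{code:#08x}: device={device} function={f['function']:#x} ({vendor}) "
            f"method={METHODS[f['method']]} access={ACCESS[f['access']]}")


def poortry_function_map():
    """Map each table entry's 12-bit function number to its description."""
    return {decode_ioctl(c)["function"]: desc for c, desc in POORTRY_IOCTLS.items()}


if __name__ == "__main__":
    for code, desc in POORTRY_IOCTLS.items():
        print(describe_ioctl(code), "->", desc)
```

All ten codes decode to device type FILE_DEVICE_UNKNOWN, METHOD_BUFFERED and FILE_ANY_ACCESS, with function numbers in the OEM range (0x822 to 0x899, clustered around 0x82x, 0x86x and 0x87x). That is the shape one expects of a custom driver whose whole interface is vendor-defined, and the function-number map is a convenient index when stepping through the driver's IRP_MJ_DEVICE_CONTROL dispatch routine.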
This new variant of POORTRY masquerades as the Internet Download Manager TDI driver from Tonec Inc.:
The driver is signed with a valid certificate from “Shanghai Yikaoda Information Consulting Co., Ltd.”, but the certificate expired in 2016. It appears the attackers used a stolen certificate. We could not find any information about this company online, so the certificate may be forged.
Analysis of the encryptor and similarities with ALPHV
The file amd64.exe (7539bd88d9bb42d280673b573fc0f5783f32db559c564b95ae33d720d9034f5a) is a filesystem encryptor that has several capabilities, such as:
- Selective encryption: only process files within a specific path, or encrypt only local disks
- Selective propagation: only process specific SMB hosts
- Run in Safe Mode
The sample is packed (likely with VMProtect plus some custom packing), but it is not virtualized. It is developed in Golang, but all symbol information was stripped from the binary. Additionally, the authors used the gobfuscate tool (https://github.com/unixpickle/gobfuscate).
All these countermeasures make static analysis extremely difficult. The authors prevent dynamic analysis by protecting the encryptor config with a 32-byte passphrase. The cryptographic algorithm used appears to be ChaCha20-Poly1305. Since we did not have the required passphrase, we could not decrypt the config and analyze the sample further. Despite the obfuscation, several interesting strings were present in the binary, for example parts of the JSON config:
The JSON config contains quite a few similarities to the ALPHV ransomware that we analyzed in the past. We also noticed a few sentences in the ransom note that appear to be copied from the ALPHV sample mentioned by CISA:
However, this is where the most obvious similarities end. The ALPHV encryptor sample that we analyzed earlier plus a few additional samples were written in Rust, not Golang.
There are also additional obfuscation measures present in the RansomHub sample not previously seen in ALPHV. Yet, while there are significant differences between the present encryptor sample and the ALPHV samples dissected in previous research, the current sample may be the next step in the evolution of ALPHV.
There are plenty of similarities in configuration parameters. They all require a strong passphrase to decrypt an embedded config. The present sample – just like the ALPHV samples we have seen before – appears to have functionality to stop virtual machines present in the victim’s environment.
Is RansomHub a rebrand of ALPHV?
The timing of ALPHV’s disappearance and RansomHub’s appearance, with a new affiliate prepayment model, is very close. This leads many researchers to suspect that RansomHub could be just a rebrand of ALPHV and all the “Notchy”/Change Healthcare drama could be staged.
This would not be the first rebrand of a major ransomware group after a massive attack. ALPHV itself appeared in November 2021 as a rebrand of DarkSide (the group responsible for the Colonial Pipeline hack) and BlackMatter.
In the incident we observed, the actors used variations of the same tools (STONESTOP and POORTRY) known to have been used by SCATTERED SPIDER to deploy ALPHV in the past. However, the technical analysis of the RansomHub encryptor shows that it is significantly different from the ALPHV encryptor used until very recently. Although it bears many similarities, such as modes of operation, strings in config files and ransom notes, these similarities are now common to several ransomware families.
From this one isolated incident it is difficult to conclude whether RansomHub is a rebrand of ALPHV or a ‘spiritual successor’ taking many of the former group’s affiliates. Regardless of the specific tools used in an attack or the affiliate that perpetrates it, the good news for defenders is that most ransomware incidents boil down to the same TTPs.
Mitigation guidance
Basic cyber hygiene recommendations are still effective against these ransomware TTPs. These recommendations are detailed on CISA’s Stop Ransomware project page, especially in its ransomware guide, and include:
- Identifying and patching vulnerable devices in your network
- Segmenting the network to avoid spreading an infection
- Monitoring network traffic to detect signs of intrusion, lateral movement or payload execution
Forescout Threat Detection & Response has dedicated rules for ransomware. It collects telemetry and logs from a wide range of sources, such as security tools, applications and other enrichment sources, correlates attack signals to generate high-fidelity threats for analyst investigation, and enables automated response actions across the enterprise.
The figure below describes the “Ransomware Attack Detection” rule, which triggers on events such as the detection of known ransomware artifacts, the deletion or modification of shadow copies using PowerShell, or the encryption of files.
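To make the detection signals above concrete, the Python below is an added example, not Forescout's rule or any product's schema. It applies three signals named in this post to a handful of constructed Windows events: a kernel driver installed as a service from a user's TEMP folder (how STONESTOP loads POORTRY), shadow copy deletion via PowerShell or the command line, and execution of a known artifact matched by the SHA-256 hashes from the indicators-of-compromise list. Event ID 7045 (service installed), Event ID 4104 (PowerShell script block logging) and Sysmon Event ID 1 (process creation) are real Windows log sources, but the flat dictionary layout, the field names and the sample events themselves are assumptions of this example.

```python
"""Triage constructed Windows event records for the ransomware TTPs in this post.

Added example, not Forescout's detection rule. Event IDs 7045, 4104 and
Sysmon 1 are real sources; the dict layout, field names and sample events
are assumptions of this example.
"""
import re

# SHA-256 hashes taken from the indicators-of-compromise list in this post.
KNOWN_ARTIFACTS = {
    "813f54d9053d91a46d9ec3381a2283f3ed8274a976e34fc795c5239fd4d01f4b",  # disableAV.bat
    "d9a24f5c62928dd9f5900b4a9d8ce9e09b73509bc75537c223532ebf8c22e76d",  # STONESTOP loader
    "9d3a9b9875175acfa8caabbb773e0723b83735a89969c581c0dfd846476378a5",  # POORTRY driver
    "7539bd88d9bb42d280673b573fc0f5783f32db559c564b95ae33d720d9034f5a",  # amd64.exe encryptor
}

# A .sys file under any user's AppData\Local\Temp, matching STONESTOP's loading behaviour.
TEMP_DRIVER_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\.*\.sys$", re.I)
# Common shadow-copy deletion patterns (vssadmin, the WMI class, wmic).
SHADOW_COPY_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|win32_shadowcopy|wmic\s+shadowcopy\s+delete", re.I)


def sha256_from_hashes(hashes_field):
    """Extract the SHA256 value from a Sysmon-style 'MD5=..,SHA256=..' field."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def check_event(ev):
    """Return [(rule_name, detail), ...] for a single event dict."""
    findings = []
    eid = ev.get("EventID")
    if eid == 7045:  # System log: a new service was installed
        path = ev.get("ImagePath", "").strip('"')
        if TEMP_DRIVER_RE.search(path):
            findings.append(("driver_from_user_temp", path))
        if ev.get("ServiceName", "").upper() == "PSEXESVC":
            findings.append(("psexec_service_installed", path))
    elif eid == 4104:  # PowerShell script block logging
        text = ev.get("ScriptBlockText", "")
        if SHADOW_COPY_RE.search(text):
            findings.append(("shadow_copy_tampering", text))
    elif eid == 1:  # Sysmon process creation
        cmd = ev.get("CommandLine", "")
        if SHADOW_COPY_RE.search(cmd):
            findings.append(("shadow_copy_tampering", cmd))
        sha = sha256_from_hashes(ev.get("Hashes", ""))
        if sha in KNOWN_ARTIFACTS:
            findings.append(("known_ransomware_artifact", sha))
    return findings


def triage(events):
    """Group findings per host so the defense-evasion -> impact chain is visible."""
    by_host = {}
    for ev in events:
        for finding in check_event(ev):
            by_host.setdefault(ev.get("Host", "unknown"), []).append(finding)
    return by_host


# Constructed sample events (not real telemetry from the incident).
SAMPLE_EVENTS = [
    {"Host": "WS01", "EventID": 7045, "ServiceName": "aSCGa", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Users\admin\AppData\Local\Temp\aSCGa.sys"},
    {"Host": "WS01", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"C:\Windows\PSEXESVC.exe"},
    {"Host": "WS01", "EventID": 4104,
     "ScriptBlockText": "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
    {"Host": "WS02", "EventID": 1, "Image": r"C:\share\amd64.exe", "CommandLine": "amd64.exe",
     "Hashes": "MD5=" + "0" * 32
               + ",SHA256=7539bd88d9bb42d280673b573fc0f5783f32db559c564b95ae33d720d9034f5a"},
    {"Host": "WS02", "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "Hashes": "MD5=" + "0" * 32 + ",SHA256=" + "0" * 64},
    {"Host": "WS03", "EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        for rule, detail in findings:
            print(f"{host}: {rule}: {detail}")
```

Grouping by host is deliberate: a driver loaded from a user's TEMP folder followed by a PsExec service and shadow copy deletion on the same machine is the defense-evasion, lateral-movement and impact sequence described in this post, and it is far more telling together than any single hit. The benign Spooler service and the unknown-hash notepad launch produce no findings, which is the baseline a rule like this has to keep.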
Indicators of compromise
The indicators of compromise below are also available on Forescout Vedere Labs’ threat feed:
- 813f54d9053d91a46d9ec3381a2283f3ed8274a976e34fc795c5239fd4d01f4b – bat
- cc16267ba6bb49149183b6de2980824b8b4d5d1456fed51b6c5fd9099a904b50 – bat
- d9a24f5c62928dd9f5900b4a9d8ce9e09b73509bc75537c223532ebf8c22e76d – exe
- 9d3a9b9875175acfa8caabbb773e0723b83735a89969c581c0dfd846476378a5 – sys
- cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e – exe
- a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4 – exe
- 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b – exe
- 5d2f77971ffe4bab08904e58c8d0c5ba2eefefa414599ebac72092e833f86537 – exe
- 7539bd88d9bb42d280673b573fc0f5783f32db559c564b95ae33d720d9034f5a – amd64.exe
- 9667288503bc26ed9e957050f7e87929f1a7931e8b21797180b68de22a430411 – certificate used to sign POORTRY