Secrets Behind Ever101 Ransomware

A victim called the incident response teams of Global Threat Center, reporting a seemingly new strain of ransomware. Upon investigation, we determined that the extension of the encrypted files was certainly new, but the malware displayed significant similarities with several ransomware families — a combination that made attribution an interesting and difficult riddle. The attack’s signature was a Music folder containing an arsenal of tools, which the malware dropped and executed on each of the encrypted machines.

Throughout our investigation, we focused primarily on the toolset used by the threat actor, in order to build an in-depth profile of the incident in hopes of making an attribution. While many of the tools used by the threat actor were not custom, we were still able to assemble a temporary portfolio of tactics, techniques, and procedures (TTPs), which pointed us to potential links to a few existing ransomware groups with similar TTPs. This portfolio was particularly helpful during the negotiation process, as it let us gain vital information, such as an assessment of the threat actor’s reliability in providing a working decryption tool. In fact, during the negotiation, the attackers offered a video documenting the decryption process, which also revealed they used free software from BandiCam and WinRAR, in what seems to be Arabic.

The ransomware used the extension “.ever101” and the CryptoPP8 library (an inbuilt C++ library) for encryption. It uses Salsa20 to encrypt file data and RSA-2048 to encrypt file keys. We confirmed many — but not all — of the tools in the arsenal. Because they were encrypted during the attack, we had little hope of discovering their origin. We were able to establish that the EVER101 ransomware is almost identical to a number of ransomware families, such as CURATOR and Paymen45, both of which are believed to have been developed by the EverBe group. Our hypothesis is that this ransomware was built with a “Ransomware-as-a-Service” builder, rather than being fully developed by the threat actor or group, whose identity and location remain unknown.

During our investigation of the bitcoin movement related to the attack, we discovered a transfer of approximately US$600 to a platform of massage providers across major cities in the United States. This gave us a specific lead to the threat actors, and we developed potential explanations for this questionable transfer.

Full report is available here