## Avaddon ransomware: an in-depth analysis and decryption of infected systems

Javier Yuste (a, ∗), Sergio Pastrana (b)

_a Universidad Rey Juan Carlos, Madrid_
_b Universidad Carlos III, Madrid_

### Abstract

This modus operandi disrupts legitimate businesses, which may become unavailable until the data is restored, thus

### Keywords:

### 1. Introduction

∗ Corresponding author. Email address: javier.yuste@urjc.es (Javier Yuste)

initiated by a threat actor named TWISTED SPIDER in

somware which is to publicly ‘blame and shame’ victims

been leaked and exposed online¹. In addition, Avaddon

¹ For ethical and legal reasons, we have not downloaded nor checked the veracity of the exposed data, since otherwise this would cause additional harm to users, and such analysis is not of public interest for the community [16].

their modus operandi is similar. As a result of our

### 2. Background and related work

#### 2.1. The ransomware threat

stance, Huang et al. were able to track over $16 million

be split in 8 stages [26]: fingerprint, propagate, communicate, map, encrypt, lock, delete and threaten. Kharaz et al. focused the detection on common tasks performed by

#### 2.2. The ecosystem of Avaddon

Avaddon² is a ransomware that was offered as an affil
promoted on other underground forums afterwards.³ Ac

² The name of the ransomware, Avaddon, may be derived from the Hebrew term Abaddon, the name of an angel of the abyss in the Bible, mainly associated with the meaning of “destruction” [18].

³ Due to ethical reasons, and to avoid promoting the site, we do not provide the name of the forums.

ities and modus operandi. However, no decryption option

### 3. Ransomware analysis

Ninja⁴, x64dbg⁵ and Pestudio⁶) and a virtual machine
ronment on top of VirtualBox⁷ and install Windows 7 x64
The analyzed binary (MD5: c9ec0d9ff44f445ce5614cc87398b38d) is a Portable Executable (PE) file.
⁴ https://binary.ninja/
⁵ https://x64dbg.com/
⁶ https://www.winitor.com/
⁷ https://www.virtualbox.org/

#### 3.1. Packing protections

#### 3.2. Imported functions

(e.g., CryptGenKey or CryptEncrypt), persistence (e.g., RegCreateKeyW, StartServiceW), anti-analysis (e.g., IsDebuggerPresent) or activity control (e.g., DeleteService or TerminateProcess).

#### 3.3. Strings

to folders or files (e.g., “C:\Temp”). While we initially can
(i.e., “Microsoft Enhanced Cryptographic Provider v1.0” and “Microsoft Enhanced RSA and AES Cryptographic Provider”). These strings are normally used to acquire
banal et al. [44].

Algorithm 1: One of the functions responsible

```asm
0x4012a0: push 0x30           // Size of the encrypted string
0x4012a2: push 0x49e180       // Encrypted string
0x4012a7: mov ecx, 0x4f8a28   // Global variable
0x4012ac: call 0x40a390       // Creates a global variable at ecx (0x4f8a28 in this case) with the string stored at the value previously pushed (0x49e180 in this case)
0x4012b1: push 0x4874a0       // Destructor
0x4012b6: call _atexit        // Register the destructor function to be called when the process ends
0x4012bb: pop ecx
0x4012bc: retn
```

```
CommandLine = DecryptString(GlobalVariable);
CreateProcess(CommandLine);
```

Algorithm 2: Decryption of a global variable

```asm
0x40d110: mov edx, 0x4f8a28     // Global variable that contains an encrypted string
0x40d115: lea ecx, [esp+0x8]    // Local variable that will hold the decrypted string
0x40d119: call decrypt_string   // Decrypts the string at edx (the global variable) and stores the result in ecx (the local variable)
0x40d11e: push eax              // eax now contains the decrypted string (it is equal to [esp+0x8], the local variable) which, in this case, is a command line
0x40d11f: call create_process   // Creates a process with the command line received as argument
```
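Section 3.3 describes strings that live obfuscated in global variables and are decoded only when used (Algorithms 1 and 2); the per-character step that Algorithm 3 lists is a subtraction of 2 followed by a XOR with 0x43. As an added example, not the paper's code nor the AvaddonDecryptor scripts, the following Python applies that transform to a whole buffer, with the inverse used only to build a constructed sample; the sample plaintext is one of the CSP names quoted in Section 3.3 and is chosen for illustration, not recovered from the binary.

```python
from typing import Optional

SUB_CONST = 0x02  # "sub al, 0x2" in Algorithm 3
XOR_CONST = 0x43  # "xor al, 0x43" in Algorithm 3


def decode_char(c: int) -> int:
    """One iteration of Algorithm 3 on a single byte. al is 8 bits wide, so the
    subtraction wraps modulo 256 exactly like the x86 instruction does."""
    return ((c - SUB_CONST) & 0xFF) ^ XOR_CONST


def decode_string(blob: bytes, size: Optional[int] = None) -> bytes:
    """Decode an obfuscated global string. `size` mirrors the length pushed
    ahead of the string pointer by the initialiser in Algorithm 1 (0x30 there);
    when omitted the whole buffer is processed."""
    data = blob if size is None else blob[:size]
    return bytes(decode_char(c) for c in data)


def encode_string(plain: bytes) -> bytes:
    """Inverse transform (xor 0x43, then add 2 modulo 256). Used here only to
    build test data; the binary itself does not expose such a routine."""
    return bytes(((c ^ XOR_CONST) + SUB_CONST) & 0xFF for c in plain)


def looks_like_text(data: bytes) -> bool:
    """Triage heuristic for candidate buffers: keep a result only if every byte
    (ignoring a trailing NUL terminator) is printable ASCII."""
    body = data.rstrip(b"\x00")
    return len(body) > 0 and all(0x20 <= c < 0x7F for c in body)


# Constructed sample: the plaintext is one of the CSP names Section 3.3 quotes,
# obfuscated with the inverse transform above; these are not bytes from the binary.
SAMPLE_PLAINTEXT = b"Microsoft Enhanced RSA and AES Cryptographic Provider\x00"
SAMPLE_ENCODED = encode_string(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    recovered = decode_string(SAMPLE_ENCODED, len(SAMPLE_ENCODED))
    print(recovered.rstrip(b"\x00").decode("ascii"), looks_like_text(recovered))
```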
Algorithm 3: Characters decryption

```asm
0x40c820: mov al, byte [esi]           // Move the current character to al (the lower 8 bits of eax)
0x40c822: mov edx, dword [ebp-0x1c]
0x40c825: sub al, 0x2                  // Subtract two units from the character
0x40c827: mov edi, dword [ebp-0x18]
0x40c82a: xor al, 0x43                 // XOR the result with 0x43
0x40c82c: mov byte [ebp-0x30], al
0x40c82f: cmp edx, edi
0x40c831: jae 0x40c84d
```

automates these tasks using the Binary Ninja tool in our public repository⁸.

⁸ https://github.com/JavierYuste/AvaddonDecryptor

#### 3.4. Anti-analysis techniques

String obfuscation. As mentioned in prior sections,

Anti-debugging. We found a call to IsDebuggerPresent at offset 0x42e03d. Debuggers are programs designed
ticular, IsDebuggerPresent is a function provided by the

1. Hook the call to IsDebuggerPresent so it always re

When a call to IsDebuggerPresent is made, it re
that may parse the PEB (i.e., not using IsDebuggerPresent), we decided to implement the second option.

#### 3.5. Language checks

#### 3.6. Privilege escalation

1. `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` `EnableLUA=0` (disables the “administrator in Admin Approval
2. `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` `ConsentPromptBehaviorAdmin=0` (this option allows the Con
3. `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` `EnableLinkedConnections=1` (makes user mapped drives

is “{3E5FC7F9-9A51-4367-9063-A120244FBEC7}”, the value “{6EDD6D74-C007-4E75-B76A-E5740995E24C}”. For the rest of this section, we refer to it as
value “Elevation:Administrator!new:”.
string is built by concatenating “Elevation:Administrator!new:” and CLSID_CMSTPLUA.
5. Next, the execution calls the function CoGetObject

```
CoGetObject(“Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}”, 0x24, &IID_ICMLuaUtil, &CMLuaUtil)
```

named ShellExec (CMLuaUtil->lpVtbl->ShellExec).
file (via a call to GetModuleFileNameW) the binary
ing ShellExec with the following parameters:

```
ShellExec(CMLuaUtil, “C:\[...]\sample.exe”, [...])
```

#### 3.7. Persistence and infection tracking

- `HKU\S-1-5-21-2724635997-1903860598-4104301868-1000\Software\Microsoft\Windows\CurrentVersion\Run\update: "C:\Users\%UserProfile%\AppData\Roaming\%sample%.exe"`
- `HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update: "C:\Users\%UserProfile%\AppData\Roaming\%sample%.exe"`

sample is dropped at runtime in `"C:\Users\%UserProfile%\AppData\Roaming\%sample%.exe"`, where “%sample%”
more than once, a mutex is created with the value {2A0E9C7B-6BE8-4306-9F73-1057003F605B}. If this mutex is

#### 3.8. Process and service manipulation

#### 3.9. Key generation

Public key import. The function at 0x413600 is responsi
calling the Windows API function CryptImportKey with

```
CryptImportKey(hProv: CSP, pbData: Key to be imported, dwDataLen: Length of the key, hPubKey: 0, dwFlags: 0, phKey: Handle to the imported key after the call)
```

parameter hPubKey must be equal to 0 when the key to be imported is a public key (a PUBLICKEYBLOB object).

Generated key. After importing the public key, a random
CryptGenKey, with the following parameters:

```
CryptGenKey(hProv: CSP, Algid: CALG_AES_256, dwFlags: CRYPT_EXPORTABLE, phKey: Handle to the generated key after the call)
```

The parameter Algid indicates that the generated key

Keys destruction. Finally, the function located at 0x413f50
#### 3.10. File encryption

- `wmic.exe SHADOWCOPY /nointeractive`
- `wbadmin DELETE SYSTEMSTATEBACKUP`
- `wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest`
- `bcdedit.exe /set {default} recoveryenabled No`
- `bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures`
- `vssadmin.exe Delete Shadows /All /Quiet`

Windows API function SHEmptyRecycleBinW.

path is encrypted (i.e., `C:\\*`). Finally, shared folders and mapped volumes are enumerated and encrypted (e.g., `D:\\*`, `Y:\\*`, or `\\VBoxSvr\\shared_folder\\*`). There

1. `C:\\Program Files\\Microsoft\\Exchange Server\\*`
2. `C:\\Program Files (x86)\\Microsoft\\Exchange Server\\*`
3. `C:\\Program Files\\Microsoft SQL Server\\*`
4. `C:\\Program Files (x86)\\Microsoft SQL Server\\*`
5. `C:\\*`

1. Strings from a whitelist.
2. File extensions. The extension of the file is checked.
   the following: bin, ini, sys, dll, lnk, dat, exe, drv, rdp, prf, swp, mdf, mds and sql.
3. Prevent re-encryption. The third test checks if

are encrypted. This is due to the last call to SetFilePointerEx, which sets the file pointer to the end of the file (line
the parameter Final (line 15) in the call to the encryption routine is always set to False. This parameter should be True if the block to encrypt is the last block of the file.
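The command lines listed in Section 3.10 are the observable that a defender can alert on before encryption starts. As an added example (not the paper's code nor part of AvaddonDecryptor), the following Python evaluates one rule per listed command over constructed process-creation records and then groups hits by parent process, since one parent issuing several of these commands in a row is a far stronger signal than any single one; the record fields (pid, ppid, command_line) are an assumption modelled on typical endpoint telemetry, not a specific product's schema.

```python
import re
from collections import defaultdict
from typing import Dict, List

# (rule name, pattern): case-insensitive, tolerant of paths, quoting and spacing.
RULES = [
    ("wmic_shadowcopy",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b", re.I)),
    ("wbadmin_delete_systemstatebackup",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+systemstatebackup\b", re.I)),
    ("bcdedit_recoveryenabled_no",
     re.compile(r"\bbcdedit(\.exe)?\b.*\{default\}.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_bootstatuspolicy_ignoreallfailures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\{default\}.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("vssadmin_delete_shadows_all",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b.*/all\b", re.I)),
]


def match_rules(command_line: str) -> List[str]:
    """Names of every rule that fires on a single command line."""
    return [name for name, pat in RULES if pat.search(command_line)]


def scan(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """One finding per record whose command line matches at least one rule."""
    findings = []
    for rec in records:
        hits = match_rules(rec.get("command_line", ""))
        if hits:
            findings.append({"pid": rec["pid"], "ppid": rec["ppid"],
                             "command_line": rec["command_line"], "rules": hits})
    return findings


def suspicious_parents(records: List[Dict[str, str]], min_rules: int = 3) -> Dict[str, List[str]]:
    """Group hits by parent pid and keep parents that triggered at least
    `min_rules` distinct rules. Admins do run some of these commands on their
    own, so the threshold is what separates routine maintenance from the
    burst Section 3.10 describes."""
    by_parent = defaultdict(set)
    for finding in scan(records):
        by_parent[finding["ppid"]].update(finding["rules"])
    return {ppid: sorted(rules) for ppid, rules in by_parent.items() if len(rules) >= min_rules}


# Constructed telemetry: pids and paths are invented for illustration.
SAMPLE_RECORDS = [
    {"pid": "1201", "ppid": "1180", "command_line": "wmic.exe SHADOWCOPY /nointeractive"},
    {"pid": "1202", "ppid": "1180", "command_line": "wbadmin DELETE SYSTEMSTATEBACKUP"},
    {"pid": "1203", "ppid": "1180", "command_line": "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"},
    {"pid": "1204", "ppid": "1180", "command_line": "bcdedit.exe /set {default} recoveryenabled No"},
    {"pid": "1205", "ppid": "1180", "command_line": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": "1206", "ppid": "1180", "command_line": '"C:\\Windows\\System32\\vssadmin.exe" Delete Shadows /All /Quiet'},
    # Routine administrative activity from another parent: must not be flagged.
    {"pid": "2310", "ppid": "2290", "command_line": "vssadmin.exe list shadows"},
    {"pid": "2311", "ppid": "2290", "command_line": "bcdedit /enum"},
    {"pid": "2312", "ppid": "2290", "command_line": "wbadmin get versions"},
]

if __name__ == "__main__":
    for ppid, rules in suspicious_parents(SAMPLE_RECORDS).items():
        print(f"parent pid {ppid}: {', '.join(rules)}")
```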
### 4. Decryption of infected systems

Algorithm 4: Function responsible for encrypt
Input: File, the file to be encrypted; Key, a duplicate of the AES256 key

```
1   buffer_size ← CryptEncrypt(hKey: Key, Final:
2   file_size ← GetFileSizeEx(hFile: File);
3   file_pointer ← 0;
4   do
5       bytes_read, number_of_bytes_read ← ReadFile(hFile: File, offset: file_pointer,
6       i ← 0;
7       do
8           bytes_to_encrypt ← bytes_read[i:i+0x2000];   // The file is encrypted in blocks of 0x2000 bytes
9           encrypted_bytes ← CryptEncrypt(hKey: Key, Final: False, pbData: bytes_to_encrypt);
10          WriteFile(hFile: File, lpBuffer: encrypted_bytes);
11          i = i + 0x2000;
12      while i ≤ number_of_bytes_read - 0x2000;
13      if number_of_bytes_read - i < 0x2000 then
14          bytes_to_encrypt ← bytes_read[i:];
15          encrypted_bytes ← CryptEncrypt(hKey: Key, Final: False, pbData: bytes_to_encrypt);
16          WriteFile(hFile: File, lpBuffer: encrypted_bytes);
17      end
18      file_pointer ← SetFilePointerEx(hFile: File, liDistanceToMove: 0, dwMoveMethod: FILE_END);   // This call sets the file pointer to the end of the file. This is done to stop processing more bytes from the file
19  while number_of_bytes_read ≥ 0x100000 && file_pointer < file_size;
20  WriteFile(hFile: File, lpBuffer: VictimID);   // The Victim ID is written to the end of the file
21  signature ← GetSignature();
22  WriteFile(hFile: File, lpBuffer: signature);   // The signature is also written at the end
```

the Windows API. The eleventh field, hCryptProv, points
CryptAcquireContext or a similar function). Finally, the

The key_data_s structure contains three fields whose

- alg contains the algorithm ID of the algorithm for
- flags contains the value of the flags parameter passed in the call to CryptGenKey at 0x48f024.
Therefore,
- key_size, as its name hints, contains the size of the

shown in Algorithm 4, the Final parameter in the CryptEncrypt calls was never set to True. According to the documentation, this parameter should be True when the
CryptDecrypt.

https://github.com/JavierYuste/AvaddonDecryptor.

### 5. Experimentation

nals suite⁹. Note that we can freely drop executable files in the system before stopping Avaddon, since the exe ex

⁹ https://docs.microsoft.com/en-us/sysinternals/

Table 1: Results of the experimentation in a virtual environment.

### 6. Conclusions

present. Indeed, the modus operandi of Avaddon, that we

### Acknowledgements

### References

[1] The Council of Economic Advisers, The Cost of Malicious Cyber Activity to the U.S. Economy, https://www.whitehouse.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf, [Online; accessed 28-September-2020] (February 2018).
[2] B. Collier, R. Clayton, A. Hutchings, D. Thomas, Cybercrime is (often) boring: maintaining the infrastructure of cybercrime economies, Workshop on the Economics of Information Security (WEIS), 2020. Conference date: 14–15 December 2020.
[3] National Intelligence Officer, A Guide to Cyber Attribution, https://www.dni.gov/files/CTIIC/documents/ODNI_A_Guide_to_Cyber_Attribution.pdf, [Online; accessed 09-October-2020] (September 2018).
[4] Infosec, The Attribution Problem in Cyber Attacks, https://resources.infosecinstitute.com/attribution-problem-in-cyber-attacks/, [Online; accessed 09-October-2020] (February 2013).
[5] K. Huang, M. Siegel, S. Madnick, Systematically understanding the cyber attack business: A survey, 51 (4).
[6] S. Pastrana, A. Hutchings, A. Caines, P. Buttery, Characterizing Eve: Analysing cybercrime actors in a large underground forum, in: International Symposium on Research in Attacks, Intrusions, and Defenses, Springer, 2018, pp. 207–227.
[7] PandaLabs, PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018, https://www.pandasecurity.com/mediacenter/pandalabs/annual-report-cybersecurity-predictions-2018/, [Online; accessed 28-September-2020] (November 2017).
[8] R. Van Wegberg, S. Tajalizadehkhoob, K. Soska, U. Akyazi, C. H. Ganan, B. Klievink, N. Christin, M. Van Eeten, Plug and prey? Measuring the commoditization of cybercrime via online anonymous markets, in: 27th USENIX Security Symposium (USENIX Security 18), 2018, pp. 1009–1026.
[9] A. Auld, What’s behind the increase in ransomware attacks this year?, https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html, [Online; accessed 03-October-2020] (2020).
[10] S. Ghafur, S. Kristensen, K. Honeyford, G. Martin, A. Darzi, P. Aylin, A retrospective impact analysis of the WannaCry cyberattack on the NHS, NPJ Digital Medicine 2 (1) (2019) 1–7.
[11] The CrowdStrike Intel Team, Double Trouble: Ransomware with Data Leak Extortion, Part 1, https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/, [Online; accessed 28-September-2020] (September 2020).
[12] Panda Security, Ransomware has a new trick: pay up or suffer a data breach, https://www.pandasecurity.com/mediacenter/security/ransomware-data-breach-blackmail/, [Online; accessed 28-September-2020] (March 2020).
[13] C. Cimpanu, Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites, https://www.zdnet.com/article/conti-ryuk-joins-the-ranks-of-ransomware-gangs-operating-data-leak-sites/, [Online; accessed 28-September-2020] (August 2020).
[14] M. J. Schwartz, Ransomware + Exfiltration + Leaks = Data Breach, https://www.bankinfosecurity.com/blogs/ransomware-exfiltration-leaks-data-breach-p-2913, [Online; accessed 28-September-2020] (July 2020).
[15] Intel471, Ransomware-as-a-service: The pandemic within a pandemic, https://intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/, [Online; accessed 18-December-2020] (2020).
[16] D. R. Thomas, S. Pastrana, A. Hutchings, R. Clayton, A. R. Beresford, Ethical issues in research using datasets of illicit origin, in: Proceedings of the 2017 Internet Measurement Conference, IMC ’17, Association for Computing Machinery, New York, NY, USA, 2017, pp. 445–462. doi:10.1145/3131365.3131389. https://doi.org/10.1145/3131365.3131389
[17] S. Tripathi, Avaddon Ransomware, https://www.subexsecure.com/pdf/malware-reports/June-2020/Avaddon_Ransomware.pdf, [Online; accessed 22-September-2020] (June 2020).
[18] A. Ivanov, Avaddon Ransomware, https://id-ransomware.blogspot.com/2020/06/avaddon-ransomware.html, [Online; accessed 14-October-2020] (June 2020).
[19] Hornetsecurity, Avaddon: From seeking affiliates to in-the-wild in 2 days, https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/, [Online; accessed 23-August-2020] (June 2020).
[20] M. Malubay, Ransom.Win32.AVADDON.YJAF-A, https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.AVADDON.YJAF-A, [Online; accessed 22-September-2020] (June 2020).
[21] R. Brewer, Ransomware attacks: detection, prevention and cure, Network Security 2016.
[22] K. Zetter, What Is Ransomware? A Guide to the Global Cyberattack’s Scary Method, https://www.wired.com/2017/05/hacker-lexicon-guide-ransomware-scary-hack-thats-rise/, [Online; accessed 16-October-2020] (May 2017).
[23] D. Y. Huang, M. M. Aliapoulios, V. G. Li, L. Invernizzi, E. Bursztein, K. McRoberts, J. Levin, K. Levchenko, A. C. Snoeren, D. McCoy, Tracking ransomware end-to-end, in: 2018 IEEE Symposium on Security and Privacy (SP), 2018, pp. 618–631.
[24] S. Pastrana, G. Suarez-Tangil, A first look at the crypto-mining malware ecosystem: A decade of unrestricted wealth, in: Proceedings of the Internet Measurement Conference, IMC ’19, Association for Computing Machinery, New York, NY, USA, 2019, pp. 73–86.
[25] R. Richardson, M. North, Ransomware: Evolution, mitigation and prevention, International Management Review 13 (2017) 10.
[26] G. Hull, H. John, B. Arief, Ransomware deployment methods and analysis: views from a predictive model and human responses, Crime Science 8 (2019) 1–22.
[27] A. Kharaz, S. Arshad, C. Mulliner, W. Robertson, E. Kirda, UNVEIL: A large-scale, automated approach to detecting ransomware, in: 25th USENIX Security Symposium (USENIX Security 16), USENIX Association, 2016, pp. 757–772. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/kharaz
[28] E. Kolodenker, W. Koch, G. Stringhini, M. Egele, PayBreak: Defense against cryptographic ransomware, in: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, ASIA CCS ’17, Association for Computing Machinery, 2017, pp. 599–611.
[29] D. Sgandurra, L. Muñoz-González, R. Mohsen, E. Lupu, Automated dynamic analysis of ransomware: Benefits, limitations and use for detection, arXiv abs/1609.03020.
[30] R. Vinayakumar, K. P. Soman, K. K. Senthil Velan, S. Ganorkar, Evaluating shallow and deep networks for ransomware detection and classification, in: 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI), 2017, pp. 259–265.
[31] K. Lee, S. Lee, K. Yim, Machine learning based file entropy analysis for ransomware detection in backup systems, IEEE Access 7 (2019) 110205–110215.
[32] J. Caballero, C. Grier, C. Kreibich, V. Paxson, Measuring pay-per-install: the commoditization of malware distribution, in: USENIX Security Symposium, Vol. 13, 2011.
[33] Kaspersky, xDedic – the shady world of hacked servers for sale, https://securelist.com/xdedic-the-shady-world-of-hacked-servers-for-sale/75027/, [Online; accessed 04-February-2021] (June 2016).
[34] R. Bhalerao, M. Aliapoulios, I. Shumailov, S. Afroz, D. McCoy, Mapping the underground: supervised discovery of cybercrime supply chains, in: 2019 APWG Symposium on Electronic Crime Research (eCrime), IEEE, 2019, pp. 1–16.
[35] PintSizeNore, AVADDON Ransomware (.avdn; [id]-readme.html) Support Topic, https://www.bleepingcomputer.com/forums/t/724607/avaddon-ransomware-avdn;-id-readmehtml-support-topic/page-2#entry5061940, [Online; accessed 14-October-2020] (September 2020).
[36] M. De Jesus, M. Malubay, A. Christelle Ramos, Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector Targeted, https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted, [Online; accessed 22-September-2020] (July 2020).
[37] M. J. Schwartz, Avaddon Ransomware Joins Data-Leaking Club, https://www.bankinfosecurity.com/avaddon-ransomware-joins-data-leaking-club-a-14809, [Online; accessed 22-September-2020] (August 2020).
[38] L. Abrams, Avaddon ransomware launches data leak site to extort victims, https://www.bleepingcomputer.com/news/security/avaddon-ransomware-launches-data-leak-site-to-extort-victims/, [Online; accessed 22-September-2020] (August 2020).
[39] L. Abrams, Avaddon ransomware launches data leak site to extort victims, https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/, [Online; accessed 03-February-2021] (January 2021).
[40] Emsisoft, Urgently Needed! Avaddon ransomware (.avdn), https://support.emsisoft.com/topic/33623-urgently-needed-avaddon-ransomware-avdn/, [Online; accessed 21-October-2020] (2020).
[41] Bleeping Computer, AVADDON Ransomware (.avdn; [id]-readme.html) Support Topic, https://www.bleepingcomputer.com/forums/t/724607/avaddon-ransomware-avdn;-id-readmehtml-support-topic/page-2, [Online; accessed 21-October-2020] (2020).
[42] Microsoft, PE Format, https://docs.microsoft.com/en-us/windows/win32/debug/pe-format, [Online; accessed 01-October-2020] (2020).
[43] R. Lyda, J. Hamrock, Using entropy analysis to find encrypted and packed malware, IEEE Security and Privacy 5 (2) (2007) 40–45.
[44] P. V. Sabanal, M. V. Yason, Reversing C++, Black Hat DC.
[45] hfiref0x, UAC bypass using CMSTPLUA COM interface, https://gist.github.com/api0cradle/d4aaef39db0d845627d819b2b6b30512, [Online; accessed 31-August-2020] (2017).
[46] A. Osipov, Trickbot Trojan leveraging a new Windows 10 UAC bypass, https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass, [Online; accessed 31-August-2020] (2020).
[47] Security in bits, UAC bypass analysis (Stage 1) Ataware Ransomware – Part 0x2, https://www.securityinbits.com/malware-analysis/uac-bypass-analysis-stage-1-ataware-ransomware-part-2/, [Online; accessed 31-August-2020] (2019).
[48] Microsoft, EnableLUA, https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/958053ae-5397-4f96-977f-b7700ee461ec, [Online; accessed 21-July-2020] (2019).
[49] Microsoft, ConsentPromptBehaviorAdmin, https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4, [Online; accessed 21-July-2020] (2019).
[50] Microsoft, Mapped drives are not available from an elevated prompt when UAC is configured to "Prompt for credentials" in Windows, https://support.microsoft.com/en-us/help/3035277/mapped-drives-are-not-available-from-an-elevated-prompt-when-uac-is-co, [Online; accessed 21-July-2020] (2015).
[51] Lockheed Martin, The Cyber Kill Chain, https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html, [Online; accessed 08-October-2020].
[52] B. Baskin, TAU Threat Analysis: Medusa Locker Ransomware, https://www.carbonblack.com/blog/tau-threat-analysis-medusa-locker-ransomware/, [Online; accessed 19-October-2020] (June 2020).
[53] A. Zsigovits, Ransomware-LockBit, https://github.com/sophoslabs/IoCs/blob/master/Ransomware-LockBit, [Online; accessed 19-October-2020] (2020).
[54] Microsoft, CryptImportKey function, https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptimportkey, [Online; accessed 27-August-2020] (2018).
[55] Sasza, Structure of HCRYPTKEY Data, https://forums.codeguru.com/showthread.php?79163-Structure-of-HCRYPTKEY-Data, [Online; accessed 26-September-2020] (2020).
[56] Microsoft, ALG_ID, https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id, [Online; accessed 26-September-2020] (2018).

### Appendix A

Table 2: List of whitelisted strings in the encryption process.