Exploring Ransomware Samples Written As Windows Batch File / HTA Hybrids

In this blog post, I’d like to go over some interesting ransomware samples I found on VirusTotal: Windows Batch files that use a single Batch one-liner to encode a victim’s files. Before we analyze these batch ransomware samples, let’s first understand what a ransomware attack is, for context.

What is a Ransomware Attack?

A ransomware attack is an attack carried out by malware that weaponizes encryption: it encrypts a victim's files and other data so the victim can no longer access them. At the same time, the ransomware operators demand, through a ransom note, something of value (often money or cryptocurrency, such as Bitcoin) in exchange for the key to decrypt the files. Ransomware attacks are a common problem for businesses and individuals worldwide, as malicious actors profit by holding data hostage. In a recent study, 73% of organizations were hit by ransomware, with a third saying they were hit more than once. Ransomware variants and the threat actors who deploy them continue to affect the largest companies worldwide, such as the ransomware attack on MGM by the ALPHV/BlackCat ransomware group. The most sophisticated ransomware attacks involve complex attack chains combining social engineering, phishing emails, malware/viruses, and zero-day and/or n-day exploits.

Ransomware Written In Windows Batch

While threat hunting on VirusTotal, I recently discovered what may be the tiniest ransomware written in the original Windows scripting language: Windows Batch. These batch files, with merely a few lines of code, can evade antivirus detection and encrypt a victim's files. In most cases, the batch files I uncovered on VirusTotal were tiny, less than 2KB.

I uncovered a little less than 50 batch files during my threat-hunting operation. These files ranged from less than 100KB down to as small as 1KB. The ransomware family used was a modified version of RamonWare, a proof-of-concept ransomware uploaded to GitHub that uses aescrypt.exe as its file encryption mechanism. In the samples I uncovered, aescrypt.exe was replaced with certutil -encode, which simply base64-encodes data.

RamonWare Batch Ransomware on GitHub

In addition to being written in Windows Batch, this ransomware contained an HTA (HTML Application) that displayed the ransom note using the mshta.exe command.

Exploring Malware-Enabled Batch Files

This section will explore the hosting, execution process, and the logical components of this ransomware written in batch.

Batch Files Hosted On Discord

To infect the victim's machine, the victim must first download and execute the malicious batch file. Some telemetry suggests that these batch files are uploaded to Discord and passed around various channels, disguised as other tools or as "pranks". Unsuspecting victims download and execute the batch file, which triggers the payload and leads to infection.

Ransomware message hosted on Discord as an image

Ransomware Execution via Command Prompt

The batch files can be executed through the command prompt (CMD) or the PowerShell terminal to start the encryption process. This method relies on user execution to kick off the ransomware process tree.

cmd.exe process as seen through app.any.run malware sandbox

Some less-skilled threat actors (especially common trolls) use a standard method: they embed infected scripts inside archive files, such as a zip file disguised as some software or tool, and instruct less savvy users to run the batch or PowerShell script to "install" the software. These actors rely on user ignorance to get malicious scripts executed, leading to an infected machine.

These malware-driven archives are posted on various forums and channels, such as Discord, for unsuspecting victims to unzip and execute. Let us analyze the malicious batch file to understand what is being executed.

Exploring the Malicious Batch File & HTA Application

Let's explore the single line responsible for base64-encoding files. The "encrypting" component relies on a single Batch for loop: a single-line ransomware. Wow!

Batch for loop one-liner responsible for file encoding

The figure above shows a Batch for loop using the /r flag, which walks directories recursively looking for files with common file type extensions. For each matching file, the threat actors use the certutil utility to base64-encode it into a new file with a .enc extension. Finally, the original file is deleted from the disk.

Next, the malware-enabled batch file executes a malicious HTA (HTML Application) using the mshta.exe command.

mshta.exe is assigned to Batch variable

The HTA application contains the ransom message, which demands that the infected user pay $300 in Bitcoin for malware removal and file decryption. In many ransomware operations, the operators include an email address and some identifier for the victim. When the victim contacts the operators, they pass their unique identifier, after which the ransomware operator provides a password to decrypt the encrypted files. In this operation, however, the malicious actors included no such contact or identifier. This reflects the unsophisticated nature and one-size-fits-all approach of the ransom operation.

The HTA application displays the ransom message.

Once mshta.exe executes the malicious HTA application, the victim is hit with a Ransomware message.

The ransom message as displayed by the HTA application

Note: Ransomware generally encrypts data using an algorithm such as AES. In this batch/HTA hybrid instance, the malicious actors merely encode the data. Anyone familiar with certutil would not pay the ransom; they would simply run certutil -decode to recover the encoded data. The threat actors in these examples rely on user ignorance and fear.
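To make that recovery concrete, here is an added example of my own (not code from the samples or from the RamonWare project) that identifies files carrying the certutil -encode layout and decodes them back in place. It assumes the sample appended .enc to the original file name (so report.docx became report.docx.enc), which is an assumption about the samples rather than something stated above, and it stages its own constructed sample directory so it runs offline.

```python
from __future__ import annotations

import base64
import tempfile
from pathlib import Path

# certutil -encode frames its base64 body with PEM-style certificate markers,
# 64 characters per line, CRLF line endings.
CERTUTIL_HEADER = "-----BEGIN CERTIFICATE-----"
CERTUTIL_FOOTER = "-----END CERTIFICATE-----"


def _pem_lines(data: bytes) -> list[str]:
    """Split a blob into stripped, non-empty text lines."""
    text = data.decode("ascii", errors="replace")
    return [line.strip() for line in text.splitlines() if line.strip()]


def is_certutil_encoded(data: bytes) -> bool:
    """True when the bytes have exactly the framing certutil -encode produces."""
    lines = _pem_lines(data)
    return len(lines) >= 2 and lines[0] == CERTUTIL_HEADER and lines[-1] == CERTUTIL_FOOTER


def certutil_decode(data: bytes) -> bytes:
    """Reverse certutil -encode: drop the markers, join the body, base64-decode.

    validate=True makes a corrupted or unrelated .enc file raise instead of
    silently yielding garbage that would then be written back as the original.
    """
    if not is_certutil_encoded(data):
        raise ValueError("not certutil -encode output")
    body = "".join(_pem_lines(data)[1:-1])
    return base64.b64decode(body, validate=True)


def recover_directory(root: Path) -> dict:
    """Restore every certutil-encoded *.enc file under root.

    Assumption (not stated in the write-up): the sample appended .enc to the
    original name, so report.docx.enc is written back as report.docx. The .enc
    copy is removed only after the decoded file exists, and an existing file
    is never overwritten.
    """
    outcome = {"recovered": [], "skipped": []}
    for enc in sorted(root.rglob("*.enc")):
        data = enc.read_bytes()
        original = enc.with_suffix("")  # strips only the trailing .enc
        if not is_certutil_encoded(data) or original.exists():
            outcome["skipped"].append(str(enc.relative_to(root)))
            continue
        original.write_bytes(certutil_decode(data))
        enc.unlink()
        outcome["recovered"].append(str(original.relative_to(root)))
    return outcome


def make_certutil_blob(plain: bytes) -> bytes:
    """Constructed fixture: lay bytes out the way certutil -encode would."""
    b64 = base64.b64encode(plain).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("\r\n".join([CERTUTIL_HEADER, *lines, CERTUTIL_FOOTER]) + "\r\n").encode("ascii")


def demo() -> dict:
    """Stage a throwaway directory resembling a hit machine and recover it."""
    root = Path(tempfile.mkdtemp(prefix="enc-recovery-"))
    docs = root / "Documents"
    docs.mkdir()
    report = b"Q3 figures: revenue up 12%, churn down 3%.\n"  # constructed content
    (docs / "report.docx.enc").write_bytes(make_certutil_blob(report))
    # An unrelated file that merely ends in .enc must be left alone.
    (docs / "settings.enc").write_bytes(b"\x00\x01 not certutil output")
    outcome = recover_directory(root)
    outcome["report_restored"] = (docs / "report.docx").read_bytes() == report
    outcome["enc_copy_removed"] = not (docs / "report.docx.enc").exists()
    return outcome


if __name__ == "__main__":
    print(demo())
```

The framing check matters more than it looks: the loop in the sample only renames by extension, so a responder sweeping a disk with `*.enc` will also hit legitimate files that happen to use that extension, and those must not be "decoded".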

Ransomware Process Execution Tree

The full process tree is as follows: cmd.exe (executes the script) -> mode (sets the console window size) -> certutil (base64-encodes files) -> mshta.exe (invoked to display the ransom message).

The process tree of the Batch ransomware from Malware sandbox
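That process tree is a usable detection signature on its own. The following is an added example of mine (not telemetry or code from the sandbox run above) that walks constructed process-creation events shaped like Sysmon Event ID 1 fields and flags a cmd.exe whose children are repeated certutil -encode runs plus an mshta.exe. The PIDs, user name and file paths are made up for the example; the threshold of three encodes is my choice, not something the write-up specifies.

```python
from __future__ import annotations

import ntpath
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style). Everything
# here is made up for the example; it is not telemetry from the sandbox run.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3020, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\Downloads\setup\install.bat"'},
    {"pid": 4104, "ppid": 4100, "image": r"C:\Windows\System32\mode.com",
     "cmdline": "mode con: cols=40 lines=10"},
    {"pid": 4110, "ppid": 4100, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil -encode "C:\Users\victim\Documents\report.docx" "C:\Users\victim\Documents\report.docx.enc"'},
    {"pid": 4112, "ppid": 4100, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil -encode "C:\Users\victim\Pictures\holiday.jpg" "C:\Users\victim\Pictures\holiday.jpg.enc"'},
    {"pid": 4114, "ppid": 4100, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil -encode "C:\Users\victim\Documents\budget.xlsx" "C:\Users\victim\Documents\budget.xlsx.enc"'},
    {"pid": 4116, "ppid": 4100, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil -encode "C:\Users\victim\Desktop\notes.txt" "C:\Users\victim\Desktop\notes.txt.enc"'},
    {"pid": 4130, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\victim\Downloads\setup\note.hta"'},
    # Benign look-alike: an admin shell exporting one certificate, no ransom note.
    {"pid": 5200, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 5210, "ppid": 5200, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -encode C:\temp\server.cer C:\temp\server.b64"},
]

# certutil accepts both -encode and /encode.
ENCODE_FLAG = re.compile(r"(^|\s)[-/]encode(\s|$)", re.IGNORECASE)


def _image_name(event: dict) -> str:
    return ntpath.basename(event["image"]).lower()


def _tokens(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def find_batch_encoder_chains(events: list[dict], min_encodes: int = 3) -> list[dict]:
    """Flag a cmd.exe that spawns repeated certutil -encode children plus mshta.exe.

    The per-file loop produces one certutil process per victim file, so the
    number of -encode children under a single cmd.exe is the strongest signal;
    the mshta.exe sibling (the ransom note) confirms it. A lone certutil -encode,
    which administrators legitimately use to export certificates, is not flagged.
    """
    by_pid = {e["pid"]: e for e in events}
    children: dict[int, list[dict]] = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None or _image_name(parent) != "cmd.exe":
            continue
        encodes = [k for k in kids
                   if _image_name(k) == "certutil.exe" and ENCODE_FLAG.search(k["cmdline"])]
        notes = [k for k in kids if _image_name(k) == "mshta.exe"]
        if len(encodes) < min_encodes or not notes:
            continue
        # certutil -encode <infile> <outfile>: the input path is the third token.
        targets = [_tokens(k["cmdline"])[2] for k in encodes if len(_tokens(k["cmdline"])) >= 4]
        findings.append({
            "parent_pid": ppid,
            "script": parent["cmdline"],
            "encode_count": len(encodes),
            "extensions": sorted({ntpath.splitext(t)[1].lower() for t in targets}),
            "mshta_cmdline": notes[0]["cmdline"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_batch_encoder_chains(SAMPLE_EVENTS):
        print(finding)
```

Keying on the parent/child relationship rather than on a single certutil invocation is what keeps the rule quiet on ordinary certificate exports while still catching the loop, whose one-process-per-file behaviour is hard for the author of the batch file to hide.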

VirusTotal Detection

To collect samples from VirusTotal, I wrote a simple Retrohunt to gather all samples. Many of these malicious ransomware batch files remain largely undetected: the highest detection rate among antivirus engines was 12 engines, and most samples sit in the 2 to 3 engine range.

VirusTotal retrohunt results

More significant still, the sample used in this blog had a shocking 0 detections from antivirus engines on VirusTotal.

VirusTotal 0 detections for Batch Ransomware

This highlights the continued usefulness of Windows Batch as a language for remaining fully undetected by antivirus solutions, and the continued difficulty of detecting these types of files.

Indicators of Compromise (IOC)

fcb05e895df344f1419fd61a30eddccacd3d44820215155d11f9c092a4b92f11

4aa36a904fd0e7f2b447ea91ea122615b1363d1acf4b639a7e6232cf599aacda

44a7c5d45ffcfc207f33f40bf97a48823c2d3a19c0bb9a0c54e32c0e45c0ae91

691a0c16558fde11bba955e047dcf4980e79fe001165099481e57de6b12427e7

ab26a7732a067dbba66fcf1e73dfad6d34f41f81f2ca211869eda5f3d27542f0

5359924f65421e21bfbc4a531d6d8d4d11a59d1dec962872a898294ad47110ac

ab2b672faf1e754106aec83c375ae6c15fd460250079d8ad1b973bc495df57ac

ee4dfcd54252969d74b78bce3feb30e69f07570643c9357f60c9b070c0cf23db

a054752ef392b4b989a4ec5417a263ffc0fab94bc418ff8ddf95de881820f187

165404516d561741326fc19293c2e6e81076e7a255d9552bda9694ab39cc402c

83aac19b9c1f4ed91ac39e2abc055ea230038cbfef579bdbb72228ed9e0f732a

dd9f9718faca4ef0d2255550b738e35652778aa664c418fd1f7cd5d8b71e311d

36426520a5ef575a9a181eed0f6d779e69b3155435e91d61a834ab83b23afe30

6a51f1ac48fc9668cb1c8617e204fb89f77fd0a9c720f60c743fb317b2af2476

29f0490a37f97ce5d06bc12acde1c95040271dbbeabfa6e835040403d1a7d5da

0604cbf8b8ac31502833d7d59bb8021d0610927a060b45b3429b3cf8ff11733c

de9761b69778926dcb80c5d27a9a32552d38d0e91054babdcbb8dec1838b3639

76c42bb2331833df2b10df7ebf6e9577917bbbc3b0a4d1ec6c9006226d1aaeda

7f4738dd9f71931dd35f5878525f7c45b7fab7e93a2de02a7ac8bd0febd38b34

2d8d16a03edf5a175ff38276add053a3995a7e5295472e57462f28094387233b

9ada8d3b7b742fe548f4cc27d972701ee0e4a92ad40aec388dfacb48382b66d4

09e5b0bc722d0a4bac9f0fb0185e6b2a67837df166d1b4c8a8602b82b712a811

ed91c88dd70cd2b3b2501d275bcebfd5167c116eb7a125067662fe7c63d54207

bf8a8e11a1bb92453fb1d9f83eed069130f05a32c311b52055d7139818d90539

631ee7e11b7a7efe33905f6da539d066278f7fd60b04a39548ecbbe2b8463c36

7ee274c40adf4fcd5fbb69ad746380979bba0728256dce22fb8347e813104f30

6aee496fadfc275bf998ba47dc2789368f1787e3c19242b626a0ffdb45f834d6

61fbbcde58f1133f8ce955a93760cb1cef73ad76744707d8d83326e3a49d0f21

997c7d68c6bd950696c41355332836154355baaa85c69aa10053c09c2d72227e

49c45f59ac2093e3f7c590f1c1ae22946b4fee2a137131b718e53bd985939e0a

3386f8bdaa0ee5d6c1e02b2bdeb94d4b9d91c666ac40ba4e6177ac449c443faf

cfabacd0f04eb503f65c1257c0eb131e1077288f5be6acb20d06defa49e3c527

ef2d78c6f51cf3810e621f3b6b8651bd3508d0f534c3ede5409903ae09ed5d43

7fece43feb003c6a4d734d1a0ac62894207ae650b3e26e9b0b751fc15b6b1856

cd574381dea52fa4f272dbb9063cd1dd07800a0aa65d7736f263fec3e07fe4f2

53d53b598ec9ef7f83ab90ef03280f4a65929c63bc1567d27d181628002f856b

73d362ac06ca68b8c90f2eb5348103a145d4054291bec6a5a63a1ed8ca23bea9

4dc44f14bbe415f7f4c6850ab38e8d6f38109f353cf84301a5ae43a5f07d6778

830e3f8bca9146893aa0cc3b0402e2e22cf675b8e29876c71783322119f6e8fe

949bff9c8deca704ae60b3b90383cf52315abe13900c6afe912fc3d7509f5049

35e0fe26c9de0b99229a51a16792fa7d96ff395ac49c3e019ee7fe17500ac815

acd00136a8d2a0662685645beb083f63cdf7fd5ed2f4157ad4dffe4cefd2bcb6

How to Protect Yourself

To protect yourself from these ransomware attacks, never install software from untrusted sources. Public servers where anyone can post content, such as Discord, should be considered highly suspicious. Be careful about archives hosted on public services such as cloud servers and Discord, and about random zip files containing PowerShell scripts, batch scripts, bash scripts, and executables. Always understand the risks involved with running an executable file! If you'd like to learn more about ransomware, the Cybersecurity and Infrastructure Security Agency (CISA) provides an excellent #StopRansomware Guide. This resource provides comprehensive guidance to organizations on how to reduce the risk of ransomware incidents. It includes best practices for detecting, preventing, responding to, and recovering from potential attacks, with step-by-step approaches to address them. The publication was created by the Joint Ransomware Task Force (JRTF), a government body established by Congress under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The JRTF aims to promote collaboration and coordination among agencies in countering the increasing threat of ransomware attacks.
