Yatron Ransomware Plans to Spread Using EternalBlue NSA Exploits

by chebbi abir

A new Ransomware-as-a-Service called Yatron is being promoted on Twitter that plans to use the EternalBlue and DoublePulsar exploits to spread to other computers on a network. This ransomware will also attempt to delete the encrypted files if payment has not been made within 72 hours.

BleepingComputer was first notified of the Yatron RaaS by a security researcher who goes by the name A Shadow. Since then, the actor behind this ransomware has, strangely, been promoting the service by tweeting at various ransomware and security researchers, as shown below.

Tweet from Ransomware Developer

After seeing one of these tweets, BleepingComputer was able to find a sample on VirusTotal and with the help of Michael Gillespie, we started to examine the source code of the ransomware.

Like any other ransomware, when executed it will scan the computer for targeted files and encrypt them. When encrypting a file, it appends the .Yatron extension to the encrypted file's name, as shown below.

Encrypted Yatron Files

After it has finished encrypting files, it will send the encryption password and a unique ID back to the ransomware's command and control server. According to Gillespie, this ransomware is based on HiddenTear, but its encryption algorithm has been modified so that it cannot be decrypted using current methods.

Once the encryption is done, things begin to get more interesting.

Yatron contains code to use the EternalBlue and DoublePulsar exploits to spread to Windows machines on the same network through SMBv1 vulnerabilities that should have been patched long ago (Microsoft fixed them in MS17-010, released in March 2017). Thankfully, the code that uses these exploits is incomplete, and the ransomware does not currently include the Eternalblue-2.2.0.exe and Doublepulsar-1.3.1.exe executables that it relies on.

You can see, though, some of the code that attempts to configure the variables used to build the exploit commands in the screenshot below.

Configuring various variables to perform the exploit

The next screenshot shows the ransomware attempting to launch these exploits, which would only work if the required executables were present on the computer.

Executing the Eternalblue exploit commands

In addition to exploiting vulnerabilities, Yatron will attempt to spread via P2P programs by copying the ransomware executable into the default shared folders used by programs such as Kazaa, Ares, eMule, and others. The goal is that when these programs are started, the P2P client will automatically share the ransomware with other users.

P2P Sharing
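The behaviours described above can be hunted for in endpoint telemetry. The following Python script is an added example for this write-up, not code from the article or from the Yatron sample: it runs a few constructed Sysmon-like events through four rules covering the launch of the named exploit helpers, an executable dropped into a P2P client's shared folder, a file written with the .Yatron extension, and the shadow copy deletion the RaaS advertises. The shared-folder paths and the vssadmin command line are assumptions based on common defaults and common ransomware behaviour, not observations taken from the sample.

```python
"""Hunt for Yatron-style behaviour in endpoint telemetry.

Added example for this write-up; it is not code from the article or from the
Yatron sample. The event records are constructed, Sysmon-like dictionaries.
The P2P share paths are assumptions (typical default shared folders of the
clients the article names), not paths taken from the sample.
"""
from dataclasses import dataclass

# Helper executables the article says the spreading code expects to find.
EXPLOIT_HELPERS = {"eternalblue-2.2.0.exe", "doublepulsar-1.3.1.exe"}

# Assumed default shared folders of the P2P clients named in the article.
P2P_SHARE_DIRS = (
    r"c:\program files\emule\incoming",
    r"c:\program files\kazaa\my shared folder",
    r"c:\program files\ares\my shared folder",
)

ENCRYPTED_EXT = ".yatron"  # extension the sample appends to encrypted files


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def normalize(path: str) -> str:
    """Lower-case and use backslashes so path comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def check_event(ev: dict) -> list:
    """Return the findings raised by one telemetry event."""
    findings = []
    host = ev.get("host", "?")
    kind = ev.get("event")

    if kind == "process_create":
        image = normalize(ev.get("image", ""))
        name = image.rsplit("\\", 1)[-1]
        # The sample tries to run the exploit helpers by name; either one is a hit.
        if name in EXPLOIT_HELPERS:
            findings.append(Finding("exploit_helper_launch", host, image))
        # Shadow-copy deletion is a feature the RaaS advertises. Matching a
        # vssadmin command line is a common ransomware pattern and an
        # assumption here, not a command observed in the sample.
        cmd = ev.get("cmdline", "").lower()
        if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
            findings.append(Finding("shadow_copy_deletion", host, cmd))

    elif kind == "file_create":
        target = normalize(ev.get("target", ""))
        if target.endswith(ENCRYPTED_EXT):
            findings.append(Finding("yatron_extension", host, target))
        # An executable dropped into a P2P client's shared folder is the
        # seeding step described in the article.
        if target.endswith(".exe") and any(
            target.startswith(d + "\\") for d in P2P_SHARE_DIRS
        ):
            findings.append(Finding("p2p_share_seeding", host, target))

    return findings


def hunt(events) -> list:
    """Run every event through the rules and collect the findings."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


def summarize(findings) -> dict:
    """Count findings per rule, e.g. {'p2p_share_seeding': 2}."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"host": "WS01", "event": "file_create",
     "target": r"C:\Users\alice\Documents\budget.xlsx.Yatron"},
    {"host": "WS01", "event": "file_create",
     "target": r"C:\Program Files\eMule\Incoming\Yatron.exe"},
    {"host": "WS01", "event": "file_create",
     "target": r"C:\Program Files\Kazaa\My Shared Folder\setup.exe"},
    {"host": "WS01", "event": "file_create",
     "target": r"C:\Program Files\eMule\Incoming\song.mp3"},  # benign
    {"host": "WS01", "event": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\Eternalblue-2.2.0.exe",
     "cmdline": "Eternalblue-2.2.0.exe"},
    {"host": "WS01", "event": "process_create",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS02", "event": "process_create",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},  # benign
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} -> {f.detail}")
```

On the constructed events the script raises five findings, all on WS01, and nothing for the benign mp3 write or the notepad launch. In a real deployment the event dictionaries would come from Sysmon event IDs 1 (process create) and 11 (file create) or from an EDR export, and the share-folder list should be replaced with the install locations actually present in the environment.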

When finished, the ransomware displays an interface with a 72-hour countdown until the encrypted files are deleted. To protect the files from being deleted, a user can simply terminate the ransomware process using a tool such as Process Explorer running as an administrator.

Yatron Ransomware

As the sample we analyzed may not be the most up-to-date, some of the above features may have changed or become fully functional. If we find a newer sample, we will update the article as needed.

Promoted as a RaaS

Yatron is promoted as a Ransomware-as-a-Service, but does things a bit differently than most RaaS services.

Typically, when wannabe criminals join a RaaS, the developer takes a revenue share of all submitted ransom payments. For example, some RaaS services will take 20% of all ransom payments, while the affiliate/distributor earns the remaining 80%.

Like another recent RaaS called Jokeroo, the developer of Yatron is selling access to the RaaS for $100 in bitcoin, with no fee going forward. This model is being adopted because most RaaS services never earn any money; by having affiliates buy in, the ransomware developer earns some revenue up front.

Yatron RaaS Service

Like all RaaS offerings, Yatron promises a FUD (fully undetectable) executable, the ability to encrypt a computer, and the deletion of shadow copies. As described earlier in the article, this ransomware also aims to be able to spread via P2P, USB, and LAN.

At the time of this writing, no one has paid to gain access to this ransomware.

To read the original article:

https://www.bleepingcomputer.com/news/security/yatron-ransomware-plans-to-spread-using-eternalblue-nsa-exploits/
