Discovering ADHUBLLKA Ransomware Family: Tracing Roots of LOLKEK, BIT, OBZ, U2K, TZW Variants

Rakesh Krishnan
Coinmonks


NOTE: The original work is attributed to NETENRICH Corporation. Here, you can find the official version. This article is not an in-depth reverse-engineering analysis of the ransomware variants; it mainly discusses the methods used to uncover other ransomware campaigns of the Adhubllka family using different techniques.

When a successful ransomware is out in the wild, it is a common pattern to see the same samples reused by cybercriminals to pilot other projects: they tweak the codebase a little, for example by changing the encryption scheme, the ransom notes or the C2 communication channels, and re-brand themselves as “new” ransomware.

Different variants obtain their genes from their roots | Pic Courtesy: Self (AI-Gen)

This often confuses security researchers at the time of classification. Since it is important to attribute observed/detected IOCs to the respective malware/ransomware family, the newly re-branded names also get tied to the old malware, making them duplicates in some instances. As a result, an analyst investigating an IOC hash hits a roadblock when multiple malware families are bound to the uploaded sample. To confirm further, reversing is required.

Many such cases have happened in the past. For example, when the builder of the Babuk ransomware code was leaked, new ransomware such as Rorschach, Mario, ESXi, RTM Locker, etc. mushroomed within no time. The same happened when the Conti source code leaked.

In this research, we are going to track down one such incident.

CASE STUDY

INTRODUCTION

In August, we came across a new ransomware strain (filename: r.exe) which caught our attention. On analyzing it further, it was evident that the newly found ransomware is a spin-off of an earlier variant titled Adhubllka ransomware, which appeared on January 13, 2020. This newly spotted variant has been active since August 1, 2023.

The sample discussed here is MD5: 0f77484639b1193ad66e313040c92571. Looking it up in VirusTotal shows the following:

File Analysis Result | Source: VT

It has already been detected by multiple engines, and by tracking the genealogy we can find traces of Cryptolocker, which has been prevalent since 2016. As many malware code bases produce an exact match, we cannot finalize it as Cryptolocker. Additional parameters such as contact emails, ransom notes and execution methods also play a vital role in the analysis.

Checking the ransom note reveals the following:

Ransom Note of Adhubllka Ransomware

From there, we now have the following details:

Victims are asked to communicate via the TOR-based Victim Portal to obtain decryption keys post-ransom payment.

TOR Address: mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad.onion
Alternate Communication Channel: https://yip.su/2QstD5

DARK WEB INTERACTION

Let’s dive into the Dark Web to extract more information about the negotiation phase.

Ticket Panel | mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad.onion

Infected victims are advised to contact the ransomware group directly, by opening a ticket, for further negotiation: sample file submission, payment negotiation and finally receiving the decryption keys after payment.

Once the ticket is created, a channel is created on the fly and this message pops up by default:

Default Message on Negotiation Phase

While interacting with the ransomware operator, it can be seen that the person is rigid on the negotiation and does not even flinch from his/her initially offered price for the decryption keys (as per the observed chat).

Communication with Ransomware Group

A screenshot of the decrypted sample is provided on ImgBB, an image hosting service. Decrypted files are not passed directly to the victim; instead, the group shows that their decryptor is working by sharing a screenshot of the decrypted submitted sample. From this, it can be confirmed that the group has a working decryptor.

Communicated IPs

104.18.14.101
20.99.184.37
192.229.211.108
23.216.147.61
Decryption Key Cost: $1350 or 0.047 BTC

NOTE: It is also notable that the threat actor can delete the messages s(he) sent to the victims to clear their tracks. The threat actor also deletes the created tickets once they are resolved.

FILE EXECUTION

The file is named “r.exe”. Once executed, it launches malicious tasks such as process injection and dropping a malicious executable (AddInProcess32.exe) in the victim environment, initializing the infection chain.

Once it has run, all files are encrypted and the “.MMM” extension is appended to the affected files.

All the encrypted files contain the string “CRYPTO LOCKER” along with the encrypted gibberish.

Strain of “Cryptolocker” in encrypted file

To explore further, you can refer to the Joe Sandbox report for this sample.
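As an added example (not code from the article or from NETENRICH), the following Python triage script applies the two file-level indicators described above, the appended “.MMM” extension and the “CRYPTO LOCKER” marker string inside encrypted files, and corroborates them with a byte-entropy check so that a renamed-but-unencrypted file is not mistaken for a victim file. The sample file contents are constructed here, and the 7.0 bits-per-byte entropy threshold is an assumption of mine, not a value from the article.

```python
import math
import random
from collections import Counter
from typing import Dict, List

# Indicators taken from the article: appended extension and marker string.
ENCRYPTED_EXT = ".MMM"
MARKER = b"CRYPTO LOCKER"
# Assumption: ciphertext is close to uniform, so a high byte entropy
# (maximum 8.0 bits/byte) corroborates that the body really is encrypted.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage_file(name: str, content: bytes) -> Dict[str, object]:
    """Classify one file against the Adhubllka/MMM indicators."""
    has_ext = name.endswith(ENCRYPTED_EXT)
    has_marker = MARKER in content
    entropy = shannon_entropy(content)
    high_entropy = entropy >= ENTROPY_THRESHOLD
    if has_marker and has_ext:
        verdict = "encrypted_mmm"          # both indicators: high confidence
    elif has_marker:
        verdict = "marker_without_ext"     # marker present, extension missing
    elif has_ext and high_entropy:
        verdict = "ext_only_high_entropy"  # renamed and scrambled, no marker
    else:
        verdict = "clean"                  # no indicator, or .MMM on plain text
    return {
        "name": name,
        "has_ext": has_ext,
        "has_marker": has_marker,
        "entropy": round(entropy, 2),
        "verdict": verdict,
    }


def triage_files(files: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Run triage over a mapping of filename -> content and return only hits."""
    results = [triage_file(name, content) for name, content in files.items()]
    return [r for r in results if r["verdict"] != "clean"]


def sample_files() -> Dict[str, bytes]:
    """Constructed samples (not real victim data): a deterministic
    pseudo-random body stands in for ciphertext."""
    rng = random.Random(1)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        "report.docx.MMM": MARKER + ciphertext,                   # fully matching
        "notes.txt": b"meeting at 10, bring the slides\n" * 50,   # benign
        "photo.jpg.MMM": ciphertext,                              # renamed, no marker
        "odd.bin": MARKER + b"\x00" * 100,                        # marker, wrong ext
    }


if __name__ == "__main__":
    for hit in triage_files(sample_files()):
        print(hit)
```

On a real host the `files` mapping would be filled from a directory walk; the entropy check is only a corroborating signal, since compressed formats such as JPEG or ZIP also score high, which is why it is consulted only when the extension matches and the marker is absent.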

TRACING THE FAMILY

While tracing this ransomware sample, a few parameters such as the sample itself, the ransom note, email addresses and others need to be considered to find the root of this ransomware.

We can see that this is not limited to a single family. The genealogy is as follows:

ADHUBLLKA (DEATH RANSOM) → BIT → LOLKEK → OBZ → U2K → TZW

Below are the hashes observed in the wild for each variant, with a timeline:

MD5 HASHES OBSERVED IN THE WILD FOR EACH ONION DOMAIN (OLD & NEW)

mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion: NEW
==============================================================
e3f6878bcafe2463f6028956f44a6e74
2f121145ea11b36f9ade0cb8f319e40a
291bea114eb566d39f69d8c2af059548
e4e439fc5ade188ba2c69367ba6731b6
d14aab030b254bae3c6977c71cbc8a0b
ae3353674bf514175deda25b96496a83
de9d7afe742c551522bafb785c706f4f
0e5bd98bcf1ef9bef39f19f41e1aabfb
0148dc4f8a43b7fa1c31578f1a3c13bf
34b2b644c22861346ed07b4c7eeea7fb
da07dd4894c10fe94eba4f32ae4a57e6

mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad.onion: NEW
==============================================================
0f77484639b1193ad66e313040c92571
121f5beface8337c7105cc6a257a87ed

tzw7ckhurmxgcpajx6gy57dkrys12sigfrt6nk4a3rvedfldigtor7ad.onion: NEW
==============================================================
341c316be98f624f7321d198c5345bc9
1f640e3f37ec3b93c958c5910eb6a3e7
957f3db87f8c9a1540269e6aa08c14b2
f1ab4f5cbf5fc72c4033699edadc4622

alcx6zctcmhmn3kx.onion: OLD
======================
860b89a4138f744adbe41cee1de0848f
5990a32cddde5978959321237f9b0ee1

decrmbgpvh6kvmti.onion and helpinfh6vj47ift.onion: OLD
==================================================
22dce5b7daed8cfb14aa9e8e7eed1d2f

7rzpyw3hflwe2c7h.onion: OLD
======================
43c89b8dc5f9cac3d143238ba74c9002
3dcb42c5e7545c629c30d501feb908d5

54fjmcwsszltlixn.onion: OLD
======================
8ba537f8d00a73d6cc1cc5dffa566ed1

helpqvrg3cc5mvb3.onion: OLD
======================
2c72015e22b53c215403979536bce826
e58b77e4de54b09be77c852436a904b6

mrv44idagzu47oktcipn6tlll6nzapi6pk3u7ehsucl4hpxon45dl4yd.onion: OLD
==============================================================
fc9ca0a85e47088d25483dd47fba3244

obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion: NEW
==============================================================
d0c67160c740f62c25b0558e9563a824
1a7ddd5e16d0fc9c3969d1c63e5c6cda
6953d6e1a2d8df8e0d2e76263e8b3115
13d8c2f2cdf5f6208c3e999621019304
09d5701f1f4a6d50f9833fc78d3f2371
5f77cb5129da0751684b33dd4348b842

u2kqti2utfaiefucegnmd6yh6hledbsfanaehhnnn3q5usk6bvndahqd.onion: NEW
==============================================================
5355cce5601f471579f6154708d87fd7

34vm2smykaqtzzzm4bgycfzg5fwyhhksrkpahdbiswmmuwuu7hmvuvqd.onion: NEW
==============================================================
71852d35ddc0e13d2d830fcf6d185171
ab8f0580cc0d74e0215e7de19515c8a6
55044ed5d04a20844fcedb17a3f5bb31
842d42bb052a77759c8f55d46021b2e0
a735ff10e359539181c1eca593091ee6
29250c34e78857b17ee2576f68757d01

Here, you can see the above data in a graphical format, at a glance:

Graphical Representation of Adhubllka Ransomware Domains

All the v2 Tor Onion links are defunct now.

RANSOM NOTE ANALYSIS

Here, we compare the ransom notes that the different variants dropped on victims’ computers.

2019 Variant

Attention!
All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

2022-23 Variants

Attention!
All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
Alternate communication channel here: https://yip.su/2QstD5

U2K Variant

Attention!
All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR.

TZW Variant

Attention!
All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR.

From the above ransom notes, it can be seen that the group changed their communication channel from v2 TOR onion URLs to v3 TOR URLs, as v2 onion domains were deprecated by the Tor community.

It is important to note that the additional sentence “The server with your decryptor is in a closed network TOR.” can only be seen in the 2 newer variants, TZW and U2K.
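As an added example, not part of the article or of NETENRICH’s tooling, the following Python script performs the same ransom-note comparison programmatically: it pulls the communication channels out of each note, tells v2 from v3 onion names by length (16 versus 56 base32 characters), maps a channel to the projects the article’s URL table associates with it, and reports which note lines are not shared by all variants. The four notes are the ones quoted above; CHANNEL_PROJECTS is a subset copied from the article’s “URLs used in each Ransomware Project” table, and the regular expressions and function names are my own.

```python
import re
from typing import Dict, List, Set, Tuple

# Ransom note texts as quoted in the article for the four variants.
NOTES: Dict[str, str] = {
    "2019": (
        "Attention!\n"
        "All your files, documents, photos, databases and other important files are encrypted\n"
        "The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.\n"
        "On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\n"
        "Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/"
    ),
    "2022-23": (
        "Attention!\n"
        "All your files, documents, photos, databases and other important files are encrypted\n"
        "The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.\n"
        "Alternate communication channel here: https://yip.su/2QstD5"
    ),
    "U2K": (
        "Attention!\n"
        "All your files, documents, photos, databases and other important files are encrypted\n"
        "The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.\n"
        "The server with your decryptor is in a closed network TOR."
    ),
    "TZW": (
        "Attention!\n"
        "All your files, documents, photos, databases and other important files are encrypted\n"
        "The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.\n"
        "The server with your decryptor is in a closed network TOR."
    ),
}

# v2 onion names are 16 base32 characters, v3 names are 56 (base32 = a-z, 2-7).
ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b")
# The shortener domain observed in the notes.
SHORTENER_RE = re.compile(r"https?://yip\.su/[A-Za-z0-9]+")

# Channel -> project names; subset of the article's URL table.
CHANNEL_PROJECTS: Dict[str, List[str]] = {
    "helpqvrg3cc5mvb3.onion": ["Bit"],
    "7rzpyw3hflwe2c7h.onion": ["Adhubllka", "Bit"],
    "mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad.onion": ["Lolkek"],
    "yip.su/2QstD5": ["MME", "OBZ"],
}


def onion_version(host: str) -> str:
    """Classify an .onion host as v2 or v3 by the length of its name."""
    name = host[: -len(".onion")]
    return {16: "v2", 56: "v3"}.get(len(name), "unknown")


def extract_channels(note: str) -> List[Tuple[str, str]]:
    """Return (channel, kind) pairs found in a note: onion hosts tagged
    v2/v3, and yip.su short links tagged 'shortener' (scheme stripped)."""
    channels: List[Tuple[str, str]] = []
    for m in ONION_RE.finditer(note):
        channels.append((m.group(0), onion_version(m.group(0))))
    for m in SHORTENER_RE.finditer(note):
        channels.append((m.group(0).split("://", 1)[1], "shortener"))
    return channels


def linked_projects(note: str) -> Set[str]:
    """Projects that share any channel found in the note."""
    projects: Set[str] = set()
    for channel, _ in extract_channels(note):
        projects.update(CHANNEL_PROJECTS.get(channel, []))
    return projects


def distinguishing_lines(notes: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each note line to the variants containing it, keeping only lines
    that are NOT common to every variant (the lineage-distinguishing ones)."""
    presence: Dict[str, Set[str]] = {}
    for variant, text in notes.items():
        for line in text.splitlines():
            line = line.strip()
            if line:
                presence.setdefault(line, set()).add(variant)
    return {line: who for line, who in presence.items() if len(who) < len(notes)}


if __name__ == "__main__":
    for variant, text in NOTES.items():
        print(variant, extract_channels(text), sorted(linked_projects(text)))
    for line, who in distinguishing_lines(NOTES).items():
        print(sorted(who), "->", line)
```

The `distinguishing_lines` call works on any set of collected notes, so the same script can flag a new sentence in a future rebrand; a note with no channel at all (as in U2K and TZW) simply yields an empty list, which is itself a useful observation about the variant.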

Additionally, the group used a URL shortener service to redirect to a Freshdesk ticketing site.

Expanding https://yip.su/2QstD5 leads to a Freshdesk support site, bit7.freshdesk.com.

FreshDesk Ticketing System from Archive

Upon investigating further, it was found that this link (bit7.freshdesk.com/support/tickets/) appeared on Pastebin on December 27th, 2019, and is used by U2K ransomware, a 2022 variant of Adhubllka ransomware.

Paste found about Ticketing Channel | Source: Pastebin

From this, it is evident that the newer Adhubllka variant U2K made use of the Freshdesk ticketing tool to communicate with its victims. This solidifies the fact that the Freshdesk ticketing tool was active for the last 3 years, though it is no longer available.

Checking the profile of Antex7 shows 3 pastes, where the other 2 pastes list the IP address 192.3.157.96:3306, which is associated with LimeRAT.

Record from AbuseCH

When the short URL yip.su/2QstD5 was loaded again at another time (2022), this message appeared:

Message display while loading yip.su/2QstD5 (in 2022)

This signifies that the threat actor maintains a direct line of communication with its victims via the email filessupport@cock.li (in case the TOR site goes down or the ticketing service gets canceled).

It is also important to note that this email address has been seen with multiple ransomware variants at different times, which strengthens the case that the threat actor(s) have been the same since 2019.

URLs used in each Ransomware Project
====================================
alcx6zctcmhmn3kx.onion: JOPE,DeathRansom
decrmbgpvh6kvmti.onion: DOCM
helpinfh6vj47ift.onion: DOCM
7rzpyw3hflwe2c7h.onion: Adhubllka, Bit
54fjmcwsszltlixn.onion: Bit
24cduc2htewrcv37.onion: Bit
helpqvrg3cc5mvb3.onion: Bit
mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion: MME, GlobeImposter XLS, Bit, Lolkek
mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad.onion: Lolkek
mrv44idagzu47oktcipn6tlll6nzapi6pk3u7ehsucl4hpxon45dl4yd.onion: Bit
yip.su/2QstD5: MME, OBZ

WHY ADHUBLLKA?

Adhubllka is chosen as the anchor point due to the large number of reports covering the same email address pr0t3eam@protonmail.com, which belongs to the ransomware group, and because the sample spotted in 2019 (MD5: 77d0a95415ef989128805252cba93dc2) is still relevant to the 2023 variant.

Moreover, DeathRansom’s note and contact emails (which contain the “death” keyword) are different from Adhubllka’s, even though in one scenario it uses Adhubllka as the extension after encrypting the files. But PCRisk confirmed that the group behind Adhubllka ransomware updated its version to one with TOR support, where the “.readme” extension is added to the encrypted files instead of Adhubllka. It is also notable that Lolkek samples also encrypt files with the “.readme” extension. Hence, we can classify them as Adhubllka variants.

NOTE: It could be considered LOLKEK ransomware, but as LOLKEK appeared after Adhubllka (comparing timelines), the roots are traced to the Adhubllka family.

In another instance, the older onion address alcx6zctcmhmn3kx.onion is associated with DeathRansom, which indirectly links to Adhubllka ransomware. The hash 860b89a4138f744adbe41cee1de0848f was identified in May 2019 and categorized as Adhubllka.

CONFUSION WITH GLOBEIMPOSTER

The above-discussed sample and other associated samples are often tagged as GlobeImposter ransomware, which appeared in 2016. Various sandbox engines still classify it as GlobeImposter due to the code re-usage match parameter.

An Example

But here, we cannot classify it as GlobeImposter, as the infection chain is different and the method of ransom negotiation also differs from the GlobeImposter scenario.

In the case of GlobeImposter, a large number of encrypted file extensions were used (instead of a single extension), and the emails/TOR domains used by those threat actors do not overlap with any current ransomware campaigns.

Even if they have changed their modus operandi by changing their toolset or improvising their method of Dark Web communication, we can still consider this the Adhubllka (DeathRansom) family, as the same observed tactic is ongoing and has not ended since 2019.

KEY POINTS

1. This ransomware strain targets individuals and small businesses and demands a ransom in the range of $800 to $1600 from each victim. This is evident from their previous variants.

2. Adhubllka has also been seen in various other cyber attack campaigns. The popular threat actor group TA547 used Adhubllka variants in campaigns targeting various sectors in Australia in 2020.

3. The malicious files of Adhubllka ransomware variants are commonly named with their MD5 or SHA256 hash, such as “MD5.vir” or “SHA256.bin”.

4. It can be assumed that this ransomware group has a Chinese nexus, as one of the infected filenames (䶲䶮䶴䷣䷭䷢䷡䷠䶳䷠䷟䷞䷆䷩䷢.exe) is in Mandarin. This solidifies that a Chinese group is making use of this ransomware. In this filename, we can see the threat actors used Yijing hexagram symbols to name the executable, which are native to China.

5. TZW is the latest variant (as of now) from the ADHUBLLKA ransomware family. It also uses the same portal for victims to communicate.

6. This ransomware has been active on the Dark Web for a long time, since before the release of version 3 onion URLs, as version 2 URLs were also used in their earlier infections.

7. Currently, this ransomware family has not announced any DLS (Data Leak Site) on the Dark Web, but once it gets a strong foothold, a DLS can be expected shortly and the ransom demand could double.

CONCLUSION

It is evident that this ransomware has been highly active since 2019, and a few changes can be observed by noting their v3 TOR domain names and other parameters.

There are various other names assigned to the same piece, such as ReadMe, MMM, MME, Lolkek, GlobeImposter2.0, etc., which all belong to the Adhubllka ransomware family.

In the future, the same ransomware might get rebranded under other names, or other groups might use it to launch their own campaigns. But as long as the threat actor does not change their mode of communication, all such cases can be traced back to the Adhubllka family.

ATTACK MATRIX TECHNIQUES

T1091: Replication Through Removable Media
T1055: Process Injection
T1036: Masquerading
T1562.001: Disable or Modify Tools
T1497: Virtualization/Sandbox Evasion
T1158: Hidden Files and Directories
T1027: Obfuscated Files or Information
T1406.002: Software Packing
T1056: Input Capture
T1124: System Time Discovery
T1518.001: Security Software Discovery
T1057: Process Discovery
T1120: Peripheral Device Discovery
T1083: File and Directory Discovery
T1082: System Information Discovery
T1080: Taint Shared Content
T1091: Replication Through Removable Media
T1560: Archive Collected Data
T1573: Encrypted Channel
T1090: Proxy
T1486: Data Encrypted for Impact

IOC

MD5 Hashes
==========
77d0a95415ef989128805252cba93dc2
e3f6878bcafe2463f6028956f44a6e74
2f121145ea11b36f9ade0cb8f319e40a
291bea114eb566d39f69d8c2af059548
e4e439fc5ade188ba2c69367ba6731b6
0f77484639b1193ad66e313040c92571
121f5beface8337c7105cc6a257a87ed
341c316be98f624f7321d198c5345bc9
1f640e3f37ec3b93c958c5910eb6a3e7
860b89a4138f744adbe41cee1de0848f
5990a32cddde5978959321237f9b0ee1
22dce5b7daed8cfb14aa9e8e7eed1d2f
43c89b8dc5f9cac3d143238ba74c9002
8ba537f8d00a73d6cc1cc5dffa566ed1
2c72015e22b53c215403979536bce826
e58b77e4de54b09be77c852436a904b6
fc9ca0a85e47088d25483dd47fba3244
d0c67160c740f62c25b0558e9563a824
5355cce5601f471579f6154708d87fd7
518a38b47292b1e809c5e6f0bb1858be
3e7591082b36244767c1b5393a44f846
71852d35ddc0e13d2d830fcf6d185171
ab8f0580cc0d74e0215e7de19515c8a6
55044ed5d04a20844fcedb17a3f5bb31
842d42bb052a77759c8f55d46021b2e0
1a7ddd5e16d0fc9c3969d1c63e5c6cda
a735ff10e359539181c1eca593091ee6
6953d6e1a2d8df8e0d2e76263e8b3115
29250c34e78857b17ee2576f68757d01
13d8c2f2cdf5f6208c3e999621019304
21dd14135e2dc4b22591ab35cf98b115
09d5701f1f4a6d50f9833fc78d3f2371
d14aab030b254bae3c6977c71cbc8a0b
a15419df02ffae775b6231dd77fd9c6f
ae3353674bf514175deda25b96496a83
de9d7afe742c551522bafb785c706f4f
0e5bd98bcf1ef9bef39f19f41e1aabfb
0148dc4f8a43b7fa1c31578f1a3c13bf
34b2b644c22861346ed07b4c7eeea7fb
da07dd4894c10fe94eba4f32ae4a57e6
957f3db87f8c9a1540269e6aa08c14b2
f1ab4f5cbf5fc72c4033699edadc4622
3dcb42c5e7545c629c30d501feb908d5
5f77cb5129da0751684b33dd4348b842

IP ADDRESSES
============
194.85.61.76
109.70.26.37
8.209.75.209
47.91.93.231
47.75.127.193
5.101.49.142
91.239.235.200
20.80.129.13
23.35.69.10
23.35.69.32
23.35.69.35
23.35.69.42
23.35.69.48
23.35.69.66
162.0.235.197
13.107.4.50
162.159.129.233
162.159.130.233
162.159.133.233
162.159.134.233
162.159.135.233
20.99.184.37
192.229.211.108
104.18.14.101
23.216.147.61
23.216.147.64
13.107.4.52
20.190.160.17
20.190.160.20
20.190.160.22
20.99.132.105
40.126.32.133
40.126.32.140
40.126.32.68
40.126.32.74
131.107.255.255
217.19.146.198
217.19.146.200
91.199.212.52
167.88.170.23
20.189.173.20
23.197.192.11
23.197.192.74
20.82.210.154

TOR DOMAINS
===========
mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion
mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad.onion
34vm2smykaqtzzzm4bgycfzg5fwyhhksrkpahdbiswmmuwuu7hmvuvqd.onion
obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion
u2kqti2utfaiefucegnmd6yh6hledbsfanaehhnnn3q5usk6bvndahqd.onion
tzw7ckhurmxgcpajx6gy57dkrys12sigfrt6nk4a3rvedfldigtor7ad.onion
7rzpyw3hflwe2c7h.onion
54fjmcwsszltlixn.onion
24cduc2htewrcv37.onion
decrmbgpvh6kvmti.onion
helpqvrg3cc5mvb3.onion
helpinfh6vj47ift.onion
mrv44idagzu47oktcipn6tlll6nzapi6pk3u7ehsucl4hpxon45dl4yd.onion

CONTACT EMAILS
==============
pr0t3eam@protonmail.com
filessupport@onionmail.org
filessupport@cock.li
rick5@xmpp.jp (Jabber)


Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.