Beware of the Armage Ransomware – the File Destroyer!

In July last week, Quick Heal Security Labs detected a new ransomware called Armage. It appends ‘.Armage’ extension to files it encrypts.

Armage ransomware uses the AES-256 encryption algorithm to encode files making them inoperable. It spreads via spam emails and corrupted text files.

Technical analysis

Once executed on the infected computer, Armage ransomware opens the command line message narrating the encryption algorithm it has used. See fig 1.

Fig 1. Command line prompt

The ransomware does not drop any artifact to perform the malicious activity or to encrypt data. The entire malicious activity (encryption) is carried out by the mother file itself.

After invading, the ransomware searches for the first file alphabetically to encrypt the data using Windows API FindFirstFileA as shown in fig 2 and to find the next file it has used FindNextFileA API as shown in fig 3.

Fig.2 FindFirstfileA API is used.

Fig 3. FindNextFileA API is used to find the files recursively

After encrypting the data from the folder, Armage drops ‘Notice.txt’ – a ransom note mentioning the ransom to be paid with other details. Further, the ransomware drops ‘Notice.txt’ in all the folders wherever data is encrypted.

Fig.4 Code used to create a new file ‘Notice.txt’

Fig 5. Code used to show details to the victim

The ransom note also mentions the below.

‘Your files was encrypted using AES-256 algorithm. Write me to e-mail: armagedosevin@aol.com to get your decryption key.’

As per the PE file analysis, we have found that ransomware injects itself into the processes that run with the administrative privileges so that it can delete shadow copies using command ‘vssadmin delete shadows /all.

This command executes the vssadmin.exe utility and deletes all copies quietly. Fig 5 below shows the code used to delete the shadow copies.

Fig 6. Code used to delete the shadow copies

Below are the API’s used by ransomware to encrypt the data.

Fig 7. API’s used to encrypt the files

The ransomware encrypts all PE and Non-PE files with ‘.armage’ extension as shown below.

Fig 8. Encrypted files with ‘.armage’ extension

How Quick Heal protects its users from the Armage ransomware

Quick Heal successfully blocks Armage with the following multilayered protection layers:

• Virus Protection
• Behavior-based Detection
• Anti-Ransomware

Fig 9. Behavior detection system blocks the malware.

Fig 10. Anti-Ransomware tool also blocks the malware

How to stay safe from ransomware attacks

• Always take a backup of your important data in external drives like HDD and pen drives. Consider using a reliable Cloud service to store the data.
• Never install any freeware or cracked versions of any software.
• Do not open any advertisement pages shown on websites without knowing that they are genuine.
• Disable macros while using MS Office.
• Update your antivirus to protect your system from unknown threats.
• Never click on links or downloads attachments in emails from unexpected, unknown or unwanted sources.

Indicators of compromise

• SHA256 :67697dcd8493f287a880cff6165b903bfe1daf3b55814e90de879cd1fb8df004

Subject Matter Experts

Poonam Dongare, Priyanka Dhasade, Shashikala Halagond, Manish Patil, Shivani Mule | Quick Heal Security Labs

Shriram Munde