In July last week, Quick Heal Security Labs detected a new ransomware called Armage. It appends ‘.Armage’ extension to files it encrypts.
Armage ransomware uses the AES-256 encryption algorithm to encode files making them inoperable. It spreads via spam emails and corrupted text files.
Once executed on the infected computer, Armage ransomware opens the command line message narrating the encryption algorithm it has used. See fig 1.
Fig 1. Command line prompt
The ransomware does not drop any artifact to perform the malicious activity or to encrypt data. The entire malicious activity (encryption) is carried out by the mother file itself.
After invading, the ransomware searches for the first file alphabetically to encrypt the data using Windows API FindFirstFileA as shown in fig 2 and to find the next file it has used FindNextFileA API as shown in fig 3.
Fig.2 FindFirstfileA API is used.
Fig 3. FindNextFileA API is used to find the files recursively
After encrypting the data from the folder, Armage drops ‘Notice.txt’ – a ransom note mentioning the ransom to be paid with other details. Further, the ransomware drops ‘Notice.txt’ in all the folders wherever data is encrypted.
Fig.4 Code used to create a new file ‘Notice.txt’
Fig 5. Code used to show details to the victim
The ransom note also mentions the below.
‘Your files was encrypted using AES-256 algorithm. Write me to e-mail: firstname.lastname@example.org to get your decryption key.’
As per the PE file analysis, we have found that ransomware injects itself into the processes that run with the administrative privileges so that it can delete shadow copies using command ‘vssadmin delete shadows /all.
This command executes the vssadmin.exe utility and deletes all copies quietly. Fig 5 below shows the code used to delete the shadow copies.
Fig 6. Code used to delete the shadow copies
Below are the API’s used by ransomware to encrypt the data.
Fig 7. API’s used to encrypt the files
The ransomware encrypts all PE and Non-PE files with ‘.armage’ extension as shown below.
Fig 8. Encrypted files with ‘.armage’ extension
How Quick Heal protects its users from the Armage ransomware
Quick Heal successfully blocks Armage with the following multilayered protection layers:
Fig 9. Behavior detection system blocks the malware.
Fig 10. Anti-Ransomware tool also blocks the malware
How to stay safe from ransomware attacks
Indicators of compromise
Subject Matter Experts
Poonam Dongare, Priyanka Dhasade, Shashikala Halagond, Manish Patil, Shivani Mule | Quick Heal Security Labs