On the back of an upswing in Ransomware activity, we decided to carry out an in-depth analysis of Ghost Ransomware. Interesting fact about this malware is that it uses multiple components to encrypt user files.
Technical Analysis :
Main malware executable (Ghost.exe) is compiled using the DotNet Framework. The infection vector of this ransomware is still unknown, but this file may arrive on the victim’s machine via spam emails, malvertising, bundled with other files, etc. It uses an icon of the spreadsheet to deceive the user to think he has received an invoice/quotation etc.
Initially, Ghost.exe queries “www.12312312eewfef231.com”. This domain is not registered, but if it is registered then it can work as a kill switch as it performs its malicious activity in the catch for the exception as shown in Fig. 1.
Ghost.exe drops an executable GhostService.exe at location “%appdata%\Ghost” on the victim’s machine. It also creates a bat file (Ghost.bat) in Ghost folder and executes it. Ghost.bat creates a service with display name as“Ghost”, binpath as“%appdata%\Ghost\GhostService.exe” and start mode as “auto” as shown in Fig. 2. Due to auto mode, malware service will be auto-started on every system startup.
Once the service is successfully registered Ghost.exe starts “Ghost” service as shown in Fig. 4.
GhostService.exe creates a .txt file named “Do_Not_Delete_codeId.txt” at the root of“C” drive with Code ID as a content. This Code ID is randomly generated as shown in Fig. 5.
Now it calls a function “startProcess” to drop components at the root of “C” drive.
As shown in Fig. 6, GhostService.exe drops below components:
After dropping the components, it runs GhostForm.exe. Then it calls a function “Database” to stop MSSQLSERVER service and encrypt files in “Microsoft SQL Server” folder.
It has a list of file extensions which are to be encrypted as shown in Fig. 9.
Also, it calls a function “datosC” that encrypts files present only at the root of “C” drive.
GhostService.exe maintains a timer which repeats these tasks after every 120 seconds.
GhostForm.exe displays a Ransom note. It also maintains a timer, after every 120 seconds it closes the Ransom note.
Code ID in ransom note is same as one written to C:\Do_Not_Delete_codeId.txt.
As seen in Fig. 12 malware author demands Bitcoin worth 500 USD to be paid to the following address : https://blockchain.info/payment_request?address=1N7AmqH12EN3yAkVMPB5rZoVX758jgLbzj&amount_local=500¤cy=USD&nosavecurrency=true&message=Pay%20me!
Next, it calls a function “startEncrypt” to create a list of files present in the following folders :
As seen in the above list, malware encrypts the files at some specific locations only. It has targeted Desktop folder where the user usually keeps most of their data. Also, Document, Pictures, Videos, and Music are folders provided by Windows OS to store respective type of files.
Functions to get the list of files from above-mentioned folders are present in GhostFile.dll.
The malware creates a list of files based on extensions present in the extension list as shown in Fig. 20. Once the list of files is ready, encryption routine is called from GhostHammer.dll. Files are encrypted using AES algorithm and “.Ghost”extension is added to encrypted files.
Difference between the 2 extension list is “.txt” files are not encrypted by GhostService whereas they are encrypted by GhostForm.exe.
Quick Heal products detects these malware with below names :
We have seen the ransomware count to have significantly increased in recent times. Malware authors have started using different techniques to encrypt user files.
Some general recommendations to stay safe from Ransomware :
Subject Matter Expert:
Ravi Gidwani | Quick Heal Security Labs