Python-based ransomware with potential cross-platform capabilities
Paladion’s Cyber Labs discovered the DogHousePower ransomware, which specifically targets web servers and database servers running the Windows Server operating system; interestingly, it was hosted on GitHub. In our labs we made several notable observations about DogHousePower: the ransomware was built with Python's PyInstaller, the payload was fully encrypted (wo_crypted), the Windows event logs were cleared (although this did not show up in the sandbox results), and there was no network activity or post-compromise communication. The rise of Python-based malware can be attributed to the ease of writing it and to its cross-platform nature.
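Two triage checks for the observations above, written here as an added example rather than code from Paladion's analysis or from the ransomware itself. The first parses the archive cookie that PyInstaller appends to every executable it builds (magic, archive length, table-of-contents offset and length, Python version and Python DLL name, in the PyInstaller 2.1+ layout), which is how an analyst confirms a PyInstaller build and learns which Python version to unpack it with. The second hunts exported Windows event records for Security event 1102 (audit log cleared) and System event 104 (another log cleared), the records that survive when an attacker clears the logs the way the sample did. The sample binary and event records are constructed, and the cookie layout and version encoding are assumptions about PyInstaller's archive format.

```python
"""Triage checks for a PyInstaller-built sample and for event-log clearing.
Added example; the sample bytes and event records below are constructed."""
import struct
from typing import Dict, List, Optional

# Magic at the start of the PyInstaller CArchive cookie ("MEI\014\013\012\013\016").
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Assumed PyInstaller 2.1+ cookie layout (big-endian): magic, archive length,
# TOC offset, TOC length, Python version, Python library name.
COOKIE_FORMAT = "!8siiii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def _decode_pyvers(pyvers: int) -> str:
    """PyInstaller stores major*10+minor (27, 36) in older releases and
    major*100+minor (308, 311) in newer ones; handle both (assumption)."""
    if pyvers >= 100:
        return f"{pyvers // 100}.{pyvers % 100}"
    return f"{pyvers // 10}.{pyvers % 10}"


def find_pyinstaller_cookie(data: bytes) -> Optional[Dict[str, object]]:
    """Return the parsed cookie if `data` carries a PyInstaller archive, else None.
    The cookie sits at the end of the archive, so search backwards from the tail."""
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, length, toc_pos, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE])
    return {
        "archive_length": length,
        "toc_offset": toc_pos,
        "toc_length": toc_len,
        "python_version": _decode_pyvers(pyvers),
        "python_library": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


# (log name, event ID) pairs written by the Eventlog service when a log is cleared.
LOG_CLEARED = {("Security", 1102), ("System", 104)}


def find_log_clears(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the records that indicate an event log was cleared.
    Each record needs at least 'log' and 'event_id' keys, as you would get
    from a Get-WinEvent or wevtutil export converted to dicts."""
    return [r for r in records if (r["log"], r["event_id"]) in LOG_CLEARED]


# Constructed sample: NOT the real 2.exe. An MZ stub, filler, and a cookie
# claiming Python 2.7 / python27.dll, as a PyInstaller 2.x build would carry.
SAMPLE_EXE = (b"MZ\x90\x00" + b"\x00" * 256
              + struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC,
                            1024, 900, 120, 27, b"python27.dll"))

# Constructed sample of exported event records around a log clear.
SAMPLE_EVENTS = [
    {"log": "System", "event_id": 7036, "provider": "Service Control Manager"},
    {"log": "Security", "event_id": 4688, "provider": "Microsoft-Windows-Security-Auditing"},
    {"log": "Security", "event_id": 1102, "provider": "Microsoft-Windows-Eventlog"},
    {"log": "System", "event_id": 104, "provider": "Microsoft-Windows-Eventlog"},
]

if __name__ == "__main__":
    print(find_pyinstaller_cookie(SAMPLE_EXE))
    print(find_pyinstaller_cookie(b"MZ\x90\x00" * 64))  # no cookie: None
    for rec in find_log_clears(SAMPLE_EVENTS):
        print("log cleared:", rec)
```

Clearing a log does not remove the 1102/104 record that the clear itself generates, which is why the second check still works on a host where the attacker has wiped everything else; on a live system the equivalent query is `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102}`. A sandbox that only reports process and network behaviour will not surface this, which matches the observation above that the clearing did not show up in the sandbox results.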
This paper describes the steps DogHousePower takes to fully compromise the affected host, its demand for ransom, and how it might expand into a cross-platform implementation in the near future.
Initially we analyzed the ransomware binary “2.exe” in the Hybrid Analysis VxStream sandbox and in a Windows virtual machine. We observed that the struts_pwn attack tool exploits CVE-2017-5638 in Apache Struts 2 and delivers the ransomware payload through Microsoft PowerShell, which downloads the ransomware and spreads it further. We named the ransomware DogHousePower after the file extension it appends to encrypted files.
Demand for Ransom
The ransom note contained partial messages in Chinese, which may have been inserted to misdirect victims and analysts about the origin of the message. However, the ransom was demanded in bitcoin equivalent to 5000 yuan, which might suggest that DogHousePower was directed at an Asian population or originated there.
According to the note, victims had three days to pay bitcoin worth 5000 yuan to the listed address. The attackers stated that the price was negotiable, that victims who took more than 3 days would have to pay 6000 yuan, and that those who took more than 7 days would have to pay 7000 yuan, all in Zcash. Finally, it warned that if payment was not received within 13 days the files would not be decrypted.
To have the files decrypted after payment, a contact email address (atlantis[.]cf[@]yandex[.]com) was provided with instructions to send the payment, a screenshot, and the victim's ID. The attackers said that the files would be decrypted via email and that each email must not exceed 10 MB.
The instructions listed the supported languages (English, Russian, Spanish, and Chinese) and explained how to buy bitcoin in China.
The note also claimed that the attackers were being considerate by leaving Windows, Documents, and Settings accessible as usual.
Researching the email address and the Zcash address from the ransom note, together with various other patterns in DogHousePower itself, we found that this ransomware could have been developed from the same family as the “.BELGIAN_COCOA”, “.MyChemicalRomance4EVER”, “LambdaLocker”, “Pickles” and “CryPy” ransomware.
The ransomware targets a known vulnerability, CVE-2017-5638 in Apache Struts 2. Organizations should immediately patch Apache Struts 2 against it to stay protected. We will post more updates on this in the coming days.
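Two checks for the initial-access vector described in the analysis and the patch advice above, added here as example code that is not part of Paladion's write-up or of the struts_pwn tool. CVE-2017-5638 is triggered by OGNL smuggled into request headers that the Jakarta multipart parser echoes into an error message (Content-Type in the original S2-045 report; Content-Disposition and Content-Length in the S2-046 variant under the same CVE), so the first function flags requests whose headers carry OGNL expression markers. The second decides from a struts2-core jar file name whether a deployment is still in the vulnerable range (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1), which is the check behind "patch immediately". The sample requests are constructed, the OGNL in the probe is deliberately truncated, and the host name is a placeholder.

```python
"""Detection and exposure checks for CVE-2017-5638 (Apache Struts 2 S2-045/S2-046).
Added example; the sample requests below are constructed, not captured traffic."""
import re
from typing import Dict, Optional

# Headers abused by CVE-2017-5638: Content-Type (S2-045) plus
# Content-Disposition and Content-Length (S2-046 variant, same CVE).
TARGET_HEADERS = ("content-type", "content-disposition", "content-length")

# Tokens that never belong in those headers on a legitimate request but
# appear in OGNL injection attempts.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|@ognl\.|@java\.lang\.|#context\b",
    re.IGNORECASE,
)


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP request into a lowercase-key dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if not line:                        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def ognl_injection_header(headers: Dict[str, str]) -> Optional[str]:
    """Return the name of the first header carrying OGNL markers, or None if clean."""
    for name in TARGET_HEADERS:
        if OGNL_MARKERS.search(headers.get(name, "")):
            return name
    return None


JAR_NAME = re.compile(r"struts2-core-(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?\.jar$")


def in_cve_2017_5638_range(jar_name: str) -> Optional[bool]:
    """True if the struts2-core jar is in the affected range from the Struts
    advisory (2.3.5-2.3.31, 2.5-2.5.10), False otherwise, None if the name is
    not a struts2-core jar. Versions below the range are unsupported and should
    be upgraded regardless."""
    m = JAR_NAME.match(jar_name)
    if not m:
        return None
    version = tuple(int(g or 0) for g in m.groups())  # (major, minor, patch, sub)
    return ((2, 3, 5, 0) <= version <= (2, 3, 31, 0)
            or (2, 5, 0, 0) <= version <= (2, 5, 10, 0))


# Constructed sample requests. The host name is a placeholder and the OGNL in
# the probe is truncated; only its shape matters to the check.
LEGIT_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: struts.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\r\n"
    "Content-Length: 4096\r\n"
    "\r\n"
)
S2_045_PROBE = (
    "POST /struts2-showcase/index.action HTTP/1.1\r\n"
    "Host: struts.example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#_memberAccess=...)}\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_UPLOAD), ("probe", S2_045_PROBE)):
        print(label, "->", ognl_injection_header(parse_request_headers(raw)))
    for jar in ("struts2-core-2.3.31.jar", "struts2-core-2.3.32.jar",
                "struts2-core-2.5.10.1.jar", "commons-io-2.4.jar"):
        print(jar, "->", in_cve_2017_5638_range(jar))
```

Ordinary access logs do not record Content-Type, so the header check needs a source that does (reverse proxy or WAF logs, a full-request capture, or the Struts error page itself); a request whose Content-Type starts with `%{` has no legitimate explanation and is worth alerting on by itself. The version check is deliberately conservative: it reports only what the advisory lists as affected, so a jar below 2.3.5 comes back False even though it is end-of-life and should still be upgraded.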