The ransomware 7ev3n-HONE$T is a new version of an existing ransomware, 7ev3n, with a twist – a much lower ransom fee. Early this year, as reported in January by Graham Cluley, BleepingComputer and others, the original 7ev3n ransomware was spotted in the wild encrypting victims' files on Windows machines and demanding a rather steep ransom of 13 Bitcoins (around $5900 USD) in return for the decryption key. While this approach may have some success with the 1% in First Class, the malware authors clearly decided a more mass-market approach was needed for those in Economy. They've now given us 7ev3n-HONE$T with a ransom demand of a relatively modest 1 Bitcoin (about $450 at current exchange rates).
Analysis of 7ev3n-HONE$T
We start the analysis by uploading the dropper, or initial executable, which may be delivered via a malicious link on a compromised website or embedded in an Office document. The full analysis report is here. The executable starts a copy of itself with an unpacked section in a child process. This process sends a GET request to the web page httx://46.45.169.106/sellKfjmfokt5lm5v14kol1vj35/redirect.php and receives a Bitcoin address in the response.
From the dump of the network traffic we see that 17tqLx56d2vhE646Gcx8DvqYAb1dD7DU2H is the Bitcoin address provided.
After that it drops a new executable named conlhost.exe into the C:\Users\Public folder and starts it as a new child process. conlhost.exe is now the main executable, and it in turn starts an unpacked child process of itself. This process starts the encryption routine, a popup window that can't be closed, and a few more processes for cleanup.
Then it sends a GET request with the parameters:
RIGHTS=admin&WIN=77601&WALLET=17tqLx56d2vhE646Gcx8DvqYAb1dD7DU2H&ID=203711939025113012092911638711631259376&UI=888 to httx://46-45-169-106.turkrdns.com to register the new victim.
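The registration request above is the one network artifact a defender can reliably match on. The following is an added example (not part of the original analysis or of VMRay's tooling) that parses constructed proxy log lines of the form `<timestamp> <client_ip> <method> <url>`, recognises the wallet fetch from redirect.php and the victim registration by its parameter set, and extracts the wallet and victim ID for the alert. The request path used for the registration (`/`) and the log line format are assumptions; the hosts, URL path and parameter names are the ones given in the analysis.

```python
"""Match the 7ev3n-HONE$T C2 traffic described above in proxy logs (added example)."""
from urllib.parse import urlsplit, parse_qs

# Indicators from the analysis: C2 hosts and the parameter set of the registration request.
C2_HOSTS = {"46.45.169.106", "46-45-169-106.turkrdns.com"}
REGISTRATION_PARAMS = {"RIGHTS", "WIN", "WALLET", "ID", "UI"}

# Constructed sample proxy log (not real captured traffic): "<ts> <client_ip> <method> <url>".
# The "/" path on the registration request is an assumption; the analysis only names the host.
SAMPLE_LOG = """\
2016-05-02T10:01:12Z 10.0.0.15 GET http://46.45.169.106/sellKfjmfokt5lm5v14kol1vj35/redirect.php
2016-05-02T10:01:40Z 10.0.0.15 GET http://46-45-169-106.turkrdns.com/?RIGHTS=admin&WIN=77601&WALLET=17tqLx56d2vhE646Gcx8DvqYAb1dD7DU2H&ID=203711939025113012092911638711631259376&UI=888
2016-05-02T10:02:05Z 10.0.0.22 GET http://example.org/index.html?ID=5
"""


def parse_line(line):
    """Split one log line into its fields and decompose the URL into host, path and query params."""
    ts, client, method, url = line.split(maxsplit=3)
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"ts": ts, "client": client, "method": method,
            "host": parts.hostname, "path": parts.path, "params": params}


def classify(entry):
    """Return a verdict for a parsed entry, or None when the host is not a known C2."""
    if entry["host"] not in C2_HOSTS:
        return None
    if REGISTRATION_PARAMS <= set(entry["params"]):
        return "victim-registration"      # second stage: victim registered with wallet and ID
    if entry["path"].endswith("/redirect.php"):
        return "wallet-fetch"             # first stage: dropper asks for a Bitcoin address
    return "c2-contact"                   # any other contact with the C2 host


def scan(log_text):
    """Run the classifier over every non-empty log line and collect alerts with extracted fields."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        verdict = classify(entry)
        if verdict is None:
            continue
        alerts.append({
            "ts": entry["ts"],
            "client": entry["client"],
            "verdict": verdict,
            "wallet": entry["params"].get("WALLET"),
            "victim_id": entry["params"].get("ID"),
            "rights": entry["params"].get("RIGHTS"),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Matching on the full parameter set rather than the host alone means the rule keeps working if the operators move the registration endpoint to a new domain; the host match still catches the earlier wallet fetch, which happens before any file is encrypted.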
While the encryption is running, the cleanup process starts a command to run the del.bat script.
This script deletes the first running 7ev3n-HONE$T executable and then the script itself. We then take a look at the process graph, where we can see that in the last step two instances of reg.exe are started.
The reg.exe process provides persistence (in other words, ensures the ransomware stays installed and runs after a reboot of the machine). A registry key is added that starts conlhost.exe on every Windows start. Another registry key is added to mark the system as encrypted.
The permanent popup window gives you step-by-step instructions on how to pay:
The VIEW button shows you what files are encrypted at this point, the TEST DECRYPTION button is for a test decryption on 3 to 5 random files and the last button HOW TO PAY is self-explanatory. The encryption routine encrypts files very rapidly with a speed of up to 7GB/hour. If a file is encrypted the filename changes to an ascending number with the suffix R5A, for example A01.R5A. This indicates that the encryption is probably RSA. The authors helpfully provide links to some relevant reading, including a New York Times article on How my mom got hacked.
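The two host-side artifacts described above, the registry entry that launches conlhost.exe from C:\Users\Public at every start and the renamed files carrying the .R5A suffix, are what an incident responder checks for on a suspect machine. The following is an added example (not code from the original analysis or from VMRay) that runs those checks over constructed data: a dictionary of Run-key values and a list of file paths. It assumes the persistence entry lives in a standard Windows Run key (the analysis only says a key is added that starts conlhost.exe) and that encrypted names follow the page's example A01.R5A, i.e. letters or digits followed by the .R5A suffix.

```python
"""Host-side triage for the 7ev3n-HONE$T artifacts described above (added example)."""
import re
from pathlib import PureWindowsPath

# Indicators from the analysis: dropped binary and the folder it is dropped into.
DROPPED_BINARY = "conlhost.exe"
DROP_DIR = PureWindowsPath(r"C:\Users\Public")

# Assumption: encrypted files are renamed like the page's example "A01.R5A".
ENCRYPTED_NAME = re.compile(r"^[A-Z0-9]+\.R5A$", re.IGNORECASE)

# Constructed sample data (not taken from a real system). The Run-key dictionary stands in for
# the values read from HKCU/HKLM ...\CurrentVersion\Run; which key the malware uses is an assumption.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "conlhost": r"C:\Users\Public\conlhost.exe",
}
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\A01.R5A",
    r"C:\Users\alice\Documents\A02.R5A",
    r"C:\Users\alice\Documents\A03.R5A",
    r"C:\Users\alice\Documents\notes.txt",
]


def exe_from_command(cmd):
    """Extract the executable path from a Run-value command line (quoted or bare first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return PureWindowsPath(cmd[1:].split('"', 1)[0])
    return PureWindowsPath(cmd.split(" ", 1)[0])


def suspicious_run_entries(run_values):
    """Names of Run values that launch conlhost.exe from C:\\Users\\Public (case-insensitive)."""
    hits = []
    for name, cmd in run_values.items():
        exe = exe_from_command(cmd)
        if exe.name.lower() == DROPPED_BINARY and exe.parent == DROP_DIR:
            hits.append(name)
    return hits


def encrypted_file_ratio(file_paths):
    """Fraction of the sampled files whose name matches the .R5A rename pattern."""
    if not file_paths:
        return 0.0
    matched = sum(1 for p in file_paths if ENCRYPTED_NAME.match(PureWindowsPath(p).name))
    return matched / len(file_paths)


def triage(run_values, file_paths, threshold=0.5):
    """Combine both checks into a list of findings; an empty list means nothing was found."""
    findings = []
    hits = suspicious_run_entries(run_values)
    if hits:
        findings.append(f"persistence: Run value(s) {hits} launch {DROPPED_BINARY} from {DROP_DIR}")
    ratio = encrypted_file_ratio(file_paths)
    if ratio >= threshold:
        findings.append(f"encryption: {ratio:.0%} of sampled files carry the .R5A suffix")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN_VALUES, SAMPLE_FILES):
        print(finding)
```

On a live Windows host the two inputs would come from enumerating the Run keys with winreg and walking the user's document folders; the ratio check is deliberately tolerant of a few stray matches so that a single oddly named file does not trigger it, while a directory that is mostly .R5A files does.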
Threat Identifier (VTI) Result
Our VMRay Threat Identifier (VTI) engine identifies this new ransomware (first seen at the end of April) as clearly malicious. We can see from the severity score details that page allocation, code injection and persistence, amongst other observed attributes, contribute to the high score.
Related links
http://www.vmray.com/analyses/3190115/report/overview.html
https://blog.botfrei.de/2016/04/ransomware-7ev3n-honet-verschluesselt-und-erweitert-ihre-dateien-mit-r5a/
http://www.nyxbone.com/malware/7ev3n-HONE$T.html
http://www.nytimes.com/2015/01/04/opinion/sunday/how-my-mom-got-hacked.html?_r=0
https://virustotal.com/de/file/575e6fa02a54b9e3cd5977a66d09cf0e841d6efbe59be334056cf8fe8613194a/analysis/