Paladion's Cyber Labs recently discovered the DogHousePower ransomware that specifically targets web servers and database servers running on the Windows Server operating system, and it was interesting to see that it was hosted on GitHub.
We made many interesting observations on DogHousePower within our labs including Python PyInstaller being utilised for creating the ransomware, fully-encrypted payload (wo_crypted), windows event logs being cleared (but did not show up in the sandbox results), and no network activity. The rise of Python-based malwares could be attributed to the ease of coding it and for its cross-platform nature.Ransomware Analysis
Initially we analysed the ransomware binary ‘2.exe' using a Hybrid Analysis VxStream Sandbox and a Windows virtual machine. We observed that the struts_pwn attack tool targets vulnerability (CVE-2017-5638) in Apache Struts 2, delivering the ransomware payload using Microsoft PowerShell, which downloads and spreads the ransomware further. We called the Ransomware DogHousePower for the file-extension it uses for encrypted files.Demand for Ransom
The ransom request file had partial messages in Chinese, which could have been inserted to misdirect victims and analysts on the origins of the message. However, the ransom amount was requested in bitcoins equivalent to 5000 yuan, which might suggest that the DogHousePower ransomware was directed to an Asian population or that it originated from there.
According to the note, victims had three days to pay bitcoins worth 5000 yuan to the mentioned address. The attackers stated that the price can be negotiated, and that if the victims took more than 3 days they need to pay 6000 yuan, or if they take more than 7 days they need to pay 7000 yuan - all in Zcash. The message also warned that if payment is not received within 13 days files will not be decrypted.
To get the files decrypted after the payment is made, a contact email address (atlantis[.]cf[@]yandex[.]com) was provided with instructions to send payment, screen shot, and ID. The attackers said that the files will be decrypted via email and that each email should not exceed 10mb.
The instructions included supported languages English, Russian, Spanish and Chinese, and provided instructions on buying bitcoins in China.
A note from the attacker also said that they are being considerate in allowing users to access Windows, Documents, and Settings as usual.Ransomware Family
When researching on the email address and the ZCash account that was on the ransom text file, and various other patterns from the DogHouseRansomware itself, we found the this ransomware could have been developed from the same family of ransomwares as the ‘.BELGIAN_COCOA', ‘.MyChemicalRomance4EVER', ‘LambdaLocker', ‘Pickles' and ‘CryPy' ransomwares.Stay Protected
The ransomware targets a known vulnerability - CVE-2017-5638 in Apache Struts 2. Organisations should immediately patch the vulnerability to stay protected. We will make more updates on this in the coming days.
The views expressed in this article are Shyaam Sundhar's own opinions and not necessarily those of ITP.Net.