Cooking Up Autumn (Herbst) Ransomware

Fortiguard’s behavior-based system designed to identify new malware has detected a German targeted ransomware. We named it Herbst, a German word which in English means Autumn. 

Ransom Note

The Herbst ransom note appears in German in a dedicated window from its own running process. It demands that a ransom be paid in bitcoin. We have also been able to determine the bitcoin address. Ransome note details are listed below:

File encryption: AES 256 bit

Ransom Price: 0.1 Bitcoin or approximately USD $53.80 as of today.

Bitcoin Address: 18uM9JA1dZgvsgAaeeW2XZK13dTbk1jzWq

Figure 01: Ransom Note

Key Preparation

The key is prepared by concatenating two random numbers from 0 to 99999999. Next, it concatenates strings in random positions from the text variable, text.length times, as seen below. This key is hashed later and used as the AES key.

Figure 02: Key Preparation Function

Targeted Directories

After preparing the key, Herbst proceeds to enumerate files from the StartupPath. It encrypts all kinds of files in this directory, as shown by “*.*”.

It encrypts file in the following special folders:

Desktop, MyPictures, MyMusic, and Personal

Figure 03: File Enumeration

Encrypted File

The ransomware encrypts files and appends the extension to .herbst.

Figure 04: Encrypted File Sample

File Encryption

The encryption starts by reading the file and calling the function AES_Encrypt.

Figure 05: Encryption Function

The malware then proceeds to hash the key generated from the previous function, and this is used as the AES key for encrypting the files. After the file is encrypted with AES 256 bit, the malware then converts it to Base64String. 

Figure 06: AES Encryption Function

Figure 07: File Structure Before and After Encryption

Unfinished Business

This malware, written in C#, shows it’s unfinished because it has the following functions, but never calls them in the main function:

• Encrypt – believed to be the function in encrypting the AES key used before sending to the Command and Control (C&C.)
  
• Unlock – believed to be the decryption of the incoming traffic from the C&C.
  
• Http – believed to be used to send and receive encrypted messages to the C&C.
  

Figure 08: Malware Functions

Yes, the malware encrypts files and shows the decryption note; however ,it doesn’t send the AES key used to its C&C, and doesn’t verify the transaction ID when used in the ransom window, making this an unfinished ransomware.

Conclusion

Our analysis shows that cybercriminals could be cooking a ransomware targeting a German audience. From the analysis, we conclude that Herbst is a beta version which is still under development. The malware doesn’t provide any details on its C&Cs because it doesn’t call the HTTP function. We speculate that this version could just be a test to check AV vendors’ ability to detect it without giving away their C&C. 

Fortiguard will continue to monitor Herbst future activities and developments.

File detection: W32/Herbst.A!tr

SHA256: 18605f7a5a47ac16f722e3ec8a42121035bb95f731aaad5090c5e11104fc3185

-=FortiGuard Lion Team=-