Ransomware Roundup: Bisamware and Chile Locker

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within the OSINT community and our datasets. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This latest edition of the Ransomware Roundup covers the Bisamware and Chile Locker ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High

Bisamware Ransomware

Bisamware is a Windows-focused ransomware reportedly being distributed through Microsoft Word files designed to exploit CVE-2022-30190. This vulnerability is in Microsoft Support Diagnostic Tool (MSDT) and abuses the MSDT URI scheme to download and run a malicious payload. CVE-2022-30190 was given the nickname “Follina” because the Word files exploit the vulnerability reference "0438", an area code for the Follina municipality in Italy. FortiGuard Labs released an Outbreak Alert and Threat Signal for CVE-2022-30190 at the end of May 2022.

Once executed, Bisamware ransomware will encrypt files on a compromised machine and add a “.BISAMWARE” ransomware extension to affected files.

Due to an apparent bug in the malware code, files in some directories are not removed after being encrypted by the ransomware.

It leaves a ransom note named “SYSTEM=RANSOMWARE=INFECTED.txt” that directs victims to contact the attacker through a chat room on TOR and purchase a decryption key. At the time of this writing, the TOR site was not accessible.

Chile Locker

Chile Locker is a recently reported ransomware. Chile's CSIRT team issued an alert about this variant at the end of August 2022, stating it had affected a government service in Chile on August 25^th. Despite the warning, Chile Locker variants were subsequently submitted to VirusTotal from Canada, Mexico, Romania, China, the UK, Spain, Uruguay, Netherland, Russia, Poland, Malaysia, and the U.S., which indicates that the ransomware attacker did not specifically target Chile.

Chile Locker encrypts files on a compromised machine and adds a “.crypt” extension to the affected files. The ransomware avoids encrypting files that have the following file extensions:

• .blf
• .regtrans-ms
• .library-ms
• .sys
• .tmp
• .log
• .LOG
• .log.tmp
• .exe
• .bat
• .msi
• .dll
• .ini
• .crypt

It also drops a ransom note in “readme_for_unlock.txt”. While we have been unable to get the ransomware to generate a ransom note, it reportedly demands the victim either contact or reach a deal with the attacker within three days through a Tor site operated by the attacker. The site requires a password included in the ransom note for login.

The ransomware also deletes any shadow copies of the infected machine, inhibiting the ability of victims to recover files.

Fortinet Protections

Fortinet customers are already protected from these malware variants through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:

FortiGuard Labs detects known Bisamware ransomware variants with the following A.V. signature:

• W64/Bisamware.A!tr.ransom

FortiGuard Labs detects known Chile Locker ransomware variants with the following A.V. signatures:

• W32/Agent.BNQ!tr.ransom
• W64/Agent.BNQ!tr.ransom
• BAT/Starter.8E92!tr
• PossibleThreat.PALLASNET.H

IOCs

Bisamware

• 3758900465a0bbb5ce4eab1a5c981a7c35b8334427f606ab722223e2b2dacc73
• 1dfd69bff31a23a5f3660b9cfbd01bb6ef0ebae8cc3e7ed966fcc5c6a2ee3af4
• d30080f2fca1d0e8e62aa66bc51dfa96ef8fda1d3ec09eefb9e4afe6cd39e4f4
• 26ed1ffe74abd8a5f62d4f3b341a62ebb1a04d43e7ab9d64b9d283e184b35fd4

Chile Locker

• 39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d
• ac73234d1005ed33e94653ec35843ddc042130743eb6521bfd3c32578e926004
• 32708c5d376f130b48bf3bd706879c1945a2d701036d94e25aceea41a4042052
• 39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d
• b14cde376a8a7a9d7ad34cdfd07108c132ad8be7f60c5c0a0f17b6b63eb28b49
• ae8404687906b0d66394f70223660c4981054fed71ad570b2fd45ea663cb3ddc
• e1f01b2c624f705cb34c5c1b6d84f11b1d9196c610f6f4dd801a287f3192bf76
• 5634e4e97a71930c574b80e50ee479ab782b6888f5af31c7e7529fa651377f50

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact to an organization's reputation, and the unwanted destruction or release of personally identifiable information (PII), etc. due to a successful ransomware attack, it is vital to keep all A.V. and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should also consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

To effectively deal with the evolving and rapidly expanding risk of ransomware, many organizations need to make foundational changes to the frequency, location, and security of their data backups.

When coupled with potential digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions should all be investigated to minimize risk and reduce the impact of a successful ransomware attack. These include SASE to protect off-network devices, advanced endpoint security such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack, and Zero Trust Access and network segmentation strategies that can restrict access to applications and resources based on policy and context

As part of the industry's first fully integrated Security Fabric, delivering native synergy and automation across your entire security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity professionals to provide expertise and fill detection, response, and analysis gaps in existing security teams and deployments.

Best Practices include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help if You Have Been Affected

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, I.R. playbook development, and I.R. playbook testing (tabletop exercises).

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.