Middle East Government organizations hit with RanRan Ransomware

Palo Alto Networks discovered a new strain of ransomware, dubbed RanRan ransomware, that has been used in targeted attacks in Middle East.

Malware researchers at Palo Alto Networks have spotted a new strain of ransomware, dubbed RanRan, that has been used in targeted attacks against government organizations in the Middle East.

“Recently, Unit 42 has observed attacks against multiple Middle Eastern government organizations using a previously unseen ransomware family. Based on embedded strings within the malware, we have named this malware ‘RanRan’. ” reads the analysis published by PaloAlto Networks.

The threat actors instead of asking for a ransom are requesting victims to make a political statement on their website to decrypt their files.

RanRan is able to encrypt various types of files stored on the infected system, including documents, executables, logs, databases, archives, source code, images and video files. The ransomware appends the .zXz extension to encrypted files and adds an HTML file containing instructions on how to recover the files onto the target system.

Victims are told not to shut down their system or run any antivirus solution in order to avoid “accidental damage on files.”

The crooks behind the RanRan ransomware instruct victims to create a subdomain with a political name on their website.

Victims are also instructed to upload to the subdomain a file named “Ransomware.txt” containing the text message “Hacked!” and the email address of the attacker.

“The ransom note specifically attempts to extort a political statement by forcing the victims to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader.” continues the analysis.

“The malware itself is fairly rudimentary and makes a number of mistakes in how files are encrypted. This allowed Unit 42 to create a script that is able to decrypt some files that were encrypted by RanRan.”

According to PaloAlto Networks, the intent is to force victims to disclose the hack and publish a statement against the leader of its country.

The security firm did not reveal the name of the targeted organizations neither attributed the attacks to a specific threat actor.

“By performing these actions, the victim, a Middle Eastern government organization, has to generate a political statement against the leader of the country,” said Palo Alto Networks researchers. “It also forces the victim to publicly announce that they have been hacked by hosting the Ransomware.txt file.”

The analysis of the malware revealed that the threat is not sophisticated, the malware researchers also spotted some mistakes in the implementation the of the file encryption feature. which appears to be based on publicly available

The RanRan ransomware seems to be based on publicly available source code.

“RanRan makes a number of mistakes when encryption occurs,” continues the analysis published by PaloAlto Networks.

“For one, they use a symmetric cipher (RC4) with a re-used key. Additionally, some files are encrypted, but the originals are not deleted. This is due to a number of reasons, one of which being that encryption is attempted against system files and other files that are opened by running processes.”

The good news it that due to the errors in the encryption process, victims of RanRan could decrypt some of the files under specific conditions.

“Because we are provided with a situation where we have an original file, a file that has been encrypted, and the RC4 key is re-used against other encrypted files, we have the ability to decrypt some of this data.” continues the analysis.

“This only works in certain instances where the following criteria is met:

• An encrypted and unencrypted file must be present for a given file size group (0-5MB, 5-30MB, etc). Using these two files, we are able to acquire the RC4 stream cipher.
• The remaining encrypted files must be of lesser size than the previously obtained stream cipher. If a file is of greater size, it is only able to be partially decrypted.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – RanRan ransomware, hacking)