Urausy ransomware family, a quick internals overview

June 17, 2013  |  Alberto Ortega

Ransomware is popular among bad actors. Reveton malware family (based on Citadel) made a difference last year, now it is loosing popularity in favor of Urausy, just another lock-screen ransomware. There are a plenty of them living in the wild, but in this post we are going to focus on Urausy.

These malware families are being spread by using exploit kits like Blackhole or Cool EK, which exploit vulnerabilities in web browsers, flash or Java, to install malicious software in victim’s computers.

When the victim is vulnerable, and his computer gets infected with this kind of ransomware, the screen is locked supposedly from a legitimate law enforcement authority, asking for a “fine” that must be paid to restore normal access to the system and files. The malware accepts paysafe and ukash payments.

Spanish Urausy version as June 2013

Needless to say, this is a scam. Law enforcement authorities will never block your computer this way, and for sure they will never ask you for money from your computer.

People from botnets.fr have made a great work collecting a lot of screens locked by Urausy and some more ransomware lockers.

As we said, the infection vector is; vulnerable victim lands in an exploit kit infection page, which exploits a web browser vulnerability and executes malware (ransomware in this case).

The malware sample is packed to avoid AV detection, but it is detected by most AV companies, 37 / 47.

e8b714d4e9a380a09d1ef36dff09e814

Once unpacked, we get e2e610583e9f03c74c944ffb374416c3, which is detected by less AV companies, 30 / 47 (weird, some of them were matching just the packing?).

The piece has several anti-analysis tricks to avoid debugging and execution in sandboxing environments.

It checks if it is running under the eye of a debugger, and has some VM artifacts embedded, not to stop working but probably to change the behavior.

JoeSandbox antivm detections

When started, the malware injects itself in benign Windows process svchost as a new thread, copies the piece in “C:Documents and SettingsAdministratorApplication Dataskype.dat” and a .ini file in “C:Documents and SettingsAdministratorApplication Dataskype.ini” to run at startup and gain persistance, and finally goes to sleep for a long time to avoid automated analysis.

After that, the fireworks begin. The computer is locked with the screen shown at the beginning, to get this done, it uses CreateDesktopW (named MyDesktop) and CreateWindowEx (named YIWEFHIWQ) to take control over the whole UI, and then calls home (C&C).

The C&C host is kidje[.]biz -> 50.7.166.134

kidwhois

The communication is done by using HTTP and encapsulating encrypted data inside.

urausy_uri

urausy_response

We have developed a yara rule to match against memory of processes infected by Urausy, you can take it from our repo.

yara_urausy

AlienVault Unified Security Management (USM) is able to detect the activity of this ransomware family and all the other threats mentioned on this blog post.

>urausy_alarm

urausy_events

Security operators will see this kind of alarms for other similar ransomware families such as Rannoh, Bomba Locker, Galock or Reveton.

Share this with others

Get price Free trial