FortiGuard Labs Threat Research

Ransomware Roundup - Retch and S.H.O.

By Shunichi Imano and James Slaughter | September 21, 2023

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This edition of the Ransomware Roundup covers the Retch and S.H.O ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption
Severity level: High

Retch Ransomware Overview

Retch is a new ransomware variant first discovered in mid-August 2023. It encrypts files on compromised machines and leaves two ransom notes asking victims to pay a ransom for file decryption.

Infection Vector

Information about the infection vector used by the Retch ransomware threat actor is not currently available. However, it is unlikely to be significantly different from other ransomware groups.

Retch ransomware samples have been submitted to a public file scanning service from the following countries:

  • United States
  • Iran
  • Germany
  • Russia
  • France
  • Colombia
  • Korea
  • Italy

Ransomware Execution

Once the ransomware runs, it looks for and encrypts files with the following file extensions:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpeg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .p7c, .pk7, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .pptm, .xlk, .xlsb, .xlsm, .wps, .docm, .odb, .odc, .odm, .odp, .ods, .cs, .exe, .lnk, .mpeg, .mp3, .mkv, .divx, .ogg, .wav, .bat, .index, .flac, .vob, .mpg

The following directories are excluded from file encryption:

  • "Windows"
  • "Program Files"
  • "Program Files (x86)"

The ransomware adds a “.Retch” extension to encrypted files.

Figure 1: Files encrypted by Retch ransomware.

It then drops a ransom note labeled "Message.txt" in every folder where files are encrypted.

Figure 2: Ransom note dropped by Retch ransomware.

In the ransom note, the Retch attacker asks victims to pay 300 euros' worth of Bitcoin for file decryption. Given the low ransom demand, Retch ransomware is likely used to target consumers rather than enterprises. As shown in Figure 2, the ransom message is available in French and English, which initially led us to believe that the Retch ransomware primarily targets French users. However, further investigation revealed that this isn't the case.

We also discovered that the ransom note dropped on the Desktop differs from “Message.txt.” The ransom note left on the Desktop is labeled “HOW TO RECOVER YOUR FILES.txt” and asks victims to pay Bitcoin worth $1000 for file decryption. This ransom note has a different contact email address and includes the attacker’s Bitcoin wallet address.

Figure 3: Ransom note “HOW TO RECOVER YOUR FILES.txt” left on the Desktop by Retch ransomware.

It turns out that the Retch ransomware was developed from publicly available ransomware source code that claims to be for educational purposes and that itself appears to be based on the well-known open-source ransomware “HiddenTear.” The open-source ransomware has the ransom note shown in Figure 2 by default. The attacker appears to have customized only the ransom note on the Desktop, which is only in English, leaving the ransom notes in all other locations untouched. This indicates that the Retch ransomware was not targeting French users as we first thought. As mentioned, the countries from which the files were submitted to the public file scanning service are widespread, further suggesting our suspicion is correct.

At the time of our investigation, the attacker’s Bitcoin wallet had not recorded any transactions.

S.H.O Ransomware Overview

Infection Vector

Information about the infection vector used by the S.H.O ransomware threat actor is not currently available. However, it is unlikely to be significantly different from other ransomware groups.

S.H.O ransomware samples have been submitted to a public file scanning service from the following countries:

  • United States
  • Canada

Ransomware Execution

After the ransomware runs, it encrypts files on compromised machines and adds five random letters and numbers as a file extension.

Figure 4: Files encrypted by S.H.O ransomware.

S.H.O attempts to encrypt files with the following extensions:

.myd, .ndf, .qry, .sdb, .sdf, .tmd, .tgz, .lzo, .txt, .jar, .dat, .contact, .settings, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .mka, .mhtml, .oqy, .png, .csv, .py, .sql, .indd, .cs, .mp3, .mp4, .dwg, .zip, .rar, .mov, .rtf, .bmp, .mkv, .avi, .apk, .lnk, .dib, .dic, .dif, .mdb, .php, .asp, .aspx, .html, .htm, .xml, .psd, .pdf, .xla, .cub, .dae, .divx, .iso, .7zip, .pdb, .ico, .pas, .db, .wmv, .swf, .cer, .bak, .backup, .accdb, .bay, .p7c, .exif, .vss, .raw, .m4a, .wma, .ace, .arj, .bz2, .cab, .gzip, .lzh, .tar, .jpeg, .xz, .mpeg, .torrent, .mpg, .core, .flv, .sie, .sum, .ibank, .wallet, .css, .js, .rb, .crt, .xlsm, .xlsb, .7z, .cpp, .java, .jpe, .ini, .blob, .wps, .docm, .wav, .3gp, .gif, .log, .gz, .config, .vb, .m1v, .sln, .pst, .obj, .xlam, .djvu, .inc, .cvs, .dbf, .tbi, .wpd, .dot, .dotx, .webm, .m4v, .amv, .m4p, .svg, .ods, .bk, .vdi, .vmdk, .onepkg, .accde, .jsp, .json, .xltx, .vsdx, .uxdc, .udl, .3ds, .3fr, .3g2, .accda, .accdc, .accdw, .adp, .ai, .ai3, .ai4, .ai5, .ai6, .ai7, .ai8, .arw, .ascx, .asm, .asmx, .avs, .bin, .cfm, .dbx, .dcm, .dcr, .pict, .rgbe, .dwt, .f4v, .exr, .kwm, .max, .mda, .mde, .mdf, .mdw, .mht, .mpv, .msg, .myi, .nef, .odc, .geo, .swift, .odm, .odp, .rar, .orf, .pfx, .p12, .pl, .pls, .safe, .tab, .vbs, .xlk, .xlm, .xlt, .xltm, .svgz, .slk, .tar.gz, .dmg, .ps, .psb, .tif, .rss, .key, .vob, .epsp, .dc3, .iff, .opt, .onetoc2, .nrw, .pptm, .potx, .potm, .pot, .xlw, .xps, .xsd, .xsf, .xsl, .kmz, .accdr, .stm, .accdt, .ppam, .pps, .ppsm, .exe, .p7b, .wdb, .sqlite, .sqlite3, .dacpac, .zipx, .lzma, .z, .tar.xz, .pam, .r3d, .ova, .1c, .dt, .c, .vmx, .xhtml, .ckp, .db3, .dbc, .dbs, .dbt, .dbv, .frm, .mwb, .mrg, .txz, .mrg, .vbox, .wmf, .wim, .xtp2, .xsn, .xslt

The following files are excluded in all directories:

Figure 5: List of files excluded from encryption.

These directories are also excluded from having their contents encrypted:

Figure 6: List of directories excluded from encryption.

S.H.O encrypts each file using an RSA public key and the Microsoft “Rijndael Managed” C# library.

Figure 7: File encryption routine.

Upon completing the encryption run, it replaces the Desktop wallpaper with its own that asks victims to find and read the file “readme.txt,” which is a ransom note.

Figure 8: Wallpaper replaced by S.H.O ransomware.

FortiGuard Labs has identified two S.H.O ransomware variants that leave different ransom notes. Although the ransom notes have different Bitcoin addresses belonging to the attacker, the ransom fee stays consistent at $200.

Figure 9: Ransom note dropped by an S.H.O ransomware variant.

Figure 10: Ransom note dropped by another S.H.O ransomware variant.

The ransom messages have a very fearful and ominous tone that may be an attempt to scare victims into paying the ransom.

Neither of the Bitcoin wallets was available at the time of our investigation.
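
The on-disk artefacts described above for both families (the “.Retch” extension with its two ransom note names, and the five-character random extension added by S.H.O) can be swept for during host triage. The Python script below is an added example, not FortiGuard Labs code; the tag names, the three-file threshold, and the sample directory tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

RETCH_NOTES = {"message.txt", "how to recover your files.txt"}
# Genuine five-character extensions from the S.H.O target list on this page.
KNOWN_FIVE = {"mhtml", "accdb", "accde", "accda", "accdc", "accdw",
              "accdr", "accdt", "swift", "xhtml"}
FIVE_ALNUM = re.compile(r"[A-Za-z0-9]{5}")
SHO_MIN_FILES = 3  # assumed threshold; tune for your environment


def triage(root):
    """Return {relative_dir: sorted tags} for directories with artefacts."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        tags, sho_hits = set(), 0
        for name in files:
            ext = os.path.splitext(name)[1][1:]
            if ext.lower() == "retch":
                tags.add("retch-encrypted")
            elif name.lower() in RETCH_NOTES:
                tags.add("retch-note")  # "Message.txt" alone is a weak signal
            elif FIVE_ALNUM.fullmatch(ext) and ext.lower() not in KNOWN_FIVE:
                sho_hits += 1  # candidate for S.H.O's random extension
        if sho_hits >= SHO_MIN_FILES:
            tags.add("sho-suspect")
        if tags:
            results[os.path.relpath(dirpath, root)] = sorted(tags)
    return results


def demo():
    sample = {  # constructed file names, for illustration only
        "Desktop": ["HOW TO RECOVER YOUR FILES.txt", "budget.xlsx.Retch"],
        "Documents": ["Message.txt", "notes.txt.Retch", "cv.docx.Retch"],
        "Pictures": ["a.jpg.x7K2q", "b.png.9fPz1", "c.gif.Qm48d"],
        "Projects": ["app.swift", "db.accdb", "page.xhtml", "main.py"],
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, names in sample.items():
            os.makedirs(os.path.join(root, folder))
            for name in names:
                open(os.path.join(root, folder, name), "w").close()
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

A five-character extension on its own is common on healthy systems, which is why the S.H.O tag requires several hits in one directory and skips the real five-character extensions that appear in the target list.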

Fortinet Protections

Fortinet customers are already protected from these malware variants through our AntiVirus and FortiEDR services, as follows:

FortiGuard Labs detects the Retch ransomware samples with the following AV signature:

  • MSIL/Filecoder.AK!tr.ransom

FortiGuard Labs detects the S.H.O ransomware samples with the following AV signature:

  • MSIL/Filecoder.APU!tr.ransom

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

IOCs


Retch PDB strings:

  • C:\Users\IlIlIlIlIlIlIlIl\Desktop\TEMPLATE AND MASTERS 09032023\ransomware-master werkING for obfuscation\Gendarmerie B.V.3\obj\Release\teste25.pdb
  • D:\SEPTEMBER WORKS\Gendarmerie ransomware-master_  one page Current Sun 08 12 23\ransomware-master\Gendarmerie B.V.3\obj\Debug\Gendarmerie_300.pdb


FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices Include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom, partly because the payment does not guarantee that files will be recovered. According to an advisory from the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via its Internet Crime Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).