Arete recently reported on Surtr, a ransomware-as-a-service (RaaS) operation. A newly discovered Surtr sample pays tribute to the REvil/Sodinokibi ransomware gang.
What is Surtr Ransomware?
Surtr is a ransomware as a service (RaaS) targeting Windows systems and active since December 2021. The malware contains a warning that it is not to be used in the Commonwealth of Independent States (CIS), listing Russia, Ukraine, Armenia, Iran, Azerbaijan, Turkmenistan, Turkey, Georgia, Kazakhstan, Tajikistan, and Uzbekistan. Surtr uses a double extortion method, threatening to leak victim data if the ransom is not paid. The recently reported sample changes the victim’s system manufacturer name to “Tribute to the REvil <3.”
Surtr encrypts files on network shares and deletes volume shadow copies. It includes an exclusion list of extensions, file names, and folders that are not encrypted. Surtr uses multilayer obfuscation and several anti-debugging and anti-sandboxing techniques. For file encryption, Surtr calls the Windows CryptoAPI function “CryptGenRandom” to generate a 64-bit random value, from which the XOR keys used to encrypt each file’s contents are derived. Surtr maintains persistence by copying itself into the Startup folder, creating scheduled tasks that execute the ransomware at login, and adding a registry value that restarts the ransomware after a reboot.
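The following host triage script is an added example, not code from Arete’s report or from PolySwarm; it checks a Windows machine for the artifacts described above (the tampered manufacturer string, Startup folder copies, logon-triggered scheduled tasks, Run registry values, and missing shadow copies). The report does not name the task, file, or registry value Surtr uses, nor say where the manufacturer string is written, so the script enumerates the standard locations for each and leaves the verdict to the analyst; the two manufacturer lookups (Win32_ComputerSystem and the BIOS registry key) are an assumption about where that string would surface.

```powershell
# Added Surtr triage script (assumptions noted inline). Run elevated; output is a
# list of findings for analyst review, not a confirmed detection.
$findings = @()

# 1. Manufacturer string. Where Surtr writes "Tribute to the REvil <3" is not stated in
#    the report; WMI and the BIOS registry key are the two usual sources (assumption).
$manufacturers = @(
    (Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction SilentlyContinue).Manufacturer,
    (Get-ItemProperty -Path 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS' -ErrorAction SilentlyContinue).SystemManufacturer
) | Where-Object { $_ }
foreach ($m in $manufacturers) {
    if ($m -match 'Tribute to the REvil') { $findings += "Manufacturer string tampered: $m" }
}

# 2. Executables dropped in the per-user or all-users Startup folder.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.bat', '.cmd', '.vbs', '.js', '.ps1' } |
        ForEach-Object { $findings += "Startup folder executable: $($_.FullName)" }
}

# 3. Scheduled tasks with a logon trigger (Surtr re-executes itself at login).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $logonTriggers = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if ($logonTriggers) {
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                $findings += "Logon task '$($task.TaskName)' runs: $($action.Execute) $($action.Arguments)"
            }
        }
    }
}

# 4. Run/RunOnce values that relaunch a binary after reboot. Every value is listed;
#    the report does not give the value name Surtr uses.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { $findings += "Run value [$key] $($_.Name) = $($_.Value)" }
}

# 5. Shadow copy state. Surtr deletes VSS snapshots, so their absence is a weak
#    corroborating signal (many healthy hosts also have none).
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) { $findings += 'No volume shadow copies present' }

$findings
```

Items 2 through 4 deliberately list every entry rather than matching a name, because the report gives no file, task, or value names to match on; compare the output against a known-good baseline of the same host or image, and treat an unsigned binary that appears in more than one of those locations as the item to pull for analysis.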
While Arete does not think Surtr has a direct link to REvil, they note the developers may have previously been affiliated with REvil, or the threat actors responsible for Surtr may be leveraging their mention of REvil to gain notoriety. REvil is the well-known ransomware gang that carried out attacks on Kaseya and several other high-profile entities. Law enforcement operations in late 2021 disrupted the group’s activities and resulted in the arrest of several individuals affiliated with REvil. Following these arrests, REvil announced its plan to cease operations.
PolySwarm has multiple samples associated with Surtr Ransomware.
You can use the following CLI command to search for all Surtr samples in our portal:
$ polyswarm link list -f Surtr
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at email@example.com | Check out our blog | Subscribe to our reports