Insights, news, education and announcements from PolySwarm

Surtr Ransomware

Written by PolySwarm Tech Team | Mar 25, 2022 5:45:09 PM


Background

Arete recently reported on Surtr ransomware, a RaaS. A recently discovered Surtr sample paid tribute to the REvil/Sodinokibi ransomware gang.

What is Surtr Ransomware?

Surtr is a ransomware as a service (RaaS) targeting Windows systems and active since December 2021. The malware contains a warning to not be used in the Commonwealth of Independent States (CIS) including Russia, Ukraine, Armenia, Iran, Azerbaijan, Turkmenistan, Turkey, Georgia, Kazakhstan, Tajikistan, and Uzbekistan. Surtr uses a double extortion method, threatening to leak victim data if the ransom is not paid. The recently reported sample changes the victim’s system manufacturer name with “Tribute to the REvil <3.”

Surtr encrypts files in network shares and deletes volume shadow copies. It includes an exclusion list of extensions, file names, and folders to not encrypt. Surtr uses multilayer obfuscation and uses several anti-debugging and anti-sandboxing techniques. For file encryption, Surtr uses the Windows Native API “CryptGenRandom” to generate a 64bit random value, which in turn creates XOR keys used to encrypt the file’s contents. Surtr maintains persistence by copying itself into the StartUp folder and creating scheduled tasks to execute the ransomware on login and adds a registry value to restart the ransomware on reboot.

While Arete does not think Surtr has a direct link to REvil, they note the developers may have previously been affiliated with REvil, or the threat actors responsible for Surtr may be leveraging their mention of REvil to gain notoriety. REvil is the well-known ransomware gang that carried out attacks on Kaseya and several other high-profile entities. Law enforcement operations in late 2021 disrupted the group’s activities and resulted in the arrest of several individuals affiliated with REvil. Following these arrests, REvil announced its plan to cease operations.

IOCs

PolySwarm has multiple samples associated with Surtr Ransomware.

267fa786176679a2d99bf4d47cbcd8591640452ff393af7d61cfd5c0d8e67f33

40e5bb0526169c02126ffa60a09041e5e5453a24b26bc837036748b150fa3fae

7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b

8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

47b22f45e81e746dba1ff1eca1833cbb43961be9a620406c3889af4b04cc8a50

c8ac8f8fae635b4e4fed8717c0456fa621d44d61e79d6046f5242430cb17dff9

You can use the following CLI command to search for all xx samples in our portal:

$ polyswarm link list -f Surtr


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports