Mr. Robot Hacks: How f/society Ransomed Evil Corp for $5.9 million

Welcome back, my greenhorn cyberwarriors!

For those of you who are new to Mr. Robot, Elliot Alderson is an asocial IT security engineer who teams up with a group of hackers (f/society) determined to use their hacking skills to make a better world. They were able to seriously damage the data of the world’s largest holder of consumer and student debt, Evil Corp. Elliot, played brilliantly by Rami Malek, suffers from delusions involving his late father, played by Christian Slater. As season two begins, Elliot is trying to “recover” and gain a grip on his delusions while staying with his mother, while the world financial system is reeling from a global financial crisis brought on by the f/society hack of Evil Corp.

In this series of articles, rather than recount the story details of this brilliant TV series, I will attempt to show how each of the realistic hacks in this show is done. We had two major hacks in this first episode: the ransomware against Evil Corp and the SmartHome hack of Evil Corp’s General Counsel.

Ransomware

In this first episode of Season 2, f/society was able to infect Evil Corp’s data with ransomware (if you look closely, it is CryptoWall). Ransomware is a type of malware that has become very popular in recent years. After infecting the victim’s computer, it encrypts their data, making it unusable. The victim can only recover their data after paying a ransom to get the key to decrypt it. Generally, the ransoms are relatively small, usually in the $300-500 range, but there have been cases where hospitals and other large institutions have paid $20,000 or more. In the case of the Colonial Pipeline attack in 2021, the ransom was $5 million, about the same as f/society’s here.

Let’s take a look at an example of some actual ransomware that was captured in the wild to better understand how it works. All ransomware tends to function similarly. To understand how the f/society ransomware works, let’s look at Chimera, a variant of the ransomware genre of malware found in Germany.

Using Chimera as an Example

Most ransomware has been used against consumers, but Chimera, like the f/society ransomware, has been used to attack businesses in Germany. Since most ransomware works similarly, let’s use it as a model for how f/society encrypted the data and ransomed Evil Corp for $5.9m!

In this analysis, I will summarize how Chimera works, leaving out some steps for the sake of brevity. If you would like a copy of Chimera to conduct your own thorough analysis, I have posted it in my Pastebin account here.

Step 1: Delivering the Malware

Like much of the ransomware that has appeared in recent years, Chimera was delivered by email, likely with a social engineering component to get someone to click on a link or a file (in this episode, Darlene uses the Social Engineering Toolset in Kali to load the ransomware onto a flash drive). Chimera was written in .NET.

In this first stage, Chimera delivers to the victim an executable stub whose only job is to call, decrypt, and decode the second-stage payload.

 
Step 2: The AES Algorithm

The second stage is the encrypted and encoded payload that contains a method that is clearly an AES encryption algorithm. Very likely, f/society would have it run in multiple threads to speed up the process. Considering the fact that Evil Corp has petabytes of data, encrypting it all would take some time.

Step 3: Mapping to Memory

In the next stage, Chimera then manually maps its processes to memory. This is very likely to bypass ASLR and DEP protections that are built into Windows and other operating systems. These protections randomize where a process will likely be in memory, making it more difficult to implement a buffer overflow, as the malware cannot predict the location of the pointer. By manually mapping the process to memory, it makes it more likely that the malware will function as expected.

Step 4: Find 32-Bit Process to Host

Next, Chimera goes through every Windows process looking for a 32-bit process that can host its payload and then opens it.

Step 5: Finding the Public IP

Next, this ransomware goes out and finds the public IP of the machine it has infected by using www.whatismyipaddress.com. It then stores that value in a variable.

Step 6: Call Back to Command & Control Servers

Once Chimera has the IP of the infected host, it then calls out to its command and control (C&C) servers. In this case, those servers are at 95.165.168.168 and 158.222.211.81.

Chimera uses Bitmessage to communicate via a P2P protocol on ports 8444 and 8080. Bitmessage is a secure, encrypted P2P messaging system that enables a single person to send out messages to one or many recipients. Chimera calls the Bitmessage client PyBitmessage.
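Steps 5 and 6 leave a recognizable network trail: a public-IP lookup followed shortly by a connection on a Bitmessage port or to one of the listed servers. The sketch below is an added example, not code from the original article or from Chimera; the key=value log format, the sample lines, and the five-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Indicators taken from the article text (Steps 5 and 6).
C2_IPS = {"95.165.168.168", "158.222.211.81"}
BITMESSAGE_PORTS = {8444, 8080}
IP_LOOKUP_HOST = "whatismyipaddress.com"
WINDOW = timedelta(minutes=5)  # assumption: lookup and callback happen close together

# Constructed sample lines in a made-up key=value format (not real telemetry).
SAMPLE_LOG = """\
2024-03-01T09:00:01 src=10.0.0.21 dns=www.whatismyipaddress.com
2024-03-01T09:00:09 src=10.0.0.21 dst=95.165.168.168 dport=8444
2024-03-01T09:02:00 src=10.0.0.34 dst=203.0.113.10 dport=8080
2024-03-01T09:03:00 src=10.0.0.40 dns=www.whatismyipaddress.com
2024-03-01T09:30:00 src=10.0.0.40 dst=198.51.100.7 dport=8444
2024-03-01T09:31:00 src=10.0.0.55 dst=158.222.211.81 dport=443
"""

LINE = re.compile(r"^(\S+) src=(\S+) (?:dns=(\S+)|dst=(\S+) dport=(\d+))$")

def triage(log_text):
    """Return {host: sorted reasons} for hosts whose traffic matches Steps 5 and 6."""
    lookups, findings = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not in the expected format
        ts = datetime.fromisoformat(m.group(1))
        src, dns, dst, dport = m.group(2), m.group(3), m.group(4), m.group(5)
        if dns:
            name = dns.lower().rstrip(".")
            if name == IP_LOOKUP_HOST or name.endswith("." + IP_LOOKUP_HOST):
                lookups[src] = ts  # remember the most recent public-IP lookup
            continue
        reasons = findings.setdefault(src, set())
        if dst in C2_IPS:
            reasons.add("known-c2-ip")
        seen = lookups.get(src)
        # Port 8080 alone is common proxy traffic, so require the preceding lookup.
        if int(dport) in BITMESSAGE_PORTS and seen is not None and timedelta(0) <= ts - seen <= WINDOW:
            reasons.add("ip-lookup-then-bitmessage-port")
    return {host: sorted(r) for host, r in findings.items() if r}

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_LOG).items():
        print(host, reasons)
```

Host 10.0.0.34 (port 8080 with no lookup) and host 10.0.0.40 (lookup 27 minutes before the connection) are deliberately not flagged, which shows why the port by itself is a weak signal.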

Step 7: Browse & Find Hard Drives, Then Files

Next, the malware must find the hard drives where the data is stored. It needs to browse each of the logical drives and then store these locations into a variable for later use in the encryption process.

Step 8: Get Random Key

Now that this ransomware has successfully taken over a 32-bit process, mapped itself to memory to avoid ASLR, and enumerated the hard drives, it needs to call back to its command and control server to get a random key with which to encrypt the files.

Once the random key has been obtained from the command and control server, Chimera calls the function from Step #2 above—the AES encryption algorithm—and begins to encrypt critical files.

Before it starts the encryption, it looks for the following file types:

.jpg, .jpeg, .xml, .xsl, .wps, .cmf, .vbs, .accdb, .ini, .cdr, .svg, .conf, .config, .wb2, .msg, .azw, .azw1, .azw3, .azw4, .lit, .apnx, .mobi, .p12, .p7b, .p7c, .pfx, .pem, .cer, .key, .der, .mdb, .htm, .html, .class, .java, .asp, .aspx, .cgi, .php, .jsp, .bak, .dat, .pst, .eml, .xps, .sqllite, .sql, .jar, .wpd, .crt, .csv, .prf, .cnf, .indd, .number, .pages, .x3f, .srw, .pef, .raf, .rf, .nrw, .nef, .mrw, .mef, .kdc, .dcr, .crw, .eip, .fff, .iiq, .k25, .crwl, .bay, .sr2, .ari, .srf, .arw, .cr2, .raw, .rwl, .rw2, .r3d, .3fr, .eps, .pdd, .dng, .dxf, .dwg, .psd, .png, .jpe, .bmp, .gif, .tiff, .gfx, .jge, .tga, .jfif, .emf, .3dm, .3ds, .max, .obj, .a2c, .dds, .pspimage, .yuv, .3g2, .3gp, .asf, .asx, .mpg, .mpeg, .avi, .mov, .flv, .wma, .wmv, .ogg, .swf, .ptx, .ape, .aif, .av, .ram, .m3u, .movie, .mp1, .mp2, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpv2, .rpf, .vlc, .m4a, .aac, .aa3, .amr, .mkv, .dvd, .mts, .vob, .3ga, .m4v, .srt, .aepx, .camproj, .dash, .zip, .rar, .gzip, .mdk, .mdf, .iso, .bin, .cue, .dbf, .erf, .dmg, .toast, .vcd, .ccd, .disc, .nrg, .nri, .cdi

These file types are likely critical to the business operation. These are graphics files, spreadsheet files, database files, backup files, email files, Java files, audio files, movie files, and encryption keys. Without them, the business is crippled.
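Many of the targeted types begin with a fixed signature, so a file whose name says PNG or ZIP but whose first bytes no longer match is a strong sign it has been encrypted. The following is an added example for responders, not code from the original article; it covers only a subset of the listed extensions, and the `.locked` suffix and sample files are constructed for the demo.

```python
import tempfile
from pathlib import Path

# Expected leading bytes for a few extensions from the article's target list.
# Only a subset is covered; these are the well-known signatures for each format.
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".zip": [b"PK\x03\x04", b"PK\x05\x06"], ".jar": [b"PK\x03\x04"],
    ".psd": [b"8BPS"],
    ".rar": [b"Rar!\x1a\x07"],
    ".bmp": [b"BM"],
}

def header_mismatches(root):
    """Return sorted relative paths whose content no longer matches their extension."""
    root = Path(root)
    bad = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        # Check every suffix so "backup.zip.locked" is still tested as a ZIP.
        # Assumption: the article does not say whether Chimera renames files.
        known = [s.lower() for s in path.suffixes if s.lower() in MAGIC]
        if not known:
            continue
        with path.open("rb") as fh:
            head = fh.read(16)
        if not any(head.startswith(sig) for sig in MAGIC[known[0]]):
            bad.append(path.relative_to(root).as_posix())
    return sorted(bad)

def demo():
    """Build a constructed directory: two intact files, two with scrambled headers."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "docs").mkdir()
        (base / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        (base / "docs" / "scan.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        (base / "docs" / "photo.jpeg").write_bytes(bytes(range(7, 47)))  # stand-in for ciphertext
        (base / "backup.zip.locked").write_bytes(bytes(range(100, 140)))  # hypothetical suffix
        (base / "notes.txt").write_bytes(b"plain text, not a tracked type")
        return header_mismatches(base)

if __name__ == "__main__":
    print(demo())
```

Run against a file share or a restored backup, the returned list scopes which files need recovery and which are still intact.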

Step 9: Ransom Request

Finally, Chimera makes a ransom request to the business owner. Note that the browser and its associated files are exempt from the encryption so that the browser can request and receive the payment of the ransom.

I hope this helps you to understand how f/society was able to ransom Evil Corp for $5.9 million. I will attempt to demonstrate each and every hack from season 2, so keep coming back to Hackers-Arise, my greenhorn hackers!

For more on ransomware, check out:

1. Build Your Own Ransomware

2. The History and Evolution of Ransomware

3. Analyzing the Ransomware, Wannacry

4. Snake, the Variant of Ransomware Targeting SCADA/ICS