5ss5c Ransomware

5ss5c is newly observed ransomware that has been attributed to the same threat actor that developed Satan.

Threat ID:: CC-3344
Category:: Ransomware
Threat Severity:: Medium
Threat Vector:: Exploit
Published:: 16 January 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

5ss5c is newly observed ransomware that has been attributed to the same threat actor that developed Satan.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

5ss5c is distributed by a spreader module that uses both hardcoded credentials and the SMB EternalBlue exploit. It is accompanied by credential stealing modules including Mimikatz.

When executed, 5ss5c will stop database processes and then encrypt files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip.

Encrypted files are renamed with the email address 5ss5c@mail[.]ru at the beginning and the extension .5ss5c at the end. A ransom note in Chinese is then saved to the root directory of the C:\ drive.

Remediation steps

Type	Step
	If a device on your network becomes infected with ransomware it will begin encrypting local machine files and files on any network the logged-in user has permission to access. For system administration accounts this may include backup storage locations. To avoid becoming infected with ransomware, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up to date. All day to day computer activities such as email and internet are performed using non-administrative accounts and that permissions are always assigned based on the principle of least privilege. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security. Identifying the source of infection: Identifying the affected device and disconnecting or quarantining it from the network is essential to damage limitation. Users should immediately report infections to their IT support provider, disconnect their network cable and power the computer down. File auditing should be enabled, and file server logs should be monitored to detect signs of unauthorised encryption and allow the source of encryption to be identified (i.e. the infected device). To limit the damage of ransomware and enable recovery: All critical data must be backed up, and these backups must be sufficiently protected/kept out of reach of ransomware. Multiple backups should be created including at least one off-network backup (e.g. to tape). The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup.

Type

Step

If a device on your network becomes infected with ransomware it will begin encrypting local machine files and files on any network the logged-in user has permission to access. For system administration accounts this may include backup storage locations.

To avoid becoming infected with ransomware, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up to date.
All day to day computer activities such as email and internet are performed using non-administrative accounts and that permissions are always assigned based on the principle of least privilege.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Identifying the source of infection:
Identifying the affected device and disconnecting or quarantining it from the network is essential to damage limitation.

Users should immediately report infections to their IT support provider, disconnect their network cable and power the computer down.
File auditing should be enabled, and file server logs should be monitored to detect signs of unauthorised encryption and allow the source of encryption to be identified (i.e. the infected device).

To limit the damage of ransomware and enable recovery:
All critical data must be backed up, and these backups must be sufficiently protected/kept out of reach of ransomware.

Multiple backups should be created including at least one off-network backup (e.g. to tape).
The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup.

Indicators of compromise

Main indicators

IP Addresses

58.221.158[.]90
61.186.243[.]2

URLs

58.221.158[.]90:88/car/down.txt
58.221.158[.]90:88/car/c.dat
58.221.158[.]90:88/car/cpt.dat

Email Addresses

5ss5c@mail[.]ru

File path:

C:\Program Files\Common Files\System\Scanlog
C:\Program Files\Common Files\System\cpt.exe
C:\Program Files\Common Files\System\tmp
C:\ProgramData\5ss5c_token
C:\ProgramData\blue.exe
C:\ProgramData\blue.fb
C:\ProgramData\blue.xml
C:\ProgramData\down64.dll
C:\ProgramData\mmkt.exe
C:\ProgramData\poc.exe
C:\ProgramData\star.exe
C:\ProgramData\star.fb
C:\ProgramData\star.xml
C:_如何解密我的文件_.txt

SHA256 File Hashes

82ed3f4eb05b76691b408512767198274e6e308e8d5230ada90611ca18af046d
dc3103fb21f674386b01e1122bb910a09f2226b1331dd549cbc346d8e70d02df
9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc
af041f6ac90b07927696bc61e08a31a210e265a997a62cf732f7d3f5c102f1da
ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c
e685aafc201f851a47bc926dd39fb12f4bc920f310200869ce0716c41ad92198
e5bb194413170d111685da51b58d2fd60483fc7bebc70b1c6cb909ef6c6dd4a9
ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f
ef90dcc647e50c2378122f92fba4261f6eaa24b029cfa444289198fb0203e067
47fa9c298b904d66a5eb92c67dee602198259d366ef4f078a8365beefb9fdc95
68e644aac112fe3bbf4e87858f58c75426fd5fda93f194482af1721bc47f1cd7
ea7caa08e115dbb438e29da46b47f54c62c29697617bae44464a9b63d9bddf18
23205bf9c36bbd56189e3f430c25db2a27eb089906b173601cd42c66a25829a7
a46481cdb4a9fc1dbdcccc49c3deadbf18c7b9f274a0eb5fdf73766a03f19a7f
cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de
8e348105cde49cad8bfbe0acca0da67990289e108799c88805023888ead74300
ad3c0b153d5b5ba4627daa89cd2adbb18ee5831cb67feeb7394c51ebc1660f41

Registry keys:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5ss5cStart

Commands:

C:\Windows\system32\cmd.exe /c cd /D C:\ProgramData&blue.exe --TargetIp
star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload C:\ProgramData\down64.dll --TargetIp

Mutexes:

SSSS_Scan
5ss5c_CRYPT

Last edited: 29 June 2021 12:00 pm