This article provides an in-depth analysis of the Risen ransomware, a malicious software designed to encrypt user files and extort payments from victims. The analysis involves reverse engineering the ransomware using various tools to uncover its code structure, execution flow, and encryption logic.
Tools Used for Ransomware Analysis
The analysis is performed using industry-standard tools such as:
- IDA Pro: A powerful disassembler for examining the ransomware’s binary code and functions.
- Spy, Immunity Debugger, KRA, and DNS Spy: These tools assist in malware debugging, process analysis, and reverse engineering.
- LetsDefend Lab Environment: A controlled sandbox environment used for safe execution and testing of the ransomware sample.
Encryption and Ransom Demand
Risen ransomware follows a dual-extortion strategy, where it not only encrypts files but also threatens to leak sensitive data unless a ransom is paid. The malware uses Windows API calls to manipulate files, encrypt data, and display a ransom note. The ransom demand is typically requested in Bitcoin, ensuring anonymity for the attacker.
Ransom Note & Contact Information
Upon infection, the malware displays a ransom note that contains:
- The attacker’s Bitcoin address as the only means of payment.
- A Telegram username and email for victims to negotiate with the attacker.
- A threat of data leakage if the ransom is not paid.
Risen Ransomware Evasion Techniques
To evade detection and hinder forensic analysis, the ransomware employs several anti-analysis techniques:
- System Language Check: It checks the system’s default UI language and avoids execution in five specific countries (likely Russia and its allies).
- Mutex Creation: A mutex named “Ryzen Mutex” prevents multiple instances of the ransomware from running simultaneously.
- Conditional Jumps: The ransomware executes a sequence of five conditional jumps to determine whether it should proceed with the attack or terminate execution.
Windows API Calls Used
The ransomware heavily relies on Windows API calls to execute its malicious functions, including:
- CreateFileW – Creates and modifies files, including the ransom note.
- SetProcessShutdownParameters – Ensures the malware remains persistent.
- GetSystemDefaultUILanguage – Retrieves the system language to decide execution.
- MoveFileW – Renames encrypted files with new extensions.
- CryptEncrypt – Encrypts files using dynamically generated cryptographic keys.
Ransomware Execution & Analysis in Sandbox
In the video walkthrough, we demonstrate how the ransomware is executed in a controlled lab environment (LetsDefend challenge lab). The malware is unpacked and extracted using 7-Zip, then analyzed in IDA. Analysts examine:
- The structure of the ransomware binary.
- Function calls and execution flow.
- Encryption and evasion mechanisms.
Extraction & Decryption Analysis
When encrypting files, the ransomware:
- Scans the file system to identify files to encrypt.
- Creates an encryption key dynamically, which is not hardcoded.
- Renames encrypted files using an extension that includes the attacker’s contact details.
Key Discovery Process
The encryption key is generated dynamically and wiped from memory after use, making it difficult to retrieve. The video suggests using a GDB debugger to monitor memory and extract the key during execution.
Automated Task Scheduling
To ensure persistence, the ransomware:
- Uses schtasks.exe to create a Windows scheduled task.
- Assigns the task the name “System Defense”.
- Ensures that the ransomware is executed repeatedly even after system reboots.
Communication Methods
The ransomware uses Telegram and email for victim communication, enabling attackers to negotiate payments and provide decryption keys in exchange for ransom.
File System Manipulation & Persistence
The ransomware employs multiple techniques to maintain persistence and manipulate files:
- Memory Clearing: Sensitive data, including encryption keys, is wiped from memory after execution.
- File Enumeration: It scans system drives for files to encrypt.
- File Renaming: Encrypted files are renamed with an extension containing the attacker’s details.
String & Function Analysis
A deep dive into function calls reveals:
- GetDriveTypeW – Used to determine if the drive is removable or fixed.
- CryptEncrypt & CryptImportKey – Handles encryption and key importation.
- CRC Checksum Calculation – Ensures file integrity post-encryption.
File Encryption Process Breakdown
The ransomware encrypts files in a systematic manner:
- Identifies target files based on their extensions.
- Uses Windows API functions (CreateFile, SetFilePointer) to access files.
- Applies encryption using CryptEncrypt.
- Renames the encrypted file using MoveFileW, appending a new extension.
- Deletes original file contents and clears memory buffers.
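The following Python triage script is an added illustration, not code from the LetsDefend lab or this write-up, of how a defender would hunt for two behaviours described above: the scheduled task named SystemDefense and the bulk renaming of files to an extension carrying the actor's contact handle. It runs over constructed Sysmon-style events; the event field layout and the `.[@tokyosupp].risen` suffix are assumptions for the example, not the sample's real format.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style telemetry (not output captured from the real sample):
# id 1 = process create, id 11 = file create; field names are simplified.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4242, "image": r"C:\Users\bob\Downloads\risen.exe", "cmd": "risen.exe"},
    {"id": 1, "pid": 4250, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks.exe /create /tn SystemDefense /tr C:\Users\bob\Downloads\risen.exe /sc onlogon /f"},
    {"id": 1, "pid": 4260, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks.exe /create /tn Backup /tr C:\Program Files\Backup\bk.exe /sc daily"},
    # ".[@tokyosupp].risen" is a constructed placeholder layout: the write-up only says the appended extension embeds contact details.
    {"id": 11, "pid": 4242, "target": r"C:\Users\bob\Documents\q1.docx.[@tokyosupp].risen"},
    {"id": 11, "pid": 4242, "target": r"C:\Users\bob\Documents\q2.xlsx.[@tokyosupp].risen"},
    {"id": 11, "pid": 4242, "target": r"C:\Users\bob\Pictures\cat.jpg.[@tokyosupp].risen"},
    {"id": 11, "pid": 4242, "target": r"C:\Users\bob\Desktop\RisenLogs.txt"},
]

# /create ... /tn <name> ... /tr <target>; the target may contain spaces, so stop at the next switch.
TASK_RE = re.compile(r"/create\b.*?/tn\s+(\S+).*?/tr\s+(.+?)(?=\s+/\w+|$)", re.IGNORECASE)

def parse_schtasks(cmd):
    """Return (task_name, target) for a 'schtasks /create' command line, else None."""
    m = TASK_RE.search(cmd)
    return (m.group(1), m.group(2).strip()) if m else None

def find_task_persistence(events, suspicious_names=("SystemDefense",)):
    """Flag task creation using the name from the write-up, or whose target binary sits under a user profile."""
    hits = []
    for ev in events:
        if ev["id"] != 1 or not ev["image"].lower().endswith("schtasks.exe"):
            continue
        parsed = parse_schtasks(ev["cmd"])
        if parsed and (parsed[0] in suspicious_names or parsed[1].lower().startswith(r"c:\users")):
            hits.append({"pid": ev["pid"], "task": parsed[0], "target": parsed[1]})
    return hits

def appended_suffix(path):
    """'.<contact>.<ext>' appended after the original extension, or None if there is none."""
    parts = path.rsplit("\\", 1)[-1].split(".")
    return "." + ".".join(parts[-2:]) if len(parts) >= 3 else None

def find_rename_bursts(events, threshold=3):
    """Flag a process writing >= threshold files that share one appended suffix containing '@'."""
    per_pid = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["id"] == 11 and (suffix := appended_suffix(ev["target"])) and "@" in suffix:
            per_pid[ev["pid"]][suffix] += 1
    return [{"pid": pid, "suffix": s, "files": n}
            for pid, suffixes in per_pid.items() for s, n in suffixes.items() if n >= threshold]
```

The benign Backup task and the RisenLogs.txt write are deliberately left unflagged so the logic can be checked against non-malicious telemetry.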
Final Key Findings
- The ransomware checks system language to avoid execution in certain countries.
- Uses Windows API calls extensively for file encryption and persistence.
- Employs mutex locks to prevent multiple infections.
- Dynamically generates encryption keys and deletes them from memory after use.
- Utilizes scheduled tasks for persistence under the name System Defense.
- Victims are instructed to contact the attacker via Telegram or email.
LetsDefend Risen Ransomware Walkthrough and Answers
Which text file was opened by the malware after initializing a critical section?
RisenLogs.txt
What is the mutex that was created by the malware?
RISEN_MUTEX
How many countries (system languages) does the malware prevent itself from running in?
5
What is the address of GetSystemInfo? (In Hex)
Answer Format: 0x123ABC
0x404B51
What is the first API that is resolved in the sub_403120 function?
IsWow64Process
What is the scheduled task name created by the malware?
SystemDefense
What is the array name that contains the volume used by the ransomware to encrypt files?
off_44CB08
What is the Telegram username of the threat actor?
@tokyosupp