
BleachGap Ransomware

Introduction

The researchers captured a ransomware family named BleachGap that can spread through removable media. It first appeared in February 2021 and has been released in multiple versions.

The ransomware has several functions: adding an auto-start entry, adding scheduled tasks, rewriting the MBR, disabling keyboard keys, and spreading through removable media. It encrypts files with the “AES-256” symmetric encryption algorithm, so once the key is known the files can be decrypted quickly. The ransomware is no longer limited to encrypting files; it has begun to attempt lateral spread through removable media.

Execution

1. Launch

After the ransomware runs, it drops three files into the %Temp% path: a .bat script with a random four-character name, “aescrypt.exe”, and “DiscordSendWebhook.exe”.

2. Infection

(1) The .bat script generates a key with a custom random algorithm and calls “aescrypt.exe” to encrypt files;

(2) It calls “DiscordSendWebhook.exe” to send the user name, the encryption key and other information to a Discord server;

(3) It downloads “gameover.exe”, renames it to “final.exe” and runs it, which rewrites the MBR;

(4) It creates an “autorun.inf” file in the root directory of the disk so that the batch script starts automatically from removable media;

(5) It creates and executes “p2d.bat”.

3. Ransom notes

“p2d.bat” creates 100 ransom notes named “Pay2Decrypt(1-100).txt” on the desktop.

The malicious code rewrites the MBR, so the computer is locked the next time it is turned on:

[Image: BleachGap MBR lock screen]

IOCs

URL:
https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe

MD5:
46A1769D81D7DCDA455F0F05B9B29648
82FF688AA9253B356E5D890FF311B59E
FB7A78F485EC2586C54D60D293DD5352
8E5A7171F1BE0254DAD65BFD78646F34

SHA-1:
4d56dffea9d04ee8ed174f1b3328675daf4be7b1
4a143fc08b6a55866403966918026509befcc7c1
d4e1f1061f7a872f9843e44c7d27d13ba7ef71bb
7a207db4d2a447a3c547fda5f34d3f6efda5dcf9

SHA-256:
9e4f1334d3712298cb3d18e38cd954c893c890d09ad457683c8d7956a9bdb635
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
b116ff00546620a598119d6704e9849393d2f9948fc8888d6ddf6211aa5b80b9
dd10602b2500fac1f816c54d698c55ebe6a9e208b909bdafc074ccdb2d82a725