October 2, 2023

Researchers have discovered a complex web of interconnected ransomware strains that trace their origins back to a common source: the Adhubllka ransomware family.

The research delves into the lineage of several ransomware variants, including LOLKEK, BIT, OBZ, U2K and TZW. These distinct ransomware strains share significant similarities in their codebase, tactics and infrastructure.

Researchers were able to establish a genealogical relationship that ties them back to the original Adhubllka ransomware, which first surfaced in January 2020 and has since undergone multiple iterations, each with slight modifications to encryption schemes, ransom notes and communication methods.


This practice of repeated small modifications is a common strategy among cyber-criminals to evade detection. The researchers also noted that reused code and tactics can lead to misclassification, so investigators must weigh multiple parameters beyond code similarity alone.

One key aspect was the analysis of ransom notes and communication channels used by the ransomware operators. The researchers discovered a progression from v2 Tor Onion URLs to v3 Tor URLs, as well as shifts in communication methods. Despite the evolving tactics, the researchers identified consistent patterns that link all the variants back to the Adhubllka family.

1. This ransomware strain targets individuals and small businesses and demands a ransom in the range of $800 to $1,600 from each victim, as is evident from its previous variants.

2. Adhubllka has also been seen in various other cyber-attack campaigns: the well-known threat actor group TA547 used Adhubllka variants in campaigns targeting various sectors in Australia in 2020.

3. The malicious files of Adhubllka ransomware variants are commonly named after their own MD5 or SHA256 hash, such as “MD5.vir” or “SHA256.bin”.

4. It can be assumed that this ransomware group has a Chinese nexus, as one of the infected filenames (䶲䶮䶴䷣䷭䷢䷡䷠䶳䷠䷟䷞䷆䷩䷢.exe) is in Mandarin. This supports the conclusion that a Chinese group is making use of this ransomware. In this file name the threat actors used Yijing (I Ching) hexagram symbols, which are native to China, to name the executable.

5. TZW is the most recent variant (as of now) to appear from the Adhubllka ransomware family. It also uses the same portal for victims to communicate with the operators.

6. Currently this ransomware family has not announced any DLS (Data Leak Site) on the dark web, but once it gains a strong foothold a DLS can be expected shortly, and ransom demands could double or more.

The researchers go on to say: “By setting up an endpoint security solution, we can thwart the attacks to some extent. However, when ransomware is newly formed/coded, it can only be thwarted by basic security education like not to click on malicious links delivered via email.”


The most important protections come from preventing threat actors from getting ransomware into an environment in the first place, which means watching for behaviour anomalies, privilege escalation and the introduction of suspicious removable media.

  • 2019 Variant

    Attention!
    All your files, documents, photos, databases and other important files are encrypted
    The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
    On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
    Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

  • 2022-23 Variants

    Attention!
    All your files, documents, photos, databases and other important files are encrypted
    The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
    Alternate communication channel here: https://yip.su/2QstD5

  • U2K Variant

    Attention!
    All your files, documents, photos, databases and other important files are encrypted
    The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
    The server with your decryptor is in a closed network TOR.

  • TZW Variant

    Attention!
    All your files, documents, photos, databases and other important files are encrypted
    The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
    The server with your decryptor is in a closed network TOR.

While the Adhubllka ransomware family may undergo rebranding and new monikers may emerge, the distinct communication patterns used by the threat actors remain a consistent thread. As long as the threat actor does not change their mode of communication, all such cases can be traced back to the Adhubllka family.
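As an added illustration of the ransom-note and channel comparison the researchers describe (example code written for this summary, not part of the original research or article), the script below scores a note against the shared Adhubllka wording and separates out the contact channel, distinguishing legacy 16-character v2 onion addresses from 56-character v3 ones. The 2019 note is the one quoted above; any v3 address or unrelated note fed to it is constructed input.

```python
import re

# Wording shared by every Adhubllka-lineage note quoted in the article; the
# contact channel that follows it is what changes between variants.
TEMPLATE = (
    "Attention! All your files, documents, photos, databases and other important "
    "files are encrypted. The only method of recovering files is to purchase an "
    "unique decryptor. Only we can give you this decryptor and only we can recover "
    "your files."
)
URL_RE = re.compile(r"https?://\S+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ONION_V2_RE = re.compile(r"\b[a-z2-7]{16}\.onion\b")  # legacy 16-char v2 addresses
ONION_V3_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b")  # current 56-char v3 addresses

def extract_channels(note: str) -> dict:
    """Pull the contact channels out of a note; these are the lineage markers."""
    return {
        "onion_v2": ONION_V2_RE.findall(note),
        "onion_v3": ONION_V3_RE.findall(note),
        "email": EMAIL_RE.findall(note),
        "url": [u for u in URL_RE.findall(note) if ".onion" not in u],
    }

def tokens(text: str) -> set:
    """Word set with contact strings stripped, so only the boilerplate is compared."""
    text = EMAIL_RE.sub(" ", URL_RE.sub(" ", text))
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def template_similarity(note: str) -> float:
    """Jaccard overlap between the note's wording and the Adhubllka template."""
    t, n = tokens(TEMPLATE), tokens(note)
    return len(t & n) / len(t | n)

def classify(note: str, threshold: float = 0.5) -> dict:
    """Flag a note as Adhubllka lineage when its wording overlap clears the threshold."""
    score = template_similarity(note)
    return {"score": round(score, 3), "adhubllka_lineage": score >= threshold,
            "channels": extract_channels(note)}

# The 2019 note as quoted in the article, used as the worked input.
NOTE_2019 = (
    "Attention! All your files, documents, photos, databases and other important "
    "files are encrypted The only method of recovering files is to purchase an "
    "unique decryptor. Only we can give you this decryptor and only we can recover "
    "your files. On our page you will see instructions on payment and get the "
    "opportunity to decrypt 1 file for free. "
    "Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/"
)
```

Run `classify(NOTE_2019)` to see the score, the lineage verdict and the extracted v2 onion address together.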

MITRE ATT&CK TTPs

T1091: Replication Through Removable Media
T1055: Process Injection
T1036: Masquerading
T1562.001: Disable or Modify Tools
T1497: Virtualization/Sandbox Evasion
T1158: Hidden Files and Directories
T1027: Obfuscated Files or Information
T1406.002: Software Packing
T1056: Input Capture
T1124: System Time Discovery
T1518.001: Security Software Discovery
T1057: Process Discovery
T1120: Peripheral Device Discovery
T1083: File and Directory Discovery
T1082: System Information Discovery
T1080: Taint Shared Content
T1560: Archive Collected Data
T1573: Encrypted Channel
T1090: Proxy
T1486: Data Encrypted for Impact

Indicators of Compromise
