Retch & S.H.O. Ransomware

Retch is a new ransomware variant first discovered in mid-August 2023.  It encrypts files on compromised machines and leaves two ransom notes asking victims to pay a ransom for file decryption.

Infection Vector - Information about the infection vector used by the Retch ransomware threat actor is not currently available.  However, it is unlikely to be significantly different from other ransomware groups.[1]  Retch ransomware samples have been submitted to a public file scanning service from the following countries:

  • United States
  • Iran
  • Germany
  • Russia
  • France
  • Colombia
  • Korea
  • Italy

Ransomware Execution - Once the ransomware runs, it looks for and encrypts files with the following file extensions:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpeg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .p7c, .pk7, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .pptm, .xlk, .xlsb, .xlsm, .wps, .docm, .odb, .odc, .odm, .odp, .ods, .cs, .exe, .lnk, .mpeg, .mp3, .mkv, .divx, .ogg, .wav, .bat, .index, .flac, .vob, .mpg

The following directories are excluded from file encryption:

  • "Windows"
  • "Program Files"
  • "Program Files (x86)"

The ransomware adds a “.Retch” extension to encrypted files.

Figure 1: Files encrypted by Retch ransomware.

It then drops a ransom note labeled "Message.txt" in every folder where files are encrypted.

Figure 2: Ransom note dropped by Retch ransomware.

In the ransom note, the Retch attacker asks victims to pay Bitcoin worth 300 euros for file decryption.  Given the low demand, Retch ransomware is more likely aimed at consumers than at enterprises.

As shown in Figure 2, the ransom message is available in French and English, leading us to believe that the Retch ransomware primarily targets French users.  However, further investigation revealed that this isn't the case. 

Analysts also found that the ransom note dropped on the Desktop differs from “Message.txt.”  The Desktop note is labeled “HOW TO RECOVER YOUR FILES.txt,” asks victims to pay Bitcoin worth $1,000 for file decryption, and carries a different contact email address and a different attacker Bitcoin wallet address from the note in Figure 2.

Figure 3: Ransom note “HOW TO RECOVER YOUR FILES.txt” left on the Desktop by Retch ransomware.

It turns out that Retch was built from publicly available ransomware source code that claims to be for educational purposes and is itself derived from the well-known open-source ransomware “HiddenTear.”  The note shown in Figure 2 is that code base's default ransom note.  The attacker appears to have customized only the note dropped on the Desktop, which is in English only, and left the default note in every other location untouched.  Retch was therefore not targeting French users as first thought, and the wide spread of countries from which samples were submitted to the public file scanning service supports this.  The PDB paths recovered from the samples (see the IOC table below), which reference a “Gendarmerie ransomware-master” project, are consistent with a lightly modified public code base.  At the time of the Fortinet investigation, the attacker’s Bitcoin wallet had recorded no transactions.
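The selection rules above (the extension list, the three excluded directories, the “.Retch” suffix and the two note filenames) are enough to model what a Retch run would touch and what it leaves behind.  The Python below is an added example written for this write-up, not code from the Retch sample or from Fortinet; it assumes the excluded directory names are matched as whole path components at any depth, case-insensitively, and it uses only a subset of the extension list so the logic stays readable.  Point `retch_would_encrypt` at a share listing to estimate blast radius before an incident, and `find_retch_indicators` at one afterwards.

```python
"""Model of the Retch file-selection rules and post-infection indicators.

Added example, not code from the Retch sample or from Fortinet/Red Sky.
Assumptions: excluded directory names match whole path components, at any
depth, case-insensitively; extension matching is case-insensitive; the
extension set below is a readable subset of the full list in the write-up.
"""
import ntpath

RETCH_TARGET_EXTENSIONS = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".jpg",
    ".jpeg", ".png", ".csv", ".sql", ".mdb", ".zip", ".rar", ".7z", ".exe",
    ".bat", ".pem", ".pfx", ".p12", ".crt", ".cer",
}
RETCH_EXCLUDED_DIRS = {"windows", "program files", "program files (x86)"}
RETCH_ENCRYPTED_SUFFIX = ".retch"
RETCH_NOTE_NAMES = {"message.txt", "how to recover your files.txt"}


def _components(path):
    """Split a Windows-style path into its components, drive letter dropped."""
    _drive, rest = ntpath.splitdrive(path.replace("/", "\\"))
    return [part for part in rest.split("\\") if part]


def retch_would_encrypt(path):
    """True if the rules described in the write-up would select this file."""
    parts = _components(path)
    if not parts:
        return False
    # Any excluded directory anywhere above the file takes it out of scope.
    if any(part.lower() in RETCH_EXCLUDED_DIRS for part in parts[:-1]):
        return False
    return ntpath.splitext(parts[-1])[1].lower() in RETCH_TARGET_EXTENSIONS


def find_retch_indicators(paths):
    """Separate a listing into already-encrypted files and dropped ransom notes."""
    encrypted, notes = [], []
    for path in paths:
        name = ntpath.basename(path.replace("/", "\\")).lower()
        if name.endswith(RETCH_ENCRYPTED_SUFFIX):
            encrypted.append(path)
        elif name in RETCH_NOTE_NAMES:
            notes.append(path)
    return {"encrypted": encrypted, "notes": notes}


# Constructed listing for the demo, not taken from a real incident.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Pictures\holiday.JPG",
    r"C:\Windows\System32\drivers\etc\hosts.txt",
    r"C:\Program Files (x86)\Vendor\readme.txt",
    r"C:\Users\alice\Documents\budget.xlsx.Retch",
    r"C:\Users\alice\Documents\Message.txt",
    r"C:\Users\alice\Desktop\HOW TO RECOVER YOUR FILES.txt",
]

if __name__ == "__main__":
    for path in SAMPLE_LISTING:
        print(f"{retch_would_encrypt(path)!s:5}  {path}")
    print(find_retch_indicators(SAMPLE_LISTING))
```

Note that both ransom notes end in .txt and so match the extension rule themselves; the write-up does not say how the sample avoids encrypting its own notes, so treat `retch_would_encrypt` as a pre-incident scoping tool and rely on `find_retch_indicators` when reading a post-incident listing.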

S.H.O. Ransomware

Infection Vector - Information about the infection vector used by the S.H.O. ransomware threat actor is not currently available.  However, it is unlikely to be significantly different from other ransomware groups. S.H.O ransomware samples have been submitted to a public file scanning service from the following countries:

  • United States
  • Canada

Ransomware Execution - Once run, S.H.O. encrypts files on the compromised machine and appends a five-character extension made up of random letters and digits to each encrypted file.

Figure 4: Files encrypted by S.H.O. ransomware.

S.H.O attempts to encrypt files with the following extensions:

.myd, .ndf, .qry, .sdb, .sdf, .tmd, .tgz, .lzo, .txt, .jar, .dat, .contact, .settings, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .mka, .mhtml, .oqy, .png, .csv, .py, .sql, .indd, .cs, .mp3, .mp4, .dwg, .zip, .rar, .mov, .rtf, .bmp, .mkv, .avi, .apk, .lnk, .dib, .dic, .dif, .mdb, .php, .asp, .aspx, .html, .htm, .xml, .psd, .pdf, .xla, .cub, .dae, .divx, .iso, .7zip, .pdb, .ico, .pas, .db, .wmv, .swf, .cer, .bak, .backup, .accdb, .bay, .p7c, .exif, .vss, .raw, .m4a, .wma, .ace, .arj, .bz2, .cab, .gzip, .lzh, .tar, .jpeg, .xz, .mpeg, .torrent, .mpg, .core, .flv, .sie, .sum, .ibank, .wallet, .css, .js, .rb, .crt, .xlsm, .xlsb, .7z, .cpp, .java, .jpe, .ini, .blob, .wps, .docm, .wav, .3gp, .gif, .log, .gz, .config, .vb, .m1v, .sln, .pst, .obj, .xlam, .djvu, .inc, .cvs, .dbf, .tbi, .wpd, .dot, .dotx, .webm, .m4v, .amv, .m4p, .svg, .ods, .bk, .vdi, .vmdk, .onepkg, .accde, .jsp, .json, .xltx, .vsdx, .uxdc, .udl, .3ds, .3fr, .3g2, .accda, .accdc, .accdw, .adp, .ai, .ai3, .ai4, .ai5, .ai6, .ai7, .ai8, .arw, .ascx, .asm, .asmx, .avs, .bin, .cfm, .dbx, .dcm, .dcr, .pict, .rgbe, .dwt, .f4v, .exr, .kwm, .max, .mda, .mde, .mdf, .mdw, .mht, .mpv, .msg, .myi, .nef, .odc, .geo, .swift, .odm, .odp, .rar, .orf, .pfx, .p12, .pl, .pls, .safe, .tab, .vbs, .xlk, .xlm, .xlt, .xltm, .svgz, .slk, .tar.gz, .dmg, .ps, .psb, .tif, .rss, .key, .vob, .epsp, .dc3, .iff, .opt, .onetoc2, .nrw, .pptm, .potx, .potm, .pot, .xlw, .xps, .xsd, .xsf, .xsl, .kmz, .accdr, .stm, .accdt, .ppam, .pps, .ppsm, .exe, .p7b, .wdb, .sqlite, .sqlite3, .dacpac, .zipx, .lzma, .z, .tar.xz, .pam, .r3d, .ova, .1c, .dt, .c, .vmx, .xhtml, .ckp, .db3, .dbc, .dbs, .dbt, .dbv, .frm, .mwb, .mrg, .txz, .mrg, .vbox, .wmf, .wim, .xtp2, .xsn, .xslt

The following files are excluded in all directories:


Figure 5: List of files excluded from encryption.

These directories are also excluded from having their contents encrypted:


Figure 6: List of directories excluded from encryption.

S.H.O. encrypts file contents with the .NET “RijndaelManaged” class (Microsoft’s managed C# implementation of Rijndael, the cipher standardized as AES) in combination with an RSA public key embedded in the sample; that key is reproduced in the IOC table below.  Because the sample carries only the public half of the key pair, the matching private key, which is needed to undo anything protected with it, stays with the attacker.

Figure 7: File encryption routine.

Upon completing the encryption run, it replaces the Desktop wallpaper with its own, asking victims to find and read the file “readme.txt,” a ransom note.


Figure 8: Wallpaper replaced by S.H.O. ransomware.

FortiGuard Labs has identified two S.H.O ransomware variants that leave different ransom notes.  Although the ransom notes have different Bitcoin addresses belonging to the attacker, the ransom fee stays consistent at $200.

Figure 9: Ransom note dropped by an S.H.O. ransomware variant.

Figure 10: Ransom note dropped by another S.H.O. ransomware variant.

The ransom messages take a threatening, ominous tone, likely intended to frighten victims into paying.  Neither of the Bitcoin wallets was available at the time of our investigation.
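Because S.H.O. derives the new extension from five random characters, there is no fixed suffix to alert on the way “.Retch” allows.  The Python below is an added example, not code from the S.H.O. sample or from Fortinet, that flags directories in which several files carry an unfamiliar five-character alphanumeric extension and records whether a readme.txt note sits alongside them.  The write-up does not say whether the five characters are the same for every file in a run or whether the original extension is kept in the filename, so the heuristic counts matching files per directory without requiring them to share an extension; the threshold of five files and the list of legitimate five-character extensions are assumptions made for this example.

```python
"""Heuristic detection of an S.H.O.-style encryption run from a file listing.

Added example, not code from the S.H.O. sample or from Fortinet/Red Sky.
Assumptions: five matching files in one directory is the alert threshold, and
KNOWN_5CHAR_EXTS covers the legitimate five-character extensions in scope.
"""
import ntpath
import re
from collections import defaultdict

# Five letters or digits after the dot, as the write-up describes the extension.
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{5}$")
# Legitimate extensions that would otherwise match the pattern (assumed list).
KNOWN_5CHAR_EXTS = {".xhtml", ".mhtml", ".swift", ".class", ".woff2", ".pages"}
NOTE_NAME = "readme.txt"


def sho_suspect_directories(paths, min_files=5):
    """Return {directory: summary} for directories that look like an S.H.O. run.

    A directory is reported when at least `min_files` of its files carry an
    unfamiliar five-character alphanumeric extension.  The summary records how
    many distinct such extensions were seen (one per run and one per file are
    both possible) and whether the readme.txt ransom note is present.
    """
    suspect_exts = defaultdict(list)
    note_dirs = set()
    for path in paths:
        directory, name = ntpath.split(path.replace("/", "\\"))
        if name.lower() == NOTE_NAME:
            note_dirs.add(directory)
            continue
        ext = ntpath.splitext(name)[1]
        if RANDOM_EXT.match(ext) and ext.lower() not in KNOWN_5CHAR_EXTS:
            suspect_exts[directory].append(ext)

    hits = {}
    for directory, exts in suspect_exts.items():
        if len(exts) >= min_files:
            hits[directory] = {
                "suspect_files": len(exts),
                "distinct_extensions": len(set(exts)),
                "ransom_note": directory in note_dirs,
            }
    return hits


# Constructed listing for the demo, not taken from a real incident.  Whether
# S.H.O. keeps the original extension in the name is not stated on the page;
# this sample assumes it does (invoice.pdf -> invoice.pdf.Q7x9Z).
SAMPLE_LISTING = [
    r"C:\Users\bob\Documents\invoice.pdf.Q7x9Z",
    r"C:\Users\bob\Documents\budget.xlsx.Q7x9Z",
    r"C:\Users\bob\Documents\notes.txt.Q7x9Z",
    r"C:\Users\bob\Documents\photo.jpg.Q7x9Z",
    r"C:\Users\bob\Documents\backup.zip.Q7x9Z",
    r"C:\Users\bob\Documents\thesis.docx.Q7x9Z",
    r"C:\Users\bob\Documents\readme.txt",
    r"C:\inetpub\wwwroot\index.xhtml",
    r"C:\inetpub\wwwroot\style.css",
    r"C:\inetpub\wwwroot\app.class",
]

if __name__ == "__main__":
    for directory, summary in sho_suspect_directories(SAMPLE_LISTING).items():
        print(directory, summary)
```

Run it over a recursive listing of a file server (one path per line) rather than a single directory; a legitimate application that happens to use a five-character extension will show up as one directory with one distinct extension and no note, which is easy to allowlist by adding it to `KNOWN_5CHAR_EXTS`.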

IOC

Indicator | IOC Type | Note
46ccde0b58abeec8e3e62eed462bbf663efd4c0027c692210b2922a2217fcaac | SHA2 | Retch ransomware
a928964f062125cc32863a361a0554939f391a2e54a614c9c20c441f638a2f20 | SHA2 | Retch ransomware
f7ab2da0e0ba7e0290b74fea2f0438de4ba3b460f99c4c869285edb9bff5b846 | SHA2 | Retch ransomware
79972890083f7e47a3a221bff96ba5229618355cba24b685cc08e7f5672b2b7a | SHA2 | Retch ransomware
d2b9de087fdc05071283cb162bd94bf6608ccc3e09ca3b9e7ccafffd13e084d0 | SHA2 | Retch ransomware
C:\Users\IlIlIlIlIlIlIlIl\Desktop\TEMPLATE AND MASTERS 09032023\ransomware-master werkING for obfuscation\Gendarmerie B.V.3\obj\Release\teste25.pdb | PDB | Retch PDB string
D:\SEPTEMBER WORKS\Gendarmerie ransomware-master_  one page Current Sun 08 12 23\ransomware-master\Gendarmerie B.V.3\obj\Debug\Gendarmerie_300.pdb | PDB | Retch PDB string
907f6b56a13e377293fb142de08c023b2f75b7dc321ea6976868a99dac2ebdc3 | SHA2 | S.H.O. ransomware
dcff6ed7acfa665af1cc31a005ccfcbdb79614a6749af6b4c3ff29ef1774008d | SHA2 | S.H.O. ransomware
tUsmRqlrj5UCBgSc7H35O5BwodM0FI9hbK1VBimv/pjcWj9uAPjjfkyX28MAHnPKlHhfqk7rG0N1cVf46VOqW2tPDF91kCQmB2PATst0yfz5hmQUkvazSid78fqwR43XwoQu4RwKmRxlzprZfHTTmiJP1zRyQlGOT7zrPWdS+3sdR9MkjBWl+nZUPBuRE7ApNSWt0M9M61P3psNkfDkEcaguzYkBv+ptpKRTTrK3ppstxhDKVdRuXOBlcZKNsiRciFOE8PdapN+8T0z7jOU9b5PE2vAeewKw5zOXwI6PDbDVEpRZHcXhNrcaKIXqO5OsXAi5/tGsk05QtEn/uBpzpQ== | RSA public key (base64) | S.H.O. ransomware’s embedded RSA public key

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has reported extensively on AI technology.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989


[1] https://www.fortinet.com/blog/threat-research/ransomware-roundup-retch-and-sho/
