
Ironcat Ransomware

The Ironcat Ransomware is a crypto-locker threat written in the Go language and detected to be operational in the wild. Initially, researchers were inclined to connect the threat to existing ransomware families such as the Sodinokibi Ransomware or the REvil Ransomware strains due to similarities in the ransom note. As it turns out, this is not the case, and Ironcat is a unique piece of malware, as evidenced by an analysis of the threat released by its author himself.

Apparently, the Ironcat Ransomware was never intended to be a live threat. The binaries were created with the sole purpose of being used as training tools deployed only on a closed range network with the environments being wiped after the end of the exercises; they were never supposed to be disclosed to the public. The way they escaped the confines of their intended testing systems, according to the developer of Ironcat, is through a student who removed the binaries and subsequently uploaded them to VirusTotal.

Having become a fully-fledged malware threat, Ironcat can indeed encrypt the files stored on the compromised user's computer system. Before it can initiate the malicious process, however, the threat must be run as an administrator; it will fail certain actions if run with only user privileges. Ironcat itself is not equipped with any method for privilege escalation or bypass mechanisms. Another threshold that must be cleared by the threat is establishing a connection by sending a packet to Fakebook.com, a training environment website.

If everything checks out, Ironcat will proceed to encrypt files in the targeted directories and append '.encrypted' to the original filename of every file. This also changes the registered file type to 'ENCRYPTED.' The ransom note, which in the original version of Ironcat was a near-identical copy of the REvil note, is dropped in each folder containing encrypted data as a text file named 'pay_the_piper.txt.'

Beyond its encryption capabilities, the Ironcat Ransomware dropped four batch files into the 'C:\Windows' directory:

  • Chtes.bat - launches an admin cmd.exe console upon pressing any key five times at the logon screen
  • Netlogin.bat - creates a registry key that launches admin cmd.exe whenever ultiman.exe is initiated
  • Shadow.bat - deletes the Volume Shadow Copy Service snapshots used by the default Windows backup service through the command 'cmd /C vssadmin delete shadows /all'
  • Mssupdate.bat - deletes all Windows event logs

The author of Ironcat also provided ways for any affected victim to attempt to restore their data. The ransomware must be executed in much the same way, but this time with the decrypt function. The same password that was utilized for the encryption must be used for the decryption, so the users must obtain it. The author of the binaries offers three possible ways, although there are some caveats. First, capture the HTTP POST request containing the base64-encoded data and reverse the encoding; this requires a packet capture service to have been running before Ironcat was executed. Otherwise, the Windows Security event log entry will contain the command line used to launch the binary, provided the log hasn't been wiped. Lastly, conhost.exe can be used to access the console window in which the binary was originally executed. This allows the user to list the command and password used to run the encryption through the 'doskey /history' command. For this method to work, however, the attacker must have left the conhost.exe window open, and the victim needs to log into the same session.
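The observable behaviours described above (the 'vssadmin delete shadows /all' command, the four batch files written to 'C:\Windows', the 'pay_the_piper.txt' note, the '.encrypted' extension and the Fakebook.com connection) can be turned into simple host-telemetry detection rules. The following is an added example, not code from the article or from the Ironcat author; the key=value record layout and the sample records are constructed for illustration and do not represent a real Windows or Sysmon export.

```python
import re

# Constructed sample telemetry (an assumption of this example), one record per line,
# in a simplified key=value layout rather than a real Windows event export.
SAMPLE_LOG = r"""
event=ProcessCreate image=C:\Windows\System32\cmd.exe cmdline="cmd /C vssadmin delete shadows /all"
event=FileCreate target=C:\Users\alice\Documents\pay_the_piper.txt
event=FileCreate target=C:\Users\alice\Documents\report.docx.encrypted
event=FileCreate target=C:\Windows\Shadow.bat
event=NetworkConnect dest=fakebook.com
event=ProcessCreate image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"
event=FileCreate target=C:\Users\alice\Documents\notes.txt
""".strip()

# Batch file names the article reports Ironcat dropping into C:\Windows.
DROPPED_BATCH = {"c:\\windows\\" + b for b in
                 ("chtes.bat", "netlogin.bat", "shadow.bat", "mssupdate.bat")}

# Each rule: (name, event type it applies to, predicate over the parsed record).
RULES = [
    ("shadow_copy_deletion", "ProcessCreate",
     lambda r: "vssadmin delete shadows" in r.get("cmdline", "").lower()),
    ("ransom_note_dropped", "FileCreate",
     lambda r: r.get("target", "").lower().endswith("\\pay_the_piper.txt")),
    ("encrypted_extension", "FileCreate",
     lambda r: r.get("target", "").lower().endswith(".encrypted")),
    ("batch_file_in_windows_dir", "FileCreate",
     lambda r: r.get("target", "").lower() in DROPPED_BATCH),
    ("training_site_beacon", "NetworkConnect",
     lambda r: r.get("dest", "").lower() == "fakebook.com"),
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one key=value record; quoted values keep their inner text."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def scan(log_text):
    """Return (rule_name, evidence) pairs for every record matching an Ironcat rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        for name, event, pred in RULES:
            if rec.get("event") == event and pred(rec):
                hits.append((name, rec.get("cmdline") or rec.get("target") or rec.get("dest")))
    return hits

if __name__ == "__main__":
    for name, evidence in scan(SAMPLE_LOG):
        print(f"{name}: {evidence}")
```

The benign notepad.exe and notes.txt records produce no hits, while each of the five Ironcat behaviours is reported with the exact evidence string a responder would want to preserve.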
