Detect Surtr Ransomware With a YARA Rule


Surtr Ransomware

Surtr is a ransomware-as-a-service (RaaS) targeting Windows systems and active since December 2021. The malware contains a warning that it is not to be used in the Commonwealth of Independent States (CIS), including Russia, Ukraine, Armenia, Iran, Azerbaijan, Turkmenistan, Turkey, Georgia, Kazakhstan, Tajikistan, and Uzbekistan. Surtr uses a double-extortion method, threatening to leak victim data if the ransom is not paid. The recently reported sample changes the victim’s system manufacturer name to “Tribute to the REvil <3.”

Surtr encrypts files on network shares and deletes volume shadow copies. It includes an exclusion list of extensions, file names, and folders not to encrypt. Surtr uses multilayer obfuscation and several anti-debugging and anti-sandboxing techniques. For file encryption, Surtr uses the Windows Native API “CryptGenRandom” to generate a 64-bit random value, which in turn creates the XOR keys used to encrypt the file’s contents. Surtr maintains persistence by copying itself into the StartUp folder, creating scheduled tasks to execute the ransomware on login, and adding a registry value to restart the ransomware on reboot.

YARA Rule

rule Surtr_ransomware : Surtr
{
    meta:
        author = "@MalGamy12"
        md5 = "674e7ee905d24a89af47b53b53ffc23c"
        reference = "https://twitter.com/MalGamy12/status/1587114169513512960?s=20&t=bjoyNNhzS-KX6EL8vpVgMg"

    strings:
        $str1 = "SurtrMUTEX" wide nocase
        $str2 = "vssadmin.exe Delete" wide nocase
        $str3 = "Tribute to the REvil" nocase
        $str4 = "DisableTaskMgr"
        $str5 = "surt" wide nocase
        // Backslashes must be escaped in YARA text strings
        $str6 = "\\NoRunAnyWay" wide nocase
        $str7 = "\\ProgramData\\Service\\" wide nocase

    condition:
        // MZ header, PE signature at e_lfanew, and at least 6 of the 7 strings
        (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (6 of ($str*))
}
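To make the rule's semantics concrete, here is an added Python example (not part of the original post and not the rule author's code) that re-implements the condition above: the little-endian MZ/PE header checks, the `wide` modifier as UTF-16LE encoding, `nocase` as ASCII case folding, and the "6 of" threshold. The sample buffers are constructed in the script rather than taken from a real Surtr binary. Running it also shows a property worth knowing when tuning this rule: `$str5` ("surt") is a substring of `$str1` ("SurtrMUTEX"), so a file containing the mutex name already counts twice toward the threshold.

```python
import struct

# Strings from the rule above with their modifiers: (name, text, wide, nocase)
RULE_STRINGS = [
    ("str1", "SurtrMUTEX", True, True),
    ("str2", "vssadmin.exe Delete", True, True),
    ("str3", "Tribute to the REvil", False, True),
    ("str4", "DisableTaskMgr", False, False),
    ("str5", "surt", True, True),
    ("str6", "\\NoRunAnyWay", True, True),
    ("str7", "\\ProgramData\\Service\\", True, True),
]
MIN_MATCHES = 6  # "6 of ($str*)"


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550, little-endian like YARA."""
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:  # "MZ"
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):  # signature offset outside the file
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550  # "PE\0\0"


def string_matches(data: bytes, text: str, wide: bool, nocase: bool) -> bool:
    """'wide' searches the UTF-16LE form; 'nocase' folds ASCII letters on both sides."""
    pattern = text.encode("utf-16-le") if wide else text.encode("ascii")
    if nocase:
        return pattern.lower() in data.lower()
    return pattern in data


def matched_strings(data: bytes) -> list:
    """Names of the rule strings found in the buffer."""
    return [name for name, text, wide, nocase in RULE_STRINGS
            if string_matches(data, text, wide, nocase)]


def rule_matches(data: bytes) -> bool:
    """Equivalent of the rule's condition."""
    return is_pe(data) and len(matched_strings(data)) >= MIN_MATCHES


def build_sample(hits: list, pe: bool = True) -> bytes:
    """Constructed test buffer: a minimal MZ/PE header stub followed by (text, wide) strings."""
    header = bytearray(0x84)
    if pe:
        header[0:2] = b"MZ"
        struct.pack_into("<I", header, 0x3C, 0x80)  # e_lfanew -> offset 0x80
        header[0x80:0x84] = b"PE\x00\x00"
    body = b""
    for text, wide in hits:
        body += (text.encode("utf-16-le") if wide else text.encode("ascii")) + b"\x00\x00"
    return bytes(header) + body


# Constructed content mimicking the indicators, with varied case to exercise 'nocase'.
SAMPLE_HITS = [
    ("SURTRmutex", True),
    ("vssadmin.exe delete", True),
    ("tribute to the revil <3", False),
    ("DisableTaskMgr", False),        # case-sensitive in the rule
    ("\\norunanyway", True),
    ("\\programdata\\service\\", True),
]

if __name__ == "__main__":
    full = build_sample(SAMPLE_HITS)
    print("matched:", matched_strings(full), "-> rule fires:", rule_matches(full))
    print("same strings, no PE header ->", rule_matches(build_sample(SAMPLE_HITS, pe=False)))
```

The `DisableTaskMgr` string has no `nocase`, so a lowercase variant does not count; the other six are case-folded, and because `$str5` is already satisfied by `$str1`, the six literal strings in `SAMPLE_HITS` yield seven rule-string matches.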