Investigation: how we helped a company attacked by APT27 ransomware to regain access to files

The Positive Technologies expert security center (PT Expert Security Center, PT ESC) investigated a ransomware attack on the infrastructure of a media outlet, restored access to the encrypted data, uncovered two years of activity by a well-known APT group (presumably of Asian origin) and shut it down.

The full version of the investigation is presented here; in this article we share its main facts.


The starting point for the investigation was the mass encryption of files in the client's infrastructure, followed by a ransom demand. The exact amount of the ransom remained unknown, since the victim did not engage with the attackers.

Ransomware is one of the fastest growing areas of cybercrime, and today almost every fourth attack involves this kind of malware. Some ransomware operators demand a ransom both for decrypting the data and for not disclosing the stolen information. The ransom demanded is typically in the millions of dollars, depending on the specific victim and the nature of the stolen data.

How the attack evolved

The method of launching the ransomware can be called a classic, characteristic of Asian cyber groups. Three files are transferred to the victim's computer:

  • GDFInstall.exe (MD5: 13435101240f78367123ef01a938c560) – a legitimate game component signed by Ubisoft

  • GameuxInstallHelper.dll (MD5: 1fd8402275d42e7389f0d28b9537db0f) – a .NET helper DLL (compiled on April 29, 2020) that is imported when GDFInstall.exe is run.

In fact, this is not the original component: its exported GameExplorerInstallW function executes the attackers' code as soon as the legitimate executable calls it. This widely used technique of loading malicious code in the context of a legitimate, signed application is called DLL hijacking (also known as DLL side-loading).

The file C:\ProgramData\Sysurl.Hex is read (it is first copied from C:\Windows\System32\Sysurl.Hex if absent), then the data is decrypted by XOR with the key ABCSCDFRWFFSDJJHGYUOIj. The result is decoded from Base64, and the resulting PE file is loaded and executed in memory by the .NET runtime, so the decrypted payload never touches the disk.

Also note that the payload and the intermediate library are deleted before the process exits. The deletion is an ordinary file delete rather than a secure wipe, which allows the data to be recovered if disk activity is stopped quickly and the sectors have not yet been overwritten.

  • Sysurl.Hex – the encrypted Polar ransomware payload
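The two decoding steps described above (XOR, then Base64, then check for a PE image) are easy to reproduce offline when you have the Sysurl.Hex file from disk or a memory dump. The following is an added example, not code from the PT ESC write-up or from the malware itself. It assumes that "linear XOR" means the key is applied cyclically byte by byte (the page does not spell this out), and the payload it decodes is a constructed stand-in with an MZ header, not a real sample. The fallback copy from System32 to ProgramData mirrors the loader's lookup order.

```python
"""Decode a Sysurl.Hex-style payload: XOR with a repeating key, then Base64.

Added example; the cyclic-key interpretation of "linear XOR" is an assumption,
and the sample payload below is constructed (a DOS header stub, not a real PE).
"""
import base64
import shutil
import tempfile
from pathlib import Path

XOR_KEY = b"ABCSCDFRWFFSDJJHGYUOIj"  # key quoted in the write-up


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated cyclically (assumed meaning of 'linear XOR')."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_sysurl(blob: bytes, key: bytes = XOR_KEY) -> bytes:
    """Reverse the loader's steps: XOR first, then Base64-decode, then sanity-check.

    validate=True makes b64decode reject non-alphabet bytes, which is the first
    sign that the key or the file offset is wrong; the MZ check is the second.
    """
    b64_text = xor_with_key(blob, key)
    payload = base64.b64decode(b64_text, validate=True)
    if not payload.startswith(b"MZ"):
        raise ValueError("decoded data does not start with an MZ header")
    return payload


def encode_sysurl(payload: bytes, key: bytes = XOR_KEY) -> bytes:
    """Inverse of decode_sysurl; used here only to build the constructed sample."""
    return xor_with_key(base64.b64encode(payload), key)


def locate_payload(programdata: Path, system32: Path, name: str = "Sysurl.Hex") -> Path:
    """Mirror the loader's lookup: use the ProgramData copy, else copy it from System32."""
    target = programdata / name
    if not target.exists():
        shutil.copyfile(system32 / name, target)
    return target


# Constructed stand-in for a PE file: DOS header magic plus the familiar stub text.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."


def demo(tmp_root: Path) -> bytes:
    """Write the constructed sample to a fake System32, then recover it the loader's way."""
    system32 = tmp_root / "System32"
    programdata = tmp_root / "ProgramData"
    system32.mkdir(parents=True, exist_ok=True)
    programdata.mkdir(parents=True, exist_ok=True)
    (system32 / "Sysurl.Hex").write_bytes(encode_sysurl(FAKE_PE))
    blob = locate_payload(programdata, system32).read_bytes()
    return decode_sysurl(blob)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        pe = demo(Path(d))
        print(f"recovered {len(pe)} bytes, MZ header present: {pe[:2] == b'MZ'}")
```

On a real case, replace FAKE_PE with the bytes of the recovered Sysurl.Hex and drop the encode step; if b64decode raises, try the XOR without the cyclic assumption or check whether the file was partially overwritten after the loader's cleanup.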

The described payload chain (a legitimate application loads a malicious library, which in turn decrypts the third component and transfers control to it) is very often used to launch the PlugX backdoor, which is widely used by various Asian APT groups, for example APT10, APT41, TA459 and Bronze Union.

One of the tasks set before PT ESC was precisely the recovery of the encrypted data.

How the files were decrypted

A retrospective analysis conducted during the investigation showed that the company's infrastructure had been compromised at least two years earlier. Initially, the infrastructure of one of the company's branches in another country was infected; from there the attackers penetrated the parent organization.

In our opinion, the most likely point of entry into the network was a vulnerable server on the external network perimeter: in February 2018, initial access was obtained and persistence was established using web shells. Then, for almost a year and a half, as it turned out, the attackers used the company's compromised computing resources to mine cryptocurrency (Monero). Only in 2020 did a ransomware Trojan come into play: the Polar ransomware was delivered and launched under the account of a compromised domain administrator. However, its authors made a mistake in the implementation of the cryptographic scheme, which we were able to identify, and as a result all encrypted files were restored.

The attackers also attempted to regain control of the infrastructure, right during the investigation, using the web shells that had not yet been removed from the networks of the parent organization and the branch, but this time their actions were unsuccessful.

What does the APT27 group have to do with it

The techniques, tactics, and tools used by the attackers were in the style of a number of cyber groups of Asian origin. However, a detailed analysis of the backdoors used in the intrusion, including SysUpdate and HyperBro, suggests that the APT27 group (aka BRONZE UNION, LuckyMouse, Emissary Panda, Iron Tiger) is behind the attack. This group, presumably of Asian origin, has been active since at least 2010. Its activities so far have focused on government agencies in the defense and energy sectors, aerospace enterprises, and the industrial sector.

This time, a media company was attacked, which goes beyond the traditional victim profile of this group. At the same time, the attackers used the same publicly available and custom tools that they had used in the past. In other words, they did not change their techniques and tactics, but added software uncharacteristic for them specifically to monetize the attack. Perhaps the compromise of this company was accidental, and the attackers tried to extract at least some benefit from it.

How not to fall victim to a ransomware and what to do after an attack

Positive Technologies experts remind that one should not give in to the criminals' demands: paying does not guarantee that the data of the company or its clients will be restored, let alone that it will not later be resold on the dark web. In any case, the affected organization will have to rebuild the infrastructure and the affected information systems; otherwise it cannot be sure that the attackers will not regain access to the infrastructure at any time.

In the event of an attack, the company should promptly involve external specialists with experience in responding to and investigating incidents of this kind: to stop the attack, to make sure the criminals no longer have access to the network, and to understand what the initial attack vector was and how the attackers managed to spread so widely. The company also needs to address the existing shortcomings that led to the damage and build a more effective system for protecting and restoring its infrastructure.
