The Kuiper ransomware is a strain of ransomware written in Golang that encrypts data on various endpoints such as Windows, macOS, and Linux in exchange for money. It utilizes a combination of RSA, ChaCha20, and AES encryption algorithms to encrypt files on infected endpoints. Specifically, it employs RSA for key exchange, ChaCha20 for initial encryption, and AES for encrypting the bulk of the files. This triple encryption process significantly increases the difficulty of brute-forcing the decryption key.
Kuiper ransomware targets Windows, Linux, and macOS endpoints because it relies primarily on platform-independent code, enabling it to evade traditional OS-based defenses. However, some core functionalities such as disabling backups and terminating processes are designed for Windows endpoints.
In this blog post, we demonstrate how to use Wazuh to detect and remove Kuiper ransomware from an infected Windows endpoint.
Kuiper ransomware behavior
Kuiper ransomware exhibits several behaviors when it infects a Windows endpoint. These behaviors include the following:
- Deletes critical backup files to make recovery of encrypted files difficult using commands like
vssadmin resize shadowstorage /for=[drive]: /on=C: /maxsize=401MB, vssadmin delete shadows /all /quiet
, andwbadmin DELETE SYSTEMSTATEBACKUP
. - Clears system event logs in the Windows Event Viewer on the Windows endpoint using
wevtutil cl system
. - Clears security events logs in the Windows Event Viewer program using
wevtutil cl security
. - Clears application event logs in the Windows Event Viewer program using
wevtutil cl application
. - Terminates specific services and processes to ensure the ransomware executes successfully. Examples of the processes are
CETASvc.exe
,tmwscsvc.exe
,avgsvc.exe
,NortonSecurity.exe
,McAfeeFramework.exe
, andSophosSAU.exe
. - Disables Microsoft Defender using an encoded command in the format
powershell.exe -ep bypass -c Set-MpPreference -[setting] 1 -ErrorAction SilentlyContinue
.
Type | Value |
Hash (SHA256) | 0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985 |
Hash (SHA256) | df430ab9f5084a3e62a6c97c6c6279f2461618f038832305057c51b441c648d9 |
Hash (SHA256) | d6c1d2e77ce21d5a026e7abf99c9fffe55d87b282f460dc737da231211a12a0d |
Infrastructure
We use the following infrastructure to demonstrate the detection and removal of the Kuiper ransomware in an infected Windows endpoint.
- A pre-built, ready-to-use Wazuh OVA 4.7.3. Follow this guide to download the virtual machine (VM). This VM hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard).
- A Windows 11 victim endpoint with Wazuh agent 4.7.3 installed and enrolled to the Wazuh server. To install the Wazuh agent, refer to the following installation guide.
Detection with Wazuh
We use the following techniques to detect the Kuiper ransomware on an infected Windows endpoint:
- Using detection rules to detect the Kuiper ransomware activities.
- Detecting and removing malicious files with the YARA integration and Wazuh active response module.
Detection rules
We use Sysmon to monitor several system events on the Windows endpoint and create rules on the Wazuh server to detect the activities of the Kuiper ransomware.
Windows endpoint
Perform the following steps to configure the Wazuh agent to capture and send Sysmon logs to the Wazuh server for analysis.
1. Download Sysmon from the Microsoft Sysinternals page.
2. Extract the compressed Sysmon file to your preferred location.
3. Download the Sysmon configuration file – sysmonconfig.xml using the Powershell command below. Replace <SYSMON_EXECUTABLE_PATH>
with the path to your Sysmon executable.
wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
4. Switch to the directory with the Sysmon executable. Run the command below to install and start Sysmon using PowerShell with administrator privileges:
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml
5. Add the following configuration within the <ossec_config>
block of the C:\Program Files (x86)\ossec-agent\ossec.conf
file. This configures the Wazuh agent to collect and forward Sysmon event logs to the Wazuh server.
<localfile> <location>Microsoft-Windows-Sysmon/Operational</location> <log_format>eventchannel</log_format> </localfile>
6. Restart the Wazuh agent to apply the configuration changes:
> Restart-Service -Name wazuh
Wazuh server
Perform the following steps to create detection rules on the Wazuh server.
1. Create a custom rule file kuiper_ransomware_rules.xml
in the /var/ossec/etc/rules/
directory:
# touch /var/ossec/etc/rules/kuiper_ransomware_rules.xml
2. Add the rules below to the /var/ossec/etc/rules/kuiper_ransomware_rules.xml
file:
<group name="kuiper,ransomware,"> <!-- Ransom note file creation --> <rule id="100011" level="15" timeframe="100" frequency="2"> <if_sid>61613</if_sid> <field name="win.eventdata.image" type="pcre2">\.exe</field> <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.\\README_TO_DECRYPT.txt</field> <description>The file $(win.eventdata.targetFilename) has been created in multiple directories. Kuiper ransomware detected.</description> <mitre> <id>T1059</id> </mitre> </rule> <rule id="100012" level="12"> <if_sid>61603</if_sid> <field name="win.eventdata.CommandLine" type="pcre2">(?i)cmd.exe\s\/c\s\\\"vssadmin\sresize\sshadowstorage\s\/for=[C-Z]:\s\/on=C:\s\/maxsize=401MB|vssadmin\sdelete\sshadows\s\/all\s\/quiet</field> <description>Shadow copies have been deleted. Possible ransomware detected.</description> <mitre> <id>T1087</id> <id>T1059.003</id> </mitre> </rule> <rule id="100013" level="12"> <if_sid>61603</if_sid> <field name="win.eventdata.CommandLine" type="pcre2">(?i)powershell.exe\s\s-ep\sbypass\s-c\sSet-MpPreference\s-DisableRealtimeMonitoring 1\s-ErrorAction\sSilentlyContinue|powershell.exe\\"\s-ep\sbypass\s-w\shidden\s-c\s\\"while\(\$true\){\sSet-MpPreference\s-DisableRealtimeMonitoring\s\$true\s}\\"</field> <description>Microsoft Defender Real-time Monitoring disabled.Possible ransomware activity.</description> <mitre> <id>T1087</id> <id>T1059.003</id> </mitre> </rule> <rule id="100014" level="12"> <if_sid>92032</if_sid> <field name="win.eventdata.CommandLine" type="pcre2">(?i)taskkill\s\s\/f\s\/im\sCETASvc.exe</field> <description>Trend Micro process terminated. Possible ransomware activity detected.</description> <mitre> <id>T1087</id> <id>T1059.003</id> </mitre> </rule> <rule id="100015" level="12"> <if_sid>92032</if_sid> <field name="win.eventdata.CommandLine" type="pcre2">(?i)taskkill\s\s\/f\s\/im NortonSecurity.exe</field> <description>Norton Security process terminated. Possible ransomware activity detected.</description> <mitre> <id>T1087</id> <id>T1059.003</id> </mitre> </rule> <rule id="100016" level="12"> <if_sid>92032</if_sid> <field name="win.eventdata.CommandLine" type="pcre2">(?i)taskkill\s\s\/f\s\/im SophosSAU.exe</field> <description>Sophos process terminated. Possible ransomware activity detected.</description> <mitre> <id>T1087</id> <id>T1059.003</id> </mitre> </rule> <rule id="100017" level="12"> <if_sid>92036</if_sid> <field name="win.eventdata.CommandLine" type="pcre2">(?i)net\s\sstop\sTrend\sMicro</field> <description>Trend Micro service disabled. Possible ransomware activity detected.</description> <mitre> <id>T1087</id> <id>T1059.003</id> </mitre> </rule> <rule id="100018" level="12"> <if_sid>92036</if_sid> <field name="win.eventdata.CommandLine" type="pcre2">(?i)net\s\sstop\sNtrtscan</field> <description>Nortion Security service disabled. Possible ransomware activity detected.</description> <mitre> <id>T1087</id> <id>T1059.003</id> </mitre> </rule> <rule id="100019" level="12"> <if_sid>92036</if_sid> <field name="win.eventdata.CommandLine" type="pcre2">(?i)net\s\sstop\sAvast\sAntivirus!</field> <description>Avast Antivirus service detected. Possible ransomware disabled.</description> <mitre> <id>T1087</id> <id>T1059.003</id> </mitre> </rule> <rule id="100020" level="12"> <if_sid>92032</if_sid> <field name="win.eventdata.CommandLine" type="pcre2">(?i)wevtutil\s\scl\ssecurity</field> <description>Windows security event logs deleted. Possible ransomware activity detected.</description> <mitre> <id>T1070.001</id> </mitre> </rule> <rule id="100021" level="12"> <if_sid>92032</if_sid> <field name="win.eventdata.CommandLine" type="pcre2">(?i)wevtutil\s\scl\sapplication</field> <description>Windows application event deleted. Possible ransomware activity detected.</description> <mitre> <id>T1070.001</id> </mitre> </rule> </group>
Where:
- Rule ID
100011
is triggered when Kuiper ransomware drops a ransom note with the file nameREADME_TO_DECRYPT.txt
in various folders. - Rule ID
100012
is triggered when Kuiper ransomware deletes all the shadow copies of the files and folders on the Windows endpoint. - Rule ID
100013
is triggered when Kuiper ransomware disables Microsoft Defender Real-time Monitoring. - Rule ID
100014
is triggered when Kuiper ransomware terminates the Trend Micro process on the Windows endpoint. - Rule ID
100015
is triggered when Kuiper ransomware terminates the Norton Security process on the Windows endpoint. - Rule ID
100016
is triggered when Kuiper ransomware terminates the Sophos process on the Windows endpoint. - Rule ID
100017
is triggered when Kuiper ransomware disables the Trend Micro service on the Windows endpoint. - Rule ID
100018
is triggered when Kuiper ransomware disables the Norton Security service on the Windows endpoint. - Rule ID
100019
is triggered when Kuiper ransomware disables the Avast Antivirus service on the Windows endpoint. - Rule ID
100020
is triggered when Kuiper ransomware clears the security event logs in the Windows Event Viewer. - Rule ID
100021
is triggered when Kuiper ransomware clears the application event logs in the Windows Event Viewer.
3. Restart the Wazuh server for the changes to take effect:
# systemctl restart wazuh-manager
Detection results
The screenshot below shows the alerts generated on the Wazuh dashboard when the Kuiper ransomware is executed on the victim endpoint.
From the Agents tab in your Wazuh dashboard, select the Windows endpoint and navigate to the Security events tab to view the generated alerts.
Detecting and removing malicious files with YARA integration
Wazuh can be integrated with YARA, a tool for detecting and classifying malware artifacts. This integration scans files that are added or modified on the Windows endpoint and checks if such files contain malware.
We configure the Wazuh File Integrity Monitoring module to monitor a folder for file changes. When files are added or modified in the monitored folder, the Wazuh active response module automatically triggers YARA to scan the files and detect potentially malicious ones that match defined rules.
Windows endpoint
Download and install the following prerequisite packages for installing YARA.
1. Python v 3.12.2 or later (with pip
pre-installed). Select the following checkboxes on the Python installation dialog box:
- Use admin privileges when installing py.exe.
- Add
Python.exe
to PATH. This places the interpreter in the execution path.
2. Microsoft Visual C++ 2015 Redistributable.
Note: You can skip this section if you have already installed Python and Microsoft Visaul C++ 2015 Redistributable on the Windows endpoint.
After installing the above packages, follow the steps below to download the YARA executable.
1. Launch PowerShell with administrator privileges and download YARA:
> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.3.2/yara-4.3.2-2150-win64.zip -OutFile v4.3.2-2150-win64.zip
2. Extract the YARA executable:
> Expand-Archive v4.3.2-2150-win64.zip
3. Create a folder called C:\Program Files (x86)\ossec-agent\active-response\bin\yara\
and copy the YARA binary into it:
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\' > cp .\v4.3.2-2150-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
Follow the steps below to download YARA rules:
1. Using the same PowerShell terminal launched earlier, install valhallaAPI
using the pip
utility. The valhallaAPI
is used to retrieve the public signature-base YARA ruleset:
> pip install valhallaAPI
2. Create the file download_yara_rules.py
, and copy the following script into it:
from valhallaAPI.valhalla import ValhallaAPI v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111") response = v.get_rules_text() with open('yara_rules.yar', 'w') as fh: fh.write(response)
3. Download YARA rules and copy them to the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\
folder:
> python download_yara_rules.py > mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\' > cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
4. Edit the C:\Program Files e(x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar
file and add the following Kuiper ransomware YARA rule:
rule kuiper_ransomware { meta: description = "Kuiper ransomware executable detection" author = "Anthony Faruna" reference = "https://github.com/Neo23x0/yarGen" date = "2024-03-28" strings: $s1 = "os.(*ProcessState).Sys" fullword ascii $s2 = "os.(*ProcessState).sys" fullword ascii $s3 = "mstartbad sequence numberbad value for fielddevice not a streamdirectory not emptydisk quota exceededdodeltimer: wrong Perror to" ascii $s4 = "os/exec.Command" fullword ascii $s5 = "flag.commandLineUsage" fullword ascii $s6 = "eateFileMappingWCuba Standard TimeFiji Standard TimeGetComputerNameExWGetExitCodeProcessGetFileAttributesWGetModuleFileNameWIran" ascii $s7 = "level 3 resetload64 failedmin too largenil stackbaseout of memoryparsing time powrprof.dll" fullword ascii $s8 = "os/exec.(*Cmd).closeDescriptors" fullword ascii $s9 = "runtime: bad pointer in frame runtime: found in object at *(runtime: impossible type kind socket operation on non-socketsync: in" ascii $s10 = "VirtualUnlockWriteConsoleWadvapi32.dll" fullword ascii $s11 = "runtime.getempty.func1" fullword ascii $s12 = "runtime.getempty" fullword ascii $s13 = "runtime.execute" fullword ascii $s14 = "os/exec.(*Cmd).CombinedOutput" fullword ascii $s15 = "sync.runtime_SemacquireMutex" fullword ascii $s16 = "os/exec.(*Cmd).writerDescriptor" fullword ascii $s17 = "runtime.dumpregs" fullword ascii $s18 = "/*struct { F uintptr; pw *os.File; c *exec.Cmd }" fullword ascii $s19 = "uireContextWEgyptian_HieroglyphsGetAcceptExSockaddrsGetAdaptersAddressesGetCurrentDirectoryWGetFileAttributesExWGetProcessMemory" ascii $s20 = "runtime.hexdumpWords" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 8000KB and ( 8 of them ) ) or ( all of them ) }
5. Edit the C:\Program Files (x86)\ossec-agent\ossec.conf
file and add the configuration below within the <syscheck>
block to monitor the Downloads
folders of all users in real-time using the Wazuh FIM module:
<directories realtime="yes">C:\Users\*\Downloads</directories>
Note: In this blog post, the Downloads
folders of all users are monitored. However, you can configure other folders you wish to monitor.
6. Create a batch file yara.bat
in the C:\Program Files (x86)\ossec-agent\active-response\bin\
folder.
7. Copy the script below into the yara.bat
file. The active response module automatically executes this file to perform YARA scans for malware detection and removal:
:: This script deletes Kuiper ransomware as well as other malicious files matched by the YARA Rules @echo off setlocal enableDelayedExpansion reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT if %OS%==32BIT ( SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log" ) if %OS%==64BIT ( SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log" ) set input= for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do ( set input=%%a ) set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt" set syscheck_file_path= echo %input% > %json_file_path% FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO ( SET syscheck_file_path=%%F ) set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe" set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar" echo %syscheck_file_path% >> %log_file_path% for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do ( echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path% :: Deleting the scanned file. del /f "%syscheck_file_path%" >nul 2>&1 if exist "%syscheck_file_path%" ( echo wazuh-yara: INFO - Error removing threat: %%a >> %log_file_path% ) else ( echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path% ) ) exit /b
8. Restart the Wazuh agent using PowerShell for the changes to take effect:
> Restart-Service -Name wazuh
Wazuh server
Follow the steps below to configure rules, custom decoders, and active response on the Wazuh server.
1. Create custom rules in the /var/ossec/etc/rules/local_rules.xml
file. These rules will generate alerts about files that are added or modified in the Downloads
directory on the monitored endpoint.
<group name= "syscheck,"> <rule id="100024" level="7"> <if_sid>550</if_sid> <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field> <description>File modified in the Downloads folder.</description> </rule> <rule id="100025" level="7"> <if_sid>554</if_sid> <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field> <description>File added to the Downloads folder.</description> </rule> </group>
Where:
- Rule ID
100024
is triggered when a file is modified in theDownloads
directory. - Rule ID
100025
is triggered when a file is added to theDownloads
directory.
2. Add the following configuration to the /var/ossec/etc/ossec.conf
file within the <ossec_config>
block:
<command> <name>yara</name> <executable>yara.bat</executable> <timeout_allowed>no</timeout_allowed> </command> <active-response> <command>yara</command> <location>local</location> <rules_id>100024,100025</rules_id> </active-response>
The Wazuh active response module executes the yara.bat
script when a file is added or modified in the Downloads
folder.
Where:
<name>
specifies the name of the command being called in the active response section.<executable>
specifies the executable file to run.<command>
specifies the command that the active response will use.- The
<active response>
block calls the<command>
block when the rule ID100029
or100030
is triggered. <location>
specifies where the active response script is executed.
3. Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml
file to decode the logs generated by the active response script:
<decoder name="yara_decoder"> <prematch>wazuh-yara:</prematch> </decoder> <decoder name="yara_decoder1"> <parent>yara_decoder</parent> <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex> <order>log_type, yara_rule, yara_scanned_file</order> </decoder> <decoder name="yara_decoder1"> <parent>yara_decoder</parent> <regex>wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)</regex> <order>log_type, yara_rule, yara_scanned_file</order> </decoder> <decoder name="yara_decoder1"> <parent>yara_decoder</parent> <regex>wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)</regex> <order>log_type, yara_rule, yara_scanned_file</order> </decoder>
4. Create custom rules in the /var/ossec/etc/rules/local_rules.xml
to alert when there is a YARA active response action:
<!-- Rule for the decoder (yara_decoder) --> <group name="yara,"> <rule id="100026" level="0"> <decoded_as>yara_decoder</decoded_as> <description>Yara grouping rule</description> </rule> <!-- YARA scan detects a positive match --> <rule id="100027" level="12"> <if_sid>100026</if_sid> <match type="pcre2">wazuh-yara: INFO - Scan result: </match> <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description> </rule> <!-- Wazuh successfully deletes malware with a positive match --> <rule id="100028" level="12"> <if_sid>100026</if_sid> <match type="pcre2">wazuh-yara: INFO - Successfully deleted: </match> <description>Successfully removed "$(yara_scanned_file)" by active response due to YARA rule $(yara_rule) positive match</description> </rule> <!-- Wazuh encounters an error when deleting malware with a positive match --> <rule id="100029" level="12"> <if_sid>100026</if_sid> <match type="pcre2">wazuh-yara: INFO - Error removing threat: </match> <description>Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)</description> </rule> </group>
Where:
- Rule ID
100026
is the base rule for detecting YARA events. - Rule ID
100027
is triggered when YARA scans and detects a malicious file. - Rule ID
100028
is triggered when the detected file has been successfully removed by the Wazuh active response module. - Rule ID
100029
is triggered when the detected file is not removed successfully by Wazuh active response.
5. Restart the Wazuh manager for the changes to take effect:
$ sudo systemctl restart wazuh-manager
Detection results
The Wazuh dashboard generates alerts when Kuiper ransomware is downloaded to the Downloads
folder of the victim endpoint. From the Agents tab in your Wazuh dashboard, select the Windows endpoint and navigate to the Security events tab to view the generated alerts.
Conclusion
Kuiper ransomware poses a significant threat to organizations and individuals worldwide, leveraging sophisticated techniques to encrypt data and extort ransom payments from victims. Therefore, organizations need to develop proactive security measures, and robust incident response strategies to mitigate the risk of ransomware attacks.
In this blog post, we demonstrated how to detect and remove Kuiper ransomware on Windows endpoints with Wazuh. We utilized Sysmon to enrich logs from the victim endpoint and created rules to detect malicious activities associated with Kuiper ransomware. Additionally, we used YARA with the Wazuh active response module to detect and remove the Kuiper ransomware once downloaded to the monitored endpoint.
Wazuh is a free and open source security platform with several capabilities to monitor and secure your infrastructure against malicious activities. You can also join our Slack community of professionals and users if you have any questions on this blog post or Wazuh in general.
References