Razr is a highly destructive ransomware that compromises systems by encrypting files, effectively rendering them inaccessible to users. This ransomware commonly propagates through phishing emails containing malicious attachments or by exploiting vulnerabilities in software and operating systems.
Once infected, the Razr ransomware scans for valuable data, including documents, images, and databases. It activates its payload by deploying a malicious binary that begins encrypting the discovered files. It avoids encrypting system-critical files, ensuring the operating system remains functional and allowing the attack to persist longer. Encrypted files are marked with the “.raz” extension, and the malware leaves a ransom note, often titled “README.txt”, to provide instructions about obtaining the decryption key.
In this blog post, we show how to detect Razr ransomware infection on a Windows endpoint with Wazuh.
Razr behavior
Below are behaviors exhibited by Razr ransomware when it is executed on a Windows endpoint:
- It encrypts files on the infected system using AES-256 encryption and adds the .raz file extension.
- It collects and transmits sensitive data from the infected endpoint to a command and control (C2) server.
- It maintains communication with the C2 server, enabling attackers to send malicious commands remotely.
- It hides in legitimate processes and encodes its payloads to conceal its activities.
Analyzed sample
Type | Value |
SHA256 | 43C7930EB18C02173F20A087D7CA5C568C0233E8F60225C259605C52E51E3E1E |
SHA1 | 2D866CC1E92AFC43FE1CE0568CED6637AF1B4315 |
MD5 | b1d3b35e14ed3d141760dd42e90743f6 |
Infrastructure
The following infrastructure is used to demonstrate the detection of Razr ransomware with Wazuh:
- A pre-built, ready-to-use Wazuh OVA 4.10.0 which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
- A Windows 11 victim endpoint with Wazuh agent 4.10.0 installed and enrolled to the Wazuh server.
Detection with Wazuh
In this section, we show how to configure the detection of the Razr ransomware with Wazuh.
Windows endpoint
We use Sysmon to monitor several system events on the victim Windows endpoint. Perform the following steps to configure the Wazuh agent to collect and forward Sysmon logs from the Windows endpoint to the Wazuh server for analysis.
1. Download Sysmon from the Microsoft Sysinternals page.
2. Use PowerShell with administrator privileges to create a Sysmon folder in the C:\ folder:
> New-Item -ItemType Directory -Path C:\Sysmon
3. Extract the content of the compressed Sysmon file to the C:\Sysmon folder:
> Expand-Archive -Path "<PATH>\Sysmon.zip" -DestinationPath "C:\Sysmon"
Replace <PATH> with the directory where the Sysmon.zip file was downloaded.
4. Download the Sysmon configuration file, sysmonconfig.xml, to the C:\Sysmon folder using the PowerShell command below:
> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile C:\Sysmon\sysmonconfig.xml
5. Switch to the directory with the Sysmon executable and run the command below to install and start Sysmon using PowerShell with administrator privileges:
> cd C:\Sysmon
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml
6. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file of the Wazuh agent:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
7. Restart the Wazuh agent to apply the configuration changes by running the following PowerShell command as an administrator:
> Restart-Service -Name wazuh
Wazuh server
We create custom rules to generate alerts when Razr ransomware activities are detected on the Windows endpoint. Perform the following steps to create detection rules on the Wazuh server.
1. Create a custom rule file razr_rules.xml in the /var/ossec/etc/rules/ directory of the Wazuh server:
# touch /var/ossec/etc/rules/razr_rules.xml
2. Add the custom rules for the Razr ransomware below to the /var/ossec/etc/rules/razr_rules.xml file:
<group name="razr, ransomware, malware">

  <!-- Encryption of a file with the .raz extension -->
  <rule id="111900" level="2">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\\\\.*.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*\\\\.*.raz</field>
    <description>Razr ransomware executable $(win.eventdata.image) has encrypted the $(win.eventdata.targetFilename) file.</description>
    <mitre>
      <id>T1486</id>
      <id>T1036.005</id>
    </mitre>
  </rule>

  <!-- Encryption of multiple files within the timeframe -->
  <rule id="111901" level="15" timeframe="100" frequency="5" ignore="30">
    <if_matched_sid>111900</if_matched_sid>
    <description>Multiple files have been encrypted by Razr ransomware $(win.eventdata.image) using the ".raz" extension.</description>
    <mitre>
      <id>T1486</id>
      <id>T1036.005</id>
    </mitre>
  </rule>

  <!-- Ransom note file creation -->
  <rule id="111902" level="2">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\\\\.*.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*\\\\README.txt</field>
    <description>Possible Razr ransomware detected. A ransomware note $(win.eventdata.targetFilename) has been created.</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>

  <!-- Multiple ransom note files created within the timeframe -->
  <rule id="111903" level="12" timeframe="100" frequency="5" ignore="30">
    <if_matched_sid>111902</if_matched_sid>
    <description>Possible Razr ransomware detected. Multiple ransomware notes (README.txt) have been created by $(win.eventdata.image).</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>

</group>
Below are the rules triggered by Razr ransomware activities and their trigger conditions:
Rule ID | Trigger condition |
111900 | Triggered when Razr ransomware encrypts a file on the endpoint using the .raz extension. This rule does not show on the dashboard because it is set to level 2, which mutes it. |
111901 | Triggered at most once every 30 seconds when the Razr ransomware encrypts multiple files using the .raz extension. It fires when rule 111900 matches 5 times within a 100-second timeframe, which reduces the volume of alerts. |
111902 | Triggered when the Razr ransomware creates a README.txt file in any system folder. This rule does not show on the dashboard because it is set to level 2, which mutes it. |
111903 | Triggered at most once every 30 seconds when the Razr ransomware creates multiple README.txt files. It fires when rule 111902 matches 5 times within a 100-second timeframe, which reduces the volume of alerts. |
3. Restart the Wazuh manager for the changes to take effect:
# systemctl restart wazuh-manager
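As an added example (not part of the original post or of Wazuh's own code), the Python below replays the logic of rules 111900 to 111903 over constructed Sysmon event 11 records in Wazuh's decoded field layout, approximating the frequency/timeframe/ignore correlation. It also shows a caveat a practitioner should know: the page's .raz pattern has an unescaped dot and no end anchor, so a benign filename such as crazy_notes.docx satisfies it; RAZ_STRICT_RX is an assumed tightened variant, not from the page.

```python
import re
from collections import deque

# Patterns copied from rules 111900 and 111902 on the page (Python's re treats
# them as pcre2 does). Paths are matched in the JSON-escaped form delivered by
# the Wazuh eventchannel decoder, hence the doubled backslashes everywhere.
IMAGE_RX = re.compile(r"(?i)[C-Z]:.*\\\\.*.exe")
RAZ_RX = re.compile(r"(?i)[C-Z]:.*\\\\.*.raz")
NOTE_RX = re.compile(r"(?i)[C-Z]:.*\\\\README.txt")
# Tightened variant (an assumption, not from the page): escaped dot, anchored
# to the end of the filename, so ".raz" must really be the extension.
RAZ_STRICT_RX = re.compile(r"(?i)[C-Z]:.*\\\\.*\.raz$")

def base_rule_matches(event, target_rx):
    """Rules 111900/111902: a Sysmon event 11 (Wazuh sid 61613) in which an
    .exe creates a file whose name matches target_rx."""
    data = event["win"]["eventdata"]
    return (event["win"]["system"]["eventID"] == "11"
            and IMAGE_RX.search(data["image"]) is not None
            and target_rx.search(data["targetFilename"]) is not None)

def correlate(events, target_rx, frequency=5, timeframe=100, ignore=30):
    """Approximation of the frequency/timeframe/ignore correlation in rules
    111901/111903: fire once `frequency` base matches fall within `timeframe`
    seconds, then stay silent for `ignore` seconds. Returns firing times."""
    window, fired, quiet_until = deque(), [], -1.0
    for ev in events:
        ts = ev["ts"]
        if ts < quiet_until or not base_rule_matches(ev, target_rx):
            continue
        window.append(ts)
        while ts - window[0] > timeframe:   # drop matches outside the window
            window.popleft()
        if len(window) >= frequency:
            fired.append(ts)
            window.clear()
            quiet_until = ts + ignore
    return fired

def make_event(ts, target, image="C:\\\\Users\\\\victim\\\\Downloads\\\\razr.exe"):
    """Constructed Sysmon file-create record in Wazuh's decoded field layout."""
    return {"ts": ts, "win": {"system": {"eventID": "11"},
                              "eventdata": {"image": image, "targetFilename": target}}}

# Constructed sample: six .raz writes two seconds apart, then one ransom note.
SAMPLE = [make_event(i * 2, f"C:\\\\Users\\\\victim\\\\Documents\\\\file{i}.docx.raz")
          for i in range(6)]
SAMPLE.append(make_event(13, "C:\\\\Users\\\\victim\\\\Documents\\\\README.txt"))
```

With the constructed sample, rule 111901 fires once at the fifth .raz write (t=8 s) and the sixth write falls into the 30-second ignore window, while a single README.txt never reaches the frequency threshold of rule 111903.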
Visualizing alerts on the Wazuh dashboard
The alerts below are generated on the Wazuh dashboard when the Razr ransomware is executed on the victim endpoint. Perform the following steps to view the alerts on the Wazuh dashboard.
1. Navigate to Threat intelligence > Threat Hunting.
2. Click + Add filter. Filter for rule.groups in the Field field.
3. Filter for is in the Operator field.
4. Filter for razr in the Values field.
5. Click Save to enable the filter.
Protection and removal of ransomware with Wazuh
Ransomware renders infected endpoints unusable, which makes recovery difficult. The best approach to protection is to configure pre-execution protection using the Wazuh File Integrity Monitoring (FIM) module together with the VirusTotal or YARA integration. This approach matches the hash of a downloaded file against popular threat intelligence databases and triggers an active response script that removes the malicious file before it executes.
For post-execution protection, the Wazuh Active Response module is used to recover shadow copies of the system files from a backup that was taken before the ransomware execution.
To configure pre-execution and post-execution ransomware protection with Wazuh, refer to the Ransomware protection on Windows with Wazuh blog post.
Note: Use the rule_id values from the Razr ransomware detection rules to configure the Active Response module in the /var/ossec/etc/ossec.conf file.
Conclusion
This blog shows how to detect Razr ransomware on a Windows endpoint using Wazuh. By integrating Sysmon, we enhance Windows event logs from the affected endpoint and create rules to identify malicious activities linked to the Razr ransomware.
Wazuh is a free, open source enterprise-ready security platform for threat detection, incident response, and compliance. It integrates with third-party platforms and has a growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.