Kuiper ransomware detection and response with Wazuh

| by | Wazuh 4.7.3
Post icon

The Kuiper ransomware is a strain of ransomware written in Golang that encrypts data on various endpoints such as Windows, macOS, and Linux in exchange for money.  It utilizes a combination of RSA, ChaCha20, and AES encryption algorithms to encrypt files on infected endpoints. Specifically, it employs RSA for key exchange, ChaCha20 for initial encryption, and AES for encrypting the bulk of the files. This triple encryption process significantly increases the difficulty of brute-forcing the decryption key.

Kuiper ransomware targets Windows, Linux, and macOS endpoints because it relies primarily on platform-independent code, enabling it to evade traditional OS-based defenses. However, some core functionalities such as disabling backups and terminating processes are designed for Windows endpoints.  

In this blog post, we demonstrate how to use Wazuh to detect and remove Kuiper ransomware from an infected Windows endpoint.

Kuiper ransomware behavior

Kuiper ransomware exhibits several behaviors when it infects a Windows endpoint. These behaviors include the following:

  • Deletes critical backup files to make recovery of encrypted files difficult using commands like vssadmin resize shadowstorage /for=[drive]: /on=C: /maxsize=401MB, vssadmin delete shadows /all /quiet, and wbadmin DELETE SYSTEMSTATEBACKUP.
  • Clears system event logs in the Windows Event Viewer on the Windows endpoint using wevtutil cl system.
  • Clears security events logs in the Windows Event Viewer program using wevtutil cl security.
  • Clears application event logs in the Windows Event Viewer program using wevtutil cl application.
  • Terminates specific services and processes to ensure the ransomware executes successfully. Examples of the processes are CETASvc.exe, tmwscsvc.exe, avgsvc.exe, NortonSecurity.exe, McAfeeFramework.exe, and SophosSAU.exe.
  • Disables Microsoft Defender using an encoded command in the format powershell.exe -ep bypass -c Set-MpPreference -[setting] 1 -ErrorAction SilentlyContinue.
TypeValue
Hash (SHA256)0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985
Hash (SHA256)df430ab9f5084a3e62a6c97c6c6279f2461618f038832305057c51b441c648d9
Hash (SHA256)d6c1d2e77ce21d5a026e7abf99c9fffe55d87b282f460dc737da231211a12a0d

Infrastructure

We use the following infrastructure to demonstrate the detection and removal of the Kuiper ransomware in an infected Windows endpoint.

  • A pre-built, ready-to-use Wazuh OVA 4.7.3. Follow this guide to download the virtual machine (VM). This VM hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard).
  • A Windows 11 victim endpoint with Wazuh agent 4.7.3 installed and enrolled to the Wazuh server. To install the Wazuh agent, refer to the following installation guide

Detection with Wazuh

We use the following techniques to detect the Kuiper ransomware on an infected Windows endpoint:

  • Using detection rules to detect the Kuiper ransomware activities.
  • Detecting and removing malicious files with the YARA integration and Wazuh active response module.

Detection rules

We use Sysmon to monitor several system events on the Windows endpoint and create rules on the Wazuh server to detect the activities of the Kuiper ransomware.

Windows endpoint

Perform the following steps to configure the Wazuh agent to capture and send Sysmon logs to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Extract the compressed Sysmon file to your preferred location. 

3. Download the Sysmon configuration file – sysmonconfig.xml using the Powershell command below. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable.

wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml

4. Switch to the directory with the Sysmon executable. Run the command below to install and start Sysmon using PowerShell with administrator privileges:

> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

5. Add the following configuration within the <ossec_config> block of the   C:\Program Files (x86)\ossec-agent\ossec.conf file. This configures the Wazuh agent to collect and forward Sysmon event logs to the Wazuh server.

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

6. Restart the Wazuh agent to apply the configuration changes:

> Restart-Service -Name wazuh

Wazuh server

Perform the following steps to create detection rules on the Wazuh server.

1. Create a custom rule file kuiper_ransomware_rules.xml in the /var/ossec/etc/rules/ directory:

# touch /var/ossec/etc/rules/kuiper_ransomware_rules.xml

2. Add the rules below to the /var/ossec/etc/rules/kuiper_ransomware_rules.xml file:

<group name="kuiper,ransomware,">
 <!-- Ransom note file creation -->
  <rule id="100011" level="15" timeframe="100" frequency="2">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.\README_TO_DECRYPT.txt</field>
    <description>The file $(win.eventdata.targetFilename) has been created in multiple directories. Kuiper ransomware detected.</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>
  
  <rule id="100012" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)cmd.exe\s\/c\s\\"vssadmin\sresize\sshadowstorage\s\/for=[C-Z]:\s\/on=C:\s\/maxsize=401MB|vssadmin\sdelete\sshadows\s\/all\s\/quiet</field>
    <description>Shadow copies have been deleted. Possible ransomware detected.</description>
    <mitre>
      <id>T1087</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <rule id="100013" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)powershell.exe\s\s-ep\sbypass\s-c\sSet-MpPreference\s-DisableRealtimeMonitoring 1\s-ErrorAction\sSilentlyContinue|powershell.exe\"\s-ep\sbypass\s-w\shidden\s-c\s\"while\($true\){\sSet-MpPreference\s-DisableRealtimeMonitoring\s$true\s}\"</field>
    <description>Microsoft Defender Real-time Monitoring disabled.Possible ransomware activity.</description>
    <mitre>
      <id>T1087</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <rule id="100014" level="12">
    <if_sid>92032</if_sid>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)taskkill\s\s\/f\s\/im\sCETASvc.exe</field>
    <description>Trend Micro process terminated. Possible ransomware activity detected.</description>
    <mitre>
      <id>T1087</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <rule id="100015" level="12">
    <if_sid>92032</if_sid>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)taskkill\s\s\/f\s\/im NortonSecurity.exe</field>
    <description>Norton Security process terminated. Possible ransomware activity detected.</description>
    <mitre>
      <id>T1087</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <rule id="100016" level="12">
    <if_sid>92032</if_sid>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)taskkill\s\s\/f\s\/im SophosSAU.exe</field>
    <description>Sophos process terminated. Possible ransomware activity detected.</description>
    <mitre>
      <id>T1087</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <rule id="100017" level="12">
    <if_sid>92036</if_sid>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)net\s\sstop\sTrend\sMicro</field>
    <description>Trend Micro service disabled. Possible ransomware activity detected.</description>
    <mitre>
      <id>T1087</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <rule id="100018" level="12">
    <if_sid>92036</if_sid>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)net\s\sstop\sNtrtscan</field>
    <description>Nortion Security service disabled. Possible ransomware activity detected.</description>
    <mitre>
      <id>T1087</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <rule id="100019" level="12">
    <if_sid>92036</if_sid>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)net\s\sstop\sAvast\sAntivirus!</field>
    <description>Avast Antivirus service detected. Possible ransomware disabled.</description>
    <mitre>
      <id>T1087</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <rule id="100020" level="12">
     <if_sid>92032</if_sid>
     <field name="win.eventdata.CommandLine" type="pcre2">(?i)wevtutil\s\scl\ssecurity</field>
     <description>Windows security event logs deleted. Possible ransomware activity detected.</description>
     <mitre>
       <id>T1070.001</id>
     </mitre>
  </rule>

  <rule id="100021" level="12">
     <if_sid>92032</if_sid>
     <field name="win.eventdata.CommandLine" type="pcre2">(?i)wevtutil\s\scl\sapplication</field>
     <description>Windows application event deleted. Possible ransomware activity detected.</description>
     <mitre>
       <id>T1070.001</id>
     </mitre>
  </rule>

</group>

Where:

  • Rule ID 100011 is triggered when Kuiper ransomware drops a ransom note with the file name README_TO_DECRYPT.txt in various folders.
  • Rule ID 100012 is triggered when Kuiper ransomware deletes all the shadow copies of the files and folders on the Windows endpoint.
  • Rule ID 100013 is triggered when Kuiper ransomware disables Microsoft Defender Real-time Monitoring.
  • Rule ID 100014 is triggered when Kuiper ransomware terminates the Trend Micro process on the Windows endpoint. 
  • Rule ID 100015 is triggered when Kuiper ransomware terminates the Norton Security process on the Windows endpoint. 
  • Rule ID 100016 is triggered when Kuiper ransomware terminates the Sophos process on the Windows endpoint. 
  • Rule ID 100017 is triggered when Kuiper ransomware disables the Trend Micro service on the Windows endpoint. 
  • Rule ID 100018 is triggered when Kuiper ransomware disables the Norton Security service on the Windows endpoint. 
  • Rule ID 100019 is triggered when Kuiper ransomware disables the Avast Antivirus service on the Windows endpoint. 
  • Rule ID 100020 is triggered when Kuiper ransomware clears the security event logs in the Windows Event Viewer. 
  • Rule ID 100021 is triggered when Kuiper ransomware clears the application event logs in the Windows Event Viewer.

3. Restart the Wazuh server for the changes to take effect:

# systemctl restart wazuh-manager

Detection results

The screenshot below shows the alerts generated on the Wazuh dashboard when the Kuiper ransomware is executed on the victim endpoint.

From the Agents tab in your Wazuh dashboard, select the Windows endpoint and navigate to the Security events tab to view the generated alerts.

Kuiper Ransomware endpoint

Detecting and removing malicious files with YARA integration

Wazuh can be integrated with YARA, a tool for detecting and classifying malware artifacts. This integration scans files that are added or modified on the Windows endpoint and checks if such files contain malware. 

We configure the Wazuh File Integrity Monitoring module to monitor a folder for file changes. When files are added or modified in the monitored folder, the Wazuh active response module automatically triggers YARA to scan the files and detect potentially malicious ones that match defined rules.

Windows endpoint

Download and install the following prerequisite packages for installing YARA.

1. Python v 3.12.2 or later (with pip pre-installed). Select the following checkboxes on the Python installation dialog box:

  • Use admin privileges when installing py.exe.
  • Add Python.exe to PATH. This places the interpreter in the execution path.

2. Microsoft Visual C++ 2015 Redistributable.

Note: You can skip this section if you have already installed Python and Microsoft Visaul C++ 2015 Redistributable on the Windows endpoint.

After installing the above packages, follow the steps below to download the YARA executable.

1. Launch PowerShell with administrator privileges and download YARA:

> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.3.2/yara-4.3.2-2150-win64.zip -OutFile v4.3.2-2150-win64.zip

2. Extract the YARA executable:

> Expand-Archive v4.3.2-2150-win64.zip

3. Create a folder called C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA binary into it:

> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
> cp .\v4.3.2-2150-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'

Follow the steps below to download YARA rules:

1. Using the same PowerShell terminal launched earlier, install valhallaAPI using the pip utility. The valhallaAPI is used to retrieve the public signature-base YARA ruleset:

> pip install valhallaAPI

2. Create the file download_yara_rules.py, and copy the following script into it:

from valhallaAPI.valhalla import ValhallaAPI
v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
response = v.get_rules_text()
with open('yara_rules.yar', 'w') as fh:
    fh.write(response)

3. Download YARA rules and copy them to the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ folder:

> python download_yara_rules.py 
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
> cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'

4. Edit the C:\Program Files e(x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar file and add the following Kuiper ransomware YARA rule:

rule kuiper_ransomware {
   meta:
      description = "Kuiper ransomware executable detection"
      author = "Anthony Faruna"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2024-03-28"
   strings:
      $s1 = "os.(*ProcessState).Sys" fullword ascii
      $s2 = "os.(*ProcessState).sys" fullword ascii
      $s3 = "mstartbad sequence numberbad value for fielddevice not a streamdirectory not emptydisk quota exceededdodeltimer: wrong Perror to" ascii
      $s4 = "os/exec.Command" fullword ascii
      $s5 = "flag.commandLineUsage" fullword ascii
      $s6 = "eateFileMappingWCuba Standard TimeFiji Standard TimeGetComputerNameExWGetExitCodeProcessGetFileAttributesWGetModuleFileNameWIran" ascii
      $s7 = "level 3 resetload64 failedmin too largenil stackbaseout of memoryparsing time powrprof.dll" fullword ascii
      $s8 = "os/exec.(*Cmd).closeDescriptors" fullword ascii
      $s9 = "runtime: bad pointer in frame runtime: found in object at *(runtime: impossible type kind socket operation on non-socketsync: in" ascii
      $s10 = "VirtualUnlockWriteConsoleWadvapi32.dll" fullword ascii
      $s11 = "runtime.getempty.func1" fullword ascii
      $s12 = "runtime.getempty" fullword ascii
      $s13 = "runtime.execute" fullword ascii
      $s14 = "os/exec.(*Cmd).CombinedOutput" fullword ascii
      $s15 = "sync.runtime_SemacquireMutex" fullword ascii
      $s16 = "os/exec.(*Cmd).writerDescriptor" fullword ascii
      $s17 = "runtime.dumpregs" fullword ascii
      $s18 = "/*struct { F uintptr; pw *os.File; c *exec.Cmd }" fullword ascii
      $s19 = "uireContextWEgyptian_HieroglyphsGetAcceptExSockaddrsGetAdaptersAddressesGetCurrentDirectoryWGetFileAttributesExWGetProcessMemory" ascii
      $s20 = "runtime.hexdumpWords" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 8000KB and ( 8 of them )
      ) or ( all of them )
}

5. Edit the C:\Program Files (x86)\ossec-agent\ossec.conf file and add the configuration below within the <syscheck> block to monitor the Downloads folders of all users in real-time using the Wazuh FIM module:

<directories realtime="yes">C:\Users\*\Downloads</directories>

Note: In this blog post, the Downloads folders of all users are monitored. However, you can configure other folders you wish to monitor.

6. Create a batch file yara.bat in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder.

7. Copy the script below into the yara.bat file. The active response module automatically executes this file to perform YARA scans for malware detection and removal:

:: This script deletes Kuiper ransomware as well as other malicious files matched by the YARA Rules
 
@echo off
setlocal enableDelayedExpansion
reg Query "HKLM\Hardware\Description\System\CentralProcessor
> Restart-Service -Name wazuh
" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT if %OS%==32BIT ( SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log" ) if %OS%==64BIT ( SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log" ) set input= for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do ( set input=%%a ) set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt" set syscheck_file_path= echo %input% > %json_file_path% FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO ( SET syscheck_file_path=%%F ) set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe" set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar" echo %syscheck_file_path% >> %log_file_path% for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do ( echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path% :: Deleting the scanned file. del /f "%syscheck_file_path%" >nul 2>&1 if exist "%syscheck_file_path%" ( echo wazuh-yara: INFO - Error removing threat: %%a >> %log_file_path% ) else ( echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path% ) ) exit /b

8. Restart the Wazuh agent using PowerShell for the changes to take effect:

<group name= "syscheck,">
  <rule id="100024" level="7">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)C:\Users.+Downloads</field>
    <description>File modified in the Downloads folder.</description>
  </rule>

  <rule id="100025" level="7">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)C:\Users.+Downloads</field>
    <description>File added to the Downloads folder.</description>
  </rule>
</group>

Wazuh server

Follow the steps below to configure rules, custom decoders, and active response on the Wazuh server.

1. Create custom rules in the /var/ossec/etc/rules/local_rules.xml file. These rules will generate alerts about files that are added or modified in the Downloads directory on the monitored endpoint.

<command>
  <name>yara</name>
  <executable>yara.bat</executable>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <command>yara</command>
  <location>local</location>
  <rules_id>100024,100025</rules_id>
</active-response>

Where:

  • Rule ID 100024 is triggered when a file is modified in the Downloads directory.
  • Rule ID 100025 is triggered when a file is added to the Downloads directory.

2. Add the following configuration to the /var/ossec/etc/ossec.conf file within the <ossec_config> block:

<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>
<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

The Wazuh active response module executes the yara.bat script when a file is added or modified in the Downloads folder.

Where:

  • <name> specifies the name of the command being called in the active response section.
  • <executable> specifies the executable file to run.
  • <command> specifies the command that the active response will use.
  • The <active response> block calls the <command> block when the rule ID 100029 or 100030 is triggered.
  • <location> specifies where the active response script is executed.

3. Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file to decode the logs generated by the active response script:

<!--  Rule for the decoder (yara_decoder) -->
<group name="yara,">
  <rule id="100026" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

<!--  YARA scan detects a positive match -->
  <rule id="100027" level="12">
    <if_sid>100026</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>

<!--  Wazuh successfully deletes malware with a positive match -->
  <rule id="100028" level="12">
    <if_sid>100026</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Successfully deleted: </match>
    <description>Successfully removed "$(yara_scanned_file)" by active response due to YARA rule $(yara_rule) positive match</description>
  </rule>

<!--  Wazuh encounters an error when deleting malware with a positive match -->
  <rule id="100029" level="12">
    <if_sid>100026</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Error removing threat: </match>
    <description>Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
  </rule>
</group>

4. Create custom rules in the /var/ossec/etc/rules/local_rules.xml to alert when there is a YARA active response action:

$ sudo systemctl restart wazuh-manager

Where:

  • Rule ID 100026 is the base rule for detecting YARA events.
  • Rule ID 100027 is triggered when YARA scans and detects a malicious file.
  • Rule ID 100028 is triggered when the detected file has been successfully removed by the Wazuh active response module.
  • Rule ID 100029 is triggered when the detected file is not removed successfully by Wazuh active response.

5. Restart the Wazuh manager for the changes to take effect:

$ sudo systemctl restart wazuh-manager

Detection results

The Wazuh dashboard generates alerts when Kuiper ransomware is downloaded to the Downloads folder of the victim endpoint. From the Agents tab in your Wazuh dashboard, select the Windows endpoint and navigate to the Security events tab to view the generated alerts.

Ransomware security events

Conclusion

Kuiper ransomware poses a significant threat to organizations and individuals worldwide, leveraging sophisticated techniques to encrypt data and extort ransom payments from victims. Therefore, organizations need to develop proactive security measures, and robust incident response strategies to mitigate the risk of ransomware attacks.

In this blog post, we demonstrated how to detect and remove Kuiper ransomware on Windows endpoints with Wazuh. We utilized Sysmon to enrich logs from the victim endpoint and created rules to detect malicious activities associated with Kuiper ransomware. Additionally, we used YARA with the Wazuh active response module to detect and remove the Kuiper ransomware once downloaded to the monitored endpoint.

Wazuh is a free and open source security platform with several capabilities to monitor and secure your infrastructure against malicious activities. You can also join our Slack community of professionals and users if you have any questions on this blog post or Wazuh in general.

References