February 10, 2017

Yesterday, ProofPoint posted about their discovery of a new ransomware called Serpent that is being distributed via SPAM emails. It was further determined that this ransomware appears to be a new variant of the HadesLocker and Wildfire ransomware family.

Below I have given a brief recap of the distribution methods discovered by ProofPoint as well as detailed information on what I have learned about how Serpent runs based on its source code. Unfortunately, at this time there is no way to decrypt files encrypted by the Serpent Ransomware. While a potential method is researched, if you would like support or to discuss this ransomware you can use our dedicated Serpent Ransomware Help & Support Topic.

How Serpent Ransomware Is Being Distributed

ProofPoint has an excellent writeup on this ransomware that includes how it is distributed. For completeness, I have provided a brief summary of what they discovered below, but for the full scoop, I suggest you read their article as well.

Serpent Ransomware is being distributed via SPAM emails targeting Danish victims that pretend to be outstanding invoices. These emails will have a subject like "Sidste påmindelse for udestående faktura 1603750" and will contain a link to a Word document that the victim is told to download.

[Image: Serpent SPAM Email. Source: ProofPoint]

If a user downloads and opens this Word document, the document will try to trick the user into enabling macros by having them click on the Enable Content button as shown below.

[Image: Malicious Word Document. Source: ProofPoint]

Once a user clicks on this button, the macros will execute and download and install the Serpent Ransomware.

How Serpent Ransomware Encrypts a Computer

As MalwareHunterTeam was able to deobfuscate and extract the source code for the Serpent Ransomware, we are able to gain much greater insight into how the ransomware operates.

When Serpent Ransomware is executed, it will copy itself to a randomly named folder under the %AppData% folder. It will then connect to to determine the victim's IP address and country. If the ransomware detects that your IP address is from one of the following countries, it will exit and not encrypt your computer.

[Image: list of excluded countries]

If you are not from one of the above countries, it will then connect to the ransomware's Command & Control server and send the victim's unique hardware ID, a campaign ID, the IP address, and the country. In response, the Command & Control server will return a public RSA key.

Serpent Ransomware will then terminate the following, mostly database-related, processes so that their files are not in use and can therefore be encrypted.

[Image: list of terminated processes]

Serpent will now proceed to encrypt the data on a victim's computer by searching for files that have specific file extensions. If it detects a targeted file, it will encrypt the file using AES-256 encryption. While encrypting a file, it will also append to the file the AES encryption key, which is itself encrypted with the downloaded RSA public key. A full list of the 876 targeted file extensions can be found at the end of the article.

When the Serpent Ransomware encrypts a file, it will append the .serpent. extension to the file name. For example, a file called test.jpg would be encrypted and renamed as test.jpg.serpent. You can see an example of how the encrypted files would appear below.

[Image: Serpent Encrypted Files]

During this process, Serpent will also clear the Windows Volume Shadow Copies so that they cannot be used to recover files. The command executed to clear the shadow copies is:

[Image: shadow copy deletion command]

When it has finished encrypting a drive, Serpent will use the Cipher.exe command to overwrite deleted data to make it more difficult to recover files. The command that is used is:

[Image: Cipher.exe command]

While running, the ransomware will also create a VBS file in the Start Menu's Startup folder so that the ransomware is executed every time the victim logs into the computer. An example of this VBS script can be seen below.
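The shadow copy deletion and Cipher.exe wipe described above are the two most visible behaviours a process-creation log will show, and both are rare in normal user sessions. The following is an added example (not code from the article or from the ransomware) of detection logic run over a few constructed event lines. The event format is a simplified key=value layout invented for this example, and the vssadmin, wmic and cipher command syntaxes in the patterns are the standard Windows forms; the exact command lines Serpent runs are shown only as images in the article and are not reproduced here. The article also notes that Serpent copies itself under %AppData%, so a parent process in that location is flagged as an aggravating signal.

```python
import re

# Standard Windows syntaxes for deleting Volume Shadow Copies (vssadmin or
# wmic) and for wiping free space with cipher.exe. These are general patterns;
# Serpent's exact command lines are not reproduced in the article text.
SHADOW_DELETE_RE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)
CIPHER_WIPE_RE = re.compile(r"\bcipher(?:\.exe)?\s+/w:", re.IGNORECASE)
# The article says Serpent copies itself to a random folder under %AppData%;
# a destructive command whose parent lives there deserves a higher severity.
APPDATA_PARENT_RE = re.compile(r'parent="?[A-Z]:\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)

# Constructed sample events (not real logs) in an assumed key=value layout.
SAMPLE_EVENTS = [
    r'ts=2017-02-10T09:12:01Z host=WS01 user=jane image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin delete shadows /all /quiet" parent="C:\Users\jane\AppData\Roaming\k3xq\svc.exe"',
    r'ts=2017-02-10T09:40:17Z host=WS01 user=jane image="C:\Windows\System32\cipher.exe" cmd="cipher /w:C:" parent="C:\Users\jane\AppData\Roaming\k3xq\svc.exe"',
    r'ts=2017-02-10T10:02:44Z host=WS02 user=admin image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin list shadows" parent="C:\Windows\System32\cmd.exe"',
    r'ts=2017-02-10T10:05:09Z host=WS03 user=bob image="C:\Windows\System32\wscript.exe" cmd="wscript.exe C:\Users\bob\report.vbs" parent="C:\Windows\explorer.exe"',
]


def classify(event):
    """Return the behaviour tags matching one event line (empty list if benign)."""
    tags = []
    if SHADOW_DELETE_RE.search(event):
        tags.append("shadow_copy_deletion")
    if CIPHER_WIPE_RE.search(event):
        tags.append("free_space_wipe")
    # Only add the parent-location signal when a destructive command was seen,
    # so ordinary programs running from AppData do not raise alerts by themselves.
    if tags and APPDATA_PARENT_RE.search(event):
        tags.append("parent_in_appdata")
    return tags


def detect(events):
    """Return (index, tags) for every event carrying at least one destructive tag."""
    hits = []
    for index, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits.append((index, tags))
    return hits


if __name__ == "__main__":
    for index, tags in detect(SAMPLE_EVENTS):
        print(index, tags, SAMPLE_EVENTS[index])
```

Note that "vssadmin list shadows" in the third sample line is deliberately left unflagged: only the delete form is destructive, and alerting on every vssadmin invocation would drown the signal in administrator noise.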

[Image: VBS Autorun File]

When it has finished, ransom notes named HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].html and HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].txt will be present throughout the computer and on the Windows desktop.
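The three on-disk artifacts the article describes (files renamed with a trailing .serpent suffix, the HOW_TO_DECRYPT_YOUR_FILES_ ransom notes, and a VBS script in the Startup folder) are enough to scope an infection during response. The following is an added example, not code from the article, of a triage sweep that walks a directory tree and reports them. It assumes the three random characters in the note name can be any characters, builds a small constructed directory layout in a temporary folder for demonstration, and reconstructs the original file names by stripping only the appended suffix, as in the test.jpg to test.jpg.serpent example above.

```python
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".serpent"
# Assumption: the three random characters in the note name are unconstrained.
RANSOM_NOTE_RE = re.compile(r"^HOW_TO_DECRYPT_YOUR_FILES_.{3}\.(?:html|txt)$", re.IGNORECASE)


def original_name(path):
    """Strip only the appended suffix: test.jpg.serpent -> test.jpg."""
    name = os.fspath(path)
    if name.lower().endswith(ENCRYPTED_SUFFIX):
        return name[: -len(ENCRYPTED_SUFFIX)]
    return name


def triage_tree(root):
    """Walk `root` and collect the three on-disk indicators described in the article."""
    found = {"encrypted": [], "notes": [], "startup_vbs": []}
    for dirpath, _dirs, files in os.walk(root):
        in_startup = Path(dirpath).name.lower() == "startup"
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(ENCRYPTED_SUFFIX):
                found["encrypted"].append(path)
            elif RANSOM_NOTE_RE.match(name):
                found["notes"].append(path)
            elif in_startup and lower.endswith(".vbs"):
                found["startup_vbs"].append(path)
    for key in found:
        found[key].sort()
    return found


def summarize(found):
    """Counts plus the distinct original extensions hit, for a quick scope report."""
    exts = sorted({Path(original_name(p)).suffix.lower() for p in found["encrypted"]})
    return {
        "encrypted_files": len(found["encrypted"]),
        "ransom_notes": len(found["notes"]),
        "startup_vbs": len(found["startup_vbs"]),
        "affected_extensions": exts,
    }


# Constructed sample layout mimicking a hit user profile; not real malware output.
SAMPLE_LAYOUT = [
    "Users/jane/Documents/test.jpg.serpent",
    "Users/jane/Documents/budget.xlsx.serpent",
    "Users/jane/Documents/HOW_TO_DECRYPT_YOUR_FILES_a7k.html",
    "Users/jane/Documents/HOW_TO_DECRYPT_YOUR_FILES_a7k.txt",
    "Users/jane/Desktop/HOW_TO_DECRYPT_YOUR_FILES_a7k.html",
    "Users/jane/Desktop/notes.txt",
    "Users/jane/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/run.vbs",
]


def build_sample_tree(base):
    """Create the constructed layout under `base` with placeholder file contents."""
    for rel in SAMPLE_LAYOUT:
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample content")
    return base


def demo():
    """Build the sample tree in a temporary directory and return its triage summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(triage_tree(tmp))


if __name__ == "__main__":
    print(demo())
```

On a real host you would call triage_tree on the user profile root or a mounted image rather than on the constructed sample; the Startup-folder check relies only on the folder name, so it works on any drive letter or mount point.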

[Image: Serpent Ransomware Ransom Note]

When a victim opens one of these ransom notes, they will be provided with links to the Serpent Ransomware payment site. These links contain the victim's unique hardware ID so that the victim can log in and see details about the ransom payment.

More detailed information about the payment site is in the next section.

The Serpent Ransomware Payment Site

When a victim uses one of the links in the ransom note they will be brought to the Serpent Ransomware payment site. This site contains information such as the ransom amount, the bitcoin address a payment must be made to, a frequently asked questions page, and a support page.

Currently the ransom payment is set to 0.75 bitcoins, or approximately $730 USD. If the ransom is not paid within 7 days, this amount increases to 2.25 bitcoins, or approximately $2,200 USD.

The main page for the payment site can be seen below. This page contains a 7 day countdown timer, the ransom payment amount, the bitcoin address to send payment to, and an area that details how many payments have been made and their status.

[Image: Serpent Ransomware Payment Site]

The Serpent Ransomware FAQ page contains a list of frequently asked questions about what has happened to a victim's files.

[Image: Frequently Asked Questions Page]

The instructions page contains information on how to use the decryptor once a payment has been made.

[Image: Instructions Page]

Finally, the support page contains a form where a victim can ask the malware developers a question.

[Image: Serpent Ransomware Support Page]

As previously stated, at this time there is no way to decrypt files encrypted by the Serpent Ransomware for free. For those who wish to discuss this ransomware or receive support, you can use our dedicated Serpent Ransomware Help & Support Topic.

Associated Serpent Ransomware Files:

[Image: associated file list]

Network Communication:

[Image: network communication indicators]

Ransom Note Text:

[Image: ransom note text]

Targeted File Extensions:

[Image: list of 876 targeted file extensions]

News Courtesy :