{"id":2531,"date":"2024-09-25T18:40:46","date_gmt":"2024-09-25T18:40:46","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2531"},"modified":"2025-07-29T03:51:40","modified_gmt":"2025-07-29T03:51:40","slug":"nuclear-the-radioactive-ransomware","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/nuclear-the-radioactive-ransomware\/","title":{"rendered":"Nuclear \u2013 the radioactive ransomware"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Overview<\/ins><\/strong>

As ransomware variants continue to send users into meltdown, it\u2019s fitting that the latest variant to shake victims to their core has been dubbed \u2018Nuclear\u2019. This latest strain belongs to the BTCware ransomware family (which is itself an adaption of the cryptxxx family) and demands a bitcoin payment before user files are restored. Other BTCware variants include .aleta, .gryphon, .xfile and .master. <\/p>\n\n\n\n

Delivery<\/ins><\/strong>

One interesting feature of the BTCware family is its delivery method. Its authors favour hacking into networks via remote desktop services that employ weak passwords before dropping the ransomware. As the description suggests, there is no great level of skill involved in hacking these remote desktop services \u2013 the attackers literally guess the credentials, using the most common username and password combinations\u2026 Admin\/admin anyone?<\/p>\n\n\n\n

Infection<\/ins><\/strong>

Static Analysis:

SHA 256: 63ab37b3051369013734341941fdf548ac17ec886d8402a5b749b374aea29af5

File type and size: PE32 executable and around 752 KB in size.
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 1 File metadata<\/em>

The above snapshot shows the malware\u2019s metadata, including the file type and creation timestamp. Nuclear\u2019s original file name was \u2018Underkeeper2.exe\u2019 and its original product name was \u2018kittorrent inc\u2019. The timestamp shows us the file was created on September 5, 2017 and the language code suggests the ransomware is of Albanian origin.

The below details indicate the file was compiled using visual basic: \u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 2 Compiler details of the sample<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 3 Visual Basic signature<\/em>

Version details:<\/ins><\/strong>

\u2022\u00a0\u00a0 \u00a0VALUE \u00a0“CompanyName”, “Ktobiti Inc.”

\u2022\u00a0\u00a0 \u00a0VALUE \u00a0“ProductName”, “Kittorrent Inc.”

\u2022\u00a0\u00a0 \u00a0VALUE \u00a0“FileVersion”, “1.03.0002”

\u2022\u00a0\u00a0 \u00a0VALUE \u00a0“ProductVersion”, “1.03.0002”

\u2022\u00a0\u00a0 \u00a0VALUE \u00a0“InternalName”, “Underkeeper2”

\u2022\u00a0\u00a0 \u00a0VALUE \u00a0“OriginalFilename”, “Underkeeper2.exe”

We ran the original file name (Underkeeper2.exe) and company name (Ktobiti Inc.) through the \u2018isthisfile safe\u2019 service and both were flagged as malicious:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 4 Underkeeper2 as the search value for file name<\/em>
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 5 kitobiti Inc as search value for company name<\/em>

Based on the search results, we know all the files with the same version information have bad reputations.

File debugging:<\/ins><\/strong>

Analysing malware compiled in Visual Basic is always a little more complicated than other samples. In this case, we used the OllyVB plugin:\u00a0
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 6 OllyVB name windows<\/em>

Using Ollyvb allowed us to uncover the dll function call details. Armed with this information, we can put breakpoints on all the dll function calls and proceed for full run:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 7 Breakpoints on the dll function calls<\/em>

Behaviour analysis:<\/ins><\/strong>

When we executed the sample in our controlled environment, we observed the sample accessing volume shadow copy. Shadow copy is a Windows service which takes periodic backup snapshots. Generally, one method of circumventing ransomware infections is to revert to earlier shadow copies. In this case, the malware author is one step ahead as the Nuclear variant deletes volume snapshots:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 8 volume snapshot delete<\/em>

The \u201cvssadmin.exe Delete Shadows \/All \/Quiet\u201d command is used by the ransomware to delete the shadow volume. Nuclear doesn\u2019t stop here, it also disables the Windows error recovery on start up by using the boot configuration data edit tool (BCDEdit).<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


Figure 9 recoveryenabled Yes (Bcdedit)<\/em>

The above snapshot shows the recovery enabled status as \u201cYes\u201d but Nuclear runs the following command: \u201cbcdedit.exe \/set {default} recoveryenabled No\u201d. This disables the error recovery on start up. After this change has been made, the following commands are run:
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 10 bootstatuspolicyignoreallfailures<\/em>

We found two interesting strings in the memory:\u00a0

\u2022\u00a0\u00a0 \u00a0“%APPDATA%\\HELP.hta”

\u2022\u00a0\u00a0 \u00a0DECRYPTINFO

Changes we observed in run entry relate to the above memory strings \u2013 \u00a0Help.hta is the physical location of file path and decryptinfo is the value in the run entry:<\/p>\n\n\n\n

HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN”
“DECRYPTINFO”
“%APPDATA%\\HELP.hta”<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

This helps the malware keep persistence. 

The hta file is the ransom note, which is displayed after files are encrypted with the .nuclear extension, along with the email id.<\/p>\n\n\n\n

Ransom note:<\/ins><\/strong>
\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 11 Nuclear Ransomware Note<\/em>

Interestingly, the ransom note does not specify an amount to be paid \u2013 this amount is given to the victim after they contact the attackers. Payment can only be made in bitcoin and the attackers offer to decrypt three files (up to 1 MB) for free, as a good will gesture.\u00a0

Threat Indicators<\/ins><\/strong>

IOC details:<\/strong>

Email:<\/strong>\u00a0

assistance@firemail.cc

2ndsupport@protonmail.com

File Extension added:\u00a0<\/strong>

.[assistance@firemail.cc].nuclear

Mutex:\u00a0<\/strong>

\\Sessions\\1\\BaseNamedObjects\\NUCLEAR<\/p>\n\n\n\n

Conclusion<\/ins><\/strong>

The criminals behind Nuclear exploit weak username and password combinations of remote desktop services. This modus operandi simply wouldn\u2019t work if people didn\u2019t keep these credentials set as the default \u2013 or generally weak \u2013 combinations. 

Strong passwords \u2013 on everything requiring a password \u2013 are a crucial plank in a strong defensive posture.

Finally, keeping frequent backups will enable you to restore your files to a recent version in the event you do fall victim to ransomware.

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Overview As ransomware variants continue to send users into meltdown, it’s fitting that the latest variant to shake victims to their core has been dubbed ‘Nuclear’. This latest strain belongs to the BTCware ransomware family (which is itself an adaption of the cryptxxx family) and demands a bitcoin payment before user files are restored. Other […]<\/p>\n","protected":false},"author":1,"featured_media":2544,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2531","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2531","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2531"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2531\/revisions"}],"predecessor-version":[{"id":4263,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2531\/revisions\/4263"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2544"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}