Sangfor Technologies Security Lab (aka Quianlimu) has discovered a new version of an old ransomware used to attack Chinese enterprises. After attackers’ initial compromise of an internal jump server via brute-forcing, the invading malware uses a toolkit to infect hosts across the internal network and deliver the ransomware to encrypt files. The ransomware appends encrypted files with hardcoded suffix “.[].DEADMIN” and is the email address to contact hackers. In the ransom demand, attackers identify themselves as DEADMIN LOCKER. At the time of writing, there is no decryption tool for this ransomware.
Alert New version of DEADMIN LOCKER Ransomware 01
The toolkit obtained from infected hosts includes password collector, remote login tool and other attacking tools, such as AutoMIMI, Lazy, rdp_con, gmer, and even “!RDP” which is used to launch remote desktop connections.
Alert New version of DEADMIN LOCKER Ransomware 02
Password interception tools: AutoMIMI, mimi, netpass64.exe, and Lazy
Intranet scanning tools: masscan, !PortScan, Advanced_Port_Scanner, and NetworkShare
Brute-force attack tools: NLBrute
Remote access tools: psexec, !RDP, and rdp_con
Antivirus evasion tools: gmer, PCHunter64, PowerTool, PowerTool_64, and ProcessHacker64

Intrusion Tracking
1. During a live attack, Sangfor security consultants analyzed the security logs of multiple encrypted hosts and found login records from an internal host (later referred to as the “jumper server”) in the events of all ransom notes generated by infected hosts.
Alert New version of DEADMIN LOCKER Ransomware 03
2. The jump server was then investigated and the initial attack toolkit containing the intranet scanners and remote access tools was found.
Alert New version of DEADMIN LOCKER Ransomware 04
3. Analysis of the jump server security logs, looking at the time when the ransom notes were generated, found a public IP address ( This IP address was previously marked as malicious in the Sangfor threat intelligence Neural-X platform.

4. Before this attack, Sangfor discovered that the jump server had successfully been brute-forced before. According to the logs, more than ten IP addresses had been used to successfully log in. Most of them were detected as malicious IP addresses based on threat intelligence. That is to say, the host had become a hacking target a long time ago.

The Penetration Tool Analysis
We simulated and profiled the penetration behaviors against the internal network:

1. After local privilege escalation, hackers used mimikatz to intercept the login password of a host, using an automated script, launch.vbs, to simplify password interception.
Alert New version of DEADMIN LOCKER Ransomware 05
2. Hackers then added the passwords to a password dictionary because many administrators often use the same password on multiple servers, which makes password cracking easier.
Alert New version of DEADMIN LOCKER Ransomware 06
3. A port scanner was used to scan the internal network, and locate hosts with open ports 445 and 3389.
Alert New version of DEADMIN LOCKER Ransomware 07
4.  For hosts with port 3389 open, hackers used NLBrute to brute force login account username and password.
Alert New version of DEADMIN LOCKER Ransomware 08
5. For hosts with open port 445 only, hackers attempted to obtain user credentials by launching brute-force attacks.
Alert New version of DEADMIN LOCKER Ransomware 09
6. Once compromised, psexec was used to upload a script to target hosts to start an RDP service.
Alert New version of DEADMIN LOCKER Ransomware 10
7. After obtaining usernames and passwords of successfully brute forced hosts, hackers used rdp_con tool to connect to them.
Alert New version of DEADMIN LOCKER Ransomware 11
8. When rdp_con connected to the victim hosts, hackers uploaded a series of antivirus evasion tools to terminate antivirus software, and finally run the ransomware. At this point, the entire intrusion process is completed.

Ransomware Analysis
1. Ransomware file uses UPX to pack itself.  After being executed, it calls Winexec to delete the shadow disk volume to prevent users from restoring data. 
Alert New version of DEADMIN LOCKER Ransomware 12
2. Termination of the following service to ensure encryption process:
vmickvpexchange, vmicguestinterface, vmicshutdown, vmicheartbeat, vmicrdv, storflt, vmictimesync, vmicvss, MSSQLFDLauncher, MSSQLSERVER, SQLSERVERAGENT, SQLBrowser, SQLTELEMETRY, MsDtsServer130, SSISTELEMETRY130, SQLWriter, MSSQL, SQLAgent, MSSQLServerADHelper100, MSSQLServerOLAPService, MsDtsServer100, ReportServer, TMBMServer, postgresql-x64-9.4, UniFi, vmms, sql-x64-9.4, UniFi, vmms

3. Traverse processes to terminate the following:
sqlbrowser.exe, sqlwriter.exe, sqlservr.exe, msmdsrv.exe, MsDtsSrvr.exe, sqlceip.exe, fdlauncher.exe, Ssms.exe, sqlserv.exe, oracle.exe, ntdbsmgr.exe, ReportingServecesService.exe, fdhost.exe, SQLAGENT.exe, ReportingServicesService.exe, msftesql.exe, pg_ctl.exe, postgres.exe, UniFi.exe, sqlagent.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesctopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, erbird.exe, visio.exe, winword.exe, wordpad.exe

4. Generate an AES secret key, use RSA to encrypt the AES secret key, and then use AES algorithm to encrypt file. 
Alert New version of DEADMIN LOCKER Ransomware 13
5. Create a .txt ransom note on desktop and drop it under each root directory during directory traversal and encryption:
Alert New version of DEADMIN LOCKER Ransomware 14
6. Traverse and encrypt disks. Determine whether directory under C drive is system directory.   If it is system directory, skip it.
Alert New version of DEADMIN LOCKER Ransomware 15
7. Delete itself after encryption:
Alert New version of DEADMIN LOCKER Ransomware 16
At the time of writing, there is no decryption tool for this ransomware. You must isolate infected hosts and disconnect them from network. Sangfor recommends performing virus scans on all systems to locate and removal the malware as soon as possible.

Detection and Removal
1. Sangfor Ransomware Protection Solution, based on the Sangfor’s NGAF and Endpoint Secure products, is capable of detecting and removing this ransomware virus.
Alert New version of DEADMIN LOCKER Ransomware 17
2. Sangfor offers customers and users free anti-malware software to scan for, and remove the ransomware. It can be downloaded from:
Package for 64-bit Windows:
Anti-Malware Software

1. Patch Windows to remove open vulnerabilities.
2. Back up critical data files regularly to other hosts or storage devices.
NOTE: This is the single easiest way to defeat ALL ransomware!
3. Change and strengthen your computer passwords and do not use the same passwords for different computers, to avoid compromising multiple systems.
4. Do not click on any email attachment or included web link from unknown sources or download any software from untrusted websites.
5. Disable unnecessary file sharing.
6. Disable RDP if not needed.

Solution for Sangfor Customers
1. When an DEADMIN LOCKER attack is found, Sangfor NGAF or Endpoint Secure should block ports 3389 and 445 to stop ransomware from spreading.
2. Sangfor NGAF and Endpoint Secure can prevent brute-force attacks. Turn on brute-force attack prevention on NGAF and enable Rule 11080051, 11080027 and 11080016. Turn on brute-force attack prevention on Sangfor EDR.
3. Schedule Sangfor Endpoint Secure to run both virus and vulnerability scans on all endpoints.
4. For Sangfor NGAF customers, update NGAF to version 8.0.5 or higher and enable AI-based Sangfor Engine Zero to identify incoming malware.
5. Sangfor Endpoint Secure can identify most popular hack tools, and block and disable them when detected. For Sangfor Endpoint Secure customers, enable ransomware prevention to block ransomware.
6. Make sure all Sangfor security products are connected to cloud-based Sangfor Neural-X Threat Intelligence, to detect new threats.
7. Subscribe to Sangfor Security Operations HealthCheck services to audit your existing security deployment by reviewing current security policies, evaluating security threats and risks, scanning for relevant vulnerabilities, and updating policies to enhance your protection.

Listen To This Post


Get in Touch

Get in Touch with Sangfor Team for Business Inquiry

Related Articles

Cyber Security

Cybersecurity Awareness Month CSAM 2023: Key Strategies

Date : 15 Sep 2023
Read Now

Cyber Security

Dallas Ransomware Attack Affects 30,253 People

Date : 29 Aug 2023
Read Now

Cyber Security

Rhysida Ransomware: Everything You Need to Know

Date : 17 Aug 2023
Read Now

See Other Product

Cyber Command - NDR Platform
Endpoint Secure
Internet Access Gateway (IAG)
Sangfor Network Secure - Next Generation Firewall
Sangfor Access Secure
icon notification