Crypto Guest at Dawn: EndPoint (Midnight) ransomware analysis
Summary
EndPoint is a ransomware variant formerly known as Midnight, believed to be built on the Babuk ransomware framework. It targets not only Windows environments but also ESXi and NAS environments, and it uses a double-extortion method that combines file encryption with the threat of data exfiltration.
Overview
Since the Babuk source code leak, several derivative ransomware families have emerged, and EndPoint is one of them. Encrypted files are given the .endpoint extension, and the ransom note includes a uTox ID through which the victim is expected to make contact. In the past, the schipkealfred@gmail.com account that appeared in the ransom note impersonated the director of the East Asia Institute; this account has been identified as one used by North Korea-linked threat actors since 2024.
Analysis
File encryption
EndPoint uses command-line arguments to adjust the scope of encryption: -paths= encrypts only the specified paths, /n encrypts only network shared folders, and /e disables renaming encrypted files with the .endpoint extension. A debug.endpoint file is created in the directory of the executable to log FindFirstFileW and MoveFileExW failures.
Before encryption, it terminates several processes such as database, office and mail client processes, and deletes volume shadow copies with the command vssadmin.exe delete shadows /all /quiet. It also forcibly stops backup- and security-related services such as vss, sql, Veeam, Sophos and Acronis.
It excludes from encryption directories such as Windows, Program Files and AppData, files such as bootmgr and ntuser.dat, and file extensions such as .exe, .dll, .msi and .endpoint. It creates encryption threads according to the number of CPU cores and uses the mutex Mutexisfunnylocal to prevent duplicate execution.
ChaCha20, a symmetric cipher, is used to encrypt files, and the generated session key is protected by an in-house implementation of the RSA public-key operation. Depending on the file size, it uses partial encryption, encrypting only a portion of the file rather than the whole, to control processing speed and impact. After encryption, the session key and a SHA-256 hash are stored in a footer appended to the file.
Ransom note
The desktop background is not changed; instead, a ransom note named How To Restore Your Files.txt is created in every encrypted path. The note states that the data was stolen and encrypted, claims that recovery is possible after payment, provides a contact method based on the Session messenger, offers three files decrypted for free, and warns that the amount will increase if payment is delayed.
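The host-based indicators described in the file encryption and ransom note sections above (the vssadmin command, the -paths=, /n and /e switches, the Mutexisfunnylocal mutex, the debug.endpoint log, the .endpoint extension and the note file name) can be turned into simple detection logic. The following is an added example, not code from the original analysis; the "type|key=value" log format and the sample events are constructed for illustration.

```python
import re

# Constructed sample telemetry in a hypothetical "type|key=value;key=value" format, not real logs.
SAMPLE_EVENTS = [
    "process|cmdline=vssadmin.exe delete shadows /all /quiet",
    "process|cmdline=svc.exe -paths=D:\\share /n",
    "mutex|name=Mutexisfunnylocal",
    "file|path=D:\\share\\report.xlsx.endpoint",
    "file|path=D:\\share\\How To Restore Your Files.txt",
    "file|path=C:\\Users\\Public\\debug.endpoint",
    "process|cmdline=explorer.exe",
    "file|path=D:\\share\\quarterly.docx",
]

# (rule name, event type, field, predicate); the indicators are those listed in the analysis above.
RULES = [
    ("shadow_copy_deletion", "process", "cmdline",
     lambda v: re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", v, re.I) is not None),
    # -paths=, /n and /e look like ordinary switches, so this rule is weak on its own.
    ("endpoint_cli_switches", "process", "cmdline",
     lambda v: re.search(r"(^|\s)(-paths=\S*|/n|/e)(\s|$)", v, re.I) is not None),
    ("endpoint_mutex", "mutex", "name", lambda v: v == "Mutexisfunnylocal"),
    ("endpoint_debug_log", "file", "path", lambda v: v.lower().endswith("\\debug.endpoint")),
    ("endpoint_extension", "file", "path",
     lambda v: v.lower().endswith(".endpoint") and not v.lower().endswith("\\debug.endpoint")),
    ("endpoint_ransom_note", "file", "path",
     lambda v: v.lower().endswith("\\how to restore your files.txt")),
]

def parse_event(line):
    """Split 'type|k=v;k=v' into (type, {k: v}); values may contain spaces and slashes."""
    event_type, _, rest = line.partition("|")
    return event_type, dict(p.split("=", 1) for p in rest.split(";") if "=" in p)

def scan(lines):
    """Return [(rule_name, line)] for every event that satisfies a rule."""
    hits = []
    for line in lines:
        event_type, fields = parse_event(line)
        for name, wanted_type, field, predicate in RULES:
            if event_type == wanted_type and predicate(fields.get(field, "")):
                hits.append((name, line))
    return hits

def triage(lines, threshold=3):
    """Only call it EndPoint when several distinct indicators co-occur, to limit false positives."""
    distinct = {name for name, _ in scan(lines)}
    return {"distinct_rules": len(distinct), "likely_endpoint": len(distinct) >= threshold}
```

The shadow-copy deletion rule is worth alerting on by itself, since the command is rarely run legitimately; the remaining rules are combined in triage() because some of them (notably the switches) would be noisy alone.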
AhnLab Response Overview
AhnLab products detect this family under the following names: Trojan/Win.Generic.C5765109, Ransom/MDP.Delete.M2117, Ransom/MDP.Command.M2255, Ransom/MDP.Decoy.M1171, Ransom/MDP.Event.M1946, Ransom/MDP.Event.M1875, SystemManipulation/EDR.Event.M2486, Ransom/EDR.Decoy.M2470.
Conclusion
EndPoint has a systematic structure: partial encryption that adjusts the encryption scope according to file size, ChaCha20-based encryption, its own RSA public-key implementation, footer-based storage of key material, and mutex-based execution control. This combination of efficiency and stealth makes it a threat designed to spread damage quickly and prevent recovery.
Response Guide
Data should be backed up offsite, separated from the service network, with access control on backup storage and regular recovery drills. It is also necessary to apply the latest security updates to operating systems and software, keep security software up to date, maintain offline or separate-network backups, beware of untrusted links and attachments, and use passwords that are difficult to guess together with two-factor authentication (2FA).