New ransomware with ‘.SaveTheQueen’ extension discovered by Varonis

The findings regarding this ‘next-generation’ ransomware were put forward via a blog post by Varonis.

The progress of the newly uncovered malware was found to be tracked using the system volume (SYSVOL) folder found on active directory (AD) domain controllers.

The initially infected user, who contacted Varonis to report the ransomware, named a file ‘hourly’ and saved it in the SYSVOL folder. This would be accessed by various IP addresses.

The ransomware was found to be concealed by ConfuserEX, an open source .NET protector.

Who’s taking malware seriously? SonicWall’s CEO has the answers

Bill Conner, president and CEO of SonicWall, takes Information Age through the current cyber security landscape. Read here

However, while the way the malware infiltrated the system and the way it was made up was new, the payload was not.

“The final payload is very plain ransomware. No persistence, no C2 connection — just good old asymmetric encryption to make the victims’ files unreadable,” the blog post from Varonis explained.

Its function’s parameters allowed it to:

  • Use a public key to encrypt the files;
  • Apply the file extension ‘.SaveTheQueen’ after encryption, and
  • Include the author’s email in the ransom note.


After looking for files within local and mapped drives to encrypt, attempts were made to close any process using those files.

Files were then renamed ‘<file>.SaveTheQueenING’ with the aid of the MoveFile function, before encryption.

Once the files were encrypted, their names were changed again to ‘<file>.SaveTheQueen’.

Then, the ransom note was added to the directory.

This ransomware, according to Varonis, does not encrypt EXE, DLL, MSI, ISO, SYS or CAB file types, nor does it encrypt files in the following folders:

  • C:windows
  • C:Program Files
  • C:Program Files (x86)
  • C:Users<user>AppData
  • C:inetpub

Encryption and lawful access; the problem with Barr’s judgement

US Attorney General William Barr has reignited the debate over lawful access, but cybersecurity expert, Callum Tennent argues that if governments are given the power to break encryption these powers will be abused. Read here

Keeping watch

Log files were created in the same folder by the person behind the attacks, each of which were named after a device within the affected domain.

“We concluded that the log files were used to monitor the infection process on new devices, and that the ‘hourly’ file was a scheduled task that ran malware on the new devices using a PowerShell script, samples ‘v3’ and ‘v4’,” said the blog post.

“The attacker had likely obtained and used domain admin privileges to write files to SYSVOL. The attacker ran PowerShell code on the infected hosts that created scheduled task to open, decode and run the malware.”

Before trying and failing to decode the malware once they found it, Varonis staff opted to utilise the ‘Magic’ method from GCHQ‘s CyberChef app.

Using this, they found that the file responsible was Gzip under base64, after which the file was decompressed to reveal that the injector of the ransomware was an unprotected .NET file.

The shellcode

“After reading the source code using DNSpy, we understood its sole purpose was to inject shellcode into the “winlogon.exe” process,” said Varonis’s blog post.

Injecting shellcode into winlogon.exe, a standard component of Windows operations, made it even harder than usual to detect.

AI in cyber security: a necessity or too early to introduce?

The threats against organisations are growing in volume and success, but can AI in cyber security stop the rot and turn failure into success? Read here

“We used Hexacorn’s shellcode2exe utility to ‘compile’ the shellcode into an executable to debug and analyse. We then realised that the shellcode worked on both 32-bit and 64-bit machines,” the post continued.

“Writing even simple shellcode in native assembly can be difficult; writing full shellcode ransomware that works on 32-bit and 64-bit systems requires a high set of skills, so we started to wonder about the sophistication of the attacker.”

After further digging, Varonis found that the shellcode was written with the aid of generic software for this task, and that it could be written in exactly the same way using a tool called Donut.

“To confirm our theory, we compiled our own code using Donut and compare it with the sample – it was a match,” explained the blog post.

From there, the team unpacked the code using Elektrokill Unpacker.

A new generation of ransomware

This news comes following the recent discovery of the ‘Ekans’, or ‘Snake’, attack, which targets Windows systems used within industrial control infrastructures.

Designed to stop 64 different processes, something that makes the attack unique, it’s capable of attacking oil refineries, power grids and other high-value industrial systems.

Regarding how to stop new ransomware attacks such as these, Nick Palmer, technical director at Attivo Networks, said: “No matter how good your cyber defences are, it is always a good idea to prepare for a ransomware attack by having a playbook that documents how to respond, to avoid a situation where employees are learning what to do as an attack is happening.

“Companies can give themselves extra time to respond effectively with tools like deception technology that slow the ransomware down, and, where possible, divert it to non-critical systems.

“In the event of a successful ransomware attack, determine ahead of time under what conditions, if any, you would pay. Discuss the pros and cons and the risks you are prepared to accept if you are unable to regain access to your files.”

Avatar photo

Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.