Ironchain — Technical Analysis / V3

IronChain 3.0 Ransomware — Full Analysis

1. Sample Identification

IronChain 3.0 is a Python 3.14 ransomware distributed as a PyInstaller-packed Windows executable. The binary consists of a minimal PE32+ bootloader with the entire ransomware logic contained in a Python 3.14 bytecode module (IronChain.pyc) within the overlay archive. No obfuscation is applied — the bytecode disassembles to readable Python logic with clear string literals and function names.

Archive Contents

2. Infrastructure

3. Ransom Note

Filename

PLEASEREADTHIS.txt — dropped on Desktop and C:\Users\Public\, opened automatically via os.startfile()

Content (from bytecode strings @ multiple addresses)

IRONCHAIN RANSOMWARE

Your computer has been encrypted by IronChain 3.0.

All your important files (documents, photos, videos, databases, and other files) have been encrypted with military-grade encryption and unique key for your computer.

WHAT HAPPENED TO MY COMPUTER?
We encrypted all your files and you cannot access them anymore. Nobody can recover your files without our decryption software.

HOW TO RECOVER FILES?
The only way to recover your files is to buy decrypt tool and unique key for your computer.
This software will decrypt all your encrypted files.

WHAT GUARANTEES DO I HAVE?
We value our reputation in the security community. If you do not recover your files, nobody will pay us in the future, so it is in our own interests to get your files back to you.

You have 72 hours to contact us and make payment. After 72 hours, your unique key will be deleted from our servers and your files will be lost forever.

To prove that we can recover your files, you can send us 1 small file (less than 1MB) and we will decrypt it for free.

CONTACT:
1. Download Tor Browser from: https://www.torproject.org/
2. Visit: ironchaindecrypt7xfzq5tclm9jzpwq72uofgy2znkdsxm54zbcu2yid.onion
3. Enter your unique ID: [UNIQUE_ID_PLACEHOLDER]

Alternative contact:
TOX ID: 1A51DCBB33FBF603B385D223F599C6D64545E631F7C870FFEA320D84CE5DAF076C1F94100B5B

IMPORTANT WARNINGS:
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryptors of other vendors are incompatible and may destroy your files forever.

Your unique ID: [UNIQUE_ID_PLACEHOLDER]

HTA Interface

11 KB multilingual HTML Application (IronChain.hta) with EN/ES/FR/DE support, countdown timers (72h deadline + 24h doubling), and contact information. Launched via mshta.exe and designed as always-on-top single-instance interface.

4. Execution Flow (<module> @ IronChain.pyc:1)

1.  Single-instance mutex check (`IronChainMutex_<8random>`)
2.  Command-line parsing (`--old-path` for self-deletion)
3.  Admin elevation check + UAC re-launch if needed
4.  RSA-4096 keypair generation (runtime, never exfiltrated)
5.  Self-relocation to System32 subfolder with Microsoft binary masking
6.  Original process termination via WMIC
7.  Process criticality setting (kill = BSOD via NtSetInformationProcess)
8.  Defense evasion (kill 39 processes, stop 16 services)
9.  Persistence installation (6 layers: Run, Winlogon, Service, SafeBoot)
10. Recovery inhibition (VSS deletion, bcdedit safeboot minimal)
11. Install time anchor creation (`C:\ProgramData\IRONCHAIN\time.dat`)
12. Boot destruction (MBR + UEFI overwrite)
13. Ransom note generation and display (text + HTA)
14. Self-protection (HIDDEN+SYSTEM attributes, restrictive ACLs)
15. Network isolation (hosts file blocking 50 security/tool sites)
16. Background threads launch (6 daemons)
17. DDoS flood start (320 threads targeting gateway + external)
18. CD-ROM eject attempt (broken implementation)
19. Keyboard hook installation (WH_KEYBOARD_LL input blocking)
20. Message pump (maintains hook, ~11 days or until forced shutdown)

Thread Architecture

Main Thread: Message pump maintaining keyboard hook
Daemon Threads (6): - dos: Self-deletion cleanup (10s delay) - ew: Encryption orchestrator (ThreadPoolExecutor, 16 workers) - nw: Network lateral movement (10s rescan loop) - uw: USB propagation watcher (2s polling) - em: MFT destruction (parallel to encryption) - fc: Force shutdown (4min delay, kill explorer/notepad, shutdown)

Worker Pools: - Encryption: 16 threads via concurrent.futures - Network propagation: 50 threads for subnet scanning - DDoS: ~320 daemon threads (UDP/HTTP flood)

5. Encryption System

Key Exchange

Critical Flaw: The RSA private key exists only in process memory (rsa_key global) and is never serialized, transmitted, or stored. Process termination permanently destroys the only means of decryption.

Symmetric Cipher

Multi-Layer Cipher (mc @ IronChain.pyc:745)

Critical Flaw: Before AES-GCM, files undergo a destructive transformation:

def mc(data):
    layers = random.randint(2, 7)        # 2-7 random Caesar layers
    shifts = []
    result = bytearray(data)
    for _ in range(layers):
        shift = random.randint(-255, 255)
        shifts.append(shift)
        for i in range(len(result)):
            if random.random() < 0.75:   # 75% probability per byte
                result[i] = (result[i] + shift) & 0xFF
    return bytes(result), shifts

The calling function ef() discards the shifts return value. These parameters are never stored and random is not seeded, making the transformation mathematically irreversible.

File Encryption Process (ef @ IronChain.pyc:760)

1. Open file for binary read, check exclusions
2. Generate AES key via get_random_bytes(32)
3. Apply mc() transformation (irreversible, shifts discarded)
4. Intermittent encryption logic: - Files ≤ 1,153,434 bytes: Full encryption (single AES-GCM) - Files > 1,153,434 bytes: Three chunks
   • First 500 KB
   • Random 50 KB (position between first_size and filesize-last_size-50KB)
   • Last 500 KB
5. RSA-OAEP wrap AES key with runtime public key
6. Write encrypted file with header + wrapped key + encrypted chunks
7. Delete original via os.remove()

Intermittent Encryption

• Files ≤ 1,153,434 bytes (~1.1 MB): Full encryption
• Files > 1.1 MB: First 500 KB + random middle 50 KB + last 500 KB
• Plaintext preservation: Middle sections between encrypted chunks remain unmodified

Encrypted File Format

[HEADER: 38 bytes]
  Marker: "CHAINED_6617-382+819=...!_(13RANDOM)"

[KEY_LENGTH: 2 bytes little-endian]

[WRAPPED_KEY: 512 bytes for RSA-4096]

--- For intermittent files (>1.1MB) ---
[NONCE_FIRST: 16 bytes][TAG_FIRST: 16 bytes]
[NONCE_MID: 16 bytes][TAG_MID: 16 bytes] 
[NONCE_LAST: 16 bytes][TAG_LAST: 16 bytes]
[ENCRYPTED_DATA: chunks with plaintext gaps]

--- For small files (≤1.1MB) ---
[NONCE: 16 bytes][TAG: 16 bytes]
[ENCRYPTED_DATA: complete]

6. File Targeting

Targeted Directories

Phase 1 — User Folders (8):
Desktop, Downloads, Documents, Pictures, Videos, Music, Favorites, 3D Objects

Phase 2 — Critical System Files:
Boot managers, system executables, critical DLLs (deliberately targeted to brick system)

Phase 3 — System Directories:
%SystemRoot%\System32, %SystemRoot%, %ProgramFiles%, %ProgramFiles(x86)%

Phase 4 — Additional Drives:
All fixed, removable, and CD-ROM drives (D:, E:, F:, etc.) — C: skipped as covered in phases 1-3

Excluded Directories

None implemented — the was() walker function applies no directory exclusions. All discovered directories are recursively processed.

Excluded Files

Critical System Targeting

Deliberately targeted for destruction: - bootmgr, bootmgr.exe - winload.exe, winload.efi - winresume.exe, winresume.efi - taskmgr.exe, regedit.exe, services.msc - winlogon.exe, services.exe, lsass.exe - advapi32.dll, cfgmgr32.dll

This targeting ensures system unbootability and critical process failure, supporting the assessment that IronChain functions as a wiper rather than recoverable ransomware.

7. Recovery Inhibition

Commands executed via rh()/rhl() subprocess wrappers:

Additional MFT Destruction (em @ IronChain.pyc:1258):

Raw volume access to \\.\C: with AES-CTR overwrite of 1 GB NTFS Master File Table region. The encryption key (get_random_bytes(32)) is never stored, ensuring permanent filesystem metadata corruption.

8. Targeted Services (16)

Stopped via net stop + disabled via sc config + deleted via sc delete:

Security services: AVP, KAV, BDSS, Bitdefender, avast! Antivirus, avast! Service, AVG, MBAMService, DrWeb, wscsvc (Security Center), SecurityHealthService, Sense (Defender ATP), WinDefend, WdNisSvc, MpKslDrv, NisSrv

Implementation: ss() @ IronChain.pyc:195 — 16 hardcoded service names processed sequentially with error suppression.

9. Targeted Processes (39)

Terminated via taskkill /f /im:

Administrative tools: taskmgr, regedit, cmd, msconfig, mmc, services.msc, control, SystemSettings, WindowsSecurity
Process analysis: procexp, procexp64
Security products: MsMpEng (Defender), AVP/KSDE/KAVSVC/AVPUI (Kaspersky), BDAGENT/BDSERVICEHOST/BDREDLINE/BDWTXAG (Bitdefender), AVASTUI/AvastSvc/AvastEmUpdate (Avast), AVGUI/AVGSvc/avgwdsvc (AVG), MBAM/mbamtray/MBAMService/mbamguard (Malwarebytes), dwengine/dwservice/dwagent (Dr.Web)
Command-line tools: powershell, pwsh, taskkill, wmic, diskpart, bootrec

Implementation: kp() @ IronChain.pyc:191 — 39 hardcoded process names with forced termination (/f flag).

10. Persistence & Evasion

Self-Relocation (mt @ IronChain.pyc:56)

Target: C:\Windows\System32\<random_subfolder>\<microsoft_binary_name>.exe
Masking: Copies self with legitimate Microsoft executable names for camouflage
Process: Creates batch script for original deletion, launches relocated copy with --old-path argument

Persistence Layers (6)

Process Protection

Critical Process Flag: mpc() @ IronChain.pyc:155
NtSetInformationProcess(handle, 29, &flag, 4) with ProcessBreakOnTermination
Effect: Terminating the process triggers BSOD (CRITICAL_PROCESS_DIED)

Registry Tampering (dci @ IronChain.pyc:257)

Image File Execution Options: - HKLM/HKCU\...\IFEO\cmd.exe → Debugger=svchost.exe - Effect: All cmd.exe executions redirect to svchost.exe

Policy Restrictions: | Policy | Registry Value | Effect | |---|---|---| | DisableTaskMgr | 1 | Block Task Manager | | NoRun | 1 | Disable Run dialog | | DisableRegistryTools | 1 | Block regedit access | | NoControlPanel | 1 | Hide Control Panel | | EnableLUA | 0 | Disable UAC | | DisallowRun | 1-11 entries | Block specific tools |

Defender Disabling

Registry tampering: DisableAntiSpyware = 1 in Windows Defender policies
Service termination: WinDefend, WdNisSvc, SecurityHealthService, Sense
Process killing: MsMpEng
Exclusion addition: PowerShell Add-MpPreference -ExclusionPath for dropper location

Keyboard Input Blocking (hp @ IronChain.pyc:1313)

Hook: SetWindowsHookEx(WH_KEYBOARD_LL, hp, ...) with global low-level keyboard hook
Callback: Returns 1 for all WM_KEYDOWN messages
Effect: All keyboard input swallowed — user cannot type in any application

Network Isolation (bw @ IronChain.pyc:1054)

Hosts file modification: C:\Windows\System32\drivers\etc\hosts
Blocked domains (50): Security vendors, update servers, tutorial sites, and critically: torproject.org
Auto-sabotage bug: Torproject.org is blocked despite being needed for payment access

Anti-Analysis Summary

11. Command-Line Arguments

Usage: Set by self-relocation mechanism (mt) to enable cleanup of original dropper location via background thread (dos).

12. Static Imports Summary

Note: As a PyInstaller Python executable, traditional PE imports are minimal. Functionality is provided through Python bytecode imports:

13. IDA Analysis — Python Functions

Note: Analysis performed via Python 3.14 native dis module on extracted bytecode. Function addresses reference line numbers in disassembly.

14. Indicators of Compromise (IOCs)

Hashes

Network

Files

Registry

Behavioral

• Raw disk write to \\.\PhysicalDrive0 (MBR overwrite)
• Raw volume write to \\.\C: at MFT offset (filesystem destruction)
• bcdedit /set {default} safeboot minimal execution
• Mass taskkill /f /im across 39 process names
• net stop + sc delete across 16 service names
• WH_KEYBOARD_LL hook with input swallowing
• SMB share access to \\<IP>\C$\Users\Public\ across subnet ranges
• PowerShell WMI remote process creation (Invoke-WmiMethod)
• Hosts file modification blocking 50 domains including torproject.org

Distinctive Strings

• "CHAINED_6617-382+819=...!_(13RANDOM)" (file header)
• "IronChainMutex_" (mutex prefix)
• "IRONCHAIN v3.0 - Your data is our business" (HTA footer)
• "CHAINED - PAY TO DECRYPT" (MBR message)
• "IronChainSecurity" (service name)

15. MITRE ATT&CK Mapping

16. Summary

IronChain 3.0 represents a sophisticated destructive malware masquerading as ransomware. While the operational tradecraft demonstrates advanced understanding of Windows persistence, lateral movement, and anti-forensics techniques, the cryptographic implementation contains fundamental flaws that prevent file recovery regardless of payment.

Key Findings:

1. Cryptographic Impossibility: The multi-layer cipher discards shift values and the RSA private key is never exfiltrated, making decryption mathematically impossible even with operator cooperation.

2. Destructive Intent: Parallel MFT destruction, deliberate system file targeting, and boot loader overwrite before encryption completion indicate wiper functionality rather than profit-motivated ransomware.

3. Operational Sophistication: Six-layer persistence including SafeBoot survival, comprehensive lateral movement via SMB/WMI, and 320-thread DDoS anti-recovery demonstrate advanced threat actor capabilities.

4. Self-Sabotage: Multiple bugs including Tor portal blocking suggest either intentional destruction or extraordinary incompetence in monetization implementation.

IronChain 3.0 should be classified as a destructive wiper with ransomware theater. Organizations should prioritize containment and backup recovery rather than payment negotiation, as the threat actor lacks the technical means to restore encrypted data.