The state of Ransomware in 2015


Introduction

Ransomware has been a threat for quite some years, although the ransomware as its currently known, encrypting files, has only been around a few years. This change started with the initial 2013 CryptoLocker infections authored by the creator of the notorious Zeus banking malware, Slavik. Since CryptoLocker, many new variants as well as completely new families of ransomware have been appearing. Some stayed alive and ran successful operations for a long period of time which spanned years in some cases, while others disappeared as quickly as they appeared.

Takedowns in the world of ransomware are few and far between. Occasionally large operations with law enforcement result in successful takedowns as seen with the original CryptoLocker takedown; Operation Tovar in which Fox-IT InTELL played a key role and released a whitepaper about: GameOver Zeus: Backgrounds on the Badguys and Backends. Together with the joint effort takedown with law enforcement, Fox-IT InTELL was also able to support CryptoLocker victims in decrypting and recovering their files.

Sadly there is still a lot of ransomware going around. In this article we describe what we consider the top 3 of ransomware families currently active. We take a look at how and what they target for encryption as well as how we at Fox-IT combat them, looking at it in terms of detection and prevention.

Top 3 Ransomware families

We consider the following three ransomware families to be at the top of the ransomware threats alive right now:

  • CryptoWall
  • CTB-Locker
  • TorrentLocker

All three of these have been around for quite some time making a lot of victims along the way. Using a combination of exploit kits and faked emails, posing to be postal or financial agencies for example, they have been making victims all through-out the world.

In the case of TorrentLocker we were, in cooperation with the Dutch NCSC, able to fend them off which ended in them abandoning their campaigns against the Netherlands. We first documented a new variant being active on October 15, 2014 in a blog article. This however did not end their campaigns in other countries which are still ongoing as of writing this article.

In the following subsections we will give a brief analysis of the individual ransomware variants listed in the top 3. The analysis structure will be the same formal setup for all three families to keep it nicely standardized, straight forward and allow for easy comparison between the three. In this analysis we will be referring to the criminal’s command and control server from which they control the ransomware as the ‘C&C’ in short.

 

Ransomware analysis: CryptoWall

History

This Ransomware has been around since at least November 2013, although the operators were active developing and using this ransomware before it was officially dubbed ‘CryptoWall’.

CryptoWall has gone through a lot of changes on all aspects including, persistence, cryptography and C&C communication. Initially when it was still called ‘CryptoDefense’, CryptoWall would generate its encryption keys on the local machine which was proven to be flawed in a new article; which was read by the authors who fixed this ‘issue’. The encryption for the current version of CryptoWall, version 3.0, uses AES for file encryption while versions below that used RSA-2048 directly for the files. Version 3.0 receives a 2048 bit RSA key from the C&C, but doesn’t use it directly to encrypt files; an AES key is generated to encrypt a file with, this AES key is then encrypted with the obtainedRSA-2048.

Originally CryptoWall’s first versions communicated via proxy servers setup by the criminals which would forward traffic towards the C&C server residing in Tor. In a newer version of CryptoWall communication was directly over the Tor network, this was originally seen as test version by the authors but it was later also used as their main way of C&C communication. A few days after the Tor only version it changed back to non-direct Tor followed by a version using the I2P network, a lot of testing was going on. After all these tests the authors settled on a communication setup consisting of two layers of proxies, basically the first original setup for the initial CryptoWall, but with one extra layer of proxies. These proxies are setup on hacked websites. While these servers are cleaned up or taken offline quickly, it is workable for the CryptoWall authors as the ransomware needs to get one single connection out in order to be able to obtain a key and encrypt files, it doesn’t need a constant C&C connection as seen with other types of malware.

The spread of CryptoWall has only been increasing since its start with constant active campaigns mostly through the use of exploit kit services. The authors have an affiliate program running which makes it even more interesting and profitable for other criminals to spread CryptoWall to get a cut of the profit. This affiliate program has greatly improved their business income.

Network behavior

As said earlier, CryptoWall communicates via proxy servers to its real, hidden within the Tor network, command and control server. These proxies are hosted on compromised websites mainly consisting of outdated WordPress and Joomla instances although Drupal instances are also spotted at times. All communication is done via plain HTTP POST requests in which the POST data and response data being encrypted with RC4.

After getting on a victim’s PC, CryptoWall will start looking for a proxy server that is functioning. When it has found one it will start by sending the C&C server a few things to start of:

  • A unique campaign identifier (basically the source of the infection like spam or an exploit kit)
  • Its IP address (because the C&C runs inside Tor it needs to know the real IP address to be able to geolocate an infection)
  • Its unique identifier (identifier generated for an infected machine to be able to identify it from other infections)

The C&C server responds with:

  • The location of the ransom payment page (where victims can buy the decryption software)
  • The country the victim is originating from
  • An RSA-2048 public key used for file encryption

After receiving this information the client will start encrypting files on the machine. After it is finished encrypting the files, the ransomware reports the amount of encrypted files back to the C&C. The C&C responds with an image shown to the user indicating that CryptoWall encrypted all their files:

CryptoWall ransom note

File-system behavior

Besides encrypting all the files specified in its target file-types list, CryptoWall also performs the following operations on the file-system of the infected system:

  • Drop the lock screen image
  • Drop a TXT file containing the same instructions as seen on the image

CryptoWall will also run a set of commands to disable volume shadow copies (Windows automatic volume backups) and the Windows Error Recovery boot screen. It also disables Windows updates and if enabled various security services like Windows Defender.

Overview

Distribution source(s) :
  • Exploit kits
  • Email
C&C communication scheme : Traffic send through a proxy (usually a hacked website) towards a server (controlled by the criminals) that proxies the data further onto the C&C server hidden within the Tor network.
Cryptography scheme for files : AES
Targets network shares : Yes, enumerates all connected drives networked or not.

Targeted file types

Documents Photos Code Images Audio & Video Backup
odt         ppt         indd       oab        ods         pptx pct          nk2         odp       pptm     prf          eml odm       rtf           des       wb2       odc         msg

iif            pdd        odb

pages    nd           thm

doc         tex         qba

der         docx      txt

tlg           cer          docm

wpd       qbb        crt

wps        pdf         qbm

pem       xls           db

qbr         pfx         xlr

dbf         qbw       p12

xlsx        mdb       qby

p7b        xlsm       mdf

ach         p7c         xlsb

pst          key         xlk

sql          ost          wallet

pps         accdb    pab

3dm       kd

dxf         3ds

erf          dxg

max       mef

psd         obj

mrw       dds

ai             nef

pspimage

eps         nrw

tga          ps

orf          yuv

svg         raf

dng        cdr

rwl          arw

rw2        srf

raw        sr2

r3d         bay

ptx         crw

pef         3fr

srw         cr2

x3f          dcr

dwg

pdb        c

cpp         hhpp

class       cs

dtd         fla

java        lua

m            pl

py           pas

jpe         jpg

jpeg

3g2         3gp

asf          asx

avi          flv

m4v       mov

mp4       mpg

rm          srt

swf         vob

vmw      mp3

wav        flac

Bak

back

 

Ransomware analysis: CTB-Locker

History

CTB-Locker was first seen being sold in the underground communities back in the middle of June 2014. Researcher Kafeine wrote an article on this original sale by the author. The name CTB stands for Curve-Tor-Bitcoin, referring to items it utilizes: Curve refers to the elliptic curve encryption scheme used for file encryption, Tor refers to its usage of the Tor network to hide its C&C server and Bitcoin refers to the single ransom payment method available: Bitcoins.

CTB was originally only supporting Russian and English translations for its ransom demand message, but has been supporting more languages as it was being developed. It currently supports Russian, English, Italian, Dutch, German, Spanish, French and Latvian for its ransom message. In the Netherlands we’ve seen several waves of CTB-locker, mostly impersonating a financial institution normally involved with sending out payment forms which CTB fakes as attachments.

CTB’s command and control servers reside in the Tor network, but are not needed for the initial infection. A user’s files can be encrypted while the machine has no internet connectivity. This is possible due to the way the encryption and payment system of CTB works. The file encryption is a combination of SHA256 from Curve25519 operations, the exact details of this are explained in great detail by a researcher named Massimiliano Felici, who published an article on his blog named ‘CTB-Locker encryption/decryption scheme in details’.

Just like CryptoWall, CTB-locker has an affiliate program where other criminals can spread CTB-locker in order to get a cut of the profits. This affiliate program has been publicly exposed and researched by researcher Kafeine on his blog. This affiliate program has a website running inside the Tor network just like the C&C server. On this affiliate website the author of CTB-locker also keeps an updated log on the updates/extending in the functionality of CTB-locker.

Network behavior

As said earlier CTB-locker does not require an internet connection to be present on the infected client. Would it have internet connectivity, it does send the encryption information to the C&C within Tor. It does this by having the ability to talk to its server inside the Tor network via variants of the Tor2Web service, which act like a proxy into the Tor network.

Besides sending this information to the C&C it will also do an online lookup for its external IP address.

File-system behavior

Besides encrypting all the files specified in its target file-types list, CTB-locker also performs the following operations on the file-system of the infected system:

  • Drop the lock screen image and set it as a background; an example of this:
  • CTB Lock screen
  • Have an application pop-up with similar instructions as seen on the background image. This application is stored on the local machine. It contains a payment ID, a list of encrypted files, a countdown counter and instruction on how to pay the ransom amount to recover encrypted files. This example is the English translation, clicking any of the flags at the top of the application changes the language:
  • CTB Lock screen

 

Besides these graphical messages a copy of the text is also put on the file-system in the form of a text file as well as a copy of the background image.

CTB-locker will also run a set of commands to disable volume shadow copies (Windows automatic volume backups).

Overview

Distribution source(s) :
  • Exploit kits
  • Email
C&C communication scheme : Doesn’t need an internet connection to start file encryption. Due to its implementation it is able to encrypt files offline.
Cryptography scheme for files : AES
Targets network shares : Yes, enumerates all connected drives networked or not.

Targeted file types

Documents Photos Code Images Audio & Video Other
doc         docx

rtf           docm

xls           xlsx

txt          xlk

xlsb        xlsm

mdb       dwg

accdb    odb

odm       odp

ods         odt

odf         wb2

vsd         wpd

wps

 

kdc         nef

raw

cpp         c

php        js

cs            pas

bas         pl

py

3fr          dds

jpe         jpeg

jpg          cr2

rw2        psd ai             dd

rwl          dxf

dxg         arw

cdr          crw

eps         dcr

dng        indd

mrw       nrw

srw         ims

rgx

 

 

arp cer          crt

der         pem

7z            zip

rar          pwm

kwm      safe

groups  mdf

dbf         sql

md         bay

blend    erf

mef        p12

p12f       dbx

gdb        bsdr

bsdu      bdcr

bdcu      bpdr

bpdu     bsd

bdd        bdp

gsf          gsd

iss           rik

fdb         abu

config

 

Ransomware analysis: TorrentLocker

History

TorrentLocker was first documented in February 2014 when Turkish victims received emails from ‘Turkcell’, which is the leading mobile phone operator in Turkey. Users were lured onto a fake turkcell website where they had to download a document. This was the first documented attack from TorrentLocker who at the time didn’t have a name yet. It was named TorrentLocker to distinguish it from other ransomware threats based on the first registry key it used which contained ‘Torrent’:

HKCU\Software\Bit Torrent Application\

From that time on TorrentLocker has been evolving in how it shows the user the ransom demand messages and implementation of cryptography. Their method of spreading however hasn’t changed a bit, they impersonate local telecom providers or postal service websites sending users emails indicating a document is ready for them to download.

There have also been a few instances where malicious Word documents containing macros were used to infect systems with TorrentLocker.

The way the TorrentLocker group obtains the email addresses to send spam messages to is also interesting. They (most likely) started with an initial list of victims to started spamming and this list was extended by infecting victims. When TorrentLocker infects a machine it will harvest any possible email address from address books for Thunderbird, Outlook and Windows Live Mail present on the system. We’ve documented this process and their success in the past on our blog: Update on the TorrentLocker ransomware’. In our investigation of the run we saw back then they were able to obtain 2.6 million email addresses with this harvesting technique, a lot more possible victims to start sending their spam to.

TorrentLocker tries to impersonate CryptoLocker and uses this name on both the ransom messages shown to the user as well as the ransom payment website. This ransom payment website is hosted within the Tor network while the C&C used for communication with the malware from an infected machine is a server outside of the Tor network.

Network behavior

TorrentLocker communicates with a C&C server directly. With this server TorrentLocker speaks a small protocol in which it can send the encryption key, encrypted file count, stolen email information as well as possible (crash) logs. It will also obtain a ransom page from the C&C server.

The whole communication protocol is encapsulated in HTTPS.

File-system behavior

Besides encrypting all the files specified in its target file-types list, TorrentLocker also performs the following operations on the file-system of the infected system:

  • Make a copy of itself to a location in which it can make sure it will be present the next time the system starts.
  • Show a ransom instruction screen to the victim with information on how to pay the required ransom (in Bitcoins), where to get Bitcoins and where to send them. This screen does not give information on a possible deadline for the payment or the amount of affected files:
  • TorrentLocker lock screen

Overview

Distribution source(s) : Email
C&C communication scheme : Contacts a dedicated C&C server directly.
Cryptography scheme for files : AES-256
Targets network shares : Yes, enumerates all connected drives networked or not.

Targeted file types

Documents Photos Code Images Audio & Video Other
3ds         ab4

bgt         ac2

blend    cdf

cfp          csv

dbf         ddd

djvu       doc

docm     docx

dot         dotm

dotx       odb

odf         odg

odm       odp

ods         odt

otg         oth

otp         ots

ott          pdf

pot         potm

potx       ppam

pps         ppsx

ppsm     ppt

pptm     pptx

rtf           sldm

sldx        std

stw         scx

sxg         sxi

sxw        txt

wb2       xla

xlam      xll

xlm         xls

xlsb        xlsm

xlsx        xlt

xltm       xltx

xlw

 

 

 

cib          cmt

craw      crw

dc2         dcr

dng        mos

mrw       nef

orf          pcd

ra2          raf

raw        rw2

rwl          sd0

sd1         sr2

srf           srw

st4          st5

st6          st7

st8          x3f

 

asm        asp

c              cpp

css          h

erbsql   js

hpp        lua

php        pl

py

3fr          3pr

acr          agd1

ai             ait

arw        cdr

cdr3       cdr4

cdr5       cdr6

cdrw      ce1

ce2         cgm

cr2          csh

dcs         ddoc

ddrw               design

fpx         fxg

jpeg       jpg

psd         sda

sxd

 

al             bik

cpi          mpg

ycbcra

7z            accdb

accde    accdr

accdt     adb

apj          awg

backup               backupdb

bak         bdb

bgt         bkp

bpw       cdx

cer          cls

crt           csl

dac         db

db-journal

db3        der

dgc         drf

drw        dwg

dxb        erf

exf         fdb

ffd          fff

fh            fhd

gray       grey

gry          hbk

ibank     ibd

ibz          idx

iiq           incpass

kc2         kdbx

kdc         kpdx

mdb       mdc

mef        mfw

mmw    myd

moneywell

ndd        nop

nrw        ns2

ns3         ns4

nsd         nsf

nsg         nsh

nwb       nx1

nx2         nyf

p12         p7b

pat         p7c

pem       pfx

ps           psafe3

ptx         rdb

rwz         s3db

sas7bdat

sav         sdf

sql          sqlite

sqlite3   sqlitedb

stc          sti

stx          sxm

xml         zip

 

 

The generic traits of Ransomware

While the different ransomware variants are unique in most behavior, file types they are after and in some cases cryptographic implementations are similar. When having to defend a client network on different levels, network and host based, there are quite some generic traits seen with all of these.

File-system behavior

Most ransomware will place payment instruction files in the directory of the files that it’s going to encrypt. These files are usually in the form of a text, image and/or URL. Usually it will also change the background wallpaper of the infected computer to these instructions including a popup window so the user knows his files are being held ransom and he can get them back by paying for it.

Network behavior

Most ransomware families will contact a C&C server in some form, either via Tor or via compromised WordPress websites. While the current state of ransomware does not yet look actively for shares, it does encrypt files on drives that are network mapped on the computer as a side effect. This highly impacts businesses that do not have proper backup protocols.

Because decryption instructions files are dropped, it can also be detected on a network level when this happens on a network share. Our Network Monitoring service has detection for this.

When you see encrypted files on a network share you can easily check which user was infected with the ransomware and started to encrypt the files. Just check the creator of the instruction files on the share. This can help the system administrator to disconnect the infected user as quickly as possible from the network to prevent any further damage.

 

Conclusions

Having looked at the ransomware variants described there’s a few things we can conclude in terms of security:

  1. Unlike normal malware, ransomware does not need an extended presence on the system in order to ‘do-its-thing’. Once the key has been sent to the criminals it is over as it is in most cases unrecoverable.
  2. On the networking side there are quite a lot of indicators to work with in order to detect the presence or the initial infection of these ransomware variants in most cases.
  3. As seen with CTB-Locker, ransomware doesn’t always need internet connectivity. This is where endpoint protection should be able to determine the ransomware.

 

Based on our findings in the ’ generic traits’ section, we can also say that in many cases we’re quite lucky in terms of detection. Many authors of ransomware have the same goal and perform the same actions.

Ransomware is (sadly) not a thing that will pass on some point, as seen with fake antiviruses for example. The past years ransomware threats have only grown in size and numbers. Where in the past lockers wouldn’t affect files but solely the users’ current session, ransomware has been a very effective threat as users are forced to take action in order to get their personal files back..

The usage of the Tor network only makes it harder to stop these threats and only continued operations where law enforcement and the private industry work together are an effective way of frustrating and/or wearing down these criminals.

 

–  Fox-IT Security Research Team