Introduction
Ransomware has been a threat for quite some years, although the ransomware as its currently known, encrypting files, has only been around a few years. This change started with the initial 2013 CryptoLocker infections authored by the creator of the notorious Zeus banking malware, Slavik. Since CryptoLocker, many new variants as well as completely new families of ransomware have been appearing. Some stayed alive and ran successful operations for a long period of time which spanned years in some cases, while others disappeared as quickly as they appeared.
Takedowns in the world of ransomware are few and far between. Occasionally large operations with law enforcement result in successful takedowns as seen with the original CryptoLocker takedown; Operation Tovar in which Fox-IT InTELL played a key role and released a whitepaper about: ‘GameOver Zeus: Backgrounds on the Badguys and Backends’. Together with the joint effort takedown with law enforcement, Fox-IT InTELL was also able to support CryptoLocker victims in decrypting and recovering their files.
Sadly there is still a lot of ransomware going around. In this article we describe what we consider the top 3 of ransomware families currently active. We take a look at how and what they target for encryption as well as how we at Fox-IT combat them, looking at it in terms of detection and prevention.
Top 3 Ransomware families
We consider the following three ransomware families to be at the top of the ransomware threats alive right now:
- CryptoWall
- CTB-Locker
- TorrentLocker
All three of these have been around for quite some time making a lot of victims along the way. Using a combination of exploit kits and faked emails, posing to be postal or financial agencies for example, they have been making victims all through-out the world.
In the case of TorrentLocker we were, in cooperation with the Dutch NCSC, able to fend them off which ended in them abandoning their campaigns against the Netherlands. We first documented a new variant being active on October 15, 2014 in a blog article. This however did not end their campaigns in other countries which are still ongoing as of writing this article.
In the following subsections we will give a brief analysis of the individual ransomware variants listed in the top 3. The analysis structure will be the same formal setup for all three families to keep it nicely standardized, straight forward and allow for easy comparison between the three. In this analysis we will be referring to the criminal’s command and control server from which they control the ransomware as the ‘C&C’ in short.
Ransomware analysis: CryptoWall
History
This Ransomware has been around since at least November 2013, although the operators were active developing and using this ransomware before it was officially dubbed ‘CryptoWall’.
CryptoWall has gone through a lot of changes on all aspects including, persistence, cryptography and C&C communication. Initially when it was still called ‘CryptoDefense’, CryptoWall would generate its encryption keys on the local machine which was proven to be flawed in a new article; which was read by the authors who fixed this ‘issue’. The encryption for the current version of CryptoWall, version 3.0, uses AES for file encryption while versions below that used RSA-2048 directly for the files. Version 3.0 receives a 2048 bit RSA key from the C&C, but doesn’t use it directly to encrypt files; an AES key is generated to encrypt a file with, this AES key is then encrypted with the obtainedRSA-2048.
Originally CryptoWall’s first versions communicated via proxy servers setup by the criminals which would forward traffic towards the C&C server residing in Tor. In a newer version of CryptoWall communication was directly over the Tor network, this was originally seen as test version by the authors but it was later also used as their main way of C&C communication. A few days after the Tor only version it changed back to non-direct Tor followed by a version using the I2P network, a lot of testing was going on. After all these tests the authors settled on a communication setup consisting of two layers of proxies, basically the first original setup for the initial CryptoWall, but with one extra layer of proxies. These proxies are setup on hacked websites. While these servers are cleaned up or taken offline quickly, it is workable for the CryptoWall authors as the ransomware needs to get one single connection out in order to be able to obtain a key and encrypt files, it doesn’t need a constant C&C connection as seen with other types of malware.
The spread of CryptoWall has only been increasing since its start with constant active campaigns mostly through the use of exploit kit services. The authors have an affiliate program running which makes it even more interesting and profitable for other criminals to spread CryptoWall to get a cut of the profit. This affiliate program has greatly improved their business income.
Network behavior
As said earlier, CryptoWall communicates via proxy servers to its real, hidden within the Tor network, command and control server. These proxies are hosted on compromised websites mainly consisting of outdated WordPress and Joomla instances although Drupal instances are also spotted at times. All communication is done via plain HTTP POST requests in which the POST data and response data being encrypted with RC4.
After getting on a victim’s PC, CryptoWall will start looking for a proxy server that is functioning. When it has found one it will start by sending the C&C server a few things to start of:
- A unique campaign identifier (basically the source of the infection like spam or an exploit kit)
- Its IP address (because the C&C runs inside Tor it needs to know the real IP address to be able to geolocate an infection)
- Its unique identifier (identifier generated for an infected machine to be able to identify it from other infections)
The C&C server responds with:
- The location of the ransom payment page (where victims can buy the decryption software)
- The country the victim is originating from
- An RSA-2048 public key used for file encryption
After receiving this information the client will start encrypting files on the machine. After it is finished encrypting the files, the ransomware reports the amount of encrypted files back to the C&C. The C&C responds with an image shown to the user indicating that CryptoWall encrypted all their files:
File-system behavior
Besides encrypting all the files specified in its target file-types list, CryptoWall also performs the following operations on the file-system of the infected system:
- Drop the lock screen image
- Drop a TXT file containing the same instructions as seen on the image
CryptoWall will also run a set of commands to disable volume shadow copies (Windows automatic volume backups) and the Windows Error Recovery boot screen. It also disables Windows updates and if enabled various security services like Windows Defender.
Overview
| Distribution source(s) : |
|
| C&C communication scheme : |
Traffic send through a proxy (usually a hacked website) towards a server (controlled by the criminals) that proxies the data further onto the C&C server hidden within the Tor network. |
| Cryptography scheme for files : |
AES |
| Targets network shares : |
Yes, enumerates all connected drives networked or not. |
Targeted file types
| Documents |
Photos |
Code |
Images |
Audio & Video |
Backup |
| odt ppt indd oab ods pptx pct nk2 odp pptm prf eml odm rtf des wb2 odc msg
iif pdd odb
pages nd thm
doc tex qba
der docx txt
tlg cer docm
wpd qbb crt
wps pdf qbm
pem xls db
qbr pfx xlr
dbf qbw p12
xlsx mdb qby
p7b xlsm mdf
ach p7c xlsb
pst key xlk
sql ost wallet
pps accdb pab |
3dm kd
dxf 3ds
erf dxg
max mef
psd obj
mrw dds
ai nef
pspimage
eps nrw
tga ps
orf yuv
svg raf
dng cdr
rwl arw
rw2 srf
raw sr2
r3d bay
ptx crw
pef 3fr
srw cr2
x3f dcr
dwg |
pdb c
cpp hhpp
class cs
dtd fla
java lua
m pl
py pas |
jpe jpg
jpeg |
3g2 3gp
asf asx
avi flv
m4v mov
mp4 mpg
rm srt
swf vob
vmw mp3
wav flac |
Bak
back |
Ransomware analysis: CTB-Locker
History
CTB-Locker was first seen being sold in the underground communities back in the middle of June 2014. Researcher Kafeine wrote an article on this original sale by the author. The name CTB stands for Curve-Tor-Bitcoin, referring to items it utilizes: Curve refers to the elliptic curve encryption scheme used for file encryption, Tor refers to its usage of the Tor network to hide its C&C server and Bitcoin refers to the single ransom payment method available: Bitcoins.
CTB was originally only supporting Russian and English translations for its ransom demand message, but has been supporting more languages as it was being developed. It currently supports Russian, English, Italian, Dutch, German, Spanish, French and Latvian for its ransom message. In the Netherlands we’ve seen several waves of CTB-locker, mostly impersonating a financial institution normally involved with sending out payment forms which CTB fakes as attachments.
CTB’s command and control servers reside in the Tor network, but are not needed for the initial infection. A user’s files can be encrypted while the machine has no internet connectivity. This is possible due to the way the encryption and payment system of CTB works. The file encryption is a combination of SHA256 from Curve25519 operations, the exact details of this are explained in great detail by a researcher named Massimiliano Felici, who published an article on his blog named ‘CTB-Locker encryption/decryption scheme in details’.
Just like CryptoWall, CTB-locker has an affiliate program where other criminals can spread CTB-locker in order to get a cut of the profits. This affiliate program has been publicly exposed and researched by researcher Kafeine on his blog. This affiliate program has a website running inside the Tor network just like the C&C server. On this affiliate website the author of CTB-locker also keeps an updated log on the updates/extending in the functionality of CTB-locker.
Network behavior
As said earlier CTB-locker does not require an internet connection to be present on the infected client. Would it have internet connectivity, it does send the encryption information to the C&C within Tor. It does this by having the ability to talk to its server inside the Tor network via variants of the Tor2Web service, which act like a proxy into the Tor network.
Besides sending this information to the C&C it will also do an online lookup for its external IP address.
File-system behavior
Besides encrypting all the files specified in its target file-types list, CTB-locker also performs the following operations on the file-system of the infected system:
- Drop the lock screen image and set it as a background; an example of this:
- Have an application pop-up with similar instructions as seen on the background image. This application is stored on the local machine. It contains a payment ID, a list of encrypted files, a countdown counter and instruction on how to pay the ransom amount to recover encrypted files. This example is the English translation, clicking any of the flags at the top of the application changes the language:
Besides these graphical messages a copy of the text is also put on the file-system in the form of a text file as well as a copy of the background image.
CTB-locker will also run a set of commands to disable volume shadow copies (Windows automatic volume backups).
Overview
| Distribution source(s) : |
|
| C&C communication scheme : |
Doesn’t need an internet connection to start file encryption. Due to its implementation it is able to encrypt files offline. |
| Cryptography scheme for files : |
AES |
| Targets network shares : |
Yes, enumerates all connected drives networked or not. |
Targeted file types
| Documents |
Photos |
Code |
Images |
Audio & Video |
Other |
| doc docx
rtf docm
xls xlsx
txt xlk
xlsb xlsm
mdb dwg
accdb odb
odm odp
ods odt
odf wb2
vsd wpd
wps
|
kdc nef
raw |
cpp c
php js
cs pas
bas pl
py |
3fr dds
jpe jpeg
jpg cr2
rw2 psd ai dd
rwl dxf
dxg arw
cdr crw
eps dcr
dng indd
mrw nrw
srw ims
rgx
|
arp |
cer crt
der pem
7z zip
rar pwm
kwm safe
groups mdf
dbf sql
md bay
blend erf
mef p12
p12f dbx
gdb bsdr
bsdu bdcr
bdcu bpdr
bpdu bsd
bdd bdp
gsf gsd
iss rik
fdb abu
config |
Ransomware analysis: TorrentLocker
History
TorrentLocker was first documented in February 2014 when Turkish victims received emails from ‘Turkcell’, which is the leading mobile phone operator in Turkey. Users were lured onto a fake turkcell website where they had to download a document. This was the first documented attack from TorrentLocker who at the time didn’t have a name yet. It was named TorrentLocker to distinguish it from other ransomware threats based on the first registry key it used which contained ‘Torrent’:
HKCU\Software\Bit Torrent Application\
From that time on TorrentLocker has been evolving in how it shows the user the ransom demand messages and implementation of cryptography. Their method of spreading however hasn’t changed a bit, they impersonate local telecom providers or postal service websites sending users emails indicating a document is ready for them to download.
There have also been a few instances where malicious Word documents containing macros were used to infect systems with TorrentLocker.
The way the TorrentLocker group obtains the email addresses to send spam messages to is also interesting. They (most likely) started with an initial list of victims to started spamming and this list was extended by infecting victims. When TorrentLocker infects a machine it will harvest any possible email address from address books for Thunderbird, Outlook and Windows Live Mail present on the system. We’ve documented this process and their success in the past on our blog: ‘ Update on the TorrentLocker ransomware’. In our investigation of the run we saw back then they were able to obtain 2.6 million email addresses with this harvesting technique, a lot more possible victims to start sending their spam to.
TorrentLocker tries to impersonate CryptoLocker and uses this name on both the ransom messages shown to the user as well as the ransom payment website. This ransom payment website is hosted within the Tor network while the C&C used for communication with the malware from an infected machine is a server outside of the Tor network.
Network behavior
TorrentLocker communicates with a C&C server directly. With this server TorrentLocker speaks a small protocol in which it can send the encryption key, encrypted file count, stolen email information as well as possible (crash) logs. It will also obtain a ransom page from the C&C server.
The whole communication protocol is encapsulated in HTTPS.
File-system behavior
Besides encrypting all the files specified in its target file-types list, TorrentLocker also performs the following operations on the file-system of the infected system:
- Make a copy of itself to a location in which it can make sure it will be present the next time the system starts.
- Show a ransom instruction screen to the victim with information on how to pay the required ransom (in Bitcoins), where to get Bitcoins and where to send them. This screen does not give information on a possible deadline for the payment or the amount of affected files:
Overview
| Distribution source(s) : |
Email |
| C&C communication scheme : |
Contacts a dedicated C&C server directly. |
| Cryptography scheme for files : |
AES-256 |
| Targets network shares : |
Yes, enumerates all connected drives networked or not. |
Targeted file types
| Documents |
Photos |
Code |
Images |
Audio & Video |
Other |
| 3ds ab4
bgt ac2
blend cdf
cfp csv
dbf ddd
djvu doc
docm docx
dot dotm
dotx odb
odf odg
odm odp
ods odt
otg oth
otp ots
ott pdf
pot potm
potx ppam
pps ppsx
ppsm ppt
pptm pptx
rtf sldm
sldx std
stw scx
sxg sxi
sxw txt
wb2 xla
xlam xll
xlm xls
xlsb xlsm
xlsx xlt
xltm xltx
xlw
|
cib cmt
craw crw
dc2 dcr
dng mos
mrw nef
orf pcd
ra2 raf
raw rw2
rwl sd0
sd1 sr2
srf srw
st4 st5
st6 st7
st8 x3f
|
asm asp
c cpp
css h
erbsql js
hpp lua
php pl
py |
3fr 3pr
acr agd1
ai ait
arw cdr
cdr3 cdr4
cdr5 cdr6
cdrw ce1
ce2 cgm
cr2 csh
dcs ddoc
ddrw design
fpx fxg
jpeg jpg
psd sda
sxd
|
al bik
cpi mpg
ycbcra |
7z accdb
accde accdr
accdt adb
apj awg
backup backupdb
bak bdb
bgt bkp
bpw cdx
cer cls
crt csl
dac db
db-journal
db3 der
dgc drf
drw dwg
dxb erf
exf fdb
ffd fff
fh fhd
gray grey
gry hbk
ibank ibd
ibz idx
iiq incpass
kc2 kdbx
kdc kpdx
mdb mdc
mef mfw
mmw myd
moneywell
ndd nop
nrw ns2
ns3 ns4
nsd nsf
nsg nsh
nwb nx1
nx2 nyf
p12 p7b
pat p7c
pem pfx
ps psafe3
ptx rdb
rwz s3db
sas7bdat
sav sdf
sql sqlite
sqlite3 sqlitedb
stc sti
stx sxm
xml zip |
The generic traits of Ransomware
While the different ransomware variants are unique in most behavior, file types they are after and in some cases cryptographic implementations are similar. When having to defend a client network on different levels, network and host based, there are quite some generic traits seen with all of these.
File-system behavior
Most ransomware will place payment instruction files in the directory of the files that it’s going to encrypt. These files are usually in the form of a text, image and/or URL. Usually it will also change the background wallpaper of the infected computer to these instructions including a popup window so the user knows his files are being held ransom and he can get them back by paying for it.
Network behavior
Most ransomware families will contact a C&C server in some form, either via Tor or via compromised WordPress websites. While the current state of ransomware does not yet look actively for shares, it does encrypt files on drives that are network mapped on the computer as a side effect. This highly impacts businesses that do not have proper backup protocols.
Because decryption instructions files are dropped, it can also be detected on a network level when this happens on a network share. Our Network Monitoring service has detection for this.
When you see encrypted files on a network share you can easily check which user was infected with the ransomware and started to encrypt the files. Just check the creator of the instruction files on the share. This can help the system administrator to disconnect the infected user as quickly as possible from the network to prevent any further damage.
Conclusions
Having looked at the ransomware variants described there’s a few things we can conclude in terms of security:
- Unlike normal malware, ransomware does not need an extended presence on the system in order to ‘do-its-thing’. Once the key has been sent to the criminals it is over as it is in most cases unrecoverable.
- On the networking side there are quite a lot of indicators to work with in order to detect the presence or the initial infection of these ransomware variants in most cases.
- As seen with CTB-Locker, ransomware doesn’t always need internet connectivity. This is where endpoint protection should be able to determine the ransomware.
Based on our findings in the ’ generic traits’ section, we can also say that in many cases we’re quite lucky in terms of detection. Many authors of ransomware have the same goal and perform the same actions.
Ransomware is (sadly) not a thing that will pass on some point, as seen with fake antiviruses for example. The past years ransomware threats have only grown in size and numbers. Where in the past lockers wouldn’t affect files but solely the users’ current session, ransomware has been a very effective threat as users are forced to take action in order to get their personal files back..
The usage of the Tor network only makes it harder to stop these threats and only continued operations where law enforcement and the private industry work together are an effective way of frustrating and/or wearing down these criminals.
– Fox-IT Security Research Team
Mofang (模仿, Mófa ̌ng, to imitate) is a threat actor that almost certainly operates out of China and is probably government-affiliated. It is highly likely that Mofang’s targets are selected based on involvement with investments, or technological advances that could be perceived as a threat to the Chinese sphere of influence. This is most clearly the case in a campaign focusing on government and critical infrastructure of Myanmar that is described in this report. Chances are about even, though, that Mofang is a relevant threat actor to any organization that invests in Myanmar or is otherwise politically involved. In addition to the campaign in Myanmar, Mofang has been observed to attack targets across multiple sectors (government, military, critical infrastructure and the automotive and weapon industries) in multiple countries.
The exercise took two hours to complete, tracking down discrepancies in the balance sheets of one Goliath National Bank (GNB), a prominent (fictitious) retail bank in the (fictitious) European country of Ramul. The exercise was designed to:
Teams played in rounds where new information about an incident was revealed in every turn. The attendees had to pick their next steps and the closer they were with the ideal scenario, the more points they scored.
Jeremy Butcher, Fox-IT Director of Operations
Ponmocup, first discovered in 2006 as Vundo or Virtumonde, is one of the most successful botnets of the past decade, in terms of spread and persistence. The reasons why this botnet is considered highly interesting are that it is sophisticated, underestimated and is currently largest in size and aimed at financial gain.
