Ransomware deployments after brute force RDP attack

Fox-IT has encountered various ways in which ransomware is being spread and activated. Many infections happen by sending spam e-mails and luring the receiver in opening the infected attachment. Another method is impersonating a well-known company in a spam e-mail stating an invoice or track&trace information is ready for download. By following the link provided in the e-mail, the receiver can download the file which contains the malware from a convincing looking website. Distributing ransomware through malvertising, an exploit kit being served on an advertisement network, is also a common way for criminals to infect systems.

In the past few months, Fox-IT’s incident response team, FoxCERT, was involved in several investigations where a different technique surfaced: activating ransomware from a compromised remote desktop server.

Getting access

Before we get to why this might be lucrative for the criminals, how do they get access in the first place? RDP, or Remote Desktop Protocol, is a proprietary protocol developed by Microsoft to provide remote access to a system over the network. This can be the local network, but also the Internet. When a user successfully connects over RDP to a system running Remote Desktop Services (formerly known as Terminal Services), the user is presented with a graphical interface similar to the one seen when working on the system itself. This is widely used by system administrators for managing various systems in the organization, by users working with thin clients, or for working remotely. Attackers mostly tend to abuse Remote Desktop Services for lateral movement after getting a foothold in the network. In this case, however, RDP is their point of entry into the network.

Entries in the log files show the attackers got access to the servers by brute forcing usernames and passwords on remote desktop servers that are accessible from the Internet. Day in, day out, failed login attempts are recorded coming from hundreds of unique IP addresses trying hundreds of unique usernames. Connecting remote desktop servers directly to the Internet is not recommended, and brute forcing Remote Desktop Services is nothing new. But without the proper controls in place to prevent, or at least detect and respond to, successful compromises, brute force RDP attacks are still relevant. And now with a ransomware twist as well.

Image 1: Example network with compromised RDP server and attacker deploying ransomware.

The impact

After brute forcing credentials to gain access to a remote desktop server, the attackers can do whatever the compromised user account has permissions to do on the server and in the network. So how could an attacker capitalize on this? Underground markets exist where RDP credentials are sold, an easy cash-out for the attacker. A more creative attacker could attempt all kinds of privilege escalation techniques to ultimately become domain administrator (if not already), but most of the time this is not even necessary, as the compromised user account might already have access to all kinds of network shares with sensitive data, for example personally identifiable information (PII) or intellectual property (IP), which in turn can be exfiltrated and sold on underground markets. The compromised user account and system could be added to a botnet, used as a proxy server, or used for sending out spam e-mail messages. Plenty of possibilities, including taking the company’s data hostage by executing ransomware.

Depending on the segmentation and segregation of the network, the impact of ransomware being executed from a workstation in a client LAN might be limited to the network segments and file shares the workstation and affected user account can reach. From a server though, an attacker might be able to find and reach other servers and encrypt more critical company data to increase the impact.

The power lies in the amount of time the attackers can spend on reconnaissance if no proper detection controls are in place. For example, the attackers have time to analyze how and when back-ups of critical company data are created before executing the ransomware. This helps them make sure the back-ups are useless for restoring the encrypted data, which in turn increases the chance that a company actually pays the ransom. In the breaches Fox-IT investigated, the attackers spent weeks actively exploring the network through scanning and lateral movement. As soon as the ransomware was activated, no fixed ransom was demanded; instead, negotiation by e-mail was required. As the attackers have a lot of knowledge of the compromised network and company, their position in the negotiation is stronger than when infection took place through a drive-by download or an infected e-mail attachment. The demanded ransom reflects this and can be significantly higher.

Image 2: Example ransomware wallpaper.

Prevention, detection, response

Connecting Remote Desktop Services to the Internet is a risk. Exposed services of this kind that are not essential should be disabled. If remote access is necessary, user accounts with remote access should have hard-to-guess passwords and preferably a second factor for authentication (2FA) or a second step in verification (2SV). To prevent eavesdropping on the remote connection, a strongly encrypted channel is recommended. Brute force attacks on remote desktop servers and ransomware infections can be prevented. Fox-IT can help to improve your company’s security posture and prevent attacks, for example through an architecture review, a security audit or training.

If prevention fails, swift detection will reduce the impact. With verbose logging securely stored and analyzed, accompanied by 24/7 network and endpoint monitoring, an ongoing breach or malware infection will be detected and remediated. The Cyber Threat Management platform can assist in detecting and preventing attacks. And if business continuity and reputation are at stake, our emergency response team is available 24/7.
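The log pattern described under ‘Getting access’ (many failed RDP logons from one source address trying many account names, followed by a success) is exactly what a detection rule on stored Windows Security logs can pick up. The Python script below is an added example, not Fox-IT’s tooling or the Cyber Threat Management platform; it runs over constructed sample lines in a simplified key=value rendering of events 4625/4624 and escalates any source IP whose failure burst is followed by a successful RDP logon.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data) in a simplified key=value rendering of
# Windows Security events. EventID 4625 = failed logon, 4624 = successful logon;
# LogonType 10 = RemoteInteractive, i.e. a Remote Desktop session.
# Lines are assumed to be in chronological order.
SAMPLE_LOG = """\
2016-03-14T02:11:07Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2016-03-14T02:11:09Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.23
2016-03-14T02:11:12Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=198.51.100.23
2016-03-14T02:11:14Z EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=198.51.100.23
2016-03-14T02:11:16Z EventID=4625 LogonType=10 TargetUserName=sql IpAddress=198.51.100.23
2016-03-14T02:11:19Z EventID=4624 LogonType=10 TargetUserName=backup IpAddress=198.51.100.23
2016-03-14T03:40:02Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.9
2016-03-14T03:40:05Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.9
2016-03-14T08:02:44Z EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=192.0.2.77
2016-03-14T08:02:58Z EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=192.0.2.77
2016-03-14T08:30:00Z EventID=4624 LogonType=3 TargetUserName=svc-backup IpAddress=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_rdp_events(log_text):
    """Yield (timestamp, event id, account, source ip) for RDP logon events only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None or m["ltype"] != "10":
            continue  # skip unparsable lines and non-RDP logon types
        yield m["ts"], m["eid"], m["user"], m["ip"]


def find_rdp_bruteforce(log_text, min_failures=4, min_users=3):
    """Return one finding per source IP whose RDP failures look like guessing.

    An IP qualifies when it accumulates at least `min_failures` failed logons
    or tries at least `min_users` distinct account names. If a successful RDP
    logon from that IP follows the failure burst, the finding is escalated:
    that is the pattern of the compromises described in the article.
    """
    failed = defaultdict(list)   # ip -> account names that failed, in order
    first_seen = {}              # ip -> timestamp of first failure
    success = {}                 # ip -> (account, ts, failures seen so far)
    for ts, eid, user, ip in parse_rdp_events(log_text):
        if eid == "4625":
            failed[ip].append(user)
            first_seen.setdefault(ip, ts)
        elif eid == "4624" and ip in failed and ip not in success:
            success[ip] = (user, ts, len(failed[ip]))

    findings = []
    for ip, users in failed.items():
        if len(users) < min_failures and len(set(users)) < min_users:
            continue  # below both thresholds: a mistyped password, not a burst
        finding = {
            "ip": ip,
            "first_failure": first_seen[ip],
            "failures": len(users),
            "distinct_users": len(set(users)),
            "severity": "bruteforce",
            "account": None,
        }
        if ip in success:
            account, ts, fails_before = success[ip]
            tried_before = set(users[:fails_before])
            if fails_before >= min_failures or len(tried_before) >= min_users:
                finding["severity"] = "success-after-bruteforce"
                finding["account"] = account
                finding["success_at"] = ts
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_rdp_bruteforce(SAMPLE_LOG):
        print(f"{f['severity']:>24} {f['ip']:>15} failures={f['failures']} "
              f"distinct_users={f['distinct_users']} account={f['account']}")
```

On a real deployment the same rule would be fed from the event collector rather than a text blob, and the thresholds tuned to the normal failure rate of the environment.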

Wouter Jansen, Senior Forensic IT Expert at Fox-IT





Large malvertising campaign hits popular Dutch websites

On Sunday April 10th the Fox-IT Security Operations Center (SOC) started to see an increase in exploit kit related incidents. The incidents originated from a large malvertising campaign hitting the Netherlands. The affected websites include most of the popular Dutch websites. In total we’ve now seen at least 288 websites being affected. To give an impression of the impact, the list of affected websites includes:

  • nu.nl
  • marktplaats.nl
  • sbs6.nl
  • rtlnieuws.nl
  • rtlz.nl
  • startpagina.nl
  • buienradar.nl
  • kieskeurig.nl
  • veronicamagazine.nl
  • iculture.nl
  • panorama.nl

Note: Malvertising is caused by malicious content providers in the advertisement ecosystem, not by the affected websites themselves (e.g. those listed above).

We’ve been in contact with the affected advertisement provider, who responded quickly to the incident and has filtered the listed IOCs in their advertisement platform. They will be tracking down the affected content provider, as this issue has not been fully resolved: it has simply been filtered for now. More information on malvertising can be found in our earlier article ‘Malvertising: Not all Java from java.com is legitimate’.

Details of the exploit kit redirect

The malvertising is occurring through an advertisement platform which is actively used on the above mentioned websites. From the websites, external scripts are loaded which in turn redirect further towards the exploit kit. We’ve observed the Angler Exploit Kit being active on these redirects during this campaign. We have not seen any successful infections at our customers yet.

One of the redirects towards the Angler exploit kit as observed by our monitoring platform:


Indicators of Compromise (IOCs)

The following two domains have been observed to redirect users from the affected websites towards the exploit kit. Blocking these two domains will aid in stopping the redirects for now:

  • traffic-systems.biz
  • medtronic.pw

Website of security certification provider spreading ransomware

Since Monday the 21st of March the Fox-IT Security Operations Center (SOC) has been observing malicious redirects towards the Angler exploit kit coming from the security certification provider known as the EC-COUNCIL. As of writing this blog article on Thursday the 24th of March, the redirect is still present on the EC-COUNCIL iClass website for CEH certification located at iclass[dot]eccouncil[dot]org. We have reached out and notified the EC-COUNCIL, but no corrective action has been taken yet.

Update 25-4-2016: EC-COUNCIL put out a publication regarding the malicious redirect. They’ve cleaned up and removed the malicious redirect, the publication was made on their Facebook page and linked to on their Twitter account.

Exploit kit details: Angler exploit kit

We first observed the redirect on Monday around 3pm GMT, but we suspect it might have been there for a longer period of time. The redirect only occurs when the following specific conditions are met:

  • The visitor has to have Microsoft Internet Explorer as a browser (or at least the user-agent has to represent Internet Explorer)
  • The visitor comes from a search engine like Google or Bing
  • The visitor’s IP address is neither blacklisted nor in a blocked geolocation. The inject avoids certain countries (possibly tied to a bad ‘ROI’ for the criminals running the ransomware that is being dropped)

Once a visitor meets all these requirements a redirect is embedded at the bottom of the page, as seen in this screenshot:

Image: EC-COUNCIL iClass Angler exploit kit injected script.

Through this embedding the client is redirected a couple of times to avoid, frustrate or stop manual analysis and some automated systems. Once the user has passed through all the redirects, he or she ends up on the Angler exploit kit landing page, from which the browser, the Flash Player plug-in or the Silverlight plug-in will be exploited. The Angler exploit kit first starts the ‘Bedep’ loader on an exploited victim machine, which then downloads the final payload.

The way the redirect occurs on the EC-COUNCIL website is through PHP code on the webserver which is injecting the redirect into the webpage. A vulnerability in the EC-COUNCIL website is most likely exploited as it runs the very popular WordPress CMS which has been a target through vulnerable plug-ins for years.
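Because the injected script is only served to visitors matching the conditions listed above, a site owner checking their own pages from a normal browser sees nothing. One way to verify a site you administer is to fetch the same URL under several request profiles and compare the responses. The Python script below is an added example, not EC-COUNCIL’s code or Fox-IT’s monitoring platform; `fake_fetch` is a constructed stand-in for a page with such a conditional inject (its script URL is a placeholder), and `http_fetch` is the equivalent using `urllib` for a site you are responsible for.

```python
import urllib.request

# Request profiles mirroring the gating conditions described above: a plain
# non-IE browser as baseline, an IE user-agent arriving directly, and an IE
# user-agent arriving from a search engine. The user-agent strings are
# illustrative, not copied from a specific browser build.
PROFILES = {
    "plain": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0",
    },
    "ie_direct": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    },
    "ie_from_search": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
        "Referer": "https://www.google.com/",
    },
}


def http_fetch(url, headers, timeout=15):
    """Fetch `url` with the given request headers and return the body as text."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def find_conditional_content(fetch, url, profiles=PROFILES, baseline="plain"):
    """Return {profile name: [lines]} for every profile whose response contains
    lines the baseline profile never receives.

    The baseline is fetched twice; lines that differ between those two identical
    requests (ad slots, CSRF tokens, timestamps) are treated as noise and
    ignored, so only visitor-dependent content is reported.
    """
    base_a = fetch(url, profiles[baseline]).splitlines()
    base_b = fetch(url, profiles[baseline]).splitlines()
    noise = set(base_a).symmetric_difference(base_b)
    known = set(base_a) | set(base_b)

    report = {}
    for name, headers in profiles.items():
        if name == baseline:
            continue
        body = fetch(url, headers).splitlines()
        added = [line for line in body
                 if line.strip() and line not in known and line not in noise]
        if added:
            report[name] = added
    return report


# Constructed stand-in for a page that serves one extra script tag only to IE
# visitors arriving from a search engine. The script source is a placeholder.
CLEAN_PAGE = """<html><head><title>Course catalogue</title></head>
<body>
<h1>Certification courses</h1>
<p>Register for the next class.</p>
</body></html>"""

INJECTED_LINE = '<script src="http://injected-placeholder.example/r.js"></script>'


def fake_fetch(url, headers):
    """Simulates the gated page; `url` is ignored."""
    ua = headers.get("User-Agent", "")
    ref = headers.get("Referer", "")
    from_search = any(engine in ref for engine in ("google.", "bing."))
    if "Trident" in ua and from_search:
        return CLEAN_PAGE.replace("</body>", INJECTED_LINE + "\n</body>")
    return CLEAN_PAGE


if __name__ == "__main__":
    for profile, lines in find_conditional_content(fake_fetch, "https://site.example/").items():
        print(f"content only served to profile {profile!r}:")
        for line in lines:
            print("   ", line)
```

The geolocation condition cannot be reproduced from a single vantage point, so a check run from an excluded country will report nothing even on an affected site.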

Payload details: TeslaCrypt

This specific campaign instance of the Angler exploit kit drops ‘TeslaCrypt’ on the exploited victim’s machine. TeslaCrypt is a piece of ransomware which takes a victim’s files hostage with the use of encryption. Once the victim’s files have been successfully encrypted a ransom note is presented to instruct the victim on ways to recover files:

Image: TeslaCrypt 4.0 ransom notes.

TeslaCrypt requires the victim to pay around 1.5 BTC to get their files back; this equals approximately $622 at the current conversion rate.

Indicators of Compromise (IOCs)

Bedep C&C servers:

  • kjnoa9sdi3mrlsdnfi[.]com
  • moregoodstafsforus[.]com
  • jimmymorisonguitars[.]com
  • bookersmartest[.]xyz

TeslaCrypt C&C servers:

  • mkis[.]org
  • tradinbow[.]com

Financial Crisis Exercise at RSA 2016

This year, at the RSA Conference, held in San Francisco from February 29 – March 4, Fox-IT was asked to host a financial cyber crisis table top exercise for the Learning Labs portion of the conference.

This was a great opportunity for us to showcase some of what Fox-IT does for companies: training and aiding companies in incident response. Our exercise provided an opportunity to address a cyber threat scenario in an interactive and collaborative tabletop exercise.

Goliath National Bank

The exercise took two hours to complete, tracking down discrepancies in the balance sheets of one Goliath National Bank (GNB), a prominent (fictitious) retail bank in the (fictitious) European country of Ramul. The exercise was designed to:

  • elicit constructive discussion as participants examine and resolve problems
  • identify where existing approaches need to be refined
  • establish relationships and share information with other organizations & partners
  • raise the awareness of the security community about challenges when dealing with a cyber crisis

The exercise was designed as a paper-based exercise with a facilitated discussion of a scripted scenario, where planners and players sit together in one room for the exercise execution.

Overall the session was very popular. There were a lot more people queuing up for the session than there was place for during the session. The attendees that did make it in, were very engaged.

Real life role playing

Each team distributed roles such as CIO, CISO, HR Director, PR Director, General Counsel or IT director. Reflecting the wide variety of attendees at RSA, we were delighted to discover that many of the roles were represented by players who had these roles in real life.

Teams played in rounds, where new information about an incident was revealed in every turn. The attendees had to pick their next steps, and the closer they were to the ideal scenario, the more points they scored.

As crisis teams work through serious events, there is often partial information and there are unclear causes of events and unclear future effects. Therefore, war gaming and cyber crisis table top sessions are required on a regular basis for the crisis management team to gain experience in this field of expertise.

Restoring operations

The most difficult phase of the Learning Lab (as in real-life incidents) is the moment a crisis team receives the details about how the incident took place. From that moment on, the team has to switch from focusing on ‘identifying the root cause’ to ‘restoring operations’. They must find a healthy balance in which the investigation continues, but the ‘restore operations’ priority becomes the most important one. We can call this moment between investigation and mitigation an ‘impasse moment’. In order to make the right call, the crisis management team should be able to look at the incident from a helicopter view and come to a clear decision on the next steps, taking into account the investigation findings, business interests and potential future consequences of the incident.

Fox-IT’s cyber crises exercises

Fox-IT regularly hosts cyber crisis exercises, ranging from high-level tabletop sessions involving an organization’s crisis team down to detailed, multi-day, technical challenges for computer emergency response teams and other IT personnel involved in a crisis. Whether you want a first introduction to crisis management or want to train your crisis team periodically, our seasoned experts are able to help.

Would you like to know how we can help you to improve your organization’s resiliency? Please contact Rombert Anjema from FoxAcademy, tel. +31 (0)15 284 79 99, e-mail fox@fox-it.com

Kevin Jonkers, Manager Forensics & Incident Response at Fox-IT, Sarah Brown, Principal Cyber Security Expert at Fox-IT and Krijn de Mik, Principal Cyber Security Expert at Fox-IT

RSA 2016: A Long Road Ahead for Security

We recently attended the RSA Conference, held in San Francisco from February 29 – March 4, to speak with our European clients. Does that surprise you? Far more Europeans visit this conference than you might think. The RSA Conference is the largest trade show for security in the world, yet its main attraction lies not so much in what can be seen on the main floor. Of even more interest are the meetings with security officers from a wide array of organizations that coincide with the trade show. This is where the real action takes place.

Importance of Integrating Solutions

Every year, I’m struck by the enormous gap that exists between the claims made out on the trade show floor and what is found to work in the field. Conversations at the trade show are the only way to find out whether the claims are true, and whether there is even a need for them in practice. As you navigate the trade stands, you encounter a myriad of solutions that are perfectly capable of fending off a specific type of attack — or at least claim to do so. Given that there are all manner of attacks, one should therefore deploy multiple solutions for effective, high-level security. Well, naturally CISOs are not going to go for that. Rather, for them, the challenge lies in integration: using the security solutions you already have in place and processing their results in such a way that you enable your team to efficiently and effectively counter a broad spectrum of attacks.

Costs Rising for Hackers

This focus on integration is evident in, for example, the growing attention paid to the economics of hacking. There are even CISOs who are held accountable for how successful they are at raising the costs for a hacker to mount an attack, and who therefore go so far as set a specified amount as a personal target. This means that CISOs need resources that allow them to block the paths that are the simplest — and therefore the cheapest — for hackers.

Intelligence Hype

The concept of threat intelligence has been on the rise for a long time. If you know who is targeting you and how they operate, you can find them more readily in your network or systems. Meanwhile, the number of suppliers that furnish intel feeds, often consisting of no more than lists of ‘bad’ IP addresses or file hashes, has proliferated. This all leads to market hype. CISOs are drowning in information; one feed after another issues a torrent of information that is too cumbersome for them to work with. What I’m hearing from CISOs is that they would prefer to receive far less technical information, and would instead like more context: Who are the attackers? What are their motives? What are they targeting?

First Aid for Panic

Another increasingly common need is to receive help once a data breach has been discovered. Panic usually breaks out first, especially in the Netherlands now that Meldplicht datalekken, a Dutch law concerning the mandatory notification of data breaches, is in force. To fulfil this notification obligation, everything has to be set in motion immediately: Involved parties (such as users and patients) must be informed, the Dutch Data Protection Authority must receive the necessary information, and numerous technical measures must be taken. Owing to the panic and time pressures, there is a pressing need for expertise and tools that can support an organization. Examples include ensuring that the breached company can demonstrate its conduction of a thorough investigation of the incident and helping it to supply the required information on time. This overarching need is consistent with the idea that it is not possible to set up 100% foolproof security. Even when things go wrong, organizations need to be able to mount a swift and adequate response.

Major Cloud Providers Serious About Data Storage Location

Rules and regulations are also an issue in other areas. Following the issue around Safe Harbor, several major cloud providers now take seriously the fact that Europe has a different stance on privacy than the United States. These cloud providers realize that they need to be able to deliver hard guarantees about where data is stored. This clearly goes against the ‘cloud mindset’ that data location no longer matters. But the awareness is slowly sinking in that there is no way to avoid European regulations.

No Silver Bullet

The RSA trade show floor teems with promises of, if you will, security ‘silver bullets’, whether these involve machine learning, threat intelligence, APT defense, or some other term that’s trendy at the moment. Despite this, I have yet to find at RSA the panacea that would give security professionals a distinct advantage over their attackers. This is perhaps unsurprising, given that RSA is ultimately a marketing extravaganza. It’s an excellent place to get a feel for what’s ‘hot’, but it’s not likely to provide the most reliable information for your next security purchase. Fortunately, the security community surrounding the trade fair appears to understand this. No one doubts the importance of technology, but it is only useful insofar as it supports your security operations team and the professional management of your security.

Jeremy Butcher, Fox-IT Director of Operations

RSA 2016: security still has a long way to go

We were at the RSA Conference in San Francisco from February 29 to March 4 to talk with our European customers. Yes indeed, far more visitors come from Europe than you would think. RSA is, after all, the most important security trade show in the world. Yet it is not so much about what there is to see on the show floor. The meetings around it with security executives from the most diverse organizations are even more interesting. That is where it happens.

Integration of solutions is important

What stands out every year is the enormous gap between what is claimed on the show floor and how much of that works in practice. Only in conversations around the show do you find out whether the claims hold up and what is really needed in practice. On the show floor you come across countless solutions that are perfectly capable of stopping one specific kind of attack (or at least claim to be). But since countless kinds of attacks exist, you would therefore have to deploy several of those solutions for good security. Well, CISOs naturally do not go for that. For them the challenge is rather integration: deploying the security solutions you do have, and bringing their results together, in such a way that your team can counter a broad spectrum of attacks efficiently and effectively.

Costs for the hacker going up

That integrated focus shows itself, for example, in increasing attention for the economic aspects of hacking. There are even CISOs who are held accountable for the degree to which they succeed in raising the cost of a break-in for a hacker, and who go so far as to attach a concrete amount to that as a personal target. CISOs are therefore interested in means to block the simplest, and therefore cheapest, paths for hackers.

Intelligence hype

Threat intelligence has been on the rise for a while: if you know who has it in for you and how they operate, you will find them more easily on your network or in your systems. By now the number of providers of intel feeds, which in many cases consist of no more than lists of ‘bad’ IP addresses or file hashes, is too large to count. The result is a hype market: the CISO drowns in intelligence, one feed after another produces a flood that can no longer be worked with. What I hear from CISOs is that above all they want much less technical information, and rather more context: who are the possible attackers, what are their motives and what are they after?

First aid for panic

Another need that more and more parties have is help after a data breach has been discovered. Usually panic breaks out first, especially now that the Meldplicht datalekken (the mandatory data breach notification law) is in force in the Netherlands. All kinds of things have to be set in motion immediately: under the notification obligation, those affected (for example users or patients) must be informed, the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority) must receive the necessary information, and technically all kinds of things must happen too. Because of the panic and time pressure there is a great need for expertise, but also for tools that support an organization in this, for example by making sure it can demonstrate that the investigation of the incident is complete and by helping to supply all information on time. This need also fits the idea that 100% security is not possible. Even when things go wrong, the organization must be able to respond quickly and adequately.

Major cloud providers serious about data location

Laws and regulations are a theme in other areas too: after Safe Harbor, a number of major cloud providers are now taking seriously the fact that privacy is viewed differently in Europe than in the US. They realize that they must be able to offer hard guarantees about the location of stored data. This clearly goes against the cloud notion that location no longer matters, but the realization is slowly sinking in that there is no way around European regulations.

No silver bullet

The RSA show floor overflows with promises of security ‘silver bullets’, whether it is machine learning, threat intelligence, APT defense or another trendy term. But at this RSA I have not found the miracle cure with which defenders can take a big lead over the attackers. Perhaps not surprising, because in the end it is a marketing festival: an excellent place to pick up the vibe of what is ‘hot’, but perhaps not directly the best information for your next security purchase. Fortunately, the security community around the show appears to understand that well: of course the technology is important, but above all insofar as it supports your security operations team and professional management of your security.

Jeremy Butcher, Director of Operations at Fox-IT

Ponmocup – A giant hiding in the shadows

Ponmocup, first discovered in 2006 as Vundo or Virtumonde, is one of the most successful botnets of the past decade in terms of spread and persistence. The reasons this botnet is considered highly interesting are that it is sophisticated, underestimated, currently the largest in size and aimed at financial gain.

This underestimated botnet is still in active use and under continuous development. Having established that Ponmocup’s primary goal is likely financial gain, it is interesting to look at its size. Fox-IT has determined that it has infected a cumulative total of more than 15 million unique victims since 2009. At its peak, in July 2011, the botnet consisted of 2.4 million infected systems, which as far as botnets go, is huge. Since then, the botnet has shrunk in size and is currently stable at around 500,000 active infections, as shown below:

Image: Ponmocup botnet global infections.

Compared to other botnets, Ponmocup is one of the largest currently active and, with 9 consecutive years, also one of the longest running. Ponmocup is rarely noticed though, as the operators take care to keep it operating under the radar.

Ponmocup’s operators are technically sophisticated; their techniques suggest a deeper than usual knowledge of the Windows operating system. On top of that, the operators have close to 10 years of experience with malware development. Their framework was developed over time, quality tested and then improved in order to increase robustness and reduce the likelihood of discovery.

The operators are most likely Russian speaking and possibly of Russian origin. This is based on the fact that instructions to business partners and affiliates are written in Russian, and that historically, Ponmocup would not infect systems in some post-Soviet States.

Ponmocup is believed to be aimed at financial gain. Although it is difficult to quantify the exact amount of money earned with the Ponmocup botnet, it is likely that it has already been a multi-million dollar business for years now. There are multiple reasons to assume this is the case. Firstly, their infrastructure is complex, distributed and extensive, with servers for dedicated tasks. Secondly, they operate, maintain and monitor their comprehensive infrastructure with a group of operators and are quickly able to mitigate potential risks that are discovered. Thirdly, the malware itself is sophisticated and aimed at avoiding detection and analysis. Fox-IT believes, based on the earlier mentioned reasons, that they are protecting a very well run organization and infrastructure, for their main goal: financial gain.

Download the threat report ‘Ponmocup – a giant hiding in the shadows’.

The state of Ransomware in 2015


Ransomware has been a threat for quite some years, although ransomware as it is currently known, encrypting files, has only been around for a few years. This change started with the initial 2013 CryptoLocker infections, authored by the creator of the notorious Zeus banking malware, Slavik. Since CryptoLocker, many new variants as well as completely new families of ransomware have appeared. Some stayed alive and ran successful operations for a long period of time, spanning years in some cases, while others disappeared as quickly as they appeared.

Takedowns in the world of ransomware are few and far between. Occasionally, large operations with law enforcement result in successful takedowns, as seen with the original CryptoLocker takedown, Operation Tovar, in which Fox-IT InTELL played a key role and about which it released a whitepaper: GameOver Zeus: Backgrounds on the Badguys and Backends. Alongside the joint takedown effort with law enforcement, Fox-IT InTELL was also able to support CryptoLocker victims in decrypting and recovering their files.

Sadly there is still a lot of ransomware going around. In this article we describe what we consider the top 3 of ransomware families currently active. We take a look at how and what they target for encryption as well as how we at Fox-IT combat them, looking at it in terms of detection and prevention.

Top 3 Ransomware families

We consider the following three ransomware families to be at the top of the ransomware threats alive right now:

  • CryptoWall
  • CTB-Locker
  • TorrentLocker

All three of these have been around for quite some time, making a lot of victims along the way. Using a combination of exploit kits and faked e-mails, posing for example as postal or financial agencies, they have been making victims throughout the world.

In the case of TorrentLocker we were, in cooperation with the Dutch NCSC, able to fend them off which ended in them abandoning their campaigns against the Netherlands. We first documented a new variant being active on October 15, 2014 in a blog article. This however did not end their campaigns in other countries which are still ongoing as of writing this article.

In the following subsections we will give a brief analysis of the individual ransomware variants listed in the top 3. The analysis structure will be the same formal setup for all three families to keep it standardized, straightforward and easy to compare. In this analysis we will refer to the criminals’ command and control server, from which they control the ransomware, as the ‘C&C’ for short.


Ransomware analysis: CryptoWall


This Ransomware has been around since at least November 2013, although the operators were active developing and using this ransomware before it was officially dubbed ‘CryptoWall’.

CryptoWall has gone through a lot of changes in all aspects, including persistence, cryptography and C&C communication. Initially, when it was still called ‘CryptoDefense’, CryptoWall would generate its encryption keys on the local machine, which was shown to be flawed in a news article; the authors read it and fixed this ‘issue’. The current version of CryptoWall, version 3.0, uses AES for file encryption, while earlier versions used RSA-2048 directly on the files. Version 3.0 receives a 2048-bit RSA key from the C&C but does not use it directly to encrypt files: an AES key is generated to encrypt a file with, and that AES key is then encrypted with the obtained RSA-2048 key.

Originally, CryptoWall’s first versions communicated via proxy servers set up by the criminals, which would forward traffic towards the C&C server residing in Tor. In a newer version of CryptoWall, communication went directly over the Tor network; this was originally seen as a test version by the authors, but it was later also used as their main way of C&C communication. A few days after the Tor-only version it changed back to non-direct Tor, followed by a version using the I2P network; a lot of testing was going on. After all these tests the authors settled on a communication setup consisting of two layers of proxies, basically the original setup of the initial CryptoWall but with one extra layer of proxies. These proxies are set up on hacked websites. While these servers are cleaned up or taken offline quickly, this is workable for the CryptoWall authors: the ransomware only needs to get one single connection out in order to obtain a key and encrypt files; it does not need a constant C&C connection as seen with other types of malware.

The spread of CryptoWall has only been increasing since its start with constant active campaigns mostly through the use of exploit kit services. The authors have an affiliate program running which makes it even more interesting and profitable for other criminals to spread CryptoWall to get a cut of the profit. This affiliate program has greatly improved their business income.

Network behavior

As said earlier, CryptoWall communicates via proxy servers with its real command and control server, which is hidden within the Tor network. These proxies are hosted on compromised websites, mainly outdated WordPress and Joomla instances, although Drupal instances are also spotted at times. All communication is done via plain HTTP POST requests, with the POST data and the response data encrypted with RC4.

After getting onto a victim's PC, CryptoWall starts looking for a functioning proxy server. Once it has found one, it starts by sending the C&C server a few things:

  • A unique campaign identifier (basically the source of the infection like spam or an exploit kit)
  • Its IP address (because the C&C runs inside Tor it needs to know the real IP address to be able to geolocate an infection)
  • Its unique identifier (identifier generated for an infected machine to be able to identify it from other infections)

The C&C server responds with:

  • The location of the ransom payment page (where victims can buy the decryption software)
  • The country the victim is originating from
  • An RSA-2048 public key used for file encryption

After receiving this information the client starts encrypting files on the machine. When it has finished encrypting the files, the ransomware reports the number of encrypted files back to the C&C. The C&C responds with an image, shown to the user, indicating that CryptoWall has encrypted all their files:

CryptoWall ransom note

File-system behavior

Besides encrypting all the files specified in its target file-types list, CryptoWall also performs the following operations on the file-system of the infected system:

  • Drop the lock screen image
  • Drop a TXT file containing the same instructions as seen on the image

CryptoWall also runs a set of commands to disable volume shadow copies (Windows automatic volume backups) and the Windows Error Recovery boot screen. It also disables Windows updates and, if enabled, various security services such as Windows Defender.


Distribution source(s) :
  • Exploit kits
  • Email
C&C communication scheme : Traffic is sent through a proxy (usually a hacked website) to a server (controlled by the criminals) that proxies the data further on to the C&C server hidden within the Tor network.
Cryptography scheme for files : AES
Targets network shares : Yes, enumerates all connected drives networked or not.

Targeted file types

Documents : odt, ppt, indd, oab, ods, pptx, pct, nk2, odp, pptm, prf, eml, odm, rtf, des, wb2, odc, msg, iif, pdd, odb, pages, nd, thm, doc, tex, qba, der, docx, txt, tlg, cer, docm, wpd, qbb, crt, wps, pdf, qbm, pem, xls, db, qbr, pfx, xlr, dbf, qbw, p12, xlsx, mdb, qby, p7b, xlsm, mdf, ach, p7c, xlsb, pst, key, xlk, sql, ost, wallet, pps, accdb, pab
Photos : 3dm, kd, dxf, 3ds, erf, dxg, max, mef, psd, obj, mrw, dds, ai, nef, eps, nrw, tga, ps, orf, yuv, svg, raf, dng, cdr, rwl, arw, rw2, srf, raw, sr2, r3d, bay, ptx, crw, pef, 3fr, srw, cr2, x3f, dcr
Code : pdb, c, cpp, hhpp, class, cs, dtd, fla, java, lua, m, pl, py, pas
Images : jpe, jpg
Audio & Video : 3g2, 3gp, asf, asx, avi, flv, m4v, mov, mp4, mpg, rm, srt, swf, vob, vmw, mp3, wav, flac
Backup : (no extensions listed)




Ransomware analysis: CTB-Locker


CTB-Locker was first seen being sold in the underground communities back in the middle of June 2014. Researcher Kafeine wrote an article on this original sale by the author. The name CTB stands for Curve-Tor-Bitcoin, referring to items it utilizes: Curve refers to the elliptic curve encryption scheme used for file encryption, Tor refers to its usage of the Tor network to hide its C&C server and Bitcoin refers to the single ransom payment method available: Bitcoins.

CTB originally supported only Russian and English translations of its ransom demand message, but has added more languages as it was developed. It currently supports Russian, English, Italian, Dutch, German, Spanish, French and Latvian for its ransom message. In the Netherlands we have seen several waves of CTB-Locker, mostly impersonating a financial institution that normally sends out payment forms, which CTB fakes as attachments.

CTB's command and control servers reside in the Tor network, but are not needed for the initial infection. A user's files can be encrypted while the machine has no internet connectivity. This is possible due to the way the encryption and payment system of CTB works. The file encryption combines SHA256 with Curve25519 operations; the exact details are explained in great depth by researcher Massimiliano Felici, who published an article on his blog named 'CTB-Locker encryption/decryption scheme in details'.

Just like CryptoWall, CTB-Locker has an affiliate program through which other criminals can spread CTB-Locker in order to get a cut of the profits. This affiliate program has been publicly exposed and researched by researcher Kafeine on his blog. The affiliate program has a website running inside the Tor network, just like the C&C server. On this affiliate website the author of CTB-Locker also keeps an updated log of updates to and extensions of CTB-Locker's functionality.

Network behavior

As said earlier, CTB-Locker does not require an internet connection to be present on the infected client. If it does have internet connectivity, it sends the encryption information to the C&C within Tor. It does this by talking to its server inside the Tor network via variants of the Tor2Web service, which act as a proxy into the Tor network.

Besides sending this information to the C&C it will also do an online lookup for its external IP address.

File-system behavior

Besides encrypting all the files specified in its target file-types list, CTB-locker also performs the following operations on the file-system of the infected system:

  • Drop the lock screen image and set it as the background; an example of this:
    CTB lock screen
  • Have an application pop up with similar instructions as seen on the background image. This application is stored on the local machine. It contains a payment ID, a list of encrypted files, a countdown timer and instructions on how to pay the ransom amount to recover the encrypted files. This example is the English translation; clicking any of the flags at the top of the application changes the language:
    CTB lock screen


Besides these graphical messages a copy of the text is also put on the file-system in the form of a text file as well as a copy of the background image.

CTB-locker will also run a set of commands to disable volume shadow copies (Windows automatic volume backups).


Distribution source(s) :
  • Exploit kits
  • Email
C&C communication scheme : Doesn’t need an internet connection to start file encryption. Due to its implementation it is able to encrypt files offline.
Cryptography scheme for files : AES
Targets network shares : Yes, enumerates all connected drives networked or not.

Targeted file types

Documents : doc, docx, rtf, docm, xls, xlsx, txt, xlk, xlsb, xlsm, mdb, dwg, accdb, odb, odm, odp, ods, odt, odf, wb2, vsd, wpd
Photos : kdc, nef
Code : cpp, c, php, js, cs, pas, bas, pl
Images : 3fr, dds, jpe, jpeg, jpg, cr2, rw2, psd, ai, dd, rwl, dxf, dxg, arw, cdr, crw, eps, dcr, dng, indd, mrw, nrw, srw, ims
Audio & Video : (no extensions listed)
Other : arp, cer, crt, der, pem, 7z, zip, rar, pwm, kwm, safe, groups, mdf, dbf, sql, md, bay, blend, erf, mef, p12, p12f, dbx, gdb, bsdr, bsdu, bdcr, bdcu, bpdr, bpdu, bsd, bdd, bdp, gsf, gsd, iss, rik, fdb, abu



Ransomware analysis: TorrentLocker


TorrentLocker was first documented in February 2014, when Turkish victims received emails from 'Turkcell', the leading mobile phone operator in Turkey. Users were lured onto a fake Turkcell website where they had to download a document. This was the first documented attack by TorrentLocker, which at the time did not have a name yet. It was named TorrentLocker, to distinguish it from other ransomware threats, after the first registry key it used, which contained 'Torrent':

HKCU\Software\Bit Torrent Application\

Since then TorrentLocker has evolved in how it shows the ransom demand messages to the user and in its implementation of cryptography. Its method of spreading, however, has not changed a bit: the group impersonates local telecom providers or postal service websites, sending users emails indicating that a document is ready for them to download.

There have also been a few instances where malicious Word documents containing macros were used to infect systems with TorrentLocker.

The way the TorrentLocker group obtains the email addresses to send spam messages to is also interesting. They (most likely) started with an initial list of victims to spam, and this list was extended by infecting victims. When TorrentLocker infects a machine it harvests every possible email address from the address books of Thunderbird, Outlook and Windows Live Mail present on the system. We documented this process and their success with it in the past on our blog: 'Update on the TorrentLocker ransomware'. In our investigation of the run we saw back then, they were able to obtain 2.6 million email addresses with this harvesting technique, a lot more possible victims to start sending their spam to.

TorrentLocker tries to impersonate CryptoLocker and uses this name on both the ransom messages shown to the user as well as the ransom payment website. This ransom payment website is hosted within the Tor network while the C&C used for communication with the malware from an infected machine is a server outside of the Tor network.

Network behavior

TorrentLocker communicates with a C&C server directly. With this server TorrentLocker speaks a small protocol in which it can send the encryption key, encrypted file count, stolen email information as well as possible (crash) logs. It will also obtain a ransom page from the C&C server.

The whole communication protocol is encapsulated in HTTPS.

File-system behavior

Besides encrypting all the files specified in its target file-types list, TorrentLocker also performs the following operations on the file-system of the infected system:

  • Make a copy of itself in a location that ensures it will be present the next time the system starts.
  • Show a ransom instruction screen to the victim with information on how to pay the required ransom (in Bitcoins), where to get Bitcoins and where to send them. This screen does not give information on a possible deadline for the payment or the number of affected files:
    TorrentLocker lock screen


Distribution source(s) : Email
C&C communication scheme : Contacts a dedicated C&C server directly.
Cryptography scheme for files : AES-256
Targets network shares : Yes, enumerates all connected drives networked or not.

Targeted file types

Documents : 3ds, ab4, bgt, ac2, blend, cdf, cfp, csv, dbf, ddd, djvu, doc, docm, docx, dot, dotm, dotx, odb, odf, odg, odm, odp, ods, odt, otg, oth, otp, ots, ott, pdf, pot, potm, potx, ppam, pps, ppsx, ppsm, ppt, pptm, pptx, rtf, sldm, sldx, std, stw, scx, sxg, sxi, sxw, txt, wb2, xla, xlam, xll, xlm, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx
Photos : cib, cmt, craw, crw, dc2, dcr, dng, mos, mrw, nef, orf, pcd, ra2, raf, raw, rw2, rwl, sd0, sd1, sr2, srf, srw, st4, st5, st6, st7, st8, x3f
Code : asm, asp, c, cpp, css, h, erbsql, js, hpp, lua, php, pl
Images : 3fr, 3pr, acr, agd1, ai, ait, arw, cdr, cdr3, cdr4, cdr5, cdr6, cdrw, ce1, ce2, cgm, cr2, csh, dcs, ddoc, ddrw, design, fpx, fxg, jpeg, jpg, psd, sda
Audio & Video : al, bik, cpi, mpg
Other : 7z, accdb, accde, accdr, accdt, adb, apj, awg, backup, backupdb, bak, bdb, bgt, bkp, bpw, cdx, cer, cls, crt, csl, dac, db, db3, der, dgc, drf, drw, dwg, dxb, erf, exf, fdb, ffd, fff, fh, fhd, gray, grey, gry, hbk, ibank, ibd, ibz, idx, iiq, incpass, kc2, kdbx, kdc, kpdx, mdb, mdc, mef, mfw, mmw, myd, ndd, nop, nrw, ns2, ns3, ns4, nsd, nsf, nsg, nsh, nwb, nx1, nx2, nyf, p12, p7b, pat, p7c, pem, pfx, ps, psafe3, ptx, rdb, rwz, s3db, sav, sdf, sql, sqlite, sqlite3, sqlitedb, stc, sti, stx, sxm, xml, zip



The generic traits of Ransomware

While the different ransomware variants are unique in most of their behavior, the file types they are after and, in some cases, their cryptographic implementations are similar. When having to defend a client network on different levels, network and host based, there are quite a few generic traits seen with all of them.

File-system behavior

Most ransomware places payment instruction files in the directory of the files it is going to encrypt. These files are usually in the form of a text file, an image and/or a URL file. Usually it also changes the desktop wallpaper of the infected computer to these instructions and shows a popup window, so the user knows his files are being held for ransom and that he can get them back by paying.

Network behavior

Most ransomware families contact a C&C server in some form, either via Tor or via compromised WordPress websites. While the current generation of ransomware does not yet actively look for shares, as a side effect it does encrypt files on drives that are network-mapped on the computer. This has a large impact on businesses that do not have proper backup procedures.

Because decryption instruction files are dropped, this can also be detected at the network level when it happens on a network share. Our Network Monitoring service has detection for this.

When you see encrypted files on a network share you can easily check which user was infected with the ransomware and started encrypting the files: just check the creator of the instruction files on the share. This helps the system administrator disconnect the infected user from the network as quickly as possible to prevent any further damage.
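A defender-side check for the two traits just described, added here as an example (not Fox-IT's Network Monitoring code): it runs over constructed file-server audit events, attributes dropped ransom notes to the account that created them, and flags an account that modifies many files across many directories in a short burst. The log format and the ransom-note file names are assumptions.

```python
"""Attribute ransomware activity on a network share to the infected user.

Added example for this post (not Fox-IT code). It applies two traits from the
text: ransom notes are dropped into every directory being encrypted, so their
creator is the infected user; and an infected client modifies many files in
many directories in a short burst. Log format and note names are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from posixpath import basename, dirname

# Assumed note names: the post says text, image and/or URL files are dropped
# but does not list names, so these are placeholders for a real deployment.
RANSOM_NOTE_NAMES = {"decrypt_instructions.txt", "decrypt_instructions.url"}

# Constructed file-server audit log: ISO time | account | action | path.
SAMPLE_AUDIT_LOG = r"""
2015-06-01T09:00:01|CORP\alice|MODIFY|/finance/2015/q1.xlsx
2015-06-01T09:00:02|CORP\alice|MODIFY|/finance/2015/q2.xlsx
2015-06-01T09:00:05|CORP\bob|MODIFY|/hr/contracts/a.docx
2015-06-01T09:00:06|CORP\bob|CREATE|/hr/contracts/decrypt_instructions.txt
2015-06-01T09:00:07|CORP\bob|MODIFY|/hr/contracts/b.docx
2015-06-01T09:00:08|CORP\bob|MODIFY|/hr/policies/c.pdf
2015-06-01T09:00:09|CORP\bob|CREATE|/hr/policies/decrypt_instructions.txt
2015-06-01T09:00:10|CORP\bob|MODIFY|/shared/photos/d.jpg
2015-06-01T09:00:11|CORP\bob|MODIFY|/shared/photos/e.cr2
2015-06-01T09:00:12|CORP\bob|CREATE|/shared/photos/decrypt_instructions.txt
2015-06-01T09:30:00|CORP\alice|MODIFY|/finance/2015/q3.xlsx
"""


def parse_events(log_text):
    """Parse the log into (time, user, action, path) tuples, oldest first."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, action, path = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return sorted(events)


def note_droppers(events):
    """Map each user that created a ransom note to (first note time, set of dirs)."""
    dropped = {}
    for ts, user, action, path in events:
        if action == "CREATE" and basename(path).lower() in RANSOM_NOTE_NAMES:
            _, dirs = dropped.setdefault(user, (ts, set()))  # ts of first note
            dirs.add(dirname(path))
    return dropped


def burst_writers(events, window=timedelta(minutes=1), min_files=4, min_dirs=2):
    """Return {user: burst start} for users modifying >= min_files files in
    >= min_dirs directories within `window` (sliding window per user)."""
    per_user = defaultdict(list)
    for ts, user, action, path in events:
        if action == "MODIFY":
            per_user[user].append((ts, path))
    flagged = {}
    for user, writes in per_user.items():
        start = 0
        for end in range(len(writes)):
            while writes[end][0] - writes[start][0] > window:
                start += 1
            chunk = writes[start:end + 1]
            if len(chunk) >= min_files and len({dirname(p) for _, p in chunk}) >= min_dirs:
                flagged[user] = writes[start][0]
                break
    return flagged


def infected_users(log_text):
    """Combine both signals into {user: {first_seen, note_dirs, burst}}."""
    events = parse_events(log_text)
    notes = note_droppers(events)
    bursts = burst_writers(events)
    report = {}
    for user in set(notes) | set(bursts):
        times = [t for t in (notes.get(user, (None,))[0], bursts.get(user)) if t]
        report[user] = {
            "first_seen": min(times),  # earliest point to restore backups from
            "note_dirs": sorted(notes[user][1]) if user in notes else [],
            "burst": user in bursts,
        }
    return report


if __name__ == "__main__":
    for user, info in infected_users(SAMPLE_AUDIT_LOG).items():
        print(f"{user}: first seen {info['first_seen']}, burst={info['burst']}, "
              f"notes dropped in {info['note_dirs']}")
```

On the sample log only CORP\bob is reported: the account that created the notes and whose writes spanned three directories within a minute, with the first seen time being the point to which the share's backups must be rolled back.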



Having looked at the ransomware variants described, there are a few things we can conclude in terms of security:

  1. Unlike normal malware, ransomware does not need an extended presence on the system in order to 'do its thing'. Once the key has been sent to the criminals it is over, as the files are in most cases unrecoverable.
  2. On the network side there are quite a lot of indicators to work with in order to detect the presence or the initial infection of these ransomware variants in most cases.
  3. As seen with CTB-Locker, ransomware does not always need internet connectivity. This is where endpoint protection should be able to detect the ransomware.


Based on our findings in the 'generic traits' section, we can also say that in many cases we are quite lucky in terms of detection: many ransomware authors have the same goal and perform the same actions.

Ransomware is (sadly) not something that will pass at some point, as happened with fake antivirus software for example. In the past years ransomware threats have only grown in size and numbers. Whereas in the past lockers would not affect files but only the user's current session, ransomware has been a very effective threat, as users are forced to take action in order to get their personal files back.

The usage of the Tor network only makes it harder to stop these threats and only continued operations where law enforcement and the private industry work together are an effective way of frustrating and/or wearing down these criminals.


–  Fox-IT Security Research Team

How a research project at Fox-IT enhances your security career

Internships are a great way to assess a student's capabilities, and Fox-IT is always looking for talented individuals who have proven they have what it takes to be 'a foxer'.

At Fox-IT we hold our colleagues to the highest (technical) knowledge standard. If everyone is held to this high standard, we can ensure the quality of our products and services, as well as having capable colleagues in a challenging but foremost exciting environment.

Internships are an excellent method of engaging in research that can be futuristic or visionary. Not all research leads to the positive results expected, but that is why it is called research after all. Typically, a student will research, and then PoC (Proof of Concept), one of the many processes or technologies that we need. We introduce the student to the world of IT security in a very focused manner. This usually involves a very narrow area of research that concentrates on only one problem. Supervision by 'a foxer' who knows the intricacies of the problems that we are trying to solve allows us to get the best out of the student. "The more focused the research the better" is the motto here. Students usually spend 5 months on their project, which is quite short for research, testing and quality work, especially if you include all the documentation that is needed for the educational institutes as well.

How does one enrol for security research at Fox-IT?

I’ll start with an example of how our enrolment process works. A student will look at the list of available projects that we have on our website: https://www.fox-it.com/nl/werken-bij-fox-it/stage-afstuderen/. They register by sending an email to vacature@fox-it.com, with their CV, which projects interest them, and why. This email is then forwarded to the responsible division student coordinators for processing. Let me just say that there are always custom projects for capable motivated students. This online list can never be considered complete or extensive. If you have a brilliant idea of your own, do not hesitate to submit that as a proposal.

I will get the student's details that relate to MSS (Managed Security Monitoring), and send them an email or ring them to set a time for an interview at Fox-IT HQ. As part of the process, I will interview the candidate. This allows me to get to know them and their capabilities, and to guide them towards projects that best suit the skills they already have. At this stage, we will figure out the best course of action. In the end, we have a research proposal that describes what will be done during the internship.

Different types of Internships
There are three types of interns inside Fox-IT. The first is what I would call a standard internship, which involves working inside our dedicated intern room, focusing on the research and producing results. The second type is external or very short internships. These internships are done externally without the student coming to Fox-IT every day. I’m personally not a big fan of these internships, and they are rare. The third type of internship is MSS specific, as the intern is also tested for acceptance into the SOC excellence program, otherwise they can always be a standard intern. See https://www.fox-it.com/nl/vacancies/7384/. Their research projects are enriched by the front line experience that they gain working in our SOC (Security Operations Center) on a part-time basis.

Over the years we have had interns from many different countries and educational institutes. Most are from inside the EU (such as myself), but also from other places such as Mexico, India or Jamaica. For these students, or others who live too far away from Delft, we offer a temporary place to rent, which we very originally call the 'Fox House'.

The difference between Fox-IT and others
I frankly can only speak for how it is at MSS, and how we do things, but every day is guaranteed to be different. New exploits that need to be analysed, new interesting incidents to investigate or new detection methods to develop are the norm. As a principle of Fox-IT, technical creativity is encouraged. This gives us the room for cutting-edge innovation, such as Quantum Insert detection (https://github.com/fox-it/quantuminsert), which allows us to make a difference not only for our customers but also for the wider community. So if you want to participate in our continuous innovation, consider a Fox-IT internship.

As a side note, a substantial minority of the staff are international and many of our processes are in English. So I wouldn’t call Fox-IT your typical Dutch company. In short, Fox-IT offers students a friendly, technically competent and international environment to do their research, and progress their career.

Barry Weymes
Senior Security Expert at MSS

Finding the hidden attacker in your network

Imagine the following scenario: you are the CIO of an organization and receive a phone call from an external party, informing you that suspicious traffic has been observed between your company network and a remote server. The incident response turns up that an attacker has been present in your network for over 6 months, and has had free rein in moving through all the end-points and data it deemed interesting. Apparently, your up-to-date security measures did not detect the presence of this attacker.

This is a real-life scenario that we have encountered in many forms over the past years when helping clients in their incident response. Often, 0-day exploits and advanced malware are involved, that do not trigger existing security measures like anti-virus or an Intrusion Detection System. So how do you actually detect such (often advanced) attacks?

Due diligence for your IT infrastructure

One of the hardest things is that the attacks we are discussing here are not detected by most traditional detection measures. Secondly, once an attacker has gained sufficient access, he will often be able to use existing user accounts to move further through your network. This type of legitimate-looking behavior is even harder to detect or prevent (your actual users still need to be able to work, right?).

A proven approach here is to investigate your IT infrastructure for traces of a breach, without having any indications of such a breach. Although this is much harder to do than when you have an actual indicator of an ongoing attack, you could perform a due diligence type of analysis where you look for traces of advanced attacks. What is essential in such an approach is to have the knowledge and experience present that go beyond your existing prevention and detection measures. Specifically, you are looking for a team of experienced incident responders and forensic analysts that know what types of traces and behavior they have to look for. In addition, the team should have access to the latest intelligence on past and current threats and modus operandi.

Fox-IT Compromise Assessment

Fox-IT's Compromise Assessment service is used to thoroughly analyze an organization's IT infrastructure for traces that might indicate a past or ongoing compromise of systems and/or data. Typically, the assessment involves the forensic analysis of a wide variety of data sources, namely network traffic, system and application logs, and end-point behavior. The threats that are relevant to your organization determine the scope and focus of the assessment.

The assessment itself consists of three parallel tracks:

  • Network forensics
  • Log file forensics
  • End-point forensics

Each track may require the deployment of some technology in the infrastructure under investigation, such as devices for network traffic recording and analysis (probes) and digital forensic analysis software. Each track consists of a combination of automated analysis and human expertise. By applying Fox-IT’s world-class threat intelligence, combined with the years of experience of our incident response and forensics team, we are able to add a unique layer of expertise on top of our automated analyses.

The focus is mostly on catching lateral movement of an attacker through the network, while also catching low-hanging fruit like malware infections or other less targeted attacks.

A typical compromise assessment will take between 5 and 7 weeks. The first few weeks are spent by deploying network probes and other data collectors that will record relevant data for a couple of weeks. This data, along with other relevant information (forensic disk images, log files, etc.), will then be analyzed by a team of Fox-IT experts. This usually takes around 2 to 3 weeks of full-time work, optionally executed on-site at the client. The Fox-IT experts will work closely with the client’s IT staff, to follow up on leads and indications of malicious activity that come up during the assessment.

Results and benefits

The main result of a compromise assessment is obviously an answer to the question whether traces were found of a past or ongoing breach. However, the benefits of performing a compromise assessment extend beyond just this one question. By gathering so much forensic information, analyzing it and discussing results with your IT staff, Fox-IT experts will get an insight into various aspects of your IT security. The final report will therefore also contain recommendations in the fields of general security, preventive, detective and responsive/readiness measures. The recommendations are structured according to the SANS Critical Security Controls.

A compromise assessment can also quite easily be extended by adding forensic readiness and/or security maturity assessments. That way, an organization can use the compromise assessment as a starting point in designing a new IT security strategy or in validating and strengthening an existing one.

Contact and more information

If you are interested in a compromise assessment and would like to further discuss the possibilities for your organization, please contact Kevin Jonkers via e-mail fox@fox-it.com or by phone +31 (0) 15 284 79 99.