One of the major and serious threats on the internet today is malicious software, often referred to as a Malware. Malware, short form of malicious software, is any software used to disrupt computer operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising. The malware being designed by attackers are polymorphic and metamorphic which have the ability to change their code as they propagate. The variants of malware families share typical behavioral patterns reflecting their origin and purpose. One of them is Ransomware.
Ransomware is a type of malware that employs asymmetric encryption to take a victim’s information as hostage over a ransom. Asymmetric (which has public and private) encryption is cryptography in which a pair of keys is used to encrypt and decrypt a file. The public-private pair of keys is uniquely generated by the attacker for the victim with the private key to decrypt the files stored on the attacker’s server. The attacker makes the private key available to the victim only after the ransom is paid, though that is not always the case as seen in recent ransomware campaigns. Without access to the private key, it is next to impossible to decrypt the files that are being held for ransom.
CryptoLocker is a ransomware which targets computers running Microsoft Windows, believed to have first been posted to the Internet on 5 September 2013. CryptoLocker is propagated via infected email attachments, and via an Exploit kit(EK). Previously the attackers using Angler EK to distribute CryptoLocker is now moved to Neutrino EK. Neutrino Exploit Kit is a malicious code present on fraudulent websites or illegally injected on legitimate but hacked websites without the knowledge of the administrator. The intention behind these code injections is to detect and exploit vulnerabilities on applications installed on your computer to install malicious and unwanted software that compromise the security. When activated, the ransomware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on server controlled by attacker. The ransomware pops up a message, which offers to decrypt the data if a ransom (through either bitcoin or a pre-paid cash voucher) is paid in a stated deadline, and threatened to delete the private key if ransom is not paid before the deadline. If victim does not pay ransom the attacker will delete the private key. In some case the attacker offer to decrypt data via an online service for a significantly higher price in bitcoin (current 1 bitcoin = INR 40335.59 | 604.93 US Dollar).
CryptoLocker uses multiple strategies to gain access to the victim’s system. Vulnerabilities in software applications provide an easy route for infecting systems with CryptoLocker. Many exploit kits include ransomware and are actively used to attack systems. Exploit kits are a type of malicious toolkit used to exploit security holes or vulnerabilities found in software applications (Java, Adobe Reader, Adobe Flash etc). These kits come with pre-written exploit code and target users running insecure or outdated software applications on their computers. Ransomware can also enter the system through lack of strict compliance rules within an organization. For example, not preventing auto-run option of USB drives can easily be exploited by perpetrators to execute Ransomware.
Another common strategy adopted by ransomware to gain access to systems via the e-mail. CryptoLocker Ransomware was distributed through spam emails targeting business professionals. The temptation was often a “consumer complaint” against the email recipient or their organization. Or an invoice of the purchase the victim which has never made, or a mail regarding salary hike from an HR. Attached to these emails was a ZIP archive with a random alphabetical filename containing 13 to 17 characters. Only the first character of the filename is capitalized. The archive contained a single executable with the same filename as the ZIP archive but with an EXE extension.
**Note : The file names will be random
Execution and persistence
CryptoLocker hides its presence from victims until it has successfully contacted a command and control (C & C) server and encrypted the files located on connected drives. Prior to these actions, the malware ensures that it remains running on infected systems and that it persists across reboots. When first executed, the malware creates a copy of itself in either %AppData% or %LocalAppData%. CryptoLocker then deletes the original executable file.
CryptoLocker then creates an “autorun” registry key:
The “Run” registry key is there to run EVERY time that specific user logs in in HKEY_CURRENT_USER (HKCU). It’s like an autoexec.bat or .profile for the machine or user.
Some versions of CryptoLocker create an additional registry entry:
The “RunOnce” registry key under HKCU is there to run ONCE when that user logs in and then the OS will remove it from the registry.
The asterisk at the beginning of the key name ensures that the malware executes even if the system is restarted in “safe mode.”
Additional configuration data is stored in the following registry key:
HKCU\SOFTWARE\CryptoLocker or HKCU\SOFTWARE\CryptoLocker_0388
The VersionInfo value stored within this key contains configuration data encoded with the XOR key 0x819C33AE. The PublicKey value contains the RSA public key received from the C&C server (command and control server) during the initial network connection.
The executable files in early CryptoLocker samples used a random filename formatted like a GUID:
On execution, CryptoLocker begins to scan mapped network drives that the host is connected (see affected file types), and then it renames and encrypts files and documents which has permission to modify by logged-in user. CryptoLocker uses an RSA 2048-bit key to encrypt the files and renames the files with an extension, such as, .encrypted or .cryptolocker or .[7-8 random characters], depending on the CryptoLocker variant. Finally, the malware creates a file in each infected directory linking to a web page with decryption instructions that require the user to pay ransom in terms of bitcoin. Instruction file names are typically DECRYPT_INSTRUCTION.txt or DECRYPT_INSTRUCTIONS.html.
For instance, a CryptoLocker malware creates an EXE file and executes to encrypt all the personal data. CryptoLocker uses strong third-party certified cryptography offered by Microsoft’s “CryptoAPI”. By using a sound implementation and following best practices, the malware authors have created a robust program that is difficult to bypass. The malware uses the “Microsoft Enhanced RSA and AES Cryptographic Provider” (MS_ENH_RSA_AES_PROV) to create keys and to encrypt data with the RSA (CALG_RSA_KEYX) and AES (CALG_AES_256) algorithms.
The encryption process begins after CryptoLocker has recognized its presence on the system and successfully located, connected to, and linked with an attacker-controlled C&C server. This communication offers the malware with the threat actors’ RSA public key, which is used during the course of the encryption process.
The malware begins the encryption process by using the GetLogicalDrives() API call to enumerate the disks on the system that have been assigned a drive letter (e.g., C:). CryptoLocker samples, the GetDriveType() API call then determines if the drives are local fixed disks or network drives (DRIVE_FIXED and DRIVE_REMOTE, respectively). Only those two types of drives are selected for file encryption in early samples. Samples also select removable drives (DRIVE_REMOVABLE), which can include USB thumb drives and external hard disks.
After selecting a list of disks to attack, the malware considers for encryption of all the files on those disks that match the 72 file patterns shown in the list below.
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.
All the files are encrypted with a unique AES key, which in turn is encrypted with the RSA public key received from the C&C server. The encrypted key, metadata, and the encrypted file contents are then written back to disk, replacing the original file. Encrypted files can only be recovered by obtaining the RSA private key held exclusively by the threat actors.
As a form of bookkeeping, the malware stores the location of every encrypted file in the following registry key HKCU\SOFTWARE\CryptoLocker(or CryptoLocker_0388)
After completing the file encryption process, CryptoLocker re-scans the system in regular intervals for new drives and files to encrypt.
The malware does not disclose its presence to the victim until all targeted files have been encrypted. Once all the files are encrypted CryptoLocker pop up’s with a splash screen containing instructions and an ominous countdown timer to a victim (as shown in the above picture).
Prevents you from accessing your desktop
As part of its payload, this threat displays a full-screen web page that covers all other windows, rendering your PC unusable. The warning asks you to pay a ransom to receive a randomly-generated key that will “unlock” your files and let you regain access to your PC. The ransomware displays a countdown clock counting down from 72 hours, and gives you the following payment options to pay the ransom:
The key that “unlocks” your PC is unique; you will not be able to use anyone else’s key. Note that these online payment systems are not associated with this threat in any way.
Based on its design, deployment method, and empirical observations of its distribution, CryptoLocker appears to target English-speakers, specifically those located in the United States. Malware authors are from Russia and Eastern Europe, where the CryptoLocker authors are thought to originate, commonly target victims in North America and Western Europe. Law enforcement cooperation between these regions is complicated by numerous factors, which often results in threat actors believing that they can operate with impunity.
Early infections occurred disproportionately at financial institutions, but untrustworthy reports suggest that early victims were in upright as diverse as hospitality and public utilities. There is no evidence the actors are targeting specific industries. The threat actors have also expanded their attacks to include home Internet users in addition to professionals.
SecPod Saner provides continuous visibility and control of all endpoints. It proactively remediates risks and detects and responds to threats. Saner combines endpoint vulnerability, patch and compliance management with endpoint threat detection and response into one easy to manage solution. Saner helps to detect these kind of dangerous ransomwares and Isolate the infected systems from creating more damage on the network drives connected to the affected computer
How Does Saner Prevent and Detect Ransomware?
Saner’s first level of defense is prevention. Saner remediates endpoint systems to remove all known vulnerabilities. Removal of vulnerabilities effectively blocks the ability of ransomware to exploit known vulnerabilities. Since known vulnerabilities provide a major gateway, this substantially reduces the entry point and opportunity for ransomware attacks.
Often ransomware use lack compliance with strict hardening rules to attack endpoint systems. Saner’s compliance management component ensures that endpoint systems are hardened and stay compliant with defined policies. Deviations are monitored and corrected in real time. This further reduces the risk of ransomware by eliminating potentially easy paths through which ransomware can enter the system.
Often ransomware enters systems as an attachment to an email or through a phishing attack or waterhole attack through exploit kits. The user clicks the attachment — which triggers the ransomware attack. The attachment is usually innocuous-looking – made to appear as a genuine artifact from a company or somebody he or she corresponds with regularly. However, the attachment is actually an executable that launches the ransomware.
When ransomware enters a system through this channel, it is of utmost importance to detect the launch immediately. Saner detects ransomware using an up-to-date threat intelligence database that contains the latest ransomware threat feed. If an attacker is successful in getting through with an email attachment, Saner uses the threat feed to detect the ransomware.
In addition to threat intelligence, Saner uses known behavioural patterns of ransomware to detect an ongoing attack. Such behaviour includes connecting to a server to procure the key for encryption, modifying certain registry keys, and creating new registry keys. Additionally, if the attack is actually in progress, a large number of files with specific extensions are updated. Some variants create files with a new extension. For example, Locky ransomware creates files with an extension .locky. Saner detects these events in real time.
With this multipronged approach, Saner reduces the risk of ransomware infecting a system or multiple systems connected in a network and helps contain damage.
Saner detects malware based on MD5, registry entries, files, process, network connection and many other artifacts created by the malwares are used to detect malware in real time and alert admin to take action.
Once cryptolocker executes, it creates following IoC’s.
The IoC’s (Indicator of Compromise) are captured by the Saner using Real Time Monitor and Saner upload’s the result to the Server. Based on the Threat feed the Saner will evaluates the uploaded IoC’s and displays matching IoC’s in the Viser screen stating that the system is been infected with CryptoLocker Ransomeware.
With this approach, Saner detects ongoing attack in real time and reduces the risk of CryptoLocker ransomware infecting a system or other systems in the network and containing the damage considerably. Once admin sees the ongoing attack, admin can take appropriate actions by using C&C section in Viser.
For the new variants of CryptoLocker, this detection strategy may not work and CryptoLocker may launch and execute. When this happens the damage caused by ransomware can go beyond the system. CryptoLocker Ransomware can wreak havoc by encrypting not only the files on the user’s disk but can encrypt files in the network drives connected to the system.
Saner provides an admin interface, Viser, where admin is quickly alerted to an ongoing ransomware attack and admin can take appropriate actions by using C&C section in Viser. Also admin can isolate the compromised system and prevent greater damage by isolating the system before the ransomware has a chance to encrypt contents of the network file systems. This will significantly reduce the damage that ransomware could cause by encrypting files on the network drives connected to the affected computer.
It is poised to become more than a billion dollars a year, crime in 2016. Ransomware can attack systems using vulnerabilities, weak configurations, non-compliant systems and phishing attacks. The damage caused by ransomware can be considerable.
Today ransomware is a sophisticated weapon used by cyber criminals, affecting users in many regions worldwide, targeting those living in developed and high-tech countries. While complete prevention of ransomware may not be possible today, Saner helps considerably reduce the risk of ransomware attack. Further, with its admin console, Saner can reduce the potential damage that can be caused by ransomware. We are aggressively improving the capability of Saner to handle such threats like ransomware.
“Saner’s first level of defense is prevention” Saner detects all potential vulnerabilities and patches all known vulnerabilities in that system and reduces the entry point and opportunity for cryptolocker or such ransomware attacks.