CYBER INTELLIGENCE THREAT ADVISORY
GLOBAL THREAT ANALYSIS CENTERS

Cyber Managed Services, CSC

Version 1.0

CRYPTOLOCKER – CONTINUES TO EVOLVE
Friday, June 19, 2015

Synopsis

Since the first reports of a Trojan that encrypts files on a Windows computer were published in September 2013, many organizations and individuals have suffered some level of data or monetary loss [1]. As the threat has evolved it has demonstrated more advanced evasion techniques and encryption methodologies. It has also become network aware, searching for specific file types to encrypt not only on the infected system but on any share that system can write to. Removing the Trojan itself is relatively simple; the damage it leaves behind is not, because files encrypted with a key the victim never held stay encrypted unless a clean backup exists. Numerous products detect and mitigate this threat, but usually only after specific indicators have been flagged, by which time some files have already been encrypted. The information that follows provides background on the threat and examples of recent changes that have allowed it to remain effective.

Background

When people first heard of a Trojan that could encrypt the files on their systems and hold them for ransom, some dismissed it as social engineering or a tall tale. Many soon learned that it was very real and had been spreading across the Internet since the latter half of 2013. Screen captures and horror stories circulated of administrators trying to recover encrypted files while a countdown timer approached zero, the point at which the attackers claimed the files would no longer be recoverable. Some tempted fate; others agonized over whether or not to pay. Some that paid never received a decryption key, or received one that did not work. Others restored from backup and ran virus scans, only to find that the freshly restored systems had been hit again. The image below is a sample of the message that every administrator or system owner hoped never to see.



[Image: sample CryptoLocker ransom message with countdown timer, source www.coindesk.com]

During the first phases of this infection, damage was usually limited to the system that received and opened the email attachment. Some early iterations also had a weakness: they generated and saved a copy of the encryption keys on the infected system, so removal and decryption of the files was possible when done in the appropriate sequence (recover the key material first, then clean the infection; wiping the malware first destroyed the only copy of the keys). As the threat evolved, other banners appeared, depicting an official government operation or a takedown of systems supposedly being operated illegally.

[Image: government-operation style ransom banner, source www.spiare.com]

Just when we believed the threat was mitigated and everything was under control, a new variant would be introduced with more functionality and, in some cases, higher ransoms. Network-aware variants appeared that searched every share the infected system had access to and encrypted those as well. As with many threats, once a detection mechanism was found the attacker made small changes and the cycle started over.


How Does it Infect

The primary infection mechanism is an email carrying an attachment with a .zip extension. This has proven to be the most common method and, while well known, is still very effective in many environments. The attachment is usually named to attract attention or to look routine in the targeted environment (an invoice, for example). Once the attachment is opened, the process begins. The Trojan creates several files on the system that carry the payment instructions or the threatening pop-up about misuse of the system. While these files are being written to the local machine or share, the malware searches the local machine and all mapped drives for files with specific extensions and begins encrypting them. Later in this document we explain how these indicators of compromise are used to stop the threat and halt the encryption process.

Current Detection/Prevention

As more was learned about the threat, detection mechanisms were introduced through anti-virus signatures and Host Intrusion Prevention System (HIPS) rules. Inbound messages carrying the Trojan could also be blocked at the mail gateway based on attachment hashes and content. In the HIPS arena the rules look for execution of the dropped files, or for creation of the specific tag files (the ransom notes) the threat writes alongside the data it encrypts. In some cases the encryption mechanism was understood, or keys were recovered, and decryption keys were published, thwarting the attackers' attempts at ransom. Each time progress is made in stopping or limiting the threat, a new variant appears that differs slightly from the previous iteration, and a new indicator must be found to key on.

Targets

The primary targets for this threat are personal and business data files on systems and shares; it does not customarily go after the systems themselves. The most common extensions searched for once a system is infected are [2]:

cdr crt dbf doc docm docx dwg jpg kdc mdb

odb p12 p7b ppt pptm pptx pst raw rtf wpd

wps xlk xls xlsb xlsm xlsx

While the extensions listed above are the most common, they are not the only file types targeted. With each iteration the list of extensions searched for and encrypted has grown. The critical point is that the threat looks for files that are valuable to the victim, files the victim would consider paying the ransom to recover. System files may be used as a staging or storage location for the infector, but they are not customarily encrypted; rendering the machine unusable would defeat the purpose, since the victim must still be able to read the ransom note and pay.
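The HIPS indicators described above (execution of the dropped files, creation of particular tag files) are specific to one variant and lag each new release. A behavioural rule keyed on the file activity itself ages better: a single process writing or renaming a burst of files with the extensions listed above, optionally alongside a ransom-note drop. The following is an added illustration written for this advisory, not CSC's HIPS content or any vendor's rule. The event-log line format, the ransom-note filename pattern, the thresholds and the constructed sample events (a Word session and a dropped executable named invoice_2015.pdf.exe) are all assumptions made for the example.

```python
"""Flag a process that rewrites many user-data files in a short window.

Added illustration for this advisory; it is not CSC's HIPS content. The log
format, the ransom-note filename pattern and the thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions the advisory lists as the most commonly targeted.
TARGET_EXTENSIONS = {
    "cdr", "crt", "dbf", "doc", "docm", "docx", "dwg", "jpg", "kdc", "mdb",
    "odb", "p12", "p7b", "ppt", "pptm", "pptx", "pst", "raw", "rtf", "wpd",
    "wps", "xlk", "xls", "xlsb", "xlsm", "xlsx",
}

# Hypothetical ransom-note ("tag file") name pattern; real names differ per variant.
RANSOM_NOTE_RE = re.compile(r"(decrypt|how_to_recover|restore_files)", re.IGNORECASE)

# Assumed file-activity log shape, one event per line:
#   <ISO timestamp> pid=<n> image=<executable> op=<create|write|rename> path=<file>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) op=(?P<op>\w+) path=(?P<path>.+)$"
)


def parse_line(line):
    """Parse one event; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev


def extension(path):
    """Lower-case extension of a Windows or UNC path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines, window=timedelta(seconds=60), threshold=10):
    """One alert per (pid, image) that writes/renames >= `threshold` targeted
    files inside any `window`; records whether it also dropped a ransom note."""
    events = [ev for ev in map(parse_line, lines) if ev]
    events.sort(key=lambda ev: ev["ts"])
    recent = defaultdict(deque)   # (pid, image) -> timestamps of recent targeted writes
    notes = defaultdict(list)     # (pid, image) -> ransom-note paths created
    alerts = {}
    for ev in events:
        key = (ev["pid"], ev["image"])
        if ev["op"] == "create" and RANSOM_NOTE_RE.search(ev["path"]):
            notes[key].append(ev["path"])
        if ev["op"] in ("write", "rename") and extension(ev["path"]) in TARGET_EXTENSIONS:
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(key, {"pid": key[0], "image": key[1],
                                                "first_seen": q[0], "files_in_window": 0})
                alert["files_in_window"] = max(alert["files_in_window"], len(q))
    for key, alert in alerts.items():
        alert["ransom_note"] = bool(notes[key])
    return list(alerts.values())


# Constructed sample events (not a real capture): a user saving a memo in Word,
# then a dropped executable with a double extension writing a ransom note and
# rewriting twelve data files in twelve seconds.
_MALWARE = r"C:\Users\bob\AppData\Local\Temp\invoice_2015.pdf.exe"
_VICTIM_FILES = ["budget.xlsx", "contract.docx", "family.jpg", "deck.pptx",
                 "mail.pst", "plan.dwg", "notes.rtf", "keys.p12", "old.xls",
                 "db.mdb", "scan.raw", "cv.doc"]
SAMPLE_LOG = [
    r"2015-06-19T09:00:01 pid=2288 image=WINWORD.EXE op=write path=\\fs01\shared\memo.docx",
    r"2015-06-19T09:00:40 pid=2288 image=WINWORD.EXE op=write path=\\fs01\shared\memo.docx",
    f"2015-06-19T09:05:00 pid=4120 image={_MALWARE} op=create "
    r"path=C:\Users\bob\Documents\DECRYPT_INSTRUCTIONS.txt",
] + [
    f"2015-06-19T09:05:{i + 1:02d} pid=4120 image={_MALWARE} op=write "
    f"path=C:\\Users\\bob\\Documents\\{name}"
    for i, name in enumerate(_VICTIM_FILES)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Tune `threshold` and `window` against a baseline of legitimate bulk writers (backup agents, indexers, document converters) before acting on the alert automatically; the reason for pairing the burst count with the ransom-note indicator is to raise confidence without waiting for a hash-based signature for the next variant.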


New Variants and Behaviors

As the idea of ransomware has flourished, it has spawned many imitators and variants that have proven to be troublesome and destructive. Two of the most common problems are that decryption keys are not provided after the ransom is paid, and that the instability of the malware can cause system crashes. Now there is a new kit named Tox.

The Tox kit simply provides an easy-to-use, out-of-the-box solution for creating ransomware [3]. As described in the McAfee blog, the user registers with the service, enters the ransom amount, enters a "cause", and finally submits the captcha provided to prove that the user is not a machine [3]. There are dependencies associated with the kit, such as the use of Tor and Bitcoin, but its use is relatively simple and straightforward.

Another variant that has made the news is CTB-Locker. It infects in the same way, via a .zip attachment, and searches for personal and important files to encrypt [4]. Payment must be made in Bitcoin, and the victim is required to install Tor to communicate with the attackers. It has the typical countdown timer and the customary banners that earlier versions provided to explain what has happened to the system and what the victim must do about it. In this case the malware also offers to decrypt a file, as proof that decryption works before payment. If a system is infected the user can expect to see a banner like the one shown below.

[Image: CTB-Locker ransom banner, source www.techrepublic.com]


Recommendations/Potential Mitigation

Global Threat Intelligence recommends the following:

1. Update Anti-Virus engine and definitions as feasible in the environment.

2. Use caution when opening attachments and never open an attachment you aren’t expecting.

3. Consider implementing a least privilege posture for access to corporate/sensitive information, so that an infected user account can only encrypt the shares it genuinely needs to write to.

4. Perform regular backups and ensure those backups are stored offline or otherwise unreachable from the network, so that a compromise cannot encrypt the backups along with the data.

5. Utilize mail/spam firewalls to filter all content destined for users on your network.

6. Block all .zip files unless there is a business case to receive them.

7. Educate users regarding the dangers of phishing emails and spam.

We advise that all users evaluate the above mentioned mitigation strategies carefully and assess the potential impact to the environment. Testing and a controlled implementation will limit potential service disruptions.
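Recommendations 5 and 6 depend on what the mail gateway actually checks. Blocking on the .zip extension alone stops the lure described under "How Does it Infect", but a practitioner will usually also want to look inside archives that are allowed through, because the original CryptoLocker campaigns delivered an executable inside the zip, commonly with a misleading double extension such as invoice.pdf.exe. The example below is added for this advisory and is not CSC's tooling or a product rule; the sender allow-list, the executable-extension policy, the sample addresses and the sample messages (built in memory with the Python standard library) are assumptions made for the illustration.

```python
"""Quarantine inbound mail whose archive attachment hides an executable.

Added illustration for this advisory, not a CSC product or the page's own code.
The allow-list, the extension policy and the sample messages are assumptions
constructed for the example.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Member types that should never arrive inside an archive from outside (assumed policy).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar", "cpl"}
ARCHIVE_EXTENSIONS = {"zip"}
# Senders with a documented business case for receiving archives (assumed allow-list).
ALLOWED_ARCHIVE_SENDERS = {"partner@example.com"}


def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_zip(data):
    """Return archive member names that look executable, which catches double
    extensions such as 'invoice.pdf.exe'. An unreadable archive is itself
    reported, since a gateway should not deliver what it cannot inspect."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist()
                    if _ext(info.filename) in EXECUTABLE_EXTENSIONS]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def verdict(raw_message):
    """Return ('deliver' | 'quarantine', reasons) for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in ARCHIVE_EXTENSIONS:
            if sender not in ALLOWED_ARCHIVE_SENDERS:
                reasons.append(f"archive {name!r} from sender without a business case: {sender}")
            hidden = inspect_zip(part.get_payload(decode=True))
            if hidden:   # applies even to allow-listed senders
                reasons.append(f"{name!r} contains executable member(s): {hidden}")
        elif ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"direct executable attachment {name!r}")
    return ("quarantine" if reasons else "deliver"), reasons


def build_sample_message(sender, members):
    """Construct a test message (not a real sample) carrying an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "accounts@victim.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample_message("billing@unknown.example", {"invoice.pdf.exe": b"MZ\x90\x00"})
    print(verdict(lure))
    legit = build_sample_message("partner@example.com", {"report.pdf": b"%PDF-1.4"})
    print(verdict(legit))
```

The allow-list only relaxes the blanket .zip block; an executable member is quarantined regardless of sender, which is the check that matters once a business partner's mailbox is itself compromised. Nested archives and password-protected zips (which this code reports as unreadable) are the usual next evasions and should be handled by the same "cannot inspect, do not deliver" rule.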

CSC Available Services

The CSC Global Threat Intelligence team will continue to research and monitor this situation and provide updates as feasible. If additional indicators become available, we will forward information specific to the threat and provide a means to monitor for and mitigate potential infections. As we gain knowledge of this threat, we will advise our clients of additional safeguards and items to monitor in their environments. Our team of skilled analysts is on duty 24 hours a day, 7 days a week, to ensure that any issues arising in conjunction with this threat are escalated directly to our customers.

Conclusion

Ransomware has had a definitive impact in both personal and professional environments. Although it is known how the threat initially infects, and many of the indicators that follow an infection are known, it still manages to infect systems and extort money from its victims. There are several steps that can be taken to avoid infection, first and foremost not opening unexpected messages that contain attachments. Blocking files with a .zip extension is another means of minimizing the potential impact of this malware.

There are different schools of thought about paying the ransom; some would say that as a last resort it should be paid to avoid total loss of the data. The downside to this argument is that you are now a known target, it is also known that you are willing to pay, and there is no guarantee a working key will be delivered. Backups are a very good way to limit the damage an infection can do. It is critical that once an indication of compromise is seen, the entry system and all infected hosts are isolated from the network as quickly as possible while remediation is completed, since the malware continues to encrypt any reachable share for as long as it runs. With appropriate protection and user training the potential of this threat can be minimized, and if an infection does occur the information can be recovered without paying the ransom, provided the steps above (isolated backups above all) were taken before the infection.


References

[1] http://en.wikipedia.org/wiki/CryptoLocker
[2] https://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
[3] https://blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us
[4] http://www.techrepublic.com/article/ctb-locker-virus-how-to-protect-your-systems-and-what-to-do-if-infected/