Understanding CryptoLocker (Ransomware) with a Case Study

Apr 21, 2017

securityxploded
Page 1: Understanding CryptoLocker (Ransomware) with a Case Study

Understanding CryptoLocker (Ransomware) with a Case Study

Page 2

Who Am I?

Forensics Investigator

M.Tech (Information Security) in 2014, IIIT – Delhi

Former Intern at CIRT-India.

Interest: any kind of cyber forensics

Email: [email protected]

LinkedIn: https://www.linkedin.com/in/adarshagarwal91

Page 3

Disclaimer

• The entire analysis is done on an individual basis.

• The information and opinions in this presentation are mine alone and do not reflect those of my current employer.

Page 14

Ransomware (CryptoLocker)

Page 18

CryptoLocker a.k.a Ransomware

• CryptoLocker is a ransomware Trojan.

• Believed to have first been posted to the Internet on 5 September 2013.

• It does not spread by itself, but it encrypts any files on mapped or shared network drives reachable from the infected host, so one infected workstation can hit shared storage.

• Uses hybrid encryption: each file is encrypted with AES-256 and the per-file AES key is wrapped with a 2048-bit RSA public key; the matching private key is held only on the malware's control servers.
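The hybrid scheme described above, written out as an added example (this is not CryptoLocker's code and not from the presentation): a fresh AES-256 key per file, that key wrapped under the operator's RSA-2048 public key, and a decryptor that only works once the private key is available. AES-GCM, RSA-OAEP, and the type and function names are my choices for the demonstration, not details from the page; the real malware used its own modes and file format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// EncryptedFile is everything that remains on the victim's disk after the
// per-file step. Note what is NOT here: the plaintext AES key.
type EncryptedFile struct {
	WrappedKey []byte // per-file AES key, RSA-OAEP-wrapped under the operator's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output (ciphertext plus 16-byte tag)
}

// encryptFile is the victim-side step. The malware carries only the
// operator's public key: a fresh AES-256 key is generated per file, used
// once, wrapped, and then wiped.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // the only surviving copy of the key is the wrapped one
		fileKey[i] = 0
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// decryptFile is the operator-side step (what the "decryptor" sold for the
// ransom does): unwrap the file key with the private key, then open the file.
func decryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong or missing private key): %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// roundTrip runs the scheme once. It returns the plaintext recovered with the
// operator's private key and whether recovery with an unrelated private key
// (a guess, or a key from another campaign) fails as it should.
func roundTrip(plaintext []byte) (recovered []byte, wrongKeyFails bool, err error) {
	operatorKey, err := rsa.GenerateKey(rand.Reader, 2048) // lives on the C2 only
	if err != nil {
		return nil, false, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	ef, err := encryptFile(&operatorKey.PublicKey, plaintext) // victim side: public key only
	if err != nil {
		return nil, false, err
	}
	_, wrongErr := decryptFile(otherKey, ef)
	recovered, err = decryptFile(operatorKey, ef)
	if err != nil {
		return nil, false, err
	}
	return recovered, wrongErr != nil, nil
}

func main() {
	doc := []byte("Q3 budget spreadsheet (constructed sample plaintext)")
	recovered, wrongKeyFails, err := roundTrip(doc)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("recovered matches original: %v\n", bytes.Equal(recovered, doc))
	fmt.Printf("unrelated private key fails to decrypt: %v\n", wrongKeyFails)
}
```

Run it with `go run`. The point to take from it: nothing left on the victim's disk (wrapped key, nonce, ciphertext, public key) lets you recover the file key, which is why "decrypt with a third-party decryptor" only works when the operator's private key leaks, as with the TeslaCrypt master key release cited later in this deck, or when the malware's own implementation is flawed.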

Page 19

CryptoLocker a.k.a Ransomware

• After encryption it displays a message and a popup offering to decrypt the data if payment is made within the stated deadline, and threatens to delete the private key once the deadline passes.

• Ransomware generally sets a 48-72 hour deadline which, once passed, causes the ransom to increase or leads to key deletion.

• Most ransoms start in the $100-$500 range, or 0.5 BTC to 4 BTC.

• 1 BTC = $430 (approx.) = 28,600 INR at the time of the talk.

Page 20

Symptoms

• You suddenly cannot open normal files and get errors such as "the file is corrupted" or "has the wrong extension".

• An alarming message has been set as your desktop background with instructions on how to pay to unlock your files.

• The program warns you that there is a countdown until the ransom increases or you will no longer be able to decrypt your files.

• A window has opened to a ransomware program and you cannot close it.

• You have files with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML.

Page 21

Symptoms

You see files similar to:

• %PUBLIC%\desktop\help_restore_files_<random text>.html

• %PUBLIC%\desktop\restore_files_<random text>.txt

• %PUBLIC%\documents\help_restore_files_<random text>.txt

• %PUBLIC%\documents\restore_files_<random text>.html

• %PUBLIC%\favorites\restore_files_<random text>.html

• %PUBLIC%\favorites\restore_files_<random text>.txt

• CryptoLocker.lnk

• HELP_TO_DECRYPT_YOUR_FILES.TXT

• HELP_TO_DECRYPT_YOUR_FILES.BMP

• HELP_TO_SAVE_FILES.bmp

• HELP_TO_SAVE_FILES.txt

• key.dat

• log.html

Page 28

CryptoLocker Propagation

• Propagates via:

• phishing emails

• unpatched programs

• compromised websites

• online advertising (malvertising)

• free software downloads

• pre-existing botnets

Page 29

Droppers file Path

• The file paths that have been used by this infection and its droppers are:

• C:\Users\<User>\AppData\Local\<random>.exe (Vista/7/8)

• C:\Documents and Settings\<User>\Application Data\<random>.exe (XP)

• C:\Documents and Settings\<User>\Local Application Data\<random>.exe (XP)
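A triage scan that puts the ransom-note names from the Symptoms slides and the dropper locations above into one check, as an added example that is not part of the presentation. It walks a directory tree standing in for C:\, flags note files by base name, flags an .exe sitting directly in the per-user AppData\Local or Application Data folder, and counts both to support the "determine the scope" step later in the deck. The regular expressions, the constructed sample tree and the function names are my own; in a real case you would point it at a mounted image or run it on the isolated host.

```go
package main

import (
	"fmt"
	"log"
	"os"
	"path"
	"path/filepath"
	"regexp"
	"sort"
)

// Finding is one artifact worth a second look during triage.
type Finding struct {
	Kind string // "ransom-note" or "dropper"
	Path string // slash-separated path relative to the scanned root
}

// Ransom-note names from the Symptoms slides, matched on the base name only.
var notePatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?i)^(help_)?restore_files_.*\.(html|txt)$`),
	regexp.MustCompile(`(?i)^help_to_(decrypt_your|save)_files\.(txt|bmp)$`),
	regexp.MustCompile(`(?i)^(how to decrypt files\.txt|decrypt_instructions\.html|cryptolocker\.lnk)$`),
}

// Dropper locations from the "Droppers file Path" slide. Deliberately not
// recursive: vendor folders under AppData\Local hold many legitimate .exe files.
var dropperPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?i)^users/[^/]+/appdata/local/[^/]+\.exe$`),
	regexp.MustCompile(`(?i)^documents and settings/[^/]+/(local )?application data/[^/]+\.exe$`),
}

func classify(rel string) (kind string, ok bool) {
	base := path.Base(rel)
	for _, re := range notePatterns {
		if re.MatchString(base) {
			return "ransom-note", true
		}
	}
	for _, re := range dropperPatterns {
		if re.MatchString(rel) {
			return "dropper", true
		}
	}
	return "", false
}

// Triage walks root (standing in for C:\) and returns matching artifacts sorted by path.
func Triage(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.Walk(root, func(p string, info os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if info.IsDir() {
			return nil
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		rel = filepath.ToSlash(rel)
		if kind, ok := classify(rel); ok {
			findings = append(findings, Finding{Kind: kind, Path: rel})
		}
		return nil
	})
	sort.Slice(findings, func(i, j int) bool { return findings[i].Path < findings[j].Path })
	return findings, err
}

// Scope counts findings by kind. Several notes plus a dropper is a strong
// signal; a lone .exe in AppData\Local is only a lead to inspect.
func Scope(findings []Finding) (notes, droppers int) {
	for _, f := range findings {
		switch f.Kind {
		case "ransom-note":
			notes++
		case "dropper":
			droppers++
		}
	}
	return notes, droppers
}

// sampleFiles is a constructed layout for offline testing, not a real image.
var sampleFiles = []string{
	"Users/Public/Desktop/help_restore_files_q3x8.html",
	"Users/Public/Documents/restore_files_q3x8.txt",
	"Users/alice/Documents/HELP_TO_DECRYPT_YOUR_FILES.TXT",
	"Users/alice/AppData/Local/kfj3l2df.exe",
	"Users/alice/AppData/Local/Microsoft/OneDrive/OneDrive.exe", // nested: benign
	"Users/alice/AppData/Local/Temp/setup.log",                  // benign
	"Users/alice/Documents/budget.xlsx",                          // benign
}

func buildSampleTree(root string) error {
	for _, rel := range sampleFiles {
		full := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(full, []byte("constructed sample\n"), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "triage")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(root)
	if err := buildSampleTree(root); err != nil {
		log.Fatal(err)
	}
	findings, err := Triage(root)
	if err != nil {
		log.Fatal(err)
	}
	for _, f := range findings {
		fmt.Printf("%-12s %s\n", f.Kind, f.Path)
	}
	notes, droppers := Scope(findings)
	fmt.Printf("scope: %d ransom notes, %d dropper candidates\n", notes, droppers)
}
```

Against the constructed tree this reports three notes and one dropper candidate while leaving the nested OneDrive.exe alone; that direct-child rule is the same one you would want in a prevention policy that blocks execution out of %APPDATA% and %TEMP%, otherwise the rule either misses the dropper or breaks per-user installers.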

Page 30

This ransomware searches every folder for files with the following extensions and then encrypts them:

Page 31

Excluded directories, filenames & extensions

Source: Sophos

Page 32

Variants of CryptoLocker (strictly, separate families that copied its model)

• TeslaCrypt

• CryptoWall

• TorrentLocker

• CTB-Locker

• CryptoVault

• PowerShell-based

• Locky

• Ransom32 (JavaScript-based)

• Petya (overwrites the MBR and encrypts the MFT)

• Many more…

Page 34

In 2016 (Jan to Mid April)

Page 35

Week 2 – May, 2016

• May 9th, 2016 - CryptXXX 2.0

• May 9th, 2016 - The Enigma Ransomware (Russian)

• May 10th, 2016 - The Shujin Ransomware (Chinese)

• May 11th, 2016 - GNL Locker (German Netherlands Locker)

• May 12th, 2016 - CryptoHitman (Jigsaw v2)

• May 12th, 2016 - Crypren Ransomware

• May 12th, 2016 - Mischa Ransomware (Petya variant)

• May 13th, 2016 - Offering Ransomware as a Service

• May 13th, 2016 - Decryptor for CryptXXX Version 2.0

Page 36

May 9th, 2016 - CryptXXX 2.0

Page 37

May 9th, 2016 - The Enigma Ransomware (Russian)

Page 38

May 10th, 2016 - The Shujin Ransomware (Chinese)

Page 39

May 11th, 2016 - GNL Locker (German Netherlands Locker)

Page 40

May 12th, 2016 - CryptoHitman

Page 41

Jigsaw CryptoHitman with Porno Extension

Page 43

May 12th, 2016 - Crypren Ransomware

Page 44

May 12th, 2016 - Mischa Ransomware (Petya variant)

Page 45

May 13th, 2016 - Offering Ransomware as a Service

Page 46

May 13th, 2016 - Decryptor for CryptXXX Version 2.0

Page 47

http://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key/

Page 49

http://www.bleepingcomputer.com/news/security/emsisoft-releases-decryptors-for-the-xorist-and-777-ransomware/

Page 50

I’m Infected, Now What?

• Disconnect the machine from the network, unplug USB drives and unmap network shares.

• Determine the scope (what is compromised, what is already encrypted).

• Determine the type of infection (which family; this decides whether a decryptor exists at all).

• Evaluate your responses:

• Restore from a recent backup.

• Decrypt your files using a third-party decryptor (only a slim chance one exists).

• Do nothing (lose your data).

• Negotiate / pay the ransom.

Page 51

Understanding How CryptoLocker Works

Page 52

Source: Sophos

Anatomy of CryptoLocker

Page 56

Anatomy of CryptoLocker

Page 58

CryptoLocker Case Study - TeslaCrypt

Page 59

Generic Questions

• The initial infection vector (how the malware got on the system).

• The propagation mechanism (how the malware moves between systems, if it does that).

• The persistence mechanism (how the malware remains on the system, and survives reboots and when the user logs out).

• Artifacts (what traces the malware leaves on a system as a result of its execution) that you can look for during an examination.

Page 60

Case Study: TeslaCrypt

• Malware sample extracted from malwr.com.

• Used all open-source tools to perform the analysis.

• Tools used

• Volatility Framework 2.4

• “VolDiff” (REMnux OS)

• Regshot

• Log2timeline (SIFT)

• Virustotal.com

• Process Explorer (Windows SysInternals)

Page 62

Case Study: References

• [1] Zorabedian, John, "Anatomy of a ransomware attack", https://blogs.sophos.com/2015/03/03/anatomy-of-a-ransomware-attack-cryptolocker-cryptowall-and-how-to-stay-safe-infographic/; last accessed Oct 25, 2015.

• [2] James, Lance & Bambenek, John, "The New Scourge of Ransomware: A Study of CryptoLocker and Its Friends", https://www.blackhat.com/us-14/archives.html#the-new-scourge-of-ransomware-a-study-of-cryptolocker-and-its-friends; last accessed Oct 25, 2015.

• [3] Mustaca, Sorin, "Are your IT professionals prepared for the challenges to come?", Computer Fraud & Security 2014.3 (2014): 18-20.

• [4] Allievi, Andrea et al., "Threat Spotlight: TeslaCrypt – Decrypt It Yourself", http://blogs.cisco.com/security/talos/teslacrypt; last accessed Oct 25, 2015.

• [5] Malwr.com (https://goo.gl/psdf5e) and Virustotal.com (https://goo.gl/D0o78x) analysis.

Page 63

Prevention Measures

• Back up your files, and keep a copy offline where the malware cannot reach it through a mapped share.

• Apply Windows and other software updates regularly.

• Avoid clicking untrusted e-mail links or opening unsolicited e-mail attachments.

• Disable macros and ActiveX content in Microsoft Office applications such as Word and Excel.

• Install a firewall, block Tor, and restrict specific ports.

• Disable Remote Desktop connections where they are not needed.

• Block binaries running from %APPDATA% and %TEMP% paths (e.g. with Software Restriction Policies or AppLocker path rules).

Page 64

Conclusion

"I am your enemy, the first one you've ever had who was smarter than you. There is no teacher but the enemy. No one but the enemy will tell you what the enemy is going to do. No one but the enemy will ever teach you how to destroy and conquer. Only the enemy shows you where you are weak. Only the enemy tells you where he is strong. And the rules of the game are what you can do to him and what you can stop him from doing to you. I am your enemy from now on. From now on I am your teacher."

Source: Ender's Game

Page 65

References

• Lots of googling

• Trend Micro blog

• Sophos

• Kaspersky blog

• US-CERT

• http://www.bleepingcomputer.com/

• http://www.infoworld.com/

• https://blog.knowbe4.com/
