Ransom… what?

In Uncategorized

This post is not intend to be an state of the art about the different Ransomware variants, but just a review of the various techniques used by the most relevant cases we have seen in the Ecrime department of S21sec.

One of the most extended the last year was Urausy, better known as “The Police Virus”.

The malware main functionality, despite it makes use of some interesting anti-analysis tricks, is limited to create a new desktop, depending on the victim’s country show one of the previous images and block the entire system until the ransom is paid.

Luckily, the number samples detected by S21sec seems to be in obvious decline during the last months, this could mean that its end is close:

However in this world, the end of a threat is the starting point for others, as for example the variant we named RansomChild, because it makes use of child pornography images (which we are not going to show here) to boost the blackmail. Functionally it also blocks the system, but as distinctive feature it has a Domain Generation Algorithm (DGA) system, which generates C&C backup URLs from a hardcoded seed.

Cryptolocker was as well one of the most prominent during the last year:

In this case the ransom is not demanded for the infected system’s unlock, instead it is asked for to decrypt the multiple files irretrievably encrypted by the trojan. After installation, the malware is added to the Windows registry to survive reboot and starts to check C&C domains generated by a time based DGA, until one of them send back a positive reply. Then a file labelled as CryptoLockerID is sent to the server, from that file pair of unique for the infected machine keys (public and private) are generated.

Cryptolocker has been one of the most spread and harmful cryptographic Ransomwares in recent times. Although thanks to the prompt response from the sec community was possible to address it almost completely.

One that of the not so well known, but not less vicious for those who has been infected with it is the malware known as Anti-Child Porn SPAM Protection 2.0:

It also encrypts files, up to date, in an irretrievable manner and as peculiarity it is not distributed in a massive way. Instead, the attackers performs the infection “by hand”, they get access to the targeted systems (in this case Windows Server) through brute force attacks to the remote desktop service in the port 3389.

The Ransomware scheme is being so profitable, that they get out of their intended geographical scope, as one of our clients sadly realized:

In conclusion, as we have seen prevention is the best solution for this kind of malware, this is even more important in the case of the cryptographic variety, because we will not be always so lucky that the malware uses a weak encryption algorithm and some good folks have broken it, as they guys of Cassidian did with Bitcript.

So the recommendations are:

  • In first place: common sense. The social engineering plays a big role in the infection process.
  • To avoid the encryption of the files located in shared folders, it is important to restrict permissions for the users to access network drives. That could prevent that the infection of just one user with granted privileges outcomes in the fully encryption of all network drives within a company network.
  • It is strongly recommended to do scheduled and centralized backups, it should be done in a way such that the backup information is placed in a different and highly controled device.
  • Keep the system updated and harden the exposed services against brute force attacks with strong passwords.
  • In the case of the analysed Cryptolocker samples, the encryption is not performed until the trojan reaches the C&C panel, so a solution like LTI could mitigate the infection
Santiago Vicente
    Recommended Posts

    Leave a Comment