Over the last few months, the Phishing Intelligence team has observed a huge increase in ransomware. Many attackers are starting to experiment with ransomware as a way to monetize quickly. Dridex has employed a new family of ransomware named Locky, a pretty drastic shift from what this group is known for doing. We’re even seeing attackers go after OSX with ransomware, a platform once thought to be immune from malware; nearly 6,500 users downloaded the compromised BitTorrent client.

Follow along with us as we deconstruct a recent ransomware attack and hack the hackers behind the attempt.

Criakl, Round 1

In many ransomware attacks, including Dridex, attackers employ a very wide “spray and pray” approach in the hope that enough people will pay the ransom. Criakl is yet another ransomware sample; however, the lure and targeting were quite different. Here, a small group of Russian and Ukrainian hackers sent a single phishing email directly to the inbox of our co-founder and CTO. He reported it using Reporter, and we analyzed it in Triage. Here’s a screenshot of the phishing email.

Once infected, the victim’s machine beacons out to let the attackers know that the system is infected. We can also see the referral to calipsoeng as the sender of this specific file.

Next, the entire desktop wallpaper changes to an image instructing the user to send an email to calipso.god@aol.com.

Following the Breadcrumbs

For the image, our attackers used Photoshop CS on a Windows system with a time zone offset of GMT+2, and the text layer they added still carries the text itself as its layer name. Note that the GMT offset for Ukraine is GMT+2.

Posing as a distressed user, we responded and asked for help, since there were no instructions other than emailing our attacker. When they responded, our attackers said we needed to pay $500; however, their reply came from a TOR IP address. Also note that they sent the email using AOL webmail.

When we didn’t respond back, our attacker was rather persistent, trying to get our “infected” user to click on the email.

Looking at the headers, the attackers sent the original phishing email from 82.211.30.242. While most attackers choose to use either fake accounts or compromised accounts, we strongly believe these are accounts that the attackers themselves own. We observed three accounts used by this gang: anastasiya8183, andry.volk, and aste2006 at kollectors[d]xyz. We confirmed the presence of these accounts by using Netcat to connect to port 587 on the remote system and initiating an SMTP exchange with the server:
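As an added example (not code from the original post), here is how the header analysis described above can be scripted: walking the Received chain down to the submitting host, flagging a From/Reply-To domain split like the kollectors/AOL one seen here, and reading the sender's UTC offset from the Date header. The message is constructed; its hosts and IPs are documentation placeholders, not the page's values.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed raw source of a phishing message (not the page's actual email):
# hosts and IPs are placeholders from RFC documentation ranges.
SAMPLE_EMAIL = """\
Received: from relay.sender-isp.example ([192.0.2.10])
\tby mx.victim.example with ESMTPS id 7Q3c; Tue, 1 Mar 2016 09:12:44 +0000
Received: from [203.0.113.42] (unknown [203.0.113.42])
\tby relay.sender-isp.example with ESMTPA id 4F2A1; Tue, 1 Mar 2016 11:12:40 +0200
From: "Anastasiya" <anastasiya8183@kollectors.example>
Reply-To: calipso.god@aol.com
Date: Tue, 1 Mar 2016 11:12:40 +0200

see attached
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """IPs named in each Received header, top (last hop) to bottom (first hop)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = IP_RE.search(value)
        hops.append(m.group(1) if m else None)
    return hops


def originating_ip(raw):
    """The bottom-most Received header records the submitting host. Only hops
    stamped by servers you control are trustworthy; anything below the first
    trusted hop could have been forged by the sender."""
    hops = received_hops(raw)
    return hops[-1] if hops else None


def sender_mismatch(raw):
    """True when Reply-To uses a different domain than From: the lure is sent
    from one account while replies are collected at another."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    return bool(reply_dom) and reply_dom != from_dom


def date_utc_offset_hours(raw):
    """UTC offset the sender's client stamped into the Date header, in hours."""
    dt = parsedate_to_datetime(message_from_string(raw)["Date"])
    return dt.utcoffset().total_seconds() / 3600
```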

We receive quite a few phishing attempts, and we have blogged about dismantling them for all to see. Clearly attackers are not reading our blog, so let’s rip this one apart too.

Our attackers slipped up by using personas that tie back to them. By performing OSINT on the attacker handles, we were able to find many things our attackers have done in the past, and when.

1990-2001 – Anastasiya attended school #12 in Berdichev, Ukraine

6/18/2009 – Aste2006 attempts to sell a Mercedes ML55 in Moscow with 139,000 km on it for 750,000 Rubles, or 10,000 USD

10/30/2009 – Aste2006 posts that he is trying to sell hats and jeans at a jeans expo in Moscow.

12/9/2009 – Anastasiya is selling a 2-in-1 Adamex stroller

2010 – Aste2006 has an account on “Echo of Moscow”, and is using the name “Ivan Ivanov”

4/10/10 – Anastasiya is selling a girl’s velour sports coat in Kiev

5/25/2010 – Aste2006 asks for help troubleshooting a plasma TV

9/7/10 – Aste2006 is discussing and posting pictures of their child with other parents. The child is two and a half months old.

6/25/2011 – Aste2006 comments on a forum, interested in building a square log house

3/27/2012 – Aste2006 joins a pet forum where users discuss pets in the house

2/2/2014 – Anastasiya mentions the mail.ru API on her mail.ru profile

4/13/2014 – Anastasiya updates her mail.ru profile picture, replacing the one from 10/15/2010

3/5/2015 – Anastasiya is commenting on adult-related websites

Based on other OSINT, two of the hackers frequent dating websites; however, these websites look like they may have been compromised and are hosting fake comments by our attackers. Our attackers were also communicating on Russian pornographic websites, and based on the overlap of locations and the similar websites they frequent, we can safely assume that our Russian and Ukrainian hackers are in fact from Russia and Ukraine, and may have been collaborating on different projects for the last year.

In trying to find out more about the attackers, we asked them what their favorite food was (Figure 8). It turns out their favorite food is Russian vodka, and they are Russian and Ukrainian hackers (Figure 9).

Once the “transaction” went through, we sent them a link to the confirmation. This wasn’t actually a transaction confirmation, but a link to our Simulator platform, which isn’t designed to troll attackers but can be used to track the IP address they click from. This IP address is a confirmed proxy.

We were able to determine that our attackers were using Firefox 38, configured with Russian as the default language. Yet another piece of evidence supporting our belief that the hackers are Ukrainian and Russian.

Criakl, Round 2

We extracted the metadata (EXIF data) from the Criakl ransomware image. Our attackers are using Photoshop to edit their pictures. Figure 11 shows the attacker’s email account, and Figure 12 shows the EXIF data from the image.
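The EXIF extraction described here and in the earlier “Following the Breadcrumbs” section (Photoshop as the editor, the capture timestamp, and the GMT+2 offset) comes down to reading ASCII tags out of a TIFF directory. The following is an added example, not code from the original post: a minimal TIFF/EXIF reader run over a constructed blob, with the Software, DateTime and OffsetTime values made up for illustration.

```python
import struct

# Tag ids from the TIFF/EXIF specification, the ones relevant to the page.
TAG_NAMES = {0x0131: "Software", 0x0132: "DateTime", 0x9010: "OffsetTime"}


def build_sample_exif():
    """Constructed little-endian TIFF blob (not the page's image) with one IFD of
    three ASCII tags. Real Photoshop output nests OffsetTime in the Exif sub-IFD;
    it sits in IFD0 here only to keep the sample short."""
    values = [(0x0131, b"Adobe Photoshop CS Windows\x00"),
              (0x0132, b"2016:03:01 14:22:05\x00"),
              (0x9010, b"+02:00\x00")]
    data_off = 8 + 2 + 12 * len(values) + 4   # header + count + entries + next-IFD
    entries, blob = b"", b""
    for tag, val in values:
        # type 2 = ASCII; count includes the NUL; offset points past the IFD
        entries += struct.pack("<HHII", tag, 2, len(val), data_off + len(blob))
        blob += val
    return (b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", len(values))
            + entries + struct.pack("<I", 0) + blob)


def parse_exif_ascii(data):
    """Return {tag name: string} for the ASCII tags in the first IFD, honouring
    the byte-order mark and the inline-vs-offset rule for values of 4 bytes or less."""
    endian = {b"II": "<", b"MM": ">"}[data[:2]]
    ifd_off = struct.unpack(endian + "I", data[4:8])[0]
    count = struct.unpack(endian + "H", data[ifd_off:ifd_off + 2])[0]
    out = {}
    for i in range(count):
        ent = data[ifd_off + 2 + 12 * i: ifd_off + 14 + 12 * i]
        tag, typ, n, off = struct.unpack(endian + "HHII", ent)
        if typ != 2:
            continue
        raw = ent[8:8 + n] if n <= 4 else data[off:off + n]
        out[TAG_NAMES.get(tag, hex(tag))] = raw.rstrip(b"\x00").decode("ascii")
    return out


def image_timezone_hours(data):
    """Parse an OffsetTime value such as "+02:00" into hours, the GMT+2 clue."""
    off = parse_exif_ascii(data).get("OffsetTime")
    if not off:
        return None
    sign = -1 if off[0] == "-" else 1
    hh, mm = off[1:].split(":")
    return sign * (int(hh) + int(mm) / 60)
```

On a real file, strip the JPEG APP1 wrapper first (the bytes following "Exif\0\0"), and compare the offset with the timezone implied by the attacker's other traces, as the post does.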

We responded to the attackers and were instructed on how to go about paying the ransom. Quick payment receives a discount. How nice of them, eh?

For the bitcoin transactions, the two addresses have received 11.3 and 2.25 BTC respectively, totaling ~5546 USD at current exchange rates. For the majority of transactions out of both addresses, each outgoing transaction is split into a larger and a smaller amount (Figure 14), and then potentially passed through a tumbler service to clean and launder the bitcoins (Figure 15).

The distribution of the second attack is wider, showing that the attackers are experimenting even more with larger distribution channels.

Maintaining the operational discipline needed to remain anonymous is difficult for most attackers, especially in high-volume ransomware phishing scams. If a hacker uses new infrastructure every time, new accounts every time, and new everything…then it’s possible. In the first Criakl attack, even though they were hiding behind TOR, they made a very basic mistake by re-using a persona, and that’s how we were able to track them. These are not A-players, C- at best. Yet they are still showing some success.

Over the last few months, the Phishing Intelligence team has observed a huge increase in ransomware. This graph looks at TeslaCrypt, CryptoWall, Locky, Criakl, Cerber, Troldesh, and CTB-Locker.

When we break this same graph out by malware family, we can see that CryptoWall was once king, but that role is quickly being overtaken by Locky.

With the success of CryptoWall and Locky, we’re going to see more copycats trying to cut into profits, such as Criakl. The good news is, there are a few things you can do to prevent these attacks from being successful:

1. If you receive a suspicious email at home, don’t open it. Delete it.

2. If you receive a suspicious email at work, report it! Because this email was rapidly reported, we were able to neutralize it enterprise wide even though at the time of receipt not a single anti-virus vendor had a signature for it.

3. Don’t wait until something happens to make a backup! Make a backup now, and make sure it’s disconnected from the computer. Some malware will encrypt network and USB drives.

4. Seriously, do #3. Backups will save you the hassle of finding bitcoin to pay the ransom. By having a backup and recovery plan, this is one more victim who won’t need to pay the attacker, successfully cutting into their profit margins.

For signatures, Triage customers already have this, but others can download it from here. The malware hashes are here and here.