Introduction

Ransomware has been a threat for quite some years, although the ransomware as its currently known, encrypting files, has only been around a few years. This change started with the initial 2013 CryptoLocker infections authored by the creator of the notorious Zeus banking malware, Slavik. Since CryptoLocker, many new variants as well as completely new families of ransomware have been appearing. Some stayed alive and ran successful operations for a long period of time which spanned years in some cases, while others disappeared as quickly as they appeared.

Takedowns in the world of ransomware are few and far between. Occasionally large operations with law enforcement result in successful takedowns as seen with the original CryptoLocker takedown; Operation Tovar in which Fox-IT InTELL played a key role and released a whitepaper about: ‘GameOver Zeus: Backgrounds on the Badguys and Backends’. Together with the joint effort takedown with law enforcement, Fox-IT InTELL was also able to support CryptoLocker victims in decrypting and recovering their files.

Sadly there is still a lot of ransomware going around. In this article we describe what we consider the top 3 of ransomware families currently active. We take a look at how and what they target for encryption as well as how we at Fox-IT combat them, looking at it in terms of detection and prevention.

Top 3 Ransomware families

We consider the following three ransomware families to be at the top of the ransomware threats alive right now:

CryptoWall

CTB-Locker

TorrentLocker

All three of these have been around for quite some time making a lot of victims along the way. Using a combination of exploit kits and faked emails, posing to be postal or financial agencies for example, they have been making victims all through-out the world.

In the case of TorrentLocker we were, in cooperation with the Dutch NCSC, able to fend them off which ended in them abandoning their campaigns against the Netherlands. We first documented a new variant being active on October 15, 2014 in a blog article. This however did not end their campaigns in other countries which are still ongoing as of writing this article.

In the following subsections we will give a brief analysis of the individual ransomware variants listed in the top 3. The analysis structure will be the same formal setup for all three families to keep it nicely standardized, straight forward and allow for easy comparison between the three. In this analysis we will be referring to the criminal’s command and control server from which they control the ransomware as the ‘C&C’ in short.

Ransomware analysis: CryptoWall

History

This Ransomware has been around since at least November 2013, although the operators were active developing and using this ransomware before it was officially dubbed ‘CryptoWall’.

CryptoWall has gone through a lot of changes on all aspects including, persistence, cryptography and C&C communication. Initially when it was still called ‘CryptoDefense’, CryptoWall would generate its encryption keys on the local machine which was proven to be flawed in a new article; which was read by the authors who fixed this ‘issue’. The encryption for the current version of CryptoWall, version 3.0, uses AES for file encryption while versions below that used RSA-2048 directly for the files. Version 3.0 receives a 2048 bit RSA key from the C&C, but doesn’t use it directly to encrypt files; an AES key is generated to encrypt a file with, this AES key is then encrypted with the obtainedRSA-2048.

Originally CryptoWall’s first versions communicated via proxy servers setup by the criminals which would forward traffic towards the C&C server residing in Tor. In a newer version of CryptoWall communication was directly over the Tor network, this was originally seen as test version by the authors but it was later also used as their main way of C&C communication. A few days after the Tor only version it changed back to non-direct Tor followed by a version using the I2P network, a lot of testing was going on. After all these tests the authors settled on a communication setup consisting of two layers of proxies, basically the first original setup for the initial CryptoWall, but with one extra layer of proxies. These proxies are setup on hacked websites. While these servers are cleaned up or taken offline quickly, it is workable for the CryptoWall authors as the ransomware needs to get one single connection out in order to be able to obtain a key and encrypt files, it doesn’t need a constant C&C connection as seen with other types of malware.

The spread of CryptoWall has only been increasing since its start with constant active campaigns mostly through the use of exploit kit services. The authors have an affiliate program running which makes it even more interesting and profitable for other criminals to spread CryptoWall to get a cut of the profit. This affiliate program has greatly improved their business income.

Network behavior

As said earlier, CryptoWall communicates via proxy servers to its real, hidden within the Tor network, command and control server. These proxies are hosted on compromised websites mainly consisting of outdated WordPress and Joomla instances although Drupal instances are also spotted at times. All communication is done via plain HTTP POST requests in which the POST data and response data being encrypted with RC4.

After getting on a victim’s PC, CryptoWall will start looking for a proxy server that is functioning. When it has found one it will start by sending the C&C server a few things to start of:

A unique campaign identifier (basically the source of the infection like spam or an exploit kit)

Its IP address (because the C&C runs inside Tor it needs to know the real IP address to be able to geolocate an infection)

Its unique identifier (identifier generated for an infected machine to be able to identify it from other infections)

The C&C server responds with:

The location of the ransom payment page (where victims can buy the decryption software)

The country the victim is originating from

An RSA-2048 public key used for file encryption

After receiving this information the client will start encrypting files on the machine. After it is finished encrypting the files, the ransomware reports the amount of encrypted files back to the C&C. The C&C responds with an image shown to the user indicating that CryptoWall encrypted all their files:

File-system behavior

Besides encrypting all the files specified in its target file-types list, CryptoWall also performs the following operations on the file-system of the infected system:

Drop the lock screen image

Drop a TXT file containing the same instructions as seen on the image

CryptoWall will also run a set of commands to disable volume shadow copies (Windows automatic volume backups) and the Windows Error Recovery boot screen. It also disables Windows updates and if enabled various security services like Windows Defender.

Overview

Distribution source(s) : Exploit kits

Email C&C communication scheme : Traffic send through a proxy (usually a hacked website) towards a server (controlled by the criminals) that proxies the data further onto the C&C server hidden within the Tor network. Cryptography scheme for files : AES Targets network shares : Yes, enumerates all connected drives networked or not.

Targeted file types

Documents Photos Code Images Audio & Video Backup odt ppt indd oab ods pptx pct nk2 odp pptm prf eml odm rtf des wb2 odc msg iif pdd odb pages nd thm doc tex qba der docx txt tlg cer docm wpd qbb crt wps pdf qbm pem xls db qbr pfx xlr dbf qbw p12 xlsx mdb qby p7b xlsm mdf ach p7c xlsb pst key xlk sql ost wallet pps accdb pab 3dm kd dxf 3ds erf dxg max mef psd obj mrw dds ai nef pspimage eps nrw tga ps orf yuv svg raf dng cdr rwl arw rw2 srf raw sr2 r3d bay ptx crw pef 3fr srw cr2 x3f dcr dwg pdb c cpp hhpp class cs dtd fla java lua m pl py pas jpe jpg jpeg 3g2 3gp asf asx avi flv m4v mov mp4 mpg rm srt swf vob vmw mp3 wav flac Bak back

Ransomware analysis: CTB-Locker

History

CTB-Locker was first seen being sold in the underground communities back in the middle of June 2014. Researcher Kafeine wrote an article on this original sale by the author. The name CTB stands for Curve-Tor-Bitcoin, referring to items it utilizes: Curve refers to the elliptic curve encryption scheme used for file encryption, Tor refers to its usage of the Tor network to hide its C&C server and Bitcoin refers to the single ransom payment method available: Bitcoins.

CTB was originally only supporting Russian and English translations for its ransom demand message, but has been supporting more languages as it was being developed. It currently supports Russian, English, Italian, Dutch, German, Spanish, French and Latvian for its ransom message. In the Netherlands we’ve seen several waves of CTB-locker, mostly impersonating a financial institution normally involved with sending out payment forms which CTB fakes as attachments.

CTB’s command and control servers reside in the Tor network, but are not needed for the initial infection. A user’s files can be encrypted while the machine has no internet connectivity. This is possible due to the way the encryption and payment system of CTB works. The file encryption is a combination of SHA256 from Curve25519 operations, the exact details of this are explained in great detail by a researcher named Massimiliano Felici, who published an article on his blog named ‘CTB-Locker encryption/decryption scheme in details’.

Just like CryptoWall, CTB-locker has an affiliate program where other criminals can spread CTB-locker in order to get a cut of the profits. This affiliate program has been publicly exposed and researched by researcher Kafeine on his blog. This affiliate program has a website running inside the Tor network just like the C&C server. On this affiliate website the author of CTB-locker also keeps an updated log on the updates/extending in the functionality of CTB-locker.

Network behavior

As said earlier CTB-locker does not require an internet connection to be present on the infected client. Would it have internet connectivity, it does send the encryption information to the C&C within Tor. It does this by having the ability to talk to its server inside the Tor network via variants of the Tor2Web service, which act like a proxy into the Tor network.

Besides sending this information to the C&C it will also do an online lookup for its external IP address.

File-system behavior

Besides encrypting all the files specified in its target file-types list, CTB-locker also performs the following operations on the file-system of the infected system:

Drop the lock screen image and set it as a background; an example of this:



Have an application pop-up with similar instructions as seen on the background image. This application is stored on the local machine. It contains a payment ID, a list of encrypted files, a countdown counter and instruction on how to pay the ransom amount to recover encrypted files. This example is the English translation, clicking any of the flags at the top of the application changes the language:



Besides these graphical messages a copy of the text is also put on the file-system in the form of a text file as well as a copy of the background image.

CTB-locker will also run a set of commands to disable volume shadow copies (Windows automatic volume backups).

Overview

Distribution source(s) : Exploit kits

Email C&C communication scheme : Doesn’t need an internet connection to start file encryption. Due to its implementation it is able to encrypt files offline. Cryptography scheme for files : AES Targets network shares : Yes, enumerates all connected drives networked or not.

Targeted file types

Documents Photos Code Images Audio & Video Other doc docx rtf docm xls xlsx txt xlk xlsb xlsm mdb dwg accdb odb odm odp ods odt odf wb2 vsd wpd wps kdc nef raw cpp c php js cs pas bas pl py 3fr dds jpe jpeg jpg cr2 rw2 psd ai dd rwl dxf dxg arw cdr crw eps dcr dng indd mrw nrw srw ims rgx arp cer crt der pem 7z zip rar pwm kwm safe groups mdf dbf sql md bay blend erf mef p12 p12f dbx gdb bsdr bsdu bdcr bdcu bpdr bpdu bsd bdd bdp gsf gsd iss rik fdb abu config

Ransomware analysis: TorrentLocker

History

TorrentLocker was first documented in February 2014 when Turkish victims received emails from ‘Turkcell’, which is the leading mobile phone operator in Turkey. Users were lured onto a fake turkcell website where they had to download a document. This was the first documented attack from TorrentLocker who at the time didn’t have a name yet. It was named TorrentLocker to distinguish it from other ransomware threats based on the first registry key it used which contained ‘Torrent’:

HKCU\Software\Bit Torrent Application\

From that time on TorrentLocker has been evolving in how it shows the user the ransom demand messages and implementation of cryptography. Their method of spreading however hasn’t changed a bit, they impersonate local telecom providers or postal service websites sending users emails indicating a document is ready for them to download.

There have also been a few instances where malicious Word documents containing macros were used to infect systems with TorrentLocker.

The way the TorrentLocker group obtains the email addresses to send spam messages to is also interesting. They (most likely) started with an initial list of victims to started spamming and this list was extended by infecting victims. When TorrentLocker infects a machine it will harvest any possible email address from address books for Thunderbird, Outlook and Windows Live Mail present on the system. We’ve documented this process and their success in the past on our blog: ‘ Update on the TorrentLocker ransomware’. In our investigation of the run we saw back then they were able to obtain 2.6 million email addresses with this harvesting technique, a lot more possible victims to start sending their spam to.

TorrentLocker tries to impersonate CryptoLocker and uses this name on both the ransom messages shown to the user as well as the ransom payment website. This ransom payment website is hosted within the Tor network while the C&C used for communication with the malware from an infected machine is a server outside of the Tor network.

Network behavior

TorrentLocker communicates with a C&C server directly. With this server TorrentLocker speaks a small protocol in which it can send the encryption key, encrypted file count, stolen email information as well as possible (crash) logs. It will also obtain a ransom page from the C&C server.

The whole communication protocol is encapsulated in HTTPS.

File-system behavior

Besides encrypting all the files specified in its target file-types list, TorrentLocker also performs the following operations on the file-system of the infected system:

Make a copy of itself to a location in which it can make sure it will be present the next time the system starts.

Show a ransom instruction screen to the victim with information on how to pay the required ransom (in Bitcoins), where to get Bitcoins and where to send them. This screen does not give information on a possible deadline for the payment or the amount of affected files:



Overview

Distribution source(s) : Email C&C communication scheme : Contacts a dedicated C&C server directly. Cryptography scheme for files : AES-256 Targets network shares : Yes, enumerates all connected drives networked or not.

Targeted file types

Documents Photos Code Images Audio & Video Other 3ds ab4 bgt ac2 blend cdf cfp csv dbf ddd djvu doc docm docx dot dotm dotx odb odf odg odm odp ods odt otg oth otp ots ott pdf pot potm potx ppam pps ppsx ppsm ppt pptm pptx rtf sldm sldx std stw scx sxg sxi sxw txt wb2 xla xlam xll xlm xls xlsb xlsm xlsx xlt xltm xltx xlw cib cmt craw crw dc2 dcr dng mos mrw nef orf pcd ra2 raf raw rw2 rwl sd0 sd1 sr2 srf srw st4 st5 st6 st7 st8 x3f asm asp c cpp css h erbsql js hpp lua php pl py 3fr 3pr acr agd1 ai ait arw cdr cdr3 cdr4 cdr5 cdr6 cdrw ce1 ce2 cgm cr2 csh dcs ddoc ddrw design fpx fxg jpeg jpg psd sda sxd al bik cpi mpg ycbcra 7z accdb accde accdr accdt adb apj awg backup backupdb bak bdb bgt bkp bpw cdx cer cls crt csl dac db db-journal db3 der dgc drf drw dwg dxb erf exf fdb ffd fff fh fhd gray grey gry hbk ibank ibd ibz idx iiq incpass kc2 kdbx kdc kpdx mdb mdc mef mfw mmw myd moneywell ndd nop nrw ns2 ns3 ns4 nsd nsf nsg nsh nwb nx1 nx2 nyf p12 p7b pat p7c pem pfx ps psafe3 ptx rdb rwz s3db sas7bdat sav sdf sql sqlite sqlite3 sqlitedb stc sti stx sxm xml zip

The generic traits of Ransomware

While the different ransomware variants are unique in most behavior, file types they are after and in some cases cryptographic implementations are similar. When having to defend a client network on different levels, network and host based, there are quite some generic traits seen with all of these.

File-system behavior

Most ransomware will place payment instruction files in the directory of the files that it’s going to encrypt. These files are usually in the form of a text, image and/or URL. Usually it will also change the background wallpaper of the infected computer to these instructions including a popup window so the user knows his files are being held ransom and he can get them back by paying for it.

Network behavior

Most ransomware families will contact a C&C server in some form, either via Tor or via compromised WordPress websites. While the current state of ransomware does not yet look actively for shares, it does encrypt files on drives that are network mapped on the computer as a side effect. This highly impacts businesses that do not have proper backup protocols.

Because decryption instructions files are dropped, it can also be detected on a network level when this happens on a network share. Our Network Monitoring service has detection for this.

When you see encrypted files on a network share you can easily check which user was infected with the ransomware and started to encrypt the files. Just check the creator of the instruction files on the share. This can help the system administrator to disconnect the infected user as quickly as possible from the network to prevent any further damage.

Conclusions

Having looked at the ransomware variants described there’s a few things we can conclude in terms of security:

Unlike normal malware, ransomware does not need an extended presence on the system in order to ‘do-its-thing’. Once the key has been sent to the criminals it is over as it is in most cases unrecoverable. On the networking side there are quite a lot of indicators to work with in order to detect the presence or the initial infection of these ransomware variants in most cases. As seen with CTB-Locker, ransomware doesn’t always need internet connectivity. This is where endpoint protection should be able to determine the ransomware.

Based on our findings in the ’ generic traits’ section, we can also say that in many cases we’re quite lucky in terms of detection. Many authors of ransomware have the same goal and perform the same actions.

Ransomware is (sadly) not a thing that will pass on some point, as seen with fake antiviruses for example. The past years ransomware threats have only grown in size and numbers. Where in the past lockers wouldn’t affect files but solely the users’ current session, ransomware has been a very effective threat as users are forced to take action in order to get their personal files back..

The usage of the Tor network only makes it harder to stop these threats and only continued operations where law enforcement and the private industry work together are an effective way of frustrating and/or wearing down these criminals.

– Fox-IT Security Research Team