Understanding CryptoLocker (ransomware) with a Case Study

Upload: securityxploded

Post on 12-Jan-2017

Understanding CryptoLocker (ransomware) with a Case Study

Who Am I..?

Forensics Investigator

M.Tech (Information Security) in 2014, IIIT – Delhi

Former Intern at CIRT-India.

Interest : Any type of Cyber Forensics

Email : [email protected]

LinkedIn : https://www.linkedin.com/in/adarshagarwal91

Disclaimer

• Entire analysis is done on individual basis.

• The information in this presentation and the opinions are mine alone and do not reflect those of my current employer.

Ransomware (CryptoLocker)

CryptoLocker a.k.a Ransomware

• CryptoLocker is a ransomware Trojan.

• Believed to have first been posted to the Internet on 5 September 2013.

• Smart enough to travel across your network and encrypt any files located on shared network drives.

• Uses AES-256 or RSA public-key cryptography, with the private key stored only on the malware's control servers.

CryptoLocker a.k.a Ransomware

• After encryption, displays a message and popup which offers to decrypt the data if payment is made within the stated deadline, and threatens to delete the private key if the deadline passes.

• Ransomware generally has a 48-72 hour deadline which, once passed, causes the ransom to increase or leads to key deletion.

• Most ransoms start in the $100-$500 area or 0.5 BTC to 4 BTC.

• 1 BTC = $430 (approx.) = 28600 INR.

Symptoms

• You suddenly cannot open normal files and get errors such as the file is corrupted or has the wrong extension.

• An alarming message has been set as your desktop background with instructions on how to pay to unlock your files.

• The program warns you that there is a countdown until the ransom increases or you will not be able to decrypt your files.

• A window has opened to a ransomware program and you cannot close it.

• You have files with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML

Symptoms

You see files similar to:

• %PUBLIC%\desktop\help_restore_files_<random text>.html

• %PUBLIC%\desktop\restore_files_<random text>.txt

• %PUBLIC%\documents\help_restore_files_<random text>.txt

• %PUBLIC%\documents\restore_files_<random text>.html

• %PUBLIC%\favorites\restore_files_<random text>.html

• %PUBLIC%\favorites\restore_files_<random text>.txt

• CryptoLocker.lnk

• HELP_TO_DECRYPT_YOUR_FILES.TXT

• HELP_TO_DECRYPT_YOUR_FILES.BMP

• HELP_TO_SAVE_FILES.bmp

• HELP_TO_SAVE_FILES.txt

• key.dat

• log.html

CryptoLocker Propagation

• Propagates via:

  • Phishing emails

  • Unpatched programs

  • Compromised websites

  • Online advertising

  • Free software downloads

  • Prior existing botnets

Dropper File Paths

• The file paths that have been used by this infection and its droppers are:

• C:\Users\<User>\AppData\Local\<random>.exe (Vista/7/8)

• C:\Documents and Settings\<User>\Application Data\<random>.exe (XP)

• C:\Documents and Settings\<User>\Local Application Data\<random>.exe (XP)
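As an added example (not code from the presentation), a small Python triage helper that checks a list of file paths against the ransom-note names listed under Symptoms and the dropper locations above, plus the broader AppData/Temp rule behind the "block binaries running from %APPDATA%, %TEMP%" prevention bullet. The function names and the sample paths are assumptions constructed for illustration.

```python
import re

# Added example. Ransom-note names from the Symptoms slides ("<random text>" -> ".+");
# key.dat and log.html are generic names, so treat those hits as weak signals.
RANSOM_NOTE_RE = re.compile(
    r"^(?:(?:help_)?restore_files.+\.(?:html|txt)"
    r"|HELP_TO_DECRYPT_YOUR_FILES\.(?:TXT|BMP)|HELP_TO_SAVE_FILES\.(?:txt|bmp)"
    r"|HOW TO DECRYPT FILES\.TXT|DECRYPT_INSTRUCTIONS\.HTML"
    r"|CryptoLocker\.lnk|key\.dat|log\.html)$", re.IGNORECASE)

# Dropper locations from the slides: <random>.exe directly under AppData\Local (Vista/7/8) or (Local) Application Data (XP).
DROPPER_RE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\local"
    r"|documents and settings\\[^\\]+\\(?:local )?application data)\\[^\\]+\.exe$",
    re.IGNORECASE)

# Broader rule behind "block binaries running from %APPDATA%, %TEMP%": any executable below an AppData or Temp folder.
APPDATA_TEMP_EXE_RE = re.compile(
    r"\\(?:appdata|(?:local )?application data|temp)\\.*\.(?:exe|dll|scr)$",
    re.IGNORECASE)

def classify(path):
    """Indicator class for one Windows path, or None if it looks benign."""
    name = path.rsplit("\\", 1)[-1]
    if RANSOM_NOTE_RE.match(name):
        return "ransom_note"
    if DROPPER_RE.match(path):
        return "dropper_path"
    if APPDATA_TEMP_EXE_RE.search(path):
        return "appdata_temp_binary"
    return None

def triage(paths):
    """Group paths by indicator class; benign paths are dropped."""
    hits = {}
    for p in paths:
        kind = classify(p)
        if kind:
            hits.setdefault(kind, []).append(p)
    return hits

# Constructed sample listing (hypothetical), e.g. from a directory walk or a timeline export.
SAMPLE_PATHS = [
    r"C:\Users\Public\Desktop\help_restore_files_k3jd9s.html",
    r"C:\Users\Public\Documents\restore_files_a1b2c3.txt",
    r"C:\Users\alice\Desktop\HELP_TO_DECRYPT_YOUR_FILES.TXT",
    r"C:\Users\alice\AppData\Local\qwpxzk.exe",
    r"C:\Documents and Settings\bob\Application Data\hjkl.exe",
    r"C:\Users\alice\AppData\Local\Temp\setup_tmp.exe",
    r"C:\Users\alice\Documents\report.docx",
]
```

Running `triage(SAMPLE_PATHS)` groups the three ransom notes, the two dropper-location executables and the Temp executable, and drops the document.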

This ransomware searches all folders for files with the following extensions and then encrypts them.

Excluded directories, filenames & extensions (Source: Sophos)

Variants of CryptoLocker

• TeslaCrypt

• Cryptowall

• Torrent Locker

• CTB-Locker

• CryptoVault

• PowerShell based

• Locky

• Ransom32 (JavaScript based)

• Petya (Encrypts MBR)

• Many many more…

In 2016 (Jan to Mid April)

Week 2 – May, 2016

• May 9th 2016 - CryptXXX 2.0

• May 9th 2016 - The Enigma Ransomware (Russian)

• May 10th, 2016 - The Shujin Ransomware (Chinese)

• May 11th, 2016 - GNL Locker (German Netherlands Locker)

• May 12th, 2016 - CryptoHitman (Jigsaw v2)

• May 12th, 2016 - Crypren Ransomware

• May 12th, 2016 - Mischa Ransomware (Petya variant)

• May 13th, 2016 - Offering Ransomware as a Service

• May 13th, 2016 - Decryptor for CryptXXX Version 2.0

Jigsaw CryptoHitman with Porno Extension

http://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key/

http://www.bleepingcomputer.com/news/security/emsisoft-releases-decryptors-for-the-xorist-and-777-ransomware/

I'm Infected, Now What?

• Disconnect network, USB, network shares

• Determine the scope (level of compromise or encryption)

• Determine the type of infection

• Evaluate your responses:

  • Restore from a recent backup

  • Decrypt your files using a 3rd-party decryptor (this is a very slim chance)

  • Do nothing (lose your data)

  • Negotiate / pay the ransom

Understanding How CryptoLocker Works

Source: Sophos

Anatomy of CryptoLocker

Case Study - TeslaCrypt

Generic Questions

• The initial infection vector (how the malware got on the system).

• The propagation mechanism (how the malware moves between systems, if it does that).

• The persistence mechanism (how the malware remains on the system, and survives reboots and when the user logs out).

• Artifacts (what traces the malware leaves on a system as a result of its execution) that you can look for during an examination.

Case Study : TeslaCrypt

• Malware sample extracted from malwr.com.

• Used only open source tools to perform the analysis.

• Tools used:

  • Volatility Framework 2.4

  • "VolDiff" (REMnux OS)

  • Regshot

  • Log2timeline (SIFT)

  • Virustotal.com

  • Process Explorer (Windows SysInternals)

Case Study : References

• [1] Zorabedian, John, "Anatomy of a ransomware attack", https://blogs.sophos.com/2015/03/03/anatomy-of-a-ransomware-attack-cryptolocker-cryptowall-and-how-to-stay-safe-infographic/ ; last accessed on Oct 25, 2015.

• [2] James, Lance & Bambenek, John, "The New Scourge of Ransomware: A Study of CryptoLocker and Its Friends", https://www.blackhat.com/us-14/archives.html#the-new-scourge-of-ransomware-a-study-of-cryptolocker-and-its-friends ; last accessed on Oct 25, 2015.

• [3] Mustaca, Sorin, "Are your IT professionals prepared for the challenges to come?", Computer Fraud & Security 2014.3 (2014): 18-20.

• [4] Allievi, Andrea et al., "Threat Spotlight: TeslaCrypt – Decrypt It Yourself", http://blogs.cisco.com/security/talos/teslacrypt ; last accessed on Oct 25, 2015.

• [5] Malwr.com (https://goo.gl/psdf5e) and Virustotal.com (https://goo.gl/D0o78x) analysis.

Prevention Measures

• Backup your files.

• Apply Windows and other software updates regularly.

• Avoid clicking untrusted e-mail links or opening unsolicited e-mail attachments.

• Disable ActiveX content in Microsoft Office applications such as Word, Excel etc.

• Install a firewall, block Tor, and restrict specific ports.

• Disable remote desktop connections.

• Block binaries running from %APPDATA% and %TEMP% paths.

"I am your enemy, the first one you've ever had who was smarter than you. There is no teacher but the enemy. No one but the enemy will tell you what the enemy is going to do. No one but the enemy will ever teach you how to destroy and conquer. Only the enemy shows you where you are weak. Only the enemy tells you where he is strong. And the rules of the game are what you can do to him and what you can stop him from doing to you. I am your enemy from now on. From now on I am your teacher."

Source : Ender’s Game

Conclusion

• Lots of googling

• Trendmicro blog

• Sophos

• Kaspersky Blog

• US-CERT

• http://www.bleepingcomputer.com/

• http://www.infoworld.com/

• https://blog.knowbe4.com/

References