CryptoLocker: The persistent, ubiquitous threat Aaron Lancaster, CISSP

Upload: aaron-lancaster

Post on 21-Feb-2017


TRANSCRIPT

Page 1: Why are you still getting CryptoLocker?

CryptoLocker: The persistent, ubiquitous threat

Aaron Lancaster, CISSP

Page 2: Why are you still getting CryptoLocker?

FBI IC3

Last June, the FBI’s Internet Crime Complaint Center (IC3) identified CryptoWall as the most current and significant ransomware threat targeting U.S. individuals and businesses.

“CryptoWall and its variants have been used actively to target U.S. victims since April 2014. The financial impact to victims goes beyond the ransom fee itself, which is typically between $200 and $10,000.”

Page 3: Why are you still getting CryptoLocker?

What is CryptoLocker?

• CryptoLocker is ransomware that encrypts your files and holds them for ransom

– Released September 2013

– Targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8

– Encrypts certain files using a mixture of encryption types

– When finished encrypting your files, displays a “ransom note”

– Demands payment of $500 (increased from original $100) in order to decrypt the files

– Provides a few days to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files.

– Must be paid using MoneyPak vouchers or Bitcoins (untraceable)

– Once you send the payment and it is verified, the program will (maybe, theoretically) decrypt the files that it encrypted.

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Page 4: Why are you still getting CryptoLocker?

The Problem

• Encrypts EVERYTHING

• “This thing hit like pretty much all the file extensions that are usable, from Mp3s to [Microsoft] Word docs,” Kessel said. “About the only thing it didn’t touch were system files and .exe’s, encrypting most everything else with 2048-bit RSA keys that would take like a quadrillion years to decrypt. Once the infection happens, it can even [spread] from someone on a home PC [using a VPN] to access their work network, and for me that’s the most scary part.”

-Johnny Kessel, Computer Repair Consultant, KitRx San Diego

Page 5: Why are you still getting CryptoLocker?

The Problem: By the Numbers

• In 2014:

– CryptoLocker was infecting over 50,000 computers per month (peak)

– Infected over 336,000 computers in the U.S. alone

• Google search results for CryptoLocker are well over 210k per month and rising quickly

– Indicates quantity of users affected

• Malvertising (malicious ads containing CryptoLocker) up 325% in Aug 2015

– http://www.scmagazine.com/spike-in-malvertising-attributed-to-zero-days-emergence-of-new-tech/article/434796/

Source: http://www.whoishostingthis.com/blog/2015/05/25/ransomware/

Page 6: Why are you still getting CryptoLocker?

Internet Pandemic

• Research has shown approx. 1.3M malicious ads are being viewed every day

• The probability of getting infected from a malvertisement is twice as high on a weekend

• 97% of Fortune 500 websites are at a high risk of getting infected with malware due to external partners such as JavaScript widget providers, ad networks, and/or packaged software providers

• Fortune 500 websites have such a high risk because 69% of them use external JavaScript to render portions of their sites and 64% of them are running outdated web applications.

• FBI issued a warning about increased activity in Jan. 2015

Source: http://www.zdnet.com/article/research-13-million-malicious-ads-viewed-daily/

Page 7: Why are you still getting CryptoLocker?

The Motivation

• Money (Bitcoin, MoneyPak)

– According to the 2015 McAfee Internet Threats Predictions:

• A single instance of the CryptoLocker ransomware made over $250,000 in one month

• CryptoWall resulted in a total of over $1,000,000 in paid-out ransoms

• Information

• It’s easy! (Lack of awareness and good practices)

Page 8: Why are you still getting CryptoLocker?

A Threat by Many Names (Variants/Clones)

• CryptoLocker

– v.1 ~5 Sept. 2013

– v.2.0 – a copycat

– v.3.0

• CryptoLocker.F Family

– CryptoWall (Sept. 2014) – via email

• 2.0 & 3.0

• CTB Locker

• TeslaCrypt

• Alpha Crypt

– TorrentLocker (Sept. 2014)

– CryptoDefense

• Critroni

• Reveton

• Crowti (CryptoWall 3.0)

Page 9: Why are you still getting CryptoLocker?

Crowti (CryptoWall 3.0 – “CW3”)

• This threat is also detected as (anti-virus product vendor):

– Dropper/Win32.Necurs (AhnLab)

– Trojan-Ransom.Win32.Cryptodef.iu (Kaspersky)

– Trojan horse Inject2.AHNI (AVG)

– TR/Crypt.Xpack.64673 (Avira)

– Trojan.Encoder.514 (Dr.Web)

– W32/Cryptodef.AHIO!tr (Fortinet)

– PWSZbot-FBKQ!86B6EE398F44 (McAfee)

– Troj/Agent-AHIO (Sophos)

– TSPY_ZBOT.SMCC (Trend Micro)

– Cryptowall (other)

– Cryptodefense (other)

• Encrypts files

• Displays ransom or lock screen

Source: https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Crowti

Page 10: Why are you still getting CryptoLocker?

CryptoWall version 3

Source: cyberthreatalliance.org

Page 11: Why are you still getting CryptoLocker?

CryptoWall version 4

• Encrypts file names & type

• HTML ransom note file name changed to “help_your_files.html”

• General taunting and arrogance to frustrate user

Source: http://www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-features-such-as-encrypted-file-names/

Page 12: Why are you still getting CryptoLocker?

Trends

• “Ransomware using Remote Desktop to spread itself”

• New Android ransomware communicates over XMPP

• TOR switchers

• Sandbox Aware

• Browser Variants

• Mobile Variants

Page 13: Why are you still getting CryptoLocker?

How can you get it?

• Can be transmitted as link/attachment in phishing email

– .zip, .exe, .scr (sometimes disguised as .pdf or .doc)

• Other malware such as Trojan Downloaders (onkods, upatre)

• Slip-streamed torrent or download

• Drive-by download (malvertising, other iFrame EK goodness)

– Silverlight

– Flash

– Java

Page 14: Why are you still getting CryptoLocker?

Phishing Email

Page 15: Why are you still getting CryptoLocker?

Exploit Kits

Source: Cyber Threat Alliance – CryptoWall

Page 16: Why are you still getting CryptoLocker?

Drive-by Downloads

Page 17: Why are you still getting CryptoLocker?

Happy Clicker Syndrome

Page 18: Why are you still getting CryptoLocker?

iFrame

Source: http://www.malware-traffic-analysis.net/2015/07/06/index.html

Page 19: Why are you still getting CryptoLocker?

Malvertising

• Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload

• Simply browsing to a website that has ads (and most sites, if not all, do) is enough to start the infection chain

• Complex online advertising economy makes it easy for malicious actors to abuse the system and get away with it

• Necessitates industry partners working closely together to detect suspicious patterns and react very quickly to halt rogue campaigns

Source: https://blog.malwarebytes.org/malvertising-2/2015/08/large-malvertising-campaign-takes-on-yahoo/

Page 20: Why are you still getting CryptoLocker?

File System Modifications

• Saves itself with a random file name

• Creates auto-start entries in the system configuration (work even in safe mode)

• Hijacks .EXE extensions to delete Shadow Volume Copies that could be used to restore files.

Source: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Page 21: Why are you still getting CryptoLocker?

How it Works – For The Techies

• Downloads encryption key

• Encrypts files

• Demands ransom

Page 22: Why are you still getting CryptoLocker?

Pcap FTW!

Source: https://isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/

Page 23: Why are you still getting CryptoLocker?

Encryption keys

• Command & Control (C2) server address established through Domain Generation Algorithm (DGA)

• Malware connects and downloads public key to Windows system configuration

• Private key is saved to C2 server

Read more: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Page 24: Why are you still getting CryptoLocker?

What it Encrypts

• CryptoLocker will then begin to scan all physical or mapped network drives on your computer for files with the following extensions:

– .3dm .3ds .3fr .3g2 .3gp .3pr .7z .ab4 .accdb .accde .accdr .accdt .ach .acr .act .adb .agdl .ai .ait .al .apj .arw

.asf .asm .asp .asx .avi .awg .back .backup .backupdb .bak .bank .bay .bdb .bgt .bik .bkp .blend .bpw .c .cdf

.cdr .cdr3 .cdr4 .cdr5 .cdr6 .cdrw .cdx .ce2 .cer .cfp .cgm .cib .class .cls .cpi .cpp .cr2 .craw .crt .crw .cs .csh

.csl .csv .dac .db .db_journal .db3 .dbf .dc2 .dcr .ddd .ddoc .ddrw .dds .der .des .design .dgc .djvu .dng .doc

.docm .docx .dot .dotx .drf .drw .dtd .dwg .dxb .dxf .dxg .eml .eps .erbsql .erf .exf .fdb .ffd .fff .fh .fhd .fla .flac

.fpx .fxg .gray .grey .gry .h .hbk .hpp .ibank .ibd .ibz .idx .iif .iiq .incpas .indd .java .jpe .jpeg .jpg .kc2 .kdbx .kdc

.key .kpdx .lua .m .m4v .max .mdb .mdc .mdf .mef .mfw .mmw .moneywell .mos .mp3 .mp4 .mpg .mrw .myd

.nd .ndd .nef .nk2 .nop .nrw .ns2 .ns3 .ns4 .nsd .nsf .nsg .nsh .nwb .nx2 .nxl .nyf .obj .ods .p7c .r3d .mov .flv

.wav .dcs .cmt .ce1 .odb .odc .odf .odg .odm .odp .ads .odt .oil .orf .otg .oth .otp .ots .ott .p12 .p7b .pages .pas

.pat .pcd .pct .pdb .pdd .pdf .pef .pem .pfx .php .pl .plus_muhd .plc .pot .potm .potx .ppam .pps .ppsm .ppsx

.ppt .pptm .pptx .prf .ps .psafe3 .psd .pspimage .ptx .py .qba .qbb .qbm .qbr .qbw .qbx .qby .raf .rar .rat .raw

.rdb .rm .rtf .rw2 .rwl .rwz .s3db .sas7bdat .say .sd0 .sda .sdf .sldm .sldx .sql .sqlite .sqlite3 .sqlitedb .sr2 .srf

.srt .srw .st4 .st5 .st6 .st7 .st8 .stc .std .sti .stw .stx .svg .swf .sxc .sxd .sxg .sxi .sxm .sxw .tex .tga .thm .tlg .txt

.vob .wallet .wb2 .wmv .wpd .wps .x11 .x3f .xis .xla .xlam .xlk .xlm .xlr .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw

.ycbcra .yuv .zip (Source: Cyber Threat Alliance Cryptowall Report 2015)

– When it finds files that match one of these types, it will encrypt the file using the public encryption key and add the full path to the file and the filename as a value under the Windows System Registry key (HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files).

• When it has finished encrypting your data files it will then show the CryptoLocker splash screen and demand a ransom of $500 dollars (or more) in order to decrypt your files.

• Most recently targeting Intellectual Property (IP) such as AutoCAD Drawing files (*.DWG, *.DXF)

Source: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Page 25: Why are you still getting CryptoLocker?

Infection?

• Detection

• Prevention

• Remediation

Page 26: Why are you still getting CryptoLocker?

Detection

• For most, you’ll see “The Screen”

• Security Information and Event Management (SIEM)

• Local Files (not accessible)

• Server Files (not accessible)

Page 27: Why are you still getting CryptoLocker?

Detection - SIEM

• Security Onion

• EmergingThreats alert for Cryptowall Check-in

• Ip-addr.es

Source: https://isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/

Page 28: Why are you still getting CryptoLocker?

The Screen

• When it has finished encrypting your data files, it displays this CryptoLocker screen in a web browser demanding money

• $500 (this cost has gone up)

• Timed: (up to) 96 hours

• Private encryption key will be destroyed on the developer's servers if not paid

• If you don’t pay on time the price doubles

Sources: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information, http://blogs.technet.com/b/mmpc/archive/2015/01/13/crowti-update-cryptowall-3-0.aspx

Page 29: Why are you still getting CryptoLocker?

Detection – SIEM

• Log management could be used to detect malicious activity such as a brute-force attack from an internally compromised host against internal servers; in this case: directory traversal, high write speeds, file renames, new executables

• Log monitoring & correlation services could be used to detect the malware attempting to send specifically crafted packets

• Log anomaly detection could be used to detect the malware attempting to contact a malicious remote host i.e. “phone home”

Page 30: Why are you still getting CryptoLocker?

Detection - Local “Ransom Note” Files

• Used to display the web-browser ransom note

• Creates files (listed in reverse chronological order):

HELP_DECRYPT.PNG

HELP_DECRYPT.txt

HELP_DECRYPT.html

HELP_DECRYPT.url

HOW_DECRYPT.HTML

HOW_DECRYPT.TXT

HOW_DECRYPT.URL

DECRYPT_INSTRUCTION.HTML

DECRYPT_INSTRUCTION.TXT

• Renames encrypted target files “.locked”

• Recommend Windows File Screen audit rule to alert on these & shut down the system until the network is disconnected

Source: http://blogs.technet.com/b/mmpc/archive/2015/01/13/crowti-update-cryptowall-3-0.aspx

Page 31: Why are you still getting CryptoLocker?

Detection - MS Recommendations (File Servers)

• Actively scan file shares using PowerShell script on a scheduled task (CryptoWall active alerter / scanner)

– https://gallery.technet.microsoft.com/scriptcenter/Cryptowall-active-file-ad91b701

– Could also be applied to desktops

• Implement Windows File Screening Management with audit rule to alert/shutdown server on “Ransom File” creation, limiting scope of infection

– http://technet.microsoft.com/en-us/library/cc732074.aspx

• Variants have gone undetected on file servers for over 5 days, thereby infecting full backups as well
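The two file-server recommendations above, worked through as an added example (not code from the slides, the TechNet scanner, or Microsoft): an FSRM file screen that fires on the ransom-note names from the Crowti slide, and a scan function to run from a scheduled task. It assumes Windows Server with the File Server Resource Manager role (FileServerResourceManager module) and a placeholder share root of D:\Shares.

```powershell
# Added example; assumes the FSRM role and a placeholder share root D:\Shares.
# Ransom-note names from the Crowti/CryptoWall 3.0 slide, the CryptoWall 4 note
# name, and the ".locked" rename. No legitimate user creates these on a share.
$RansomNotePatterns = @(
    'HELP_DECRYPT.*', 'HOW_DECRYPT.*', 'DECRYPT_INSTRUCTION.*',
    'help_your_files.*', '*.locked'
)

function Install-RansomwareFileScreen {
    # FSRM file screen: an infected client that drops a note on the share raises
    # an event for the SIEM and, with -StopShares, stops the Server service so
    # the encryption loop loses its write path (the slide's "shutdown server").
    param(
        [string]$SharePath = 'D:\Shares',   # placeholder share root
        [switch]$StopShares,
        [switch]$Passive                    # audit-only: alert, do not block
    )
    $group = New-FsrmFileGroup -Name 'Ransomware Canary Files' `
        -IncludePattern $RansomNotePatterns `
        -Description 'Ransom-note and encrypted-file names'

    # [Source File Path] and [Source Io Owner] are FSRM notification variables;
    # the owner is the account whose session is doing the encrypting.
    $actions = @(New-FsrmAction -Type Event -EventType Warning `
        -Body 'Ransom note [Source File Path] written by [Source Io Owner]')
    if ($StopShares) {
        $actions += New-FsrmAction -Type Command `
            -Command 'C:\Windows\System32\cmd.exe' `
            -CommandParameters '/c net stop lanmanserver /y' `
            -SecurityLevel LocalSystem
    }
    $screen = @{ Path = $SharePath; IncludeGroup = $group.Name; Notification = $actions }
    if (-not $Passive) { $screen.Active = $true }   # -Active also denies the write
    New-FsrmFileScreen @screen
}

function Find-RansomwareArtifacts {
    # Scheduled-task scan of share roots (the slide's PowerShell alerter); works
    # on desktops too. Each hit carries its owner and creation time so you know
    # which account to disable and how far back the backups must be rolled.
    param([string[]]$Paths = @('D:\Shares'))
    Get-ChildItem -Path $Paths -Recurse -File -Force -Include $RansomNotePatterns `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path  = $_.FullName
                Owner = (Get-Acl -LiteralPath $_.FullName).Owner
                Seen  = $_.CreationTime
            }
        } | Sort-Object Seen -Descending
}
```

Start with `-Passive` for a few days to confirm nothing legitimate matches, then redeploy without it; `-StopShares` is the drastic option the slide describes and should be paired with monitoring that restarts the service once the offending host is off the network.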

Page 32: Why are you still getting CryptoLocker?

Prevention: Old-School Security

• Not running as local admin provides some protection for other users’ data

• User Account Control (UAC) doesn’t apply to %appdata%

• Antivirus is now using Domain Generation Algorithms to detect & block via desktop firewall (e.g. Avast Free/Pro, MBAM Pro)

Page 33: Why are you still getting CryptoLocker?

Prevention - MS Recommendations

Specifically:

• Don’t pay the ransom

• Perform regular off-line backups/restore points

• Run A/V or antimalware software (FULL SCAN)

– Win Defender or Security Essentials

• Disable real-time scanning and run daily side-by-side with your 3rd party A/V (controversial)

– MS Safety Scanner

• Enable MS Active Protection Service (MAPS)

• Prevent spam:

– Exchange online protection

– Office 365 Advanced Threat Protection

– Don’t open suspicious emails esp. from untrusted sources

– MS SmartScreen filter

Sources: https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Crowti, http://blogs.technet.com/b/mmpc/archive/2015/07/14/msrt-july-2015-crowti.aspx, https://www.microsoft.com/security/portal/mmpc/shared/prevention.aspx

Security Practices:

• Awareness Training

• Run up-to-date security software

• Get the latest software updates

• Understand how malware works

• Turn on your firewall

• Limit User Privileges

Page 34: Why are you still getting CryptoLocker?

Prevention

• DNS reputation web filtering (OpenDNS, etc.) or install web filtering software

• Don’t give users admin access to their computers, or at least don’t log in to Windows as admin for day-to-day use

• Keep software up to date

• Install/enable a pop-up blocker

• Install CryptoLocker Prevention Kit (GPOs for Domain Members) – http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/

– Uses Software Restriction Policies to block executables in specified folders (%AppData%)

– Alert on executable being blocked (Event ID 866)

• Disable Java/Flash/Silverlight; install NoScript on the Firefox browser (versions of Java and Flash)

• Install CryptoPrevent (workstations only)

– https://www.foolishit.com/cryptoprevent-malware-prevention/

• Install BLADE (Block All Drive-by Download Exploits)

Sources: http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/, http://www.cio.com/article/2448967/security0/6-ways-to-defend-against-drive-by-downloads.html
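The Prevention Kit bullets above (Software Restriction Policies blocking executables under %AppData%, alerting on Event ID 866) as an added example, not code from the slides or from the Kit: one function verifies that a Disallowed path rule actually covers %AppData% on this host, and another pulls the 866 block events for the SIEM. It assumes a domain-joined Windows host where the policy arrives by GPO, so the rules sit under the machine-wide Safer registry path.

```powershell
# Added example; assumes GPO-delivered SRP rules under the machine-wide Safer key.

function Get-SrpDisallowedPaths {
    # Level 0 = Disallowed. Each path rule is a GUID subkey; ItemData holds the
    # path (already expanded when read, so %AppData% shows as a real path).
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
    if (-not (Test-Path -Path $base)) { return @() }
    Get-ChildItem -Path $base | ForEach-Object {
        (Get-ItemProperty -Path $_.PSPath).ItemData
    }
}

function Test-AppDataExecutableBlock {
    # Droppers unpack to %AppData% and run from there; report whether any
    # Disallowed rule covers that location on this machine.
    $paths = @(Get-SrpDisallowedPaths)
    $hits  = @($paths | Where-Object { $_ -match '(?i)%AppData%|\\AppData\\' })
    [pscustomobject]@{
        RuleCount      = $paths.Count
        AppDataCovered = ($hits.Count -gt 0)
        CoveringRules  = $hits
    }
}

function Get-SrpBlockEvents {
    # Event ID 866 (Application log) is an executable denied "by location". A
    # burst of these from one user is a dropper trying to launch its payload.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 866
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Host    = $_.MachineName
            # The message starts "Access to <path> has been restricted ..."
            Blocked = ($_.Message -replace '(?s)^Access to (.+?) has been restricted.*$', '$1')
        }
    }
}
```

Run `Test-AppDataExecutableBlock` after a `gpupdate` on a workstation to confirm the Kit applied; feed `Get-SrpBlockEvents` to the SIEM on a schedule rather than waiting for a user to report the block dialog.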

Page 35: Why are you still getting CryptoLocker?

Professional Remediation

• Restore from incremental backup

• Use utilities and regain access to your files:

– RakhniDecryptor - http://support.kaspersky.com/viruses/disinfection/10556

– XoristDecryptor - http://support.kaspersky.com/viruses/disinfection/2911

– RectorDecryptor - http://support.kaspersky.com/viruses/disinfection/4264

• Attempt to retrieve your keys from:

– FireEye’s website: http://www.decryptcryptolocker.com/

– Kaspersky’s website: https://noransom.kaspersky.com/

Page 36: Why are you still getting CryptoLocker?

Professional Remediation

• REBUILD FROM GOLD IMAGE!!!

• Cryptolocker comes with:

– BlackShades RAT

– Trojan Downloaders

Page 37: Why are you still getting CryptoLocker?

Incident Response

• Early reaction is essential

1. Disconnecting from the network has been shown to halt the encryption process

2. Better yet… HARD Shutdown!

3. Mount HD externally and

4. Decrypt & salvage files

5. Re-image and restore files

Page 38: Why are you still getting CryptoLocker?

Save It!

• As a last-ditch effort keep your encrypted files in off-line storage

• Cryptomalware rings are taken down by LEO and keys recovered/made available on an on-going basis

Page 39: Why are you still getting CryptoLocker?

Resources

• IOCs https://github.com/CyberThreatAlliance/cryptowall_v3

• CoinVault and Bitcryptor keys & app: https://noransom.kaspersky.com/

• CryptoWall Dashboard: http://cyberthreatalliance.org/cryptowall-dashboard.html

• Scripts and files related to the CryptoWall v.3 threat: https://github.com/CyberThreatAlliance/cryptowall_v3

• CryptoLocker Scan Tool by Omnispear: http://omnispear.com/cryptolocker-scan-tool/

• Using PowerShell to Combat CryptoLocker: http://blog.varonis.com/using-powershell-combat-cryptolocker/

Page 40: Why are you still getting CryptoLocker?

Questions?

Thanks for listening!

Page 41: Why are you still getting CryptoLocker?

East Tennessee Chapter

of the

Information Systems Security

Association (ISSA)

[email protected]

@ISSA_ETENN

LinkedIn Group (Discussion, Events and more):

https://www.linkedin.com/groups/East-TN-ISSA-Chapter-8175959/about

Page 42: Why are you still getting CryptoLocker?

Aaron Lancaster, CISSP

@aarondlancaster

@TekLinks

[email protected]

Contact Info