Tuesday, February 16, 2016

Ransomware: a general view after field experiences

Even if ransomware is not one of my favorite topics, since it is simple malware without specific targets (at least until today), I am currently observing a huge increase of this threat in companies, agencies and among private users as well. For that reason I decided to write a little bit about it in my personal 'CyberSecurity Timeline' (.. well... my blog :). I am not going to describe a specific kind of ransomware or to show you spectacular code or reverse-engineering techniques; in this "post" I just want to wrap up many experiences on this topic and share some more general thoughts and memories.

According to Netfort and TrendMicro, ransomware is not real news in cyber security; indeed:
it was 1989, the year of the "AIDS" trojan, aka "Aids Info Disk" or "PC Cyborg Trojan", which replaced the AUTOEXEC.BAT file and then counted the number of times the machine had booted; once it reached 90 days it would hide directories and encrypt the names of all the files on the C: drive, rendering the system unusable. It would then display a message asking the user to "renew the license" and contact PC Cyborg Corporation for payment, which involved sending $189 to a post office box in Panama!
During the past decade two main kinds of ransomware have been observed:
  1. Locker ransomware. The aim of these threats is to deny access to the victim's entire machine. One of the most famous exponents of this category is the FBI Locker.
  2. Data ransomware. The aim of these threats is to deny access to the victim's data. One of the most famous exponents of this category is CryptoLocker.

Both kinds of threat play on the user's need to get access to something she desires (for example: the PC, or data), exploiting the 'attack momentum' by asking for little money. The user might be fooled because she believes she will get the data/machine back by simply paying a few bucks, and she resolves to be more careful in the future.

What kind of platforms do they infect?

Nowadays ransomware is known for: Microsoft Windows (regardless of version), Mac OS X, Linux (mostly Debian- and RedHat-based) and Android. Most of the infected systems are personal computers and mobile devices, but servers (such as FTP, Domain Controllers and HTTP servers) are affected too.

Another interesting question (at least from my personal point of view) is: how do they get into my device?

Understanding how they propagate between machines is a fundamental step in preventing them! Unfortunately they do not use a single favorite propagation vector. From the victim's perspective I observed many propagation vectors based on e-mail and social engineering tricks. But many of the best-known ransomware families, such as (but not limited to) NanoLocker, Crypt0L0ker, CryptoWall and TeslaCrypt, are spread through exploit kits (mainly malvertising and watering-hole attacks) and downloaders as well.

What are the most common payment methods?

A key point in the ransomware economy is the 'payment method'; the most used and widespread one -- which I see nowadays -- is Bitcoin or Litecoin. If combined with a laundering service it can guarantee a reasonable level of anonymity. A totally different topic is the decision whether or not to pay the attacker. It is not easy for victims to decide whether to pay the ransom demand to get their files back. With data now being essential to many organizations, not paying the demand and losing data could have catastrophic effects, such as closing a business down. On the other hand, paying the ransom only encourages even more crypto-ransomware campaigns. Some ransomware, such as (but not limited to) CTB-Locker, offer a "try and buy" capability in order to goad the customer... ehm... the victim.

How do the ransomware writers earn money?

In 2009 a Symantec report found that almost 3% of victims paid the ransom demand. The report also found that one of the smaller ransomware players managed to infect 68,000 computers in just one month, which could have resulted in victims being defrauded of up to US$400,000 in total. In March 2014, Symantec found that Trojan.Cryptowall earned at least US$34,000 in its first month of operations. A further study of Cryptowall by other information security researchers found that by August 2014, Cryptowall had earned more than US$1.1 million. In June 2015, data from the FBI's Internet Crime Complaint Center (IC3) showed that between April 2014 and June 2015, it had received 992 Cryptowall-related complaints. The victims were a mix of end users and businesses, and the resulting losses from these cases amounted to more than US$18 million.

While all ransomware is designed to extort money, families can differ quite a lot in both techniques and technologies.

What techniques do ransomware use to infect the target system?

Encryption, as far as I observed, is the most used technique:
Old ransomware (such as SimpleLocker) has the symmetric key embedded inside the code. It uses that key (typically AES-256) to encrypt data. This technique makes the malware 'orthogonal', meaning it does not need any interaction with external sources to start its job, so it is "ready to encrypt" as soon as it reaches the target. On the other hand this technique is weak once a reverse engineer takes it apart. As soon as an analyst recovers the encryption key used, he will be able to write the right "decryptor" program, freeing the victims without paying the ransom.

Modern ransomware downloads a public RSA/DSA key to encrypt the victim's files. Only the attacker will be able to decrypt the victim's files, since asymmetric encryption is used. On one hand this technique is much "safer" from the attacker's perspective, since he does not need to worry about key discovery; on the other hand it is slower at encrypting when compared to the symmetric key technique. Encryption speed is a fundamental topic for ransomware writers, since increasing the encryption time means increasing the probability of being detected and stopped.

Current ransomware implements a mixed technology (for example CryptoDefense), where it uses asymmetric key techniques to exchange a symmetric key which will then be used to encrypt the target data. In this way the ransomware needs an internet connection to communicate with its Command and Control system in order to download keys and to report the 'end of encryption' once its job is done. Both the C&C and the network communication introduce two more identification factors that might be used against the ransomware's writers to detect and block their malware.

Encryption strategies:

What to encrypt first is a mandatory question that every ransomware writer has to answer. Indeed, if the ransomware encrypts in random order it might run into big files which take more resources and time to be encrypted. This considerably increases the probability of being identified and blocked.
Old ransomware did not care about file size; at that time the ransomware threat was not so widespread and they could afford the risk of being identified and blocked.

More recent ransomware first sorts the target folder and starts the encryption phase from the smallest file. In this scenario the ransomware increases the probability of encrypting many more files before being identified, which proportionally increases the probability of getting cash from the victim!

Recently I observed some variants of TeslaCrypt and TorrentLocker which encrypt only the first 1024 bytes of a file and then move on to the next one. This hybrid technique is used in order to increase the probability of encrypting the files the victim will pay for, even when big files (VMs, image files, ISOs, etc.) are found on the target machine.

How do they communicate with the victim?

Usually ransomware implements 3 different victim communication channels:
  1. Browser channel. The ransomware replaces your browser home page and/or injects itself into the browser process and responds to every internet request with its own ransom page.
  2. File channel. The ransomware writes a lot of "README" files, which happen to be the only ones the victim might read.
  3. Message box. Ransomware writers might decide to communicate the request to the victim by opening a MessageBox directly through OS syscalls.
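Two of the behaviours described above, the partial encryption of only the first 1024 bytes of each file and the "file channel" that drops the same README note into every folder, leave patterns a defender can look for on disk. The following is an added Python example (not code from the original post; the entropy thresholds and the sample files and paths are constructed assumptions) that flags both on a small in-memory data set:

```python
import hashlib
import math
import os
from collections import Counter, defaultdict

HEADER_LEN = 1024  # the partial-encryption window described in the post


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, roughly 4 to 5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def partial_encryption_suspect(content: bytes, cipher_min=7.0, plain_max=5.5) -> bool:
    """Flag a file whose first 1024 bytes look encrypted while the rest is still plaintext.
    The thresholds are assumptions chosen for this example, not published detection values."""
    head, tail = content[:HEADER_LEN], content[HEADER_LEN:]
    if len(head) < HEADER_LEN or len(tail) < 256:
        return False  # too small to tell header and body apart
    return shannon_entropy(head) >= cipher_min and shannon_entropy(tail) <= plain_max


def ransom_note_burst(files, min_dirs=3):
    """Return note filenames written with identical size into at least min_dirs directories
    (the "file channel": the same README dropped everywhere the victim will look)."""
    dirs_by_note = defaultdict(set)
    for path, size in files:
        dirs_by_note[(os.path.basename(path), size)].add(os.path.dirname(path))
    return sorted(name for (name, _), dirs in dirs_by_note.items() if len(dirs) >= min_dirs)


# Constructed sample data, not real artifacts: deterministic pseudo-ciphertext plus plaintext.
PSEUDO_CIPHER = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 bytes
PLAINTEXT = b"Quarterly report: revenue, costs and headcount per region.\n" * 40
PARTIALLY_ENCRYPTED = PSEUDO_CIPHER + PLAINTEXT
UNTOUCHED = PLAINTEXT + PLAINTEXT

SAMPLE_LISTING = [  # (path, size) pairs as a directory walk would yield them; hypothetical paths
    ("/home/alice/Documents/HOW_TO_RESTORE.txt", 1321),
    ("/home/alice/Pictures/HOW_TO_RESTORE.txt", 1321),
    ("/home/alice/Desktop/HOW_TO_RESTORE.txt", 1321),
    ("/home/alice/Documents/report.docx", 48112),
    ("/home/alice/Documents/readme.txt", 120),
]

if __name__ == "__main__":
    print("partial encryption:", partial_encryption_suspect(PARTIALLY_ENCRYPTED))  # True
    print("clean file:", partial_encryption_suspect(UNTOUCHED))  # False
    print("ransom notes:", ransom_note_burst(SAMPLE_LISTING))  # ['HOW_TO_RESTORE.txt']
```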

How do they communicate with the C&C to unlock files once the ransom has been paid?

There are many different scenarios for the back-communication to the attacker. Some ransomware does not need to communicate with its own command and control at all: the attacker learns about the payment through a covert channel in the bitcoin blockchain. On the other hand the communication might happen through the simple HTTP protocol or even through single UDP packets. Again, it is very random; some communication methods are more sophisticated than others, but each one works pretty well and is not complex to implement. CyberIntelligence.org released a nice tool to monitor one of the most widespread ransomware families, Cryptowall. On the web site you will appreciate the C&C tracker, the spreading URLs and even new samples, but it's not going to be enough. Ransomware is sold as a service, like Tox and many others; it will be super difficult to trace all of them.

I do not have conclusions on this specific topic but only a personal view of the threat. Ransomware is a mature threat (so many incarnations out there): you can easily find libraries and kits to build ransomware for an average price of 150 bucks (or even less on dark markets)! Usually once a technology reaches this grade of maturity it becomes "local". From my personal point of view we will see an increase of localized ransomware threats, starting from languages and ending up targeting specific organizations.
