I’m sure we’re all familiar with what encrypting ransomware is at this stage in 2015. Cryptolocker started it all in late 2013 and many copycats followed, improving regularly and reaping hundreds of millions in revenue in 2014. The “business model” hasn’t changed much since its debut: all current variants infect, encrypt and then ransom as the standard procedure. The typical infection vector is Zeus-style phishing, because the average user has proven susceptible to it given the immense amount of social engineering that goes into each campaign. We’re going to look at what a user actually sees with Zeus-dropped malware, examining five of the most recent malicious manifestations.

How Encrypting Ransomware Attacks Hook You with Phishing Emails:

The first step in encrypting ransomware attacks is a phishing email that has a zip file attachment. Phishing is one of the most common tactics of social engineering. Perpetrators will try any avenue to get you to click on the attachment.

A common example of a phishing email is one in which the recipient is asked to install an update. This is what we saw recently with Cryptowall 3.0, when attackers advised victims to update their Google Chrome by clicking on the email to download the newest version. Another phishing email scheme, targeting people's work email addresses, is meant to come from job applicants and has a malicious “resume attachment.”

Let's look at an example of phishing:


As demonstrated above, these attacks begin with a zip file email attachment. Inside the zip is what appears to the user to be a PDF, doc or text file, but it is actually the initial dropper. Once launched, it silently drops a polymorphed executable into a random temp or AppData location. That executable is what communicates with the command and control server, which takes the information about your PC that has already been gathered and, based on it, drops the appropriate ransomware, pre-built for your PC environment.

The only thing the user will notice is that, through application binding, the dropper also opens a corresponding “fake” document containing gibberish filler or “ERROR!”. It might also be accompanied by a simple dialog pop-up box with errors telling you to upgrade your Adobe Reader, .NET Framework, Flash, etc. The virus then deletes the original malicious dropper and replaces it with a harmless saved copy of the just-opened “ERROR” PDF/doc/text file under the same name, making the user think it was a harmless document the entire time. All of what I just explained takes place in less than a second.

The left and right file comparison depicts the before and after of keylogger deployment. The icons used on the dropper (left) are only barely off from how a legitimate document appears in Windows (right). All of these social engineering tactics establish legitimacy in the mind of the average user, turning what should be an alert for possible malware into simple frustration with random issues in common software. This is the malware author’s goal, as it allows the ransomware to go unnoticed and monitor, encrypt and transmit data until it is detected.
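A defender-side check for the zip-attachment trick described above, added here as an example and not code from the original post: it inspects each archive member's name and magic bytes and flags executables carrying a document-looking name. The archive contents, extension lists and function names are constructed for this example.

```python
import io
import zipfile

# Extensions Windows will execute, and document extensions a dropper imitates.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".txt", ".rtf"}


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons a zip member looks like a disguised dropper."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension " + exts[-1])
        # "resume.pdf.exe" displays as "resume.pdf" when extensions are hidden
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            reasons.append("document extension hidden before the real one")
    elif head[:2] == b"MZ":
        # PE image named like a document (relies on the icon to pass as one)
        reasons.append("PE header (MZ) but non-executable extension")
    return reasons


def scan_zip(data: bytes) -> dict:
    """Map suspicious member names in the archive to their reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment (not a real one): one clean text file,
    one real PDF, and two fake PE images with a bare 'MZ' header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "hello")
        zf.writestr("real.pdf", b"%PDF-1.4\n")
        zf.writestr("resume.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 62)
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` flags only `resume.pdf.exe` and `invoice.pdf`; a mail gateway or endpoint script can apply the same two checks to every archive member before the user ever sees an icon.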

CryptoWall

Unlike the original Cryptolocker, CryptoWall attacks don't have a graphical user interface. Instead, they just open a webpage after encryption and leave an instruction text file in every directory that contained encrypted files. The instructions tell you how to get the key to decrypt your files. They have you install browsers like Onion, Tor, or other layered-encryption browsers so you can pay them directly and securely via bitcoin. This is a key turning point in the progression of encrypting ransomware, as it enables malware authors to circumvent a good portion of the steps in the Zeus fraud. Perhaps most significantly, with CryptoWall, attackers avoid the need for money mules, thus increasing their percentage of profit.

Critroni

Critroni doesn’t really bring anything new to the table, but it executes flawlessly. It always connects over anonymous Tor and takes payment securely via bitcoin to avoid money mules, deletes the VSS (Volume Shadow Copies), and makes sure the key is in no way retrievable without paying. This specific variant was the first to actually leave a very detailed log of the entire list of files that were encrypted and their locations. Historically, there had only been payment instructions in every encrypted directory. This upgraded, detailed list is stored in your Documents folder for your convenience come decryption time. This ransom was also the cheapest, at just 0.2 bitcoins (roughly $120).

Cryptographic Locker


Cryptographic Locker has some new and scary features: this variant will actually delete your original files after encryption. Now, this doesn’t make the data any less recoverable, since the files were encrypted with military-grade encryption anyway, but it does add a greater sense of loss and panic, since all of your common data directories will appear to have been cleaned out. Another new feature of this variant is the absence of a price cap. It starts at around $100 and increases by that amount every 24 hours until you either crack or make peace with the loss. This tactic, referred to as "the squeeze," puts a lot of pressure on the victim in a small amount of time and has proven successful in increasing payment. The first sample we encountered didn’t delete the VSS, which is a common mistake that I expect will get fixed once widespread distribution hits. This makes me consider the future of encrypting ransomware, and how we might expect to see changes in its distribution.

CoinVault

CoinVault, a new type of encrypting ransomware that looks to be of the Cryptographic Locker family, employs the same method of encryption and has a very similar GUI (kills VSS, increases the required payment every 24 hours, uses bitcoin payment, etc.). What’s unique about this variant is that it is the first encrypting ransomware I’ve seen that actually gives you a free decrypt. It will let you pick any single file that you need after encryption and decrypt it for you. This is a really interesting feature, and it gives good insight into what the actual decryption routine is like if you find yourself actually having to pay them. I suspect that this freebie will increase the number of people who pay.

TeslaCrypt

This latest variant not only encrypts the normal scope of valued files, but it now also encrypts files required for your games: saves, mods, and profiles (like Day Z). It even encrypts game software components from the likes of Valve, Bethesda, Unreal Engine and RPG Maker. This means many of the major games that users play will be rendered useless if hit by the malware, unless they pay the ransom. Notice how it says “CryptoLocker-V3” on the window and bears an uncanny resemblance. However, TeslaCrypt is very different from the original Cryptolocker, so don’t be fooled. Tools like are NOT going to work on this variant. It also features a “Click to Free Decryption on site” call-to-action. When we first saw this, we thought maybe it offered a free decryption similar to what we observed in the CoinVault example, but it’s just a lie. Bitcoin is the preferred method of payment, as it is an untraceable, secure method of receiving payment, so they give you a better price of only $415. If you wish to use payment systems like PayPal My Cash Card, the price increases to $1000 (this is because they lose a percentage through the middleman). The choice is very clear: they want the hefty discount to sway you into using bitcoin as currency.
