©Copyright IBM Corporation 2015. All rights reserved. IBM and the IBM logo are trademarks or registered trademarks of IBM Corporation in the United States, other
countries or both. Other company, product or service names may be trademarks or service marks of others.
RESEARCH AND INTELLIGENCE REPORT
RELEASE DATE: MAY 11, 2015
BY: MICHELLE ALVAREZ, THREAT RESEARCHER AND EDITOR
IBM MSS RANSOMWARE
TABLE OF CONTENTS
EXECUTIVE OVERVIEW/KEY FINDINGS ........ 1
RANSOMWARE: THEN AND NOW ........ 1
ATTACK TECHNIQUES & FUNCTIONALITY ........ 3
MOBILE RANSOMWARE ........ 5
RECOMMENDATIONS/MITIGATION TECHNIQUES ........ 5
REFERENCES ........ 7
APPENDIX A: BEHAVIOR OF RANSOMWARE ........ 8
APPENDIX B: ANALYSIS OF ZEROLOCKER ........ 11
CONTRIBUTORS ........ 15
DISCLAIMER ........ 15
EXECUTIVE OVERVIEW/KEY FINDINGS
IBM’s 2014 Chief Information Security Officer (CISO) study revealed that more than 80 percent of security leaders
believe the challenge posed by external threats is on the rise, including financial and intellectual property theft.
However, until recently, ransomware wasn’t considered to be an enterprise threat. Many felt that this particular
type of malware was more relevant to consumers or small to mid-size businesses, which often lack the
sophisticated anti-malware tools of large businesses. This viewpoint is starting to shift as successful ransomware
families, such as CryptoLocker and CryptoWall, cost organizations millions globally.
Ransomware is malware that encrypts files and deletes the originals, thereby making access impossible unless a
ransom is paid. In other scenarios, the ransomware simply locks the whole system. Only after paying the ransom
will the user be given the password to unlock the files. Typically, users pay the ransom by going to a Web site
devised by the attacker that asks them to enter a unique key.
Ransomware is only one type of malware amongst more than half a dozen classifications and therefore is not
something that organizations typically place a strategic security focus on. However, ransomware is a growing
and significant trend. The attackers behind ransomware are increasingly organized and their attacks stealthier,
leveraging multiple forms of end-user manipulation and extortion.
Most ransomware begins with a warning indicating that the user’s computer has been locked because it was
used for illegal activities; payment, often via Bitcoin, e-gold or other electronic forms of payment, is required to
regain access to files. Ransomware is sometimes called “scareware” because these attacks also employ fear and
embarrassment by telling victims the infection was caused by visiting inappropriate Web sites. Such
tactics can prevent end users from working with security teams to resolve the issue. Fortunately,
there are steps companies can take to prevent ransomware, including implementing an anti-malware solution
and keeping patches up to date. Additionally, a regularly updated backup is absolutely essential for when efforts to
detect and stop ransomware fail.
RANSOMWARE: THEN AND NOW
While ransomware has increased in popularity amongst attackers in the last few years, its origins date all the way
back to the late ‘80s.[i] Aids Info Disk (also known as AIDS), or PC Cyborg Trojan, is the first known ransomware. This
Trojan encrypted files and prompted the user to 'renew the license' by providing payment to the fictitious PC
Cyborg Corporation. This involved sending US$189 to a post office box in Panama. Its use of symmetric
cryptography, in which the same key is used both to encrypt the plaintext and to decrypt the
ciphertext, makes this ransomware rudimentary by today’s standards.
Flash forward a few years: the first cryptovirus using public key, or asymmetric, cryptography, which
requires two separate keys (one private and one public), surfaced in the mid-‘90s. Over the next two decades
attackers developed ransomware using increasingly sophisticated RSA encryption, and by 2008 a variant of GPcode, also
known as PGPCoder, was detected using a 1024-bit RSA key. This made file recovery nearly impossible.[1]
The playing field for ransomware changed once again with the introduction of CryptoLocker in 2013, which uses
bitcoins, a digital or virtual currency, to collect ransom money. This ransomware was made infamous by Operation
Tovar, a take-down of a large hacker-controlled network in Russia and Ukraine that was using the Gameover
platform to spread and infect systems with CryptoLocker. The FBI estimated $30 million in losses to organizations at
the time of the take-down.[2]
One of CryptoLocker’s copy-cat successors, CryptoWall, has surpassed its predecessor in terms of infection
rate. Though not considered as sophisticated in terms of the malware and its infrastructure, it is undeniably one
of the most destructive ransomware families circulating today. The most recent version, CryptoWall v3, uses the Tor
anonymity network for command and control (C&C) communications and is especially aggressive and malicious.
Infections by this specific version have been on the rise.
[1] Who's behind the GPcode ransomware? http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/
[2] Crime pays very well: Cryptolocker grosses up to $30 million in ransom http://www.pcworld.com/article/2082204/crime-pays-very-well-cryptolocker-grosses-up-to-30-million-in-ransom.html
Figure 1: Notable ransomware that has surfaced in the last few years. Source: IBM Security.
ATTACK TECHNIQUES & FUNCTIONALITY
Ransomware is often delivered through spam and phishing campaigns. The e-mail message contains a malicious
attachment or a link to a malicious file. It may place the victim under certain time constraints (e.g., 24 hours) in
which to provide the ransom.
This malware can also be delivered by exploit kits on compromised web pages and malicious sites. When a user
visits a compromised site serving exploit kit code, the code tries to identify potential vulnerabilities on the user’s
system and serves exploits accordingly. Another infection vector is drive-by downloads.
Attackers attempt to elicit payment by one of two methods. Though the more popular and newer method is to
encrypt files on the system's hard drive, some may simply lock the system and display messages intended to coax
the user into paying.
Ransomware may include the following functionality:
• Encrypting files with RSA encryption
• Keylogging
• Generating a list of C&C servers using a Domain Generation Algorithm (DGA)
• A small network footprint
• The ability to kill multiple running processes
• Inclusion of a banking Trojan as a payload
• Communication with Command & Control servers
• Use of Tor to host the malicious server, which makes it very difficult to take down
• Payment by Bitcoin, avoiding normal payment systems that can lead back to the online criminals
Ransomware has been known to target the financial services sector. Attackers reach this sector through individuals,
en masse, to overcome most traditional protection methods. Other popular targets are companies and others
who are thought to have the means to pay and, potentially, a lack of awareness of such scams. “Federal police
extortion” attacks targeting consumers and businesses have surfaced in many regions, including the United States,
South America, Australia and Europe. In this scam the victim receives an email claiming the Federal Police
has detected illegal or suspicious web browsing activities and demanding the payment of a “fine” to decrypt the
locked files.[3]
In an ironic twist on this scam, several police departments in the United States have recently been targeted by ransomware
campaigns. Many were unable to decrypt the files and resorted to paying the ransom.[4] Unfortunately,
this scenario is all too common. Many organizations place a higher importance on recovering their valuable data
when faced with the decision of whether or not to negotiate with criminals. In a recent survey, 30 percent of
security professionals said they would be willing to negotiate with cyber criminals to retrieve encrypted files. This figure rises to 55
percent amongst organizations that have already fallen victim to cyber criminals.[5]
[3] Fake-police ransomware reaches Australia
http://www.cso.com.au/article/437757/fake-police_ransomware_reaches_australia/
[4] Police Department Pays Cybercriminals Following Ransomware Infection
http://www.esecurityplanet.com/malware/police-department-pays-cybercriminals-following-ransomware-infection.html
[5] Negotiating with Cybercriminals: 30% of Security Professionals Say They Would Pay for the Return of Their Data
http://www.threattracksecurity.com/resources/white-papers/mid-market-cyber-extortion-report.aspx
MOBILE RANSOMWARE
Most cyber threats eventually make their way over to the mobile arena. Ransomware is no exception. Phones using
the Android operating system, in particular, are being plagued by ransomware. In early 2014, the mobile banking
malware Svpeng introduced ransomware capabilities, as seen in the timeline above. This malware attempts to block
the user's phone and display a message demanding payment of a $500 "fee" for alleged criminal activity.
Following this development, it didn’t take long for a dedicated mobile ransomware to appear, and in May of last
year Pletor began circulating. Infections spanned multiple countries and numerous modifications of the malware
have since surfaced. Over the next several months numerous further families of mobile ransomware appeared,
including ScarePakage, ScareMeNot, ColdBrother and Koler. Ransomware had such an impact on the
mobile malware landscape in 2014 that ScareMeNot and ScarePakage made it into the top five most-prevalent
mobile threats in countries such as the U.S., U.K. and Germany, according to one study.[6]
RECOMMENDATIONS/MITIGATION TECHNIQUES
If you have protection in place for malware, chances are it also covers many ransomware families. Anti-malware
software helps to identify threats. However, employing just one anti-spyware program may not rid a system of
all malicious programs. Since the update cadence varies by vendor, some companies may want to layer detection by using a
combination of two or three anti-spyware programs for better protection.
There are a few helpful ways to mitigate ransomware from a network perspective, because some variants follow a predictable
pattern that can be identified and enabled as a rule in an IDS/IPS device. Some make predictable
network GET requests or use DGA domains. Therefore, some general IDS/IPS rules could be put into
place that would provide coverage for some of the variants, but not all. This is where host-based restrictions
help: malware authors are always changing their tactics, so the malware needs to be prevented at several
levels.
At the host level, there are execution policies that can be helpful in blocking execution from certain paths
that are known to be used by particular ransomware. A large portion of malware in general, and ransomware especially, exhibits
specific behavior on the host when detonated. One of the most effective countermeasures is to prohibit any
.exe file from running from the \temp folder. The risk is that a few legitimate applications run from
this folder.
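The two mitigation points above (predictable DGA domains visible at the network layer, and executables launched from the \temp folder on the host) can be turned into detection logic. The following added example, which is not part of the IBM report, scores the registered-domain label of each host in constructed proxy log lines for DGA-like characteristics (high character entropy, few vowels) and flags a client that contacts several such domains; the log format, thresholds and sample domains are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample proxy log lines: <timestamp> <client_ip> <method> <url>
SAMPLE_LOG = """\
2015-05-11T10:00:01 10.0.0.5 GET http://www.example.com/index.html
2015-05-11T10:00:02 10.0.0.5 GET http://cdn.example.org/app.js
2015-05-11T10:00:05 10.0.0.9 GET http://xkqpzvtrlwmnb.net/gate.php
2015-05-11T10:00:06 10.0.0.9 GET http://qwtzplvxnrkbd.com/gate.php
2015-05-11T10:00:07 10.0.0.9 GET http://zrtvkpqlxwbnm.info/gate.php
2015-05-11T10:00:08 10.0.0.9 GET http://mail.example.com/inbox
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+https?://([^/\s:]+)")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(host):
    """Second-level label of the host. Assumption: no public-suffix list,
    so 'example.co.uk' would yield 'co'; adequate for the constructed sample."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label, min_len=10, entropy_min=3.2, vowel_max=0.25):
    """Two cheap DGA signals: a long, high-entropy label with few vowels.
    Thresholds are assumptions tuned to the sample, not vendor values."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_min and vowel_ratio <= vowel_max


def parse_log(text):
    """Yield (timestamp, client_ip, host) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(4)


def find_dga_clients(text, threshold=3):
    """Map client IP -> sorted suspicious domains, for clients that contacted
    at least `threshold` distinct DGA-looking registered domains. One odd
    domain is noise; a burst from one client is the C&C-lookup pattern."""
    per_client = defaultdict(set)
    for _ts, client, host in parse_log(text):
        if looks_generated(registered_label(host)):
            per_client[client].add(".".join(host.split(".")[-2:]))
    return {c: sorted(d) for c, d in per_client.items() if len(d) >= threshold}


if __name__ == "__main__":
    for client, domains in find_dga_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(domains)} DGA-looking domains -> {domains}")
```

The same heuristic applied to DNS query logs rather than proxy logs catches lookups that never complete, which is typical while a DGA client probes candidate domains.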
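The host-level rule above, applied to constructed process-creation events as an added example (not the report's own tooling): it flags executables launched from any temp folder, children of such processes, and the cipher.exe /w free-space wipe that Appendix B shows ZeroLocker invoking, while an assumed allowlist covers the legitimate applications that run from temp. The event format, paths and allowlist are assumptions.

```python
import ntpath
import re

# Constructed process-creation events: (parent_image, image, command_line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe",
     "C:\\Program Files\\Acme\\acme.exe", "acme.exe"),
    ("C:\\Windows\\explorer.exe",
     "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe", "invoice.exe"),
    ("C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe",
     "C:\\Windows\\System32\\cipher.exe", "cipher.exe /w:C:\\"),
    ("C:\\Windows\\explorer.exe",
     "C:\\Users\\bob\\AppData\\Local\\Temp\\goodupdater.exe", "goodupdater.exe /silent"),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\Temp\\setup.exe", "setup.exe"),
]

# Assumed allowlist: the few legitimate applications known to run from temp.
ALLOWLIST = {"goodupdater.exe"}

TEMP_FROM = "executable launched from a temp folder"
TEMP_CHILD = "child of a process running from a temp folder"
WIPE = "cipher.exe /w free-space wipe (defeats deleted-file recovery)"

# Any directory component named "temp" (user or system temp), case-insensitive.
TEMP_DIR_RE = re.compile(r"(^|\\)temp(\\|$)", re.IGNORECASE)


def is_temp_path(image):
    """True when the image's directory contains a 'temp' component."""
    return bool(TEMP_DIR_RE.search(ntpath.dirname(image)))


def evaluate(event):
    """Return the list of findings for one event (empty list if benign)."""
    parent, image, cmdline = event
    name = ntpath.basename(image).lower()
    findings = []
    if name.endswith(".exe") and is_temp_path(image) and name not in ALLOWLIST:
        findings.append(TEMP_FROM)
    if is_temp_path(parent) and ntpath.basename(parent).lower() not in ALLOWLIST:
        findings.append(TEMP_CHILD)
    if name == "cipher.exe" and re.search(r"(^|\s)/w:", cmdline, re.IGNORECASE):
        findings.append(WIPE)
    return findings


def scan(events):
    """Return [(image, findings)] for every event that produced a finding."""
    hits = []
    for event in events:
        findings = evaluate(event)
        if findings:
            hits.append((event[1], findings))
    return hits


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(findings))
```

In blocking mode the same path test becomes the execution policy; in detection mode it gives the security team the alert the report says end users, intimidated by the ransom note, often fail to raise.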
[6] Lookout 2014 Mobile Threat Report
https://www.lookout.com/static/ee_images/Consumer_Threat_Report_Final_ENGLISH_1.14.pdf
Attackers take advantage of users running outdated software with known vulnerabilities, which provides a
window of opportunity for ransomware to sneak by. Perform regularly scheduled software updates with the latest
security patches on PCs as well as mobile devices.
Ransomware can be delivered to your PC or mobile device in any number of ways, but a good preventive measure
is to avoid questionable websites, searches and downloads. Additionally, quite a number of programs
available on the Internet purport to be “malware-removal” programs but are actually spyware
themselves. End-user education should play a role in disseminating this information.
New ransomware releases materialize each day, and antivirus software alone can't keep up with the numerous one-off
malware samples developed. Most anti-spyware programs are reactive in nature: protection only exists once a
signature update is applied. Even a fully patched, up-to-date system remains vulnerable to many types of
ransomware. Only software that uses behavioral analysis techniques is able to provide preemptive detection and
blocking of malicious code successfully.
Effectively protecting your organization's critical information and resources requires a preemptive, multi-layered
strategy at the gateway, network and host level. Your ransomware intrusion prevention solution should incorporate
technologies that deliver the following:
• Stops incoming ransomware before impacting network resources
• Prevents existing ransomware from propagating or sending outbound data on the network
• Blocks access to Web sites with unwanted content
• Protects the host from malware installation, execution and communication
Other precautions one could take to mitigate the threat of malware include:
• Modify browser security settings to detect unauthorized downloads
• Do not install unknown programs
• Prior to downloading software, be sure to review any associated license agreements or privacy
statements
• Do not click on a link within pop-up windows; close pop-ups by clicking the “x” in the upper right-hand
corner of the window, not by clicking the buttons located within the window
Efforts should clearly be made to detect and stop ransomware. However, if ransomware defeats your protection
strategy and your data is encrypted and unrecoverable, then the next best strategy is to have a regularly updated
backup. You’re still bound to lose some data depending on the time of the last backup, but the loss would be far
less devastating than if there were no backup at all. It is not enough, though, simply to have a backup. Organizations
must test their backups as well. In several of the cases seen by IBM Emergency Response Services (ERS), companies had
never tested their backups, and when they attempted to restore the data they found that it did not work.
Although ransomware is on the rise,[7] organizations that implement the aforementioned security recommendations
will be better prepared to safeguard their critical assets against this threat.
REFERENCES
Trojan.Cryptolocker http://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99
Analysis of ‘TorrentLocker’ – A New Strain of Ransomware Using Components of CryptoLocker and CryptoWall http://www.isightpartners.com/2014/08/analysis-torrentlocker-new-strain-malware-using-components-cryptolocker-cryptowall/
CryptoWall surpasses CryptoLocker in infection rates http://www.scmagazine.com/cryptowall-surpasses-cryptolocker-in-infection-rates/article/368920/
CryptoWall ransomware is back with new version after two months of silence http://www.pcworld.com/article/2868972/cryptowall-ransomware-is-back-with-new-version-after-two-months-of-silence.html
All You Need to Know About CTB Locker, the Latest Ransomware Generation https://heimdalsecurity.com/blog/ctb-locker-ransomware/
Police Department Pays Cybercriminals Following Ransomware Infection http://www.esecurityplanet.com/malware/police-department-pays-cybercriminals-following-ransomware-infection.html
U.S. targeted by coercive mobile ransomware impersonating the FBI https://blog.lookout.com/blog/2014/07/16/scarepakage/
Ransomware http://en.wikipedia.org/wiki/Ransomware
Fake-police ransomware reaches Australia http://www.cso.com.au/article/437757/fake-police_ransomware_reaches_australia/
The first mobile encryptor Trojan http://securelist.com/blog/mobile/63767/the-first-mobile-encryptor-trojan/
Latest version of Svpeng targets users in US http://securelist.com/blog/incidents/63746/latest-version-of-svpeng-targets-users-in-us/
[7] IBM X-Force Threat Intelligence Quarterly – 1Q 2015
https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov33510&S_TACT=C327017W&dynform=18101
APPENDIX A: BEHAVIOR OF RANSOMWARE
The next few screen shots exhibit some of the anomalous or malicious behavior of ransomware, specifically
CryptoWall v3 and CryptoLocker.
Figure 1. Registry changes disable security and system restore.
Figure 2a. Windows Explorer launches the process, but the stack shows that this must be coming from injected code. Note the difference when there is a process creation from non-injected explorer code in Figure 2b below.
Figure 2b. Process creation from non-injected explorer code.
Figure 3. Svchost.exe is running as a separate process.
Figure 4. The process tree from Cryptolocker.
Figure 5. Process command lines from Cryptolocker showing how it disables recovery at boot.
Figure 6. Fraudulent “Security Notification” that disables the system once clicked. This message pops up when the malware disables protection and can be a sign that something is wrong with the system.
Figure 7. CryptoWall registry and proxy changes.
APPENDIX B: ANALYSIS OF ZEROLOCKER
The next several screen shots illustrate various steps in the ZeroLocker infection process.
Figure 1. ZeroLocker calls sub-processes, including one to shut the system down. Here the cipher.exe process is being
executed, a Microsoft tool that overwrites deleted data on disk so that deleted files cannot be recovered. The malware takes this measure to prevent file retrieval.
Figure 2. ZeroLocker icon.
Figure 3. ZeroLocker will decrypt files for a fee, payable with bitcoins.
Figure 4. ZeroLocker makes changes to the registry.
Figure 5. ZeroLocker deleting the original files after having written encrypted versions of them.
Figure 6. File operations in a ZeroLocker folder.
CONTRIBUTORS
Zubair Ashraf, Team Lead and Security Researcher – IBM X-Force Advanced Research
Lance Mueller, Senior Incident Response Analyst – Emergency Response Services (ERS)
DISCLAIMER
This document is intended to inform clients of IBM Security Services of a threat or discovery by IBM Managed
Security Services and measures undertaken or suggested by IBM Security Service Teams to remediate the threat.
This information is provided “AS IS,” and without warranty of any kind.
[i] Information about the PC CYBORG (AIDS) trojan horse
http://www.securityfocus.com/advisories/700