IBM MSS RANSOMWARE

RESEARCH AND INTELLIGENCE REPORT

RELEASE DATE: MAY 11, 2015

BY: MICHELLE ALVAREZ, THREAT RESEARCHER AND EDITOR

©Copyright IBM Corporation 2015. All rights reserved. IBM and the IBM logo are trademarks or registered trademarks of IBM Corporation in the United States, other countries or both. Other company, product or service names may be trademarks or service marks of others.

TABLE OF CONTENTS

EXECUTIVE OVERVIEW/KEY FINDINGS 1
RANSOMWARE: THEN AND NOW 1
ATTACK TECHNIQUES & FUNCTIONALITY 3
MOBILE RANSOMWARE 5
RECOMMENDATIONS/MITIGATION TECHNIQUES 5
REFERENCES 7
APPENDIX A: BEHAVIOR OF RANSOMWARE 8
APPENDIX B: ANALYSIS OF ZEROLOCKER 11
CONTRIBUTORS 15
DISCLAIMER 15


EXECUTIVE OVERVIEW/KEY FINDINGS

IBM’s 2014 Chief Information Security Officer (CISO) study revealed that more than 80 percent of security leaders believe the challenge posed by external threats is on the rise, including financial and intellectual property theft. However, until recently, ransomware wasn’t considered to be an enterprise threat. Many felt that this particular type of malware was more relevant for consumers or small to mid-size businesses, which often lack the sophisticated anti-malware tools of large businesses. This viewpoint is starting to shift as successful ransomware families, such as CryptoLocker and CryptoWall, cost organizations millions globally.

Ransomware is malware that encrypts files and deletes the originals, thereby making access impossible unless a ransom is paid. In other scenarios, the ransomware simply locks the whole system. Only after paying the ransom will the user be given the password to unlock the files. Typically, users pay the ransom by going to a Web site devised by the hacker that asks them to enter a unique key.

Ransomware is only one type of malware amongst more than half a dozen classifications and therefore is not something that organizations typically place a strategic security focus around. However, ransomware is a growing and significant trend. The attackers behind ransomware are increasingly organized and their attacks stealthier, leveraging multiple forms of end-user manipulation and extortion.

Most ransomware begins with a warning indicating that the user’s computer has been locked because it has been used for illegal activities; payment, often via Bitcoins, e-gold or other electronic forms of payment, is necessary to regain access to files. Ransomware is sometimes called “scareware” because these attacks also employ fear and embarrassment by telling victims the ransomware was caused by visiting inappropriate Web sites. Such tactics can prevent end users from working with security teams to resolve the issue. Fortunately, there are steps companies can take to prevent ransomware, including implementing an anti-malware solution and keeping patches up to date. Additionally, a regularly updated backup is absolutely essential for when efforts to detect and stop ransomware fail.

RANSOMWARE: THEN AND NOW

While ransomware has increased in popularity amongst attackers in the last few years, its origins date all the way back to the late ‘80s.[i] Aids Info Disk (also known as AIDS), or the PC Cyborg Trojan, is the first known ransomware. This Trojan encrypted files and prompted the user to 'renew the license' by providing payment to the fictitious PC Cyborg Corporation, which involved sending US$189 to a post office box in Panama. Its use of symmetric cryptography, in which the same key is used both to encrypt plaintext and to decrypt ciphertext, makes this ransomware rudimentary by today’s standards.


Flash forward a few years: the first cryptovirus using public key (asymmetric) cryptography, which requires two separate keys (one private and one public), surfaced in the mid-‘90s. Over the next two decades attackers developed ransomware using more sophisticated RSA encryption, and by 2008 a variant of GPcode, also known as PGPCoder, was detected using a 1024-bit RSA key. This made file recovery nearly impossible.[1]

The playing field for ransomware changed once again with the introduction of CryptoLocker in 2013, which uses bitcoins, a digital or virtual currency, to collect ransom money. This ransomware was made infamous by Operation Tovar, a take-down of a large hacker-controlled network in Russia and Ukraine that was using the Gameover platform to spread and infect systems with CryptoLocker. The FBI estimated $30 million in losses to organizations at the time it shut down the organization.[2]

One of CryptoLocker’s copy-cat successors, CryptoWall, has surpassed its predecessor in terms of infection rate. Though not considered as sophisticated in terms of malware and infrastructure, it is undeniably one of the most destructive ransomware families circulating today. The most recent version, CryptoWall v3, uses the Tor anonymity network for command and control (C&C) communications and is especially aggressive and malicious. Infections for this specific version have been on the rise.

[1] Who's behind the GPcode ransomware? http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/

[2] Crime pays very well: Cryptolocker grosses up to $30 million in ransom http://www.pcworld.com/article/2082204/crime-pays-very-well-cryptolocker-grosses-up-to-30-million-in-ransom.html


Figure 1: Notable ransomware that has surfaced in the last few years. Source: IBM Security.

ATTACK TECHNIQUES & FUNCTIONALITY

Ransomware is often delivered through spam and phishing campaigns. The e-mail message contains a malicious attachment or a link to a malicious file. It may place the victim under a time constraint (e.g., 24 hours) in which to provide the ransom.

This malware can also be delivered by exploit kits on compromised web pages and malicious sites. When a user visits a compromised site serving exploit kit code, the code tries to identify potential vulnerabilities on the user’s system and serves exploits accordingly. Another infection vector is drive-by downloads.

Attackers can attempt to elicit payment by one of two methods. Though the more popular and newer method is to encrypt files on the system's hard drive, some may simply lock the system and display messages intended to coax the user into paying.


Ransomware may include the following functionality:

• Encrypting files with RSA encryption
• Keylogging
• Generating a list of C&C servers using a Domain Generation Algorithm (DGA)
• A small network footprint
• The ability to kill multiple running processes
• Inclusion of a banking Trojan as a payload
• Communication with Command & Control servers
• Use of Tor to host the malicious server, which makes it very difficult to take down
• Payment by Bitcoin, avoiding normal payment systems that can lead back to online criminals

Ransomware has been known to target the financial services sector. Attackers reach this sector through individuals, en masse, to overcome most traditional protection methods. Other popular targets are companies and others thought to have the means to pay and, potentially, a lack of awareness of such scams. “Federal police extortion” attacks targeting consumers and businesses have surfaced in many regions, including the United States, South America, Australia and Europe. This scam involves the victim receiving an email claiming the Federal Police has detected illegal or suspicious web browsing activity and demanding payment of a “fine” to decrypt the locked files.[3]

In an ironic twist on this scam, several police departments in the United States have recently been targeted by ransomware campaigns. Many were unable to decrypt the files and succumbed to paying the ransom.[4] Unfortunately, this scenario is all too common. Many organizations place a higher importance on recovering their valuable data when faced with the decision of whether or not to negotiate with criminals. In a recent survey, 30 percent of security professionals said they would be willing to negotiate with cyber criminals to retrieve encrypted files. This figure rises to 55 percent amongst organizations that have already fallen victim to cyber criminals.[5]

[3] Fake-police ransomware reaches Australia http://www.cso.com.au/article/437757/fake-police_ransomware_reaches_australia/

[4] Police Department Pays Cybercriminals Following Ransomware Infection http://www.esecurityplanet.com/malware/police-department-pays-cybercriminals-following-ransomware-infection.html

[5] Negotiating with Cybercriminals: 30% of Security Professionals Say They Would Pay for the Return of Their Data http://www.threattracksecurity.com/resources/white-papers/mid-market-cyber-extortion-report.aspx


MOBILE RANSOMWARE

Most cyber threats eventually make their way to the mobile arena, and ransomware is no exception. Phones using the Android operating system, in particular, are being plagued by ransomware. In early 2014, the mobile banking malware Svpeng introduced ransomware capabilities, as seen in the timeline above (Figure 1). This malware attempts to block the user's phone and displays a message demanding payment of a $500 "fee" for alleged criminal activity.

Following this development, it didn’t take long for dedicated mobile ransomware to appear: in May of last year, Pletor began circulating. Infections spanned multiple countries and numerous modifications of the malware have since surfaced. Over the next several months numerous families of mobile ransomware plagued mobile devices, including ScarePakage, ScareMeNot, ColdBrother, and Koler. Ransomware had such an impact on the mobile malware landscape in 2014 that ScareMeNot and ScarePakage made it into the top five most-prevalent mobile threats in countries such as the U.S., U.K., and Germany, according to one study.[6]

RECOMMENDATIONS/MITIGATION TECHNIQUES

If you have protection in place for malware, chances are it also covers many ransomware families. Anti-malware software helps to identify threats. However, employing just one anti-spyware program may not rid a system of all malicious programs. Since update cadence varies by vendor, some companies may want to layer detection by using a combination of two or three anti-spyware programs for better protection.

There are a few helpful ways to mitigate ransomware from a network perspective, as some variants exhibit a predictable pattern that can be identified and enabled as a rule in an IDS/IPS device. Some make predictable network GET requests or use DGA domains. Therefore, some general IDS/IPS rules could be put into place that would provide coverage for some of the variants, but not all. This is where host-based restrictions help, since malware authors are always changing their tactics and the malware needs to be prevented at multiple levels.

At the host level, execution policies can help block execution from certain paths known to be used by particular ransomware. A large portion of malware in general, and ransomware in particular, exhibits specific behavior on the host when detonated. One of the most effective countermeasures is to prohibit any .exe file from running from the \temp folder. The risk is that a few legitimate applications run from this folder.

[6] Lookout 2014 Mobile Threat Report https://www.lookout.com/static/ee_images/Consumer_Threat_Report_Final_ENGLISH_1.14.pdf
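The network and host checks recommended above (DGA-domain lookups as an IDS/IPS pattern, and blocking .exe execution from the \temp folder), as an added example that is not from the report: a Python script that flags bursts of DGA-like lookups in constructed DNS log lines and process-creation events where an executable launches from a temp directory. The log format, field names, thresholds and sample values are assumptions.

```python
import math
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample records, not taken from the report: DNS lookups as a
# resolver might log them, and process-creation events from an endpoint agent.
DNS_LOG = [
    "2015-05-11T09:12:01 host=WS-042 query=www.ibm.com",
    "2015-05-11T09:12:03 host=WS-042 query=mail.example.org",
    "2015-05-11T09:12:09 host=WS-042 query=xk3qz9fwplm7vbtr.com",
    "2015-05-11T09:12:09 host=WS-042 query=pqhtzrlvbmwkx.net",
    "2015-05-11T09:12:10 host=WS-042 query=ujtwnvrxdqlpk.biz",
    "2015-05-11T09:12:12 host=WS-017 query=www.microsoft.com",
]
PROCESS_EVENTS = [
    {"host": "WS-042", "parent": "explorer.exe",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"host": "WS-042", "parent": "winword.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice_4432.exe"},
    {"host": "WS-017", "parent": "explorer.exe",
     "image": r"C:\Windows\Temp\setup.exe"},
]
LOG_RE = re.compile(r"host=(?P<host>\S+) query=(?P<query>\S+)")


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dga_score(domain: str) -> dict:
    """Measure the registrable label (the part left of the TLD) for traits that
    algorithmically generated names tend to share: long, high-entropy, few vowels."""
    labels = domain.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    letters = [ch for ch in label if ch.isalpha()]
    vowels = sum(ch in "aeiou" for ch in letters)
    return {
        "label": label,
        "length": len(label),
        "entropy": round(shannon_entropy(label), 2),
        "vowel_ratio": round(vowels / len(letters), 2) if letters else 0.0,
    }


def is_dga_like(domain: str) -> bool:
    # Thresholds are assumptions chosen for this sample; tune them against your
    # own traffic, since some legitimate CDN or tracking hosts look similar.
    s = dga_score(domain)
    return s["length"] >= 10 and s["entropy"] >= 3.2 and s["vowel_ratio"] < 0.25


def hosts_with_dga_bursts(lines, threshold: int = 3) -> list:
    """Hosts whose DGA-like lookups reach the threshold. A burst of random-looking
    names from one host is the predictable pattern an IDS/IPS rule can key on."""
    per_host = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and is_dga_like(m.group("query")):
            per_host[m.group("host")] += 1
    return sorted(h for h, n in per_host.items() if n >= threshold)


BLOCKED_EXEC_DIRS = {"temp", "tmp"}  # the report's \temp rule, plus the tmp alias


def violates_exec_policy(image_path: str) -> bool:
    """True when an .exe is launched from a temp directory, the condition a
    host execution policy (e.g. a path rule in AppLocker or Software Restriction
    Policies) would deny. Other file types are left to other controls."""
    p = PureWindowsPath(image_path)
    if p.suffix.lower() != ".exe":
        return False
    return any(part.lower() in BLOCKED_EXEC_DIRS for part in p.parts[:-1])


def policy_violations(events) -> list:
    return [e["image"] for e in events if violates_exec_policy(e["image"])]


if __name__ == "__main__":
    print("Hosts with DGA bursts:", hosts_with_dga_bursts(DNS_LOG))
    print("Exec policy violations:", policy_violations(PROCESS_EVENTS))
```

The legitimate-application caveat from the text applies to the path rule: review the violations list for known-good installers before turning a detection into a block.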


Attackers take advantage of users running outdated software with known vulnerabilities, which can provide a window of opportunity for ransomware to sneak by. Perform regularly scheduled software updates with the latest security patches on PCs as well as mobile devices.

Ransomware can be delivered to your PC or mobile device in any number of ways, but a good preventive measure is to avoid questionable websites, searches, and downloads. Additionally, quite a number of programs available on the Internet purport to be “malware-removal” programs but are actually spyware themselves. End-user education should play a role in disseminating this information.

New ransomware releases materialize each day, and antivirus software alone can't keep up with the numerous one-off malware samples developed. Most anti-spyware programs are reactive in nature: protection only exists once a signature update is applied. Even a fully patched, updated system remains vulnerable to many types of ransomware. Only software that uses behavioral analysis techniques is able to provide preemptive detection and blocking of malicious code successfully.

Effectively protecting your organization's critical information and resources requires a preemptive, multi-layered strategy at the gateway, network and host level. Your ransomware intrusion prevention solution should incorporate technologies that deliver the following:

• Stops incoming ransomware before it impacts network resources
• Prevents existing ransomware from propagating or sending outbound data on the network
• Blocks access to Web sites with unwanted content
• Protects the host from malware installation, execution and communication

Other precautions one could take to mitigate the threat of malware include:

• Modify browser security settings to detect unauthorized downloads
• Do not install unknown programs
• Prior to downloading software, be sure to review any associated license agreements or privacy statements
• Do not click on a link within pop-up windows; close pop-ups by clicking the “x” in the upper right-hand corner of the window, not by clicking the buttons located within the window

Efforts should clearly be made to detect and stop ransomware. However, if ransomware defeats your protection strategy and your data is encrypted and unrecoverable, then the next best strategy is to have a regularly updated backup. You’re still bound to lose some data depending on the time of the last backup, but the loss would be far less devastating than if there were no backup at all. It is not enough, though, simply to have a backup. Organizations must test them as well. In several of the cases seen by IBM Emergency Response Services (ERS), companies had never tested their backups and when they attempted to restore the data, they found that it was not working.

Although ransomware is on the rise,[7] organizations that implement the aforementioned security recommendations will be better prepared to safeguard their critical assets against this threat.
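The restore test the report calls for, as an added example that is not part of the report: a Python restore drill that hashes a constructed sample tree at backup time, restores a copy to a fresh location and verifies it against the stored manifest, reporting missing and corrupt files when the restore is broken. The file names, the manifest format and the use of a directory copy to stand in for the backup job are assumptions.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample data set, not from the report: relative path -> contents.
SAMPLE_FILES = {
    "finance/q1_ledger.xlsx": b"ledger bytes 2015-Q1",
    "hr/contracts.docx": b"contract text",
    "notes/readme.txt": b"restore me",
}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Hash every file at backup time. Keep the manifest apart from the backup
    media so a bad restore cannot also corrupt the record you check it against."""
    return {p.relative_to(source).as_posix(): sha256_of(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest; list what is missing or
    differs, since a restore that 'completes' can still be unusable."""
    missing, corrupt = [], []
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            corrupt.append(rel)
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt}


def restore_drill(tamper: bool = False) -> dict:
    """End-to-end drill in a temp directory: write the sample data, back it up
    with a manifest, restore to a fresh location and verify. tamper=True breaks
    the restore to show what a failed drill reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, restored = root / "source", root / "backup", root / "restored"
        for rel, data in SAMPLE_FILES.items():
            f = source / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(data)
        manifest_path = root / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(source), indent=2))
        shutil.copytree(source, backup)        # stands in for the backup job
        shutil.copytree(backup, restored)      # stands in for the restore job
        if tamper:
            (restored / "hr/contracts.docx").write_bytes(b"truncated")
            (restored / "notes/readme.txt").unlink()
        return verify_restore(restored, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    print("clean restore:", restore_drill())
    print("broken restore:", restore_drill(tamper=True))
```

Run the drill on a schedule against the real restore path, not only once at setup, since the ERS cases above failed at restore time rather than at backup time.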

REFERENCES

Trojan.Cryptolocker http://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99
Analysis of ‘TorrentLocker’ – A New Strain of Ransomware Using Components of CryptoLocker and CryptoWall http://www.isightpartners.com/2014/08/analysis-torrentlocker-new-strain-malware-using-components-cryptolocker-cryptowall/
CryptoWall surpasses CryptoLocker in infection rates http://www.scmagazine.com/cryptowall-surpasses-cryptolocker-in-infection-rates/article/368920/
CryptoWall ransomware is back with new version after two months of silence http://www.pcworld.com/article/2868972/cryptowall-ransomware-is-back-with-new-version-after-two-months-of-silence.html
All You Need to Know About CTB Locker, the Latest Ransomware Generation https://heimdalsecurity.com/blog/ctb-locker-ransomware/
Police Department Pays Cybercriminals Following Ransomware Infection http://www.esecurityplanet.com/malware/police-department-pays-cybercriminals-following-ransomware-infection.html
U.S. targeted by coercive mobile ransomware impersonating the FBI https://blog.lookout.com/blog/2014/07/16/scarepakage/
Ransomware http://en.wikipedia.org/wiki/Ransomware
Fake-police ransomware reaches Australia http://www.cso.com.au/article/437757/fake-police_ransomware_reaches_australia/
The first mobile encryptor Trojan http://securelist.com/blog/mobile/63767/the-first-mobile-encryptor-trojan/
Latest version of Svpeng targets users in US http://securelist.com/blog/incidents/63746/latest-version-of-svpeng-targets-users-in-us/

[7] IBM X-Force Threat Intelligence Quarterly – 1Q 2015 https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov33510&S_TACT=C327017W&dynform=18101

APPENDIX A: BEHAVIOR OF RANSOMWARE

The next few screen shots exhibit some of the anomalous or malicious behavior of ransomware, specifically CryptoWall v3 and CryptoLocker.

Figure 1. Registry changes disable security and system restore.

Figure 2a. Windows Explorer launches the process, but the stack shows that this must be coming from injected code. Note the difference when there is a process creation from non-injected explorer code in Figure 2b below.


Figure 2b. Process creation from non-injected explorer code.

Figure 3. Svchost.exe is running as a separate process.


Figure 4. The process tree from Cryptolocker.

Figure 5. Process command lines from Cryptolocker showing how it disables recovery at boot.

Figure 6. Fraudulent “Security Notification” that disables system once clicked. This message pops up when malware disables protection and can be a sign of something wrong with the system.


Figure 7. Registry and proxy changes made by CryptoWall.

APPENDIX B: ANALYSIS OF ZEROLOCKER

The next several screen shots illustrate various steps in the ZeroLocker infection process.

Figure 1. ZeroLocker spawns subprocesses, including one that shuts the system down. Here the cipher.exe process is being executed; this Microsoft tool permanently wipes previously deleted files, a measure the malware takes to prevent file recovery.


Figure 2. ZeroLocker icon.


Figure 3. ZeroLocker will decrypt files for a fee, payable with bitcoins.


Figure 4. ZeroLocker makes changes to the registry.

Figure 5. ZeroLocker deleting the original files after having written encrypted versions of them.


Figure 6. File operations in a ZeroLocker folder.

CONTRIBUTORS

Zubair Ashraf, Team Lead and Security Researcher – IBM X-Force Advanced Research

Lance Mueller, Senior Incident Response Analyst – Emergency Response Services (ERS)

DISCLAIMER

This document is intended to inform clients of IBM Security Services of a threat or discovery by IBM Managed Security Services and measures undertaken or suggested by IBM Security Service Teams to remediate the threat. This information is provided “AS IS,” and without warranty of any kind.

[i] Information about the PC CYBORG (AIDS) trojan horse http://www.securityfocus.com/advisories/700