November 27, 2013 / Vadim Kotov

The holiday season and ransomware

As we get into the holiday season, it is to be expected that attackers will come up with new forms of attacks against users, who are likely to go online looking for deals.

There’s some chatter in the security community about Cryptolocker, one of the newest pieces of ransomware on the block. The idea of ransomware is very old and it has had a number of incarnations: persistent browser windows that block the view, “police” warnings demanding a fee, or simply relocating the file table or the bootloader.

Cryptolocker is much more dangerous because it encrypts your files using public key cryptography and gives you around 2-3 days to pay for decryption. If you do not pay, your files are gone for good because the private key is destroyed. The following picture shows the encryption scheme for one file.

File encryption scheme

We analyzed several samples and all of them were compiled in Fall 2013 (the earliest sample was made on September 7th):

  1. 180753f31b8295751aa3d5906a297511
  2. 04fb36199787f2e3e2135611a38321eb
  3. bbb445901d3ec280951ac12132afd87c
  4. a8e0d4771c1f71709ddb63d9a75dc895
  5. 0204332754da5975b6947294b2d64c92

The obfuscation scheme of the samples changes a little bit over time, which means that the authors keep updating the dropper in order to bypass malware scanners.

The dropper was written in C++ and is not very hard to unpack, but the actual malware has a couple of anti-analysis tricks. First, its workflow is obscure because of heavy use of function pointers. Secondly, it uses SSE XMM registers to complicate analysis in some debugging tools (such as OllyDbg or Immunity Debugger) and lightweight emulators.

Usage of SSE XMM

And finally, all the strings are encrypted with a fairly simple substitution-permutation cipher.

Obfuscated strings

The problem is that the key and the modulus are resolved at runtime, which makes static decryption nearly impossible.

Strings deobfuscation

With all these protections, analyzing Cryptolocker can be time-consuming.

When executed, Cryptolocker tries to contact one of its C&C servers using a domain generation algorithm.

DNS Requests
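The DNS behaviour described above is also what gives the infection away on the wire: a host that walks a generated domain list produces a burst of lookups for long, random-looking names, most of which do not resolve. The following detection logic is an added example written for this post, not Bromium's code and not Cryptolocker's own algorithm; the resolver log format, client addresses, hostnames and timestamps are constructed, and the entropy, length, window and count thresholds are assumptions a defender would tune for their own environment.

```python
"""Flag hosts that burst NXDOMAIN lookups for random-looking names (DGA heuristic)."""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log lines: "<ISO time> <client IP> <query name> <rcode>".
SAMPLE_LOG = """\
2013-11-27T10:00:01 10.0.0.5 www.example.com NOERROR
2013-11-27T10:00:02 10.0.0.5 ktvpnsaehhqcrpu.net NXDOMAIN
2013-11-27T10:00:02 10.0.0.5 ryqgfkeswxbzjuf.org NXDOMAIN
2013-11-27T10:00:03 10.0.0.5 vwjdnplabmcxyft.biz NXDOMAIN
2013-11-27T10:00:03 10.0.0.5 qhxfdmqsjtyzrnw.info NXDOMAIN
2013-11-27T10:00:04 10.0.0.5 mrnklbtyveqilqf.ru NXDOMAIN
2013-11-27T10:00:04 10.0.0.5 zbrqyxkgdwrvpca.com NXDOMAIN
2013-11-27T10:00:05 10.0.0.5 kwqtzlwzaqqtwsh.com NOERROR
2013-11-27T10:00:06 10.0.0.9 mail.example.com NOERROR
2013-11-27T10:00:07 10.0.0.9 cdn.example.net NXDOMAIN
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label directly left of the TLD. Assumption: a single-label public suffix;
    a production detector would consult the public suffix list instead."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname, min_len=10, min_entropy=3.3):
    """Heuristic: long and high-entropy registrable label (thresholds are assumptions)."""
    label = registrable_label(qname)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_log(text):
    """Parse log lines into (timestamp, client, qname, rcode); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            events.append((datetime.fromisoformat(ts), client, qname, rcode))
    return events


def find_dga_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Return {client: summary} for clients with >= threshold generated-looking
    NXDOMAIN lookups inside any sliding window of the given length."""
    by_client = defaultdict(list)
    for ts, client, qname, rcode in events:
        if rcode == "NXDOMAIN" and looks_generated(qname):
            by_client[client].append((ts, qname))
    alerts = {}
    for client, hits in by_client.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):           # two-pointer sliding window
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[client] = {"max_in_window": best,
                              "examples": [q for _, q in hits[:3]]}
    return alerts


def scan(text=SAMPLE_LOG):
    """Convenience wrapper: parse the sample log and report bursting clients."""
    return find_dga_bursts(parse_log(text))


if __name__ == "__main__":
    for client, info in scan().items():
        print(client, info)
```

Only failed lookups are counted, so a host that legitimately resolves a long CDN hostname is not flagged, and the handful of NOERROR answers a DGA host eventually gets (the working server) are exactly the names worth pulling from the same log for blocking.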

When the working server is found, it sends a unique machine ID and receives the public key for file encryption. All the communications between client and server are encrypted as well.

Client Server Communication

At the time of analysis there were still active C&C servers and we were able to infect our test machines easily. Cryptolocker carefully checks the disk space available and the logical drives registered in the system. The samples we have do not infect network shares, but reportedly some Cryptolocker specimens do. Encryption and decryption functions are based on Windows API crypto functions, such as CryptImportKey, CryptEncrypt, CryptDecrypt, etc.

Once the files are encrypted, the victim gets the message.

Cryptolocker Main Window

The Cryptolocker user interface conveniently provides a list of encrypted files so you can verify they were indeed encrypted.

List of Files

It targets documents, images, presentations and even .PEM certificates. In other words, the target audience of this malware is quite wide, from home users to enterprises.
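Because the malware has to rewrite every targeted file in a short time, the host-side signal is a single process touching an unusually large number of distinct documents, images and certificates within minutes. The following is an added example, not Bromium's code or anything from the sample, showing that check over a constructed file-write audit log; the log format, process names, paths, the extension list (built from the categories the post names) and the window and count thresholds are all assumptions.

```python
"""Flag a process that writes to many distinct user documents in a short window."""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed target set, built from the file categories the post mentions.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                     ".pdf", ".jpg", ".png", ".pem"}

# Constructed audit lines: "<ISO time> pid=<n> image="<exe>" op=<WRITE|READ> path="<file>"".
# The process under C:\Users\...\Temp is a made-up stand-in, not a real sample path.
SAMPLE_AUDIT = r"""
2013-11-27T10:05:00 pid=2210 image="C:\Program Files\Microsoft Office\WINWORD.EXE" op=WRITE path="C:\Users\alice\Documents\report.docx"
2013-11-27T10:05:01 pid=4120 image="C:\Users\alice\AppData\Local\Temp\sample.exe" op=READ path="C:\Users\alice\Documents\report.docx"
2013-11-27T10:05:01 pid=4120 image="C:\Users\alice\AppData\Local\Temp\sample.exe" op=WRITE path="C:\Users\alice\Documents\report.docx"
2013-11-27T10:05:02 pid=4120 image="C:\Users\alice\AppData\Local\Temp\sample.exe" op=WRITE path="C:\Users\alice\Documents\budget.xlsx"
2013-11-27T10:05:02 pid=4120 image="C:\Users\alice\AppData\Local\Temp\sample.exe" op=WRITE path="C:\Users\alice\Documents\pitch.pptx"
2013-11-27T10:05:03 pid=4120 image="C:\Users\alice\AppData\Local\Temp\sample.exe" op=WRITE path="C:\Users\alice\Documents\contract.pdf"
2013-11-27T10:05:03 pid=880 image="C:\Windows\explorer.exe" op=WRITE path="C:\Users\alice\Desktop\desktop.ini"
2013-11-27T10:05:04 pid=4120 image="C:\Users\alice\AppData\Local\Temp\sample.exe" op=WRITE path="C:\Users\alice\Pictures\holiday.jpg"
2013-11-27T10:05:04 pid=4120 image="C:\Users\alice\AppData\Local\Temp\sample.exe" op=WRITE path="C:\Users\alice\Pictures\family.png"
2013-11-27T10:05:05 pid=4120 image="C:\Users\alice\AppData\Local\Temp\sample.exe" op=WRITE path="C:\Users\alice\Documents\notes.doc"
2013-11-27T10:05:06 pid=4120 image="C:\Users\alice\AppData\Local\Temp\sample.exe" op=WRITE path="C:\Users\alice\Documents\old\ledger.xls"
2013-11-27T10:05:07 pid=4120 image="C:\Users\alice\AppData\Local\Temp\sample.exe" op=WRITE path="C:\Users\alice\certs\server.pem"
"""

AUDIT_RE = re.compile(r'^(\S+) pid=(\d+) image="([^"]+)" op=(\w+) path="([^"]+)"$')


def parse_audit(text):
    """Parse audit lines into (timestamp, pid, image, op, path); bad lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line.strip())
        if m:
            ts, pid, image, op, path = m.groups()
            events.append((datetime.fromisoformat(ts), pid, image, op, path))
    return events


def extension(path):
    """Lower-cased extension using Windows path rules, whatever host runs this."""
    return ntpath.splitext(path)[1].lower()


def find_mass_writers(events, window=timedelta(seconds=120), threshold=8):
    """Return {(pid, image): summary} for processes that wrote >= threshold distinct
    targeted files inside any window of the given length."""
    by_proc = defaultdict(list)
    for ts, pid, image, op, path in events:
        if op == "WRITE" and extension(path) in TARGET_EXTENSIONS:
            by_proc[(pid, image)].append((ts, path))
    alerts = {}
    for key, writes in by_proc.items():
        writes.sort()
        best = set()
        for i, (t0, _) in enumerate(writes):
            # distinct files written within `window` of the i-th write
            seen = {p for t, p in writes[i:] if t - t0 <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            alerts[key] = {"distinct_files": len(best),
                           "extensions": sorted({extension(p) for p in best})}
    return alerts


def scan_audit(text=SAMPLE_AUDIT):
    """Convenience wrapper over the constructed sample."""
    return find_mass_writers(parse_audit(text))


if __name__ == "__main__":
    for (pid, image), info in scan_audit().items():
        print(pid, image, info)
```

Word writing one .docx and Explorer touching desktop.ini stay below the bar; the one process that rewrites nine different documents, pictures and a .PEM file in a few seconds is the alert. Counting distinct files rather than raw write calls keeps a single large save from Office from tripping the rule.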

Cryptolocker offers two payment options, MoneyPak or BitCoin. The ransom is a flat fee of $300 for decryption. In both cases you enter a transaction ID, which is sent to the C&C server. According to the authors it may take up to 2 business days to process the payment, during which private key destruction is put on hold. However, if you provide a wrong number, your remaining time is cut in half.

Cryptolocker transaction

What happens if you pay? First, we strongly recommend not to, because it encourages the bad guys. Secondly, well, there is a decryption routine and, when you pay, it will probably decrypt the files (provided the server storing your key is still alive, which is very unlikely since C&Cs generally tend to die out fast). But there’s a catch: Cryptolocker registers itself in the autorun registry key, which means that on the next login your files could get encrypted again.
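That autorun entry is the first thing to check on a machine before anyone considers paying or restoring data. The following triage helper is an added example for this post, not Bromium's code: it parses a constructed .reg export of the per-user Run key (the post says only "autorun registry key"; the HKCU\Software\Microsoft\Windows\CurrentVersion\Run path and the sample entries are the author's assumptions) and flags entries whose executable lives in a user-writable location, the usual home of a dropped payload.

```python
"""Triage Run-key autorun entries from a .reg export: flag user-writable launch paths."""
import re

# Constructed export in .reg syntax; the value names and paths are made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\Updater\\updater.exe\""
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
'''

# Assumed list of locations an ordinary user can write to (lower-cased for matching).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# One "Name"="value" line; both sides may contain backslash-escaped quotes and backslashes.
ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')
# Launch command: optional leading quote, then the shortest path ending in an executable extension.
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|scr|bat|cmd|com))(?:"|\s|$)', re.IGNORECASE)


def unescape_reg(s):
    """Undo .reg escaping: a backslash protects the character that follows it."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_run_key(reg_text):
    """Return [(value_name, launch_command)] for every entry line in the export."""
    entries = []
    for line in reg_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), unescape_reg(m.group(2))))
    return entries


def executable_path(command):
    """Extract the program path from a launch command, or None if none is recognised."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else None


def is_user_writable(path):
    """Heuristic: the program sits under a directory a normal user can write to."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def triage(reg_text=SAMPLE_REG):
    """Return one dict per Run-key entry with its resolved path and a suspicious flag."""
    report = []
    for name, command in parse_run_key(reg_text):
        path = executable_path(command)
        report.append({"name": name,
                       "path": path,
                       "suspicious": path is not None and is_user_writable(path)})
    return report


if __name__ == "__main__":
    for entry in triage():
        print(("SUSPICIOUS " if entry["suspicious"] else "ok         ") + entry["name"], entry["path"])
```

A flagged entry is a lead, not a verdict: plenty of legitimate updaters start from AppData too, so the next step is to check the binary's signature and hash, and to remove the entry only from a clean environment, since the post's point is that leaving it in place re-encrypts the files at the next login.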

These days we’re so dependent on digital data that Cryptolocker-type attacks are a serious threat. Will the attack landscape shift towards ransomware in the near future? It’s hard to tell, but from the attacker's perspective it is a quick way to make money. Ransomware is relatively easy to implement (as opposed to advanced distributed botnets with a ton of features) and it is capable of considerable, quick, visible damage. Encrypting crucial data could have a direct financial impact on a company or user within mere hours, so, naturally, in these circumstances there will be enough victims willing to take their chances and pay the ransom. This could be a good strategy for cybercriminals in response to the increasing security measures embedded into applications such as Chrome, Adobe Reader and Java. It is obvious that traditional antivirus products aren’t well equipped to deal with this sort of threat early enough; moreover, in this case cleaning the infection out will be of little help, as the user's data would already be encrypted.

A good strategy against such crypto-ransomware is to isolate the infection and restrict the damage. For instance, this can be done using micro-VM technology, which confines Cryptolocker's activity to a single task and discards all the changes made to the system once the container is destroyed. Below are fragments of a threat analysis graph of one such instance of Cryptolocker that was isolated and profiled by Bromium LAVA.

DNS Requests and C&C Communication

Part of the graph showing DNS requests and C&C communication

File Encryption

Graph fragment showing file encryption. These actions do not affect real files and are discarded after the micro-VM is destroyed.

We urge users to take precaution against such attacks during this holiday season. Happy holidays and stay safe!
