Anti-Malware , Fraud , Phishing

Ransomware Onslaught Continues: Old Foes, New Defenses

Why CryptoLocker Won't Die, and Some Ransomware Attackers Double-Zip
Ransomware Onslaught Continues: Old Foes, New Defenses
Crypt0L0cker ransom note

Ransomware variants never seem to die - only to get rewritten.

See Also: Balancing Fraud Detection & the Consumer Banking Experience

Indeed, the Crypt0L0cker ransomware - originally tied to the Gameover Zeus gang - has returned, researchers warn, and in some cases is digitally signed to make it appear legitimate. And various attack campaigns continue to spread other types of crypto-locking ransomware, for example fling Cerber and Sage Locker via emails sent from short-lived domain names.

Crypto-locking ransomware, which forcibly encrypts sensitive information on a system, then demands cryptocurrency for a promised decryption key, offers remote attackers a relatively low-cost, high-reward scheme, and they keep doubling down on related attacks. As the EU's law enforcement intelligence agency Europol noted in its Internet Organized Crime Assessment report last year, "cryptoware (encrypting ransomware) has become the most prominent malware threat, overshadowing data stealing malware and banking Trojans."

In 2016, security firm Trend Micro counted 247 new ransomware families, compared to just 29 in 2015. As of March 6, meanwhile, the free ID Ransomware service from the respected anti-malware researchers behind MalwareHunterTeam counted 319 different types of ransomware.

Ransomware variants cataloged by ID Ransomware.

Shotgun Attacks Most Prevalent

Everyone from hospitals to police agencies to hosting providers have been victims of ransomware, which many attackers blast out in untargeted, shotgun fashion, attached to spam emails (see Verizon: Most Breaches Trace to Phishing, Social Engineering).

Last week, even a Pennsylvania state senator's office was infected with ransomware, forcing the Pennsylvania Senate Democratic Caucus office to shut down. The ransomware infection, which hit systems in the office of Sen. Jay Costa, doesn't appear to have been targeted, news site PennLive reports, noting that the state attorney general's office and FBI are investigating.

Costa's office couldn't be immediately reached for comment about how the ransomware infection began, what variant was responsible or if his office has paid any ransom. As of early on March 6, the state senator's website was offline.

TorrentLocker is Back

Functionally speaking, much of today's ransomware is identical, aided in part by darknet ransomware generation tools. But some specific strains of ransomware just don't seem to die, such as Crypt0L0cker ransomware, aka TorrentLocker or Teerac.

The ransomware first appeared in 2013, before being knocked offline as part of the U.S. Department of Justice's takedown of the Gameover Zeus gang. The gang allegedly infected PCs not only with Gameover Zeus, to steal banking credentials, but also Cryptolocker to earn further revenues via ransom payments. Prosecutors estimated that in just the first two months that the gang's attacks were active - September and October 2013 - attackers earned $27 million.

Since then, Cryptolocker code has returned, with one recent campaign heavily targeting Italy, anti-ransomware site Bleeping Computer reports.

Microsoft says that the Teerac attack files typically get installed by a malware downloader such as Donoff or arrive as attachments to spam emails. If the ransomware gets executed on a system, it forcibly encrypts a range of file types, including Windows shadow files that might otherwise be used to restore a system, and adds ".encrypted" to the encrypted files' extension names. Some versions of Teerac seen in the wild have demanded $500 in bitcoins, with the demand doubling if the ransom hasn't been paid within 72 hours.

Some recent versions of Teerac have been digitally signed to make them appear to be legitimate, Microsoft says.

Peter Kruse, head of the security group at Danish IT security firm CSIS Security Group, says that localized versions of TorrentLocker are also targeting Denmark, in the form of spam emails carrying a malicious Microsoft Word document with an embedded macro. "If the victim enables the macro by clicking on "enable editing," a PowerShell code will be executed and it will download ransomware from the TorrentLocker family," according to a CSIS analysis.

Unlike previous versions of TorrentLocker, the version spotted by CSIS can harvest usernames and passwords from infected computers, as well as spread via Windows shared files.

Burner Domains Send Ransomware Spam

Some ransomware gangs regularly register a number of new domains and then distribute spam through the domains, before killing the domains and moving to new ones.

Such behavior has long been seen, for example, in the form of complex domain-generation algorithms, which malware might employ to reach a constantly changing list of command-and-control servers.

But some gangs register domains to use for distributing ransomware via spam emails. One such group, dubbed the "Blank Slate" gang by Palo Alto Network's Unit 42 threat-research group, registered 555 domains over a seven-month period. "These domains were active for a few days before they were taken off line," the Palo Alto researchers say in a blog post. "Then the criminals behind Blank Slate moved to newly registered domains, sometimes using the same hosting provider. This cycle has repeated itself over and over since July 2016."

From Jan. 29 to Feb 2, for example, the researchers counted at least eight domains that the group was using to distribute Cerber ransomware, ranging from adibas[.]top and guntergoner[.]top to ibm-technoligi[.]top and suzemodels[.]top.

Registering a new website requires only an email address, phone number and payment card, the researchers note, and all of these can be obtained relatively easily and inexpensively. "A new email account can be established for free. Burner phones are cheap, as low as $20 to $30 in the U.S. In the Russian underground, prices for a set of stolen credit card credentials are as low as $5," the researchers say. "The situation lends itself to a cycle of abuse as criminals establish new servers, those servers are reported, the hosting provider shuts them down, and the criminals establish new servers."

'Blank Slate' Double-Zips

The Palo Alto researchers say the same infrastructure has been used to distribute both Cerber ransomware as well as Sage 2.0, aka Sage Locker, which is a variant of CryLocker. In some cases, the ransomware - sometimes a Microsoft Word document with a malicious macro, other times a malicious JavaScript file - is contained in a zipped file, which is then zipped into another file.

"We believe the attackers chose to use a double-zip tactic as a countermeasure against anti-spam/anti-malware technologies," the Palo Alto researchers say. "With an additional layer of user interaction, some intended victims may become frustrated or distracted, and this might lead to an increased failure/abandon rate. However, we believe the attackers decided this was less of a risk than detection by [security] technologies."

RakhniDecryptor Updated

Thankfully, anti-ransomware defenses continue to improve. For example, the public-private partnership No More Ransom has released an updated version of the so-called RakhniDecryptor created by security firm Kaspersky Lab.

The tool now includes a decryptor for Dharma ransomware, after someone posted - to the forums of Bleeping Computer - a link to a Pastebin post that supposedly contained "master decryption keys for all 'dharma' variants."

Kaspersky Lab has confirmed that the keys are legitimate.

RakhniDecryptor can now decrypt 14 different types of ransomware, ranging from Dharma and Crysis to Chimera and Cryptokluchen, and it's only one of a number of free decryption tools now available (see Ransom Smackdown: Group Promises Decryption Tools).

Update: No More Ransom Effort

No More Ransom launched in July 2016 as a collaboration between Europol's European Cybercrime Center and the Dutch National High-Tech Crime unit, as well as Kaspersky Lab and Intel Security, as a way to help victims avoid funding cybercrime.

"The general advice is not to pay the ransom," the site notes. "By sending your money to cybercriminals you'll only confirm that ransomware works, and there's no guarantee you'll get the decryption key you need in return."

Raj Samani of Intel Security's McAfee unit says that since the initiative launched, more organizations have signed on. "We've had almost 20 police agencies now join, almost 20 additional private sector partners join," he says. "We've now prevented ... roughly $3 million going into the hands of criminals."

Obviously, decryption sites alone won't arrest ransomware outbreaks and the massive potential bitcoin profits attackers can earn. But for victims, every little bit helps.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network