Ransomware is a form of malware that, once a machine is compromised, starts to seek out certain file extensions, usually Microsoft, AutoCAD, Adobe, or any other file type that might be deemed valuable, and wraps it with an encryption process as to make it unusable by the user until a fee is paid. Currently it seems to be the malware-de-jour. It should be noted that not all ransomware is created equal, nor do they all act in the same way, but they all tend to leave (for the most part) a bit of a footprint that can be used to track and locate where it currently lives on the Internet. Gathering steam a few years ago, ransomware used to work by installing itself, rebooting the system, and displaying an image similar to this one:
Scary tactic right? While it might have been frightening to some, all was not really as bad as it appeared to be. It’s unknown how many people actually payed the ransom for this campaign, but one can assume there were quite a few. The simplest way to circumvent this lock down was to boot into safe mode, and clean up the infection using any one of various means.
However, as time moved forward, and the income from some of the bigger pharma schemes (real money makers at the time) started to falter, nefarious actors started to work on new and better means to generate revenue. The next real advancement in the ransomware family came in the form of CryptoLocker. CryptoLocker was dispersed through malicious email attachments by the Gameover Zeus (G0Z) botnet and used RSA public-key encryption to make files(both locally and on mapped drives) impossible to use unless a ransom was paid in the form of Bitcoin or pre-paid cards, which usually cost about $300- $500 USD/Euro.
CryptoLocker left a footprint in the way of using a Domain Generated Algorithm (DGA). This DGA was used so that it would produce thousands of domains at a time, with only a couple or so of the domains actually being live. This tactic was used to make locating the Command & Control servers harder for researchers and law enforcement. Yet, once a sample was able to be reversed, and the seed (a seed is what is used to produce the DGA, usually based on a time/date schema) was found, it was easy to determine which domains would be generated in forthcoming days and weeks, and one could block these domains from the network even before they had a chance to become live (something OpenDNS did with great success).
With the take down of GoZ in mid-2014, this also helped eradicate CryptoLocker greatly, yet, this would not be the end of ransomware. In all reality, there have been many competitors entering the ring, as well as a couple that have been around for a while. These include:
- Alpha Crypt
- Azazel Locker
- CryptoLocker 2.0
- CryptoLocker 3.0
- CryptoWall 2.0
- CryptoWall 3.0 (Cowti)
- HowDecrypt (Cryptorbit)
- PrisonLocker (PowerLocker)
While some of these used the CryptoLocker name, they were mostly just the same in that way only. Most of these copycat versions used either much weaker encryption processes, or made the mistake of leaving the keys easily recoverable. Yet, for every one that didn’t play up to par, there were a couple that stick out.
This particular ransomware used geo-location based services to target individuals in only a certain parts of the world. While it was seen quite largely in the Australian and New Zealand areas, with some European countries included as well, there was little to no sign of it being used in the United States. The delivery mechanism mostly centered around use of email that referred to messages about unpaid invoices, traffic citations, or missed deliveries. Once opened, there were usually one of two paths taken. There would either be a malicious .zip file attached, or there would be a link to a web site where the user had to complete a captcha. These sites usually were in the form of *(aus|nsw)-(post|gov).(top-level domain), with some minor variations along the way. This format made the tracking of these domains a bit easier, as just about any domain that was seen in that format proved to be malicious and provided little difficulty in figuring out what the next domains that could prove to be malicious in the future might be. The below screenshot from Investigate shows that database-nsw-gov.net is blocked by OpenDNS. This particular domain was blocked in February of 2015, when it was fairly active, and still shows continued activity today:
This particular variant has a couple of names, but was really the same ransomware, just renamed from TeslaCrypt over to AlphaCrypt. The format AlphaCrypt uses for it’s domains also comes to us in the form of a DGA. An example of the domains tends to look like fsoreij38wje2d.fkos650er4wf[.]com, where there is a both a domain and sub-domain that are both in the form of nonsensical patterns. These tend to be easy to spot using algorithms based on lexical analysis. This particular domain was blocked by OpenDNS back in May of 2015 after being spotted by the aforementioned algorithm.
CryptoWall is probably the most formidable runner-up for taking over the legacy CryptoLocker left behind. Unlike CryptoLocker, CryptoWall, and its newer versions 2.0 and 3.0, came out of the gate swinging in late 2014. Also unlike it’s predecessor, CryptoWall did not implement the use of DGA’s, but instead used a combination of compromised sites, TOR (The Onion Router) and I2P (Invisible Internet Project). Throughout the renditions of the malware, it morphed from exploiting the system itself using various vulnerabilities, to employing the use of Exploit Kits, most recently, and noticeably, the use of the Angler Exploit Kit to drop the malware. There are a couple of ways that can be used to track down CryptoWall. Without getting into to much detail, for what I hope are obvious reasons, we can take a look at some of the simpler ones.
What we can look at first though, is the use of Angler. Angler currently uses an evasion technique where nefarious actors compromise legitimate registrant accounts, and create a rotating set of sub-domains appended to the legitimate domains (2LDs). These sub-domains generally point to a completely different location (IP, ASN, Registrar, etc) that is hosting the Exploit kit landing page. Our research team covered this trend at BSides Raleigh 2013 and wrote a blog with more details in 2014, and we subsequently discussed this technique at BlackHat, Def Con, and Virus Bulletin of last year. In March of this year, Cisco put out a blog and called the technique ‘Domain Shadowing’. By looking for this Indicators of Compromise, one can start to access which domains have been taken over, and blocked quickly. Yet, one can not rely on the use of Angler alone, albeit a good indicator. CryptoWall tends to make use of compromised domains, and has largely been seen to use outdated WordPress plugins to compromise the legitimate domains (this is not the only way, but is one of the most seen). We can also look for related domains that are associated, that is, domains that are requested in rapid succession to known bad domains, and start to pivot around off of those to find other CryptoWall domains. Attempting to pattern match against requested URL’s is yet another way, but these can change often and rapidly and does not appear to give the same consistent results.
The more that malware develops and morphs, the more that detection and prevention has to change. With the high profile of ransomware, and it’s ever continuing transformations, researchers will always be nose to the ground to be out in front of these changes. OpenDNS is committed to this process, and is always striving to improve and revise its procedures and methods to stay one step ahead of these threats.