Cisco Umbrella

Enterprise network security

Research

Ransomware and the "Dark Web"

By OpenDNS Security Research

The Back Story
From infected hospitals to utilizing new platforms, we have seen a recent uptick in media coverage of ransomware attacks. By now we assume most of you are familiar with ransomware but we have published a primer in the past.
At OpenDNS and Cisco we have published numerous blogs, papers, and webcasts on the subject. We’ve also presented on ransomware since early 2012 — most recently on the emergence of Ransomware as a Service. If you want a refresh on some of our content, here are links to our most read materials:
Easy, Cheap and Costly: Ransomware is Growing Exponentially
Tracking the Footprints of Ransomware
Cryptolocker
Bedep Lurking in Angler’s Shadows
Sophistication Increases
With ransomware attacks, we have seen a plethora of techniques that range from infecting users through email lures to piggybacking on exploits and other infections such as Angler. Equally as sophisticated, attackers have built resilient infrastructures for their platforms. We have seen several techniques over the years, including the use of Domain Generated Algorithms (DGA), infecting good web properties, and using TLDs, CCTLDs, and GTLDs.
With the most recent Apple OS X version of ransomware, attackers infected the Transmission clients software with their own code to avoid detection and get installs. Although this attack was not prevalent for a variety of reasons, it does highlight the rise in sophistication.
The Dark Web
As mentioned above, in this particular version the attackers infected a client that utilized the Tor network for routing their users. While the Tor network is a powerful tool that allows users to avoid eavesdropping and possible surveillance for lawful citizens, unfortunately, it is also sometimes abused by criminal enterprises — such as the ransomware folks — to avoid detection. In this case the IP address we outlined in our video is the IP of a Tor proxy. It’s important to note that this is *not* the location of the hosting service but a location that acts as a gateway to the information. The IP addresses that the domains resolve to are simply proxies that take you to the ultimate destination.
After some investigation of the indicators from a recent Palo Alto Networks article on a piece of malware coined “KeRanger,” we noticed the attackers are using the TOR network. What we found particularly interesting is what lurked on the same infrastructure that the attackers were using to host their data.
Among other items on the same network — as Palo Alto’s blog outlined — we discovered: Ransomware as a Service (RaaS) sites, instructions for end-users on how to pay for decryption, credit card and other credentials for sale, online black hat carding forums, hacker training contents, and illegal drugs for sale. We have included some screenshots of these sites below along with some screenshots of the Tor proxy pages:
Screen Shot 2016-03-07 at 2.07.31 PM
Screen Shot 2016-03-07 at 2.16.38 PM
Screen Shot 2016-03-07 at 2.27.12 PM
Screen Shot 2016-03-07 at 3.08.57 PM
Screen Shot 2016-03-07 at 3.11.42 PM
Screen Shot 2016-03-07 at 3.19.25 PM
Screen Shot 2016-03-07 at 2.22.58 PM
Screen Shot 2016-03-09 at 10.53.36 AM
Screen Shot 2016-03-09 at 10.52.38 AM

Protecting your Enterprise: Effectively Simple
Throughout the years OpenDNS has done an amazing job at protecting customers from the various versions of ransomware by detecting the infrastructure that the attacks utilize to connect, control, and transfer the keys to evoke the encryption. Arguably the simplest and most effective way to prevent your files from being encrypted is to configure your recursive DNS to our infrastructure. Additionally, our Investigate product allows you to not only pivot through the infrastructure to validate the context of an Indicator of Compromise (IOC).
Below is a quick screen share video of our Investigative product looking at the most recent version of KeRanger.

Protecting against Encryption
The most sophisticated criminals are continually testing new infection methods and evasion techniques. One example of this is the use of encryption on the network. In this particular case the addition of an endpoint is critical in defense. In the above example, if the encryption was invoked then Cisco’s AMP for Endpoint product works as a great additional layer of both visibility, retrospection, and enforcement for ransomware. For the particular case of OS X, AMP had endpoint protection for customers, as evident by this screenshot:
Screen Shot 2016-03-08 at 6.36.36 AM
Moving Forward
With the advent of Ransomware as a Service it is likely we will see more groups involved in this technique of extorting money from companies, and a rise in the sophistication of their infection vectors,  infrastructure, and business models. Items such as trickling or selective encryption, data awareness, and target awareness are all likely to surface. With that, no company should be without a strategy to prevent, detect, and respond to these attacks as they are the combination of sophisticated and well-resourced adversaries, and are impactful to running your business.