Threats

Tracking the Footprints of Ransomware

By Kevin Bottomley
Posted on August 20, 2015
Updated on July 24, 2020

[Image: black labrador retriever following a scent in snow (image courtesy of wuppenif.files.wordpress.com)]

Ransomware is a form of malware that, once a machine is compromised, seeks out certain file extensions, usually Microsoft, AutoCAD, Adobe, or any other file type that might be deemed valuable, and encrypts them so as to make them unusable by the user until a fee is paid. Currently it seems to be the malware du jour. It should be noted that not all ransomware is created equal, nor does it all act in the same way, but it all tends to leave (for the most part) a bit of a footprint that can be used to track and locate where it currently lives on the Internet. Gathering steam a few years ago, ransomware used to work by installing itself, rebooting the system, and displaying an image similar to this one:

[Image: fake FBI ransom message (image courtesy of bleepingcomputer.com)]

Scary tactic, right? While it might have been frightening to some, things were not really as bad as they appeared. It’s unknown how many people actually paid the ransom for this campaign, but one can assume there were quite a few. The simplest way to circumvent this lockdown was to boot into safe mode and clean up the infection using any one of various means.

However, as time moved on and the income from some of the bigger pharma schemes (real money makers at the time) started to falter, nefarious actors started to work on new and better means to generate revenue. The next real advancement in the ransomware family came in the form of CryptoLocker. CryptoLocker was distributed through malicious email attachments by the Gameover Zeus (GoZ) botnet and used RSA public-key encryption to make files (both locally and on mapped drives) impossible to use unless a ransom was paid in Bitcoin or pre-paid cards, which usually cost about $300-$500 USD/EUR.

CryptoLocker

CryptoLocker left a footprint in the form of a Domain Generation Algorithm (DGA). The DGA produced thousands of domains at a time, with only a couple or so of them actually live. This tactic was meant to make locating the command and control servers harder for researchers and law enforcement. Yet once a sample was reversed and the seed was found (the seed is the input that drives the DGA, usually based on a time/date schema), it was easy to determine which domains would be generated in the forthcoming days and weeks, and one could block those domains on the network even before they had a chance to go live (something OpenDNS did with great success).
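To make the seed-and-prediction point concrete, here is an added example (not OpenDNS’s code and not CryptoLocker’s real algorithm): a constructed date-seeded DGA and the defender-side step of running it forward to precompute the coming week’s candidates into a blocklist. The generation rule, the `FAMILY_SALT` constant and the function names are all invented for illustration.

```python
# Added example, not code from OpenDNS or from any ransomware family.
# The generation rule below is constructed for illustration only.
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info")
# Stands in for the per-family constant a reverser recovers from a sample.
FAMILY_SALT = b"constructed-seed"


def generate_domains(day_iso: str, count: int = 5) -> list[str]:
    """Deterministically derive `count` candidate domains for one calendar day.

    The only moving input is the date (the "time/date schema" seed), so anyone
    who knows the rule and the salt, attacker or defender, derives the same list.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(FAMILY_SALT + day_iso.encode() + bytes([i])).digest()
        length = 12 + digest[0] % 5  # label of 12..16 lowercase letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def precompute_blocklist(start_iso: str, days_ahead: int, count: int = 5) -> dict[str, list[str]]:
    """Run the algorithm forward and collect every candidate for the coming days."""
    start = date.fromisoformat(start_iso)
    blocklist: dict[str, list[str]] = {}
    for n in range(days_ahead):
        day_iso = (start + timedelta(days=n)).isoformat()
        blocklist[day_iso] = generate_domains(day_iso, count)
    return blocklist


def is_predicted(domain: str, blocklist: dict[str, list[str]]) -> bool:
    """Would this queried name have been blocked ahead of time?"""
    return any(domain in candidates for candidates in blocklist.values())


if __name__ == "__main__":
    for day, candidates in precompute_blocklist("2015-08-20", 7).items():
        print(day, ", ".join(candidates))
```

The point of the example is the asymmetry it shows: the malware needs only one live registration out of the whole list, but a defender holding the seed can refuse every candidate for the whole window, which is why the blocklist is built ahead of time rather than after a domain is seen resolving.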

The takedown of GoZ in mid-2014 also helped eradicate CryptoLocker, yet this would not be the end of ransomware. In reality, many competitors have entered the ring, alongside a couple that have been around for a while. These include:

  • Alpha Crypt
  • Azazel Locker
  • BitCrypt
  • CRYPVAULT
  • CTB-Locker
  • CoinVault
  • CryptoLocker 2.0
  • CryptoLocker 3.0
  • CryptoWall
  • CryptoWall 2.0
  • CryptoWall 3.0 (Cowti)
  • Cryptodefense
  • Harasom.A
  • HowDecrypt (Cryptorbit)
  • PrisonLocker (PowerLocker)
  • Ransomcrypt
  • Reveton
  • Teslacrypt
  • TorrentLocker

While some of these used the CryptoLocker name, that was mostly the only way they resembled it. Most of these copycat versions used either much weaker encryption, or made the mistake of leaving the keys easily recoverable. Yet for every one that didn’t play up to par, there were a couple that stuck out.

TorrentLocker

[Screenshot from Investigate, taken 2015-08-17]

This particular ransomware used geolocation-based services to target individuals in only certain parts of the world. While it was seen quite widely in Australia and New Zealand, with some European countries included as well, there was little to no sign of it being used in the United States. The delivery mechanism mostly centered around emails about unpaid invoices, traffic citations, or missed deliveries. Once opened, one of two paths was usually taken: either a malicious .zip file was attached, or there was a link to a web site where the user had to complete a captcha. These sites usually took the form *(aus|nsw)-(post|gov).(top-level domain), with some minor variations along the way. This format made tracking these domains a bit easier, as just about any domain seen in that format proved to be malicious, and it provided little difficulty in figuring out which domains might prove malicious in the future. The screenshot from Investigate shows that database-nsw-gov.net is blocked by OpenDNS. This particular domain was blocked in February of 2015, when it was fairly active, and it still shows continued activity today:

Tesla/AlphaCrypt

[Screenshot from Investigate, taken 2015-08-17]

This particular variant has a couple of names, but was really the same ransomware, just renamed from TeslaCrypt to AlphaCrypt. The format AlphaCrypt uses for its domains also comes to us in the form of a DGA. An example of the domains tends to look like fsoreij38wje2d.fkos650er4wf[.]com, where both the domain and the sub-domain are nonsensical patterns. These tend to be easy to spot using algorithms based on lexical analysis. This particular domain was blocked by OpenDNS back in May of 2015 after being spotted by the aforementioned algorithm.
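Both of the footprints just described, the fixed *(aus|nsw)-(post|gov).(tld) naming format of the TorrentLocker lure sites and the nonsensical labels of the TeslaCrypt/AlphaCrypt DGA, lend themselves to a small triage script. The one below is an added example, not OpenDNS’s Investigate logic or its production lexical classifier: the regular expression is a transcription of the pattern from the text, the lexical score is a crude heuristic constructed here (label length, vowel ratio, letter/digit switching, digit share), and the sample domains other than the two named in the post are made up.

```python
# Added example, not OpenDNS code. Heuristics and thresholds are constructed.
import re

# Transcription of the lure-site format from the text: *(aus|nsw)-(post|gov).(tld),
# applied to the registered label only (the part just left of the TLD).
LURE_PATTERN = re.compile(r"^[a-z0-9-]*(aus|nsw)-(post|gov)$")
VOWELS = set("aeiou")


def labels_without_tld(fqdn: str) -> list[str]:
    """All labels of the name except the last one (simplification: no public-suffix list)."""
    return fqdn.lower().rstrip(".").split(".")[:-1]


def matches_lure_pattern(fqdn: str) -> bool:
    """True if the registered label follows the (aus|nsw)-(post|gov) format."""
    labels = labels_without_tld(fqdn)
    return bool(labels) and LURE_PATTERN.match(labels[-1]) is not None


def lexical_score(label: str) -> int:
    """Crude 0..4 'looks machine-generated' score for a single DNS label.

    Short labels are never scored, which keeps names like cdn77 or www out.
    """
    label = label.lower()
    if len(label) < 10:
        return 0
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0
    score = 1  # long label
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    if vowel_ratio < 0.35:  # real words tend to carry more vowels
        score += 1
    transitions = sum(a.isdigit() != b.isdigit() for a, b in zip(label, label[1:]))
    if transitions >= 2:  # letters and digits interleaved, e.g. ij38wje2d
        score += 1
    digits = sum(c.isdigit() for c in label)
    if digits / len(label) > 0.15:
        score += 1
    return score


def dga_like_labels(fqdn: str, threshold: int = 3) -> list[str]:
    """Return the labels of `fqdn` that score at or above `threshold`."""
    return [lab for lab in labels_without_tld(fqdn) if lexical_score(lab) >= threshold]


def classify(fqdn: str) -> list[str]:
    """Reasons a name would be pulled aside for review; empty list means none."""
    reasons = []
    if matches_lure_pattern(fqdn):
        reasons.append("lure-pattern")
    if dga_like_labels(fqdn):
        reasons.append("dga-like")
    return reasons


# Constructed sample: the two names from the post plus made-up benign ones.
SAMPLE_DOMAINS = [
    "database-nsw-gov.net",
    "tracking-aus-post.org",
    "fsoreij38wje2d.fkos650er4wf.com",
    "www.example-post.org",
    "mail.example.com",
]

if __name__ == "__main__":
    for name in SAMPLE_DOMAINS:
        print(f"{name:40} {classify(name) or 'ok'}")
```

The lexical score is deliberately conservative (length gate, several independent signals) because on a resolver the cost of a false positive is a blocked legitimate site; a production classifier would train on labelled data rather than hand-picked thresholds, but the shape of the features is the same.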

CryptoWall

CryptoWall is probably the most formidable contender for taking over the legacy CryptoLocker left behind. Unlike CryptoLocker, CryptoWall, and its newer versions 2.0 and 3.0, came out of the gate swinging in late 2014. Also unlike its predecessor, CryptoWall did not use DGAs, but instead used a combination of compromised sites, Tor (The Onion Router) and I2P (Invisible Internet Project). Throughout the renditions of the malware, it morphed from exploiting the system itself using various vulnerabilities to employing exploit kits, most recently and noticeably the Angler Exploit Kit, to drop the malware. There are a couple of ways to track down CryptoWall. Without going into too much detail, for what I hope are obvious reasons, we can take a look at some of the simpler ones.

[Image: CryptoWall decryption instructions (image courtesy of bleepingcomputer.com)]

What we can look at first, though, is the use of Angler. Angler currently uses an evasion technique where nefarious actors compromise legitimate registrant accounts and create a rotating set of sub-domains under the legitimate domains (2LDs). These sub-domains generally point to a completely different location (IP, ASN, registrar, etc.) that is hosting the exploit kit landing page. Our research team covered this trend at BSides Raleigh 2013 and wrote a blog with more details in 2014, and we subsequently discussed this technique at Black Hat, DEF CON, and Virus Bulletin last year. In March of this year, Cisco put out a blog and called the technique ‘Domain Shadowing’. By looking for these indicators of compromise, one can start to assess which domains have been taken over, and block them quickly. Yet one cannot rely on the use of Angler alone, albeit a good indicator. CryptoWall tends to make use of compromised domains, and has largely been seen to use outdated WordPress plugins to compromise the legitimate domains (this is not the only way, but it is one of the most seen). We can also look for related domains, that is, domains that are requested in rapid succession with known bad domains, and start to pivot off of those to find other CryptoWall domains. Attempting to pattern match against requested URLs is yet another way, but these can change often and rapidly, and this does not appear to give the same consistent results.
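Two of the signals above, sub-domains of a legitimate domain that suddenly resolve somewhere else (domain shadowing) and domains requested in rapid succession with a known bad one, can both be checked from resolver-side data. The code below is an added example, not OpenDNS’s own pivoting tooling: the passive-DNS records, ASNs, client ids and query log are constructed (using RFC 5737 documentation addresses and the reserved example.com/.org/.net names), the ASN numbers are from the private range, and the simplified registered-domain split ignores the public suffix list.

```python
# Added example, not OpenDNS code. All records below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS style records: (fqdn, ip, asn, first_seen).
# example.com's apex and www live in one ASN; three short-lived sub-domains
# appear within an hour and point into a different ASN (the shadowing shape).
PDNS = [
    ("example.com",      "203.0.113.10", 64500, "2015-03-01T00:00:00"),
    ("www.example.com",  "203.0.113.10", 64500, "2015-03-01T00:00:00"),
    ("ad3x.example.com", "198.51.100.7", 64511, "2015-08-17T09:00:00"),
    ("kq7p.example.com", "198.51.100.9", 64511, "2015-08-17T09:20:00"),
    ("zz19.example.com", "198.51.100.9", 64511, "2015-08-17T10:05:00"),
    ("example.org",      "203.0.113.50", 64501, "2014-01-01T00:00:00"),
    ("blog.example.org", "203.0.113.50", 64501, "2014-06-01T00:00:00"),
]

# Constructed resolver query log: (client, timestamp, domain).
QUERIES = [
    ("c1", "2015-08-17T09:00:01", "ad3x.example.com"),
    ("c1", "2015-08-17T09:00:03", "payload.example.net"),
    ("c2", "2015-08-17T11:30:00", "ad3x.example.com"),
    ("c2", "2015-08-17T11:30:02", "payload.example.net"),
    ("c2", "2015-08-17T11:45:00", "news.example.org"),
    ("c3", "2015-08-17T12:00:00", "news.example.org"),
]


def registered_domain(fqdn: str) -> str:
    """Last two labels (simplification: no public-suffix list)."""
    return ".".join(fqdn.lower().split(".")[-2:])


def find_shadowed(records, window_hours: int = 24, min_subdomains: int = 2) -> dict[str, list[str]]:
    """Flag registered domains whose new sub-domains resolve outside the apex's ASN.

    A domain is reported when at least `min_subdomains` such sub-domains were
    first seen within `window_hours` of each other (the "rotating set" signal).
    """
    by_apex = defaultdict(list)
    for fqdn, ip, asn, seen in records:
        by_apex[registered_domain(fqdn)].append((fqdn, asn, datetime.fromisoformat(seen)))
    shadowed = {}
    for apex, recs in by_apex.items():
        apex_asns = {asn for fqdn, asn, _ in recs if fqdn == apex}
        if not apex_asns:
            continue  # no apex record to compare against
        suspects = sorted((seen, fqdn) for fqdn, asn, seen in recs
                          if fqdn != apex and asn not in apex_asns)
        for i, (t0, _) in enumerate(suspects):
            cluster = [f for t, f in suspects[i:] if t - t0 <= timedelta(hours=window_hours)]
            if len(cluster) >= min_subdomains:
                shadowed[apex] = cluster
                break
    return shadowed


def cooccurring(queries, known_bad: set[str], window_seconds: int = 10, min_clients: int = 2) -> dict[str, list[str]]:
    """Domains requested within `window_seconds` after a known bad name, by enough distinct clients."""
    by_client = defaultdict(list)
    for client, ts, dom in queries:
        by_client[client].append((datetime.fromisoformat(ts), dom.lower()))
    hits = defaultdict(set)
    for client, entries in by_client.items():
        entries.sort()
        for i, (t0, dom) in enumerate(entries):
            if dom not in known_bad:
                continue
            for t, other in entries[i + 1:]:
                if t - t0 > timedelta(seconds=window_seconds):
                    break
                if other not in known_bad:
                    hits[other].add(client)
    return {dom: sorted(c) for dom, c in hits.items() if len(c) >= min_clients}


if __name__ == "__main__":
    print("shadowed:", find_shadowed(PDNS))
    print("pivots:", cooccurring(QUERIES, {"ad3x.example.com"}))
```

Requiring several clients before a co-occurring name is promoted keeps one user's unrelated browsing from polluting the pivot; the shadowing check likewise asks for more than one out-of-ASN sub-domain, since a single CDN or mail host under a legitimate domain is a normal sight.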

The more that malware develops and morphs, the more detection and prevention have to change. With the high profile of ransomware and its ever-continuing transformations, researchers will always have their noses to the ground to stay out in front of these changes. OpenDNS is committed to this process, and is always striving to improve and revise its procedures and methods to stay one step ahead of these threats.
