![Case Study : References
• [1] Zorabedian, John “Anatomy of a ransomware attack” https://blogs.sophos.com/2015/03/03/anatomy-of-a-
ransomware-attack-cryptolocker-cryptowall-and-how-to-stay-safe-infographic/; Last accessed on Oct 25, 2015.
• [2] James, Lance & Bambenek, John “The New Scourge of Ransomware: A Study of CryptoLocker and Its Friends”
https://www.blackhat.com/us-14/archives.html#the-new-scourge-of-ransomware-a-study-of-cryptolocker-and-its-
friends ; Last accessed on Oct 25, 2015.
• [3] Mustaca, Sorin "Are your IT professionals prepared for the challenges to come?"Computer Fraud & Seurity 2014.3
(2014): 18-20.
• [4] Allievi, Andrea et al. “Threat Spotlight: TeslaCrypt – Decrypt It Yourself”
http://blogs.cisco.com/security/talos/teslacrypt ; Last accessed on Oct 25, 2015.
• [5] Malwr.com (https://goo.gl/psdf5e) and Virustotal.com (https://goo.gl/D0o78x) analysis.](https://image.slidesharecdn.com/wpo2zpstue45hiyixh8g-signature-fa17ef08645a3cce9ed98bc960f7e89b419197b8ab9318d2a54057ce7f634710-poli-160709185308/85/Cryptolocker-62-320.jpg)
Cryptolocker
- 2. Who Am I..? Forensics Investigator M.Tech (Information Security) in 2014, IIIT – Delhi Former Intern at CIRT-India. Interest : Any type of Cyber Forensics Email : adarshagarwal91@gmail.com LinkedIn : https://www.linkedin.com/in/adarshagarwal91
- 3. Disclaimer • Entire analysis is done on individual basis. • The information in this presentation and opinion are mine alone and do not reflect those of my current employer.
- 18. CryptoLocker a.k.a Ransomware • CryptoLocker is a ransomware Trojan. • Believed to have first been posted to the Internet on 5 September 2013. • Smart enough to travel across your network and encrypt any files located on shared network drives. • Uses AES-265 or RSA public-key cryptography, with the private key stored only on the malware's control servers.
- 19. CryptoLocker a.k.a Ransomware • After Encryption, displays a message and popup which offers to decrypt the data if payment is made within stated deadline, and threatened to delete the private key if the deadline passes. • Ransomwares generally has a 48-72 hour deadline which, once passed, causes the ransom to increase or leads to key deletion. • Most ransoms start in the $100-$500 area or 0.5 BTC to 4 BTC. • 1 BTC = $ 430 (approx.) = 28600 INR.
- 20. Symptoms • You suddenly cannot open normal files and get errors such as the file is corrupted or has the wrong extension. • An alarming message has been set to your desktop background with instructions on how to pay to unlock your les. • The program warns you that there is a countdown until the ransom increases or you will not be able to decrypt your les. • A window has opened to a ransomware program and you cannot close it. • You have files with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML
- 21. Symptoms You see a files similar to: • %PUBLIC% desktophelp_restore_files_<random text>.html • %PUBLIC% desktoprestore_files_<random text>.txt • %PUBLIC% documentshelp_restore_files _<random text>.txt • %PUBLIC% documentsrestore_files_<random text>.html • %PUBLIC% favoritesrestore_files_<random text>.html • %PUBLIC% favoritesrestore_files_<random text>.txt • CryptoLocker.lnk • HELP_TO_DECRYPT_YOUR_FILES.TXT • HELP_TO_DECRYPT_YOUR_FILES.BMP • HELP_TO_SAVE_FILES.bmp • HELP_TO_SAVE_FILES.txt • key.dat • log.html
- 28. CryptoLocker Propagation • Propagate via phishing emails unpatched programs compromised websites online advertising free software downloads Prior existing Botnet
- 29. Droppers file Path • The file paths that have been used by this infection and its droppers are: • C:Users<User>AppDataLocal<random>.exe (Vista/7/8) • C:Users<User>AppDataLocal<random>.exe (Vista/7/8) • C:Documents and Settings<User>Application Data<random>.exe (XP) • C:Documents and Settings<User>Local Application Data<random>.exe (XP)
- 30. This ransomware can search for files in all of the folders with the following extensions and then encrypt them
- 31. Excluded directories, filenames & extensions Source: Sophos
- 32. Variants of CryptoLocker • TeslaCrypt • Cryptowall • Torrent Locker • CTB-Locker • CryptoVault • PowerShell based • Locky • Ransom32 ( JavaScript based) • Petya (Encrypts MBR) • Many many more…
- 34. In 2016 (Jan to Mid April)
- 35. Week 2 – May, 2016 • May 9th 2016 - CryptXXX 2.0 • May 9th 2016 - The Enigma Ransomware (Russian) • May 10th, 2016 - The Shujin Ransomware (Chinese) • May 11th, 2016 - GNL Locker (German Netherlands Locker) • May 12th, 2016 - CryptoHitman ( Jigsaw v2) • May 12th, 2016 - Crypren Ransomware • May 12th, 2016 - Mischa Ransomware (Petya variant) • May 13th, 2016 - Offering Ransomware as a Service • May 13th, 2016 - Decryptor for CryptXXX Version 2.0
- 36. May 9th 2016 - CryptXXX 2.0
- 37. May 9th 2016 - The Enigma Ransomware (Russian)
- 38. May 10th, 2016 - The Shujin Ransomware (Chinese)
- 39. May 11th, 2016 - GNL Locker (German Netherlands Locker)
- 40. May 12th, 2016 - CryptoHitman
- 41. Jigsaw CryptoHitman with Porno Extension
- 42. Jigsaw CryptoHitman with Porno Extension
- 43. May 12th, 2016 - Crypren Ransomware
- 44. May 12th, 2016 - Mischa Ransomware (Petya variant)
- 45. May 13th, 2016 - Offering Ransomware as a Service
- 46. May 13th, 2016 - Decryptor for CryptXXX Version 2.0
- 50. I’m Infected, Now What? • Disconnect Network, USB, Network Share • Determine the Scope (Level of compromise or encryption) • Determine type of infection • Evaluate Your Responses • Restore from a recent backup • Decrypt your files using a 3rd party decryptor (this is a very slim chance) • Do nothing (lose your data) • Negotiate / Pay the ransom
- 52. Source: Sophos Anatomy of CryptoLocker
- 58. CryptoLocker Case Study - Teslacrypt
- 59. Generic Questions • The initial infection vector (how the malware got on the system). • The propagation mechanism (how the malware moves between systems, if it does that). • The persistence mechanism (how the malware remains on the system, and survives reboots and when the user logs out). • Artifacts (what traces the malware leaves on a system as a result of its execution) that you can look for during an examination.
- 60. Case Study : TeslaCrypt • Malware sample extracted from malwr.com. • Used all open source tool to preform analysis. • Tools used • Volatility Framework 2.4 • “VolDiff” (REMnux OS) • Regshot • Log2timeline (SIFT) • Virustotal.com • Process Explorer (Windows SysInternals)
- 62. Case Study : References • [1] Zorabedian, John “Anatomy of a ransomware attack” https://blogs.sophos.com/2015/03/03/anatomy-of-a- ransomware-attack-cryptolocker-cryptowall-and-how-to-stay-safe-infographic/; Last accessed on Oct 25, 2015. • [2] James, Lance & Bambenek, John “The New Scourge of Ransomware: A Study of CryptoLocker and Its Friends” https://www.blackhat.com/us-14/archives.html#the-new-scourge-of-ransomware-a-study-of-cryptolocker-and-its- friends ; Last accessed on Oct 25, 2015. • [3] Mustaca, Sorin "Are your IT professionals prepared for the challenges to come?"Computer Fraud & Seurity 2014.3 (2014): 18-20. • [4] Allievi, Andrea et al. “Threat Spotlight: TeslaCrypt – Decrypt It Yourself” http://blogs.cisco.com/security/talos/teslacrypt ; Last accessed on Oct 25, 2015. • [5] Malwr.com (https://goo.gl/psdf5e) and Virustotal.com (https://goo.gl/D0o78x) analysis.
- 63. Prevention Measures • Backup your files. • Apply windows and other software updates regularly. • Avoid clicking untrusted e-mail links or opening unsolicited e-mail attachments. • Disable ActiveX content in Microsoft Office applications such as Word, Excel etc. • Install Firewall and block Tor and restrictions for specific ports. • Disable remote desktop connections. • Block binaries running from %APPDATA%, %TEMP% paths.
- 64. "I am your enemy, the first one you've ever had who was smarter than you. There is no teacher but the enemy. No one but the enemy will tell you what the enemy is going to do. No one but the enemy will ever teach you how to destroy and conquer. Only the enemy shows you where you are weak. Only the enemy tells you where he is strong. And the rules of the game are what you can do to him and what you can stop him from doing to you. I am your enemy from now on. From now on I am your teacher.” Source : Ender’s Game Conclusion
- 65. • Lots of googling • Trendmicro blog • Sophos • Kaspersky Blog • US – CERT • http://www.bleepingcomputer.com/ • http://www.infoworld.com/ • https://blog.knowbe4.com/ References