CryptoLocker Spawns Endless, Awful Variants
CryptoLocker is the granddaddy of ransomware, and thieves are developing new and more dangerous variants of it.
Developers who create ransomware are nothing if not ingenious. They are constantly developing new techniques for distributing their malware, making it harder to detect and strengthening the encryption they use to take files "hostage." Their ingenuity is a huge challenge for enterprise security teams, given how prevalent ransomware is.
The latest Threats Report from Intel Security's McAfee Labs, which looked at the threat landscape for the second quarter of 2015, saw a 58 percent increase in ransomware samples detected by McAfee.
Ransomware locks down a victim's files by encrypting them, then gives the victim a short window in which to pay a ransom for the key needed to decrypt the files.
Ransomware can also encrypt shared files on servers, network shares and connected devices, not just local files, noted Aamir Lakhani, a senior cyber security researcher and practitioner at Fortinet. "Organizations that have been affected by ransomware have been forced to pay the ransom because they had their central files on servers and storage systems encrypted and did not have appropriate backups," he said.
Two-year-old CryptoLocker is an especially feared variant of ransomware because of its effectiveness. CryptoLocker installs itself into an infected computer's Documents and Settings folder under a randomly generated name and adds itself to the Windows registry. It then contacts a long list of domains and uploads a file to the first one that responds; that server generates a public-private encryption key pair unique to the machine and sends only the public key back to the infected computer.
The malware on the machine uses this public key to encrypt all the files it can find that match a list of extensions covering file types such as images, documents and spreadsheets. Decrypting the files is impossible unless a user has the private key stored on the cybercriminals’ server.
CryptoLocker made ransomware viable and lucrative through its use of encryption, said Craig Williams, senior technical leader and security outreach manager, Cisco Talos. "Before that, we saw things that pretended to hold files for ransom. But they were just fake pop-ups that would lock up your browser. There was no actual encryption involved."
Although security pros have learned how to mitigate and stop earlier versions of CryptoLocker, attackers continue to modify its code, refining it to evade security software and improving the implementation of its encryption. CryptoLocker has spawned a number of spinoffs, several of which were mentioned by security researchers when eSecurity Planet asked them to name some especially nefarious variants of ransomware.
CryptoWall and Other CryptoLocker Clones
Christiaan Beek, director of Threat Intelligence at McAfee Labs, tapped CryptoLocker clone CryptoWall – especially the current version, 3.0 – as a particularly dangerous family of ransomware.
McAfee Labs has seen several campaigns that were spreading CryptoWall 3.0 via phishing or distributing it using the "Angler" exploit kit, Beek said, noting that four characteristics make this malware family a formidable threat:
- Once files are encrypted, only payment will recover the files unless the victim has a remote offline backup
- CryptoWall 3 will delete volume shadow copies or take actions that will prevent the user from restoring files from backup copies of the machine or restoring to a known good configuration
- CryptoWall 3 disables services that involve backup, security, updating and error reporting
- The infrastructure used for the payment and affiliate program is hosted on the Tor network, which shields the identity of the culprits and makes it difficult to track them down
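The second and third characteristics above are the ones a defender can observe on the endpoint before the ransom note appears: shadow copies being deleted, boot recovery being turned off, and backup, security, update or error-reporting services being stopped or disabled. The following detection sketch is an added example, not code from the article or from McAfee Labs. It runs over process-creation records in the shape a SIEM would hand you (the field names `host`, `user`, `parent` and `cmdline` are an assumption, modelled loosely on Sysmon Event ID 1), matches command lines for the two behaviours, and rates a host that shows both in one batch higher than a single stray command. The events and the service list are constructed for this example; extend the list for your own environment.

```python
import re
from collections import defaultdict

# Constructed process-creation events (fields modelled loosely on Sysmon
# Event ID 1 / Windows Security 4688). Written for this example, not taken
# from a real incident.
SAMPLE_EVENTS = [
    {"host": "ws-0412", "user": "CORP\\alice", "parent": "explorer.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-0412", "user": "CORP\\alice", "parent": "explorer.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws-0412", "user": "CORP\\alice", "parent": "explorer.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws-0412", "user": "CORP\\alice", "parent": "explorer.exe",
     "cmdline": "net stop wscsvc"},
    {"host": "ws-0099", "user": "CORP\\bob", "parent": "cmd.exe",
     "cmdline": "sc config wuauserv start= disabled"},
    # Routine administration that must not alert.
    {"host": "srv-bk01", "user": "CORP\\backupsvc", "parent": "services.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "srv-bk01", "user": "CORP\\helpdesk", "parent": "cmd.exe",
     "cmdline": "net stop spooler"},
]

# Windows services in the backup / security / update / error-reporting
# categories the article names (Volume Shadow Copy, Windows Backup, Security
# Center, Windows Update, Windows Error Reporting). Starting point only.
PROTECTIVE_SERVICES = ["VSS", "SDRSVC", "wscsvc", "wuauserv", "WerSvc"]
_SVC = "|".join(re.escape(s) for s in PROTECTIVE_SERVICES)

# (rule name, behaviour category, pattern applied to the command line)
RULES = [
    ("shadow_copy_deletion_vssadmin", "recovery_tampering",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_deletion_wmic", "recovery_tampering",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("boot_recovery_disabled", "recovery_tampering",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("protective_service_stopped", "service_tampering",
     re.compile(r"\bnet1?(\.exe)?\s+stop\s+(" + _SVC + r")\b", re.I)),
    ("protective_service_disabled", "service_tampering",
     re.compile(r"\bsc(\.exe)?\s+config\s+(" + _SVC + r")\s+start=\s*disabled\b", re.I)),
]


def detect_tampering(events):
    """Return one alert dict per (event, rule) match."""
    alerts = []
    for ev in events:
        for name, category, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "rule": name, "category": category,
                               "cmdline": ev["cmdline"]})
    return alerts


def triage_hosts(alerts):
    """Group alerts by host and assign a severity.

    A host that shows both recovery tampering and service tampering in the
    same batch looks like an infection in progress and is rated high; a
    single category (which an admin script can also produce) is medium.
    """
    by_host = defaultdict(lambda: {"categories": set(), "rules": []})
    for a in alerts:
        by_host[a["host"]]["categories"].add(a["category"])
        by_host[a["host"]]["rules"].append(a["rule"])
    for info in by_host.values():
        info["severity"] = "high" if len(info["categories"]) >= 2 else "medium"
    return dict(by_host)


if __name__ == "__main__":
    for host, info in triage_hosts(detect_tampering(SAMPLE_EVENTS)).items():
        print(f"{host}: {info['severity']} - {', '.join(sorted(set(info['rules'])))}")
```

Matching on the command line rather than the image name keeps the rule honest about what it sees: `vssadmin list shadows` on the backup server does not fire, while the same binary deleting shadows on a workstation does. In production the same logic would be fed from the SIEM's process-creation table and the two-category correlation would be scoped to a short time window per host.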
Ryan Olson, director of Threat Intelligence, Unit 42, Palo Alto Networks, said CryptoWall 3 is especially dangerous because of its wide distribution, its speed and the breadth of data it is capable of encrypting.
"The CryptoWall 3 operators know that they have to encrypt the files that the users value most to ensure their ransom is paid," Olson said. "Far beyond the documents and photos that most people assume are their main targets, CW3 targets source code, backups and databases. These are files they know are relied upon by businesses and professionals, those who are most willing to pay to get their data back."
Fortinet's Lakhani mentioned CryptorBit, a variant of CryptoLocker that specifically targets Microsoft Office documents, PDF files and some image file types.
"In many cases it is distributed along with CryptoLocker variants," Lakhani said. "What this means for a victim is, if CryptoLocker malware is caught, sometimes CryptorBit is not, and the victim still has their files held for ransom. In extreme cases, the victim will have to pay two ransoms to get their files back."
CTB-Locker and the Windows 10 Scam
A few months ago, Cisco Talos researchers saw an especially insidious form of distribution for ransomware called CTB-Locker. "When Windows 10 came out, Microsoft did a staggered release to help identify potential bugs. Unfortunately, it also created an opportunity for malicious actors to take advantage of the Microsoft user base," said Williams, noting that the bad guys sent out a "surprisingly effective" campaign that involved a fake email that, he said, "looked pretty legit."
Not only did the cyber criminals spoof the address so it appeared to come from Microsoft, they also used a color scheme similar to Microsoft's, an authentic-looking disclaimer message and a message saying the attachment had been scanned by an antivirus program.
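A spoofed display address of the kind described above is visible to the recipient's mail gateway even when the branding fools the reader. The check below is an added example, not code from the article or from Cisco Talos: it compares the From domain with the Return-Path and Reply-To domains, reads the receiving server's Authentication-Results header for SPF and DKIM outcomes, and notes attachment types that warrant scrutiny. Both messages are constructed for this example; every address, host name and header value in them is invented (the `.test` domain is a reserved placeholder), and the list of attachment suffixes is an assumption to tune locally.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed lure modelled on the campaign described in the article.
# All addresses and hosts are invented; nothing here is a real message.
SAMPLE_LURE = """\
Return-Path: <bounce@mail-example-invalid.test>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example-invalid.test; dkim=none
From: "Microsoft Update" <update@microsoft.com>
Reply-To: <support@mail-example-invalid.test>
To: alice@example.com
Subject: Your Windows 10 upgrade is ready
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your upgrade installer is attached. This message has been scanned for viruses.
--b1
Content-Type: application/zip; name="Win10Installer.zip"
Content-Disposition: attachment; filename="Win10Installer.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed benign message where the sender domains agree and auth passes.
SAMPLE_BENIGN = """\
Return-Path: <it@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "IT Department" <it@example.com>
To: alice@example.com
Subject: Maintenance window this weekend
Content-Type: text/plain

Servers will be patched Saturday night.
"""

# Attachment suffixes worth a second look in this context (assumed list).
RISKY_SUFFIXES = (".zip", ".rar", ".exe", ".scr", ".js")


def _domain(header_value):
    """Lower-cased domain of the first address in a header, '' if absent."""
    if not header_value:
        return ""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def _auth_results(header_value):
    """Parse 'spf=fail ... dkim=none' tokens into {mechanism: result}."""
    return {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header_value or ""))}


def assess_message(raw):
    """Return the From domain, a list of findings and an overall verdict."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = _domain(msg.get("From"))
    rp_dom = _domain(msg.get("Return-Path"))
    reply_dom = _domain(msg.get("Reply-To"))
    # The envelope sender and reply address should belong to the same party
    # as the visible From address; a lure that spoofs From rarely manages that.
    if rp_dom and rp_dom != from_dom:
        flags.append("from_return_path_mismatch")
    if reply_dom and reply_dom != from_dom:
        flags.append("reply_to_mismatch")
    auth = _auth_results(msg.get("Authentication-Results"))
    if auth.get("spf") not in (None, "pass"):
        flags.append("spf_" + auth["spf"])
    if auth.get("dkim") != "pass":
        flags.append("dkim_missing_or_failed")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_SUFFIXES):
            flags.append("risky_attachment:" + name)
    return {"from_domain": from_dom, "flags": flags,
            "verdict": "suspicious" if flags else "no_findings"}


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, assess_message(raw))
```

The "scanned by an antivirus program" line in the lure body is exactly the kind of reassurance a gateway should ignore; the decision rests on header alignment and the authentication results the receiving server itself recorded, which the sender cannot forge.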
The ransomware also displayed a list showing users the specific files that were being held for ransom, Williams said, and even offered a "test decryption page" that would allow users to decrypt five randomly selected files for free.
"They are trying to build a brand," much like the creators of CryptoLocker did, Williams said. "CryptoLocker spent a while building a solid reputation. Security analysts looked at it and said it was pretty strong from a security perspective. And when people started paying, they did get their files returned. So CryptoLocker got a reputation."
CryptoLocker's reputation was so strong, in fact, that other cyber thieves are trying to ride on its coattails, Williams said. Creators of ransomware called TeslaCrypt tried to make it seem as if they were using the same asymmetric encryption algorithm as CryptoLocker, he said, although Cisco Talos researchers discovered they actually used a symmetric encryption method, meaning the same key used to encrypt files can also be used to decrypt them.
Cisco Talos researchers designed a free open source tool that can be used to detect the TeslaCrypt master key, stop the malware and also attempt to decrypt files, Williams said.
While researchers quickly identified that it was possible to recover the key used to encrypt files and allow a user to decrypt them without paying the ransom, Palo Alto Networks' Olson said the latest version of TeslaCrypt, released earlier this year, resolved that issue.
In another interesting twist, Olson said TeslaCrypt not only encrypts all of the traditional document files commonly targeted by ransomware but also encrypts files related to video games, betting that gamers will be willing to pay to access their saved progress in games.
Ransomware has "evolved the malware market," Williams said. "It improved the business model by allowing people to monetize the malware economy in an unprecedented way. Instead of making a couple of dollars off each machine, now thieves can make $500 or $600 per machine, per user."
In addition, he said, it's now common practice for attackers to have their victims transfer money over Tor to a Bitcoin wallet controlled by the attackers. "There is no longer a middleman or splitting the money with unnecessary parties; it all goes directly into the developer's pocket."
Due to ransomware's lucrative nature, he said, "We will continue to see innovation in the ransomware space until something better comes along."
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.