Overview of File-Encrypting Ransomware
January 16, 2017 | by Jim Rowland
Malware is an ongoing struggle for many organizations. Ordinary malware and Potentially Unwanted Programs (PUPs) are bad enough, but what if you find yourself in the unfortunate position of being hit by file-encrypting ransomware of the CryptoLocker type?
In our space, many of our customers are large K-12 or Higher Education organizations with enterprise-size seat counts of 50,000+. With a varied user community of teachers, students and staff, combined with the large number of mobile systems that now leave school campuses each day, it’s no wonder that several of our customers occasionally deal with file-encrypting ransomware / CryptoLocker-type infections, whether on one or more client systems or on servers.
Today I’ll share some background, tips, strategies and solutions that you can use to remediate CryptoLocker style attacks if you have been impacted, or to help prevent them in the first place. Of course, the best remediation is the one you never have to perform.
First, here is an overview of CryptoLocker and how it spreads, shortened from the full write-up you can find here.
CryptoLocker is a family of ransomware, first seen in 2013, whose business model is extortion: it hijacks users’ documents by encrypting them and demands a ransom, with a deadline for payment.
CryptoLocker uses social engineering techniques to trick the user into running it. More specifically, the victim receives an email with a password-protected ZIP file purporting to be from a logistics company.
The Trojan runs when the user extracts the attached ZIP with the password given in the message and opens what appears to be the PDF inside. CryptoLocker takes advantage of Windows’ default behavior of hiding known file extensions to disguise the real .EXE extension of the malicious file: a name such as Invoice.pdf.exe is displayed simply as Invoice.pdf.
As soon as the victim runs it, the Trojan goes memory resident on the computer and takes the following actions:
- Saves a copy of itself to a folder in the user’s profile (%AppData% or %LocalAppData%).
- Adds a Run key to the registry so that it is launched again at every logon.
- Spawns two processes of itself: One is the main process, whereas the other aims to protect the main process against termination.
For each file it encrypts, the Trojan generates a fresh random symmetric key and encrypts the file’s content with AES using that key. It then encrypts the random key with RSA, an asymmetric public/private-key algorithm, using a key of at least 1024 bits (samples using 2048-bit keys have been seen), and stores the wrapped key with the encrypted file. Only the holder of the matching RSA private key can therefore recover the per-file key, and without it the AES ciphertext is useless. Because the original content is overwritten rather than merely deleted, the plaintext generally cannot be recovered by forensic file carving either.
Once running, the first thing the Trojan does is obtain the public key (PK) from its command-and-control (C&C) server. To find a live C&C server it uses a domain generation algorithm (DGA) built on the Mersenne Twister pseudo-random generator: seeded with the current date, it produces up to 1,000 fixed-length candidate domains per day, which the Trojan tries until one resolves. Since the seed is nothing more than the date, anyone who has the algorithm can compute the same list in advance, which is what lets defenders pre-register, block or sinkhole those domains.
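To make the defensive consequence of a date-seeded DGA concrete, here is an added illustrative example in Go. It is not code from the original post and not CryptoLocker’s real algorithm: the alphabet, label length, TLD list, the use of Go’s math/rand in place of the Mersenne Twister and the way the date is folded into the seed are all assumptions made for this example. What it does show is the property that matters: the list for any day depends only on that date, so a resolver or proxy can pre-compute it and block or sinkhole those lookups before the malware ever reaches a live server.

```go
package main

import (
	"fmt"
	"math/rand"
	"strings"
	"time"
)

// Illustrative date-seeded DGA. This is NOT CryptoLocker's real algorithm:
// the alphabet, label length, TLD list, the use of math/rand in place of the
// Mersenne Twister and the seed derivation are assumptions for this example.
// The property it demonstrates is real: every domain for a given day depends
// only on that date, so the list can be regenerated by anyone with the code.
const (
	domainsPerDay = 1000
	labelLength   = 14
	alphabet      = "abcdefghijklmnopqrstuvwxyz"
)

var tlds = []string{"com", "net", "org", "biz", "info", "ru", "co.uk"}

// seedForDate folds year, month and day into one integer, e.g. 20170116.
func seedForDate(day time.Time) int64 {
	y, m, d := day.UTC().Date()
	return int64(y)*10000 + int64(m)*100 + int64(d)
}

// DomainsForDate is the malware's side: the candidate C&C domains for a day,
// tried in order until one resolves.
func DomainsForDate(day time.Time) []string {
	rng := rand.New(rand.NewSource(seedForDate(day)))
	out := make([]string, 0, domainsPerDay)
	label := make([]byte, labelLength)
	for i := 0; i < domainsPerDay; i++ {
		for j := range label {
			label[j] = alphabet[rng.Intn(len(alphabet))]
		}
		out = append(out, string(label)+"."+tlds[rng.Intn(len(tlds))])
	}
	return out
}

// Blocklist is the defender's side: the same generator run ahead of time for a
// window of days, so a resolver or proxy can block or sinkhole the lookups.
type Blocklist map[string]time.Time

// BuildBlocklist pre-computes every domain from start for the given number of days.
func BuildBlocklist(start time.Time, days int) Blocklist {
	bl := make(Blocklist, days*domainsPerDay)
	for i := 0; i < days; i++ {
		day := start.AddDate(0, 0, i)
		for _, d := range DomainsForDate(day) {
			bl[d] = day
		}
	}
	return bl
}

// Lookup reports whether a queried name is a DGA domain in the window and for which day.
func (b Blocklist) Lookup(name string) (time.Time, bool) {
	day, ok := b[strings.ToLower(strings.TrimSuffix(name, "."))]
	return day, ok
}

func main() {
	start := time.Date(2017, time.January, 16, 0, 0, 0, 0, time.UTC)
	bl := BuildBlocklist(start, 7)
	fmt.Printf("%d domains pre-computed for the week starting %s\n", len(bl), start.Format("2006-01-02"))
	query := DomainsForDate(start.AddDate(0, 0, 2))[0] // a lookup the malware would make on the 18th
	if day, hit := bl.Lookup(query); hit {
		fmt.Printf("%s -> DGA domain for %s, sinkhole it\n", query, day.Format("2006-01-02"))
	}
	if _, hit := bl.Lookup("example.com"); !hit {
		fmt.Println("example.com -> not generated, allow")
	}
}
```

In practice the blocklist is fed to the recursive resolver or proxy logs: a host resolving names from today’s list is infected and can be isolated even before any file is encrypted, since the public key download precedes encryption.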
After downloading the public key, the Trojan stores it in the registry under HKCU\Software\CryptoLocker\Public Key. It then starts encrypting files on the local disks and on every mapped network drive the infected user can write to. It runs with that user’s privileges only, so write access to shares is the blast radius: a user who can write to a department file server can encrypt the whole share, and least-privilege permissions on shares directly limit the damage.
CryptoLocker does not encrypt every file it finds, only non-executable files whose extensions are on a list embedded in its code (documents, spreadsheets, images and similar).
When the Trojan has encrypted every file that meets those conditions, it displays a ransom message demanding payment within a time limit, after which, it claims, the private key held by the malware writer will be destroyed.
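The per-file AES key wrapped with an RSA public key is standard hybrid (envelope) encryption, and the following Go program is an added example of it, not code from the original write-up or from the malware itself. It uses AES-256-GCM with RSA-OAEP, a made-up on-disk layout and a made-up extension list; the original’s exact cipher modes, padding and file format are not described on this page and are assumptions here. It shows the point that matters for remediation: the victim machine only ever holds the public key, so recovery needs the operator’s private key, and any other key or any tampering with the ciphertext fails.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"path/filepath"
	"strings"
)

// targetExtensions stands in for the list embedded in the malware's code; its
// exact contents are an assumption for this example. Executables are absent.
var targetExtensions = map[string]bool{
	".doc": true, ".docx": true, ".xls": true, ".xlsx": true, ".pdf": true, ".jpg": true,
}

// nonceSize is the standard AES-GCM nonce length used by cipher.NewGCM.
const nonceSize = 12

// IsTarget mirrors the extension filter: only listed, non-executable files.
func IsTarget(name string) bool {
	return targetExtensions[strings.ToLower(filepath.Ext(name))]
}

// NewOperatorKey generates the RSA-2048 pair. In the real attack the private
// half never leaves the operator; only the public key reaches the victim.
func NewOperatorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFile applies the hybrid scheme: a fresh random AES key per file, the
// content sealed with AES-256-GCM, and that key wrapped with the RSA public
// key and stored in front of the ciphertext. Layout (assumed for this example):
//   [RSA-OAEP wrapped AES key, pub.Size() bytes][12-byte nonce][AES-GCM ciphertext]
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	out := append(wrapped, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// DecryptFile is the step only the private-key holder can perform: unwrap the
// per-file key, then open the content. Without priv the file key cannot be
// recovered, so the AES ciphertext is worthless; that is the ransom lever.
func DecryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	n := priv.Size() // length of the wrapped key, 256 bytes for RSA-2048
	if len(blob) < n+nonceSize {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[:n], nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, ct := blob[n:n+nonceSize], blob[n+nonceSize:]
	// GCM's authentication tag also rejects any tampering with the ciphertext.
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	priv, _ := NewOperatorKey()
	content := []byte("constructed sample spreadsheet content")
	blob, err := EncryptFile(&priv.PublicKey, content)
	if err != nil {
		panic(err)
	}
	recovered, _ := DecryptFile(priv, blob)
	other, _ := NewOperatorKey()
	_, wrongKeyErr := DecryptFile(other, blob)
	fmt.Printf("targeted=%v size=%d->%d recovered=%q with another key: %v\n",
		IsTarget("Q3-budget.xlsx"), len(content), len(blob), recovered, wrongKeyErr)
}
```

The same construction is what makes the 2014 key recovery meaningful: decryptors for the original CryptoLocker work only because the operators’ private keys were seized, not because the cryptography was broken.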
How to Avoid CryptoLocker
This malware spreads via email using social engineering techniques. Therefore, our recommendations are:
- Be particularly wary of emails from senders you don’t know, especially those with attached files.
- Turn off Windows’ hiding of known file extensions (Folder Options, or set the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced to 0) so that a name such as Invoice.pdf.exe is shown in full and this type of attack is easier to recognize.
- Keep a backup system in place for your critical files. This mitigates the damage from malware infections as well as hardware problems or any other incident. Note that a backup the infected user can write to over a mapped drive will simply be encrypted along with everything else: keep copies offline or versioned where the client cannot overwrite them, and test a restore.
There are a number of additional preventive steps we recommend our customers take:
- Ensure you have a proper email gateway in place with the proper security rules and scanning / filtering / reputation capabilities.
- Don’t open password-protected ZIP files sent via email. A gateway cannot scan what it cannot decrypt, so better still, have your IT department block or redirect such attachments at the email gateway for inspection.
- Ensure you have a strong firewall (preferably a next-generation type), with security personnel monitoring and refining rules, mitigating attacks, etc.
- Run a good antivirus / anti-malware product on your systems, and ensure it is regularly updated.
- Patch your systems. Ensure that you are patching both Windows vulnerabilities and key applications such as Microsoft Office, Adobe products, Chrome, Firefox, etc.
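As an added example of what “inspect at the gateway” can mean for the two tricks described on this page (the password-protected ZIP and the hidden double extension), the Go program below is not the original post’s code or any product’s. It reads only a ZIP’s central directory, flags entries whose general-purpose bit 0 (encryption) is set, and flags executable names hiding behind a document extension. The extension sets and the sample archive are constructed for the example; because Go’s archive/zip cannot write encrypted entries, the sample sets the encryption bit on a plain archive to mimic a password-protected one.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Finding is one reason the gateway would hold an attachment for inspection.
type Finding struct{ Entry, Reason string }

// Extension sets are assumptions for this example, not a vendor's list.
var executableExts = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true,
	".bat": true, ".cmd": true, ".js": true, ".vbs": true,
}
var decoyExts = map[string]bool{
	".pdf": true, ".doc": true, ".docx": true, ".xls": true, ".jpg": true, ".txt": true,
}

// InspectZip reads only the central directory, never the entry bodies, so it
// works on password-protected archives too: general-purpose bit 0 of each
// entry's flags marks it as encrypted, and file names are stored in the clear.
func InspectZip(data []byte) ([]Finding, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, f := range r.File {
		if f.Flags&0x1 != 0 {
			findings = append(findings, Finding{f.Name, "encrypted entry: contents cannot be scanned"})
		}
		if reason := suspiciousName(f.Name); reason != "" {
			findings = append(findings, Finding{f.Name, reason})
		}
	}
	return findings, nil
}

// suspiciousName flags executables, and in particular the double-extension
// trick: with known extensions hidden, "Invoice.pdf.exe" displays as "Invoice.pdf".
func suspiciousName(name string) string {
	base := strings.ToLower(path.Base(name))
	ext := path.Ext(base)
	if !executableExts[ext] {
		return ""
	}
	if inner := path.Ext(strings.TrimSuffix(base, ext)); decoyExts[inner] {
		return fmt.Sprintf("executable disguised as %s (double extension)", inner)
	}
	return "executable attachment"
}

// buildSample constructs a one-entry archive in memory (constructed sample data,
// not a real attachment). archive/zip cannot write encrypted entries, so to mimic
// a password-protected ZIP it sets bit 0 of the flags in both headers afterwards:
// offset 6 of the local header (PK\x03\x04), offset 8 of the central one (PK\x01\x02).
func buildSample(name string, encrypted bool) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, err := w.CreateHeader(&zip.FileHeader{Name: name, Method: zip.Store})
	if err != nil {
		panic(err)
	}
	f.Write([]byte("constructed placeholder content, not a real binary"))
	if err := w.Close(); err != nil {
		panic(err)
	}
	data := buf.Bytes()
	if encrypted {
		data[bytes.Index(data, []byte("PK\x03\x04"))+6] |= 1
		data[bytes.LastIndex(data, []byte("PK\x01\x02"))+8] |= 1
	}
	return data
}

func main() {
	archives := map[string][]byte{
		"delivery-notice.zip": buildSample("Invoice_2017-01-16.pdf.exe", true), // the lure
		"minutes.zip":         buildSample("board-minutes.pdf", false),         // benign
	}
	for attachment, data := range archives {
		findings, err := InspectZip(data)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d finding(s)\n", attachment, len(findings))
		for _, f := range findings {
			fmt.Printf("  %s: %s\n", f.Entry, f.Reason)
		}
	}
}
```

The useful property is that nothing here needs the password: names and flags live in the clear in the central directory, so a gateway can quarantine an encrypted archive that carries an executable name without ever extracting it.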
Fortunately, since 2014, joint efforts by police and security companies (as detailed here) have taken down the original CryptoLocker’s infrastructure and recovered private keys for many victims, so the original variant is far less dangerous if you know where to look. Several companies run publicly accessible web sites with self-service information and tools to decrypt or remove certain infections; Kaspersky is one such vendor, and has an excellent reference and tools site here. The bad news is that new variants of file-encrypting ransomware come out all the time, and each new family uses its own keys and infrastructure, so a decryptor for one rarely helps with the next.
Still, with so many distributed systems, and a significant portion of your fleet able to move off the network and out from behind your firewall, more prevention is needed. A newer class of products runs alongside traditional antivirus and claims to block this and other types of exploits from fully executing if they get past your other defenses. CrowdStrike, Palo Alto Traps and X by Invincea are among the solutions considered Next Generation Endpoint Protection; they typically coexist with your traditional antivirus and add one more layer to a true defense-in-depth approach to protecting your data.
The X by Invincea solution appears to be a solid offering for our customer base with the combination of its capabilities and its price point. Daly is currently conducting a Proof of Value evaluation on this solution, and I’ll share our results in my next blog post.