Analysis of a Cryptolocker

F r a n c e s c o S c h i f i l l it i

Seminario IISFA
23 Ottobre 2015
ROMA
Agenda
Tutto quello che ho salvato prima che Cryptolocker mi abbia cifrato I file…

2
Introduction Malware Definition(s)

“Malware, also known as malicious code and malicious

software, refers to a program that is inserted into a system,
usually covertly, with the intent of compromising the
confidentiality, integrity, or availability of the victim’s data,
applications, or operating system or otherwise annoying or
disrupting the victim.”

NIST Guide to Malware Incident Prevention and Handling, SP 800-83

“Malware is a code that is used to perform

malicious actions. This definition  implies that
whether a program is malware depends not so
much on its capabilities but, instead, on how the
attacker uses it.”
Definition by Lenny Zeltser

3
 Malware Malware Classification

Crimeware code which is designed with the

intent of collecting information on the end-user
RAT in order to steal those users’ credentials.

ROOTKIT Advanced Persistent Threat (APT) are highly

VIRUS
sophisticated and advanced malware which
typically use technology for which there are
currently little or no defensive capabilities. The
goal of an APT is to minimize the risk of
detection for long periods of time allowing the
WORM KEYLOGGER APT long-term access to the compromised
network.

RANSOMWARE

Ransomware is malware that prevents you

from using your files or your computer, and
then extorts money from you in exchange for
a promise to unlock them.

4
 Ransomware Timeline

Malicious Cryptography
Exposing Cryptovirology

Adam Young, Moti Yung

Wiley, 2004

Cryptolocker ver. 1.0 Cryptolocker ver. 3.0

moneypak, ucash, cashu, bitcoin bitcoin only

Cryptolocker ver. 2.0

bitcoin only

2005 2012 2013 2014 2015

TeslaCrypt

GPCode Trojan Reveton CTB-Locker

5
Ransomware Stats (Global)

!  Dell SecureWorks estimates that CryptoLocker has infected 250,000 victims. The average

payout is $300 each
!  1 million dollars a day.
!  $27 million in ransom in first 2 months (FBI)

6
 infrastructure. CTB Locker offers its victims a selection of to typical R
neatly in a single Gameover Zeus botnet, the infrastructure for which was also
language options to be extorted in and provides the option to deny access
ily a RAT but has used to distribute the CryptoLocker malware7. At the time
ks; many banking the botnet consisted of up to one million infected machines decrypt a “test” file for free. Although not as widespread as the capabili

Ransomware
her malware onto worldwide. The operation involved cooperation amongst CryptoLocker, CTB Locker was noted as a significant and growing “marketplac
multiple jurisdictions, the private sector and academia. Tools Stats (EU)
threat by a number of EU Member States. This is supported by Blackshades
to decrypt encrypted files are now also freely available from industry reporting which indicates that up to 35% of CTB Locker
Internet security companies8. victims reside within Europe 9
.
CTB-Locker In May 20
and Europ
Cryptlocker
orcement. Almost countries w
ing investigations of the Bla
omware accounts this, the m
nts, however this use is in de
ctim reporting or
ise and describe.
the ransomware
hically in Europe,

CRYPTOLOCKER CTB-LOCKER

6 Europol Press Release, International Action against Gameover Zeus Botnet KEY THREATS – REMOTE ACCESS TOOLS (RATS)
and Cryptolocker Ransomware, http://www.europol.europa.eu/content/
international-action-against-gameover-Zeus-botnet-and-cryptolocker-
ransomware, 2015 Remote Access Tools exist as legitimate tools used to access a third
7 Europol Press Release, International Action against Gameover Zeus Botnet
party system, typically for technical support or administrative
and Cryptolocker Ransomware, http://www.europol.europa.eu/content/
7
wnload/7/1/ international-action-against-gameover-Zeus-botnet-and-cryptolocker- reasons. These tools can give a user remote access and control
osoft_Security_ ransomware, 2015
8 Decryptolocker, https://www.decryptcryptolocker.com/, 2014 over a system, the level of which is usually determined by the
Ransomware Type of Ransomware

Scareware This type of virus looks like a bogus anti-virus message, but it
can also appear as a clean up tool. You’ll get a message that tells you
that this clean up tool has found hundreds if not thousands of issues on
your operating system. You could get alerted with pop-ups that ask you
for information or to download software to help you fix the issue. While
these are “scary”, these are quite easy to remove.

Ransomware
Lock-screen These viruses can have a bitter impact in that they literally
lock your screen. When they lock up your system they forbid you from
using your computer in any way. This spells trouble, and is a bit closer to
a more dangerous malware. This is a scary virus, and somewhat easy to
resolve.

Encrypting malware This type of malware is what first reared it’s ugly
head as CryptoLocker. This virus is what encrypts your files and locks
them until the given ransom has been paid. Most recently the uptick in
requests was for $300 in Bitcoin. This virus demands a ransom, but law
enforcement says that you shouldn’t pay it because there are no
guarantees that you’ll get your files back.

Crypto-Ransomware Over Time

Source Symantec, Symantec Intelligence Report Sep., 2015

8
 Ransomware Stages of a Ransomware

Handshake
C&C
Installation and Keys with Encryption Extortion
Contacting
C&C

After a computer is Before Ransomware can The Ransomware client With the cryptographic The Ransomware
infected, the attack the computer and server identify each keys established, the displays a screen giving
Ransomware installs victim, it contacts the other through a carefully Ransomware on your you a time limit to pay
C&C server operated by handshake, and the computer starts up before the criminals
itself, and sets keys
the criminal server generates encrypting every file it
and persistent destroy the key to
two cryptographic keys. finds with any of
mechanisms decrypt
One key is kept on dozens of common file
your files.
victim’s computer, the extensions
second key is stored
securely on the criminals’
server

Ransom Sent

Locked Files
C&C
Server

Unlocked Files

Private Key Sent

9
Ransomware Delivery/Installation Stage

Spear-Phishing
Attack

eMail-based Attack

Web-based Attack

Victim Drive by Drive by

Download Cache

Exploit Pack

10
Ransomware Delivery/Installation Stage
Spear-Phishing Attack
Phishing is a way of attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords,
and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting
to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the
unsuspecting public.
Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website
whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to
deceive users, and exploits the poor usability of current web security technologies.

Spear phishing may be defined as “highly targeted phishing aimed at specific

individuals or groups within an organization.”
“Spear-Phishing Email: Most Favored APT Attack Bait” - Trend Micro, 2012

Attacker

Email with PC’s info of

Victim and Private Key
1
6
Downloader
“Ransomware
2 3 4
Support Tools”

Victims Malicious 5
•  Deleting Shadow copy
Script •  Set up registry Keys •  Generating crypt Keys
•  Grabbing many PC’s •  Generating a list of
information of Victim and send file to infect
them by email to Attacker •  File Encrypting
•  Deleting Setup file created by
ransowmware
•  …
•  Displaying displaying ransom
note with Notepad

11
Ransomware Sample of attachment

12
Ransomware Delivery/Installation Stage
Drive by Download
Attacker

1
3

Victim Compromised Malicious Trojan Payload

Website Script

A Browser loads a URL

B Browser starts to execute shellcode that came with the exploit

C Browser calls “URLDownloadToFile”, which downloads and writes to disk some file from some URL

D Browser executes the created file

13
Ransomware Delivery/Installation Stage
Exploit Kit (EK) - 1/2
Exploit Kits are toolkits used to exploit security holes primarily to spread malware. These toolkits come packaged
with exploit codes. These exploit kits target software such as Adobe Flash, Java, Microsoft Silverlight, Internet
Explorer - software that are commonly installed and used in most PCs. Computers using outdated software/
applications are at high risk.

Attacker

1 Ransomware

Trojan Banking

Victim Compromised Malicious Exploit Kit Server

Website Script
4
Malware

14
which were Fiesta, Nuclear, SweetOrange, Styx, FlashPack, Neutrino,
Magnitude, Angler, and Rig. [10–12]
iesta is the newer version of eo ploit identified in . uclear was
identified in but was upgraded to version with new e ploits in

Ransomware
. weet range, ty , and lash ac were first used in attac s in
. eutrino, agnitude, and Angler were identified in
first seen in April .
ig was
Delivery/Installation Stage
CURRENT TRENDS IN EXPLOIT KITS Exploit Kit (EK) - 2/2

Top Exploit Kits

CVE (Common
One can say that Blackhole Exploit KitVulnerabilities andinExposures)
took a back seat identifiers enable data exchange between security
underground
products and provide a baseline index point
markets when its creator, Paunch, was arrested. Several exploit kits then for evaluating coverage of tools and services.
emerged and took its place in the spotlight, so to speak. Figure 3 shows
the distribution of exploit kit attacks seen in 2014.

Top Exploit Kit (2014)

Mostly used
by Cryptolocker
Distribution of exploit kit attacks

3 | Page © 2015 Trend Micro Incorporated

15
Ransomware Delivery/Installation Stage

16
 Ransomware Persistence

! Drops copy of itself in %APPDATA%\{random}.exe

! It creates the following autorun key:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "CryptoLocker":<random>.exe
or
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker":<random>.exe

! It creates two processes of itself. The other acts as a watchdog.

! It searches in all local and remote drives for files to encrypt. All files that are encrypted are also saved in the
following registry for record:
HKEY_CURRENT_USER\Software\CryptoLocker\Files

Titolo presentazione 17
Ransomware C&C Communication Stage

EK Server

Compromised
Website

Victim

Ransomware C&C

Ransomware
Proxy Server

18
Ransomware C&C Communication Stage
Network Traffic of Angler EK with CW3

Packets reader

Network Sec.
Monitoring
IP Address and Domain
Name used by the EK

Compromised website that

caused the EK traffic

19
Ransomware C&C Communication Stage

Domains and IP Addresses

from the CW3

20
Ransomware Encryption Stage
Cryptolocker performs the following tasks

A Searches in all local and remote drives for files to encrypt.

B All files that are encrypted are also saved in the registry HKEY_CURRENT_USER\Software

\CryptoLocker\Files

C Generate a unique 256 bit AES key

D Encrypt the file using the generated key

E Encrypt the key using the RSA PK exchangend with C&C

F Store this encrypted key to the header of the encrypted file using a schema rely on the version

G A final message to the C&C reports the amount of encrypted files to the server:

{7|CAMPAIGN_IDENTIFIER|PC’s Victim ID|3|all=###}

Filename and Extensions Encrypted by CryptoLocker:

21
Ransomware Extortion Stage

Bitcoin Addresses for the

Ransom payment

22
Sample 1/3

23
 Sample 2/3

Unuseful code to increase the complexity of analysis

Heavy use of obfuscated code (function)

24
Sample 3/3

Host Address Host Port Host Protocol Host Details

23.61.69.163 80 TCP United States

23.61.75.27 80 TCP United States

184.29.104.232 80 TCP United States

188.165.164.184 80 TCP France

Contacted Hosts

25
Methodology Proposition 1/2

Disk Acquisition

Memory Acquisition

Network Acquisition

Mobile Acquisition

Malware Intelligence

Reporting Examination

Malware Identification

Forensic Analysis

Malware Analysis

26
Methodology Proposition 2/2

Cyber Threat
Intelligence

Network Acquisition

Network
On-site
Forensics Analysis Malware Analysis

Live Acquisition Dead Acquisition

Disk Disk

Memory

Network

Mobile

27
ANY QUESTIONS?
THANKS FOR WATCHING
See You Next Time

+39 328 8251955 fschifilliti@gmail.com

fschifilliti@forensictech.it