The Anatomy of Cryptolocker Ransomware

Cryptolocker Ransomware : The concept of holding your data for ransom is new but it’s been fledgling nevertheless. Millions of dollars have been raked in by attackers across the world. Traditional methods, which typically include breaching the security layer, penetrating the system, taking over it, and selling the data, is done away. Instead the data is encrypted using public key infrastructure. The files from mapped, removable and locally installed drives are listed and certain files are encrypted-typically documents like Office, PDF, CSV, etc. The private key to the encrypted files is held by the attacker and victim is coerced into paying a ransom in exchange for it. A ransom note is presented to the victim, when he/she tries to access any of the files.

Attacks are usually three-pronged. The first part is where the compromised site or a file has an exploit kit-either Angler or Nuclear-which redirects victims to download a malware from a shady site. Post which, the malware executes and encrypts the files. Simultaneously, ransom notes are written in each folder. Often, a randomly generated registry key is created to keep track of the encrypted files.

A user is left with four options:

  1. Pay the ransom
  2. Restore from backup
  3. Lose the files
  4. Brute force the key

Should the victim agree to pay, attacker usually demands the payment averaging between $500-700 USD using Bitcoin. The value of the ransom varies with the number of encrypted files. And if the victim fails to pay within the asked time, ransom is doubled or tripled.

How it happens

Email is still the vector for several attacks. Because it is the ease with which the attacks succeed makes email a viable vector. The common malicious documents are office documents and drive-by downloads. They are sent to the victims claiming to be an invoice or a fax. When opened, it is protected. And the user must open another document for instructions to enable it. Once the user follows the steps, the macro is executed, payload is delivered, and the infection will commence. Typically, the actual filename-.docm-is masked with the.doc extension. Domain shadowing is another way to infect the users. The actual malware is delivered from a randomly generated subdomain of a legitimate domain. It involves compromising the DNS account for a domain and registering various subdomains, then using those for attack.

This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand, and Germany. Samas, another variant of destructive ransomware, was used to compromise the networks of healthcare facilities in 2016. Unlike Locky, Samas propagates through vulnerable Web servers.

True cost of the attack

Attackers never reveal the ransom that is being collected. So, investigations usually hit a dead-end leaving the investigating agencies rely on speculation. According to FBI, about $18 million of losses have been reported by the victims between April 2014 and June 2015. The actual ransom paid may be a negligible, but the associated cost-both monetary and reputational-could be colossal. Downtime costs, financial cost, data loss, and loss of life (compromised patient records) are the true impact an organization takes following an attack. While the initial impact may be considerable, the long-term effects of an attack may be far costlier.

Who’s doing it

Gameover Zeus botnet, peer-to-peer botnet based on the components of Zeus trojan, was responsible for most of the attacks. Russian cybercriminal Evgeniy Mikhailovich Bogachev, having online aliases: <<Slavik>>, <<lucky12345>>, <<Pollingsoon>>, <<Monstr>>, <<IOO>>, and <<Nu11>>, was reportedly associated with Gameover Zeus. On February 24, 2015, the FBI announced a reward of $3 million in exchange for information regarding the alleged mastermind.

What’s the solution

Adopting a multi-layered approach to security minimizes the chance of infection. Symantec has a strategy that protects against ransomware in three stages:

Prevent – Preventing the attacks is by far the best measure. Email and exploit kit are the most common infection vectors for ransomware. Adopting a robust defence will curtail any unwarranted events. Backing your data regularly is more important than one would like to think. Use of email-filtering services, intrusion prevention, browser protection, and exploit protection are some of the preventive actions to be taken.

Contain – In the event of an infection, the imminent action to perform is to contain the spread of infection. Advanced anti-virus software, machine learning, and emulator contain the virus from affecting your entire system.

Respond – Organizations can take steps to tactically handle the predicament. Determining primary attack to understand the intention of the attacker is essential. Focusing on ransomware alone won’t get you the complete scenario. In many cases malware writer leaves the loopholes unattended, an expert malware analyst can reverse engineer the ransomware and find a way to recover the data.