Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its
victims to pay the ransom through certain online payment methods in order to regain access to their systems or to get their
data back. Some ransomware encrypts files (CryptoLocker, for example). Other ransomware uses Tor to hide its C&C
communications (CTB Locker, for example).
Ransom prices vary, ranging from USD 24 to more than USD 600, or the bitcoin equivalent. It is important to note,
however, that paying the ransom does not guarantee that users will regain access to the infected system.
Users may encounter this threat through a variety of means. Ransomware can be downloaded by unwitting users who visit
malicious or compromised websites. It can also arrive as a payload, either dropped or downloaded by other malware. Some
ransomware is delivered as an attachment to spammed email.
Once executed on the system, ransomware can either (1) lock the computer screen or (2) encrypt predetermined files with
a password. In the first scenario, the ransomware shows a full-screen image or notification that prevents victims from using
their system and also carries the instructions on how to pay the ransom. The second type of ransomware locks
files such as documents, spreadsheets and other important files.
Ransomware is considered "scareware" because it forces users to pay a fee (or ransom) by scaring or intimidating them. In this
sense it is similar to FAKEAV malware, though it uses a different tactic: instead of capturing the infected system or
encrypting files, FAKEAV coaxes users into purchasing bogus antimalware software by showing fake antimalware
scanning results.
HISTORY
Early Years
The first cases of ransomware infection were seen between 2005 and 2006 in Russia. We first reported this incident
back in 2006, when a ransomware variant (detected as TROJ_CRYZIP.A) zipped certain file types and overwrote the originals,
leaving only the password-protected zip files on the user's system. It also created a Notepad file posing as the
ransom note, informing users that they could retrieve their files in exchange for $300.
During this initial phase, ransomware typically consisted of files that encrypted particular file types (.DOC, .XL, .DLL, .EXE, to name
a few).
By 2011, we first reported an SMS ransomware threat, in which users with infected systems were asked to dial a
premium SMS number. Detected as TROJ_RANSOM.QOWA, this variant also displayed a ransomware page repeatedly until
users finally paid the ransom by dialing a certain premium number.
To up the ante, we uncovered ransomware that infects the Master Boot Record (MBR) of a vulnerable system. By targeting
the MBR, this variant prevents the operating system from loading. To do this, the malware copies the original MBR and
overwrites it with its own malicious code, then automatically restarts the system for the infection to take
effect. When the system restarts, the ransomware displays its notification (in Russian).
in France and Japan (where the shop has a significant fan-base). Instead of the usual ransom
note, TROJ_RANSOM.BOV displays a fake notice from the French police agency Gendarmerie Nationale.
Although the ransom note in CryptoLocker only specifies RSA-2048 as the encryption used, our analysis shows that the
malware uses AES + RSA encryption.
RSA is asymmetric-key cryptography, meaning it uses two keys: one to encrypt the data and another to
decrypt it. (One key is made available to any outside party and is called the public key; the other is kept by
the user and is called the private key.) AES uses symmetric keys, i.e., the same key is used to encrypt and decrypt
information.
The malware uses an AES key to encrypt files. The AES key needed for decryption is written into the files encrypted by the malware.
However, this key is itself encrypted with an RSA public key embedded in the malware, which means the corresponding private key is needed
to decrypt it. Unfortunately, that private key is not available.
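The AES-plus-RSA construction the two paragraphs above describe is ordinary envelope (hybrid) encryption, the same scheme backup and messaging tools use. The Go program below is an added educational example, not code from the original article or from any malware; its envelope layout (a 2-byte length, the RSA-OAEP-wrapped AES key, a 12-byte nonce, then AES-GCM ciphertext) is a constructed format chosen for this example. Running it makes the page's point concrete: the encrypted data carries only the wrapped key, `Open` succeeds with the private key and fails with any other, so without that private key recovery is a matter of backups, not analysis.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// NewKeyPair generates the RSA pair; in the scenario above only the public half
// ever reaches the victim's machine.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal protects plaintext with a fresh AES-256 key and stores that key, wrapped
// under the RSA public key, in the envelope header (constructed layout:
// 2-byte length, wrapped key, 12-byte nonce, AES-GCM ciphertext).
func Seal(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// SplitHeader separates the RSA-wrapped AES key from the rest of the envelope.
// The wrapped key is all an analyst can extract from the file without the private key.
func SplitHeader(envelope []byte) (wrapped, rest []byte, err error) {
	if len(envelope) < 2 {
		return nil, nil, errors.New("envelope too short")
	}
	n := int(binary.BigEndian.Uint16(envelope))
	if len(envelope) < 2+n {
		return nil, nil, errors.New("envelope truncated")
	}
	return envelope[2 : 2+n], envelope[2+n:], nil
}

// Open reverses Seal; with any other private key the unwrap step fails.
func Open(priv *rsa.PrivateKey, envelope []byte) ([]byte, error) {
	wrapped, rest, err := SplitHeader(envelope)
	if err != nil {
		return nil, err
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	if len(rest) < gcm.NonceSize() {
		return nil, errors.New("envelope truncated")
	}
	return gcm.Open(nil, rest[:gcm.NonceSize()], rest[gcm.NonceSize():], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Demo run; errors are ignored here for brevity only.
func main() {
	priv, _ := NewKeyPair()
	env, _ := Seal(&priv.PublicKey, []byte("constructed sample document"))
	wrapped, _, _ := SplitHeader(env)
	plain, err := Open(priv, env)
	fmt.Printf("wrapped key: %d bytes; recovered with private key: %q (err=%v)\n", len(wrapped), plain, err)
	other, _ := NewKeyPair()
	_, err = Open(other, env)
	fmt.Printf("recovered with a different private key: err=%v\n", err)
}
```

A real sample may use a different mode or fetch its public key from a server rather than embedding it, but the defensive conclusion is unchanged: once files are sealed under a public key whose private half you do not hold, reverse engineering the file yields a 256-byte wrapped key and nothing else, so offline or versioned backups are the only reliable recovery path.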
Further research revealed that a spam campaign was behind the CryptoLocker infections. The spammed messages contain
malicious attachments belonging to TROJ_UPATRE, a malware family characterized by its small file size and
simple downloading function. It downloads a ZBOT variant, which then downloads the CryptoLocker malware.
Near the end of 2013, a new variant of CryptoLocker emerged with propagation routines. This
variant, WORM_CRILOCK.A, can spread via removable drives, a routine unheard of in other CRILOCK variants, which means
the malware can spread more easily than other variants. Unlike CRILOCK, this new variant does not rely on downloader malware
to infect systems; rather, it pretends to be an activator for software on peer-to-peer (P2P) file-sharing sites.
Technical differences have led some researchers to believe this malware is the product of a copycat.
Another file-encrypting ransomware soon came into the picture. This malware, known as CryptoDefense or Cryptorbit, like
other encrypting ransomware, demands payment for its decryption services. Detected by Trend Micro
as TROJ_CRYPTRBIT.H, this variant encrypts database, web, Office, video, image, script, text, and other non-binary files.
It also deletes backup files to prevent restoration of the encrypted files.
The Foray into Cryptocurrency Theft
Ransomware soon began to incorporate yet another element: cryptocurrency (e.g., Bitcoin) theft. We came across two
variants of this new malware, called BitCrypt. The first variant, TROJ_CRIBIT.A, appends .bitcrypt to any encrypted file
and uses an English-only ransom note. The second variant, TROJ_CRIBIT.B, appends .bitcrypt 2 and uses a multilingual
ransom note with 10 languages included. CRIBIT variants use the encryption algorithms RSA(426)-AES and RSA(1024)-AES to encrypt the files. This malware also requires that payment for unlocking files be made in Bitcoin.
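Two observable traits follow from what the page describes: an appended extension such as .bitcrypt on files that keep their original name, and file contents that no longer look like a document because they are ciphertext. The Go program below is an added example, not code from the original article or from any Trend Micro tool; it classifies files on either signal. The extension list and the entropy threshold (7.5 bits per byte, applied only to files of at least 1 KiB) are constructed for this example, as is the sample corpus, and the second CRIBIT suffix, which the page writes as ".bitcrypt 2", is assumed here to be appended without a space.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math"
	"strings"
)

// Suffixes the page attributes to the CRIBIT/BitCrypt variants (assumed form for the second).
var ransomExtensions = []string{".bitcrypt", ".bitcrypt2"}

// Constructed thresholds: ciphertext and compressed data sit near 8 bits/byte,
// while text and typical office documents are well below that.
const (
	entropyThreshold = 7.5
	minSampleSize    = 1024
)

// ShannonEntropy returns the entropy of the input in bits per byte (0 for empty input).
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Classify reports whether a file looks ransomware-encrypted and why:
// "extension" (known appended suffix), "entropy" (body looks like ciphertext
// although the name is unchanged), or "" when nothing is suspicious.
func Classify(name string, data []byte) (suspicious bool, reason string) {
	lower := strings.ToLower(name)
	for _, ext := range ransomExtensions {
		if strings.HasSuffix(lower, ext) {
			return true, "extension"
		}
	}
	if len(data) >= minSampleSize && ShannonEntropy(data) > entropyThreshold {
		return true, "entropy"
	}
	return false, ""
}

// pseudoRandom yields deterministic high-entropy bytes by chaining SHA-256; it
// stands in for ciphertext in the constructed corpus and is not a cipher.
func pseudoRandom(n int) []byte {
	out := make([]byte, 0, n)
	seed := sha256.Sum256([]byte("constructed seed"))
	for len(out) < n {
		out = append(out, seed[:]...)
		seed = sha256.Sum256(seed[:])
	}
	return out[:n]
}

// SampleFiles is the constructed corpus the demo and test run over.
func SampleFiles() map[string][]byte {
	return map[string][]byte{
		"budget.xlsx.bitcrypt": pseudoRandom(4096),
		"notes.txt":            []byte(strings.Repeat("quarterly figures pending review\n", 64)),
		"photo.jpg":            pseudoRandom(4096), // unchanged name, encrypted body
		"tiny.cfg":             pseudoRandom(16),   // too small to judge by entropy
	}
}

func main() {
	for name, data := range SampleFiles() {
		s, why := Classify(name, data)
		fmt.Printf("%-22s entropy=%.2f suspicious=%v %s\n", name, ShannonEntropy(data), s, why)
	}
}
```

The entropy check is deliberately gated on size: a 16-byte file cannot be judged, and JPEG, ZIP and other compressed formats also score near 8 bits per byte, so in practice this signal is combined with a burst of renames or writes across many files rather than used alone.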
It was discovered that a variant of the FAREIT information-stealing malware, TSPY_FAREIT.BB, downloads
TROJ_CRIBIT.B. This FAREIT variant can steal information from various cryptocurrency wallets,
including wallet.dat (Bitcoin), electrum.dat (Electrum), and .wallet (MultiBit). These files contain important information such as
transaction records, user preferences, and accounts.
POSHCODER: PowerShell Abuse
A new ransomware variant in the CryptoLocker mould surfaced that leverages the Windows PowerShell feature to encrypt
files. Trend Micro detects this as TROJ_POSHCODER.A. Windows PowerShell is a built-in feature in Windows 7 and higher.
Cybercriminals often abuse this feature to keep threats undetected on the system and/or network.
POSHCODER uses AES to encrypt the files and an RSA-4096 public key to encrypt that AES key. Once all files on
the infected system are encrypted, it displays the following image:
What makes this particular ransomware different from other police ransomware is that its infection vector is patched
malware. Patched malware is any legitimate file that has been modified (via addition or injection) with malicious code.
Modifying a legitimate file can be advantageous to cybercriminals, as how often the malicious code executes depends on
how frequently the infected file is used.
Another distinction of this ransomware is that it infects user32.DLL, a known critical file. Infecting a critical file can be
considered an evasion technique, as it can help prevent detection by behavioral monitoring tools. Additionally, cleaning
critical files such as user32.DLL requires extra care, as one misstep can crash the system, which poses a possible
obstacle for cleaning tools.
The infected user32.DLL begins a chain of routines that ends with the ransomware being loaded. The
ransomware's routines include locking the computer's screen and projecting a ransom image, similar to previous police
ransomware messages.
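Because patched malware keeps the legitimate file's name and location, the defensive check is content-based: compare the hash of each critical file against a baseline taken from a known-clean image, and treat any mismatch as a file to investigate rather than clean blindly. The Go program below is an added example, not code from the original article or from any Trend Micro product; the "DLL" bytes, the baseline and the injected stub are all constructed stand-ins, and the paths are shown only to make the output read naturally. On Windows the stronger production check is Authenticode signature verification, but a hash baseline is what a portable file-integrity monitor does and it catches the append-or-inject modification the page describes.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Finding describes one deviation from the baseline.
type Finding struct {
	Path   string
	Status string // "modified", "missing" or "unexpected"
}

// Baseline maps a watched file path to its known-good fingerprint, taken from a
// clean installation image before the host was ever exposed.
type Baseline map[string]string

// Fingerprint returns the hex SHA-256 of file contents.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Compare checks the current contents of watched files against the baseline.
// A patched file (legitimate file with injected code) shows up as "modified"
// even though its name and location are unchanged.
func Compare(base Baseline, current map[string][]byte) []Finding {
	var out []Finding
	for path, want := range base {
		data, ok := current[path]
		switch {
		case !ok:
			out = append(out, Finding{Path: path, Status: "missing"})
		case Fingerprint(data) != want:
			out = append(out, Finding{Path: path, Status: "modified"})
		}
	}
	for path := range current {
		if _, ok := base[path]; !ok {
			out = append(out, Finding{Path: path, Status: "unexpected"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

// DemoData builds a constructed baseline and a constructed "current" snapshot in
// which user32.dll has had a stub appended, as patched malware does.
func DemoData() (Baseline, map[string][]byte) {
	cleanUser32 := []byte("MZ...clean user32.dll image (constructed)")
	cleanKernel32 := []byte("MZ...clean kernel32.dll image (constructed)")
	base := Baseline{
		`C:\Windows\System32\user32.dll`:   Fingerprint(cleanUser32),
		`C:\Windows\System32\kernel32.dll`: Fingerprint(cleanKernel32),
	}
	patched := append(append([]byte{}, cleanUser32...), []byte("<injected loader stub>")...)
	current := map[string][]byte{
		`C:\Windows\System32\user32.dll`:   patched,
		`C:\Windows\System32\kernel32.dll`: cleanKernel32,
	}
	return base, current
}

func main() {
	base, current := DemoData()
	for _, f := range Compare(base, current) {
		fmt.Printf("%-10s %s\n", f.Status, f.Path)
	}
}
```

The baseline must be recorded and stored somewhere the host cannot rewrite; a baseline captured after infection, or kept on the same disk the malware controls, proves nothing.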
Future of Ransomware
In our 2013 Security Predictions, we predicted that conventional threats like ransomware are likely to evolve gradually, as
cybercriminals will focus mainly on refining existing tools. This is partly propelled by the ongoing arms race between certain
cybercrime groups and security researchers. Because of the positive developments in catching these groups, such as the arrests
of certain FAKEAV groups and key ransomware figures, we can expect ransomware variants to contain new functions and
other improvements in terms of stealth mechanisms.
Critroni or Curve-Tor-Bitcoin (CTB) Locker came about in 2014. This type of ransomware uses the Tor network to mask its
C&C communications. Some variants of this ransomware ask for bitcoins as ransom. CTB Locker variants in 2015
introduced a "freemium" free-decryption service. Also in 2015, TorrentLocker ransomware attacks were prevalent in the
Australia-New Zealand region. This particular ransomware adds a CAPTCHA code and redirection to a spoofed site.
Within a couple of years, we have seen ransomware evolve from a threat targeting Russian users into an attack affecting
several European and North American countries. With a profitable business model and payment schemes affording
anonymity to its perpetrators, we may be seeing more ransomware in the coming years. Thus, it is crucial for users to
know how ransomware works and how best to protect themselves from this threat.
Ransomware Families
Below are known ransomware families:
Family Name | Aliases | Description
ACCDFISA | Department of Federal Internet Security Agency Ransom | First spotted early 2012; Encrypts files into a password-
ANDROIDOS_LOCKER | |
CRIBIT | BitCrypt |
CRILOCK | CryptoLocker |
CRITOLOCK | Cryptographic locker | Uses advanced encryption standard (AES-128) cryptosystem; The
CRYPAURA | |
CRYPCTB | Locker |
CRYPDEF | CryptoDefense |
CRYPTCOIN | CoinVault |
CRYPWALL | CryptoWall, CryptWall, CryptoWall 3.0 |
CRYPTROLF | |
DOWNCRYPT | batch file ransomware |
VIRLOCK | VirLock, VirRansom | Infects document files, archives, and media files such as images
CRYPTOR | |
PGPCODER | |
KOLLAH | |
KOVTER | |
MATSNU | |
RANSOM | |
REVETON | Police Ransom |
VBUZKY | |
CRYPTOP | archiver |
GULCRYPT | Ransomware archiver |
CRYPWEB | PHP ransomware |
CRYPDIRT | Dirty Decrypt |
CRYPTORBIT | |