Blackhat USA 2014 - The New Scourge of Ransomware

The New Scourge of Ransomware: A Case Study of CryptoLocker and its Friends John Bambenek / jcb@bambenekconsulting, Lance James / [email protected]

description

In March of this year, a Romanian man killed himself and his 4-year-old son because of ransomware he received after visiting adult websites. This "police impersonation" malware instructed him to pay a massive fine or else go to jail for 11 years. Ransomware isn't a new threat; however, it took on new life with CryptoLocker, the very first variant to perform encryption correctly, thus significantly inhibiting security researchers and their typical countermeasures. Due to its unique nature, CryptoLocker is one of the few current malware campaigns that spawned its own working group focused on remediation. As time progressed, other ransomware copycat campaigns emerged, some of which got media attention even though they were nothing but vaporware. This talk will focus on what the threat intelligence community did in response to this threat, including the development of near-time tracking of its infrastructure, and on what can be learned in order to manage new threats as they emerge.

Transcript of Blackhat USA 2014 - The New Scourge of Ransomware

Page 1: The New Scourge of Ransomware: A Case Study of CryptoLocker and its Friends

John Bambenek / jcb@bambenekconsulting, Lance James / [email protected]

Page 2: Agenda

• What exactly is ransomware?
• Pre-CryptoLocker (CL) ransomware tactics
• A study on CL
• The intelligence response to CL
• How to do takedowns right
• What does the future hold?

Page 3: Who are we?

• Lance James, Head of Cyber Intelligence with Deloitte
• John Bambenek, President of Bambenek Consulting

Page 4: What exactly is ransomware?

• In short, any attack that relies on extortion…

Page 5: Generally two types

• “Cop” ransomware
  – Generally you get it because you’ve done something naughty
• Cryptography/locker ransomware
  – You are locked out of your data until you pay a ransom

Page 6: A history

• Ransomware is not really new
  – The first generally accepted ransomware was the AIDS Trojan in 1989.
  – It replaced AUTOEXEC.BAT and after 90 boots would encrypt files unless you sent money to a PO box.
  – Used symmetric encryption.
  – Spread by floppy disk.

Page 7: A History (cont.)

• In the early 21st century the web provided new means for ransomware to grow:
  – Electronic delivery via the network
  – Naughty websites (the Romanian example)
  – Means of electronic payment
  – Encryption still generally unsophisticated

Page 8: The state of play pre-CL

• While ransomware was a growing threat, almost all of it was unsophisticated.
  – Encryption is hard
  – “Cop” ransomware can usually be ignored
  – There was usually a way to recover files without paying
  – Examples: Krotten, Cryzip, Gpcode, Reveton

Page 9: How I viewed ransomware before CL

[image] Courtesy of @AdvancedThreat

Page 10: Cryptolocker appears…

• I get a call from a local government agency infected by ransomware. (Aug 2013)
  – Had backups… on a portable USB drive using the drag-and-drop protocol.
  – They tried to hire me to do forensics to recover the files… I tried to turn down the work.

Page 11: What Made CL Different

• CryptoLocker was the first major ransomware campaign that got cryptography right.
  – C2 servers generated a public/private key pair and gave the public key to the victim for encryption; the private key stayed on the C2.
  – Used a DGA to provide resiliency for the C2 hosts.
  – Gameover Zeus was the sole delivery method (after the PoC stage).
  – Used Bitcoin for payment (and other paycard systems).

Page 12: A Viable Business Model

• These guys operated on standard mob rules… you pay them, they keep their word.
• Compare to credit card fraud: you need skiddies, cloners, mules… an entire criminal network.
• Ransomware: you need one guy with viable malware.
• High margins, low maintenance.

Page 13: Technical Details

• Infection chain: Cutwail -> Upatre -> GOZ -> CL
• Used a DGA to reach out to the C2 and get the public key for encryption.
• Used the native Windows API for crypto.
• Used the DGA again to retrieve the private key once the ransom was paid.

Page 14: Recovery & Defenses

• Keep backups.
• Shadow volume copies can potentially be retrieved.
• There are some ninja forensics tricks that could be used.
• Prevent execution of binaries in %AppData%.
• Use OSINT feeds to block C2s (more later).

Page 15: The Intel Response to CL

• Eventually, we “woke up” and saw CL for the threat it is. (Sep 2013)
  – High-profile victims helped (e.g. police)
  – The sophistication got noticed.
  – The connection to GOZ drew in others.
  – Ultimately it was novel and “new”.
• Made for an excellent case study in threat intel.

Page 16: A Working Group is Born

• There are many different lists, each with a different, occasionally overlapping, subset of researchers.
• Each list has sharing restrictions, so direct sharing between lists is generally not allowed.
• This was frustrating, so I formed a group just to deal with CryptoLocker and put it all in one place.
  – Approximately 160 people worldwide took part.

Page 17: A Study in Contradictions

• Many aspects of CL had contradictory indicators:
  – The sole delivery vehicle was GOZ, which had every incentive to stay quiet; nothing is subtle about CL.
  – A DGA and 300-second TTLs on the domains suggest thoughts of resiliency, but the IP addresses behind them were very persistent.
• Figuring out the contradictions is where the real intel value is.

Page 18: Following the Money

• Many victims refused to cooperate out of fear.
• The MoneyPaks that were tracked all correlated to the same place.
• Bitcoin tracking also proved fruitful (anonymous but not private).
  – We saw “seed” money come in.
  – This is how we derived the number of victims.

Page 19: Tracking CL with its own DGA

• Once the DGA was cracked, it was easy to track.
• You could simply RPZ all 1000 domains.
• You could register sinkholes
  – We were out of control on this: a 125:1 sinkhole-to-C2 ratio, but did the bad guys even notice?
• Or you could surveil the infrastructure.

Page 20: Surveillance Scripting

• Given a list of domains, you could do a for loop… if you like slow scripts.
• Or you could use asynchronous DNS
  – adnshost, from the adns-tools package in Debian
• parallel -j1 --max-lines=500 --pipe adnshost -a -f < $DOMAINS
• If you do this, consider setting up a passive DNS sensor (e.g. dnsdb.info)

Page 21: Feed sample

[image]

Page 22: A Note about Intelligence Bias

• The way I generated my feeds was to strip sinkholes… my intelligence objective is disruption, not protection.
• If your motivation is protection, you’d RPZ all the domains and alert even on sinkholes
  – You care if a client machine is infected
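The two feed policies above can be made concrete. The following Python is an added example, not code from the talk or from the working group: it takes already-collected resolution results (for instance parsed from adnshost output; that parsing is not shown) plus a list of known sinkhole address ranges, and emits a disruption feed (sinkholes stripped, live C2 addresses kept) and a protection feed (every domain that resolves anywhere, sinkholed or not) rendered as RPZ records. The domains, addresses and sinkhole range are constructed documentation values, not real CryptoLocker indicators.

```python
"""Build disruption and protection feeds from DGA-domain resolution results.

Added example (not from the talk). Input records are assumed to have been
collected by a bulk resolver such as adnshost and parsed elsewhere; the
sample below is constructed from RFC 5737 documentation addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Resolution:
    domain: str
    rcode: str               # "NOERROR", "NXDOMAIN", "SERVFAIL", ...
    ips: Tuple[str, ...]     # A records returned, empty if none


# Constructed sample of one surveillance pass over a day's DGA candidates.
SAMPLE = [
    Resolution("abcdefghij.org", "NOERROR", ("203.0.113.10",)),              # live C2
    Resolution("klmnopqrst.net", "NOERROR", ("192.0.2.5",)),                 # sinkholed
    Resolution("uvwxyzabcd.com", "NXDOMAIN", ()),                            # unregistered
    Resolution("efghijklmn.biz", "NOERROR", ("203.0.113.10", "192.0.2.6")),  # partly sinkholed
    Resolution("opqrstuvwx.info", "SERVFAIL", ()),                           # broken delegation
]

# Constructed stand-in for the sinkhole ranges a working group would share.
SINKHOLE_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_sinkhole(ip: str, sinkhole_nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in sinkhole_nets)


def classify(res: Resolution, sinkhole_nets) -> str:
    """Label one domain: live, sinkhole, unregistered or unresolved."""
    if res.rcode == "NXDOMAIN":
        return "unregistered"
    if res.rcode != "NOERROR" or not res.ips:
        return "unresolved"
    if all(is_sinkhole(ip, sinkhole_nets) for ip in res.ips):
        return "sinkhole"
    # Any address outside the sinkhole ranges means the operators still
    # control a resolution path, so the domain counts as live.
    return "live"


def build_feeds(results: Iterable[Resolution], sinkhole_nets):
    """Return (disruption, protection).

    disruption: {domain: live C2 addresses}, sinkholes stripped, for
                takedown and suspension work.
    protection: sorted list of every domain that resolves anywhere,
                sinkholed or not, for RPZ blocking and infection alerts.
    """
    disruption: Dict[str, Tuple[str, ...]] = {}
    protection = set()
    for res in results:
        kind = classify(res, sinkhole_nets)
        if kind == "live":
            disruption[res.domain] = tuple(
                ip for ip in res.ips if not is_sinkhole(ip, sinkhole_nets))
            protection.add(res.domain)
        elif kind == "sinkhole":
            protection.add(res.domain)
    return disruption, sorted(protection)


def to_rpz(domains: Iterable[str]) -> List[str]:
    """Render domains as RPZ records that answer NXDOMAIN (CNAME to '.')."""
    lines = []
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


if __name__ == "__main__":
    disruption, protection = build_feeds(SAMPLE, SINKHOLE_NETS)
    print("disruption feed:", disruption)
    print("\n".join(to_rpz(protection)))
```

The mixed case (one live address plus one sinkhole) is deliberately classified as live: for disruption you want the surviving C2 address, and for protection the domain is still dangerous. Which of the two feeds you ship is exactly the bias the slide describes; the code only makes the choice explicit.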

Page 23: Bitcoin value over life of CL

[chart]

Page 24: A Note about Intelligence Bias (cont.)

• “We don’t need another white paper or blog post… what we need is bodies in the street.”
• The problem is intelligence “sufficiency”.
  – We get enough to satisfy short-term objectives and tolerate the continued existence of a threat that continues to adapt.
  – The people most in need of protection are the least likely to pay for “our services”.

Page 25: Active Intelligence

• There is only so much you can get with passive intelligence gathering.
• To understand the enemy you need to interact with them and see how they respond.
• What do they do if I get their domains suspended?
• What do they do when almost the entire DGA is sinkholed?

Page 26: Some HUMINT findings

• This was a lucrative cash crop for them… but it was not their primary business driver.
  – They’d go days with no domains up; they spent little effort on maintaining their infrastructure.
  – But they had some OPSEC skills: the framework for double-flux was there, and seized systems had no logging or other attributable fingerprints.

Page 27: Some HUMINT findings (cont.)

• I believe they bought the DGA from another party.
  – Re-used the same DGA as Flashback (OS X).
  – Never changed the DGA.
• If you paid the ransom, they got you your files… some evidence they paid attention to forums to fix problems.

Page 28: Victim Communication

• I’m a single mother and we three live thanks to my work, and I can’t lose it. Please, there’s a lot of rich people but we aren’t, and I have to work 10 hours from Monday to Sunday to take care of my children. Need your help, tell me as soon as possible how to get my files without bitcoin, please, help
• I’ve just sent you a message and I forgot to tell that I’m from Spain.
• I need to know another payment system than bitcoin. You must be more needed than I to do things like this.
• Please, help me, I can’t lose my work.
• Hi again, I need to recuperate my work as soon as possible to stay in my job. I’m from Spain and I need do payment from alternative method that bit coin.

Page 29: Fast Facts

• DGA built on the Taus88 PRNG (the example found on Wikipedia)
• Reversed the DGA
• Provided 1 year’s worth of domains to clients
• Blocked domains = unsuccessful CL
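What "reversed the DGA" buys a defender is easiest to see on a toy. The Python below is an added example and is not CryptoLocker's DGA: only the taus88 step function is the published generator (L'Ecuyer's three combined Tausworthe LFSRs, the one on Wikipedia); the date-based seeding, the label length, the TLD list and the 1000-per-day count are hypothetical choices made for illustration. Once the generator and the seeding rule are known, the defender computes the same candidate list as the malware for any date, which is what made the "one year's worth" feed and the RPZ blocking possible.

```python
"""A date-seeded DGA built on L'Ecuyer's taus88 generator.

Added example, not CryptoLocker's DGA: the seeding, domain length and TLD
list are invented to show the mechanism. Only Taus88.next() is the
published generator (three combined LFSRs, period about 2^88).
"""
from datetime import date, timedelta
from typing import List, Set

MASK32 = 0xFFFFFFFF


class Taus88:
    """Combined Tausworthe generator. Seeds must satisfy s1 > 1, s2 > 7,
    s3 > 15, otherwise a component collapses to zero."""

    def __init__(self, s1: int, s2: int, s3: int):
        if s1 < 2 or s2 < 8 or s3 < 16:
            raise ValueError("taus88 seeds too small")
        self.s1, self.s2, self.s3 = s1 & MASK32, s2 & MASK32, s3 & MASK32

    def next(self) -> int:
        s1, s2, s3 = self.s1, self.s2, self.s3
        # Each line mirrors the 32-bit C reference; & MASK32 emulates uint32.
        b = (((s1 << 13) & MASK32) ^ s1) >> 19
        s1 = (((s1 & 0xFFFFFFFE) << 12) & MASK32) ^ b
        b = (((s2 << 2) & MASK32) ^ s2) >> 25
        s2 = (((s2 & 0xFFFFFFF8) << 4) & MASK32) ^ b
        b = (((s3 << 3) & MASK32) ^ s3) >> 11
        s3 = (((s3 & 0xFFFFFFF0) << 17) & MASK32) ^ b
        self.s1, self.s2, self.s3 = s1, s2, s3
        return s1 ^ s2 ^ s3


TLDS = ("com", "net", "org", "biz", "info")   # hypothetical choice


def seed_for(day: date) -> Taus88:
    # Hypothetical seeding: the generator state is a function of the date
    # only, which is what makes the output predictable once the algorithm
    # is known. (Any date gives seeds far above the minimums.)
    base = day.year * 10000 + day.month * 100 + day.day
    return Taus88(base & MASK32, (base * 3) & MASK32, (base * 7) & MASK32)


def domains_for(day: date, count: int = 1000) -> List[str]:
    """Malware side: the candidate list for one day."""
    rng = seed_for(day)
    out = []
    for _ in range(count):
        length = 12 + rng.next() % 4            # 12..15 characters
        label = "".join(chr(ord("a") + rng.next() % 26) for _ in range(length))
        out.append(f"{label}.{TLDS[rng.next() % len(TLDS)]}")
    return out


def precompute(start: date, days: int, count: int = 1000) -> Set[str]:
    """Defender side: every candidate for a window, ready for RPZ or sinkholing."""
    return {d for i in range(days)
            for d in domains_for(start + timedelta(days=i), count)}


if __name__ == "__main__":
    today = date(2013, 10, 15)
    print(domains_for(today, 5))
    print(len(precompute(today, 365)), "domains for the next year")
```

Note the asymmetry this creates: the operators must register from the same list the defenders already hold, so a registrar or RPZ operator can act before the domain is ever used. That is also why "never changed the DGA" (page 27) was such an expensive mistake on their side.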

Page 30: Top 10 Cryptolocker Infections by Country

1. United States: 54262 infections
2. United Kingdom: 9682 infections
3. Canada: 2832 infections
4. Australia: 2310 infections
5. India: 2075 infections
6. Iran: 1281 infections
7. Thailand: 1209 infections
8. Indonesia: 970 infections
9. France: 908 infections
10. Brazil: 862 infections

Source: CryptoLocker Working Group (Roy Arends, Nominet UK). Sinkhole data collected October 15 2013 – January 27 2014

Page 31: Top 10 Cryptolocker Infections by Country (chart)

[Bar chart of the same top-10 data: countries US, GB, CA, AU, IN, IR, TH, ID, FR, BR on the x-axis, infections (0 to 60000) on the y-axis; bars labelled 54262, 9686, 2832, 2310, 2075, 1281, 1209, 970, 908, 862.]

Based on infections recorded since October 15 2013. Source: CryptoLocker Working Group (Roy Arends, Nominet UK). Sinkhole data collected October 15 2013 – January 27 2014

Page 32: Hard Drive Forensics

• Seized drives
• OPSEC
  – Tier 1: in-memory proxy configs
  – Tier 2: same
  – Mothership
• dm-crypt drives
• Memory analysis required
• Keys, IPs, locale (Russian)

Page 33: The End of Cryptolocker

• Operation Tovar was the LE operation to seize all domains of Gameover Zeus and CL on June 2, 2014.
• LE from 13 nations and a variety of private sector partners and individuals participated.
• Evgeniy Mikhailovich Bogachev, 30, from Anapa in Russia, was indicted as the figurehead behind GOZ.

Page 34: Was it Successful?

• As of this writing, CL is dead and gone and has yet to re-emerge.
• As of this writing, there is a ptGOZ variant out there with its own DGA.
  – It’s being surveilled in near-time by a method similar to the one above.
  – Unclear if there are any victims at this point.
  – Domain takedowns happen fairly rapidly when they pop up.

Page 35: Why did it work?

• Law enforcement was involved; there are things they can do that we cannot.
• The private sector was involved; they can do things LE cannot.
  – e.g. work with foreign companies in less-than-cooperative areas
• Intelligence footwork was done to see what the collateral damage would be and what the likely counter-moves would be.

Page 36: Why did it work? (cont.)

• We waited on the CL takedown to merge it with the GOZ takedown.
• We spent some time talking about the impact of permanently taking away the ability to pay the ransom (no C2s, no private keys to decrypt).
• It was a slower process than desired, but unlike other takedowns, this one stuck.

Page 37: How takedowns fail

• An entity goes it alone without any coordination with others.
• They do no evaluation of collateral damage.
• There is no LE involvement.
• “In the absence of the rule of law, all you have left is tribal justice.”
• This also ends up making it harder for well-thought-out takedowns to occur, as people get risk averse.

Page 38: The Future of Ransomware

• In the wake of CL being dead, others have filled the void…
  – In reality, CL captured the imagination and others have developed their own… some indication “kits” have been developed.
• Increasing usage of Tor services to add resiliency

Page 39: New Ransomware

• PowerLocker…
• CryptoDefense / CryptoWall
• Onion / Citroni (uses ECDH)
• AU Post ransomware
• iPhone locker
• Cloud services / Code Spaces

Page 40: New Ransomware Techniques

• DGAs will continue to be used but will be less common.
• Tor and Bitcoin will be mainstay features.
• The latest versions implement their own crypto.
• Eventually they will encrypt via UNC paths instead of just mapped drives.
• Disabling shadow volume copies.
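The last bullet is the one a defender can detect today, because deleting shadow copies goes through a handful of well-known command lines. The Python below is an added example, not from the talk: it scans process-creation log lines for those command lines (vssadmin delete/resize, wmic shadowcopy delete, the Win32_ShadowCopy WMI class driven from PowerShell, and wbadmin catalog deletion). The log lines are constructed, and the tab-separated field layout (timestamp, host, user, image, command line) is an assumption about the collector; the specific commands are a widely documented fact and not something the slide spells out.

```python
"""Flag shadow-copy tampering in process-creation logs.

Added example (not from the talk). Log format is an assumption:
timestamp<TAB>host<TAB>user<TAB>image<TAB>command line.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    host: str
    user: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Hit:
    rule: str
    severity: str
    ts: str
    host: str
    user: str
    cmdline: str


# Constructed sample: one workstation wiping its copies three different
# ways, one backup account resizing storage, and two benign lines.
SAMPLE_LOG = """\
2014-07-01T10:00:01Z\tws01\tCORP\\alice\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin list shadows
2014-07-01T10:03:17Z\tws01\tCORP\\alice\tC:\\Windows\\System32\\vssadmin.exe\tVSSADMIN.EXE  Delete Shadows /All /Quiet
2014-07-01T10:03:18Z\tws01\tCORP\\alice\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic shadowcopy delete
2014-07-01T10:03:20Z\tws01\tCORP\\alice\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
2014-07-01T11:15:00Z\tfs02\tCORP\\backupsvc\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin resize shadowstorage /for=D: /on=D: /maxsize=401MB
2014-07-01T12:00:00Z\tws03\tCORP\\bob\tC:\\Program Files\\Editor\\editor.exe\teditor.exe report.docx
"""

# Case-insensitive, tolerant of ".exe" suffixes and extra whitespace.
# "resize shadowstorage" is medium: backup jobs do it too, but a small
# /maxsize evicts existing copies, so it still deserves a look.
RULES = [
    ("vss-delete",      "high",   re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("vss-resize",      "medium", re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic-delete",     "high",   re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wmi-ps-delete",   "high",   re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
    ("wbadmin-catalog", "medium", re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
]


def parse_line(line: str) -> Optional[ProcessEvent]:
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None            # malformed line: skip rather than guess
    return ProcessEvent(*parts)


def parse_log(text: str) -> List[ProcessEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def detect(events: List[ProcessEvent]) -> List[Hit]:
    """First matching rule per event, in log order."""
    hits = []
    for ev in events:
        for rule, severity, pattern in RULES:
            if pattern.search(ev.cmdline):
                hits.append(Hit(rule, severity, ev.ts, ev.host, ev.user, ev.cmdline))
                break
    return hits


if __name__ == "__main__":
    for h in detect(parse_log(SAMPLE_LOG)):
        print(f"{h.ts} {h.host} {h.user} [{h.severity}] {h.rule}: {h.cmdline}")
```

Matching on the command line rather than the image name is deliberate: the binaries are legitimate Windows tools, so the verb is what separates a backup operator's "list shadows" from the destructive call. A practical refinement is to correlate the high-severity hits with a burst of file renames on the same host in the following minutes, which is the pattern a locker leaves.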

Page 41: The Future of Fighting Ransomware

• The CryptoLocker Working Group has been rebranded to fight ransomware generally.
• Focused collaboration on specific threats with a variety of players from a variety of companies works.
• Many of the intel tools developed to deal with CL are easily repurposed.

Page 42: The Future of Fighting Ransomware (cont.)

• To-do list:
  – Ability to take malware feeds of particular families of malware and script out intelligence (ideally without sandboxing)
  – Build up our HUMINT capabilities for OSINT.
  – We need to shorten the cycle from detection/reporting to disruptive activities.

Page 43: Call to Action

• There are more problems than there are people to solve them.
• The CL takedown worked because many organizations and individuals shared information and skills.
• Short-term actions don’t yield long-term results.
• If you want to join the fight, get in touch with one of us.

Page 44: Conclusion

• “Technology is risky and people don’t like you.”
  – Quote from a regional FI summarizing every security talk ever.

Page 45: Thanks to…

– The members of the Ransomware Working Group
– The FBI, NCCA and the Operation Tovar LE partners
– Joel Lathrop and Sophia Haase of Deloitte
– Polo Blue

Page 46: Questions?

• John Bambenek / [email protected]
• Lance James / [email protected]