Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows


Author: Aaron ND Sawmadal, MSc. Digital Forensics



Contents

Introduction (page 3)

How Does CryptoLocker Infect a Machine on a Network (page 3)

The Best Approach in Defending Against CryptoLocker in Corporate Network Resources (page 4)

Machines and/or Software Resources that can Help Defend the Network (page 4)

How to Eliminate CryptoLocker and the Strategy of Mitigation in a Post Incident Review (page 5)

Conclusion (page 5)

References (page 6)


Introduction

The threat of CryptoLocker (ransomware) is real, and this malware is frequently used by malicious individuals to extort money from users, both private individuals and government agencies. If a user's system is infected and the user refuses to pay the ransom, they will lose the files on the affected system and on other devices connected to the same network. Unfortunately, the threat is increasing exponentially: '1 in 30 have been hit by CryptoLocker and 40% pay the ransom', with 2014 recorded as the worst year for CryptoLocker attacks (from https://nakedsecurity.sophos.com/2014/03/07/1-in-30-have-been-hit-by-cryptolocker-and-40-pay-the-ransom-says-study/).

How Does CryptoLocker Infect a Machine on a Network

CryptoLocker is malicious encryption software, delivered as a Trojan, that scrambles (encrypts) all the files and folders it can reach on a computer network. The Trojan takes hold of the file systems on the network resources and redirects the victim to a payment system. This malicious method is referred to as ransomware. The victim's network resources or devices are then under the control of the malicious code.

CryptoLocker installs itself by tricking the end user into installing or executing its code. Once the code has been executed, it places itself in a user-writable location on the user's system (My Documents, Desktop, Downloads folder, etc.) under a randomly generated name, adds that name to the Windows registry, and generates random-looking server names under domains such as .biz, .co.uk, .com, .info, .net, .org.au and .ru (Destructive malware "CryptoLocker" on the loose – here's what to do, from https://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/).

CryptoLocker uses these randomly generated server names to make connections to the intruder's server(s); once a successful response is received, it uploads a small file called the "CryptoLocker ID". Upon successful upload of the ID, the server generates a public-private key pair unique to that CryptoLocker ID and sends the "public key part" back to the user's device.

On receipt of this public key, the Trojan uses it to encrypt every file it finds that matches its list of extensions on the victim's device. The file extensions targeted on the victim's device are listed in the table below.

[Table of targeted file extensions, from https://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/]

Additionally, the malware searches for and encrypts all files and folders it can access on the victim's device or network. Unfortunately, if the victim's device is in a workgroup or domain environment, the malware will also encrypt all network resources holding files with the same extensions as those on the victim's device.

In most instances the malware then redirects the victim to a payment option, giving the victim a timeframe in which to pay the ransom or else lose all the data on the device.
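To hunt for the persistence described above (a randomly named executable in a user profile folder, registered for autostart in the registry), here is an added PowerShell example that is not part of the paper: it lists Run/RunOnce entries whose executable lives under a profile root and reports the file's Authenticode status for triage. The list of profile roots is an assumption; extend it for your environment.

```powershell
# Added hunt script (not from the paper). Enumerates the per-user and machine
# Run/RunOnce autostart keys and reports entries whose executable sits inside a
# user profile folder (My Documents, Desktop, Downloads, %AppData%), the drop
# location and registry persistence the paper describes for CryptoLocker.
function Get-ProfileAutostart {
    param(
        # Roots treated as "user profile" locations; constructed default list.
        [string[]]$ProfileRoots = @($env:USERPROFILE, $env:APPDATA, $env:LOCALAPPDATA, 'C:\Users')
    )
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # First token of the command line (up to the first .exe), quotes removed
            if ($cmd -notmatch '^\s*"?([^"]+?\.exe)"?') { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
            $root = $ProfileRoots |
                    Where-Object { $_ -and $exe.StartsWith($_, 'OrdinalIgnoreCase') } |
                    Select-Object -First 1
            if (-not $root) { continue }
            # Legitimate per-user software is normally signed; an unsigned or missing
            # file with a meaningless name is the case to investigate first.
            $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'FileMissing' }
            [pscustomobject]@{
                Key        = $key
                ValueName  = $name
                Executable = $exe
                Signature  = $sig
            }
        }
    }
}

Get-ProfileAutostart | Format-Table -AutoSize
```

Run it under each interactive user account as well, since HKCU entries are only visible for the logged-on user.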


The Best Approach in Defending Against CryptoLocker in Corporate Network Resources

The first and foremost strategy to defend any network has been clearly stipulated by the Australian Signals Directorate (www.asd.gov.au).

i. The first principle states: do not allow end users to execute code. This can be implemented by application whitelisting, which prevents end users from installing any applications with extensions such as .dll, .exe, .msi, etc.

ii. User or administrator whitelisting: specify administrator users by level of privilege; not all administrators should have rights to install programs on all workstations and servers.

iii. Implementation of AppLocker policy: this is a default setting called Application Identity, first introduced in Windows Server 2008. The policy can be deployed to all Windows 7/8/10 workstations. Within the AppLocker policy, all extensions end users should not install must be explicitly denied; also implement a deny policy for any unknown extensions, and configure the policy to send alert emails to the administrator about any unknown application or extension, with the details of the host: hostname, IP address, the user logged in to the host, and the date and time the unknown application was detected.

iv. For devices running Windows XP and Vista, implement Group Policy to block executable and payload packages. Apply the policy to the paths %appdata%\*.exe; %appdata%\*\*.exe; %localappdata%\*.exe; %localappdata%\*\*.exe. Implement it via Group Policy within a domain environment, or add the policy to the standard operating environment (SOE) image for all devices.

v. Install software by versioning and a review board: any new software to be introduced within the network must go through a review and approval process.

vi. Remove domain users from administrator groups (Computer Management >> Groups >> Administrators).

vii. Ensure all default administrator and guest accounts are disabled in the workgroup or domain environment.
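As an added PowerShell example (not part of the paper), the following implements strategies iii and iv: New-SrpUserProfileBlock writes the four Software Restriction Policy path rules from item iv into the local policy registry, and Get-AppLockerBlockAlert collects AppLocker block events into the alert record item iii asks for (hostname, IP address, user, date and time). The Safer\CodeIdentifiers registry layout and the AppLocker event IDs 8003/8004 are taken from Windows documentation, not from the paper; sending the email is left to the caller.

```powershell
# Added example (not from the paper): helpers for strategies iii and iv above.
# Run from an elevated PowerShell. In a domain, prefer the Group Policy SRP
# editor; this function writes the equivalent local policy directly.
function New-SrpUserProfileBlock {
    $base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $rules = '%appdata%\*.exe', '%appdata%\*\*.exe', '%localappdata%\*.exe', '%localappdata%\*\*.exe'
    New-Item -Path $base -Force | Out-Null
    # DefaultLevel 262144 = Unrestricted for anything not matched; subkey "0" holds Disallowed rules
    Set-ItemProperty -Path $base -Name DefaultLevel -Value 262144 -Type DWord
    Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1 -Type DWord
    foreach ($path in $rules) {
        $key = Join-Path "$base\0\Paths" ([guid]::NewGuid().ToString('B').ToUpper())
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name ItemData -Value $path -Type ExpandString
        Set-ItemProperty -Path $key -Name SaferFlags -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name Description -Value "Block executables under $path" -Type String
        $key   # return the rule key created
    }
}

function Get-AppLockerBlockAlert {
    param([int]$LastHours = 24)
    $ip = ([System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
           Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1).ToString()
    # 8004 = blocked by an enforced rule; 8003 = audit-only event that would have been blocked
    $filter = @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004
                 StartTime = (Get-Date).AddHours(-$LastHours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        $user = if ($e.UserId) {
                    try { $e.UserId.Translate([Security.Principal.NTAccount]).Value } catch { $e.UserId.Value }
                } else { 'unknown' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Host   = $e.MachineName
            IP     = $ip
            User   = $user
            File   = $data.FilePath
            Action = if ($e.Id -eq 8004) { 'Blocked' } else { 'Audit only (would block)' }
        }
    }
}
```

Schedule Get-AppLockerBlockAlert on each workstation and pipe its output (for example through Export-Csv or Send-MailMessage with your own SMTP server) to the administrator mailbox described in item iii.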

Machines and/or Software Resources that can Help Defend the Network

i. In a Windows environment, install the Enhanced Mitigation Experience Toolkit (EMET). This utility helps prevent vulnerabilities in software from being exploited (https://support.microsoft.com/en-au/kb/2458544). EMET supports Windows Vista Service Pack 1 and Service Pack 2 up to Windows 10.

ii. Install intrusion detection and prevention software such as Sophos or Microsoft Endpoint Protection, among other products.

iii. A firewall (intrusion detection system / intrusion prevention system): this will detect stateful connections of all applications and users on the network and check them against known databases to determine whether an application is free of malicious code. The firewall will mitigate transmission of the malicious code into the network.


How to Eliminate CryptoLocker and the Strategy of Mitigation in a Post Incident Review

The threat to network resources is real and should never be underestimated. There is no such thing as a small threat. Every threat can have a significant impact if no adequate action is taken. For this reason the Australian Information Security Advice Cyber Security Operation Centre highly recommends 'application whitelisting, patching of applications and operating systems, updated versions of the software in deployment, and minimising administrative privileges' (from http://asd.gov.au/publications/protect/top_4_mitigations.htm).

Other technical mitigation strategies include, but are not limited to, logging, file tracing and auditing, and a backup/restore server.
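An added PowerShell example (not from the paper) of the file tracing and auditing strategy on a Windows file server: it reads Security event 4663 (object access) records and reports any account that writes to many distinct files in a short window, the burst an infected client produces while encrypting a share. It assumes object-access auditing is enabled on the shared folders; the threshold and window values are illustrative.

```powershell
# Added example (not from the paper). Requires a SACL on the shared folders so
# that file writes/deletes produce Security event 4663 on the file server.
function Find-MassFileWrite {
    param([int]$Threshold = 200, [int]$WindowSeconds = 60, [int]$LastHours = 1)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$LastHours) }
    $writes = foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = ([xml]$e.ToXml()).Event.EventData.Data
        $mask = [int](($d | Where-Object Name -eq 'AccessMask').'#text')
        # 0x2 = WriteData, 0x10000 = DELETE: what encrypt-in-place and rename look like
        if ($mask -band 0x10002) {
            [pscustomobject]@{
                Time = $e.TimeCreated
                User = ($d | Where-Object Name -eq 'SubjectUserName').'#text'
                File = ($d | Where-Object Name -eq 'ObjectName').'#text'
            }
        }
    }
    foreach ($group in ($writes | Group-Object User)) {
        $events = @($group.Group | Sort-Object Time)
        $start = 0
        for ($i = 0; $i -lt $events.Count; $i++) {
            # Slide the window start forward until it spans at most $WindowSeconds
            while (($events[$i].Time - $events[$start].Time).TotalSeconds -gt $WindowSeconds) { $start++ }
            $distinct = @($events[$start..$i].File | Select-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                [pscustomobject]@{
                    User        = $group.Name
                    WindowStart = $events[$start].Time
                    Files       = $distinct
                    Example     = $events[$i].File
                }
                break   # one alert per account is enough to trigger isolation
            }
        }
    }
}

Find-MassFileWrite | Format-List
```

The 4663 event names the account, not the client machine; correlate the account with its 4624 logon event (which carries the source IP address) to identify the host to isolate.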

In the event that the worst case of CryptoLocker has been observed, the host responsible for spreading the malware should be physically isolated from the network, and it should be ensured that a restore from backup is available. However, it is important to know that if there are no backups, one should not delay in responding to the intruder's request.

Another non-technical strategy is to create effective user awareness training and a security policy. From a security perspective it is important to articulate in a document whether, if there is a CryptoLocker breach, the ransom should be paid or not. The security lead must get the approval of the executive managers, and every incident must be dealt with on a case-by-case basis.

Conclusion

In this day and age the best protection any security expert should adopt is an in-depth security policy that encompasses all the security protection and mitigation strategies. This should be adopted at all levels, because legacy (antivirus and anti-spyware) mitigation strategies cannot stop the current threat of CryptoLocker. Ransomware will continue to grow because it is a lucrative market. The bad guys always require users to execute their code. With effective security strategies one can detect the bad guys beforehand.

Security experts should implement logging, file tracing, auditing, patching rules and a backup/restore server. With these in place, do not give the bad guys loopholes to infiltrate the network. Restriction of user privileges and the implementation of AppLocker policies will help to mitigate many of the emerging CryptoLocker variants.


References

How CryptoLocker works and how it can be mitigated; https://nakedsecurity.sophos.com/2013/10/18/cryptolocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/

Destructive malware "CryptoLocker" on the loose – here's what to do; https://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/

Cryptolocker Mitigation Strategies Explained; http://www.windowsecurity.com/articles-tutorials/misc_network_security/cryptolocker-mitigation-strategies-explained.html

Enhanced Mitigation Experience Toolkit (EMET); https://support.microsoft.com/en-au/kb/2458544

How to prevent user to install software on windows 10; https://www.youtube.com/watch?v=N5GoNzgkm14m

Top 4 Mitigation Strategies to Protect Your ICT System; http://asd.gov.au/publications/protect/top_4_mitigations.htm

Cryptolocker virus: Australians forced to pay as latest encryption virus is 'unbreakable', security expert says; http://www.abc.net.au/news/2015-08-09/australians-paying-thousands-after-ransomware-virus-infection/6683618