Decoding Ransomware - Part 1
Dr. Peter Stephenson
You'll pardon, perhaps, my absence over the past week. As it happens, I have been involved with some very interesting ransomware (no, not on any of my computers) and it occurred to me that this might make a great topic.
As I research various types of malware threats I find that there are some very poor, once-over-lightly, discussions and some excellent, very deep and technical treatments but almost nothing in between. There are some good reasons for this. For the deep technical discussions I have found that often they assume a skill level that most security professionals simply do not have. The lightweight ones are largely - or appear largely - the product of the mainstream or popular security press. But to my surprise - and occasional frustration - I could not find a middle road that would help the typical, but on the technical side, information security professional act rapidly - or, hopefully, proactively - when trouble hits and hits hard. Over the next few postings I'm going to try to give you that.
I am not going to start, as many bloggers do, with the history, makeup and lineage of various ransomware families. There are plenty of really good bloggers who have done and likely will continue to do a very good job of that. If I start out a little over your head, do a little research and catch up with me. If you are way ahead of me, you have some choices... you can take a nap until I get to your level or - and I hope you'll do this - join in and add to the discussion. Let's get started.
My most recent brush with ransomware is TeslaCrypt 3.0 with the .mp3 extension. That's less than a month on the market and there is not a lot about it out there. Over the course of this blog we'll look at the TeslaCrypt family, the CryptoWall family, Locky, and, perhaps, a couple of others that are currently raising havoc. This is not a blog with how-tos that tell you what to do to protect yourself but in this case a repeat of just about everyone's warning is in order: only three things will save you if you get hit: backups, backups and backups. 'Nuff said.
I want to thank three great organizations for making this set of blog postings possible. First, our friends at Cylance. They are a very creative next generation anti-malware developer and, to my great pleasure, they had just detonated the TeslaCrypt 3.0 .mp3 a few days before and they kindly provided the Cuckoo sandbox files. Also, one of my research sponsors, Logix Federal Credit Union, dug into their quarantines and brought out a copy of the TeslaCrypt 3.0 .mp3 executable. If you study malware you already know how valuable the quarantines are. You may not even know what treasures are in there until you look. Finally, I highly recommend visiting AlienVault's OTX (Open Threat Exchange) for indicators of compromise. There is a fairly new entry relating to ransomware at https://otx.alienvault.com/pulse/56d9db3f4637f2499b6171d7/.
I have a line on a copy of Locky as well but if you have one and want to share, email me: firstname.lastname@example.org. There are multiple strains of all of these and the more we share the closer we'll come to putting speed bumps in the paths of the bad guys. Back to TeslaCrypt.
There have been at least four versions of TeslaCrypt. The most recent are 3.0 in January and 3.0 with the .mp3 extension almost exactly a month later in February, and these last two are particularly nasty. I did some searching for disassemblies of the .mp3 extension version and was not particularly successful. There were some - including good indicators - for the plain vanilla 3.0 so that was to be my starting point. I love reversing but I am not a fan of re-inventing the wheel so if there are good reverses available I usually start there. What I tend to be more interested in are the indicators that relate to the bug's behavior.
I got a good sample with the Cuckoo files from Cylance and I started comparing what I saw with what has been reported for 3.0. There are lots of differences. True, perhaps, most of the code in the .mp3 version is the same as the 3.0 version but dynamic indicators - URLs, domains, etc. - are different. That led me to compare what I had with a sample I got from Logix Credit Union's quarantine and there are still more differences. So the obvious conclusion is that this ransomware is in fairly broad use and is changed by new users to fit their distribution channels.
That said, there are some consistencies in the dynamic analysis, although I don't expect them to hang around long. My advice here is to follow this flavor of ransomware on AlienVault's OTX. Collect the indicators and block/analyze accordingly. OTX is crowd-sourced so you'll get some really good stuff there.
Pulling an IP - 220.127.116.11 - from one of my sets of indicators got me a couple of things quickly. First, OpenDNS Investigate told me that the address had hosted 11 malicious domains over the past week. So I did two things with that. First, I put the IP into the Malware Domain List and second, I started digging through the forensics of a compromised hard drive to see if I had any hits on any of the domains. No luck, so I started digging through the compromised computer and found the executable. It analyzed as TeslaCrypt 3.0 with the .mp3 extension. That was consistent with the naming convention that the bug uses for encrypted files. However, when I started looking for its MD5 signature at VirusTotal I got an entirely different set of indicators.
Finally, I ran the four IPs that I got on Malware Domain List when I did a search on TeslaCrypt from their database and I got four IPs and domains, one of which was the one I was looking through. Running each of those IPs through OpenDNS Investigate showed four entirely different operators, supporting the theory that there are multiple variants of this bug in the wild already. The Malware Domain List search results are shown in Figure 1. The problem, of course, is that we know this is a set of TeslaCrypt command & control servers but we don't know which version of TeslaCrypt they are feeding.
Figure 1 - Results of Malware Domain List Search for TeslaCrypt
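The hunt described above (merge the indicator sets from different samples, then look for hits on either the domains or the hosting IPs) can be sketched as follows. This is an added example, not code from the original post; the feeds, the four-field DNS log format and every domain and address in it are constructed for illustration.

```python
import ipaddress
import re

def refang(value):
    """Reduce a (possibly defanged) indicator to a bare lowercase host or IP."""
    v = value.strip().lower().replace("[.]", ".")
    v = re.sub(r"^[a-z]+://", "", v)       # drop http://, hxxp://, ...
    return v.split("/")[0].rstrip(".")     # drop any path and trailing dot

def load_indicators(lines):
    """Split a feed into (ips, domains); '#' starts a comment."""
    ips, domains = set(), set()
    for line in lines:
        host = refang(line.split("#")[0])
        if not host:
            continue
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host)
    return ips, domains

def domain_hit(qname, domains):
    """Return the listed domain that qname equals or is a subdomain of."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):       # never test the bare TLD
        if ".".join(labels[i:]) in domains:
            return ".".join(labels[i:])
    return None

def hunt(log_lines, ips, domains):
    """Return (line_no, client, indicator) for each DNS log line that matches."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) != 4:               # assumed format: ts client qname answer
            continue
        _ts, client, qname, answer = fields
        matched = domain_hit(qname, domains) or (answer if answer in ips else None)
        if matched:
            hits.append((n, client, matched))
    return hits

# Constructed sample data (documentation-range IPs, .example domains).
SANDBOX_FEED = ["hxxp://c2-one[.]example/gate.php  # from sandbox report", "192.0.2.44"]
QUARANTINE_FEED = ["pay.c2-two.example", "192.0.2.44", "198.51.100.7"]
DNS_LOG = ["2016-03-07T09:14:02Z 10.0.5.21 www.intranet.example 10.0.0.8",
           "2016-03-07T09:14:09Z 10.0.5.21 C2-One.example. 203.0.113.9",
           "2016-03-07T09:15:40Z 10.0.7.3 cdn.pay.c2-two.example 198.51.100.7",
           "2016-03-07T09:16:11Z 10.0.7.3 notc2-one.example 203.0.113.10",
           "2016-03-07T09:17:30Z 10.0.9.9 new-domain.example 192.0.2.44"]
IPS, DOMAINS = load_indicators(SANDBOX_FEED + QUARANTINE_FEED)
```

The last log line matches only on the answer IP: a domain that is on no list yet still surfaces because it resolves to an address already tied to the campaign, which is why the IP pivot is worth keeping alongside the domain list.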
So how do you find/protect against this bug in your enterprise? That and some additional details on the TeslaCrypt threat hunt will be my topics for the next installment of this series. We'll start digging more deeply into the indicators of compromise and give you some solid starting points for your own threat hunt.
Now, here are this week's new malware domains.
Figure 2 - This Week's New Malicious Domains from Malware Domain List
So… until next time….
If you use Flipboard, you can find my pages at http://tinyurl.com/FlipThreats. Here I flip the interesting threat-related stories of the day – focused on technical, all interesting stories and definitely on target.