Ransomware – part 2: who are out there?


In my last article I wrote about ransomware and why you should look out for it (read the article here – link –). In this article I will zoom in on the active ones and what they do to become active. Of course it is never possible to capture all active ones; I will surely miss one or more, as they change often.

Active ransomware

There are several “families” out there, but for this overview I will look at specific ones. I took the threat database of Trend Micro as my guide; it is a vast database of all current and past threats. Credits to them for it.

Files on disk

Some of the ransomware out there drops files on disk. Let me show you two of them; there are hundreds, but they all work alike.

Ransom_jigsaw.A

  • Discovery time: this variant was first detected in April 2016
  • Behaviour: encrypts and deletes files
  • Type: EXE

This variant is either dropped by other malware or downloaded from malicious sites. What you get is an executable named firefox.exe or drpbx.exe, downloaded to %application data%\frfx or \Drpbx. Next to the executable the following files are also created:

  • %application data%\system32Work\Address.txt
  • %application data%\system32Work\EncryptedFileList.txt
  • %application data%\system32Work\dr

Address.txt holds the information for the bitcoin payment; EncryptedFileList.txt lists all the files it has encrypted. If the user doesn’t pay fast enough, files are deleted to put pressure on them. This is a very aggressive ransomware.

To make sure it executes, it adds itself to the HKEY_CURRENT_USER\Software\Windows\CurrentVersion\run key. It hides itself as a known application, either Firefox or Dropbox, with the entry pointing to the path mentioned above, %application data%\frfx\firefox.exe or \Drpbx\drpbx.exe. If you do not know the real install paths of those applications, you might be fooled.

What kind of files does it encrypt?

It encrypts a vast number of file extensions; the list is so long that I conclude it encrypts anything it can find. It is not after a single type.

Can I protect my users?

Knowing what this one does makes it possible to find a solution for it. In my next article I will zoom in on some products out there that catch ransomware. This specific one is easily stopped by implementing a User Environment Management solution like RES ONE Workspace, AppSense or one of the others that have security options. What these solutions do is block the run key (nothing stored there is run at logon or boot) and let you whitelist the files that are allowed to start. With the right tools, this one is no threat.

Ransom.locky.Puy

  • Discovery time: this variant was first detected in April 2016
  • Behaviour: encrypts and deletes files
  • Type: EXE

This ransomware arrives through an Adobe Flash Player vulnerability (CVE-2016-1019), is downloaded by other malware (TroJ_Locky.DLDRA), or is downloaded disguised as a GIF. Either way you get infected. Adobe released a fix for the Flash vulnerability – link –. This one drops the following files:

  • %desktop%\_Help_Instructions.txt
  • %desktop%\_Help_Instructions.bmp
  • {folder with encrypted files}\_Help_instructions.txt
  • %user temp%\svchost.exe

The text files contain a ransom note telling you what to do; the bitmap dropped on the desktop shows a graphic telling you you’re infected. To make sure it executes, it adds itself to the HKEY_CURRENT_USER\Software\Windows\CurrentVersion\run key. It hides itself under a known file name: svchost.exe is a basic Windows core executable, so you would not expect this file to be the bad one.

Next to that it adds two registry entries:

  • HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper = %desktop%\_Help_instructions.bmp
  • HKEY_CURRENT_USER\Software\{random characters}

What kind of files does it encrypt?

It encrypts a vast number of file extensions; the list is so long that I conclude it encrypts anything it can find. It is not after a single type.

Can I protect my users?

Knowing what this one does makes it possible to find a solution for it. In my next article I will zoom in on some products out there that catch ransomware. This specific one is easily stopped by implementing a User Environment Management solution like RES ONE Workspace, AppSense or one of the others that have security options. What these solutions do is block the run key (nothing stored there is run at logon or boot) and let you whitelist the files that are allowed to start. With the right tools, this one is no threat. The svchost.exe file, which is of course a default Windows file name, is not hard to block, because this copy lives in the temp folder, not where the real one does. Every file in any directory can be whitelisted, so only the ones you trust are started.
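The two “Can I protect my users?” sections above rest on the same idea: nothing in the Run key starts unless the file is on a whitelist, and a file that borrows a familiar name (firefox.exe, svchost.exe) but lives in %application data% or the temp folder is exactly what the whitelist should refuse. The Python below is an added example, not code from this post or from RES ONE Workspace or AppSense; it only illustrates the decision those products make per file. It parses the output format of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (the full standard path of the Run key) and classifies each entry. The sample output, the user name alice, the OneDrive allow-list entry and the vendor agent path are constructed for the example; the two blocked paths mirror the Jigsaw and Locky drop locations described above.

```python
"""
Allow-list check over HKCU Run entries (added example, constructed sample data).

Each autorun command is classified the way a UEM / application-control policy
would: an executable may start only if it is explicitly allow-listed or lives
under a trusted root; everything else is blocked. A core Windows binary name
found outside the Windows system folders is flagged as a masquerade, which is
the trick both ransomware samples above rely on.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output (name, type and data separated by runs of spaces). User and paths are invented.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    firefox.exe    REG_SZ    C:\Users\alice\AppData\Roaming\frfx\firefox.exe
    svchost    REG_SZ    C:\Users\alice\AppData\Local\Temp\svchost.exe
    VendorAgent    REG_SZ    "C:\Program Files\Vendor\Agent.exe" --autostart
"""

TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
# Folders where genuine copies of core Windows binaries live.
CORE_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")
# Core binaries that have no business starting from a user-writable folder.
CORE_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
# Per-file allow list for legitimate software that installs into the user profile
# (constructed entry for the example).
ALLOWED_FILES = {r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"}

ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_run_entries(text):
    """Yield (value name, command) pairs from `reg query` output."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("name"), m.group("data").strip()


def executable_of(command):
    """Return the executable path from a Run value, dropping any arguments."""
    m = re.match(r'^"([^"]+)"', command)          # quoted path, possibly with args
    if m:
        return m.group(1)
    m = re.match(r"^(\S+?\.exe)", command, re.IGNORECASE)  # bare path ending in .exe
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""


def _under(path, root):
    """Case-insensitive 'path is inside root' test on Windows paths."""
    return path.lower().startswith(root.lower() + "\\")


def classify(path):
    """Return (verdict, reason) for one autorun executable path."""
    name = PureWindowsPath(path).name.lower()
    if name in CORE_BINARIES and not any(_under(path, d) for d in CORE_DIRS):
        return "block", f"{name} outside the Windows system folders (name masquerade)"
    if path.lower() in {p.lower() for p in ALLOWED_FILES}:
        return "allow", "explicitly allow-listed file"
    if any(_under(path, root) for root in TRUSTED_ROOTS):
        return "allow", "under trusted root"
    if _under(path, r"C:\Users"):
        return "block", "executable in user-writable profile folder"
    return "block", "not allow-listed"


def audit(text):
    """Classify every Run entry in a reg query dump; returns a list of dicts."""
    results = []
    for name, command in parse_run_entries(text):
        exe = executable_of(command)
        verdict, reason = classify(exe)
        results.append({"name": name, "exe": exe, "verdict": verdict, "reason": reason})
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_REG_QUERY):
        print(f"{r['verdict']:5}  {r['name']:<12} {r['exe']}  ({r['reason']})")
```

The order of the checks matters: the masquerade rule runs before the trusted-root rule, so a svchost.exe under C:\Windows\Temp would still be blocked, while the genuine C:\Windows\System32\svchost.exe passes. Legitimate software that installs into the profile (the OneDrive entry here) is why a per-file allow list is needed on top of the folder rule, which is the same point the post makes: every file in any directory can be whitelisted, so only the ones you trust are started.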

Sub-conclusion

I could go on, but these ransomware types are easy to block; no one should have to be infected and harmed by them. Companies can take enough measures to block this; UEM has advanced so far today that it is a piece of cake. If all ransomware were like this the problem would be gone. Unfortunately, it is not.

In memory

But what if the code is not executed from disk but in memory? How will we be able to stop the ransomware there? In the recent past several different pieces of code have been detected hidden in advertisements on popular websites. People are lured into clicking on the advertisement, and once they do they are taken to a fake temporary domain where the code is waiting. From there the code is executed in memory and calls a local file to execute. Because it executes in memory and most of the time does nothing on disk until it is too late, it is hard to detect.

There are some versions that do execute a local file, and those can be stopped, but the versions that stay in memory most of the time will be hard to stop with desktop-based products. Of course they have to land at some point, and we have to analyse many versions to understand how they land and what they execute. Perhaps we can stop them by setting up the system the right way. Of course you’re wondering: if I didn’t click on a link and didn’t open a dodgy attachment, how did I get infected? I have not yet found any that didn’t download anything to disk; I’m looking around to see if I can find one.

Where do they come from?

You’ve seen this one go around, and many more like it: a funny video on one of those sites that host all the funny ones. You simply can’t resist clicking on them and having a laugh. Well, Fessleak was code hidden behind the funny granddad video.

If you clicked this video you were taken to a different, temporary site where the malicious code was waiting for you. If you want to learn more about how this was detected, visit Invincea.com; they’ve done an amazing job analysing this, and the link to their investigation is right here – link –. I don’t want to take credit for this; I’m still at the front door when it comes to this, learning as we get further along.

But it goes further: what if the video of an ad starts automatically? Don’t say you never saw that happen; CNN even does it with news items. I open the site to read the news and there goes the video; I never clicked, never asked them to run it. They just do. What if that video has malicious code behind it that installs itself automatically when the video starts, installing while you’re watching, so that when the video is done you can pay the ransom? So what are they run through?

Flash and Silverlight

I’ve been reading many sites that investigate exploits, ransomware and other damaging things living on the Internet. From what I gather, the most dangerous ones out there use vulnerabilities in Flash or Silverlight. Flash and Silverlight are the most used software products for displaying ads on websites. Flash in particular is known for its many vulnerabilities, and many say you should not install it at all.

The exploits are never a threat unless you click on the ad itself; looking at a news site with a lot of ads on it (I always wondered why they are there) is not dangerous. It gets dangerous when you searched for a nice camera on Google and the next day ads for cameras are shown next to your news items, and one of them is your ticket to trouble… Can you resist clicking on the ads, or do we have to help you?

Ad-blocker

One way to handle this is to take away the goodies; it’s like keeping no booze in the house when someone used to be an alcoholic. Let’s take the ads away from the site. I know the news sites and many others won’t like it, but if they can’t make sure the ads are safe, we need to make sure you are. I have used an ad blocker for a long time already. I don’t care about what I searched for yesterday; if I want to find something I go look for it again. Don’t be like my wife, don’t keep reminding me 🙂

On my site, this one, you see four ads. I control those ads: they redirect directly to the vendor’s website and are not generated automatically. Most news sites work with a bidding system: ad providers offer a price, and if they win, their ad is shown on the site. The good thing is that you can have your ad on the site for a nice price; the bad thing is that anyone with an ad, no matter what is behind it, can participate. To me this is bad website management; you are knowingly opening the door for criminals. If website owners were serious about security this would not happen. You have to know who you do business with; if you don’t, you help the criminals hurt others.

So now we know that our urge not to miss anything is helping them.

So what is next? Next we look at products that might stop these things before they harm us. Until then stay safe, install an ad blocker and don’t click on those cool videos. Here are a few ad blocker links to help you out:

  • For Chrome – link
  • For Mozilla – link
  • AdBlock Plus – link

It’s just one step and it won’t stop ransomware on its own, but it’s a small step that YOU can take. In my next article I’ll continue with products that help you detect ransomware and look at where those products help: proactively, by preventing on the desktop, or in other areas. Stay tuned.

 

