When you combine cryptography with malware, you get a very dangerous mix of problems. This is a type of computer virus that goes by another name, “ransomware”. This type of virus is part of a field of study called “cryptovirology”. Through the use of techniques called phishing, a threat actor sends the ransomware file to an unknowing victim. If the file is opened it will execute the virus payload, which is malicious code. The ransomware runs the code that encrypts user data on the infected computer or host. The data are user files like documents, spreadsheets, photos, multimedia files and even confidential records. The ransomware targets your personal computer files and applies an encryption algorithm like RSA which makes the file unaccessible. The only way to access them is if the user pays a ransom to the threat actor by following instructions which appear encoded into the encrypted files. Thus it is called ransomware, because a form of payment is demanded in order to fix the problem.
The payment required must also be in cryptocurrency, in most cases Bitcoin. A more sinister type of ransomware will sometimes give users a deadline to complete the payment, otherwise the files could be lost forever. When the file is encrypted, the only way it can be recovered is with a decryption key or a powerful computer. The latter is not really available for most users so this makes attacks like this a very serious threat. The ransomware will also attempt to infect other computers on the network the infected host is connected to, so it also has worm like properties. It is also referred to as a “cryptoworm”. One of the earliest known ransomware to appear was Cryptolocker, which caused chaos between September 2013 to late May 2014. Ransomware is classified as a type of cybercrime that is sometimes mentioned under “Crime-as-a-Service” when used to extort money.
According to an IEEE Security and Privacy conference presentation in 1996 (Adam Young and Moti Yung), this is how ransomware works:
When the threat actors are one step ahead it becomes very important to be able to prevent these attacks and also find the ways to mitigate them. There are many variants now, and trying to keep up with the latest is becoming harder since these can be zero day attacks. I recently did my own analysis of ransomware using a lab to better understand how it works. I will provide the demo for informational purposes only, this should not be attempted at home unless you know what you are doing. These have grave consequences and if you are caught spreading an actual computer virus, that is punishable by law. I created a sandbox that is not connected to a production network, but rather isolated in its own environment. I then used a modified (less malicious) version of the ransomware for my analysis.
I have 4 computers for this lab using the TCP/IP protocol in a LAN setting. HOST1 running Kali Linux is configured to perform the attack against another computer called HOST2 which is running Windows 7. I also add a mail server with an AD domain running Windows Server 2012 called SERVER1. HOST1 connects to SERVER1, while HOST1 is a separate computer that is not a part of the domain. Finally there is a simple DNS server named DNS1 that provides name services and SMTP for the virtual environment’s network.
I use a static IP on all computers and created static DNS name entries to simplify this network, no firewall or router is between HOST1 and HOST2. These computers are running in their own network, not connected to any production environment. I won’t go into too much technical detail with the setup, but I have provided a network diagram below. There are other ways this setup could have been done which does not require a server. You can just open the infected message directly on a computer. The reason I setup the network is to observe how the ransomware tries to spread. (Note: No patches were applied and no Antivirus or third party security product has been installed for this demo)
Simple non-routed test environment. HOST1 will be the attacker and HOST2 is the victim computer.
Before I begin, let me discuss a ransomware called WannaCry aka WCry (May 2017) to give an example of a real ransomware attack. When this became news, I suppose it may have also been the first time many people have heard of Bitcoin, the cryptocurrency payment required by the ransomware. That must have shed some bad light on Bitcoin, as people will assume it is what criminals use for payments. For infected users who don’t know how to use cryptocurrency, this would have required a crash course. A user would have to make the payment using Bitcoin, which uses the BTC token. This would require users to go on a digital exchange and then buy a certain amount of Bitcoin. They must then make the payment to the public address provided by the ransomware. From that moment it is a waiting game, as anxious users await what happens next. The worst case is that the threat actors don’t send any decryption key and thus the data could be lost forever.
The reason threat actors use cryptocurrency for payments is to establish some anonymity, though by design Bitcoin is not designed for privacy. It is pseudonymous, which means that it can still be traced to a bank account or user on a digital exchange when cashing out is attempted. The problem is that there are many layers to uncover during an investigation because the Bitcoin can be passed from one address to another and then converted to another cryptocurrency. That is what makes tracking down ransomware payments much more difficult. This why preventing ransomware is very important to consider.
The WannaCry ransomware message.
WannaCry made use of an exploit on Windows operating systems that had a known vulnerability. Microsoft has a patch available for this vulnerability called MS17–010 (Microsoft security vulnerability affecting Microsoft Server Message Block 1.0 SMBv1) which can be downloaded from their website. This vulnerability exploits the Microsoft implementation of the Server Message Block (SMB) protocol. The ports 139 and 445 open on inbound connections on Windows computers running SMB will get infected if the patch is not applied. The NSA knew about this but did not share the information right away with Microsoft until after the leaks resulting from a compromised NSA server which contained the code that was the origin of this ransomware, courtesy of the Shadow Brokers.
The kill switch turns out to be an unregistered domain discovered as a flaw in the code which was supposed to unleash a payload that could do more damage. A researcher named “MalwareTech” who was investigating this, sink-holed the domain by registering it for $10.69 and that stopped the malware from spreading. How it started is not really known, but it appears to have been planted intentionally. Once the malware was planted, when executed it spread like a worm by propagating on vulnerable ports on unpatched Windows computers (from April 2017) and older versions of Windows without patches since April 2014, like XP and Server 2003 (Linux, Ubuntu, macOS and other Unix-variants were not much affected by this vulnerability).
The malware spreads by probing other computers running Windows on the same network, and beyond. Then like wildfire it spreads until a systems administrator will notice and immediately shut off firewalls or even turn off routers to prevent it from spreading. Now escalation is taken to another level with infected systems. This is because WCry encrypts the harddrive and all the data stored and requests a ransom of $300 to be paid in Bitcoin. Now this does not get any easier to ease the anxiety of the user because the ransom goes up if it is not paid within a certain amount of time. Paying in Bitcoin also increases the anxiety level since most users will not know much about cryptocurrency. There were an estimated 200,000 computers infected across 150 countries causing damages ranging from hundreds of millions to $4 Billion according to cyber risk firm Cyence.
I start from HOST1 to perform a phishing attack by sending an e-mail with the infected file. The infected file will be in Word format (DOCX file) and will be sent as an attachment from a bogus e-mail from HOST1 to the SERVER1 Exchange e-mail server on HOST2’s domain using an SMTP relay from DNS1. I did not configure any anti-relaying or anti-spam measures for this testing in order to work. I want HOST2 to receive the e-mail in its Outlook client by pulling the message from the Exchange server. So the message sent simulates a phishing attack. The message has the subject:
“URGENT: Please Open The File Attached To Fix Your Account”
The message is supposed to be from let’s say the victim’s hospital medical records department and in the message body we can write something like this:
========================================
Dear Valued Patient,
We recently detected strange activity from your account. Please open and read the file attached to fix the problem with your account.
Thank You,Customer Support
========================================
The message is made to appear urgent requiring a user to take immediate action. A threat actor or hacker will want the victim to open the message so they will try different tricks to make them open it. Messages like this would normally be blocked as spam by the company’s anti-spam filter or even quarantined by the antivirus because of suspicious attachments. All these are disabled for this testing, to simulate what could happen in the real world where security is sometimes not implemented properly. Without any protection from an AV or any other security product, the victim computer opens the message and double-clicks the e-mail attachment from Outlook. It then attempts to open the attachment in Microsoft Word.
The victim will get an error message trying to open the Word document that executes the ransomware code.
An error message appears and the victim will think the program has crashed. What is actually happening here is that the modified ransomware has executed code to release its payload, and this is where the fun begins.
At this point, the victim will probably assume the file attachment was corrupt and go about their day. In the background, the ransomware begins to unleash its code and starts to encrypt the victim’s personal files, beginning with the “Users” folder and then the contents in “My Documents”. The original files are not changed, but the encrypted copy is an entirely different file from the original, which is deleted.
Files are encrypted by the ransomware with a “+” sign enclosing a new file name.
The victim will then try opening a file on their folders and suddenly notice that the names have changed. All files were encrypted with the same name “+REcovER+dpyww+”, but retain their file type as can be seen from the screen capture. This naming convention actually was a modification of the original style for the purpose of study. You will also notice that the date modified will be the same for the encrypted files. In this case you can see there are 3 files with the same file name modified on 5/29/2018 at 3:59 PM. Time does vary, depending on how fast and how many files the ransomware enumerated and encrypted. The date modified will be consistent. Operating system and program files are not encrypted. When the victim opens the file, they will see the following message instead (see below).
The ransomware leaves a message for the infected victim. DISCLAIMER: DO NOT ATTEMPT to access the URL from the ransomware message. They are not trusted or verified safe. The links have been blurred for public safety.
As you can see this ransomware was based on “TeslaCrypt”. No matter what file the victim opens, it will be renamed to “+REcovER+dpyww+” and they all open up to the same message. In a real attack you can find several ransom notes dropped on the PC in different folder locations. These notes are titled RECOVER[random symbols].txt, Howto_Restore_FILES.txt or How_Recover+(random symbols).txt. They may also come in an HTML and PNG file format. The RSA encryption algorithm was used by this ransomware on the victim’s files. The way to recover the files requires a private key from the server that generated it. The server holds the public key as well which was generated from the private key. This actually secures data on confidential systems, but applied in ransomware it is quite sinister because it is a form of extortion to force victims to pay to have their data recovered. The victim will need the private key to decrypt the files, and that is provided if they pay the ransom.
Let’s analyze the message we get from the ransomware. You are going to read this line under “What happened to your files?”:
“All Of Your Files Were Protected By A Strong Encryption With RSA-4096”
This tells victims that their files have been encrypted using the RSA encryption algorithm which we briefly discussed. The 4096 refers to the number of bits used in the encryption also called the key length. This gives a total of 2⁴⁰⁹⁶ distinct numbers or 1,234 digits, so it is a very strong encryption technique. You are then told you will not be able to “work with them, read them or see them”. This is like losing them forever, so this does make a victim desperate to try and recover the files. The message then continues by informing the victim that there is a server with a secret key, the private key, which can decrypt the files. This means that the ransomware used a public key to encrypt the files on the computer. Now in order to recover these files, the victim will need the so called “secret key” which is actually the private key that is used for decrypting the files encrypted with the public key.
Ransomware uses a form of asymmetric Public Key Cryptography by encrypting a victim’s files using a public key generated from another computer. That computer holds the private key which is needed to decrypt the encrypted files, and it can only be easily decrypted using that private key.
The RSA algorithm involves 4 steps:
The threat actors have a key generation and distribution server which holds the private key. The problem is that the location of the server is hard to track because it can be in another country and its physical location remains a mystery unless there are clues.
The instructions then refer links to certain sites. I have not done this because I have no Internet connection, but in order to do this there is another requirement. Since the hackers want to keep things more under the radar they require the victim to install the TOR browser with a hyperlink to download. The TOR browser enables a more private connection which the hackers would need to avoid being easily tracked. There are more instructions to follow at the bottom of the message.
========================================
The server will destroy the key within 48 hours after encryption completed.
To retrieve the private key, you need to pay 2 bitcoins IMPORTANT YOU HAVE ONLY 48 HOURS IF U DON’T PAY ALL YOUR FILES WILL BE DELETED!
Bitcoins have to be sent to this address: (Bitcoin Address)
After you’ve sent the payment send us an email to : <e-mail address of hackers> with subject : DECRYPT-ID-<xxxxx>
========================================
It is easy to get caught up with the messages as the victim tries to find a solution. However another type of action might be taking place in the background. Certain ransomware attempt to spread the infection and it does this by probing ports on other Windows computers that are connected to the network. This variant and even the original did not have that behavior. Monitoring on ports 139 and 445 inbound on SERVER1 showed no signs of attack and there was no infection of files on the server either. There is a report that TeslaCrypt does attack network drives, but I was not able to create a network drive during this test. So it is still best practice to remove and isolate any infected system from the network as soon as possible.
Port connections on SERVER1(WIN-NUMCI79D3CL) show no established connection from the victim HOST2.
The best way to combat ransomware of any kind, is to have an antivirus or security software installed. It is also best practice to keep the operating system (Windows, Linux, macOS, etc.) updated with the latest software patches and updates from vendors. Microsoft allows users to run automatic updates on their systems. Perhaps the best method is prevention.
Remember the following (Source: TrendMicro):
Another very important thing to consider, and the right thing to do on production networks, is to remove computers running Windows XP. These legacy systems are no longer supported by Microsoft and the recommendation is to upgrade or retire these systems. They were one of the main reasons the ransomware spread so fast. These systems are outdated and very open not just to ransomware but other vulnerabilities, including zero day exploits. If they are still required because they are running a legacy software, then they must be isolated from the Internet as much as possible or secured by a firewall setting that blocks vulnerable ports going to the Windows XP system’s subnet. Even Windows 7 systems, which are no longer supported by Microsoft should be considered for upgrades. There is no guarantee of protection from newer variants of ransomware on older Windows systems.
For corporate networks with enterprise operations the spread of ransomware can have damaging results. It has happened with some banks e.g. Ukrainian banks. The threat actors could have been state sponsored with the intent of extorting money or in some cases just to encrypt files to prevent access to data (no ransom). Systems Administrators must have a defense against ransomware attacks by hardening ports with IPS/IDS and anomaly report monitoring with alerts should there be any detection. Virus definitions now can stop ransomware with installed antivirus products and there are other security solutions that can detect ransomware at the Network Layer. Other strategies include segmenting the network to prevent the spread of infected systems. That is a way to isolate the ransomware from further attacking the network.
Phishing techniques like the example used in the simulated attack, can be prevented by a sound IT policy that informs users to never open unverifiable attachments from untrusted sources. Sometimes the message appears legit with the spoofed e-mail address of a company manager. To further prevent these attacks spam filters with virus definitions can block the message when implemented on the e-mail server. The company e-mail server can also be configured to prevent using the domain address by using an anti-relay setting which will not allow other users to use their system to send e-mail unless they are a part of that organization. Some companies might also require a digital signature if the message was indeed sent from a higher up. There are different policies for each company that depends on their business rules.
Getting infected by ransomware is much different than a typical virus or malware. The infected computer’s files are encrypted and there will be a demand for a ransom to the victim in order to recover the files. Many make the mistake of paying the ransom, but in some cases they do not get the private key to decrypt the files. This can also be a scam by hackers in order to get cryptocurrency. In some cases the private key has been recovered by a cybersecurity company and made available for infected computers.
I don’t discuss the ways to clean an infected system, but there is good information available from the No More Ransom Project. Google is of course the best place to start looking for anti-ransomware tools and utilities, but for more serious infections contacting a professional computer service provider is the best way to solve the problem.
References:
Definition of Ransomware https://en.wikipedia.org/wiki/Ransomware
Cryptovirologyhttps://ieeexplore.ieee.org/document/502676/
WannaCry Ransomwarehttps://en.wikipedia.org/wiki/WannaCry_ransomware_attack
Encryption Methods Used in Ransomwarehttps://resources.infosecinstitute.com/a-brief-summary-of-encryption-method-used-in-widespread-ransomware/#gref
No More Ransom Project https://www.nomoreransom.org/en/index.html
Crime-as-a-Service, Threatens Businesshttps://www.entrepreneur.com/article/298727