Understanding CryptoKiller
By Buzz Hillestad
With the recent incident at Hollywood Presbyterian Medical Center in Los Angeles where medical records were ransomed for $17,000 by hackers, it is easy to see why the most recent variants of CryptoWall are a valid business model for organized crime.
Background
The original CryptoLocker debuted sometime in 2013. While CryptoLocker is what most people refer to today, it’s the variant CryptoWall that has garnered much of the fearsome reputation that so many of us know today.
CryptoWall 3.0 debuted in early 2015. According to Dell SecureWorks, there were 625,000 infections worldwide the first 6 months after its discovery while not long after that, in October, the number spiked to nearly 1 million infections.
The truth is that security firms and the authorities have not been able to slow the infection rate because the $325 million dollar extortion total (Cyber Threat Alliance’s calculation) has not drawn the massive attention needed to confront such a threat.
A company called Imperva stated it found Bitcoin Wallets from 670 victims who paid a total of $337,607, which was only a small subset of the actual number. Security Firm PhishMe has found similar results.
Based on the fact that 2 security firms have been able to peel back the layers of the financial business of the threat, they suggest that if the proper authorities got involved, they could be successful in hurting the business model extensively. More attention is certainly needed.
How It Works
The most common vector of infection of this ransomware is through an infected email attachment. In this case, the user has to open the attachment, usually a zip file, and execute the file within.
Another common attack vector of this ransomware is through what is called a drive-by-download. That is when a user visits an infected website or web ad and downloads the executable into the browser cache. The executable is then run as the user using the computer. Another attack vector that is used to a lesser extent is the ransomware can be downloaded to the computer by another piece of malware.
In all cases, the ransomware uses what is called a dropper to “unpack” itself and start its nefarious purpose. The dropper has 3 phases in which it decrypts itself using various API calls to memory. It is then injected into the SVCHOST.exe. Once it is in that process, it acquires a lot of system information like computer name, processor speed and type, etc. It uses this information to generate a global MD5 hash, which it uses as the victim’s ID for encrypting the files.
Then the ransomware generates its I2P or TOR network proxy and URL list. These networks are used to anonymize the traffic back to the attacker’s command and control servers. They do this so law enforcement can’t trace the attack back to the attacker.
At this time, the main CryptoWall thread uses the Windows “Cryptographic Services” service to create the registry keys public encryption key. The same service is then used to crawl the user’s computer and network drives that are connected to that computer.
Protection and Mitigation
In information security we have several goals. Those include protection, detection, and response.
Protection
First let’s look at the attack vectors and how to protect against those. We discussed email attachments and drive-by-downloads. The following protections can decrease the risk of getting infected in the first place.
● Only allow email attachments to certain people in the organization that need them. This decreases the possible attack surface.
● Restrict the types of attachments that can be downloaded. Encrypted zip files should be automatically filtered out. If there is a true business need, take it on a case-by-case basis or use an email encryption software that you can upload legitimate attachments to and from email users.
● Reputation based web filtering decreases your risk of drive-by-downloads. It’s not 100% proof positive but gives enough risk mitigation to be a very valuable tool to help prevent the infections from happening in the first place.
● Website whitelisting is very effective in combating drive-by-downloads but can be an IT nightmare and resource intensive. It can also delay business processes in some cases so the risk mitigation is not always worth the cost of implementing the solution. Smaller organizations with dedicated IT staff usually are the most successful at this type of security control.
Once the email infection or drive-by download is on a system, there a few protections that you can employ too. CryptoWall uses a system of activities to achieve its goal. If any one of the system of activities is broken, you can stop the goal of the ransomware.
● In the “How It Works” section we discussed how it calls back to I2P and TOR networks to anonymize the traffic back to the command and control servers. Make sure you are blocking all traffic from your network to the I2P and TOR networks. Is there a business need for this traffic? If not, block it. At the very least, you can change your DNS on your network to loopback when those DNS entries are queried.
● We also discussed how dependent the ransomware was on the Windows “Cyptographic Services” service. That service runs as a network service and provides three management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. The only service that is dependent on it is the Windows “Application Identity” service. This service determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced. So, as long as your workstation users do not need to install applications, accept trusted root certificates, or secure RDP connections, you might be able to get away with disabling the service and hence breaking CryptoWall’s ability to achieve its goal.
● Another clever way to fight the spread of CryptoWall to your share drives from a workstation that is infected is to use shortcuts for the drive shares instead of UNC drive connections. The ransomware cannot find the shares and hence does not spread to shared resources.
Detection
Several great ways to detect CryptoWall activity, if you don’t have an anti-malware solution that can detect the activity is to alert on “Cryptographic Services” activity on your systems. Other great methods for detecting it are
● Alert of file system activity on workstations above a certain benchmark. There may be some false positives but if you have a workstation and several servers screaming alerts at you, this might be a good indicator of the encryption activity.
● Alert of attempts to access I2P and TOR networks coming from your network. These applications rarely have a business need and can also key you into to other potentially nefarious activities happening on your network.
Mitigation
Unfortunately there aren’t many ways to mitigate this ransomware once it’s on your network and has encrypted your files. The known ways are as follows.
● Older variants use private cryptographic keys that have been published. This is pretty rare now days.
● Pay the ransom and hope you have a decent criminal on your hands that will follow the business model. – Not ever recommended unless you have no other options!
● Restore your files form a separate backup system that is not a sync cloud drive or UNC path on a spate server, as those backup solutions are susceptible to CryptoWall. This requires good backups, backup process, and recent backups. If you did this, you’ll just need to find the infected workstation(s) and delete the executable from the Startup folder and the following registry keys.
o HKCU\Software\Microsoft\Windows\CurrentVersion\Run
o HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Knowing is Half The Battle
Now that you know how CrytpoWall works and how to exploit its processes, you should be able to thwart an incident with this ransomware. We suggest implementing as many of these protects, detections, and mitigations (if necessary) to form a thorough layered security approach and preventing this kind of ransomware from causing you an IT nightmare.