{"id":21024,"date":"2017-03-02T23:37:13","date_gmt":"2017-03-03T06:37:13","guid":{"rendered":"https://www.webroot.com/blog/?p=21024"},"modified":"2018-01-30T11:11:53","modified_gmt":"2018-01-30T18:11:53","slug":"behind-the-scenes-ransomware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2017\/03\/02\/behind-the-scenes-ransomware\/","title":{"rendered":"Behind the Scenes with Ransomware"},"content":{"rendered":"<h5><strong>Locky (.osiris)<\/strong><\/h5>\n<p>O Locky, Locky! Wherefore art thou, Locky?<\/p>\n<p>Alas, could Locky be no more? At the beginning of 2017, data from the field suggested potential Locky infections had decreased dramatically, so we were hoping it was on its way out. Unfortunately, Locky returned with a vengeance, though it had changed its methods somewhat. Upon further investigation, we located a number of binaries in %temp%, \u201ca1.exe\u201d and \u201ca2.exe\u201d, and instantly saw a connection to Nemucod, the name given to a family of JavaScript droppers.<\/p>\n<p>After additional research and decompiling several scripts, we\u2019ve come to the conclusion that the same scripts used in previous months to distribute the .crypted \u201cNemucod\u201d ransomware were suddenly downloading Locky and Kovter instead. Why the change?<\/p>\n<p>Various online reports suggest that Necurs\u2014a set of rootkit\/botnet control servers\u2014had gone offline. These were the same servers that sent out massive amounts of spam containing Locky droppers. Based on the information available, we think the bad guys changed their delivery method when these servers fell out of commission. (Incidentally, blocking the %temp% files blocks the infection, so we\u2019re in a good position here!)<\/p>\n<h5><strong>Nemucod<\/strong><\/h5>\n<p>The Nemucod script developer used a simple script that runs a second script hosted on a compromised website. Those websites then randomize the contents of the hosted script every few minutes. 
This means that security solutions that still use static signatures are often laughably ineffective at stopping these threats. The randomized website script is not part of the initial script, and is only readable via attachment to the WSCRIPT.exe process.<\/p>\n<p><em>Initial script received via email:<\/em><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-21044\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/ransomware1.png\" alt=\"ransomware1\" width=\"1274\" height=\"62\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/ransomware1.png 1274w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/ransomware1-768x37.png 768w\" sizes=\"(max-width: 1274px) 100vw, 1274px\" \/><\/p>\n<p>As you can see, the script above uses \u201cGET\u201d to grab the response text from 1 of 5 compromised websites (var x) and evals that response text.<\/p>\n<p><em>Sample response text from a compromised site:<\/em><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-21026\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware2.png\" alt=\"Ransomware2\" width=\"1422\" height=\"175\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware2.png 1422w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware2-768x94.png 768w\" sizes=\"(max-width: 1422px) 100vw, 1422px\" \/><\/p>\n<p>When de-obfuscating scripts, I find it simpler to reverse the function used to evaluate the obfuscated content. 
I de-obfuscated this response script by using the initial script above with the previous function for the variable z2, which is actually eval, as follows:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-21028 alignleft\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware3.png\" alt=\"Ransomware3\" width=\"309\" height=\"18\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware3.png 309w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware3-768x44.png 768w\" sizes=\"(max-width: 309px) 100vw, 309px\" \/><\/p>\n<p>was modified to<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-21030 alignleft\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware4.png\" alt=\"Ransomware4\" width=\"391\" height=\"19\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware4.png 391w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware4-768x37.png 768w\" sizes=\"(max-width: 391px) 100vw, 391px\" \/><\/p>\n<p>Here\u2019s the final script, which downloads and runs the files (a1.exe and a2.exe).<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-21032 alignleft\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware5.png\" alt=\"Ransomware5\" width=\"1754\" height=\"86\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware5.png 1754w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware5-768x37.png 768w\" sizes=\"(max-width: 1754px) 100vw, 1754px\" \/><\/p>\n<p>Below is an example of the network traffic from this script, where the &amp;r parameter is the downloaded payload.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignleft size-full wp-image-21034\" 
src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware6.jpg\" alt=\"Ransomware6\" width=\"557\" height=\"179\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware6.jpg 557w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware6-768x246.jpg 768w\" sizes=\"(max-width: 557px) 100vw, 557px\" \/><\/p>\n<h5><strong>CRYSIS<\/strong><\/h5>\n<p>This ransomware is still only being distributed via compromised user accounts on RDP-enabled machines. The most recently used extension is \u201c.wallet\u201d and it\u2019s very common to see the ransom note email as <a href=\"mailto:*@india.com\">*@india.com<\/a>.<\/p>\n<p>Below is a ransom note example:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignleft size-full wp-image-21036\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware7.png\" alt=\"Ransomware7\" width=\"743\" height=\"391\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware7.png 743w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware7-768x404.png 768w\" sizes=\"(max-width: 743px) 100vw, 743px\" \/><\/p>\n<p>Samples:<\/p>\n<p><a href=\"https:\/\/www.virustotal.com\/en\/file\/31fc83f5e70515777fb4919cf249e3d2208895b96060f68a270f97377944b362\/analysis\/\">https:\/\/www.virustotal.com\/en\/file\/31fc83f5e70515777fb4919cf249e3d2208895b96060f68a270f97377944b362\/analysis\/<br \/>\n<\/a><a 
href=\"https:\/\/virustotal.com\/en\/file\/79b08105bbe4b7b407be42656f43c1533c725f951bc4f73c3aa9f3e68d2b3a15\/analysis\/\">https:\/\/virustotal.com\/en\/file\/79b08105bbe4b7b407be42656f43c1533c725f951bc4f73c3aa9f3e68d2b3a15\/analysis\/<\/a><\/p>\n<h5><strong>Spora<\/strong><\/h5>\n<p>We discovered Spora last month, but data from the field suggests it isn\u2019t too prevalent. The most common infection vector for Spora is Google Installer messages, which are displayed by third-party advertisers while browsing the web. The total cost of all services is $120, which is significantly less than other ransomware variants demand, many of which ask for at least 2 Bitcoins.<\/p>\n<p>The image below illustrates the different prices for various services.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignleft size-full wp-image-21038\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware8.jpg\" alt=\"Ransomware8\" width=\"499\" height=\"187\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware8.jpg 499w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware8-768x287.jpg 768w\" sizes=\"(max-width: 499px) 100vw, 499px\" \/><\/p>\n<p>It also attempts to delete shadow copies via vssadmin.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignleft size-full wp-image-21054\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware11.png\" alt=\"Ransomware11\" width=\"861\" height=\"35\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware11.png 861w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/Ransomware11-768x31.png 768w\" sizes=\"(max-width: 861px) 100vw, 861px\" \/><\/p>\n<h5><strong>SAMAS<\/strong><\/h5>\n<p>This ransomware is distributed via compromised JBOSS servers and usually propagates to every system 
on a network. The most recently used extension is an ironic \u201c.weareyourfriends\u201d. It usually installs in %System32%, since it typically runs with administrative rights.<\/p>\n<h5><strong>Ransomware Staging Tool<\/strong><\/h5>\n<p>Script kiddies looking to make some money need look no further. This ransomware staging tool is exactly what it sounds like: a utility where you just enter your information, browse the folders you want to encrypt, and wait for the money to roll in! We\u2019ve seen a number of variants similar to the binary below. This is so new that it doesn\u2019t yet have its own name, but all variants have been found on compromised RDP systems.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignleft size-full wp-image-21040\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/ransomware9.png\" alt=\"ransomware9\" width=\"566\" height=\"518\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/ransomware9.png 566w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/03\/ransomware9-768x702.png 768w\" sizes=\"(max-width: 566px) 100vw, 566px\" \/><\/p>\n<h5><strong>Statistics<\/strong><\/h5>\n<p>Over the last couple of months, the data we\u2019ve seen underscores how important it is for system admins to secure RDP. Unsecured RDP essentially leaves the front door open for cybercriminals. 
And since modern criminals can just encrypt your data, instead of having to go through the trouble of stealing it, we shouldn\u2019t make it any easier for them to get what they want.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Locky (.osiris) O Locky, Locky! Wherefore art thou, Locky? Alas, could Locky be no more? At the beginning of 2017, data from the field suggested potential Locky infections had decreased dramatically, so we were hoping it was on its way out. Unfortunately, Locky returned with a vengeance, though it had changed its methods somewhat. Upon [&hellip;]<\/p>\n","protected":false},"author":65,"featured_media":21104,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[20629,10621,3769,20623,20631,20625,6329,20637,19929,3937,20633,20621,20197,19145,20627,3895,5953,4417,20635,3471],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/21024"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=21024"}],"version-history":[{"count":18,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/21024\/revisions"}],"predecessor-version":[{"id":21142,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/21024\/revisions\/21142"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/21104"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=21024"}],"wp:term":[{"taxonomy":"c
ategory","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=21024"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=21024"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=21024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}