The New Scourge of Ransomware 2: The Business Model Behind CryptoLocker

As the presentation continues, the researchers share their findings on the uniqueness of CryptoLocker ransomware and the reasons it was such a viable threat.

Emergence of CryptoLocker

John Bambenek: In August 2013, CryptoLocker appears. I get a call from one of my clients – that’s how I first found it – from a local government agency. Their director told me that, basically, everything got encrypted. It stumped all over the disk, so there was no real forensic work to be done, but they called and said, “Hey, can you help us out?” I said, “Ransomware, all the stuff is encrypted – no, I can’t help you out.” Then they go, “Please, it would really mean a lot to us.” I said, “I can bill you but I’m not going to give you anything in return.” They insist, “Please…” I said, “Fine, I’ll do it, whatever.”

I never got the data back. Well, actually, they are getting the data back now, but we’ll talk about that later. But at the time, there wasn’t anything that I could do about it. But it captured my interest. There are lots of things that this did differently that captured the imagination.

Lance James: I’m going to share my side of how we came into CryptoLocker and actually technically met, I believe. So, I get a call from a partner, a director at a company, a friend that was like a colleague, and he gets hit with it. And Mary Galligan, who is actually a Director of our company, came from the FBI, running the New York division for a very long time. So she gives our research group a call and asks us to take a look at it.

We start examining the crypto and everything, which we’ll go ahead and talk about in just a second, but the interesting part of it was that the person involved actually at first denied paying it and asked us for help. We started to look into it, trying to figure out how much it would cost them to pay versus doing forensics. As we all know, forensics is not a cheap process, nor is it a quick process.

At that time, Mary’s connections and some other stuff we work with, you know, she gave a call and we had sent our analysis over to her to open a case, actually, in New York. And then, from that point, the shifting stuff that goes on in law enforcement, it went over to D.C., because I believe they handle ransomware in general. And that kind of started the whole liaison of the FBI work and also with the UK’s NCA.

So, what happened then was John and I actually ended up being in certain circles together, kind of connected on this and both moved right about the same time on this. And we’re very diligent about moving forward quickly with this, and I think we both kind of synchronistically recognized the same issues need to happen: we’ve got to move on this, we’ve got to get the community going, so we started the working group.

How was CL unique?

John: Yeah, exactly. We met a lot of great people on the working group. We’ll talk about that a little bit more in a second. But CryptoLocker was the first, at least in my recollection, cryptography-based ransomware that did it right (see left-hand image). They were running C2 servers, or proxies, more accurately. They generated the public-private key pair, transmitted the public key to the victim, and everything got encrypted. The private key was never even on the proxy, it was on some backend server. But it never touched the victim.

They used a domain generation algorithm, generated a thousand domains a day, so there’s some resiliency in how they operated their command and control network. So they are thinking about things and they are like, okay, we are going to be able to move things fairly quickly. Gameover ZeuS was its sole delivery method. Initially it was some proof of concept stuff, but starting mid-August 2013, only Gameover ZeuS was how it was deployed.

Lance: I was talking to David Dagon last night from Georgia Tech who did a lot of the assistance on this part of the research, the relationship between CryptoLocker and Gameover ZeuS. And I didn’t want to post in his slides without bringing him on the stage. But basically, I advise that you reach out and talk to Georgia Tech a little bit about some of this research, because they put together not a suspicion of only Gameover ZeuS, but actually through the DNS research he did he was able to push together – this is GoZ, this is CryptoLocker, here’s the relationship. Some great work from him as well.

John: Yeah, there’s a lot of good people who did a lot of things on this. And the other aspect of this is it used Bitcoin for payment. It also used some other paycard systems. So it had some electronic delivery methods. I mean, Bitcoin – many of you know – is anonymous. It’s not private, but it’s an anonymous way of transferring money back and forth. Some of the paycard systems, again, operated outside the conventional financial system. So they were able to get money, to get paid. So it’s kind of a novel and interesting thing for me.

Immaculate modus operandi

But ultimately, this came down to the following: they had a viable business model (see right-hand image). I mean, we are talking about criminals, yes. But organized crime operates like a business, albeit one without morals.

Lance: Yeah. And one of the things in the highlighting from the previous slide as well as this business model – resiliency, if you haven’t noticed, is the theme in the last couple of years. Not only DGA, C2, all this stuff, but we saw a three-tier architecture. So, when we were looking at the C2, we called it “C2” but ended up calling it “C3”, because we had two layers of proxies, and then they were actually hiding the actual mothership for the data. So this actually took a lot of time extra for us security researchers and increased their business model efficiency quite well.

John: Absolutely. Maybe people don’t understand what I mean by “mob rules”, but these guys operate not in kind of your standard mob rules. The analogy I use is, for those of you who have watched “The Godfather” movie or anything involving the mafia, you know, you walk into usually a highly immigrant neighborhood and say, “Hey, you got a nice store here, it’d be a shame if anything happened to it. You pay us a little bit of money, we’ll take care of your business for you.”

So these guys – you pay them $300. I mean, prior to this, you may pay the ransom and you get nothing out of it. These guys made sure, as much as possible, you did.

Lance: You forgot the Russian accent there.

John: I was trying to do Italian.

Lance: Yes, but the point is … Russian mob. I’m just sayin’.

John: My accent sucks. But you smell great.

Lance: Thanks!

John: The other part of this business model you compare to credit card fraud or financial fraud. There’s an entire network that’s needed to really pull off credit card or financial fraud. You’ve got your kiddies in your watering hole stealing credit cards. You’ve got somebody buying them, people who are cloning them, you’ve got money mules – you’ve got all sorts of different roles involved in this.

With ransomware, all you need is a kit and somebody who’s walking to an ATM or whoever who can monetize Bitcoin. A very flat organization is necessary so that you’ve got high margins and low maintenance. So it’s something that really has ended up capturing the imagination of many other groups out there, which has led to the proliferation that we’re seeing.

Lance: I’ll bring up this – and it’s a speculation – but I feel that CryptoLocker, now that we’ve seen the success, if another returned, I can sense that the developer is going to be charging a lot more this time.

Tech sophistication

Okay, I’m going to cut through the tech details on CryptoLocker (see right-hand image). Let’s talk about the DGA for a second. I don’t want to rush into how the working group got together and all this stuff – but some of these little technical pieces we are going to kind of run to, but I’m going to fit them in between some of the stuff we’re talking about. There’s some funny stuff that comes up, for instance, the DGA that was used, which we’ll talk about as well later, is also a variant off of, if you look up domain generation algorithm on Wikipedia, minus a mod certain number is actually the one on Wikipedia as an example. There’s a little fast fact I wanted to give you.

Also, I’m going to kind of step into the relationship that occurred for us helping. The interesting piece with this was all the OPSEC involved in this. From the tier 1, tier 2 and tier 3 down to the public-key cryptography, down to the Win32 API – the crypto API was actually the native Windows system. So the architecture thought out with this was actually very clear. It wasn’t something that was just done overnight. The people working on this really sat down, architected and then engineered something.

One of the biggest concerns we had was, when we saw this from a security perspective and the slowdown it took us, it took a lot more people and quality and quantity to do it than maybe a few researchers could do to some other ransomware out there. One of the big pieces was that we were concerned about this epidemic. It was going to impact high. We saw the money and the actual copycats.

But how do you prevent something that works so well from suddenly being the next thing in the future? This was a big concern for us, and so a lot of the technical stuff, including the reversing of the DGA, and also the demise of the DGA in the first place – it really cleans up your viable business model we’re talking about. And it kind of scared us, because the word “CryptoLocker” has become synonymous with ransomware as a brand name for just ransomware. And we’ve seen a lot of copycats as well.
