The New Scourge of Ransomware 3: Recovery and Defenses

The experts shift their focus to CryptoLocker attack mitigation and touch upon the cooperation between law enforcement and the security industry on this case.

Staying on the safe side

John Bambenek: So, a little bit of recovery and defenses (see right-hand image). A lot of this is best practice stuff. If you get your files encrypted, well, if they are important you should have them backed up and you should be able to recover them. If you run Windows 7 and greater, there are shadow volumes, where you can restore previous versions, assuming you can do it in a reasonable time frame. There are some ninja forensics tricks that can be done.

Lance James: Right. For instance – and the probability of it was really low, so again, backups are the number one thing – there was a Temp file that was generated while it was actually encrypting your data. The problem with the NTFS journaling file system is that the overwrites are pretty quick. So we recommend that people shut their computers off the minute they know about this, in hopes that we may be able to get still-available “deleted” files. This was an off chance of getting some or getting not. And in some cases, memory analysis can recover some files that were in use at that time. So, these are some of the tricks.

John: You can prevent execution out of the updated directories. There are more precise path names you can use that you can look up online, but keeping things executing randomly out of there isn’t recommended. You know, a lot of email-based malware and the like would be executed out of there if you’re mindless enough to do it.

Could you save it to your desktop? Sure. And some spam campaigns actually tell you to do this: “Oh, here’s your shipping invoice. Please save this to your desktop before you try to run it.” But this provides at least one layer of defense that requires the user to do something else to override it. And then, obviously, you can block the C2 addresses with whatever is provided for intelligence.

Lance: This actually goes into that reversing DGA. The C2s in this case were over 1020 domains per day. Most of you guys understand the domain generation algorithm concept, right? I’m going to kind of break it down very simply. Basically, the idea is to be resilient and autonomous, very little hands-on when it comes to opportunistic stuff, Gameover ZeuS also being like this. DGA generates domains every single day, the strings. Those are usually random strings. When the malware gets on an environment or on an asset, it will go out and scan, based on the timestamp, for 1020 domains out there. And it will go and look for the one that hits and actually says, “Hey, I’ve got this.” So they don’t register all the domains, they register a few, maybe one or two or three. Now, also we registered a bunch, including Georgia Tech, and registered most of them on purpose so that we actually have daily stats and a low minimum window here.

In that case, though, when you want to look at prevention, one thing we did was we reversed the DGA and made sure that it was current and accurate. You did a lot of testing on those things, John. So we did this and we provided it in a feed, a different way. Some people threw it in their feeds. I think you had a free feed. We wanted to get it out to everybody. Once that feed hit in and you’ve got that in your proxy, if it blocked it then it could not get into those, because we were generating one day ahead every day. That was preemptive, you had detection – oh, there’s that box, it has Crypt0L0cker on it. But it can’t reach out. If it can’t reach out, it can’t get the key from the C2. So it’s a very important piece.

John: And something we noticed is that there were periods when they simply had no domains registered. CryptoLocker would keep scanning and keep scanning. They didn’t need to have domains registered. As soon as they popped up on the radar, you get your key, they get paid. For instance, the Russian New Year – there was nothing registered for about 8 days. We thought they just went away until somebody realized that’s a week when Russians pretty much drink non-stop. So they are just not worried about it.

Lance: Stereotypically, they drink non-stop. I want to say one thing, if you actually heard what was just described here, what John just described, whether it’s stop or not. Is everybody familiar with randomness and entropy, like we see this in passwords and things like that? Entropy, for anybody who doesn’t know, is the measurement of how random or pseudorandom something is on a computer. In this case, the strings here, your average domain, the properly used non-malicious domain is about 3.4 bits per byte in general, but it goes up to 3.7, and it can go down based on the string size.

In this case, these things were raised to over 4.0 bits per byte for each string case. Now, also what’s interesting is, as it’s getting none of those things during the Russian New Year, you would see NXDs, non-existent domain responses. So if you see an asset throwing 1020 DNS requests in less than a minute pretty much and get a ton of NXDs back, or non-existent domain responses, you might want to make a rule for that on your network and say, “Why is that even occurring?” Especially if you look at your cache and say, “I’ve never seen those domains in my life, they haven’t been on our network before.” So these are the kind of things that you would want to do for use cases, or prevention as well, preemptively, because it also might pop off other malware that you’re not aware of yet.

Threat intelligence response

John: As I said, as a community we responded about a month late to this, but we eventually woke up and saw the threat for what it was (see left-hand image). Seeing police stations infected with this and getting news media coverage – that certainly helped, you know, that was certainly inflammatory. The sophistication got noticed. Ultimately, it was something novel and new. I mean, it was ransomware done right, this is something new. So we started paying attention to it.

And it also made a good case study on how to do threat intelligence. A lot of people talk about how to do it, but not much in the way of nitty-gritty of how to do it. This particular campaign – and we’ll go through some of the steps – made that very easy. I’ve spent time traveling around teaching people, using this as my case study of how to profile a threat actor and a threat to create an intelligence product and take action to disrupt it.

Combining the efforts

Eventually, as I said, we woke up, we saw the threat, and we created a working group specifically around it (see right-hand image). I don’t know how many people were on various kinds of private intel sharing lists, but there are several of them where there’s an overlap to a degree, but not completely. So, while many of us are on all of the lists, some of us aren’t. So eventually, I just got frustrated because they all have their sharing rules, where one group can’t share with another unless authorized. It’s four different groups talking about it, and I got tired of trying to keep track of what lists I could talk about what on. And I just said, “You know what, one threat – everybody who’s interested, talk here,” and created a working group around it.

Ultimately, about 160 people worldwide took part in this group, and each brought their own special skillsets. When you talk about reversing a DGA, that’s a different skillset because that’s math. Then, reversing malware or tracking the infrastructure takes a lot of different skills to holistically go after one particular threat. And this provided a venue to do something.

Lance: And the industry-to-law-enforcement relationship very quickly became bidirectional for this on that working group. The industry and law enforcement really teamed up very quickly with this working group to work together. There would be phone calls left and right from different people to different people doing different pieces, still keeping it somewhat in the community and not everybody on the working group would know about every piece. But it actually encouraged law enforcement to be very much involved and utilized the industry very quickly, which is something that needs to be starting to happen, but with, obviously, some set expectations.

John: Absolutely. You know, the FBI is talking, “Oh, please, share data with us,” but there’s nothing in return, and that’s a frustration. That’s something that changed with this. I’m sure it happened in other threats. This is just the one I had visibility to.
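Added example, not part of the talk: a sketch of the network rule Lance describes earlier, flagging a host that receives a burst of NXDOMAIN answers for never-before-seen names within a minute and whose queried labels pool to more than 4.0 bits of entropy per character. The log tuple format, the 100-lookup threshold, the choice to pool labels before measuring entropy, and all hosts and domains are assumptions constructed for the example.

```python
import math
import random
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 60       # the talk: the burst completes in under a minute
NXD_THRESHOLD = 100       # assumption: alert well below the full 1020 lookups
ENTROPY_THRESHOLD = 4.0   # the talk: DGA strings measured over 4.0 bits

def shannon_entropy(text):
    """Shannon entropy of the character distribution, in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def detect_dga_bursts(events, known_domains):
    """events: time-ordered (ts, client, qname, rcode) tuples.
    Returns {client: (nxd_count, pooled_entropy)} for hosts that look like DGA scanners."""
    windows, alerts = defaultdict(deque), {}
    for ts, client, qname, rcode in events:
        # Only never-before-seen names that failed to resolve are interesting.
        if rcode != "NXDOMAIN" or qname in known_domains:
            continue
        win = windows[client]
        win.append((ts, qname.split(".")[0]))
        while ts - win[0][0] > WINDOW_SECONDS:
            win.popleft()
        if len(win) >= NXD_THRESHOLD and client not in alerts:
            # Pool the labels: one short label cannot reach 4 bits on its own.
            entropy = shannon_entropy("".join(label for _, label in win))
            if entropy > ENTROPY_THRESHOLD:
                alerts[client] = (len(win), round(entropy, 2))
    return alerts

def build_sample_events():
    """Constructed DNS log: one scanning host, one noisy-but-benign host, one normal host."""
    rng, events = random.Random(7), []
    for i in range(1020):   # 10.0.0.5: random labels, all NXDOMAIN, ~51 seconds
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxy") for _ in range(14))
        events.append((i * 0.05, "10.0.0.5", label + ".example", "NXDOMAIN"))
    for i in range(200):    # 10.0.0.9: repeated lookup of one missing internal name
        events.append((i * 0.2, "10.0.0.9", "wpad.corp.example", "NXDOMAIN"))
    events.append((3.0, "10.0.0.7", "www.example.com", "NOERROR"))
    return sorted(events)

if __name__ == "__main__":
    known = {"www.example.com"}   # stand-in for the resolver's history of seen names
    for host, (count, entropy) in detect_dga_bursts(build_sample_events(), known).items():
        print(f"{host}: {count} NXDOMAINs in {WINDOW_SECONDS}s, entropy {entropy} bits/char")
```

The host that repeats one missing internal name crosses the count threshold but not the entropy threshold, so only the host issuing random labels is reported.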
