The New Scourge of Ransomware 5: Human Intelligence Findings on CryptoLocker

Lance James and John Bambenek continue their CryptoLocker findings: human intelligence (HUMINT) details, the attackers' communication with victims, the domain generation algorithm, sinkhole-derived infection statistics, and forensics on seized drives.

Intel needs to be active

Lance James: We’re also sending a message quickly, and we need to keep that message going. You even saw the FBI has been doing it lately, they’re sending a message. They’re getting progressive, they’re moving forward, they’re trying to say, “Hey, we’re here and we’re not stopping, we’re going after this.” And the interesting thing is, we’re also trying to say we’re not going to let this keep going, we’re going to take this back. A lot of people say “offensive” and imply hacking back, but it’s really taking back. That’s what I think this was, offensive meaning proactive maneuver to actually really aggressively get this shut down. I mean, it was less than a year that this thing lasted, which is kind of a record breaker there.

John Bambenek: Yeah, and I feel bad about it, because we should be able to deal with this in weeks, not years.

Lance: There were a lot more events than we anticipated, it took us by surprise. I think it forced a difference in how we did things. We didn’t just have single, lone wolves doing things. Everybody did work together on this. In some ways, you think it’s a miracle, because it’s tough when you have competition between all these different people, but that all disappeared, which I think was a remarkable part.

John: Yeah, absolutely. And one last point is that there’s only so much you can do with passive intelligence. Every now and then you need to poke the bunny and see what they do.

Lance: Please consult your lawyers and your local sheriffs.

John: You know, and there are some things you can do without law enforcement. At one point, they were using a DNS registrar that was known for hosting APT. Somebody gave me the email contacts and I emailed over there, “Hey, these domains are hosting CryptoLocker. By any chance, do you have actual, real identifiable information for them?” They ended up just shutting the domains down. So, at that point, alright, how do they react to that? Well, they kept going back and kept going back. After a week of me shutting their domains down, they moved to another registrar, and then a month later they moved back to the other one in China. So, another contradictory indicator is saying, okay, what are these people doing? It didn’t make a whole lot of sense.

Human intelligence findings

… Which kind of goes into some human intelligence of trying to get inside their heads, seeing what’s going on (see left-hand image). And ultimately, this was a very lucrative cash crop for them. They didn’t necessarily have this as their primary motivation. This was something they were using to fund something else. We know what that is, but we can’t tell you. But this is something that we were able to find in observation and poking the bunny.

Lance: It’s not personal, we just can’t tell you.

John: Yeah, strictly business. But they also had some good OPSEC skills, to a degree; they made some mistakes. They had the framework for fast-flux and double-flux. Once we got our hands on their proxies, they spent a lot of effort scrubbing things that we could otherwise use.

Attackers' modus operandi

Another thing, I believe they bought their DGA from another provider (see right-hand image). They never changed it, it’s really easy to change. I think they bought it, somebody plugged it in, they ran with it.

Lance: Wikipedia…

John: Yeah, exactly. And that Wikipedia article with that DGA example was posted at literally the same time as CryptoLocker emerged using that DGA. An individual outed himself as probably more involved than he cared to, just by posting to Wikipedia. Thanks for that, buddy!

Lance: The code is clean and simple.

John: Exactly. Again, you paid your ransom – you got your files. Standard mob rules, you know. They’re crooks, but they’re honest crooks.

Lance: Well, I still have a debate on this. You get infected, you get your files unencrypted, but you’re still infected with ZeuS, which does something else like bank stealing and things like that. So, what do you do next? Those are the things that, in an environment, you have to ask yourself. If you’re at home, you probably don’t know ZeuS is still on your computer. There was always an interesting debate on that: well, they’ve got you there, but some other piece of it also has you. Obviously, the effectiveness of shutting down the ZeuS piece with this was one of the agendas for us.

John: Absolutely. So, some other stuff, sitting there and searching out, finding the stream of communications of victims that they had with the attackers. You know, there were people reaching out, “Hey, let’s try to work something out,” they didn’t tend to show mercy, but they tended to do troubleshooting.

Interaction with infected users

Lance: Yeah. I’m going to read this. Basically, we collected some of the communication that had gone on for the ransomware (see left-hand image). And one of them kind of hit me hard personally, it said, “I’m a single mother and we three live thanks to my work, and I can’t lose it.” But ransomware had infected her work computer. It continues, “There’s a lot of rich people but we aren’t, and I have to work 10 hours from Monday to Sunday to take care of my children. Need your help, tell me as soon as possible how to get my files without Bitcoin, please help.” And this was an issue with both the availability of Bitcoin to a layperson, and also people living at $300 can’t afford this, and it is their work, and it could cost them their jobs. I made my own opinion on this, and I think it was right, where these people are just the lowest of lows, and this kind of highlights why we got aggressive very quickly.

Domain Generation Algorithm details

John: A couple of fast facts about the DGA (see right-hand image). It’s something that was seen before. It was actually used on a previous campaign dubbed Flashback, which was a Mac based malware. You know, Flashback, CryptoLocker, Windows stuff gave us the idea that this was bought and then just implemented, and this was not something that they developed.

DGA code

Lance: It’s known as Taus88 randomness. There’s a lot of academic papers, actually, on the technique for this. Really simple, mostly modulus-based. This is the actual algorithm based off of Wikipedia. The actual modulus was slightly different, but this is just a tweak. That’s how they would do this (see left-hand image).

Map of infection

John: So, here’s the map of infection to give you an idea of the heat map (see right-hand image).

Lance: These were actually obtained through sinkholes. This is the importance of sinkholes. They are the things that gave us a lot of this information.

CL infections by country

John: These are raw infection counts. But a much better intelligence indicator was doing this per capita, showing the infections per country (see left-hand image). And what we noticed was that for Canada, Britain and Australia, there were identical infections per country. Canada was about 75% of that, and that gave us an indicator that they were using the English language as being the primary language on the PC. That’s how they were doing their selection, because part of Canada is, obviously, French-speaking. There are plenty of other places that speak English, and that’s why you see the noise, kind of a trail of other countries, like Thailand, France, whatever. There are some English-speaking expats, or whoever, there. So, that gave us some interesting information.

HDD forensics in a nutshell

Lance: So, we were able to access seized drives and we did some hard drive stuff (see right-hand image). Given the time constraints and some of the details of continuing investigations, we can give you some highlights. The OPSEC was higher than was expected. I mean, we didn’t really not expect it, but in most situations when you find seized drives most people don’t think about the fact they are “seized” in that they’re removed from the computer and moved into another environment. So, for the tier 1 proxies it was all in memory configs. They had nginx going on and they would actually run the config and then delete that config. If this got removed off of it, that’s gone.

We were lucky to use memory analysis to actually find a lot of this separate information in bits and pieces. In tier 2 – same way. The mothership used dm-crypt to encrypt the drives. We also had to use memory analysis and tweaking of some mounting issues that it also had, because they were kind of trying to obfuscate some stuff. But we were able to pull some keys, IPs – the locale was Russian – and a bunch of other stuff. Hopefully, further on we will be able to give a lot more information about the entire thing, which can be its own talk. But it was very interesting stuff.

John: And the proxies may or may not have been vulnerable to Heartbleed at certain points in time. That’s unclear on that point.
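The DGA passages above (the "bought" Taus88-based generator, the Wikipedia example, and the sinkholes that produced the infection map) can be tied together in one added example. This is not the code from the speakers' slide or from the malware: the stepping constants are L'Ecuyer's Tausworthe-88 generator, and seeding its three components from day, month and year follows the Wikipedia illustration the talk refers to. The per-letter modulus of 25, the number of domains per day and the TLD list are assumptions made for illustration (the speakers say the deployed modulus differed), and the DNS log lines are constructed. The example also shows a caveat a practitioner would check: Taus88 expects its seeds to exceed 1, 7 and 15 respectively, so seeding straight from a date collapses the month component for January through July.

```python
"""Tausworthe-88 (Taus88) domain generation and sinkhole-side matching.

Added illustration, not the code shown on the slide. Constants are
L'Ecuyer's Taus88; seeding (day, month, year) follows the Wikipedia DGA
example. Modulus 25, count per day and TLDs are assumptions.
"""
from datetime import date, timedelta

MASK32 = 0xFFFFFFFF


def taus88_step(s1, s2, s3):
    """Advance the three 32-bit Taus88 components once; return the new state."""
    s1 = (((s1 & 0xFFFFFFFE) << 12) ^ (((s1 << 13) ^ s1) >> 19)) & MASK32
    s2 = (((s2 & 0xFFFFFFF8) << 4) ^ (((s2 << 2) ^ s2) >> 25)) & MASK32
    s3 = (((s3 & 0xFFFFFFF0) << 17) ^ (((s3 << 3) ^ s3) >> 11)) & MASK32
    return s1, s2, s3


def dga_domains(day, count=3, length=16, tlds=("com", "net", "org")):
    """Domains for one calendar day: seed = (day, month, year), one letter per step.

    Caveat: Taus88 needs s1 > 1, s2 > 7 and s3 > 15, otherwise a component
    becomes 0 and stays 0. Seeding from the date violates that for day 1 and
    for months 1..7, so those components stop contributing and the output
    is driven by the remaining state words alone.
    """
    s1, s2, s3 = day.day, day.month, day.year
    domains = []
    for i in range(count):
        label = ""
        for _ in range(length):
            s1, s2, s3 = taus88_step(s1, s2, s3)
            label += chr((s1 ^ s2 ^ s3) % 25 + ord("a"))  # letters 'a'..'y'
        domains.append(f"{label}.{tlds[i % len(tlds)]}")
    return domains


def dga_window(center, days_before=3, days_after=7, **kw):
    """All domains for a window of days around `center`.

    A sinkhole operator registers ahead and tolerates victim clock skew, so
    the match set covers a few days back and a week forward.
    """
    out = set()
    for offset in range(-days_before, days_after + 1):
        out.update(dga_domains(center + timedelta(days=offset), **kw))
    return out


def flag_dga_queries(log_lines, window):
    """Return (client, qname) pairs for log lines whose query name is in `window`.

    Expected line shape (constructed for this example): '<timestamp> <client> <qname>'.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in window:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    today = date(2014, 1, 7)
    window = dga_window(today)
    # Constructed DNS log lines, not real traffic.
    sample_log = [
        f"2014-01-07T10:02:11 10.0.0.5 {dga_domains(today)[0]}.",
        "2014-01-07T10:02:12 10.0.0.5 example.com.",
    ]
    print(flag_dga_queries(sample_log, window))
```

The seeding flaw is worth noticing because it is exactly the kind of thing a buyer who "never changed it" would not know about: for most of the year the generator runs on fewer effective state bits than its design assumes, which makes the day's domain set even cheaper to precompute for sinkholing.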
Read previous: The New Scourge of Ransomware 4: CryptoLocker Study in Contradictions

Read next: The New Scourge of Ransomware 6: CryptoLocker Takedown
