Ransomware - No Sign of Relief, Especially for Australians
Posted by Carl Leonard on 25 February 2015 01:20 PM
Websense® Security Labs™ researchers observed that ransomware was a plague in 2014 and this threat type shows no sign of relief in 2015. In this blog we profile the user experience for a Torrentlocker variant focusing on the Australian region.
Ransomware is an umbrella name for a type of cybercrime in which the attackers restrict access to a computer until a ransom is paid to restore system access and function. Crypto Ransomware is a form of ransomware in which access to data is blocked by encrypting the data and withholding an encryption key until a ransom is paid to the cyber criminals. (Authors' note: We do not recommend that a ransom is paid to the cyber criminals).
We have seen that Torrentlocker rotates through many themes/lures/targets and tends to be low volume and targeted.
In the latter half of 2014 we observed fake Royal Mail lures (targeting UK end users) and Australia Post lures, but then Torrentlocker moved on to Turkish-themed lures (Turk Telekom, TTNET) and then New South Wales Government lures, of which we see a repeat in our current case study. There have also been Czech Post lures, TESA Telecom (Brazilian-themed) lures, Italian lures and others. The lures tend to be fake 'eFax' or 'penalty' download pages.
Our case study, the Australian-themed ransomware, exhibits the typical process from lure to infection.
Ransomware is most often distributed via email lures or via the web (compromised websites and malvertising). Today's case study used an initial email lure themed around speed-camera penalties. A typical subject is "Penalty id number - <random number> / Fixed by speed camera".
The lure email contains a URL (in this case pointing at a compromised WordPress host). The end user is redirected to a website that presents a call to action:
In this case we see a Penalty Notice claiming to be from the New South Wales Office Of State Revenue. For the avoidance of doubt, the OSR is a legitimate organization and its website is hosted at http://www.osr.nsw.gov.au/. Social engineering is needed to convince the end user to perform an action. Note the use of a legitimate-looking logo as well as a CAPTCHA entry form to add a degree of legitimacy to the fraudulent website and to encourage a further click. Hosts of the fraudulent website rotate, but include hxxp://nsw.gov.yourpenalty.com/ and hxxp://osr.nsw.mypenalty.org/. In both cases the registrable domain belongs to the attacker (yourpenalty.com, mypenalty.org); the leading "nsw.gov" and "osr.nsw" labels are just subdomains chosen to resemble the legitimate host. Similar variants on the theme will likely occur in the future.
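The two indicators above (the fixed subject template and lookalike hosts that embed "nsw.gov" or "osr.nsw" under an unrelated registrable domain) are easy to turn into a mail-gateway triage check. The following is an added example, not code from the original post or from Websense; the sample email is constructed, and the hostname check is a simple suffix test against osr.nsw.gov.au rather than a full public-suffix lookup.

```python
import re
from urllib.parse import urlsplit

# Subject template quoted in the post: "Penalty id number - <random number> / Fixed by speed camera"
SUBJECT_RE = re.compile(
    r"^Penalty id number\s*-\s*\d+\s*/\s*Fixed by speed camera$", re.IGNORECASE
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# The genuine OSR host named in the post; anything not under it is not OSR.
LEGIT_HOST = "osr.nsw.gov.au"
# Label sequences a spoofed host reuses to look official (assumption: these two suffice here).
BRAND_TOKENS = ("osr.nsw", "nsw.gov")


def is_lure_subject(subject: str) -> bool:
    """True when the subject matches the speed-camera penalty template."""
    return bool(SUBJECT_RE.match(subject.strip()))


def is_lookalike_host(host: str) -> bool:
    """True when a host borrows OSR/NSW labels but is not under osr.nsw.gov.au."""
    host = host.lower().rstrip(".")
    if host == LEGIT_HOST or host.endswith("." + LEGIT_HOST):
        return False  # genuinely under the legitimate domain
    dotted = "." + host + "."
    # Whole-label match: ".nsw.gov." must appear as consecutive labels, so
    # "newsw.gov.example.com" is not flagged while "nsw.gov.yourpenalty.com" is.
    return any("." + token + "." in dotted for token in BRAND_TOKENS)


def triage_email(subject: str, body: str) -> list:
    """Return human-readable findings for one message (empty list = nothing seen)."""
    findings = []
    if is_lure_subject(subject):
        findings.append("subject matches speed-camera penalty lure")
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if is_lookalike_host(host):
            findings.append("lookalike OSR host: " + host)
    return findings


# Constructed sample message (not a real captured lure).
SAMPLE_SUBJECT = "Penalty id number - 48213 / Fixed by speed camera"
SAMPLE_BODY = (
    "You have been recorded exceeding the speed limit.\n"
    "View your penalty notice at http://nsw.gov.yourpenalty.com/notice/48213 \n"
    "Office of State Revenue\n"
)

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_SUBJECT, SAMPLE_BODY):
        print(finding)
```

The whole-label comparison matters: a plain substring test on "nsw.gov" would also hit the legitimate www.osr.nsw.gov.au, which the suffix check above deliberately exempts.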
Once the end user has been duped into clicking through, they are presented with a warning notice:
Decryption instructions are provided via an HTML document dropped on the user's machine. This points the user to yet another website where they are encouraged to perform a transaction:
As is typical, the decrypter service website offers two prices for decryption. If the end user pays promptly, the price is 2.4 bitcoins (approximately 499 USD at the time); after 3 days it doubles to approximately 998 USD.
A timer is shown to encourage urgent action. The malicious website also reveals the number of files that have been encrypted. Instructions are provided if the user is unsure how to trade in Bitcoins.
As before, we do not recommend paying the cyber-criminals to decrypt the files. Success is not guaranteed. If you fear you may have encountered a ransomware website (at any stage of the threat lifecycle) you can check our view on that by submitting the site to our online CyberSecurity Intelligence website analysis tool at http://csi.websense.com/
This variant of Torrentlocker cycles through hosts under various top-level domains. We observed the generic .com as well as the country-code TLDs (ccTLDs) .at (Austria), .lt (Lithuania) and .ru (Russia). Variants included:
As mentioned above, the fraudulent OSR-themed websites also change frequently, which makes detection difficult without real-time detection technologies.
The Financial Services sector was the one most targeted by this particular campaign.
Protecting from Ransomware
Websense customers were protected at the time of this Australian-themed ransomware attack via real-time analytics within ACE, our Advanced Classification Engine. Protection is offered at the different stages of the attack detailed below:
Our File Sandboxing tool classifies the ransomware payload as Malicious in the report here.
At the time of writing (25 February 2015) the file sample has a detection rate of only 3 out of 57 anti-virus vendors in VirusTotal.
Ransomware will continue to evolve through 2015. Once a machine has been infected and its files encrypted, there is little that an end user can do to counter it. To strengthen your overall security posture we recommend that you raise awareness within your employee base of the dangers and signs of ransomware, and adopt suitable technologies to identify and block the threat in the early stages of the threat lifecycle.
Blog Contributors: Mark Haffenden, Nicholas Griffin, Carl Leonard.
Posted by ngriffin on 03 June 2014 10:06 PM
Zeus is a malware family that we encounter frequently, due to its popularity with cyber-criminal groups. Ever since the Zeus source code was leaked in 2011, there have been many new variants. One such variant is dubbed ‘GameOver’, which recently made a mark in the media after its infrastructure was seized by authorities.
The Websense® ThreatSeeker® Intelligence Cloud actively monitors this specific type of threat. In this blog, we illustrate some key metrics about Zeus GameOver.
Contributors: Nick Griffin, Elad Sharf, Ran Mosessco
Update: Do you have 3 minutes? See how Zeus GameOver steals your data in our new video. Better still, find out how to protect against it.
Update 2 [July 14 , 2014]: As we expected to see, Zeus GameOver has returned and evolved. The new variant has replaced the old peer-to-peer networking in favour of a Fast-Flux based infrastructure. In addition, the new domain generation algorithm (DGA) now generates domains using digits as well as letters, but no longer uses the .info or .ru TLDs. Websense customers continue to be protected from this threat at the same stages of the threat lifecycle as listed at the foot of this blog.
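Both changes described in this update leave traces in DNS telemetry: a DGA label mixing digits and letters looks nothing like a human-chosen name, and fast-flux hosting shows one name resolving to many addresses with short TTLs. The following is an added example, not code from the original post and not GameOver's actual DGA, which the post does not describe; the passive-DNS log lines are constructed, and the thresholds (entropy above 3.0 bits, four or more addresses, TTL of 300 seconds or less) are assumptions to tune against your own data.

```python
import math
from collections import defaultdict

# Constructed passive-DNS records, one per line: "<epoch> <qname> <ttl> <rdata>".
# Not real GameOver traffic; the generated-looking name is made up for the example.
SAMPLE_LOG = """\
1405300000 www.example.com 3600 93.184.216.34
1405300010 k7x2q9vb1m4z8h.com 300 198.51.100.10
1405300020 k7x2q9vb1m4z8h.com 300 198.51.100.45
1405300030 k7x2q9vb1m4z8h.com 300 203.0.113.7
1405300040 k7x2q9vb1m4z8h.com 300 203.0.113.99
1405300050 k7x2q9vb1m4z8h.com 300 198.51.100.200
1405300060 mail.example.org 86400 203.0.113.5
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the label's own symbol distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label: str) -> bool:
    """Heuristic for a DGA-style second-level label that mixes digits and letters."""
    if len(label) < 10:
        return False
    digits = sum(ch.isdigit() for ch in label)
    letters = sum(ch.isalpha() for ch in label)
    vowels = sum(ch in "aeiou" for ch in label)
    vowel_ratio = vowels / max(letters, 1)
    # Mixed character classes (as the update describes), few vowels, high entropy.
    return digits > 0 and letters > 0 and vowel_ratio < 0.35 and shannon_entropy(label) > 3.0


def second_level_label(qname: str) -> str:
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, ttl, rdata = line.split()
        records.append((int(ts), qname.lower().rstrip("."), int(ttl), rdata))
    return records


def flag_domains(records: list, min_ips: int = 4, max_ttl: int = 300) -> dict:
    """Map qname -> list of reasons for every name that trips either heuristic."""
    ips = defaultdict(set)
    highest_ttl = defaultdict(int)
    for _ts, qname, ttl, rdata in records:
        ips[qname].add(rdata)
        highest_ttl[qname] = max(highest_ttl[qname], ttl)
    flagged = {}
    for qname in ips:
        reasons = []
        if looks_generated(second_level_label(qname)):
            reasons.append("dga-like label")
        if len(ips[qname]) >= min_ips and highest_ttl[qname] <= max_ttl:
            reasons.append("fast-flux: %d addresses, ttl<=%d" % (len(ips[qname]), max_ttl))
        if reasons:
            flagged[qname] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_domains(parse_log(SAMPLE_LOG)).items():
        print(name, "->", ", ".join(reasons))
```

Neither heuristic is proof on its own (CDNs also rotate addresses, and some legitimate hostnames are random-looking), so in practice a name that trips both, or one that is queried by many hosts that otherwise share no traffic, is what warrants investigation.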
Background & Information
Zeus GameOver was first seen in 2011 and is very similar to the original Zeus malware. It is used as crimeware, for financial gain by stealing credentials and even transferring funds from victims' accounts. We have also seen GameOver subsequently download other malware such as Cryptolocker.
There is an important difference between GameOver and other Zeus variants, though. In a typical Zeus (or Zbot) malware, a central Command and Control (C&C) point is used to send out data and receive commands. In GameOver, however, the infrastructure is decentralized and instead relies on peer-to-peer (P2P) technology for its C&C capabilities.
This change in C&C infrastructure has become a big challenge for the security industry, because there is no single point of failure: there is no central command and control node that can be taken down. The Websense® ThreatSeeker® Intelligence Cloud is actively aware of this network and defends against it across the majority of the seven stages of the advanced threat model.
It's very important to note that Zeus GameOver is not sent directly to a potential victim. Instead, a downloader is involved in the initial infection, such as Pony Loader and, more recently, Upatre. Historically, the attack vector has mostly been email, usually sent by the Cutwail spam botnet. In the past, a mix of direct attachments and URLs leading to exploit kits would drop downloaders onto a victim's computer. More recently, with Upatre gaining momentum due to its ability to evade AV detection, the focus has been mostly on attachments, but in the past few weeks we have seen email lures containing URLs to sites such as Dropbox that serve ZIP files containing Upatre. What's particularly nasty about Upatre is that it downloads Zeus GameOver in an encrypted form, which bypasses most firewall and intrusion prevention system file-type detection. Another artifact that often gets bundled is the Necurs rootkit trojan, which helps to keep the infection persistent.
In the last two months we have seen increasing activity in GameOver downloads via Upatre, with the last week being particularly active. The next table shows the top 10 countries we have seen affected by Zeus GameOver. While the United States has been the most targeted country of this campaign, the threat has recently moved toward a wider global reach.
The next heatmap video shows how dominant the GameOver variant has been in April and May of this year.
Unsurprisingly, the main target of Zeus GameOver campaigns has been the financial industry, with a trend towards targeting victims at companies in the pension management sector. The next table shows the top 5 industries that Zeus GameOver targets:
Here's a recent example of an email attack stopped by Websense Cloud Email Security (CES). The attack tried to entice victims to open a ZIP attachment containing the Upatre downloader on their computer, which would later infect the users with Zeus GameOver.
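The ZIP-attachment delivery described here and in the background section above relies on the archive hiding what the member really is: a Windows executable, often with a decoy document extension in front of the real one. A gateway check that opens the archive and looks at each member's leading bytes rather than trusting its name catches this regardless of how the file is labelled. The following is an added example, not code from the original post or from Websense; the attachment it inspects is constructed in memory (a two-byte "MZ" header followed by filler, not a real program), and the extension lists are assumptions you would extend to match your own policy.

```python
import io
import zipfile

# Extensions Windows will execute or script-host (assumed list; extend as needed).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd",
             ".js", ".jse", ".vbs", ".vbe", ".wsf", ".jar"}
# Decoy "document" extensions that lures place in front of the real one.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def member_extensions(name: str) -> list:
    """['.pdf', '.exe'] for 'dir/Invoice.pdf.exe'; [] when there is no extension."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def inspect_zip(data: bytes) -> list:
    """Return (member_name, reason) pairs for every suspicious member in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Bit 0 of the general-purpose flags marks an encrypted member; we cannot
            # read its bytes without the password, which is itself worth reporting.
            if info.flag_bits & 0x1:
                findings.append((name, "encrypted member, contents not inspectable"))
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                findings.append((name, "PE header (MZ) inside archive"))
            exts = member_extensions(name)
            if exts and exts[-1] in EXEC_EXTS:
                findings.append((name, "executable extension " + exts[-1]))
            if len(exts) >= 2 and exts[-2] in DECOY_EXTS and exts[-1] in EXEC_EXTS:
                findings.append((name, "double extension hides executable"))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed lure-style ZIP: a fake 'PDF' that is really a PE stub plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # "MZ" is the DOS/PE magic; the rest is filler, not a runnable program.
        zf.writestr("Invoice_Details.pdf.exe", b"MZ" + b"\x90" * 62 + b"constructed stub")
        zf.writestr("readme.txt", b"constructed benign file")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample_attachment()):
        print(member, "->", reason)
```

The magic-byte check is the one that survives renaming: a member called report.pdf that starts with "MZ" is still flagged, while a genuine text file with an odd name is not. Nested archives are not unpacked here; a production filter would recurse into members that themselves look like ZIP files.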
Websense ThreatScope behavioral analysis recognizes Upatre as malicious:
The target URL containing the encrypted binary is categorized as MWS, therefore stopping the infection before Zeus GameOver even gets to the victim's computer:
Websense customers are protected with ACE™, our Advanced Classification Engine, at the stages detailed below:
GameOver has been around for several years and has been a challenge for the security industry to defend against since its inception, both because different variants keep appearing and because its source code was leaked. Websense researchers recommend using a strong email security product, which will proactively block these campaigns and prevent a GameOver infection from ever happening. The Websense® ThreatSeeker® Intelligence Cloud has seen a notable increase in GameOver activity over the two months leading up to the takedown, and continues to monitor it closely.