
Anatomy of a Ransomware Attack - Part 1: CryptoLocker, CryptoWall and How to Stay Safe


By: AjayRandhawa

March 16, 2017



Ransomware is malware that prevents you from using your files or your computer and then extorts money from you in exchange for a promise to unlock them. This type of malware is responsible for tens of millions of dollars in extortion annually. Worse still, developing new variants is trivial, so fresh samples routinely slip past antivirus and intrusion detection systems that rely on signatures of known ones. Ransomware is everywhere. We had hoped that the notorious file-encrypting ransomware CryptoLocker was finished after law enforcement knocked out its command-and-control infrastructure in 2014, but CryptoLocker and its close cousin CryptoWall have come back stronger than ever. This article looks at the newest kinds of ransomware, how they work, and what you as an organization or individual can do to stay safe.



Encrypting ransomware (a.k.a. crypto ransomware) attempts to extort users by holding their files hostage. Such ransomware differs from other types of malware in that its effects are reversible only with cryptographic keys held by a remote adversary. Users can regain access to their files only by paying through anonymous payment mechanisms (e.g., Bitcoin), which further frustrates efforts to take down these campaigns. While this class of malware has existed for well over a decade, its increasingly widespread use now causes tens of millions of dollars in consumer losses annually [2]. Compounding this problem, a growing number of law enforcement agencies have themselves been victims of ransomware [1], [4], losing valuable case files and being forced to ignore their own advice and pay the attackers. As such, ransomware represents one of the most visible threats to all users.


Combating ransomware is difficult for a number of reasons. First, this malware is easy to obtain or create [48] and produces immediate returns, creating lucrative opportunities for attackers. Second, the operations such malware performs (reading, encrypting and rewriting files) are often difficult to distinguish from those of benign software such as backup or compression tools. Finally, ransomware often intentionally targets unsophisticated users who are unlikely to follow best practices such as keeping regular, offline data backups. Accordingly, a defense that automatically protects such users even against previously unseen samples is critical.



Ransomware and fake antivirus have been around for many years, relying on social engineering to trick computer users into paying the cybercriminals: the phony warnings claim that the payment will avoid police fines for supposed crimes, or clean up "viruses" on the computer that don't actually exist.



But CryptoLocker and CryptoWall, variants of the malware we sometimes call crypto-ransomware or cryptoware, don't bother with that sort of trickery. The attackers tell victims up front that their files have been encrypted. The key needed to decrypt them never touches the victim's machine: the malware carries only the attackers' public key, and the matching private key stays on the attackers' server. Unless you pay for that key before their deadline, the crooks destroy it, making it impossible to recover your files.
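The key handling described above, as an added example that is not code from the original post or from any real CryptoLocker or CryptoWall sample: a self-contained Go program (standard library only) that models the hybrid scheme in which each file gets a fresh symmetric key, that key is wrapped under the attacker's RSA public key, and only the attacker's private key can unwrap it. The choice of AES-256-GCM for file contents and RSA-OAEP for key wrapping is an assumption made for illustration, and the names Locked, lockFile, unlockFile and RunScenario, as well as the sample document, are constructed here. Everything runs in memory; no files are touched.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Locked is what the sample leaves on disk in place of a file: the AES-GCM
// ciphertext plus the per-file key wrapped under the attacker's RSA public key.
type Locked struct {
	WrappedKey []byte // RSA-OAEP(attacker public key, fileKey)
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM(fileKey, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lockFile is the victim-side step. The sample carries only the attacker's public
// key, so once the file key is wrapped and wiped nothing on the host can undo this.
func lockFile(attackerPub *rsa.PublicKey, plaintext []byte) (*Locked, error) {
	fileKey := make([]byte, 32) // AES-256, a fresh key for every file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	for i := range fileKey { // drop the raw key; only the wrapped copy survives
		fileKey[i] = 0
	}
	return &Locked{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// unlockFile is the attacker-side step, run only after payment. A private key the
// attacker never issued fails the OAEP check with rsa.ErrDecryption.
func unlockFile(priv *rsa.PrivateKey, l *Locked) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, l.Nonce, l.Ciphertext, nil)
}

// RunScenario plays the attack end to end on a constructed sample document. The
// attacker's key pair is generated server-side and only its public half ships in
// the sample; a second, unrelated key pair stands in for whatever the victim tries.
func RunScenario() (wrongKeyRejected, recovered bool, err error) {
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	unrelatedKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	doc := []byte("constructed sample document: Q3 budget notes, not a real file")
	locked, err := lockFile(&attackerKey.PublicKey, doc)
	if err != nil {
		return false, false, err
	}
	_, wrongErr := unlockFile(unrelatedKey, locked)
	got, err := unlockFile(attackerKey, locked)
	if err != nil {
		return false, false, err
	}
	return wrongErr != nil, bytes.Equal(got, doc), nil
}

func main() {
	wrongKeyRejected, recovered, err := RunScenario()
	fmt.Println("wrong key rejected:", wrongKeyRejected, "recovered with attacker key:", recovered, "err:", err)
}
```

RunScenario shows the two facts the paragraph relies on: a private key the attacker never held (standing in for a recovery tool, a guess, or a key from another campaign) is rejected at the OAEP check, and only the attacker's private key restores the document byte for byte. Because that key is never present on the victim's machine, there is nothing for a defender to extract from memory or disk after the fact; the practical defense is backups the malware cannot reach.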

In November 2014, the Dickson County Sheriff's Office in Tennessee (USA) opted to pay a ransom of $572 to recover its files [4]. The Sheriff later said, "I am thankful that is all they asked for." In a similar case, the Durham, N.H. Police Department (USA) was infected in June 2015. It recovered the files from a backup and chose not to pay the ransom, but still paid $3,000 to a contractor to clean up afterward.

[1] B. Fraga. Swansea police pay $750 "ransom" after computer virus strikes. The Herald News, 2013.

[2] G. O'Gorman and G. McDonald. Ransomware: A growing menace. Technical report, Symantec Corporation, 2012.

[3] Anatomy of a Crypto Ransomware Attack (infographic). attack-cryptolocker-cryptowall-and-how-to-stay-safe-infographic/

[4] E. Arnold. Tennessee sheriff pays ransom to cybercriminals in bitcoin, 2014.

[5] Common types of ransomware.

[6] N. Andronio, S. Zanero, and F. Maggi. HelDroid: Dissecting and detecting mobile ransomware. In Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (RAID), 2015.

[7] A. Viswanathan, K. Tan, and C. Neuman. Deconstructing the assessment of anomaly-based intrusion detectors. In Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (RAID), 2013.

[8] R. Perdisci, A. Lanzi, and W. Lee. Classification of packed executables for accurate computer virus detection. Pattern Recognition Letters, 29(14), 2008.

[9] V. Roussev. Data fingerprinting with similarity digests. In Advances in Digital Forensics VI, IFIP Advances in Information and Communication Technology. Springer Berlin Heidelberg, 2010.

[10] N. Scaife, H. Carter, and P. Traynor. OnionDNS: A seizure-resistant top-level domain. In IEEE Conference on Communications and Network Security (CNS), 2015.

[11] A. Tang, S. Sethumadhavan, and S. Stolfo. Unsupervised anomaly-based malware detection using hardware features. In Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (RAID).
