
Anatomy of a Ransomware Attack - Part 3


By: AjayRandhawa

March 18, 2017

3. COMMON TYPES OF RANSOMWARE

3.1 CryptoLocker

Ransomware has been around in some form for over a decade, but it came to prominence in 2013 with the rise of the original CryptoLocker malware. While the original was shut down in 2014, the approach has been widely copied, so much so that the word CryptoLocker has become nearly synonymous with ransomware.

3.2 Cerber

Cerber targets cloud-based Office 365 users and is assumed to have impacted millions of users through an elaborate phishing campaign. This type of malware emphasizes the growing need for SaaS backup in addition to on-premises backup.

3.3 CryptoWall

CryptoWall first appeared in early 2014, and variants have appeared under a variety of names, including Cryptorbit, CryptoDefense, CryptoWall 2.0 and CryptoWall 3.0, among others.

3.4 Crysis

Crysis can encrypt files on fixed, removable, and network drives. It uses strong encryption algorithms and a scheme that makes it difficult to crack within a reasonable amount of time.

3.5 CTB-Locker

The criminals behind this strain take a different approach to virus distribution, outsourcing the infection process to partners in exchange for a cut of the profits. This strategy allows the malware to achieve large volumes of infections and generate huge profits for the hackers.

3.6 Jigsaw

Jigsaw encrypts files and then progressively deletes them until the ransom is paid. The ransomware deletes a single file after the first hour, then deletes more and more files per hour until the 72-hour mark, when all remaining files are deleted.

3.7 KeRanger

KeRanger is not widely distributed at this point, but it is worth noting because it is known as the first fully functioning ransomware designed to lock Mac OS X applications.

3.8 LeChiffre

"Le Chiffre", which comes from the French noun "chiffrement" meaning "encryption", is the main villain of the James Bond novel Casino Royale, who kidnaps Bond's love interest to lure him into a trap and steal his money. GREAT name.

Unlike other variants, LeChiffre needs to be run manually on the compromised system. Cyber criminals automatically scan networks in search of poorly secured remote desktops, log into them remotely, and manually run an instance of the virus.

3.9 Locky

Locky is typically spread via an email message disguised as an invoice. When opened, the invoice appears scrambled, and the victim is instructed to enable macros to read the document. Once macros are enabled, Locky begins encrypting a large array of file types using AES encryption. The spam campaigns spreading Locky operate on a massive scale: one company reported blocking 5 million emails associated with Locky campaigns over the course of two days.

3.10 TeslaCrypt

TeslaCrypt also uses an AES algorithm to encrypt files. Typically distributed via the Angler exploit kit, this ransomware targets Adobe vulnerabilities. TeslaCrypt installs itself in the Microsoft temp folder. When the time comes to pay up, victims are given several payment options: Bitcoin, PaySafeCard and Ukash. And who doesn't love options?

3.11 TorrentLocker

TorrentLocker isn't new to the malware scene, but the 2016 version is more destructive than ever. Like the mononucleosis of ransomware, TorrentLocker not only encrypts files but also collects email addresses from the victim's address book in order to spread the malware beyond the initially infected computer or network.

3.12 ZCryptor

ZCryptor is a self-propagating malware strain that exhibits worm-like behavior: it encrypts files and also infects external drives and flash drives so that it can be carried to other computers.

3.13 Reveton

Reveton was introduced in 2012. This ransomware displays a warning that purports to come from a known law enforcement agency. The warning claims that the victim is guilty of child pornography or has violated a company's copyright by downloading unlicensed software. The hackers present the attack as a legitimate action by a law enforcement agency. To achieve this, they require that the user pay a fine through an anonymous prepaid service such as Ukash, and they display the victim's IP address to lend credibility to their claims.
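Several of the families above share observable file-system behaviour a defender can key on: Crysis, ZCryptor and TorrentLocker reach beyond the first machine onto removable and network drives, Locky and TeslaCrypt overwrite documents with AES ciphertext, and Jigsaw deletes originals. The following Python script is an added example, not code from the original article or from any of the malware families it describes. It runs a simple mass-encryption heuristic over a constructed file-activity trace: high-entropy writes per minute, renames that change a file's extension, deletions, and the spread across drive types. The drive-letter mapping (C: fixed, E: removable, UNC paths as network shares), the thresholds, the process IDs and the trace itself are all assumptions made for the example.

```python
"""Heuristic detection of ransomware-style mass encryption over a
constructed file-activity trace (added example; not from the article)."""
import math
import random
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class FileEvent:
    ts: float            # seconds since the start of the trace
    pid: int             # process that performed the operation
    op: str              # "write", "rename" or "delete"
    path: str            # file acted on (source path for a rename)
    data: bytes = b""    # bytes written (only meaningful for "write")
    new_path: str = ""   # destination path (only meaningful for "rename")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random data, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def drive_class(path: str) -> str:
    """Hypothetical mapping: C: is fixed, E: is removable, UNC paths are network shares."""
    if path.startswith("\\\\"):
        return "network"
    return {"C:": "fixed", "E:": "removable"}.get(path[:2].upper(), "unknown")


def extension(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


@dataclass
class ProcessStats:
    high_entropy_writes: int = 0
    renames_changing_extension: int = 0
    deletes: int = 0
    drives: Set[str] = field(default_factory=set)
    first_ts: Optional[float] = None
    last_ts: float = 0.0


def score_events(events: List[FileEvent], entropy_threshold: float = 7.0) -> Dict[int, ProcessStats]:
    """Aggregate per-process indicators over the trace, in timestamp order."""
    stats: Dict[int, ProcessStats] = defaultdict(ProcessStats)
    for ev in sorted(events, key=lambda e: e.ts):
        s = stats[ev.pid]
        if s.first_ts is None:
            s.first_ts = ev.ts
        s.last_ts = ev.ts
        s.drives.add(drive_class(ev.path))
        if ev.op == "write" and shannon_entropy(ev.data) >= entropy_threshold:
            s.high_entropy_writes += 1          # content looks like ciphertext
        elif ev.op == "rename" and extension(ev.new_path) != extension(ev.path):
            s.renames_changing_extension += 1   # e.g. report.docx -> report.docx.locked
        elif ev.op == "delete":
            s.deletes += 1                      # originals removed (Jigsaw-style)
    return stats


def detect(events: List[FileEvent], min_writes_per_minute: float = 20.0,
           min_extension_changes: int = 20) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for processes whose activity looks like mass encryption."""
    alerts: Dict[int, List[str]] = {}
    for pid, s in score_events(events).items():
        span = max(s.last_ts - (s.first_ts or 0.0), 1.0)   # floor at 1 s to avoid division by zero
        rate = s.high_entropy_writes / span * 60.0
        reasons = []
        if rate >= min_writes_per_minute:
            reasons.append(f"{rate:.0f} high-entropy writes/min")
        if s.renames_changing_extension >= min_extension_changes:
            reasons.append(f"{s.renames_changing_extension} files renamed to a new extension")
        if reasons:
            if s.deletes:
                reasons.append(f"{s.deletes} originals deleted")
            touched = sorted(s.drives - {"unknown"})
            if len(touched) > 1:   # Crysis/ZCryptor-style spread across fixed, removable and network drives
                reasons.append("touches " + ", ".join(touched) + " drives")
            alerts[pid] = reasons
    return alerts


def constructed_trace() -> List[FileEvent]:
    """Constructed sample: pid 4242 behaves like an encryptor, pid 1000 like a word processor."""
    rng = random.Random(1)   # seeded so the fake ciphertext is reproducible
    events: List[FileEvent] = []
    roots = ["C:\\Users\\alice\\Documents\\", "E:\\backup\\", "\\\\fileserver\\share\\"]
    for i in range(25):
        t = float(i)
        src = f"{roots[i % 3]}report{i}.docx"
        blob = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for AES ciphertext
        events.append(FileEvent(t, 4242, "write", src + ".tmp", data=blob))
        events.append(FileEvent(t + 0.1, 4242, "rename", src + ".tmp", new_path=src + ".locked"))
        events.append(FileEvent(t + 0.2, 4242, "delete", src))
    for i in range(5):   # benign plain-text saves into the same folder
        text = (f"Quarterly report {i}. " * 200).encode()
        events.append(FileEvent(30.0 + i, 1000, "write", f"{roots[0]}notes{i}.txt", data=text))
    return events


if __name__ == "__main__":
    for pid, reasons in detect(constructed_trace()).items():
        print(pid, "->", "; ".join(reasons))
```

On the constructed trace the encryptor process is reported with all four indicators, while the plain-text writer is not reported at all, since its writes stay well below the 7.0 bits-per-byte entropy threshold. The rate-based check matters more than the raw count: a backup agent also writes many compressed, high-entropy files, but typically to one destination and without renaming or deleting the originals, so in practice the extension-change and delete indicators are what separate it from an encryptor.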