Send money or we’ll brick your PC
Insecure networks remain vulnerable to the evolving threat of ransomware
by Matt Meltzer, Raytheon Foreground Security
Ransomware, the invasive software that infects victim computers and encrypts files before demanding payment to free them, continues to be a prevalent threat in 2017. As ransomware profits increase, the techniques, tactics and procedures behind the malware inevitably evolve.
New ransomware variants use unique approaches such as tiered payment options, Ransomware as a Service models, and even “affiliate programs,” encouraging victims to infect their friends to receive a decryption key.
Established ransomware strains, such as Locky, a variant that scrambles and renames victim files, also has evolved, adopting varying delivery methods and frequently updated command-and-control patterns. A recent Locky ransomware sample analyzed by Raytheon Foreground Security’ analysts showcases an interesting functionality of this malware, as well as the impact it can have on insecure networks.
On Jan. 16, the IT security company Check Point recorded an 81 percent decrease in Locky ransomware spam in December. Two days later, the Cisco threat intelligence group Talos published a blog post attributing a decline in these spam messages to a disruption of the Necurs botnet, a main driving force behind the malicious emails delivering the ransomware.
Although there has been a decrease in quantity, cyber experts are still observing ongoing malware spam campaigns. One example is an Osiris variant of Locky delivered through malspam emails containing FedEx- and USPS-themed lures. This campaign downloads the ransomware in tandem with a Trojan called Kovter.
Until recently, this trojan’s primary focus was ad fraud, though it has been reported to also ship with the proxy software ProxyGate. This software is not inherently malicious, but allows the operators of the Trojan to add infected machines to the ProxyGate service, cashing in on each additional infected host.
Once the trojan is installed and begins operating in the background, the Locky portion of the infection will begin. Command and control traffic is typically initiated after a successful infection.
Next, the extensions on the encrypted files will be changed to “.Osiris,” and the user’s background image altered to display a ransom message.
Then an HTML page opens, showing the same information as the user’s new background image. Once the files on the local host have been encrypted, the malware then identify additional network hosts. The malware then connects to these hosts, performs a query to enumerate all shared network drives for each host.
Connection are then be made for all non-administrative shares identified. The files on each share will be searched for specific file types, and if the initial infected host has write access, it will continue the encryption process on these files as well
Locky, as well as other ransomware variants, has the ability to encrypt network shares mapped to an infected host. However, in this instance, if there are any available client drives shared, the malware will identify those client drives and then determine whether any files have write permissions and can be encrypted.
Once the malware determines the target files, it continues the encryption process over a Server Message Block connection. Because of this capability it gives the appearance of the malware “spreading” through the network, and “infecting” more hosts.
In a scenario where careless network administration or file sharing is taking place, and client drives are shared publicly within the local network, the impact of such a ransomware attack increases drastically. Any workstations or servers sharing drives are vulnerable to ransomware infections which otherwise could have been contained to the initial host.
Allowing drives to be publically shared leaves a local network insecure and at risk. Although this is poor security practice, it is still far too common. Is your network secure from such threats?
Matt Meltzer is a Virtual-Security Operations Center analyst with Raytheon Foreground Security.
This document does not contain Technical Data or Technology controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations. E17-YJJK.