Ransomware Part 2: Technical Analysis
May 12, 2016

The concept behind ransomware is simple: an attacker finds a way to run file-encryption software on a machine, then demands payment in return for the decryption key. Though implementations vary, ransomware follows the same infection vectors as other malware: malicious email attachments, malicious links and web browser exploits. In this respect the delivery does not differ much from what we are used to seeing.

Documents with malicious Microsoft Office macros have been a common vector for ransomware infection. This tactic has been widely used for ransomware since at least 2014 and includes one of the most prevalent strains through early 2016, Locky. Locky arrives as a document that tricks the user into enabling macros to view the content properly; once enabled, the macro downloads and runs the ransomware. In March 2016 a new strain called Maktub Locker used a different tactic: an executable that masqueraded as a text document, displayed a readable document to the user and, at the same time, ran the ransomware.

Ransomware is also disseminated via JavaScript applications attached to emails. Ransom32, a ransomware-as-a-service strain, was the first identified ransomware to ship as a standalone JavaScript application. Locky, though it originally emerged as a strain disseminated via document macros, quickly shifted its distribution to zip archives containing malicious JavaScript.

Drive-by downloads also push ransomware, via exploit kits, to users running unpatched browsers and plugins. Last year the Magnitude and Hanjuan kits distributed CryptoWall, and the Angler exploit kit has peddled the well-known strains TeslaCrypt and CryptoWall 4.0.
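The attachment-borne vectors above (macro-enabled Office documents, JavaScript inside zip archives, and executables dressed up as text or document files) share a property a mail gateway can exploit: the container format betrays the payload before anything runs. The script below is an added example written for this page, not code from the original post or from Optiv; it triages attachments against exactly those three patterns using only the Python standard library. All sample attachments are constructed in memory with toy content (a sixteen-byte placeholder stands in for a real VBA project), and the legacy OLE check only identifies the format because full macro extraction from binary .doc files needs a dedicated parser that is not used here.

```python
"""Attachment triage for the ransomware delivery vectors discussed above.

Added example (not from the original post). Flags three patterns:
  1. Office Open XML documents that carry a VBA project (macro-enabled),
  2. zip archives that contain script files (.js, .jse, .wsf, .vbs, ...),
  3. files whose content is a Windows executable (MZ header) but whose
     name claims a document or text extension, plus double extensions.
Every sample attachment is constructed in memory; nothing is downloaded.
"""
import io
import zipfile

SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".cmd", ".bat", ".ps1"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"} | SCRIPT_EXTENSIONS
DOCUMENT_EXTENSIONS = {".txt", ".rtf", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ""}
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (.doc/.xls) container


def _ext(name):
    """Lower-cased final extension including the dot, or '' if there is none."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def triage_attachment(filename, data):
    """Return a list of findings for one attachment; an empty list means no indicator matched."""
    findings = []
    ext = _ext(filename)

    # Pattern 3: PE content behind a document/text name (the Maktub-style lure).
    if data[:2] == b"MZ" and ext in DOCUMENT_EXTENSIONS:
        findings.append(f"PE executable with non-executable name {filename!r}")

    # Windows hides the last extension by default, so 'resume.txt.exe' displays as 'resume.txt'.
    parts = filename.lower().split(".")
    if len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTENSIONS:
        findings.append(f"double extension {filename!r}")

    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        if ext in OOXML_EXTENSIONS or "[Content_Types].xml" in names:
            # Pattern 1: OOXML stores a VBA project as word/vbaProject.bin, xl/vbaProject.bin, ...
            vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if vba:
                findings.append(f"macro-enabled Office document ({vba[0]})")
        else:
            # Pattern 2: plain zip with a script member, the Locky-style JavaScript delivery.
            scripts = [n for n in names if _ext(n) in SCRIPT_EXTENSIONS]
            if scripts:
                findings.append("zip archive containing script(s): " + ", ".join(scripts))
    elif data[:8] == OLE_MAGIC:
        # Legacy binary .doc/.xls keeps macros in OLE streams; only the format is noted here.
        findings.append("legacy OLE document; inspect VBA streams with a macro parser")

    return findings


def _build_zip(members):
    """Build an in-memory zip from a {name: content} mapping (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments; the contents are placeholders, not real malware.
SAMPLES = {
    "invoice.docm": _build_zip({"[Content_Types].xml": "<Types/>",
                                "word/document.xml": "<w:document/>",
                                "word/vbaProject.bin": b"\x00" * 16}),
    "report.docx": _build_zip({"[Content_Types].xml": "<Types/>",
                               "word/document.xml": "<w:document/>"}),
    "scan_0423.zip": _build_zip({"scan_0423.js": "WScript.Echo('constructed sample');"}),
    "resume.txt": b"MZ\x90\x00" + b"\x00" * 60,
    "notes.txt": b"plain text, nothing to see here",
}


def triage_all(samples=SAMPLES):
    """Run triage over every sample and return {filename: findings}."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        status = "ALERT" if findings else "ok   "
        print(f"{status} {name}: {'; '.join(findings) or 'no indicators'}")
```

Run as a script it prints one line per sample, with alerts for the macro-enabled document, the zip carrying a .js file and the MZ file named resume.txt, and a clean verdict for the macro-free .docx and the real text file. The checks look at container structure and magic bytes rather than file names alone, which is the point: the lures in this post all depend on the name telling the user one thing while the bytes do another.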
Exploit kits remain an active channel: Radamant was detected in late 2015 being delivered by the Rig exploit kit, although flaws in both version 1 and version 2 of that strain allowed researchers to write and release decryptors.

Some ransomware relies on malicious web download links. For example, one of the newest strains, Petya, entices users with a link claiming to lead to a résumé hosted on Dropbox; the link instead delivers a self-extracting Petya executable.

Other attackers take a more direct approach. Recent Samas campaigns exploit vulnerable versions of the JBoss and WildFly application servers: attackers use a scanning and exploitation tool called JexBoss to identify exposed servers and then install Samas on them.

Ransomware has also expanded to Linux and Mac. In November 2015 a strain called Linux.Encoder.1 was discovered, and in March 2016 KeRanger targeted Macs via a Trojanized build of the Transmission BitTorrent client. Optiv’s Global Threat Intelligence Center has seen KeRanger in the wild.

Finally, a more recent trend involves encrypting open SMB shares rather than only individual users’ files. This makes sense for an attacker: encrypting an entire share gives an enterprise far more incentive to pay. File-share encryption has been seen since at least March 2015 with TorrentLocker and CryptoFortress, and multiple strains now take this approach. Locky, for example, has been reported to encrypt network shares even when they are not mapped to a drive letter, so any share the infected user can write to is at risk, and Samas likewise aggressively targets network shares.

In our next blog post, we will look at practical, field-tested steps enterprises can take to defend against ransomware.

By: Nicolle Neulist, Intelligence Analyst

Nicolle Neulist is an intelligence analyst within Optiv’s Global Threat Intelligence Center (gTIC).
The Global Threat Intelligence Center comprises cyber threat intelligence specialists within Optiv’s managed security services who provide our clients with proactive intelligence support around current and emerging threats.