# 4.0 Another Brick In The CryptoWall

Introduction

For as long as there have been people using the World Wide Web, criminal groups have tried to extort money for performing or withholding some type of action. One of the earliest threats was an attacker compressing an unsuspecting user’s hard drive and demanding payment for the password to restore their data. What is old is new again, and criminals have found an easy and steady revenue stream with new variants of ransomware. Crypto ransomware has steadily gained momentum since 2013, starting with the CryptoLocker malware. This activity did not escape the notice of law enforcement, as the FBI and global CERTs took action to disrupt the GameOver Zeus botnet, which reportedly stole an estimated $100 million USD. GameOver Zeus delivered CryptoLocker as one of its payloads and within a week of its takedown, a new ransomware variant CryptoWall took its place. In theory, ransomware doesn’t represent a major issue for well patched corporate networks with advanced web filtering; however, the reality is quite different. Whether it is systems out of compliance or lack of a robust backup capability, ransomware always finds a way. This way might just simply be taking advantage of users who do not absorb security awareness training and frequently click on phishing emails. In classic form, it’s usually an executive or someone with large amounts of sensitive data on their computer who falls prey to ransomware. This puts a heavy burden on IT support staff and security personnel who investigate these incidents and sometimes are put in the unfortunate position of having to tell a user all their important files are gone for good. In this blog post, we will characterize the CryptoWall threat using the kill chain and outline practical approaches for disrupting it. Because post-incident visibility isn’t necessarily a problem, due to the user getting a large splash screen from the attacker, we will focus on earlier detection, prevention, and recovery. We will also highlight some of the changes that have occurred in the 4.0 version of CryptoWall. What’s New? The 4.0 version of CryptoWall shares many similarities with its predecessors. One of the most important distinctions is that filenames and extensions are now also encrypted. This is very nefarious, in the fact that most users will not be able to determine exactly what data they have lost. Ostensibly this increases the chances that they will pay up to decrypt their data. Additionally, the tell tale ransomware file extensions (.xxxx, .yyyy, .zzzz) are no longer present to aid in quick visual detection. Another distinction observed upon execution is the malware no longer attempts to leverage bcdedit to disable the Windows Startup Repair service . It now will first check to see if administrator privileges exist and then leverage API calls, namely SRRemoveRestorePoint, to delete system restore points directly. While some have reported that the new command and control routine was dramatically improved and difficult to detect, we have found no evidence of this. In fact infrastructure reuse was quite high, with the same clear text HTTP with an RC4 encrypted payload. Within 48 hours of first being seen in the wild, AntiVirus detection was very broad across the industry. Kill Chain Modeling Reconnaissance: Website drive-by, Email harvesting, Regional campaigns Disrupt: Web filtering, OSINT alerts, threat intelligence sharing When it comes to preventing Cryptowall infections, the first line of defense is a strong web security filtering solution. Because ransomware is typically conducted as a large campaign, vendors often have updated detections in place within 48 hours of the malicious websites going active. A key gap in most environments is the lack of web filtering for endpoints once they leave the corporate network. An agent on the endpoint or a proxy in the cloud solution can assist in closing this gap. Creating alerts based on either real or fake corporate email addresses found in Open Source Intelligence (OSINT) sources (i.e pastebin) can often provide early warning to email harvesting, or even worse, a data breach. Finally, threat intelligence sharing within your company vertical or geographic region can help aid your security team in early detection or blocking of a campaign. Weaponization: Malicious PDF/HTML file, Malicious JavaScript Disrupt: Restrict downloads & JavaScript While not always feasible to the business, restricting downloads from the Internet is a valuable control to consider. Blocking the download of an EXE is often much easier than business buy-in on blocking the download of PDF files. Either leveraging specific AD groups with Internet download rights or providing a click to continue prompt are often a more palatable solution. Similarly, limiting JavaScript execution from unknown or untrusted websites can prevent a considerable amount of commodity malware in addition to ransomware. Trying to manage this centrally for a large user base can be a significant workload. Browser add-ins like NoScript and QuikSet can give the user more control in the browsing experience, but still default to no active scripting. Delivery: Browser exploit kits, Email spam Disrupt: Exploit kit signatures, Email filtering Exploit kits are considered an essential tool for the majority of the less sophisticated cyber criminals targeting the public. Nuclear, Angler, SweetOrange and Magnitude exploit kits have picked up where the Blackhole exploit kit has faded away in recent years. Mila Parkour of Contagio Dump maintains a great list of exploit kit capabilities. Similarly, Emerging Threats has very good detection for popular exploit kits available in their Current_Events rule set. Email security products will often do an adequate job blocking ransomware emails, like those from the Cutwail botnet, however this doesn’t necessarily protect you when the email comes in private webmail or the end user decides to release it from quarantine. End user training on how to handle suspicious web links and emails should still be a pillar of your security awareness program. Exploitation: Adobe Flash/Reader, IE, Java, Silverlight, ActiveX Disrupt: Software patching, EMET 5.x A robust patching program can mitigate the threat posed by exploit kits. A majority of the exploits used are typically older than a year after a software patch was made available. The notable exception to this is Adobe Flash, which has been a major thorn in security practitioners’ side for quite some time. In addition, running older versions of Internet Explorer is quite common to support legacy applications. A great free control to address these gaps is Microsoft’s EMET tool. It is configurable using Group Policy and can prevent quite a few attack vectors used by adversaries. Limiting the ability to install software often will prevent rogue software installs that are not managed by the corporate patching process. Installation • Download • Javascript downloads and executes 10-digit EXE to %TEMP% • Runtime • Inject into Explorer.exe • Disable System Restore • Delete VSS copies • Inject into svchost.exe • File Persistence • Random Process Names (%AppData%, %AppDataLocal%, %AppDataRoaming%, %ProgramData%, %userprofile%, %Temp%, C:\<random>, %WinDir%, %AppDataRoaming%\Microsoft\Windows) • Registry Persistence • Current User Registry Hive ( Software\Microsoft\Windows\CurrentVersion\Run & RunOnce, Software\<RandomName>, <unique computer id>\<random id>, ControlPanel\Desktop\Wallpaper) Disrupt: Applocker, AntiVirus Microsoft’s AppLocker and its predecessor Software Restriction Policy (SRP) offer fairly good default protections for programs executing outside of approved paths or without an approved publisher. This does require a substantial amount of testing to introduce into production, however AppLocker does offer an audit feature to deploy without blocking initially. And while this may seem like dark sarcasm, AntiVirus with frequent updating will still provide some protections against older variants of ransomware. Command & Control: HTTP, Base64, RC4, Tor, l2P, Proxy unaware Disrupt: IPS, NGFW, DNS Sinkholing, Proxy Authentication, Web filtering Both IPS and NGFW devices have the ability to deploy detection based on a newly compromised client checking into the command and control server. It is important to note that encryption will not start on the endpoint until the client can check into the C2 and retrieve the public key. An example check in and rule updated with detection for CryptoWall 4.0 is listed below. POST /BMzH_7.php?c=dy8xua4ie5i5yjm HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded Connection: Close Content-Length: 124 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: <removed> Cache-Control: no-cache m=31716334647368686636721ec65ae3288e319bccce2ff1750f3d13b78c1ad3d920009b3de9932cf1272e8b5744de1c21b7e72767c2f863e5a4c4c4f919 alert http$HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall? Check-in"; flow:established,to_server; urilen:<134; content:"="; offset:1; depth:1; http_client_body; content:" MSIE "; fast_pattern; http_user_agent; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http_header; content:!"|0d 0a|Accept-"; nocase; http_header; content:!"Referer|3a|"; http_header; pcre:"/[\/=][a-z0-9]{8,}$/U"; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:15;) Blocking the Tor protocol, .onion sites, and any traffic inbound from known Tor exit nodes is a very easy defense that will aid in other areas, specifically limiting adversarially reconnaissance options. Another great control is DNS Sinkholing, such as CrowdStrike’s FalconDNS, which will block any traffic to known malicious domains at the time of name resolution. Web filtering has another chance to block the initial check in, post exploitation. Lastly, proxy authentication, which is very much preferred over transparent proxying, can stop variants that are not proxy aware and rely on permissive firewall rules to egress the network. Actions on Target: • Download Public RSA Encryption Key • Encryption of files (Office Docs, Photos, Music, Source code, etc) • AES, RSA-2048, MS CryptoAPI • File extension renamed (older versions) • Filename and extension encrypted (new in 4.0) • EXEs, DLLs and other system related files and directories are excluded from encryption to maintain system stability • Includes Mapped Drives & Cloud Storage (dropbox, onedrive, googledrive, etc) • User Splash Screen once encryption is complete • Collect$ for private decryption key (Paypal, Bitcoin, litecoin, MoneyPak, prepaid cards)

Disrupt: Monitor file shares, Alert for VSS deletion, Web filtering

Having a thoroughly tested backup solution on your file servers is key to recovering from an incident. While having an endpoint backup solution is also desired, redirecting user data to folders on servers that are backed up can work as well. Web filtering can be applied to block payment sites, however PayPal could be a notable exception. Traditionally, the most common point of detection for corporations is when files residing on a group file server start getting encrypted. Detection could take a couple different forms, such as presence of anomalous file extensions that are common to ransomware. Creating threshold alerts for the total amount of file modifications within a fixed time periods offers good detection. This can be achieved by enabling auditing of object access on your Windows file shares and forwarding the logs to a SEIM for baselining and alerting. To reduce attack surface, user permission audits should be performed regularly on file shares to ensure least privilege is being applied. Finally, there is generally no reason for Volume Shadow Service copies to be deleted, so if you have a tool that can alert and/or block on suspicious command line activity this is an excellent disruption point.

Recovery

The most frustrating part of CryptoWall for many organizations is that recovery is reliant on backups and there is not much else you can do. This is due to the fact that the private decryption key is never downloaded or access by the compromised endpoint. Also, because the files are technically overwritten with a new encrypted version, as opposed to the first version of CryptoWall which left a copy of the original file in slack space, options are very limited. To be thorough, it is still prudent to check the VSS copies in case the delete routine failed or even try unallocated file carving to recover what you can. As mentioned above, if you do not have a cloud backup agent on your endpoints, it is a good idea to redirect user data to folders residing on a backed-up server. While we don’t recommend paying for recovery, there could be some circumstances where business need is so great for a critical document that it becomes your only option. Then immediately spend time and money on a fielding a solid backup solution, so that it doesn’t happen again.

Future & Conclusions

As evidenced by the rapid growth of ransomware variants, this particular threat is here to stay. Ransomware has even gone cross platform with Linux.Encoder.1, which takes advantage of unpatched web software running under Linux. A new tactic recently employed by the Chimera variant was to actually publish the encrypted documents to somehow embarrass the victim into paying. While early entry ToxCrypt has folded, there also appears to be a market for ransomware as a service for the lazy criminals.

As a defender of a corporate network, this is just one of the many threats you will be facing in 2016. Organized crime will continue to assault you with wire fraud schemes, fake virus removal scams, banking credential theft, and traditional social engineering.

Applying the controls detailed above with a focus on the combination of essentials of patching, backups, and web filtering will help mitigate the ransomed are threat; however, more can be done. CrowdStrike’s Falcon Host uses behavioral Indicators of Attack (IOAs) to detect and prevent CryptoWall infections. These IOAs detect the activities that ransomware has to undertake in order to accomplish it’s ultimate objective of encrypting user’s data and preventing recovery without payment of ransom, making it very difficult for CryptoWall to avoid detection even when new polymorphic versions are released. Unlike approaches that use only signatures or machine learning algorithms that can only examine the contents of a malware binary, something that is easy for an attacker to bypass, Falcon Host IOAs examine and correlate the runtime effects of CryptoWall malware family by leveraging the CrowdStrike Threat Graph and can take automatic detection and prevention actions before the encryption of data can take effect.  Please click to find out more about Falcon Host.