CryptoLocker is a persistent, ubiquitous and ever advancing threat to your business’ Intellectual Property (IP) and customer data which requires professional skill and a high level of effort to prevent, detect and remediate.
2. FBI IC3
Last June, the FBI’s Internet Crime Complaint Center (IC3) identified CryptoWall as the most current and significant ransomware threat targeting U.S. individuals and businesses.
“CryptoWall and its variants have been used
actively to target U.S. victims since April 2014. The
financial impact to victims goes beyond the ransom
fee itself, which is typically between $200 and
$10,000.”
3. What is CryptoLocker ?
• CryptoLocker is ransomware that encrypts your files and holds them for ransom
– Released September 2013
– Targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8
– Encrypts certain files using a mixture of encryption types
– When finished encrypting your files, displays a “ransom note”
– Demands payment of $500 (increased from original $100) in order to decrypt the files
– Provides a few days to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files.
– Must be paid using MoneyPak vouchers or Bitcoins (untraceable)
– Once you send the payment and it is verified, the program will (maybe, theoretically) decrypt the files that it encrypted.
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
4. The Problem
• Encrypts EVERYTHING
• “This thing hit like pretty much all the file extensions that are usable, from Mp3s
to [Microsoft] Word docs,” Kessel said. “About the only thing it didn’t touch were
system files and .exe’s, encrypting most everything else with 2048-bit RSA keys
that would take like a quadrillion years to decrypt. Once the infection happens, it
can even [spread] from someone on a home PC [using a VPN] to access their
work network, and for me that’s the most scary part.”
-Johnny Kessel, Computer Repair Consultant, KitRx San Diego
5. The Problem: By the Numbers
• In 2014:
– CryptoLocker was infecting over 50,000 computers per month (peak)
– Infected over 336,000 computers in the U.S. alone
• Google search results for CryptoLocker are well over 210k per
month and rising quickly
– Indicates quantity of users affected
• Malvertising (malicious ads containing CryptoLocker) up 325% in Aug 2015
– http://www.scmagazine.com/spike-in-malvertising-attributed-to-zero-days-emergence-of-new-tech/article/434796/
Source: http://www.whoishostingthis.com/blog/2015/05/25/ransomware/
6. Internet Pandemic
• Research has shown approx. 1.3M malicious ads are being viewed every day
• The probability of getting infected from a malvertisement is twice as high on a weekend
• 97% of Fortune 500 websites are at a high risk of getting infected with malware due to external partners such as JavaScript widget providers, ad networks, and/or packaged software providers
• Fortune 500 websites have such a high risk because 69% of them use external JavaScript to render portions of their sites and 64% of them are running outdated web applications.
• FBI issued a warning about increased activity in Jan. 2015
Source: http://www.zdnet.com/article/research-13-million-malicious-ads-viewed-daily/
7. The Motivation
• Money (Bitcoin, MoneyPak)
– According to the 2015 McAfee Internet Threats Predictions:
• A single instance of the CryptoLocker ransomware made over $250,000 in one month
• CryptoWall resulted in a total of over $1,000,000 in paid-out ransoms
• Information
• It’s easy! (Lack of awareness and good practices)
8. A Threat by Many Names (Variants/Clones)
• CryptoLocker
– v.1 ~5 Sept. 2013
– v.2.0 – a copycat
– v.3.0
• CryptoLocker.F Family
– CryptoWall (Sept. 2014)- Via email
• 2.0 & 3.0
• CTB Locker
• TeslaCrypt
• Alpha Crypt
– TorrentLocker (Sept. 2014)
– CryptoDefense
• Critroni
• Reveton
• Crowti (CryptoWall 3.0)
11. CryptoWall version 4
• Encrypts file names & type
• HTML ransom note file name changed to “help_your_files.html”
• General taunting and arrogance to frustrate the user
Source: http://www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-features-such-as-encrypted-file-names/
12. Trends
• “Ransomware using Remote Desktop to spread itself”
• New Android ransomware communicates over XMPP
• TOR switchers
• Sandbox Aware
• Browser Variants
• Mobile Variants
13. How can you get it?
• Can be transmitted as link/attachment in phishing email
– .zip, .exe, .scr (sometimes disguised as .pdf or .doc)
• Other malware such as Trojan Downloaders (onkods, upatre)
• Slip-streamed torrent or download
• Drive-by download (malvertising, other iFrame exploit-kit (EK) goodness)
– Silverlight
– Flash
– Java
19. Malvertising
• Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload
• Simply browsing to a website that has ads (and most sites, if not all, do) is enough to start the infection chain
• The complex online advertising economy makes it easy for malicious actors to abuse the system and get away with it
• Necessitates industry partners working closely together to detect suspicious patterns and react very quickly to halt rogue campaigns
Source: https://blog.malwarebytes.org/malvertising-2/2015/08/large-malvertising-campaign-takes-on-yahoo/
20. File System Modifications
• Saves itself with a random file name
• Creates auto-start entries in the system configuration (work even in safe mode)
• Hijacks .EXE extensions to delete Shadow Volume Copies that could be used to restore files.
Source: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
21. How it Works – For The Techies
• Downloads encryption key
• Encrypts files
• Demands ransom
23. Encryption keys
• Command & Control (C2) server address established through a Domain Generation Algorithm (DGA)
• Malware connects and downloads the public key to the Windows system configuration
• Private key is saved on the C2 server
Read more: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
24. What it Encrypts
• CryptoLocker will then begin to scan all physical or mapped network drives on your computer for files
with the following extensions:
– .3dm .3ds .3fr .3g2 .3gp .3pr .7z .ab4 .accdb .accde .accdr .accdt .ach .acr .act .adb .agdl .ai .ait .al .apj .arw
.asf .asm .asp .asx .avi .awg .back .backup .backupdb .bak .bank .bay .bdb .bgt .bik .bkp .blend .bpw .c .cdf
.cdr .cdr3 .cdr4 .cdr5 .cdr6 .cdrw .cdx .ce2 .cer .cfp .cgm .cib .class .cls .cpi .cpp .cr2 .craw .crt .crw .cs .csh
.csl .csv .dac .db .db_journal .db3 .dbf .dc2 .dcr .ddd .ddoc .ddrw .dds .der .des .design .dgc .djvu .dng .doc
.docm .docx .dot .dotx .drf .drw .dtd .dwg .dxb .dxf .dxg .eml .eps .erbsql .erf .exf .fdb .ffd .fff .fh .fhd .fla .flac
.fpx .fxg .gray .grey .gry .h .hbk .hpp .ibank .ibd .ibz .idx .iif .iiq .incpas .indd .java .jpe .jpeg .jpg .kc2 .kdbx .kdc
.key .kpdx .lua .m .m4v .max .mdb .mdc .mdf .mef .mfw .mmw .moneywell .mos .mp3 .mp4 .mpg .mrw .myd
.nd .ndd .nef .nk2 .nop .nrw .ns2 .ns3 .ns4 .nsd .nsf .nsg .nsh .nwb .nx2 .nxl .nyf .obj .ods .p7c .r3d .mov .flv
.wav .dcs .cmt .ce1 .odb .odc .odf .odg .odm .odp .ads .odt .oil .orf .otg .oth .otp .ots .ott .p12 .p7b .pages .pas
.pat .pcd .pct .pdb .pdd .pdf .pef .pem .pfx .php .pl .plus_muhd .plc .pot .potm .potx .ppam .pps .ppsm .ppsx
.ppt .pptm .pptx .prf .ps .psafe3 .psd .pspimage .ptx .py .qba .qbb .qbm .qbr .qbw .qbx .qby .raf .rar .rat .raw
.rdb .rm .rtf .rw2 .rwl .rwz .s3db .sas7bdat .say .sd0 .sda .sdf .sldm .sldx .sql .sqlite .sqlite3 .sqlitedb .sr2 .srf
.srt .srw .st4 .st5 .st6 .st7 .st8 .stc .std .sti .stw .stx .svg .swf .sxc .sxd .sxg .sxi .sxm .sxw .tex .tga .thm .tlg .txt
.vob .wallet .wb2 .wmv .wpd .wps .x11 .x3f .xis .xla .xlam .xlk .xlm .xlr .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw
.ycbcra .yuv .zip (Source: Cyber Threat Alliance Cryptowall Report 2015)
– When it finds files that match one of these types, it will encrypt the file using the public encryption key and add the full path to the file and the filename as a value under the Windows System Registry key (HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files).
• When it has finished encrypting your data files it will then show the CryptoLocker splash screen and demand a ransom of $500 (or more) in order to decrypt your files.
• Most recently targeting Intellectual Property (IP) such as AutoCAD Drawing files (*.DWG, *.DXF)
Source: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
26. Detection
• For most, you’ll see “The Screen”
• Security Information and Event Management
(SIEM)
• Local Files (not accessible)
• Server Files (not accessible)
28. The Screen
• When it has finished encrypting your data files, it displays this CryptoLocker screen in a web browser demanding money
• $500 (this cost has gone up)
• Timed: (up to) 96 hours
• Private encryption key will be destroyed on the developer's servers if not paid
• If you don’t pay on time the price doubles
Source: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
http://blogs.technet.com/b/mmpc/archive/2015/01/13/crowti-update-cryptowall-3-0.aspx
29. Detection – SIEM
• Log management could be used to detect malicious activity, such as a brute force attack from an internally compromised host against internal servers; in this case directory traversal, high write speeds, file renames, new executables
• Log monitoring & correlation services could be used to detect the malware attempting to send specifically crafted packets
• Log anomaly detection could be used to detect the malware attempting to contact a malicious remote host, i.e. “phone home”
30. Detection - Local “Ransom Note” Files
• Used to display the web-browser ransom note
• Creates files (listed in reverse chronological order):
HELP_DECRYPT.PNG
HELP_DECRYPT.txt
HELP_DECRYPT.html
HELP_DECRYPT.url
HOW_DECRYPT.HTML
HOW_DECRYPT.TXT
HOW_DECRYPT.URL
DECRYPT_INSTRUCTION.HTML
DECRYPT_INSTRUCTION.TXT
• Renames encrypted target files “.locked”
• Recommend a Windows File Screen audit rule to alert on these & shut down the system until the network is disconnected
Source: http://blogs.technet.com/b/mmpc/archive/2015/01/13/crowti-update-cryptowall-3-0.aspx
31. Detection - MS Recommendations (File Servers)
• Actively scan file shares using a PowerShell script on a scheduled task (CryptoWall active alerter / scanner)
– https://gallery.technet.microsoft.com/scriptcenter/Cryptowall-active-file-ad91b701
– Could also be applied to desktops
• Implement Windows File Screening Management with an audit rule to alert/shutdown the server on “Ransom File” creation, limiting the scope of infection - http://technet.microsoft.com/en-us/library/cc732074.aspx
• Variants have gone undetected on file servers for over 5 days, thereby infecting full backups as well
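The SIEM signals on slide 29 (file renames, write bursts) and the ransom-note and “.locked” indicators on slides 30 and 31, turned into a small detector over file-server audit lines. This is an added example, not code from the deck or from Microsoft’s scanner script; the audit-line format, host names, user names and paths are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_NOTE_NAMES = {  # ransom-note names from the slide (Crowti / CryptoWall 3.0), lowercase
    "help_decrypt.png", "help_decrypt.txt", "help_decrypt.html", "help_decrypt.url",
    "how_decrypt.html", "how_decrypt.txt", "how_decrypt.url",
    "decrypt_instruction.html", "decrypt_instruction.txt"}
LOCKED_SUFFIX = ".locked"  # rename suffix noted on the slide

# Assumed (constructed) audit line: "<ISO ts> <user> <host> <CREATE|RENAME|WRITE> <path> [-> <new path>]"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (CREATE|RENAME|WRITE) (\S+)(?: -> (\S+))?$")

def parse_line(line):
    # Returns an event dict, or None for lines that do not match the assumed format.
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, host, op, path, new_path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "op": op, "path": path, "new": new_path}

def detect(lines, rename_threshold=4, window=timedelta(seconds=60)):
    # Rule 1: a ransom-note file is created. Rule 2: one user/host renames
    # rename_threshold files to .locked inside a sliding time window.
    alerts = []
    recent = defaultdict(list)  # (user, host) -> timestamps of recent .locked renames
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        name = ev["path"].rsplit("\\", 1)[-1].lower()
        if ev["op"] == "CREATE" and name in RANSOM_NOTE_NAMES:
            alerts.append(("ransom_note", ev["host"], ev["path"]))
        elif ev["op"] == "RENAME" and ev["new"] and ev["new"].lower().endswith(LOCKED_SUFFIX):
            times = recent[(ev["user"], ev["host"])]
            times.append(ev["ts"])
            while ev["ts"] - times[0] > window:  # drop renames that fell out of the window
                times.pop(0)
            if len(times) == rename_threshold:  # fire once, as the threshold is crossed
                alerts.append(("rename_burst", ev["host"],
                               f"{rename_threshold} {LOCKED_SUFFIX} renames within {window.seconds}s"))
    return alerts

# Constructed sample log: one workstation renames share files to .locked, then drops a note.
SAMPLE_LOG = r"""
2015-09-14T09:12:03 jdoe WS-042 RENAME \\FS01\share\docs\budget.xlsx -> \\FS01\share\docs\budget.xlsx.locked
2015-09-14T09:12:03 jdoe WS-042 RENAME \\FS01\share\docs\plan.dwg -> \\FS01\share\docs\plan.dwg.locked
2015-09-14T09:12:04 jdoe WS-042 RENAME \\FS01\share\docs\q3.pptx -> \\FS01\share\docs\q3.pptx.locked
2015-09-14T09:12:05 jdoe WS-042 RENAME \\FS01\share\docs\photo.jpg -> \\FS01\share\docs\photo.jpg.locked
2015-09-14T09:12:06 jdoe WS-042 CREATE \\FS01\share\docs\HELP_DECRYPT.TXT
2015-09-14T10:30:00 asmith WS-007 RENAME \\FS01\share\docs\old.doc -> \\FS01\share\docs\old_v2.doc
""".strip().splitlines()
```

Run `detect(SAMPLE_LOG)` to see the two alerts; the rename rule fires on the fourth rename and the note rule on the HELP_DECRYPT.TXT creation, while the ordinary rename by the second user is ignored.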
32. Prevention: Old-School Security
• Not running as local admin provides some protection for other users’ data
• User Account Control (UAC) doesn’t apply to %appdata%
• Antivirus now uses Domain Generation Algorithm (DGA) detection to identify & block C2 traffic via the desktop firewall (Ex. Avast Free/Pro, MBAM Pro)
33. Prevention - MS Recommendations
Specifically:
• Don’t pay the ransom
• Perform regular off-line backups/restore points
• Run A/V or antimalware software (FULL SCAN)
– Win Defender or Security Essentials
• Disable real-time scanning and run daily side-by-side with your 3rd party A/V
(controversial)
– MS Safety Scanner
• Enable MS Active Protection Service (MAPS)
• Prevent spam:
– Exchange online protection
– Office 365 Advanced Threat Protection
– Don’t open suspicious emails esp. from untrusted sources
– MS SmartScreen filter
Sources: https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Crowti, http://blogs.technet.com/b/mmpc/archive/2015/07/14/msrt-july-2015-crowti.aspx, https://www.microsoft.com/security/portal/mmpc/shared/prevention.aspx
Security Practices:
• Awareness Training
• Run up-to-date security software
• Get the latest software updates
• Understand how malware works
• Turn on your firewall
• Limit User Privileges
34. Prevention
• DNS reputation web filtering (OpenDNS, etc.) or Install web filtering software
• Don’t give users admin access to their computers, or at least don’t log in to Windows as admin for day-to-day work
• Keep software up to date
• Install/enable a pop-up blocker
• Install CryptoLocker Prevention Kit (GPOs for Domain Members)
– http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/
– Uses Software Restriction Policies to block executables in specified folders (%AppData%)
– Alert on executable being blocked (Event ID 866)
• Disable Java/Flash/Silverlight; install NoScript on the Firefox browser (blocks Java and Flash content)
• Install CryptoPrevent (workstations only)
– https://www.foolishit.com/cryptoprevent-malware-prevention/
• Install BLADE (Block All Drive-by Download Exploits)
Sources: http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/
http://www.cio.com/article/2448967/security0/6-ways-to-defend-against-drive-by-downloads.html
35. Professional Remediation
• Restore from incremental backup
• Use utilities and regain access to your files:
– RakhniDecryptor - http://support.kaspersky.com/viruses/disinfection/10556
– XoristDecryptor - http://support.kaspersky.com/viruses/disinfection/2911
– RectorDecryptor - http://support.kaspersky.com/viruses/disinfection/4264
• Attempt to retrieve your keys from:
– FireEye’s website http://www.decryptcryptolocker.com/
– Kaspersky’s Website: https://noransom.kaspersky.com/
37. Incident Response
• Early reaction is essential
1. Disconnecting from the network has been shown
to halt the encryption process
2. Better yet… HARD Shutdown!
3. Mount HD externally and
4. Decrypt & salvage files
5. Re-image and restore files
38. Save It!
• As a last-ditch effort, keep your encrypted files in off-line storage
• Cryptomalware rings are taken down by LEO (law enforcement) and keys are recovered/made available on an on-going basis
39. Resources
• IOCs https://github.com/CyberThreatAlliance/cryptowall_v3
• CoinVault and Bitcryptor keys & app:
https://noransom.kaspersky.com/
• CryptoWall Dashboard: http://cyberthreatalliance.org/cryptowall-dashboard.html
• Scripts and Files related to the CryptoWall v.3 threat: https://github.com/CyberThreatAlliance/cryptowall_v3
• CryptoLocker Scan Tool by Omnispear:
http://omnispear.com/cryptolocker-scan-tool/
• Using PowerShell to Combat CryptoLocker:
http://blog.varonis.com/using-powershell-combat-cryptolocker/
41. East Tennessee Chapter of the Information Systems Security Association (ISSA)
ISSA.ETENN@gmail.com
@ISSA_ETENN
LinkedIn Group (Discussion, Events and more): https://www.linkedin.com/groups/East-TN-ISSA-Chapter-8175959/about