Ransomware - No Sign of Relief, Especially for Australians

Websense® Security Labs™ researchers observed that ransomware was a plague in 2014 and this threat type shows no sign of relief in 2015.  In this blog we profile the user experience for a Torrentlocker variant focusing on the Australian region. 

Ransomware is an umbrella name for a type of cybercrime in which the attackers restrict access to a computer until a ransom is paid to restore system access and function.  Crypto Ransomware is a form of ransomware in which access to data is blocked by encrypting the data and withholding an encryption key until a ransom is paid to the cyber criminals.  (Authors' note: We do not recommend that a ransom is paid to the cyber criminals). 

We have seen that Torrentlocker rotates through many themes/lures/targets and tends to be low volume and targeted. 

In the latter half of 2014 we observed fake Royal Mail lures (targeting UK end-users) and Australia Post lures, but then Torrentlocker moved on to Turkish-themed lures (Turk Telekom, TTNET) and then New South Wales Government lures, of which we see a repeat in our current case study.  There have also been Czech Post lures, TESA Telecom (Brazilian-themed) lures, Italian lures and others too. The lure tend to be fake ‘eFax’ or ‘penalty’ download pages. 

The Websense ThreatSeeker Intelligence Cloud identified a campaign sent yesterday to Australian end users.  This ransomware followed the 7 Stages of Advanced Threats model in a typical fashion.

Australian-themed Ransomware

Our case study, the Australian-themed ransomware, exhibits the typical process from lure to infection.

Ransomware is most often distributed via email lures or compromised websites (specifically malvertising).  Today's case study used an initial email lure with a topic of penalties induced by speed cameras.  A typical subject is "Penalty id number - <random number> / Fixed by speed camera".

The lure email contains a URL (in this case a compromised wordpress host).  The end user is sent through to a website that makes a call to action:

In this case we see a Penalty Notice claiming to be from the New South Wales Office Of State Revenue.  For the avoidance of doubt the OSR is a legitimate organization and their website is hosted at http://www.osr.nsw.gov.au/.  Social Engineering is needed to convince the end user to perform an action. Note the use of a legitimate-looking logo as well as a CAPTCHA entry form to add a degree of legitimacy on the fraudulent website, and to encourage a further click action.  Hosts of the fraudalent website rotate, but include hxxp://nsw.gov.yourpenalty.com/ and hxxp://osr.nsw.mypenalty.org/  Similar variants on the theme will likely occur in the future.

Once the end user has been duped into clicking through, they are presented with a warning notice:

Decrypt instructions are provided via an HTML document installed on the user's machine.  This points the user to yet another website where they are encouraged to perform a transaction:

As is typical, the decrypter service website offers two prices for decryption.  If the end user pays promptly they have to pay 2.4 bitcoins, (approximately) 499 USD.  If they pay after 3 days they would have to pay approximately 998 USD.

A timer is shown to encourage urgent action.  The malicious website also reveals the number of files that have been encrypted.  Instructions are provided if the user is unsure how to trade in Bitcoins.

As before, we do not recommend paying the cyber-criminals to decrypt the files.  Success is not guaranteed.  If you fear you may have encountered a ransomware website (at any stage of the threat lifecycle) you can check our view on that by submitting the site to our online CyberSecurity Intelligence website analysis tool at http://csi.websense.com/

This variant of Torrentlocker cycles through hosts with various country code Top Level Domains (ccTLDs).  We observed .com, .at (Austria), .lt (Lithuania) and .ru (Russia).  Variants included:

hxxp://hochim.ru/wp-content/themes/thems/readip.php?eid=8335416278221988351634911194654464864426932877911359115391878239578365375 
hxxp://kronbichler.at/wp-content/themes/thems/readip.php?eid=6976374276886957263939312995363812751134728673645492585177832379924246324
hxxp://zsohajnowka.pl/wp-content/thems/readip.php?eid=623534149942711528344994141811459

As mentioned above the fraudalent OSR-themed websites also change frequently to make detection difficult without real-time detection technologies.

The Financial Services sector was the one most targeted by this particular campaign.

Protecting from Ransomware

Websense customers were protected at the time of this Australian-themed ransomware attack via real-time analytics within ACE, our Advanced Classification Engine. Protection is offered at the different stages of the attack detailed below: 

• Stage 2 (Lure) - ACE has detection for the email lure, and the website contained within.
• Stage 3 (Redirect) - ACE has detection for the link inside the email lure, and for the ultimate destination of the counterfeit website.
• Stage 5 (Dropper) - ACE has detection for the dropped file, as shown by our File Sandboxing report mentioned below.
• Stage 6 (Backchannel Traffic) - ACE has detection for the command-and-control communication, preventing the malware from functioning correctly.

Our File Sandboxing tool classifies the ransomware payload as Malicious in the report here.

At the time of writing (25 February 2015) the file sample has a detection rate of only 3 out of 57 anti-virus vendors in VirusTotal.

Ransomware will continue to evolve as we progress through to 2015.  Once a machine has become infected and files encrypted there is a little that an end user can do to counter it.  To strengthen your overall security posture we recommend that you raise awareness within your employee base of the dangers and signs of ransomware, and adopt suitable technologies to identify and protect from the threat in the early stages of the threat lifecycle.

Blog Contributors: Mark Haffenden, Nicholas Griffin, Carl Leonard.