Slashdot Mirror


Crypto-Ransomware Encrypts Files "Offline"

An anonymous reader writes: Ransomware comes in various forms, and not all ransomware encrypts files — some just block computers until the ransom is paid. When the file encryption feature is included, the encryption key is usually sent to the malware's C&C server, which is controlled by the crooks — but not always. Researchers have recently analyzed a crypto-ransomware sample that demonstrated an alternative method of encrypting files and delivering the key (i.e., the information required to discover the right key) to the criminal behind the scheme — it doesn't need to contact a C&C to receive an encryption key or to send it to the crook.

24 of 54 comments

  1. Stupid summary by Kjella · · Score: 4, Insightful

    So instead of the malware actively sending the key, the victim has to send one of the encrypted files instead, big whoop. The method is the same, encrypt your files and put the key in a message encrypted for the malware author. Who does the sending is a technicality.

    --
    Live today, because you never know what tomorrow brings
    1. Re:Stupid summary by Kjella · · Score: 1

      Difference is that this means you can't block it by filtering your internet connection.

      So what's the failure mode here... the malware has the public key embedded, it encrypts your files with a random key, puts the key in an encrypted message (for which you don't have the private key), tries to send it and.... no. Does it say "Sorry for the inconvenience, I'll just decrypt your files and move along"? My money would be on no.

      --
      Live today, because you never know what tomorrow brings
    2. Re:Stupid summary by dbIII · · Score: 1

      The technicality is that you are trusting someone who has carried out a criminal act on you already.

      If you don't have good backups the nature of the malware is that it writes out an encrypted copy of a file, deletes the original, and then goes on to the next one. In a lot of circumstances a file undelete program such as "photorec" can get the original files back, but it can be time consuming since the names of the files are lost.

    3. Re:Stupid summary by darkmeridian · · Score: 1

      That's quite a change! Prior malware had hard-coded C&C servers, which were susceptible to hacking or white-knight control. This system allows these extortionists to change the address on the fly.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    4. Re:Stupid summary by Aaden42 · · Score: 1

      Any reasonable implementation would overwrite the victim file's blocks with the encrypted ones in-place. Most filesystems can't do anything to undelete that. A copy-on-write system like ZFS would technically still have the blocks, but good luck reconstructing the metadata if you don't have a snapshot pinned to them. SSD wear leveling might also preserve the original blocks, but again good luck getting to them in the right order.

  2. Transmission of the Key by Coren22 · · Score: 5, Informative

    So, to save others having to click the link, the method of the key transmission is like this:

    The first part of every file contains the key encrypted with the ransomer's private key. The victim needs to send at least one file to the ransomer, who then uses it to extract the key and send it to the victim.

    The ransomware also has some odd features, from TFA:

    Once downloaded and run on the machine, the ransomware encrypts all personal files and renames them. The new names follow the following format: email-[address to contact].ver-[Ransomware internal version].id-[Machine identifier]-[Date & Time][Random digits].randomname-[Random name given to the encrypted file].cbf (example: email-Seven_Legion2@aol.com.ver-CL 1.0.0.0.id-NPEULAODSHUJYMAPESHVKYNBQETHWKZOBQFT-10@6@2015 9@53@19AM5109895.randomname-EFWMERGVKYNBPETHVKZNBQETHWKZNB.RGV.cbf).

    The researcher also recommends paying up, as there does not appear to be any way around this one.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
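The renamed-file format quoted in the comment above carries the contact address, the malware version, a machine identifier and a timestamp, which is exactly what an incident responder wants pulled out of a directory listing. The following parser and triage helper are an added example written for this page, not code from the article or from the researchers; the field separators (".ver-", ".id-", ".randomname-") come from the quoted format, while the character classes, the assumption that the date is month@day@year, and all filenames other than the quoted sample are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the naming scheme quoted in the comment:
# email-<contact>.ver-<version>.id-<machine id>-<date&time><random digits>.randomname-<random name>.cbf
# Field boundaries are from the quoted format; character classes are assumptions
# derived from the single quoted sample.
CBF_NAME = re.compile(
    r"^email-(?P<email>.+?)"
    r"\.ver-(?P<version>.+?)"
    r"\.id-(?P<machine_id>[A-Z0-9]+)"
    r"-(?P<timestamp>\d{1,2}@\d{1,2}@\d{4} \d{1,2}@\d{2}@\d{2}[AP]M)"
    r"(?P<random_digits>\d+)"
    r"\.randomname-(?P<random_name>.+)"
    r"\.cbf$"
)

# First entry is the sample quoted on the page; the others are constructed.
SAMPLE_NAMES = [
    "email-Seven_Legion2@aol.com.ver-CL 1.0.0.0.id-NPEULAODSHUJYMAPESHVKYNBQETHWKZOBQFT"
    "-10@6@2015 9@53@19AM5109895.randomname-EFWMERGVKYNBPETHVKZNBQETHWKZNB.RGV.cbf",
    "email-Seven_Legion2@aol.com.ver-CL 1.0.0.0.id-NPEULAODSHUJYMAPESHVKYNBQETHWKZOBQFT"
    "-10@6@2015 9@55@02AM7710042.randomname-QQWERTYUIOPASDFGH.cbf",
    "email-contact@example.invalid.ver-CL 1.0.0.1.id-CONSTRUCTEDMACHINEID"
    "-10@7@2015 11@01@45PM31337.randomname-ZXCVBNM.cbf",
    "report.docx",  # untouched file, must not match
]


def parse_timestamp(raw):
    """Convert '10@6@2015 9@53@19AM' to a datetime.

    '@' stands in for '/' and ':' in the filename. Assumption: the date part is
    month@day@year; the quoted sample alone cannot settle day/month order.
    """
    date_part, time_part = raw.split(" ")
    normalized = date_part.replace("@", "/") + " " + time_part.replace("@", ":")
    return datetime.strptime(normalized, "%m/%d/%Y %I:%M:%S%p")


def parse_cbf_name(filename):
    """Return the indicator fields from one renamed file, or None if it does not match."""
    m = CBF_NAME.match(filename)
    if not m:
        return None
    fields = m.groupdict()
    fields["encrypted_at"] = parse_timestamp(fields["timestamp"])
    return fields


def triage(filenames):
    """Group matching filenames by (contact email, machine id) with counts and a time window."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None, "versions": set()})
    for name in filenames:
        fields = parse_cbf_name(name)
        if fields is None:
            continue
        entry = summary[(fields["email"], fields["machine_id"])]
        entry["count"] += 1
        entry["versions"].add(fields["version"])
        ts = fields["encrypted_at"]
        if entry["first"] is None or ts < entry["first"]:
            entry["first"] = ts
        if entry["last"] is None or ts > entry["last"]:
            entry["last"] = ts
    return dict(summary)


if __name__ == "__main__":
    for key, entry in triage(SAMPLE_NAMES).items():
        print(key, entry["count"], entry["first"], entry["last"], sorted(entry["versions"]))
```

The time window per machine is useful because the thread's other comments argue about backup retention: the earliest timestamp tells you which backup generation predates the encryption run.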
    1. Re:Transmission of the Key by Anonymous Coward · · Score: 2, Insightful

      The correct reaction however is to treat it like you accidentally wiped the disk: Restore from backup or, if you don't have a backup, learn your lesson and start making backups. Giving in to extortion just breeds more extortion.

    2. Re:Transmission of the Key by cavreader · · Score: 1

      It would be nice if the so called "security researches" and all the high dollar security firms could actually prevent an attack every now and then. As it is the best these experts seem to be able to do is conduct postmortems after the damage is already done. It's plain to see that the real "security experts" are those creating malware and the ones trying to prevent malware and other security weak spots are 2 steps behind.

    3. Re:Transmission of the Key by Anonymous Coward · · Score: 1

      As of now, this works, but malware is arguably the most well written software in existence these days, but I wouldn't be surprised if the next generation of software would have a random delay, not just to hide when the machine got infected, but to foul up backups. Of course, too much of a delay, and that adds time that the software can be detected.

      I wouldn't be surprised to see the next iteration of ransomware install a shim driver, then sit in the background encrypting files as this software does, but either leave the originals (hiding the encrypted files) or automatically/transparently decrypting the encrypted files (with a session key stashed in RAM), until a point in time is reached, or the machine is rebooted. What this will do is foul up backups (for example, some cloud utilities only keep one version, others only keep 30 days.) Further advances will detect backup software, intercept the reads to encrypted files, and hand over pseudorandom garbage (so a verify pass will see the same data as the copy.)

      Of course, we haven't even touched the damage malware can do if it gets Domain Admin or EA rights.

    4. Re:Transmission of the Key by Anonymous Coward · · Score: 1

      The researcher also recommends paying up, as there does not appear to be any way around this one.

      Apart from creating backups that is

    5. Re:Transmission of the Key by cavreader · · Score: 1

      "Ditch windows"
      A "properly administered" Windows OS is no more secure or non-secure than any of the other popular OS's being used today. Windows just presents a bigger footprint. Windows' biggest weaknesses can be attributed to inept system administration, sloppy security patch procedures, bad user account setup, social engineering, and poor firewall administration. These same weaknesses also apply to all of the other OS's being used today. And unfortunately ditching Windows would also mean ditching all the programs running on the system. Other OS's provide some of the applications being run on Windows so your average user might adjust to the transition. However, all the businesses running internally developed custom Windows applications will not be keen on having to re-build all those applications to run on another platform.

      "Don't run the most vulnerable software, it does not matter if it is "industry standard"." And what if this vulnerable software is the only option? I am forced to work with a 3rd party PLC interface library that could be vulnerable but there is no other choice available that meets my criteria.

      You can build a secure OS of any flavor and then have it fall apart as soon as administrators, developers, and support staff start using it. And enough with the "sheep" BS. You're almost out of puberty so put a lid on your arrogance and realize being OS agnostic will serve you well when you get your first job in a couple of years.

  3. Dang... by truck_soccer · · Score: 2

    So they were able to contact the author of the malware, but are unable to find him and bring him to justice?

    1. Re:Dang... by Coren22 · · Score: 1

      Russia has no desire to prevent crime like this, they don't give a damn about anyone but themselves.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    2. Re:Dang... by truck_soccer · · Score: 1

      Well played. I figured that because this guy is targeting other Russians, sooner or later he'll hit the "wrong" machine and get sent to Siberia.

  4. Crypto-Ransomware runs on the machine .. by nickweller · · Score: 1

    "Once downloaded and run on the machine"

    How does this 'Ransomware' get downloaded and run on the machine?

    1. Re:Crypto-Ransomware runs on the machine .. by PhunkySchtuff · · Score: 1

      Just like the vast majority of malware gets downloaded and run - phishing and drive-by downloads.

      The most recent ones I've seen were from the Australian Federal Police warning you about a traffic infringement - please open the attachment to see the photo.

    2. Re:Crypto-Ransomware runs on the machine .. by tlhIngan · · Score: 1

      How does this 'Ransomware' get downloaded and run on the machine?

      Easy. From most likely to least, here's a few ways

      1) User visits web page, web page says it needs to install a plugin to work, click here for the link. (Variants include downloading a movie that shows "Codec not installed. Visit http://evil-site.example.com/c... to download required software", email that says "Your invoice is enclosed - refund and cancellation instructions contained within" (interestingly - all those emails for fake invoices always make it so helpful to cancel the order), and many others).

      2) User downloads pirated software or crack/keygen wrapped with this software so before the crack/keygen runs, it infects the PC. This is a very popular way, so popular that malware authors are dispensing with the whole "wrapping" aspect (where a legitimate application has a malware executable set to run first then the application, bundled into a single file) and just releasing the malware stubs under all sorts of filenames in the hopes the user will download it and blindly click it.

      3) Infected media exploiting autoplay (USB, optical disc, etc)

    3. Re:Crypto-Ransomware runs on the machine .. by dbIII · · Score: 1

      The copy of Internet Explorer on many machines sucks so badly that it helpfully runs code on webpages that tell it to install and run the malware. All the user has to do is click on a link in an email in MS Outlook or webpage in IE to start off the process.
      Ridiculous in 2015, stupid in 2005, not all that clever in 1995 so it seems we have to put up with this shit forever no matter how many times developers are warned not to do stupid shit in networked software.

  5. Minor technicality... by PhunkySchtuff · · Score: 1

    With ransomware, like Cryptolocker, it doesn't generate the key and then send it to the C&C servers - the machine doing the encrypting (i.e. what was your machine before it got owned) never has the private key in its possession. When it's ready to start encrypting, it contacts the C&C server. The C&C server generates a new private/public keypair and sends the public key to the owned machine. The owned machine then starts encrypting everything with the public key, and only the private key (that resides on the C&C server and nowhere else) is able to decrypt the files.

    This means that even if you were monitoring all network traffic and you scour the memory and the disk, you will never see a copy of the private key needed to decrypt the files.

    Anyway, I'm going off on a tangent here, this doesn't have much to do with TFA...

    1. Re:Minor technicality... by ArmoredDragon · · Score: 1

      In this case they're trying to do it in such a way that requires no contact with C&C. I.e. the target downloads and installs "cool free app that you must try now" from a site not owned by the C&C owner. But because lots of firms are routinely shutting down C&C botnets, we just skip the C&C process, and from what I gather they do something like this:

      - Include hardcoded public key with trojan package
      - Generate 256-bit key
      - Encrypt file with said key
      - Encrypt symmetric key with asymmetric public key
      - Inject the encrypted symmetric key into the filename

      The ransom "drop" would then happen like this:

      - Target emails the file (or just the filename) and sends bitcoin payment.
      - Perp decrypts symmetric key using asymmetric key, mails a file back to the target with information required for the trojanized malware to decrypt all of the files, thus completing the transaction.

  6. Pardon my asking by Provocateur · · Score: 1

    What's a C & C server? I think I missed the memo...(Command and Conquer? shows you how much I think I know)

    --
    WARNING: Smartphones have side effects--most of them undocumented.
    1. Re:Pardon my asking by QRDeNameland · · Score: 1

      What's a C & C server?

      A cocktail waitress.

      --
      Momentarily, the need for the construction of new light will no longer exist.
    2. Re:Pardon my asking by LordWabbit2 · · Score: 1

      Clearly you are trolling, a simple google of "C & C server" tells you exactly what it is in the first link.
      If you are not, then perhaps you should not be reading /. posts if you can't figure out how to google.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  7. We could use a detection app by hackertourist · · Score: 1

    A program that constantly monitors my documents, and warns when a document is encrypted. That would give me time to stop the next backup from happening (so I can prevent the malware from accessing the backup medium), and to nuke the malware before it can do more damage.
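The detector asked for above can be built from two observations made elsewhere in this thread: encrypted content has a near-flat byte histogram (so its Shannon entropy jumps towards 8 bits per byte), and this family either overwrites files in place or writes a renamed copy and deletes the original. The following snapshot-and-diff monitor is an added example written for this page, not a tool from the article; the entropy threshold, the minimum file size and the sample documents are constructed assumptions, and random bytes stand in for ciphertext because only the byte distribution matters to the check.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Tunables chosen for this example (assumptions, not values from the page).
ENTROPY_ALERT = 7.5          # bits/byte; compressed or encrypted data sits near 8.0
MIN_SIZE = 256               # very small files give noisy entropy estimates
SUSPICIOUS_SUFFIXES = {".cbf"}   # the extension quoted in the thread


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for a flat histogram."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def snapshot(root):
    """Map each regular file under root (relative path) to (size, entropy)."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            state[path.relative_to(root).as_posix()] = (len(data), shannon_entropy(data))
    return state


def diff_snapshots(before, after):
    """Compare two snapshots and return (reason, filename) alerts.

    entropy-jump:       an existing file went from low to high entropy (in-place overwrite)
    new-ransom-suffix:  a new file carrying the ransom extension appeared (encrypted copy)
    deleted:            a file from the baseline is gone (original removed after copying)
    """
    alerts = []
    for name, (size, ent) in after.items():
        prev = before.get(name)
        if prev is None:
            if Path(name).suffix.lower() in SUSPICIOUS_SUFFIXES:
                alerts.append(("new-ransom-suffix", name))
        elif size >= MIN_SIZE and ent >= ENTROPY_ALERT and prev[1] < ENTROPY_ALERT:
            alerts.append(("entropy-jump", name))
    for name in sorted(before.keys() - after.keys()):
        alerts.append(("deleted", name))
    return alerts


def demo():
    """Constructed scenario: baseline scan, then a simulated in-place overwrite and a rename-and-delete."""
    with tempfile.TemporaryDirectory() as root:
        docs = Path(root)
        (docs / "report.txt").write_bytes(("quarterly report " * 40).encode())
        (docs / "notes.txt").write_bytes(b"remember to rotate backups\n" * 20)
        before = snapshot(root)
        # Simulated attack effects; os.urandom stands in for ciphertext.
        (docs / "report.txt").write_bytes(os.urandom(4096))   # overwritten in place
        (docs / "notes.txt").unlink()                           # original deleted ...
        (docs / "notes.cbf").write_bytes(os.urandom(4096))     # ... after an encrypted copy was written
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for reason, name in demo():
        print(f"ALERT {reason}: {name}")
```

In a real deployment the snapshot would run on a schedule or from a filesystem-change notification, and a single alert would be the trigger to pause the backup job, which is the response the comment asks for. Legitimately compressed or already-encrypted documents (archives, PDFs with embedded images, password-protected office files) will also score high, so the entropy rule is best used as a change detector against a baseline rather than as an absolute classifier.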