
CSF, so out of the thousands of students that go there we got one, and he got a job working for OpenDNS. So let me turn this over to you, because I'm curious to see what you got. Where'd you gra... when did you graduate? How far back...

Can you guys hear me okay? Sorry, I'm just trying to judge the mic beforehand. Just start talking. 2014.

So last year, and OpenDNS hired you right away, and now you're making $150 or 200,000 a year?

I was actually hired before I graduated.

Congratulations. Talk to them.

Hi. So, like Doug said, my name is Kevin Bottomley. I'm one of the security analysts at OpenDNS. I apologize for the spotlight behind my slide deck; you'll just have to bear with me. I'll put it up, probably on SlideShare or something, immediately following the talk. My Twitter handle is, you probably can't see it, k3v_b0t, so if you just follow that or look there you can find it.

So let's move ahead. Actually, Doug ruined this entire slide for me. Like you said, I graduated from City College in 2014 with the AS in computer networking and information security. I'm currently a security analyst with OpenDNS, along with half of the crowd, it looks like. I also spoke at BSides last year; I spoke at BSides LA, NASA AIM security week, and BSides NYC earlier this year.

A little bit about what we're going to go over: some of the common, prominent variants that we've seen in the ransomware department, some of the vectors of compromise, the C2 setup and design, and kind of how we went about tracking these and stopping them really quickly.

So this is kind of a little historical thing. This is your classic FBI lock screen, circa 2002 or 2012 or somewhere in there, 2011, mainly delivered by the Reveton Trojan family. It's basically just a fake lock screen that you would see. Sometimes it would tap into your webcam, give you your IP address, tell you that you were doing something illegal. Super easy to get around: you just boot into safe mode and use anything like Malwarebytes or something to remove the registry key and just get rid of it. Not really anything too crazy.

But as time went on we started to see this guy, who kind of came on the scene pretty fast: CryptoLocker. I think we all know who that is. Basically it was the first ransomware to really come out and start attacking your attached and network storage devices, so beyond just the main endpoint, using a 248-bit encryption processing schema, and it's also basically what every single crypto infection nowadays is called. We kind of started to see it in late 2013, around September, mainly through the Gameover Zeus botnet. The thing about that was that it was mainly using domain generation algorithms, so it would produce thousands of these domains at once and only actually register one of them as the C2, mainly to give people like researchers and analysts a pain-in-the-ass time trying to knock it offline. And then, it's really hard to see this, but the common schema of what a domain looked like is a bunch of random characters slammed together making a domain, and of course the bad part of the rule here, that's kind of hard to see on the screen, pretty much says it's bad anyway.

So around mid-2014 we saw the takedown of the Gameover Zeus botnet, which basically took CryptoLocker with it. But right around the same time we started to see a bunch of new variants emerge, starting with TorrentLocker, which we mainly saw in the Australian and New Zealand and some parts of the European areas. It was mainly sent in the form of a phish that looked like either you had gotten a red light ticket (and they have some name for red light tickets down in Australia that I don't remember, but it's not red light tickets) or a fake tax notice, and usually you would get redirected to a page that kind of looked like this, where it's an official State of Revenue tax notice with a captcha that you have to go through to make sure it's not some automated process. Most of the naming conventions for TorrentLocker, at least at the time when we were really looking into it, all kind of had an au or New South Wales slash post gov, and then whatever TLD at the end of it, and they basically set out a ton of domains that looked like this, like database-nsw-gov.org or some type of one-off that looked kind of legitimate. But the cool thing was that they used the exact same naming schema every single time, so all we had to do was go through and block every single TLD that had that naming schema behind it, and it would knock it offline pretty easy.

One of the other ones we started to see was AlphaCrypt or TeslaCrypt; it's basically the exact same thing, just revisioned. It kind of started out attacking video game extensions, so going after gamers basically, but they converted it over and started using DGA-based domains once again. Sorry, really hard to see, but it's basically just a bunch of letters, or letters and numbers, slammed together to make a domain, and then they would register one or two of them out of the thousands that were produced, so any type of lexical analysis on the domain should have been able to spot this in your network really easily, if you're doing any looking into that type of stuff, which hopefully you are. They kind of changed this up in the later versions to make it a little bit harder, using compromised domains, much like all the other ransomware variants started to do. The thing about the first round of TeslaCrypt was that it used a symmetric key, which is really bad on their part, but the Talos group was able to release what was called TeslaDecrypt, which is basically you could take a file, drop it into the TeslaDecrypt script, and it would be able to reverse engineer the key back or something, so you got to unlock all your files. And of course the nefarious actors read the blog about how to decrypt all this stuff, so they went and fixed that in the 2.0 version.

So now we start getting into our friend CryptoWall, actually, and this is kind of where a lot of this talk centers. CryptoWall kind of came out swinging there at the end of 2014. Instead of using all the normal DGAs and everything else, it used a compilation of compromised servers. Instead of exploiting stuff itself, we would see it used through an exploit kit, and then the binary and all that stuff, so they kind of changed up how CryptoLocker originally infected stuff. And then we also saw the implementation of Tor and I2P being used to kind of cover the proxy tracks, which... I didn't want to get in a battle with Tor.

So kind of what you see, this kind of shows up at least: your common compromise kind of happens either through the use of a phish or an exploit kit. So either someone clicks on the phish and follows the link, or they land on a page that's been compromised with either injected code or some malicious ads that are running; the exploit kit happens, and then the next procedure is a call out to a raw location IP address return, which basically just goes, you know, you're like "hey, where am I?" and then the domain goes "you're at 1.2.3.4" or whatever. And then after it figures out where it's at, there's a request sent to any one of numerous compromised web servers that act as a proxy in between the Tor C2s. So it basically fires off rapidly, like domain one, two, three in a list that it has hardcoded into it, to send the key and do all the key transfer and exchange with the main hidden C2 services.

An example of what you might see in your logs, if you happened to notice one of these ransomware infections: you would see this top domain here, which is actually the Angler exploit kit, and then pretty much immediately right after that you see this call to ip-address, which is the raw IP return domain, and there are a lot of these domains that do this. And then immediately after that, all these next four domains are compromised proxies for the C2 setup, so it's kind of easy to see; the times are super rapid fire.

Sorry. So the main thing that we're looking for here is this guy. There are actually a few reasons that they put this in here. One of them is geolocation, basically to figure out where the compromised endpoint is. One of the reasons they do this is there's a set of countries that it doesn't react in, mainly Eastern European, Iran, or any of your common APT countries that you hear about; it won't act in any of those countries, so you know, Ukraine, Russia, China, whatever. It might change the code as well, so depending on what the original exploit kit was doing, like you might hit Angler, but instead it might give you Bedep and do some click fraud stuff. One of the other things it would do originally was return the ransomware message in the native language of the country that you were in, so if you were in America the message would be in English, if you were in Spain the message would be in Spanish, French, etc. So it was this really nice feature that the authors had built into the system. Really nice people.

This part is going to be really hard to see, sorry. The other thing that it's used for is a unique identifier. When the request goes out to the C2s there's a string, and it's basically like a request ID: either a campaign ID or an affiliate ID, an MD5 of the system for the computer, OS information, and then at the very end is the IP address. They kind of do this for another couple of reasons: one is to only allow one infection per system, and then it also makes it so people like researchers and analysts have a harder time seeing exactly what's going on.

But at the same time it's kind of a gold mine, because what you can do is use open source tools like malwr; there's an API that you can use to actually do stuff quickly. So what we had done was put our intern on this project of making our own API for malwr so it could do a bunch of search and submit stuff really, really fast, which probably breaks the ToS or something, but whatever. What you get back after you do this search is a bunch of file hashes that have all been submitted to malwr that have that one artifact in them, the raw IP call out. So up here we have our search term or whatever, and then you get all of your AV results, which are basically taken from VirusTotal, and as you can see, it's kind of hard to see, but if you look at the file names they're all really super close, pretty much obviously the exact same thing, but they all have a different MD5 and the scores from VirusTotal are all different. So you don't really get the most consistent results back from the AV engines. If we go and look and just take one of the random hashes, this is kind of snipped out from the page because there's a lot of information, but in the artifacts here, in the domains, we have our ip-address call out and then right after that we have a bunch of other domains hardcoded into it, which are all basically signaling to us that they're the proxies for the ransomware binary. I did this for probably about a month, manually going through every hour, typing that in and searching to find brand new domains. Obviously it gets real tedious and it's not really efficient, especially in a big scale situation.

So what we started to do, and for some reason half of my slide isn't there, sorry, was use VirusTotal. I have no idea why this part of the slide isn't there, but there's VirusTotal and there's VirusTotal Intelligence. If you're lucky enough to have VirusTotal Intelligence, it gives you the back end with a really awesome API that allows you to do a lot of really searchable stuff. One of the things it allows you to do is use YARA rules to hunt for basically anything you want. So what we decided to do was set up a bunch of YARA rules in VirusTotal basically looking for these raw IP call outs. In here there are four of them: ip-address, curlmyip, myexternalip and ipinfo. All four of these are used by various ransomware families to figure out where they're at, but a lot of them are things like, for example, TorrentLocker will use myexternalip, which is a really noisy legitimate service that things like Nvidia and Google and Facebook and everything else use, so if you're really trying to just find that, you get a bunch of excess white noise and it's really hard to figure out where the bad stuff is. But luckily the nefarious actors decided to use ip-address, which almost no one uses, so it makes things stick out a little bit more, as we'll see here in a minute.

This is kind of an example of what you get back if you have those YARA rules set up. Just by knowing what rule hit we can tell, like, the first one's AlphaTesla, CryptoWall, CryptoWall, AlphaTesla, CryptoWall. It's pretty easy to identify, you know, put attribution to the sample. If we take this one we can take a quick look, and it's kind of the same thing that malwr had: there's our raw domain call and then some more malicious domains that are kind of hard to see, but they're there. So basically we were like, this works really well, but it's really slow and we're relying on other people to submit the sample.

So obviously we went a little bit bigger. A couple of the things that we look at, especially at OpenDNS, are two things: one of them is called a co-occurrence and the other one is a related domain. The sub-bullet points here: a co-occurrence is basically an endpoint that requests two or more domains in a short time, and by short time we're talking milliseconds. So if you land on Google, all that analytics stuff that happens at the exact same time is basically a co-occurrence, because it's like a batch. And then you have related domains, where there's a little bit more of a delay in the call, so it's more like a one-on-one type of thing.

So what we did was look at this. This is an internal picture from our Investigate tool that we have. As you can see, kind of down here there's a co-occurrence section, and then down over here there's a related domains section. This was kind of our gold mine, our treasure trove here: we could use ip-address to pivot. And then... I already went through that, thanks. Really? Okay. So basically, zooming in here, you can see this curlmyip and myexternalip, so that means basically in a sample it had ip-address, myexternalip and curlmyip or whatever as backups in case they couldn't reach ip-address.

I should kind of back up for a second. Originally, my first thing was I tried to block all of these raw IP calls to see if it actually stopped the infection, and I discovered that it doesn't. But it was a valiant effort on my part.

So basically what we started to do is look at what was going on here, and as you can see there are some legitimate domains: this is Microsoft, a bunch of Microsoft stuff, some Google, Microsoft. So there's still some noise, so you can't just block every domain that happens to be related to that domain. But aside from these circled things, every single other one of these domains is actually one of the CryptoWall proxies, except maybe one that I missed. So if you could filter out all this noise, you could basically say, okay, you're bad.

So basically what we did was set up a script to run that checked what was newly seen related to ip-address every x amount of time, and the script would run and be all like, "have I seen you yet?" If I've seen you, you have a decision, move on; if I haven't seen you, send out a notification to one of the analysts to take a bigger, deep-dive look into it, and then one of the analysts would determine if it was bad or not, just to help knock out the false positives. If it was bad we would block it and then update the training set, and then the cycle would rinse and repeat every x amount of time. Eventually what it allowed us to do was build up such a training set that every time a new domain was seen related to ip-address that didn't quite hit the score, we could block it in basically real time. So as soon as the very first instance that we would see anything related to that, minutes later we could send it off, block it, and it would never be an issue, which was pretty awesome.

This is hard to see again, but basically these relate to a couple of the domains that we had visited in a previous slide, and these bumps, these spikes, are basically when traffic starts to pick up. So if you look kind of halfway over here, there's no one ever going to these websites, and then all of a sudden they start taking off, and all of these single spikes are hundreds of requests, well, tens to hundreds or whatever of requests, by infected clients who have been exploited. That's the request trying to call to the C2, which can no longer get through, because we actually caught this stuff way below, well, at the beginning, before the spikes had even happened. So it was a pretty quick response time.

So basically using this method we were able to identify somewhere in the realm of, it was like 2,95, different Locker-based domains. Some of the other findings that we also came across were that it would surface some of the exploit kits, so we saw things like Angler, Neutrino and RIG, which was a side takeaway that we didn't actually expect but was pretty cool.

You're probably wondering about some of the ways to prevent this stuff. Pretty much the number one way, the best defense that you have, is basically backups. A lot of people don't do this often or well enough, but you basically want to do backups and keep them disconnected from your network, due to the ransomware mapping to all of your attached storage and everything. And then I'm adamantly all about AdBlock and NoScript; that kind of helps against your malvertising or your injected code. Social engineering, classic: you should train your end users against phishing, phishing, phishing and more phishing, because it happens a lot, especially with those invoice and resume attachments. And then my recommendation is you never pay the ransom. Of course some people might say that it's cheaper to pay the ransom than to deal with all the backups; it's a personal choice.

And then this kind of hard to see map was a geo distribution of the 2,95 domains that we saw, so you can kind of see they're pretty much all over the place except Africa. It's the safest place to have the internet. So, questions?

The geo distribution is of what exactly? Sorry.

The geo distribution is basically just a map of all the 2,95 compromised websites, where the IP addresses are hosted, yeah, where it was back-traced to, so, you know, at the time of finding out where they were hosted.

So, what, people are tracking the IP addresses of the malware control signs, or the encryption malware is going to start encrypting things first?

Wait, sorry, can you... If I understood right, you were identifying the evil sites to keep people from connecting to, so that they didn't get infected?

Oh, so you're asking if they start encrypting before they make that call to the proxy? Well, they have to be able to export everything, like all the command structure, so they know which system is calling, because if they don't send that out first then they won't be able to decrypt the computer, and if they can't decrypt the systems then no one's ever going to pay the ransom, because no one will ever be able to get their stuff back. So yeah.

But if you block it in a way that you can tell the victim "unblock this or you'll never get decrypted," that would sound like, you know, that they may have some... at this point in time the encryption...

Oh yeah, we're on video. I can't speak for them. Yeah, so that's going to be my get-out of that question there.

Why are there so many countries that they don't attack?

You don't want to infect your mom. Affiliate program, probably, something. I haven't been able to talk to him and ask him that far into it yet. Yeah, you know, I mean, I guess it would be like an Axis and Allies type thing maybe, you know, I don't know. Extradition? Profitable? Yeah, you know, that's probably a pretty good answer.

I'm looking at the guy from Belarus behind you. I'm specifically staying away from anything recent, mainly because of that camera over there and the people who watch stuff, but a lot of the Locky stuff is all DGA-based currently. A lot of this DGA stuff, you know, it all comes from a seed, so once you reverse it and you get the seed you can just mass block all the domains ahead of time, which is something that's kind of going on with Locky right now. Does that kind of answer your question, without answering the question? Those people over there have got a great name, yeah.

Yeah, it's the same Dridex people, so the Dridex campaign guys are the Locky campaign people. I saw that there.

You... are something like, as the file, and then create a header where you attach the RSA, and like, you would be giving people the phish, you would bundle that... you're under arrest. Okay.

Yeah, so you are kind of pivoting off the other question about the pre-encryption before the call to the proxies. I think it all kind of goes back to: if you can't talk to the main C2s, then the C2s won't be able to get the key at all that way first. And then after you've already encrypted everything, then you send the private key over, or you actually communicate with the C2 server, and if they want to decrypt their files then they have to allow you to communicate out. Like, why are you doing this? I think there are some people in Eastern Europe right now who probably want to talk with you about some ideas. Yeah.