Ransomware Explosion Continues: CryptFlle2, BrLock and MM Locker Discovered

Alkajak

Thread author
Ransomware makes headlines when hospitals are taken offline or police departments pay cybercriminals to decrypt their files. Established threat actors have also begun distributing ransomware in high volumes (as with Locky) and through exploit kits (à la CryptXXX), further raising the profile of ransomware in the security and business communities. However, an even bigger story that sometimes gets lost in the noise around high-profile infections is the rapid development of new strains of ransomware. The sheer number of new ransomware variants that have emerged in the wild in 2016 increases the chances that both businesses and individuals will encounter this type of malware.

Figure 1 shows the increase in the total number of ransomware strains that have emerged since December 2015:

[Image: roundup-1.png]

Figure 1: Total new ransomware strains in the wild since December 2015 observed in Proofpoint and public sources

Some of these variants have not gained significant traction and none, so far, have matched Locky in terms of scale. But, as we described in February, ransomware appears to have become the new "Hello World" of malware with experienced actors and new players alike getting into the market. We are also observing new features, highlighted in some of the examples in this post, as well as a maturing black market for ransomware as illustrated by Appendix A, an underground forum advertisement for ROI Locker. This ad is fairly typical of this type of malware, as well as "ransomware-as-a-service" offerings. The analysis here provides additional insight into these new features, aspects of code sharing and reuse, as well as the market itself.

Analysis

CryptFIle2

CryptFIle2 started spreading in mid-March 2016, delivered by Nuclear and Neutrino exploit kits. We named this ransomware based on the debug string in one of the samples, “S:\Crypt\CryptFIle2\Release\CryptFIle2.pdb”. This ransomware encrypts files of interest and demands Bitcoin payment for an unknown sum via email communication with the attacker.

[Image: roundup-2.png]

Figure 2: CryptFIle2 ransom message

To alert the victim that they are infected and their files are encrypted, this ransomware creates two types of files, similar to many other types of ransomware, on the Desktop and sprinkled in many other folders on the system:

  • HELP_YOUR_FILES.HTML
  • HELP_YOUR_FILES.TXT

The encrypted files are renamed to contain the original file name, followed by the “.id_[personalid]_[ransomemail].scl” extension. In this new extension, the “personalid” is a 16-character string consisting of lower-case letters and numbers. The “ransomemail” is the email with which the infected user is supposed to communicate to get their files decrypted. Examples of renamed files appear below:

  • file.txt.id_a0d01d07e030f060_email_xerx@usa.com[.]scl
  • settings.xml.id_a0d01d07e030f060_email_xerx@usa.com[.]scl

[Image: roundup-3.png]

Figure 3: Partial list of the file extensions that this ransomware encrypts, including popular types such as “doc,” “xls,” and “ppt.” The complete list includes 1207 filename extensions.

Files are encrypted using RSA encryption. Below we show a screenshot of a key generation algorithm from the sandbox environment, with the generated public key exported using the CryptExportKey API.

[Image: roundup-4.png]

Figure 4: Key generation prior to file encryption

Shortly after infection, the malware

  • Performs a connectivity check by resolving google.com
  • Contacts the C&C server to report the infected machine's unique id (the “idn” parameter) and the key generated previously (the “key” parameter).

Note, however, that successful communication with the C&C server is not necessary for file encryption to occur.

[Image: roundup-5.png]

Figure 5: Network traffic generated by the ransomware

It is likely that this ransomware is another one in the series of CrypBoss clones [1][2][3], which already include HydraCrypt and UmbreCrypt. We arrived at this conclusion based on a comparison of the CryptFIle2 code to a HydraCrypt sample [4]. While the two code bases differ substantially (and in fact CryptFIle2 removes a lot of functionality, including the option to delete shadow volumes), there are several similarities, including:

  • Network protocol (key passed as comma-separated bytes, with a connectivity check to google.com)
  • String obfuscation
  • Encrypted file extensions
  • Ransom message (states that your “guarantee” for getting your files back is the fact that the attacker will decrypt one file; “EMAIL-1” and “E-MAIL2” variables are also used in UmbreCrypt)

[Image: roundup-6.png]

Figure 6: String obfuscation instruction similarities between HydraCrypt (left) and CryptFIle2 (right)

ROI Locker (aka Manamecrypt.A, CryptoHost)

[Image: roundup-7.png]

Figure 7: ROI Locker initial ransom screen

ROI Locker was identified early in April, but appears to have been in circulation as early as March, based on our observation of an advertisement in an underground market. This ransomware is potentially distributed via rogue software websites, based on the fact that this sample was observed sporting the icon of the popular P2P application uTorrent, and is bundled with a uTorrent installer. After ROI Locker is installed, it makes its presence known to the victim in the usual manner with a variation on a lock screen. However, under the hood it operates much differently.

ROI Locker differentiates itself from other ransomware variants mainly in the ransom note screen, as well as the “encryption” mechanism it employs. ROI Locker moves commonly used file-types found on the victim computer into a password-protected RAR archive. Once the files are moved into the RAR archive, ROI Locker spawns an application which contains detailed information for the victim about the infection and the status of their files, as shown in Figure 7. However, due to the way in which this process is carried out, the password to the RAR archive can be found in clear-text in the victim machine’s memory. Additionally, it is important to note that a decrypter has been made publicly available for this ransomware, and can be found with additional details at BleepingComputer [5].

ROI Locker attempts to encrypt the following file types:

.jpg, .jpeg, .png, .gif, .psd, .ppd, .tiff, .flv, .avi, .mov, .qt, .wmv, .rm, .asf, .mp4, .mpg, .mpeg, .m4v, .3gp, .3g2, .pdf, .docx, .pptx, .doc, .7z, .zip, .txt, .ppt, .pps, .wpd, .wps, .xlr, .xls, .xlsl

When executed, ROI Locker will make a copy of itself named “cryptohost.exe” located in the C:\Users\<User>\AppData\Roaming\ directory. Once there, another binary is created and dropped in the same directory called “processor.exe”. This appears to be a version of WinRAR and carries out deletion and addition of identified files to the RAR archive. It should be noted that ROI Locker deletes files after moving them to the RAR archive. Therefore, there is no filename extension for encrypted files associated with this ransomware.

Executed Command via WinRAR

C:\Users\[User]\AppData\Roaming\processor.exe A -r -p{SHA-1 Hash of System Info}[User] -m0 -dw C:\Users\[User]\AppData\Roaming\{SHA-1 Hash of System Info}.rar C:\*.jpg C:\*.jpeg C:\*.png C:\*.gif C:\*.psd C:\*.ppd C:\*.tiff C:\*.flv C:\*.avi C:\*.mov C:\*.qt C:\*.wmv C:\*.rm C:\*.asf C:\*.mp4 C:\*.mpg C:\*.mpeg C:\*.m4v C:\*.3gp C:\*.3g2 C:\*.pdf C:\*.docx C:\*.pptx C:\*.doc C:\*.7z C:\*.zip C:\*.txt C:\*.ppt C:\*.pps C:\*.wpd C:\*.wps C:\*.xlr C:\*.xls C:\*.xlsl

Switch | Function
A      | Create RAR archive
-r     | Recursive search of subfolders
-p     | Set password
-m0    | Set compression method; 0 indicates files are added with no compression
-dw    | Wipe files after archiving

Once running, ROI Locker will close the browser if it contains certain keywords. For example, it will kill the browser if the victim visits certain websites, such as Amazon.com. It displays an error letting the user know they need to pay the ransom before they can go on the Internet. Some of the monitored keywords include:

anti virus, anti-virus, antivirus, avg, bitdefender, eset, mcafee, dr.web, f-secure, internet security, obfuscator, debugger, monitor, registry, system restore, kaspersky, norton, ad-aware, sophos, comodo, avira, bullguard, trend micro, eset, vipre, task manager, system configuration, registry editor, game, steam, lol, rune, facebook, instagram, youtube, vimeo, twitter, pinterest, tumblr, meetme, netflix, amazon, ebay, shop, origin

This appears to be a new feature for ransomware and demonstrates another tactic adopted by ransomware authors to prevent victims from getting help recovering their files.

[Image: roundup-8.png]

Figure 8: ROI Locker notifying user they cannot visit this web page before paying the ransom

The ROI Locker ransom note is an interactive program which offers the user a few pointers to help them troubleshoot their predicament. First, there is an option to “Review Locked Files”. This will read data in from a file that is created in the /AppData/Roaming/ directory called “files” and display them for the user.

[Image: roundup-9.png]

Figure 9: ROI Locker showing a list of “encrypted” files

ROI Locker attempts to assist the victim by explaining both how Bitcoin works and where to buy it, as well as how to then use the acquired Bitcoins to pay and unlock the files on their computer. The exact amount shown in the ransom screen must be paid for a successful decryption of files, a point the author of this ransomware emphasizes.

[Image: roundup-10.png]

Figure 10: ROI Locker explaining how to purchase and use Bitcoin

[Image: roundup-11.png]

Figure 11: ROI Locker explaining how to make a payment to unlock files

There is also an option on the ransom screen to check on the status of the payment, which will check the Wallet ID via blockchain.info to see whether or not the amount shown in the ransom screen was transferred into the attacker’s wallet. If the funds have not been transferred, a message shown in Figure 12 will appear.

[Image: roundup-12.png]

Figure 12: ROI Locker after checking the payment status

The last option that we observed allows the user to uninstall the ransomware, but in the process also deletes the “encrypted” files, as seen in Figure 13.

[Image: roundup-13.png]

Figure 13: ROI Locker allowing victim to remove the installed program, but lose all files

While ROI Locker can be easily defeated in several ways, it is worth pointing out that ransomware authors are becoming more and more creative in implementing their “product.” In the case of ROI Locker, this creativity manifests itself in the use of a legitimate file compression tool to remove and store all files in a local, locked archive. Additionally, the author of this program chose to use an interactive ransom note for several functions while blocking potential searches for outside help, a combination unlike the majority of other ransomware families.

BrLock

BrLock was found on April 18, 2016, but the exact date of its first appearance might be earlier. We named this ransomware based on comments inside the disassembled .NET code of the sample. This ransomware targets Russian-speaking users and the lock screen is exclusively in Russian. The locker reboots the machine with “shutdown.exe -r -t 0” and creates a “ransom” browser window after reboot. This window fills the entire screen. Additionally, Task Manager and Explorer processes are killed, so the user cannot use those to get rid of the ransom window.

The ransom demanded is 1000 Rubles (approximately $15 USD at the time of writing) to be paid to a “Билайн” (Beeline) phone number. (Beeline is a popular mobile phone service provider in Russia). The malware does appear to have the capability to actually encrypt the files using AES, although we have not investigated it further.

[Image: roundup-14.png]

Figure 14: BrLock ransom screen informs the user that the “Ministry of Interior of Russian Federation” blocked the computer for breaking the law (viewing and copying pornographic material with other illegal content)

MM Locker

[Image: roundup-15.jpg]

Figure 15: Wallpaper downloaded by MM Locker

Early in March, Proofpoint researchers came across a ransomware sample dubbed "MM Locker" due to the presence of a PDB path of "c:\mm\mm\obj\Release\mm.pdb". This sample is fairly straightforward, and is similar to conventional lockers in that it drops "help" files, and utilizes network communication to exchange keys. Files encrypted by MM Locker have an extension of ".locked" and a file called "READ_IT.txt" will appear on the desktop. Additionally, a wallpaper is fetched from Imgur and is set as the background.

Of interest are the lengths to which the author went in the READ_IT.txt note to convince the victim to consider paying the ransom and receiving a decryption key. Below is an excerpt of the note (which can be read in its entirety in Appendix B).

[Image: roundup-16.png]

Figure 16: Excerpt from MM Locker READ_IT.txt

MM Locker searches for and encrypts the following file types:

.txt, .doc, .docx, .xls, .xlsx, .pdf, .pps, .ppt, .pptx, .odt, .gif, .jpg, .png, .db, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .frm, .myd, .myi, .dbf, .mp3, .mp4, .avi, .mov, .mpg, .rm, .wmv, .m4a, .mpa, .wav, .sav, .gam, .log, .ged, .msg, .myo, .tax, .ynab, .ifx, .ofx, .qfx, .qif, .qdf, .tax2013, .tax2014, .tax2015, .box, .ncf, .nsf, .ntf, .lwp

Network traffic created by MM Locker begins with a POST to a hardcoded server and URI of “/createkeys.php”. This traffic also contains the username and computer name of the victim machine as well as a hardcoded “servkey” token. A similar network request is made to a “/savekeys.php” URI.

[Image: roundup-17.png]

Figure 17: Network request to “createkeys.php”

Next, a request is made to the “/getamount.php” URI, to which the server returns the ransom Bitcoin amount to be displayed to the user. Also, a request is made to the image hosting website Imgur, from which it retrieves a .jpg that is later set as the victim’s Desktop wallpaper. Finally, the infected machine downloads the decryption tool during the infection process.

[Image: roundup-18.png]

Figure 18: Infected machine downloads the decryption tool

After the encryption routine has finished, keys have been exchanged with the C&C server, and the wallpaper image and decrypter program have been downloaded, the victim machine will send one final request to the C&C server with a URI of “/finished.php” indicating the process has been completed.

Conclusion

As ransomware becomes more common and pervasive and new actors join the fray, we are observing a number of important trends:

  • Ransomware is proliferating rapidly; not all variants get significant traction but the proliferation continues to increase opportunities for infection
  • There is significant code reuse among variants
  • Despite the code reuse, actors and authors are finding new and creative ways to compel infected users to pay the ransoms
  • The black market for ransomware is active and growing.

The four examples in this post demonstrate elements both of the reuse of code and ways in which new authors are differentiating their products. We expect to see continued growth in ransomware, echoed by recent statements from the FBI and others, making implementation of best practices (regular backups and robust network, endpoint, and email protection) essential.
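A constructed triage script illustrating the three artifact types described in the post above (an added example, not code from Proofpoint or from the malware): it parses CryptFIle2-style file names, scores a ROI Locker-style WinRAR command line, and spots the MM Locker C&C URI sequence in proxy log lines. It assumes a proxy-log format of `<timestamp> <client> <method> <url>`, a 40-character hex SHA-1 in the ROI Locker archive name, and placeholder paths and addresses.

```python
"""Triage helpers for the artifacts described in the post above. Constructed example,
not the malware's or Proofpoint's code; the proxy-log format and hex SHA-1 are assumed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# CryptFIle2: <original>.id_<personalid>_email_<address>.scl, where personalid is
# 16 lower-case letters/digits (as the post describes).
CRYPTFILE2_RE = re.compile(
    r"^(?P<orig>.+)\.id_(?P<pid>[a-z0-9]{16})_email_(?P<email>[^\\/]+@[^\\/]+)\.scl$")

def parse_cryptfile2_name(filename):
    """Original name, personal id and ransom e-mail, or None if not CryptFIle2-style."""
    m = CRYPTFILE2_RE.match(filename)
    return {"original": m["orig"], "personal_id": m["pid"], "email": m["email"]} if m else None

def cryptfile2_ids_in_listing(names):
    """Group renamed files by (personal id, e-mail) pair; the post's examples show one
    pair per infected machine, so distinct pairs point at distinct infections."""
    groups = defaultdict(list)
    for name in names:
        hit = parse_cryptfile2_name(name)
        if hit:
            groups[(hit["personal_id"], hit["email"])].append(hit["original"])
    return dict(groups)

# ROI Locker: WinRAR ("processor.exe") run from %AppData%\Roaming. The archive is
# named after a SHA-1 of system info; 40-char hex encoding is an assumption here.
ROI_EXE_RE = re.compile(r"\\AppData\\Roaming\\processor\.exe$", re.IGNORECASE)
ROI_ARCHIVE_RE = re.compile(r"\\AppData\\Roaming\\[0-9a-f]{40}\.rar$", re.IGNORECASE)

def score_rar_cmdline(cmdline):
    """Traits of a RAR command line plus a verdict. Tokens are split on whitespace,
    so quoted paths containing spaces are not handled."""
    exe, *args = cmdline.split()
    switches = [a for a in args if a.startswith("-")]
    positional = [a for a in args if not a.startswith("-")]
    traits = {
        "exe_in_roaming": bool(ROI_EXE_RE.search(exe)),
        "add_command": bool(positional) and positional[0].upper() == "A",
        "password_set": any(s.startswith("-p") and len(s) > 2 for s in switches),
        "no_compression": "-m0" in switches,
        "wipe_after_archiving": "-dw" in switches,
        "archive_in_roaming": len(positional) > 1 and bool(ROI_ARCHIVE_RE.search(positional[1])),
        "drive_root_wildcards": sum(p.startswith("C:\\*.") for p in positional[2:]),
    }
    # Password-protected archive, wiping of the sources and a RAR binary in Roaming is
    # the combination the post describes; an ordinary backup job lacks the last two.
    hot = traits["exe_in_roaming"] and traits["password_set"] and traits["wipe_after_archiving"]
    return {"traits": traits, "verdict": "roi_locker_like" if hot else "unknown"}

# MM Locker: C&C URIs in the order the post reports them.
MM_STAGES = ["/createkeys.php", "/savekeys.php", "/getamount.php", "/finished.php"]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

def mm_locker_clients(log_lines):
    """{client: [stages in log order]} for clients that hit two or more stage URIs;
    an Imgur fetch is recorded as 'imgur' but does not count on its own."""
    seen = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)  # assumed format: "<timestamp> <client> <method> <url>"
        if not m:
            continue
        url = urlsplit(m["url"])
        if url.path in MM_STAGES:
            seen[m["client"]].append(url.path)
        elif url.hostname and url.hostname.endswith("imgur.com"):
            seen[m["client"]].append("imgur")
    return {c: s for c, s in seen.items() if sum(x in MM_STAGES for x in s) >= 2}

# Constructed sample evidence (placeholder values, not real indicators).
SAMPLE_NAMES = [
    "file.txt.id_a0d01d07e030f060_email_xerx@usa.com.scl",
    "settings.xml.id_a0d01d07e030f060_email_xerx@usa.com.scl",
    "HELP_YOUR_FILES.TXT",
    "report.id_TOOSHORT_email_x@y.com.scl",
]
SAMPLE_ROI_CMD = (
    r"C:\Users\victim\AppData\Roaming\processor.exe A -r "
    r"-pda39a3ee5e6b4b0d3255bfef95601890afd80709victim -m0 -dw "
    r"C:\Users\victim\AppData\Roaming\da39a3ee5e6b4b0d3255bfef95601890afd80709.rar "
    r"C:\*.jpg C:\*.docx C:\*.pdf")
SAMPLE_BENIGN_CMD = r"C:\Tools\Rar.exe a -r D:\backup.rar D:\docs"
SAMPLE_PROXY_LOG = [
    "2016-04-20T10:01:02 10.0.0.5 POST http://203.0.113.10/createkeys.php",
    "2016-04-20T10:01:03 10.0.0.5 POST http://203.0.113.10/savekeys.php",
    "2016-04-20T10:01:04 10.0.0.5 GET http://203.0.113.10/getamount.php",
    "2016-04-20T10:01:05 10.0.0.5 GET http://i.imgur.com/wallpaper.jpg",
    "2016-04-20T10:03:00 10.0.0.5 GET http://203.0.113.10/finished.php",
    "2016-04-20T10:02:30 10.0.0.9 POST http://198.51.100.4/createkeys.php",
]

if __name__ == "__main__":
    print(cryptfile2_ids_in_listing(SAMPLE_NAMES))
    print(score_rar_cmdline(SAMPLE_ROI_CMD)["verdict"], mm_locker_clients(SAMPLE_PROXY_LOG))
```

The benign `Rar.exe` backup command is scored as `unknown` because it lacks both the password switch and `-dw`, which is the distinction a process-creation rule should key on rather than the presence of WinRAR alone.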
 

Der.Reisende

Very good share @Alkajak :)
So I guess detection by HIPS, engines or whatever part of the AV might be faster / might increase as great parts of the code are shared?
 