
Ransomware Part 2: Technical Analysis

May 12, 2016

The concept behind ransomware is simple: an attacker finds a way to run file encryption software on a machine, and then demands payment in return for a decryption key. Though the implementation of ransomware varies, it follows the same infection vectors as other types of malware: malicious email attachments, malicious links and web browser exploits. In this respect the delivery does not differ much from what we are used to seeing.

Documents with malicious Microsoft Office macros have been a common vector for ransomware infection. This tactic has been widely used for ransomware since at least 2014 and includes one of the most prevalent strains through early 2016: Locky. Locky uses a document that tricks the user into enabling macros in order to view the document properly; the macro then downloads the ransomware. In March 2016 a new strain called Maktub Locker used a different tactic. It deployed an executable script that masqueraded as a text file: it showed a readable document, but also executed ransomware.

Ransomware is also disseminated via JavaScript applications attached to emails. Ransom32 was a ransomware-as-a-service strain and was the first identified ransomware strain to use a standalone JavaScript application. Locky, though it originally emerged as a strain disseminated via document macros, quickly morphed its distribution to zip archives with malicious JavaScript inside.

Drive-by downloads also push ransomware via exploit kits to users running unpatched browsers and plugins. Last year, the Magnitude and Hanjuan kits distributed CryptoWall. The Angler exploit kit has peddled well known strains TeslaCrypt and CryptoWall 4.0. Radamant was detected in late 2015 being transmitted via the Rig exploit kit, but vulnerabilities in both version 1 and version 2 have allowed researchers to write and release decryptors. 

Some ransomware relies on malicious web download links. For example, one of the newest strains, Petya, entices users with a link claiming to be a resume hosted on Dropbox. The link instead delivers a self-extracting Petya executable.
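The three attachment vectors described above (macro-enabled Office documents, JavaScript inside zip archives, and executables masquerading as text files or resumes) share a property a mail gateway can check before the user ever sees the file: the container and the body say something different from the file name. The following script is an added example, not code from the original post or from Optiv; it triages an attachment by name and structure. The sample attachments it builds (`make_docm_with_macro`, `make_zip_with_js`) are constructed stand-ins, and the extension lists are assumptions a real deployment would tune.

```python
import io
import zipfile

# Extensions that Windows will execute directly when double-clicked (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "js", "jse", "vbs", "wsf", "hta", "bat", "cmd", "ps1"}
# Extensions commonly used as the "decoy" half of a double extension (assumed list).
DECOY_EXTS = {"txt", "pdf", "doc", "docx", "jpg", "png"}


def make_docm_with_macro() -> bytes:
    """Constructed: a minimal Office Open XML container carrying a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00constructed-macro-blob")
    return buf.getvalue()


def make_zip_with_js() -> bytes:
    """Constructed: a plain zip archive with a JavaScript file inside, like the Locky lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.js", "WScript.Echo('constructed');")
    return buf.getvalue()


def name_findings(name: str) -> list:
    """Flag executable extensions and 'resume.txt.exe'-style double extensions."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    findings = []
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        findings.append("executable-extension:" + parts[-1])
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            findings.append("double-extension-decoy:" + parts[-2] + "." + parts[-1])
    return findings


def triage_attachment(name: str, data: bytes) -> list:
    """Return a list of findings for one attachment; an empty list means nothing suspicious."""
    findings = name_findings(name)
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if data[:2] == b"PK":
        # Zip container: either an Office Open XML document or a plain archive.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                members = z.namelist()
        except zipfile.BadZipFile:
            return findings + ["malformed-zip"]
        # A VBA project part is what makes a .docm/.xlsm carry macros at all.
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            findings.append("office-macro-present")
        # Scripts hidden inside an archive get the same name checks as top-level files.
        for m in members:
            for f in name_findings(m):
                findings.append("archived-" + f)
    elif data[:2] == b"MZ":
        # PE header in the body; if the name claims to be a document, that is a mismatch.
        findings.append("pe-executable-body")
        if ext in DECOY_EXTS:
            findings.append("body-name-mismatch:" + ext)
    return findings


if __name__ == "__main__":
    samples = [
        ("invoice.docm", make_docm_with_macro()),
        ("invoice.zip", make_zip_with_js()),
        ("resume.txt.exe", b"MZ\x90\x00constructed"),
        ("readme.txt", b"MZ\x90\x00constructed"),
        ("notes.txt", b"plain text"),
    ]
    for n, d in samples:
        print(n, "->", triage_attachment(n, d) or "clean")
```

The checks are deliberately structural rather than signature-based: they do not know anything about Locky or Maktub Locker, only that a document carrying a VBA project, an archive carrying a script, or a PE body behind a document extension matches the lures the post describes, and so deserves quarantine or a second look regardless of which strain is behind it.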

Other attackers take a more direct approach. Recent Samas ransomware campaigns exploit vulnerable versions of JBoss and WildFly application servers. Attackers use a scanning and exploitation tool called JexBoss to identify targets and then install Samas.

Ransomware has also expanded to Linux and Macintosh. In November 2015, a strain called Linux.Encoder.1 was discovered. In March of 2016, KeRanger targeted Macintosh machines via a Trojanized version of Transmission BitTorrent Client. Optiv’s Global Threat Intelligence Center has seen KeRanger in the wild.

Finally, a more recent trend in ransomware involves encrypting open SMB shares, not just individual users’ files. This makes sense for an attacker because encrypting an entire share makes enterprises more motivated to pay the ransom. File share ransomware has been seen since at least March 2015, with TorrentLocker and CryptoFortress, and multiple strains now take this approach. For example, Locky has been reported to encrypt unmapped network shares. It is worth noting that the Samas strain also aggressively targets network shares.
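Share encryption has a signature that individual-workstation encryption does not: one account rewriting many files on one share in a short burst, most of them ending in an extension the share has never held before. The script below is an added example, not code from the original post or from Optiv; it is a sliding-window detector over file-server audit events. The log line format, the `.encrypted` extension, the user and share names, and the thresholds are all constructed assumptions for the example; the event counts and window size would be tuned to the share's normal write rate.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit line format: "<iso-timestamp> user=<acct> share=<share> op=<WRITE|RENAME|READ> path=<path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) share=(?P<share>\S+) op=(?P<op>\w+) path=(?P<path>.+)$")

# Extensions this share legitimately holds (assumed baseline; in practice learned from history).
KNOWN_EXTS = {"docx", "xlsx", "pdf", "txt", "pptx"}


def parse(line: str):
    """Parse one audit line into a dict, or None if it does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_mass_encryption(lines, window=timedelta(seconds=60), threshold=20, min_unknown_ratio=0.8):
    """Alert once per (user, share) when >= threshold writes/renames land within `window`
    and at least `min_unknown_ratio` of them produce files with an extension not in KNOWN_EXTS."""
    recent = defaultdict(deque)   # (user, share) -> deque of (timestamp, unknown_ext_flag)
    alerts, alerted = [], set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["op"] not in ("WRITE", "RENAME"):
            continue
        key = (ev["user"], ev["share"])
        ext = ev["path"].rsplit(".", 1)[-1].lower() if "." in ev["path"] else ""
        q = recent[key]
        q.append((ev["ts"], ext not in KNOWN_EXTS))
        # Drop events that have fallen out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            unknown = sum(flag for _, flag in q)
            if unknown / len(q) >= min_unknown_ratio:
                alerts.append({"user": key[0], "share": key[1],
                               "at": ev["ts"].isoformat(), "events": len(q)})
                alerted.add(key)  # one alert per offender is enough to trigger isolation
    return alerts


def constructed_log():
    """Constructed sample: 'bob' edits a few spreadsheets over ten minutes (normal);
    'alice' rewrites 25 files as *.encrypted within 25 seconds (the share-encryption pattern)."""
    base = datetime(2016, 5, 12, 10, 0, 0)
    lines = []
    for i in range(5):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} user=bob share=fs01/finance op=WRITE path=Q1/budget{i}.xlsx")
    for i in range(25):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} user=alice share=fs01/finance op=WRITE path=Q1/report{i:02d}.xlsx.encrypted")
    return sorted(lines)   # ISO timestamps sort lexicographically into time order


if __name__ == "__main__":
    for a in detect_mass_encryption(constructed_log()):
        print("ALERT", a)
```

Keying the window on (user, share) rather than on the share alone is what keeps a busy but healthy share from alerting: the rate is normal per user, and the extension ratio stays low. When the alert fires, the account name is exactly what a responder needs first, because disabling that account or its SMB session stops the encryption while the rest of the share is still intact.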

In our next blog post, we will look into some practical, field-tested solutions for what enterprises can do to defend against the ransomware threat.


By: Nicolle Neulist

Intelligence Analyst
