Defeating Cryptolocker with ThreatCloud and Gateway Threat Prevention


Check Point’s Malware Research Group has been investigating the ‘Cryptolocker’ malware that has recently been reported to be on the rise. As part of the analysis, the researchers created a ‘sinkhole’ – a system pretending to be a Cryptolocker command and control (C&C) server – in order to study and gauge infections in the wild. An analysis of live communication from infected clients confirms that the number of victims is rising, with the majority of victims affected being in the US and UK.

This research yielded smart Anti-Bot and Antivirus signatures that were then relayed to Check Point ThreatCloud. These signatures block the C&C communications that the malware depends on, and so prevent the malicious data encryption from ever starting. As a result, in the first days after the signatures were released, early in the outbreak, Check Point detected and stopped this malware at more than fifty organizations, saving them up to $500,000 in ransom fees.


Cryptolocker: A Ransomware Campaign on the Rise

Cryptolocker is a strain of malware known as ‘ransomware’, and was first identified at the beginning of September 2013. Like other forms of ransomware, Cryptolocker installs itself on the victim computer and runs in the background, unknown to the end user, encrypting various user data files. The known list of file types that Cryptolocker searches for and encrypts is:

3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

Having completed the encryption phase, Cryptolocker displays a prompt informing the user that their files have been ‘taken hostage’ and demanding payment of a ransom to the criminals in exchange for the key that will allow the files to be decrypted. The ransom is typically about EUR 300 or US$300, rising to 10 bitcoin (about US$3,800) if the user does not pay right away. The ransom note further states that if the user does not comply within the payment window (often less than four days), the private key needed for decryption will be deleted from the criminals’ servers, rendering the victim’s data permanently unrecoverable.

There is no currently known alternative method for restoring access to encrypted files.

ThreatCloud Blocks C&C to Defeat Cryptolocker

An important trait of Cryptolocker is that the malware agent must find and initiate communication with a command and control (C&C) server before it can begin encrypting files. Once a connection has been established, the server generates a unique key pair and sends the public key to the agent, which uses it to encrypt the victim computer’s data; the private key needed for decryption never leaves the server.

The most effective way to defeat Cryptolocker is therefore to detect and block the agent’s initial communication attempt before it reaches a C&C server and the encryption process starts. Cryptolocker uses a Domain Generation Algorithm (DGA) to find a C&C server to talk to: each day, a set of 1,000 different domains is generated and attempted by live Cryptolocker instances.

By reverse-engineering the Cryptolocker DGA and pre-computing the daily lists, the Check Point malware research team was able to predict the C&C domains that Cryptolocker agents would attempt to contact, and then create ‘smart signatures’ for the Check Point Anti-Bot and Antivirus engines. Dynamically updated for all ThreatCloud users, this protection blocks communications to Cryptolocker C&C servers and prevents the malicious encryption process from starting.
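The predict-and-block workflow described above, as an added example (Python written for this page; it is not Check Point's signature tooling and the generator is NOT the real Cryptolocker DGA): a hypothetical date-seeded generator with the shape the page describes (1,000 domains per day, 12-15 character labels, suffixes from .biz/.ru/.org/.net/.info) is run ahead of time to build a blocklist, a few of its entries are picked for a sinkhole, and constructed DNS query lines are matched against the table. The generator, the log lines and all function names are assumptions.

```python
"""DGA prediction and C&C blocklist check (added example).

Not Check Point's code and NOT the real Cryptolocker algorithm: generate_domains
is a hypothetical date-seeded DGA with the shape the page describes (1,000
domains per day, 12-15 character labels, suffixes .biz/.ru/.org/.net/.info).
The DNS log lines below are constructed, not captured traffic.
"""
import datetime
import hashlib
import string

TLDS = (".biz", ".ru", ".org", ".net", ".info")
DOMAINS_PER_DAY = 1000
ALPHABET = string.ascii_lowercase


def generate_domains(day_iso, count=DOMAINS_PER_DAY):
    """Hypothetical DGA: the i-th domain for a date is derived from
    SHA-256(date:i). Because it is deterministic, anyone holding the
    algorithm can precompute the whole daily list before the malware asks."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day_iso}:{i}".encode()).digest()
        length = 12 + digest[0] % 4                      # 12..15 characters
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        domains.append(label + TLDS[digest[31] % len(TLDS)])
    return domains


def build_blocklist(start_iso, days):
    """Precompute the tables for a window of days (today plus a few days
    ahead, so a signature push is never behind the malware's clock).
    Maps domain -> ISO date on which the malware will try it."""
    start = datetime.date.fromisoformat(start_iso)
    table = {}
    for offset in range(days):
        day = (start + datetime.timedelta(days=offset)).isoformat()
        for domain in generate_domains(day):
            table[domain] = day
    return table


def choose_sinkhole_domains(day_iso, n=3):
    """Pick a few of the day's predicted domains to register as a sinkhole;
    every infected host that resolves and contacts one reveals its IP."""
    return generate_domains(day_iso)[:n]


def classify_dns_log(lines, blocklist):
    """Match DNS query lines ('timestamp client qname') against the
    precomputed table; return (client, qname, predicted_day) for each hit.
    Case and a trailing dot are normalised so 'ABC.biz.' still matches."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue                                     # malformed line
        _ts, client, qname = parts
        qname = qname.lower().rstrip(".")
        if qname in blocklist:
            hits.append((client, qname, blocklist[qname]))
    return hits


if __name__ == "__main__":
    # Constructed demo: a table for Nov 1-3 and a log with one infected client.
    table = build_blocklist("2013-11-01", 3)
    target = generate_domains("2013-11-02")[42]
    log = [
        f"2013-11-02T09:15:01 10.0.0.5 {target}.",
        "2013-11-02T09:15:02 10.0.0.6 www.example.com.",
    ]
    print("sinkhole candidates:", choose_sinkhole_domains("2013-11-01"))
    for client, qname, day in classify_dns_log(log, table):
        print(f"BLOCK {client} -> {qname} (predicted for {day})")
```

The table returned by build_blocklist is what a gateway signature or a URL-filtering blocklist would be generated from; keeping a few days of look-ahead in it matters because an infected host whose clock is wrong, or one that wakes up just after midnight, will query tomorrow's domains rather than today's.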

Since this protection was added to ThreatCloud, statistics collected from globally deployed Check Point gateways have reported the successful blocking of hundreds of Cryptolocker incidents at more than 50 different organizations, all without requiring any additional configuration or updates by administrators.

Using Sinkholes to Track the Growth of Cryptolocker

In order to measure the scope and velocity of Cryptolocker in the wild, the Check Point malware researchers deployed a live Internet server and registered several of the pre-computed domains that the malware was expected to use. This ‘sinkhole’ server was then used to measure infections by counting the number of unique IP addresses contacting it.

3,021 unique IP addresses contacted Check Point’s sinkhole during a 2-day period beginning November 1st and ending November 3rd. In the 24 hours of November 2nd alone, 2,300 unique addresses were observed attempting to reach the sinkhole server, a significantly higher rate than the 2,700 detected over a 2-day period (October 15-17th) in an analysis by Kaspersky Lab.
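The sinkhole measurement described above, as an added example (Python written for this page, not Check Point's tooling): unique infected hosts are counted by source IP over the whole window and per day, and broken down by country. The log lines and the prefix-to-country lookup are constructed for illustration (documentation address ranges, no real GeoIP data); the function names are assumptions.

```python
"""Sinkhole log aggregation (added example, not Check Point's tooling).

Counts unique infected hosts behind a sinkhole by source IP, per day and over
the whole window, and breaks them down by country. The log lines and the
prefix-to-country lookup below are constructed for illustration; a real
deployment would read the sinkhole's web/DNS logs and use a GeoIP database.
"""
from collections import Counter, defaultdict

# Constructed sinkhole access log: "timestamp source_ip requested_host".
# A host that fails to reach a live C&C keeps retrying, so the same IP shows
# up on several lines and on several days; unique counting must absorb that.
SAMPLE_LOG = """\
2013-11-01T00:12:03 198.51.100.10 rqvkztlwbmydf.biz
2013-11-01T00:12:09 198.51.100.10 kpwqzrnmtlvbes.ru
2013-11-01T03:40:11 198.51.100.22 rqvkztlwbmydf.biz
2013-11-01T05:01:45 203.0.113.7 hxlmqvnzrtkwb.net
2013-11-02T01:15:00 198.51.100.10 zmtrkqwvnplhxd.org
2013-11-02T02:30:30 192.0.2.15 zmtrkqwvnplhxd.org
2013-11-02T02:31:00 198.51.100.31 ybqnrmtlzvkwhe.info
2013-11-02T09:09:09 203.0.113.7 zmtrkqwvnplhxd.org
"""

# Constructed GeoIP stub (documentation prefixes, not real allocations).
GEO_PREFIXES = {"198.51.100.": "US", "203.0.113.": "GB", "192.0.2.": "PH"}


def country_of(ip):
    """Toy first-match prefix lookup; '??' for anything not in the stub."""
    for prefix, country in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return country
    return "??"


def parse_log(text):
    """Yield (day, ip, host) per well-formed line; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, host = parts
        yield ts[:10], ip, host            # ISO timestamp -> YYYY-MM-DD


def unique_ips(text, day=None):
    """Unique source IPs over the whole log, or over one day if given."""
    return {ip for d, ip, _ in parse_log(text) if day is None or d == day}


def unique_ips_per_day(text):
    """Per-day unique counts. These do not sum to the window total when a
    host retries across midnight (198.51.100.10 and 203.0.113.7 here), which
    is why a 1-day figure and a 2-day figure are not directly comparable."""
    per_day = defaultdict(set)
    for d, ip, _ in parse_log(text):
        per_day[d].add(ip)
    return {d: len(ips) for d, ips in sorted(per_day.items())}


def country_distribution(ips):
    """(country, count, percent) sorted by count desc, then by country."""
    counts = Counter(country_of(ip) for ip in ips)
    total = sum(counts.values())
    if total == 0:
        return []
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(cc, n, round(100.0 * n / total, 1)) for cc, n in ordered]


if __name__ == "__main__":
    ips = unique_ips(SAMPLE_LOG)
    print("unique infected hosts:", len(ips))
    print("per day:", unique_ips_per_day(SAMPLE_LOG))
    for cc, n, pct in country_distribution(ips):
        print(f"{cc:3} {n:4} {pct:5.1f}%")
```

Unique source IPs undercount hosts behind NAT and overcount hosts whose address changes, so the figures are a lower-bound trend indicator rather than an exact infection census; that is the same caveat that applies to the 3,021 figure above.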

The chart below demonstrates the distribution of countries from which the infected IP addresses originated their connection to the sinkhole server:



The chart reveals that the malware is concentrated in the United States, which accounts for 76% of live unique infections. The United Kingdom is the second most affected country, with a far lower 5% of live infections. These results generally agree with previous reports but underscore the increasing speed with which the infection continues to spread.

Looking Ahead

Cryptolocker is an emerging threat, with a rising number of infections over the past few weeks. The threat targets individual users as well as businesses and organizations, with infections detected primarily in the US and UK. Check Point will continue to follow this threat in order to maintain protection for all customers, and will share additional research details as they become available.

Protecting your organization from this type of attack

All Organizations

  • Educate users to be alert to unusual attachments or suspicious links. Malware often propagates via phishing campaigns, in which the recipient receives an email with a malicious file or a link to a page containing browser-based exploits.
  • Ensure that all available OS and application patches are installed, as Cryptolocker and many other malware families initially install themselves on a computer by exploiting a known vulnerability in the operating system or in common applications such as Microsoft Word or Adobe Reader.
  • Perform regular backups of all critical data and store them offline, since the malware also encrypts files on mapped network drives and on external drives that are attached when it runs.

Check Point Customers

Customers who have enabled the Anti-Bot and Antivirus Blades on their Check Point gateways automatically receive updated detections for Cryptolocker through ThreatCloud. Check Point recommends that customers enable Prevent mode for Anti-Bot and Antivirus in their gateway Threat Prevention policies.

Non-Check Point Customers

Implement gateway URL filtering for the domains used by the Cryptolocker agent. Your antivirus or gateway security vendor should be able to provide a list of the currently predicted domains, as well as a way to obtain a daily updated list of addresses to block.


Below are additional details from the Check Point analysis of Cryptolocker.

  1. Domains used by Cryptolocker, as detected by the Check Point malware research team, consist of a 12-15 character string followed by one of the following suffixes: {.biz, .ru, .org, .net, .info}. Domain examples that were used by the malware on November 1st
  2. Based on the Domain Generation Algorithm analyzed by the security research team, Check Point registered a few of the domains in advance as a sinkhole in order to observe the number of infected devices and their origin. Over 1 day of activity Check Point observed C&C communication from a total of 3,021 infected devices in 43 countries, distributed as follows:

Infected devices  Country
           2,292  United States
             143  United Kingdom
              65  Philippines
              55  Peru
              47  India
              43  Thailand
              41  Canada
              38  Australia
              35  Indonesia
              33  Iran
              17  Ecuador
              16  Colombia
              15  Pakistan
              12  Kazakhstan
              11  Mexico
              11  Turkey
              11  Malaysia
              10  Mongolia
               9  Venezuela
               9  Israel
               8  Brazil
               7  Algeria
               5  Oman
               5  Vietnam
               5  France
               5  Bolivia
              73  Rest of the countries (1-4 infected devices each)
           3,021  Total