Why Ransomware Works: Arrival Tactics

By Jon Oliver and Joseph C. Chen

Apart from understanding the ransomware tactics and techniques beyond encryption, it is equally important to understand how ransomware arrives in the environment. Our recent analysis reveals that the majority of ransomware families can be stopped at the exposure layer, that is, web and email. In fact, Trend Micro blocked more than 66 million ransomware-related spam messages, malicious URLs, and threats from January to May 2016.

More and more cybercriminals are adding ransomware to their arsenal because it is lucrative; in the past six months alone, more than 50 new families have emerged, compared to a combined total of 49 in 2014-2015. One critical aspect that has contributed to ransomware’s success in recent years is its extortion technique. Playing primarily on targets’ fear of losing access to their systems, cybercriminals have continuously developed their techniques, from simply locking the user’s screen and showing fake federal law violation warnings to actually manipulating data.

Much of the discussion on ransomware focuses on its file component. The delivery mechanism is often overlooked, primarily because it is perceived as neither creative nor new: the perpetrators behind ransomware simply opted for tried-and-tested tactics using email and the web. However, although simple, these tactics are mostly hidden from users, or at least not readily visible to them on the surface, and they are able to bypass traditional security solutions.

In this blog post, we will take a closer look at the attack vectors commonly used by ransomware, and how we can mitigate their risks even before they reach endpoints.

Not-so-new methods in spammed messages

Let’s take a look at the spam tactics used by ransomware and how they are able to evade spam filters. Typically, ransomware-related spam messages contain malicious attachments, be it in the form of macros, JavaScript, etc., that serve as downloaders of the actual ransomware. One example is CryptoLocker, which has a malicious attachment (usually a UPATRE variant) that downloads ZeuS/ZBOT. This information-stealing malware then downloads and executes CryptoLocker on the system.

But the cybercriminals did not stop there. Some crypto-ransomware families added another layer: macros, an old tactic revived to circumvent sandbox technologies by requiring users to manually enable the macros embedded in the malicious attached document before the system is infected. This is where social engineering lures and a good understanding of the human psyche play a crucial role.

Locky crypto-ransomware is one notable example that leverages malicious macro attachments, even using the Form Object (also found in macros) to hide the malicious code. This particular ransomware strain hit the Hollywood Presbyterian Medical Center last February. According to reports, after disappearing from roughly the last week of May to early June of this year, Locky has re-emerged in the computing landscape.


Figure 1. Locky-related spam message

We also observed JavaScript attachments that automatically download ransomware variants like XORBAT, ZIPPY, TeslaCrypt 4.0, CryptoWall 3.0, and Locky. Another scripting language, VBScript, was also used by cyber crooks to distribute Locky as well as CERBER. Besides obfuscation, using scripts as attachments can also help evade scanners.


Figure 2. Obfuscated code of the JS file related to CryptoWall 3.0
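As an added illustration of how a mail gateway can triage the attachment types described above (script files, macro-capable documents, and archives wrapping either), here is a small attachment classifier. This is example code written for this page, not Trend Micro's product logic; the sample message, sender addresses and file names are constructed, and the extension lists are a starting point rather than an exhaustive list.

```python
"""Triage email attachments for the ransomware downloader types described above.

Added example (not Trend Micro code). Flags script attachments (JS/VBS/WSF/HTA),
macro-capable Office documents, double extensions, and ZIP archives that
contain any of those. The sample message is constructed for this example.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Extensions that run directly under Windows Script Host / mshta (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Office formats that can carry VBA macros and prompt the user to "Enable Content".
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".doc", ".xls"}
ARCHIVE_EXTENSIONS = {".zip"}


def _extension(name: str) -> str:
    """Lower-cased final extension, e.g. 'INVOICE.PDF.js' -> '.js'."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def classify_name(name: str) -> Optional[str]:
    """Return a finding label for a filename, or None if nothing is flagged."""
    ext = _extension(name)
    if ext in SCRIPT_EXTENSIONS:
        return f"script attachment ({ext})"
    if ext in MACRO_EXTENSIONS:
        return f"macro-capable document ({ext})"
    # A second dot in the stem ('resume.pdf.exe') is the classic disguise; this
    # heuristic is noisy on dotted version strings, so tune it for your mail flow.
    stem = name.lower()[: -len(ext)] if ext else name.lower()
    if "." in stem:
        return f"double extension ({name})"
    return None


def classify_attachment(name: str, payload: bytes) -> List[str]:
    """Findings for one attachment; ZIP archives are opened and members checked."""
    findings = []
    label = classify_name(name)
    if label:
        findings.append(label)
    if _extension(name) in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    inner = classify_name(member)
                    if inner:
                        findings.append(f"archive member {member}: {inner}")
        except zipfile.BadZipFile:
            findings.append("archive attachment is not a valid ZIP")
    return findings


def triage_message(raw: bytes) -> Dict[str, List[str]]:
    """Map each attachment filename to its findings (empty list = nothing flagged)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        report[name] = classify_attachment(name, part.get_payload(decode=True) or b"")
    return report


def build_sample_message() -> bytes:
    """Constructed sample: an 'invoice' lure carrying a ZIP with a .js downloader."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("invoice_2016_06.js", "// placeholder text, not a real script\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, findings in triage_message(build_sample_message()).items():
        print(filename, "->", findings or "clean")
```

In a real gateway this name-based check is only the first, cheapest layer; the macro and sandbox detection the article goes on to describe inspects the content itself, which is what catches a downloader hidden behind an innocuous extension.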

Commonly-used email subjects

The email subjects used by the cybercriminals behind ransomware are nothing out of the ordinary. The ones we spotted pertain to resumes, invoices, shipping information, and account suspension, among others. Furthermore, these messages also pretend to come from legitimate sources.


Figure 3. Typical subjects used by some ransomware families such as TorrentLocker


Figure 4. Sample spam message related to TorrentLocker

TorrentLocker, which has plagued users and businesses in Australia and Europe, stood out when it comes to spam campaigns. This regional threat veers away from typical subjects and instead tailors its spammed messages to the target country, from the language used to the companies it pretends to be from. For example, in Australia, the spammed messages pretend to come from the Australian Federal Police, AUPost, or other local companies. Interestingly, these spam emails are sent only to legitimate email accounts, for antispam evasion purposes. This means that if the spam emails use the name of an Italian company, they are sent only to Italian users.

Timing is key

Attackers also carefully time when they send out spam emails to organizations and small businesses. For instance, CryptoWall spam arrives in users’ inboxes between 5:00 AM and 9:00 AM EST, while TorrentLocker-related emails are sent out between 1:00 PM and 7:00 PM EST on weekdays, coinciding with the business hours of their target countries. Lastly, instead of flooding inboxes with spam emails in one go, cybercriminals optimize their timing by sending relatively low volumes at different times of the day. This makes it difficult for traditional spam filters to flag the run as suspicious activity.
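The low-and-slow pattern just described can still be surfaced if the gateway correlates messages over a whole day instead of per hour. The following detector is an added example written for this page (not Trend Micro code): it groups messages by sender domain and attachment hash and flags a campaign that never exceeds a small per-hour volume yet keeps recurring across many hours. The log format, sender domains and hash prefixes are constructed for the example.

```python
"""Spot low-and-slow spam runs in mail gateway logs.

Added example (not Trend Micro code). Groups messages by (sender domain,
attachment hash) and flags campaigns that stay under a per-hour volume
threshold while recurring across many hours of the day. Log lines are
constructed here; the format "<ISO time> <sender> <attachment hash>" is assumed.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple


def build_sample_log() -> str:
    """Constructed gateway log for one business day."""
    lines = []
    # Low-and-slow run: two 'invoice' mails per hour from 13:00 to 18:00,
    # always carrying the same attachment.
    for hour in range(13, 19):
        for minute in (2, 41):
            lines.append(f"2016-06-20T{hour:02d}:{minute:02d}:00 accounts@shipping.invalid 9f2a")
    # Burst: ten newsletters inside a single hour (a volume filter catches this).
    for minute in range(0, 50, 5):
        lines.append(f"2016-06-20T09:{minute:02d}:00 news@promo.invalid c0de")
    # Benign: two messages from a partner, different attachments.
    lines.append("2016-06-20T10:15:00 alice@partner.invalid 77aa")
    lines.append("2016-06-20T15:30:00 alice@partner.invalid 12ef")
    return "\n".join(lines) + "\n"


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse log lines into (timestamp, sender domain, attachment hash)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, digest = line.split()
        domain = sender.split("@", 1)[1].lower()
        events.append((datetime.fromisoformat(ts), domain, digest))
    return events


def detect_low_and_slow(text: str, max_per_hour: int = 3, min_hours: int = 4,
                        min_total: int = 8) -> List[Dict[str, object]]:
    """Return campaigns whose hourly volume stays low but which recur across hours.

    A run is flagged when its busiest hour has at most max_per_hour messages,
    it is active in at least min_hours distinct hours, and its total reaches
    min_total. The thresholds are illustrative and should be tuned per site.
    """
    per_hour: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ts, domain, digest in parse_log(text):
        per_hour[(domain, digest)][ts.strftime("%Y-%m-%dT%H")] += 1

    findings = []
    for (domain, digest), hours in per_hour.items():
        total = sum(hours.values())
        peak = max(hours.values())
        if peak <= max_per_hour and len(hours) >= min_hours and total >= min_total:
            findings.append({
                "sender_domain": domain,
                "attachment": digest,
                "total": total,
                "hours_active": len(hours),
                "peak_per_hour": peak,
            })
    findings.sort(key=lambda f: f["total"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in detect_low_and_slow(build_sample_log()):
        print(finding)
```

The burst sender is deliberately left alone by this rule; it is the kind of traffic a plain per-hour volume threshold already handles. The two rules complement each other, which is the point of correlating over a longer window.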

Other anti-antispam tactics

In the past, we noted how attackers stopped using botnets to send out their spam runs and opted for compromised mail servers instead.

Solutions with IP/web reputation as well as spear-phishing protection can secure the email gateway and address the spam tactics discussed above by blocking all known malicious senders and content. As a result, the spam does not reach users’ inboxes and cannot go on to infect systems with any ransomware variant.

Proliferation via web: use of compromised websites

Ransomware is also hosted on malicious URLs and/or compromised websites. Legitimate web servers are also compromised and used to lead user systems to malicious websites. While this is not new or surprising anymore, compromised websites are still an effective means of avoiding web blocking technologies.

In one particular incident, attackers compromised the blog page of the news site The Independent in December 2015 to distribute TeslaCrypt 2.0. Users who visited the blog page were led through a series of redirections, ending at a site hosting the Angler Exploit Kit. If their systems were vulnerable to a particular Adobe Flash Player flaw (CVE-2015-7645), they could be infected with this breed of ransomware.

Apart from hacking websites, cyber crooks also abuse legitimate services to host their malicious files. PETYA, for one, abused the cloud storage site Dropbox. Technically speaking, it still arrives via spam emails, which contain a URL supposedly pointing to a CV on Dropbox; the file is in fact the malware.

Other anti-web blocking mechanisms

TorrentLocker took advantage of CAPTCHA codes in order to avoid blocking of its landing pages, drive-by download detection, or other automated detection. Previously, cybercriminals also used short time-to-live (TTL) values for their DNS records. This means that the associated malicious domains were only up and accessible for a brief period (approximately 1 hour), which naturally makes blocking ransomware-related URLs difficult. Tor is also employed for anonymity purposes.
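Short TTLs are also normal for CDNs and load balancers, so a defender who wants to use the TTL trick described above as a signal has to combine it with how the answers behave over time. The following check is an added example written for this page (not Trend Micro code): it runs over passive-DNS style observations, which are constructed below, and only calls a domain suspicious when a short TTL coincides with answers that churn across different hosting networks. The /24-prefix grouping and the thresholds are assumptions for the example.

```python
"""Flag DNS records whose short TTL and fast-changing answers match the
evasion pattern described above.

Added example (not Trend Micro code). Input is passive-DNS style tuples
(domain, ISO time, answer IP, TTL seconds), constructed below. Short TTLs alone
are normal for CDNs, so the verdict combines TTL with answer churn and the
number of distinct hosting networks (approximated here by the /24 prefix).
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

Observation = Tuple[str, str, str, int]  # domain, ISO time, answer IP, TTL seconds

SHORT_TTL_SECONDS = 3600     # the "approximately 1 hour" window mentioned above
MIN_DISTINCT_IPS = 3         # assumed threshold for answer churn
MIN_DISTINCT_NETWORKS = 2    # assumed threshold for hosting spread

SAMPLE_OBSERVATIONS: List[Observation] = [
    # Constructed: suspicious domain, 5-minute TTL, answers hop between /24s.
    ("pay-unlock.invalid", "2016-06-20T08:00:00", "198.51.100.7", 300),
    ("pay-unlock.invalid", "2016-06-20T09:00:00", "203.0.113.42", 300),
    ("pay-unlock.invalid", "2016-06-20T10:00:00", "192.0.2.200", 300),
    ("pay-unlock.invalid", "2016-06-20T11:00:00", "198.51.100.99", 300),
    # Constructed: CDN-fronted site, short TTL but answers stay in one /24.
    ("cdn-static.invalid", "2016-06-20T08:00:00", "192.0.2.10", 60),
    ("cdn-static.invalid", "2016-06-20T09:00:00", "192.0.2.11", 60),
    ("cdn-static.invalid", "2016-06-20T10:00:00", "192.0.2.12", 60),
    ("cdn-static.invalid", "2016-06-20T11:00:00", "192.0.2.10", 60),
    # Constructed: ordinary site, day-long TTL, stable answer.
    ("corp-site.invalid", "2016-06-20T08:00:00", "203.0.113.5", 86400),
    ("corp-site.invalid", "2016-06-20T20:00:00", "203.0.113.5", 86400),
]


def network_of(ip: str) -> str:
    """Crude hosting-network key: the /24 prefix of an IPv4 address."""
    return ip.rsplit(".", 1)[0]


def assess(observations: List[Observation]) -> Dict[str, Dict[str, object]]:
    """Per-domain signals and a verdict: 'suspicious' only when all three fire."""
    by_domain: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for domain, _time, ip, ttl in observations:
        by_domain[domain].append((ip, ttl))

    results = {}
    for domain, records in by_domain.items():
        ttls = [ttl for _ip, ttl in records]
        ips = {ip for ip, _ttl in records}
        networks = {network_of(ip) for ip in ips}
        signals = []
        if median(ttls) < SHORT_TTL_SECONDS:
            signals.append("short_ttl")
        if len(ips) >= MIN_DISTINCT_IPS:
            signals.append("answer_churn")
        if len(networks) >= MIN_DISTINCT_NETWORKS:
            signals.append("multi_network")
        verdict = "suspicious" if len(signals) == 3 else "ok"
        results[domain] = {
            "median_ttl": median(ttls),
            "distinct_ips": len(ips),
            "distinct_networks": len(networks),
            "signals": signals,
            "verdict": verdict,
        }
    return results


if __name__ == "__main__":
    for domain, result in assess(SAMPLE_OBSERVATIONS).items():
        print(domain, result["verdict"], result["signals"])
```

The CDN-style domain shows why the TTL alone is a poor blocking criterion: it trips both the TTL and the churn signal, and only the hosting-network check keeps it out of the suspicious bucket. In production the /24 heuristic would be replaced with ASN lookups, and the verdict would feed a web reputation system rather than block outright.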

Distributed by exploit kits

Several ransomware families are being distributed by exploit kits via malvertisements. When users visit sites affected by malvertisements, unpatched systems are at risk of being infected with a plethora of threats, including ransomware.

In the table below, we show different ransomware families as delivered by various exploit kits:

| Exploit kit | Delivered ransomware (2015) | Delivered ransomware (2016) |
|---|---|---|
| Angler Exploit Kit | CryptoWall, TeslaCrypt, CryptoLocker | CryptoWall, TeslaCrypt, CryptoLocker, CryptXXX |
| Neutrino Exploit Kit | CryptoWall, TeslaCrypt | CryptoWall, TeslaCrypt, Cerber, CryptXXX |
| Magnitude Exploit Kit | CryptoWall | CryptoWall, Cerber |
| Rig Exploit Kit | CryptoWall, TeslaCrypt | Ransom_GOOPIC |
| Nuclear Exploit Kit | CryptoWall, TeslaCrypt, CTB-Locker, Troldesh | TeslaCrypt, Locky |
| Sundown Exploit Kit | | CryptoShocker |
| Hunter Exploit Kit | | Locky |
| Fiesta Exploit Kit | TeslaCrypt | |


This year, we spotted the Angler exploit kit pushing TeslaCrypt, but when its operators decided to shut down operations last April, Angler started distributing CryptXXX instead. Speaking of halting activities, it appears that the creators of Angler, the most active exploit kit last year, have put the final nail in the coffin of their operations. Some reports attribute this to the possible arrest of the attackers behind Angler.

As a result, some cyber crooks are employing other exploit kits such as Neutrino and Rig. CryptXXX and Locky ransomware are being pushed by the Neutrino and Nuclear exploit kits respectively.

Keeping systems up to date with patches can prevent the download of threats delivered through exploit kits and malvertisements. It is also effective to have robust web reputation as well as vulnerability shielding in security solutions, to help block malicious URLs and protect systems from the exploitation of security bugs.

How can Trend Micro solutions secure the network perimeter?

The best way to protect the network and its crown jewels against ransomware is to mitigate these threats at the entry points. Once ransomware reaches the endpoints, it is generally arduous to restore files or regain access to systems. What is more dangerous is when these threats propagate within the network, infecting other systems and even servers. Using traditional AV solutions is no longer enough given the nature of ransomware. As such, we advocate a multilayered defense for organizations and small businesses.


Figure 5. A multilayered defense against ransomware


Trend Micro offers solutions that can stop ransomware at the exposure layer or gateway level. Enterprises can rely on Trend Micro™ Deep Discovery™ Email Inspector to detect and block ransomware-related emails, including malicious attachments. Its custom sandbox technology can detect ransomware variants that also use macros. The IP and web reputation included in this solution can protect the exposure layer by blocking known malicious URLs and senders.

Our endpoint solution, Trend Micro Smart Protection Suites, can prevent the execution of malicious file routines and activities via behavior monitoring, application control, and vulnerability shielding. Its Anti-Ransomware feature can proactively detect and block ransomware execution, so that no files can be encrypted and the threat cannot spread to other systems in the network or reach servers.

For network protection, Trend Micro Deep Discovery Inspector can detect and block ransomware on networks through its malware sandbox and network scanning features. Moreover, lateral movement to other parts of the network can also be prevented by the product. Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual, or in the cloud. It secures systems and servers against the vulnerabilities used by exploit kits that push ransomware.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware.

Users can also use our free tools, such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware, and the Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying for the decryption key.

With additional analysis by Maydalene Salvador, Lala Manly, Michael Casayuran, Paul Pajares, and Rhena Inocencio.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 27. June 2016, content source with full text you can find at link above.