Businesses Held for Ransom: TorrentLocker and CryptoWall Change Tactics

Perpetrators behind ransomware have moved away from targeting consumers and tailored their attacks to extort small and medium-sized businesses (SMBs).This business segment make potentially good targets for ransomware since small businesses are less likely to have the sophisticated solutions that enterprises have. And at the same time, the owners often have the capacity to pay.

Moreover, these SMBs are less likely to use comprehensive backup solutions unlike in enterprises, increasing the probability of paying the ransom. Imagine a small company with less than 50 employees. Now imagine one of its higher-ups receiving an odd billing statement via email with an innocent-looking URL. They click it and end up with ransomware. Unfortunately, their company doesn’t backup data. As such, the tendency would be to pay the ransom, so the business’s files can be saved. Paying to get the files back is likely to encourage cybercriminals to launch more attacks in the future.

We saw this trend most evident in attacks that used TorrentLocker and CryptoWall— two of the more persistent and high-volume ransomware variants today.

From June-July 2015, we observed that majority of the users who clicked on malicious links in CryotoWall-related emails are in the SMB segment.

Figures 1 CryptoWall-related URL distribution by segment June-July 2015-01

Figure 1.  CryptoWall-related URL distribution by segment (June-July 2015) (click to enlarge)

While majority of the TorrentLocker-related URLs are clicked by consumers with 46.36%, SMBs followed closely with 42.15%.

 Figure 2 TorrentLocker targets both consumers and SMBs as seen in the URL distribution by segment-01

Figure 2. TorrentLocker targets both consumers and SMBs as seen in the URL distribution by segment (June-August 2015) (click to enlarge)

Attacks launched during business hours

CryptoWall and TorrentLocker send out their spam runs in the early hours of the morning in the time zone of its intended victims, suggesting they are targeting business users. We have plotted the number of clicks occurred on confirmed CryptoWall URLs for 8 outbreaks in early July 2015 in Figure 3 below. We see that the intended victims are clicking on these links in the period between 9 AM to 1 PM, with the outbreaks starting at 9 AM to coincide with the typical times that people arrive at work.

Figure 6 Cryptowall Number of clicks on malicious URLs-01

 

Figure 3. Number of clicks on malicious URLs per hour on day of outbreak – July 2015 (click to enlarge)

Social engineering lures to infiltrate business users

Much of the social engineering lures used by ransomware this year are more compatible with the business segment.  For instance, CryptoWall made use of subjects such as resumes, orders, and passports for their spam runs as shown below.



spamsample_crypto1a

spamsample_crypto2a

spamsample_crypto3a

Figures 4-6. Sample screenshots of spam runs by CryptoWall

While the baits used by CryptoWall are not tied up to any region, TorrentLocker became known for its regional specificity, as their social engineering lures are based on their victim countries. This threat often leverages notifications from post services, telecommunication, utilities, and government bodies.

Based on feedback from our Smart Protection Network™, Australia (31.54%), Italy (26.60%), and Turkey (20.40%) are the top three countries targeted by email messages pointing to TorrentLocker.  We examined the baits typically employed in these countries. For instance, the courier service in Turkey, Turkish Cargo is being used to trick users into executing the malicious file.  Meanwhile, TorrentLocker’s bait in Italy varies from the courier service, SDA to ENEL, a utilities company.  In addition, the perpetrators added the telecommunications company, Italia Mobile (TIM) to its bag of lures last August.  Fake messages from the Australia Post and the AFP are still the same baits being used to trick users in Australia.

Some of TorrentLocker’s social engineering tactics are consumer-focused, as exemplified by bogus speeding fines sent by the Australian Federal Police (AFP) in Australia. However, most of the lures are compatible with business targets, such as parcel notifications, which are an important part of a small business’s day-to-day activity.  In short, TorrentLocker targets both consumers and SMBs.

Notable tactics to bypass security

Further evidence of ransomware’s change of focus to business targets can be seen in the evasion techniques used. Some variants of TorrentLocker have self-destruct capabilities to prevent IT personnel from collecting samples and eventually setting up security measures to protect the network. Captcha codes are employed on the landing pages so that automated crawlers and sandboxes have more difficultly identifying the malware samples. They also optimize the timing as shown in Figure 3 to maximize the number of business victims while at the same time minimizing the time that security vendors have to respond. They use techniques to bypass antispam filters and web filters such as using a layer of compromised websites to redirect web traffic.

Another common tactic used by both TorrentLocker and CryptoWall is compromised websites to hide redirections, thus avoiding detection on the infected system. Most of these compromised websites related to TorrentLocker are hosted in the US (28%). On the other hand, most of the landing pages imitate Australian postal service, Australia Post, and the AFP. For the intended victims in Italy, cybercriminals spoofed the ENEL website, while for users in Turkey, there were bogus sites made to look like TurkCell.

Below are some samples of landing pages:

enel

tim

turkish-cargo

Figures 7-9. Screenshots of the bogus ENEL (1st), TIM  (2nd), and Turkish Cargo (3rd) websites to trick users into thinking that nothing malicious is happening in the background (click to enlarge)

It’s interesting to note that Torrentlocker files are commonly downloaded in file storage sites like Yandex Disk and Cubby.com to hide malicious files and consequently, avoid detection. We also monitored the C&C servers where we identified are mostly hosted in Russia and some in Germany and Czech Republic. CryptoWall also employed compromised websites.

Protecting your business environment

Ransomware has evolved from being a simple scareware like FAKEAV to enhancing its routines to locking up files and systems while capitalizing on fear to get its victims to pay the ransom. We believe that ransomware will continue to improve its tactics and target more business environments.  The findings we presented in this blog entry all supports this shift in the targets.

Cryptoransomware variants-01

Figure 12. From scareware to crypto-ransomware (click to enlarge)

TorrentLocker and CryptoWall pose serious risks to a company’s confidential data. However, SMBs can protect their network via vigilance and awareness of such security risks. As simple as verifying emails first and checking the reputation of websites before visiting can go a long way.  It’s also recommended that employees do not enable macros by default to avoid the execution of CryptoWall. We cannot stress enough the importance of backing up files, following the 3-2-1 rule as best practice. Empowering employees with awareness and knowledge on security threats and their social engineering lures is one step in defending your network. SMBs should have a security solution that protects their system and network from all layers against threats like ransomware via detecting malicious file and spam, and blocking related URLs.

With additional inputs from Christopher Talampas, Yi Lee, Maydelene Salvador, Adremel Redondo, Lala Manly, Jessa Golez, and Maela Angeles

Read more: Businesses Held for Ransom: TorrentLocker and CryptoWall Change Tactics

Story added 23. September 2015, content source with full text you can find at link above.