APRICOT 2015, Fukuoka APCERT Security Track

Tracking cyber data kidnappers

Dr Andrew Clark, Senior Technical Advisor, CERT Australia

Presentation overview
• About CERT Australia
• Campaign targeting Australia
  – Characteristics
  – Response
  – Analysis
• Related campaigns
• Conclusion


About CERT Australia
• Provides major Australian businesses with information about cyber threats and support in responding to cyber security incidents
• Focus on systems of national interest, including critical infrastructure


About CERT Australia
• Trusted source of information for partners (over 500 Australian businesses)
• Participant in a global network of national CERTs, including APCERT


CERT Australia services

Proactive

Publications
  • Advisories
  • Good practice guides
  • Protect products
  • CND advice

Activities
  • Information exchanges
    – Regional (e.g. major ISPs, technology companies)
    – National

Training and Exercises
  • ICS / domestic training
  • Eg. Cyber Storm
  • Regional exercises
  • Custom exercises

Reactive

Assistance / support to ACSC agency partners
  • Hotline
  • Onsite assistance
  • Offsite, log and other analysis


Background
• In late 2013, CERT Australia began tracking an international ransomware campaign targeting Australia
• The attack was prolonged
  – persisting throughout 2014 (and into 2015)
  – affected a large range of partners, across all sectors
• The email lures used localised themes
• The infrastructure shifted rapidly to confound detection


Background – targeting*

* Source: “TorrentLocker: Ransomware in a country near you”, M-E.M. Léveillé, December 2014.

The ‘business’ model (a.k.a. TorrentLocker)
1. Send themed spam containing website link to victim (official-looking domain names, e.g. aus-post.info)
2. Victim visits website and downloads ‘bill’ or ‘viewer’ (malware) and runs it
3. Malware encrypts files (including those on network shares) and asks for ransom to decrypt them
4. Victim pays ransom via TOR-protected site
5. Victim downloads decryption program to decrypt files


Campaign characteristics
• Keep ‘consumers’ (victims) confident
  – Re-used previous campaign branding (CryptoLocker)
  – Won’t pay if they’re not going to get their files back
• Constantly evolving
  – New domains registered almost daily, to keep ahead of takedowns
  – Malware binary changed almost daily, to keep ahead of anti-virus updates

(chart) AV resistant for 24-48 hrs


Campaign characteristics
• Constantly evolving (cont.)
  – New infrastructure (IP addresses)
  – Regular theme updates
    • Australia Post (parcel to collect)
    • Energy Australia (electricity bill)
    • Telstra (telephone bill)
    • NSW Government (traffic speeding fine)
    • Various other international flavours

Example lure site (screenshot): postaut.com/

Example lure site (screenshot): energy-objective.com/
  Examples: energy-australia.org, energyaaa.com, energyai.net, energymar.com

Example lure site (screenshot): telstraa.biz/
  Examples: telstra-info.com, teltsra.net, tesltra.org, tesltraa.org

Example lure site (screenshot): details-nsw1-gov.net/
  Examples: nsw-gov.net, osr-nsw-gov.net, state-nsw-gov.com, penalty-nsw-gov.org

Example lure site (screenshot): csposta24.org/ (Czech Post)
  Examples: cs-post24.org, cz-posta.net, cz-post.net

Example lure site (screenshot): mysda24.org/ (Italian Post)
  Examples: sda-expresso24.com, sda-express24.org, mysda24.com

Example lure site (screenshot): auspost-home.com ??
  Examples: royalmail-service.co.uk, royalmail-groupltd.net, royalmail-service.org, royalmail-tracking24.net


Campaign characteristics
• Constantly evolving (cont.)
  – Infection vector
    a. victim downloads exe/rar/zip
    b. attachment (Word) with malicious macro – macro downloads encryption malware

MACROS

Examples: royalmail-service.co.uk, royalmail-groupltd.net, royalmail-service.org, royalmail-tracking24.net

Now with social engineering


The CERT’s incident response role

(diagram) Parties: Victims, Partners, Law Enforcement, CERT. Labelled flows: Samples, Advice, Advisories and indicators, Analysis, Theme, Victims.


Defending against ransomware
• Staff education and awareness training
• Application whitelisting
  – Not just EXEs – DLLs, SCRIPTS and MACROS!
• Restrict admin privileges (to reduce impact)
• Regular back-ups or snapshots (and store offline)
• Block indicators of compromise (IOCs)


Analysis – indicators
• Pre-infection
  – Email messages: sender, subject, links (URLs)
  – ‘Fake’ domains (mimicking valid sites)
• Post-infection
  – C2 domains & IP addresses
  – File names and hashes
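One way to turn the ‘fake domain’ indicator into a detection: score each observed domain against the brands the campaign imitated, using an edit distance that treats the letter swaps seen above (teltsra, tesltra) as a single change. This is an added example, not CERT Australia's tooling; the brand keywords, the allowlist of legitimate domains and the distance threshold are assumptions, and the public-suffix handling is deliberately crude.

```python
import re

# Brands impersonated by the campaign's lure domains (themes on the slides); the keyword
# list, allowlist and two-part suffix set are this example's assumptions, not the CERT's.
BRAND_KEYWORDS = {
    "Australia Post": ["auspost", "australiapost"],
    "Telstra": ["telstra"],
    "Energy Australia": ["energyaustralia"],
    "NSW Government": ["nswgov"],
    "Royal Mail": ["royalmail"],
}
LEGITIMATE = {"auspost.com.au", "telstra.com", "energyaustralia.com.au", "nsw.gov.au", "royalmail.com"}
TWO_PART_SUFFIX = {"co", "com", "gov", "net", "org", "edu"}  # crude 'co.uk' / 'com.au' handling

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions ('teltsra' vs 'telstra' = 1)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]

def registrable_label(domain: str) -> str:
    """Leftmost label of the registrable domain, letters only: 'details-nsw1-gov.net' -> 'detailsnswgov'."""
    labels = domain.split(".")
    labels = labels[:-2] if len(labels) >= 3 and labels[-2] in TWO_PART_SUFFIX else labels[:-1]
    return re.sub(r"[^a-z]", "", labels[-1] if labels else domain)

def fuzzy_contains(label: str, keyword: str, max_dist: int = 1) -> bool:
    """True if some window of the label is within max_dist edits of the keyword."""
    k = len(keyword)
    for width in (k - 1, k, k + 1):
        for start in range(max(1, len(label) - width + 1)):
            if osa_distance(label[start:start + width], keyword) <= max_dist:
                return True
    return False

def lookalike_brand(domain: str):
    """Return the brand a domain impersonates, or None for allow-listed or unrelated domains."""
    clean = domain.lower().strip().rstrip("/").replace("[.]", ".")  # accept defanged input
    if clean in LEGITIMATE:
        return None
    label = registrable_label(clean)
    for brand, keywords in BRAND_KEYWORDS.items():
        if any(fuzzy_contains(label, kw) for kw in keywords):
            return brand
    return None
```

Run it over newly registered domains or proxy logs; hits such as tesltraa.org or details-nsw1-gov.net come back with the impersonated brand, while telstra.com and unrelated domains return None.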


Analysis – indicator sharing
• Express indicators in STIX format
• STIX: Structured Threat Information eXpression
  – highly descriptive: indicators, observables, TTPs, CoA, Kill Chain
  – machine readable: supported by a growing number of tools
  – automated sharing via TAXII service
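The indicator categories from the previous slide expressed as STIX Indicator objects, each tagged with the kill-chain phase it belongs to. This is an added example, not the CERT's own feed; it uses STIX 2.1 JSON (the deck predates it and would have used STIX 1.x XML), the sample values are the ones printed on the slides, the phase assignments are assumptions, and the push to a TAXII collection is left out.

```python
import json
import uuid
from datetime import datetime, timezone

def _now() -> str:
    """STIX 2.1 timestamp: UTC, RFC 3339, millisecond precision, trailing 'Z'."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def stix_pattern(kind: str, value: str) -> str:
    """Translate one indicator value into a STIX Patterning expression; accepts defanged input."""
    value = value.replace("[.]", ".")
    if kind == "domain":
        return f"[domain-name:value = '{value}']"
    if kind == "ipv4":
        return f"[ipv4-addr:value = '{value}']"
    if kind == "md5":
        return f"[file:hashes.MD5 = '{value.lower()}']"
    raise ValueError(f"unsupported indicator kind: {kind}")

def make_indicator(kind: str, value: str, name: str, phase: str) -> dict:
    """One STIX 2.1 Indicator SDO, tagged with the Lockheed Martin kill-chain phase it is seen in."""
    ts = _now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": stix_pattern(kind, value),
        "pattern_type": "stix",
        "valid_from": ts,
        "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": phase}],
    }

# Sample indicators taken from the slides: a lure domain (pre-infection), a C2 domain and a
# dropper hash (post-infection). The kill-chain phase assignments are this example's assumption.
CAMPAIGN_INDICATORS = [
    ("domain", "aus-post.info", "TorrentLocker lure domain (Australia Post theme)", "delivery"),
    ("domain", "casinoroyal7[.]ru", "TorrentLocker C2 domain", "command-and-control"),
    ("md5", "381e3c5e57431ecbeb072463cacd2056", "track_309280983902001.EXE dropper", "installation"),
]

def build_bundle(indicators=CAMPAIGN_INDICATORS) -> dict:
    """Wrap the indicators in a STIX Bundle, the unit a TAXII collection accepts."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_indicator(*row) for row in indicators]}

if __name__ == "__main__":
    print(json.dumps(build_bundle(), indent=2))
```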


Analysis – links to other campaigns
• Links between this ransomware campaign and banking trojans have been identified
  – Hesperbot
  – Dridex

(diagram) Campaign links

Metadata linked: Info.doc “Invoice Theme” Macro and Order.doc “Invoice Theme” Macro
  – MACRO > h[]p://officeimage[.]ru/au.png, C2 = casinoroyal7[.]ru (TorrentLocker)
  – MACRO > h[]p://109.105.193[.]99/a.png, C2 = allwayshappy[.]ru (Dridex)
  – Same IP

C2 linked:
  – Australia Post phishing: aupostalservice24[.]org, track_309280983902001.EXE (MD5: 381e3c5e57431ecbeb072463cacd2056), C2 = casinoroyal7[.]ru (TorrentLocker)
  – Nsw-gov Speeding Fine: penalty_id_879847922.exe (MD5: D0533A17312C65B5C5560696E4CA994C), C2 = allwayshappy[.]ru (TorrentLocker)


Analysis – Word Macro observations
• As before, actors are continually tweaking techniques, and also modernising old techniques
  – Early Word macro code: URLs were in clear text
  – Newer variants are increasingly obfuscated
  – Password-protected macros appearing
  – Sandboxes having some trouble scanning these files
  – Advanced variants utilising PowerShell
  – Latest variant using embedded EXEs, smaller footprint


(timeline figure) Lure themes: Australia Post, Energy Australia, NSW-Gov “RTA Speeding Fine”, Telstra, “Invoice” .DOC Macros. Dates: Oct 2013, Nov 2013, May 2014, Sep 2014, Oct 2014. Malware families: CryptoLocker, Hesperbot / CryptoWall, TorrentLocker, Dridex / CryptoLocker.


Conclusion

• Organised, well funded and VERY persistent
• Prolific – affecting government, individuals, small and large businesses
• Multiple countries targeted, with localised themes
• Actors are nimble and continually tweaking techniques
  – TorrentLocker updated within a week to patch an “XOR” bug that allowed decryption (September 2014)
  – Phishing websites filtering source IP address by country
  – Freshly compromised WordPress websites used in phishing emails as redirector links, complicating detection and filtering
  – Continual wave of new IP addresses used to host phishing sites: clean reputation, IP addresses mostly not seen before
