I am not sure if this is a local thing (Ohio), but one of my least favorite things about fall is the gradual invasion of insects fleeing the cooling Ohio outdoor temperatures in favor of the warmth of a heated home. Over the last few years, we’ve dealt with a little brown bug about a half inch long and spade-like in shape. Any guesses? The bug in question is Halyomorpha halys, more commonly known as the brown stink bug. The Asian transplant brown stink bug earns its name and reputation from the stinky odor it produces when it gets smashed or squeezed. My family likens this awful stench to smelly feet. Gross! However, a positive spin on the brown stink bug is that they don’t bite or sting, they’re certainly not poisonous or deadly, and unlike other invading insects they aren’t going to do structural damage to your house. No Biblical-sized insect plague here! In other words, they’re more annoying than anything else.
While I’m sure my friends the stink bugs will certainly frustrate and annoy me again this Fall through Spring, I fully understand that their mere existence in my living area can also be traced back to my homeowner shortcomings (and possible laziness!). I’m smart enough to know that stink bugs don’t just magically appear by a wave of the wand or out of thin air: stink bugs enter your living space by making their way through small cracks and openings (i.e., poorly sealed windows, roof vents, holes in screening, doors left open, etc.). Proper maintenance and inspection of my house would probably alleviate most of my stink bug (and likely other) problems. And so is the case with protecting your data/files from these latest variations of ransomware.
This past summer, the Thirtyseven4 Behavior Detection System, integrated within the Thirtyseven4 Endpoint Security product line, began proactively blocking thousands of files as Suspicious and automatically relaying these suspicious files to our Virus Research Team for further analysis. Upon detailed analysis by my Virus Team and me, we quickly discovered a new variation of the CrypMic ransomware.
The interesting (and for the most part unusual) thing about this variation of CrypMic is that, unlike past infamous ransomware like CryptoLocker and CryptoWall, and even newer ransomware like Locky and Zepto, this latest CrypMIC ransomware doesn’t spread through the traditional email attachment methods using large-scale malware spam campaigns. Instead, this variant uses the Neutrino Exploit Kit (What!?), infecting users simply by visiting a compromised site. By definition, an exploit kit is a software kit designed to introduce malicious code onto a web server, with the purpose of identifying software vulnerabilities in client machines communicating with it, and using these vulnerabilities and the compromised web server as a mechanism to deliver malware. This technique does not require any user interaction and happens silently in the background at the user’s expense.
Like most observed ransomware, after the encryption is completed on the user’s system, this variation of the CrypMic ransomware deletes itself to avoid leaving any traces behind; only the dropped ReadMe files remain on the system. (The ReadMe files contain the payment information.) However, unlike most ransomware, CrypMic does not append any file extension to the encrypted files (i.e., .crypto, .locky, .zepto, etc.), so encrypted files keep their original names.
Is anyone else confused? This is brand-new ransomware—and it’s unlike any that we have seen previously!
How does this new variation of CrypMic operate?
As noted, CrypMic removes itself from a victim’s system, so replicating exact scenarios can be challenging; however, the collected/blocked samples contain very similar functionality, so I will do my best to explain.
1. An unknowing user visits a compromised website while browsing. In many cases, the website visited is a legitimate website; however, the site itself was exploited.
2. Once the user loads the compromised website, the user is automatically redirected to the landing page of the Neutrino Exploit Kit (e.g. 'bidiagoXXXXzation.manwXXXXers.com'). This landing page delivers a small HTML page with an object tag defined in its body. The object tag directs the browser to load an instance of Adobe Flash Player and then uses the player to execute a malicious SWF file specified in the URL. The delivered Flash file contains exploits for:
CVE-2013-2551, CVE-2014-6332, CVE-2015-2419 affecting Internet Explorer and CVE-2014-0569, CVE-2015-7645 affecting Adobe Flash Player.
In many analyzed cases, the location (URL) from which the exploit (SWF) file was believed to have been downloaded had already been de-activated (these are “hit & run” websites); however, in all cases Thirtyseven4 takes the necessary precautions and adds the website to its Thirtyseven4 Browsing Protection listing. It is also important to note that new domain names and URLs for the CrypMic ransomware are generated dynamically, making proactive site blocking difficult. It has been reported that the cybercriminals behind the Neutrino Exploit Kit are abusing the registration of free domains registered inside country code top level domains (ccTLD) such as .top, .pw, .xyz, .ml.
3. Next, within seconds of the above file being downloaded, we have observed a series of activities related to the download of the ransomware payload (%temp%\rad43d29.tmp.dll).
- To perform the data encryption, the file ‘%temp%\rad43d29.tmp.dll’ is loaded and run by the Windows system binary regsvr32.exe. Note: the filename of the malicious DLL is not constant and will vary from case to case.
- Prior to encryption, the ransomware also deletes volume shadow copies, removing the local restore points a victim might otherwise use to recover files.
- Once the encryption completes, the ransomware proceeds to delete itself.
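The regsvr32/shadow-copy chain in steps 2 and 3 leaves a trail in process-creation telemetry. The following Python is an added example, not Thirtyseven4's code: it runs two detection patterns over constructed sample process events, keying on the DLL's location rather than its (variable) name; the `vssadmin` command line is an assumption, since the article does not say how the shadow copies are deleted.

```python
import re
from typing import Dict, List

# Constructed sample process-creation records (not taken from the article), in the
# shape a Sysmon/EDR process-start feed provides: parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\bob\AppData\Local\Temp\rad43d29.tmp.dll"},
    {"parent": r"C:\Windows\System32\regsvr32.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},   # benign
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},                             # benign
]

# regsvr32 loading a DLL out of a Temp directory. The article notes the DLL name
# (rad43d29.tmp.dll) is not constant, so the pattern keys on the location only.
TEMP_DLL = re.compile(r"regsvr32(?:\.exe)?\b.*\\Temp\\[^\s\\]+\.dll", re.IGNORECASE)
# Shadow copy deletion. The article says copies are deleted before encryption but
# not how; vssadmin is the assumed mechanism here.
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)

def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the indicators from the CrypMIC chain matched by one process event."""
    hits = []
    parent = ev["parent"].lower()
    if TEMP_DLL.search(ev["cmdline"]):
        hits.append("regsvr32_temp_dll")
        if parent.endswith("iexplore.exe"):
            hits.append("browser_parent")      # drive-by: the browser spawned it
    if SHADOW_DELETE.search(ev["cmdline"]):
        hits.append("shadow_copy_delete")
        if parent.endswith("regsvr32.exe"):
            hits.append("regsvr32_parent")     # issued by the loaded payload
    return hits

def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious command line to the indicators it triggered."""
    return {ev["cmdline"]: hits for ev in events if (hits := classify_event(ev))}

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(hits):40s} {cmd}")
```

Only the two malicious events are reported; the vendor DLL registration and the read-only `vssadmin list shadows` pass through.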
Given the severity of the CrypMic threat, here are some recommendations moving forward:
- It is important to download and install all the latest third-party software updates. For example, updating your browser plugins like Adobe Flash Player, Java and Silverlight to the latest version helps reduce the chances of such attacks. In the case noted above, it was observed that the affected system had an old Adobe Flash Player version installed [Adobe Flash Player 13 ActiveX].
- Install strong security (antivirus/antimalware) software. Thirtyseven4 not only offers superior signature-based detection, but our behavior-based detections are industry leading. This threat was stopped in its tracks proactively as ‘Ransom.CrypMIC.PB5’ by means of path-based detection within our Virus Protection/Scanner modules.
- With Thirtyseven4 installed, we highly recommend that you enable the Thirtyseven4 Secure Browse module (Open Thirtyseven4 > Internet & Network > Browser Sandbox). Browser Sandboxing restricts any possible encryption activity to limited user locations (the UserProfile folder and its subfolders, where the browser sandbox has write access), so a drive-by payload cannot reach files outside that area.
It is important to note that, due to the high profitability of ransomware, cybercriminals are continually altering their strategies and techniques to evade security detections and extort your hard-earned money by holding your files hostage. Even during the writing of this column, our Thirtyseven4 Labs are coming across new variations of the Troldesh ransomware (also known as XTBL) that are spreading by gaining direct access to a victim’s computer through Remote Desktop. This is a type of brute-force attack that capitalizes on lazy security practices by guessing generic usernames (i.e., admin, administrator) and weak passwords to directly gain access to a system over the Remote Desktop Protocol (RDP). But I guess more on this will have to come in a future article. The threats are real, and all security practices must be constantly followed.
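A brute-force attempt of the kind described above shows up as a burst of failed remote logons from one source trying a handful of generic account names. The following Python is an added example, not Thirtyseven4's code: it applies a sliding-window threshold to constructed failed-logon records modelled on Windows Security event 4625 (logon type 10 is the RDP RemoteInteractive type) and reports whether a burst used only generic names.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed failed-logon records (not from the article), modelled on the fields
# of Windows Security event 4625: (seconds, source IP, account name, logon type).
# Logon type 10 (RemoteInteractive) is the value an RDP session produces.
SAMPLE_FAILURES = [
    (0,  "203.0.113.7",  "admin",         10),
    (2,  "203.0.113.7",  "administrator", 10),
    (4,  "203.0.113.7",  "admin",         10),
    (6,  "203.0.113.7",  "Administrator", 10),
    (9,  "203.0.113.7",  "guest",         10),
    (11, "203.0.113.7",  "admin",         10),
    (30, "198.51.100.4", "jsmith",        10),   # one mistyped password
    (31, "198.51.100.4", "jsmith",        2),    # local interactive logon, not RDP
]

# The generic account names the article says are guessed first
GENERIC_ACCOUNTS = {"admin", "administrator", "guest"}

def detect_rdp_bruteforce(events, window: int = 60, threshold: int = 5) -> Dict[str, dict]:
    """Flag source IPs with at least `threshold` RDP logon failures within `window` seconds."""
    per_ip: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ts, ip, account, logon_type in events:
        if logon_type == 10:                      # only RDP failures count
            per_ip[ip].append((ts, account.lower()))
    alerts = {}
    for ip, attempts in per_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):          # sliding window over timestamps
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            burst = attempts[start:end + 1]
            if len(burst) >= threshold:
                names = {name for _, name in burst}
                alerts[ip] = {"attempts": len(burst),
                              "accounts": sorted(names),
                              "generic_only": names <= GENERIC_ACCOUNTS}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_FAILURES).items():
        print(ip, info)
```

The single real user's typo never reaches the threshold, while the guessing source is reported with the full set of account names it cycled through.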
Like the pesky brown stink bugs, cyber-threats creep and sneak in, doing their absolute best to be undetected. But the worst part about a stink bug is only their stale odor. In contrast, Ransomware bites us, and leaves a mark. Sometimes the cut is deep, when data is encrypted and is unrecoverable. I strongly encourage you to take the time and effort to “seal your cyber windows and lock your computer doors”, if you will. Use caution when visiting websites and be diligent with passwords and protection measures. Stay current with program updates and install Thirtyseven4 Antivirus (or another strong AV program)! Okay, that was blatant, but Thirtyseven4 does provide cutting edge protection against the latest threats and proactively protects against myriads of unknown vulnerabilities. Strong security software is no longer a recommendation, but a requirement because of the aggressive nature of cybercriminals. Unless your files and data don’t matter much to you. Then open the windows and throw up the screens. A few bugs won’t bother you and the smell goes away after a while. But as for me and my house, we will serve the Lord (Joshua 24:15), and I will do my best to keep our files protected from ANY sort of bugs!