Pierluigi Paganini
August 04, 2015
A false sense of hope that the presence, or rather the active spread, of crypto-ransomware in-the-wild has begun to slowly die out has been quickly diminished thanks to the group behind the CTB-Locker ransomware. While ransomware is of course still a huge issue today, the lack of new variants that have been discovered within the past few months may have given analysts and management alike a glimmer of hope.
Unfortunately, cybercrime is growing at an exponential rate; as security professionals, we are constantly playing a game of catch-up with the bad guys.
Let’s face it: wearing a black hat comes with huge risks, but it also is quite profitable. Well-organized cybercrime groups often do very well. This causes a huge headache for security professionals; the malware tied to these more persistent groups is being spread in what seems like a countless number of never-ending campaigns! The CryptoWall ransomware still has the throne; regarding crypto-ransomware, CryptoWall 3.0 has been public enemy number one, with the rapid launching of new campaigns dedicated to spreading this ransomware skyrocketing in number on a daily basis. Recent estimates state that as a collaborative whole, the CryptoWall group has raked in upward of 18 million US dollars.
So with regard to the profitability facet, the distribution of ransomware appears to be quite an attractive field for cyber criminals to get involved in. While CryptoWall certainly remains “the king” right now, another slightly older ransomware variant that wreaked havoc appears to be back, in a big way; yes, CTB-Locker has returned.
Leveraging the Release of Windows 10 as an Attack Vector
The group behind the CTB-Locker ransomware, or at least this particular phishing campaign, leveraged a new tactic that has proven to be extremely effective. Exploiting the human mind by manipulating them to believe that their free “Windows 10 upgrade” that they’ve been waiting so long for has finally arrived. As you may or may not know, Microsoft has released Windows 10 on July 29th, 2015; additionally, they promised a free upgrade to currentWindows 7 and Windows 8 users. The criminals behind this chapter in the ongoing CTB-Locker saga decided to impersonate Microsoft via phishing e-mail, and apparently, their tactics have been quite effective.
As reported by the Cisco Talos Group, the following characteristics describe the phishing e-mails being distributed during this new phishing campaign:
The malware file itself is delivered via e-mail attachment, compressed within a ZIP archive; the naming convention observed by Cisco, for example, is as follows:
Attachment: Win10Installer.zip
Files within Compressed ZIP Archive: Win10Installer.exe
Additional CTB-Locker Characteristics / Observed Behavior
This should serve as a refresher for the most part, but to recap, here are some of the CTB-Locker characteristics observed and reported by the Cisco Talos Group as a result of their analysis on a sample e-mail / attachment(s) in question (NOTE: Listed below are some of the more “dynamic” or perhaps new(er) components):
Note: The Talos Group also uncovered several pseudo-random domain names when analyzing the binary and its network traffic; however, many if not all of the domains observed were not yet registered, and no DNS queries involving said domains were observed.
Sources
The wealth of information and awesome analysis performed by Cisco’s Talos Group provided the fuel and information required to put this article together.
About the Author Michael Fratello
Edited by Pierluigi Paganini
(Security Affairs – CTB-Locker, ransomware)
