Ransomware is currently a popular vector being used by hackers. Alberto Ortega, Research Team Engineer at AlienVault, has taken a deep dive into the most popular ransomware family at the moment, Urausy, to explain what this malware does and how to combat it.
The full analysis is below or here: http://labs.alienvault.com/labs/index.php/2013/urausy-ransomware-family-a-quick-internals-overview/
Ransomware is popular among bad actors. The Reveton malware family (based on Citadel) made a difference last year; now it is losing popularity in favour of Urausy, just another lock-screen ransomware. There are plenty of them living in the wild, but in this post we are going to focus on Urausy.
These malware families are spread using exploit kits like Blackhole or Cool EK, which exploit vulnerabilities in web browsers, Flash or Java to install malicious software on victims' computers.
When a vulnerable victim's computer gets infected with this kind of ransomware, the screen is locked with a message that purports to come from a legitimate law enforcement authority, asking for a "fine" that must be paid to restore normal access to the system and files. The malware accepts Paysafe and Ukash payments.
Screenshot: http://labs.alienvault.com/labs/wp-content/uploads/2013/06/urausy_spa.png
Needless to say, this is a scam. Law enforcement authorities will never block your computer in this way, and they will certainly never ask you for money through your computer.
People from botnets.fr have done great work collecting a lot of screens locked by Urausy (https://www.botnets.fr/index.php/Urausy) and by other ransomware lockers.
As we said, the infection vector is: a vulnerable victim lands on an exploit kit infection page, which exploits a web browser vulnerability and executes malware (ransomware in this case).
The malware sample is packed to avoid AV detection, but it is still detected by most AV companies, 37 / 47.
However, once unpacked, it is detected by fewer AV companies, 30 / 47 (weird, some of them were matching just the packer?).
The sample has several anti-analysis tricks to hinder debugging and execution in sandbox environments.
It checks whether it is running under a debugger, and has some VM artefact strings embedded, not to stop working when they are found but probably to change its behaviour: http://labs.alienvault.com/labs/wp-content/uploads/2013/06/urausy_antivm.png
When started, the malware injects itself into the benign Windows process svchost as a new thread, copies itself to "C:\Documents and Settings\Administrator\Application Data\skype.dat", writes a .ini file at "C:\Documents and Settings\Administrator\Application Data\skype.ini" to run at startup and gain persistence, and finally goes to sleep for a long time to evade automated analysis.
After that, the fireworks begin. The computer is locked with the screen shown at the beginning. To get this done, it uses CreateDesktopW (with a desktop named MyDesktop) and CreateWindowEx (with a window named YIWEFHIWQ) to take control over the whole UI, and then calls home to the C&C.
The C&C host is kidje[.]biz -> 50.7.166.134
Screenshot: http://labs.alienvault.com/labs/wp-content/uploads/2013/06/kidwhois.png
The communication is done over HTTP, with encrypted data encapsulated inside the requests and responses: http://labs.alienvault.com/labs/wp-content/uploads/2013/06/urausy_uri.png
http://labs.alienvault.com/labs/wp-content/uploads/2013/06/urausy_response.png
AlienVault has developed a YARA rule to match against the memory of processes infected by Urausy; you can take it from our repo:
http://labs.alienvault.com/labs/wp-content/uploads/2013/06/yara_urausy.png
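As an added, constructed example (not AlienVault's YARA rule or any code from this post), a small Python triage helper that applies the indicators named above: it checks a process memory or file dump for the MyDesktop/YIWEFHIWQ and skype.dat/skype.ini strings, and flags proxy log lines that reach the C&C host. The Squid-style log format and the sample data are assumptions.

```python
import re
from typing import Dict, List

# Host-based strings named in the write-up: the private desktop/window names
# and the two persistence files written under Application Data.
MEMORY_INDICATORS = {
    "desktop_name": b"MyDesktop",
    "window_name": b"YIWEFHIWQ",
    "persist_payload": b"skype.dat",
    "persist_ini": b"skype.ini",
}
# Network indicators from the write-up (defanged domain restored for matching).
CNC_DOMAIN = "kidje.biz"
CNC_IP_RE = re.compile(r"(?<![\d.])50\.7\.166\.134(?![\d.])")
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def scan_process_memory(buf: bytes) -> Dict[str, bool]:
    """Report which indicator strings occur in a memory or file dump.
    ASCII and UTF-16LE forms are both checked, since the sample uses the
    wide (W) desktop/window APIs."""
    hits = {}
    for name, needle in MEMORY_INDICATORS.items():
        wide = needle.decode("ascii").encode("utf-16-le")
        hits[name] = needle in buf or wide in buf
    return hits


def is_suspect_memory(buf: bytes) -> bool:
    """The desktop+window pair is distinctive on its own; the skype.* names
    alone are weak, so they only count alongside other hits."""
    hits = scan_process_memory(buf)
    return (hits["desktop_name"] and hits["window_name"]) or sum(hits.values()) >= 3


def find_cnc_beacons(log_lines: List[str]) -> List[str]:
    """Return proxy log lines whose URL host is the C&C domain or whose
    text carries the C&C IP (e.g. in the upstream server field)."""
    flagged = []
    for line in log_lines:
        m = URL_HOST_RE.search(line)
        host = m.group(1).lower() if m else ""
        if host == CNC_DOMAIN or host.endswith("." + CNC_DOMAIN) or CNC_IP_RE.search(line):
            flagged.append(line)
    return flagged


# Constructed sample data (assumed Squid access-log layout; not from a real infection).
SAMPLE_MEMORY = b"svchost\x00" + "MyDesktop".encode("utf-16-le") + b"\x00YIWEFHIWQ\x00"
SAMPLE_LOG = [
    "1371000000.001 10.0.0.5 TCP_MISS/200 1024 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "1371000001.002 10.0.0.5 TCP_MISS/200 512 POST http://kidje.biz/ - DIRECT/50.7.166.134 application/octet-stream",
]
```

Run `is_suspect_memory(SAMPLE_MEMORY)` and `find_cnc_beacons(SAMPLE_LOG)` to see the host hit and the single beaconing log line; on a live host, feed it the strings of the svchost process and your proxy log instead.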
AlienVault Unified Security Management (USM) is able to detect the activity of this ransomware family and all the other threats mentioned on this blog post.
http://labs.alienvault.com/labs/wp-content/uploads/2013/06/urausy_alarm1.png
http://labs.alienvault.com/labs/wp-content/uploads/2013/06/urausy_events1.png
Security operators will see this kind of alarm for other similar ransomware families such as Rannoh, Bomba Locker, Galock or Reveton.