Since the start of the year, ransomware has claimed many organisations, with some opting to pay the hackers’ demands and further fuelling their business model. Identifying the people behind these malicious programs, and stopping them from spreading their vile attacks, is a high priority, and PhishMe has confirmed it has done just that – twice!
Ronnie Tokazowski, senior researcher at PhishMe, explains how PhishMe deconstructed a recent ransomware attack to identify the hackers behind the attempt: “In many ransomware attacks, including Dridex, attackers employ a very wide ‘spray and pray’ in the hopes that people will pay the ransom. Criakl is yet another ransomware sample; however, the lure and targeting were quite different. Here, a small group of Russian and Ukrainian hackers sent a phishing email to our co-founder and CTO, with one phishing email to his inbox. He reported it, and we analysed it.”
Once infected, the victim’s machine beacons out to let the attackers know that the system is infected, and the entire desktop wallpaper changes, showing an image instructing the victim to send an email to the attackers’ contact address.
Ronnie continues, “Pretending to be a distressed user, we responded back, asking for help, since there were no other instructions other than emailing our attacker. When they responded back, our attackers said we needed to pay $500; however, the reply came from a Tor IP address. Also note they sent the email using AOL webmail. When we didn’t respond back, our attacker was rather persistent, trying to get our ‘infected’ user to click on the email.
“When looking at the headers, the attackers sent the original phishing email from 82.211.30.242. Most attackers choose to use either fake accounts or compromised accounts; we strongly believe these are accounts that the attackers own. We observed three accounts used by this gang, anastasiya8183, andry.volk, and aste2006 from kollectors[d]xyz. We confirmed the presence of these accounts by using Netcat to connect to port 587 on the remote system and initiating an SMTP exchange with the server. For our attackers, they slipped up by using personas that tie back to them. By performing OSINT on our attacker handles, we were able to find many things that our attackers have done in the past, as well as when.”
An image of this activity is available on request.
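Tracing the originating IP from the headers, as Ronnie describes above, means walking the Received chain from the bottom (first hop) upwards and skipping internal addresses. The following is an added example written for this article, not PhishMe’s code; the message, hostnames and addresses are constructed, and only RFC 1918, loopback and link-local ranges are treated as internal so that the documentation-range addresses in the sample count as routable hops.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample message: hostnames, addresses and timestamps are made up
# for illustration and are not from the investigation described in the article.
SAMPLE_MESSAGE = """\
Received: from mx.example-corp.test (mx.example-corp.test [192.0.2.10])
\tby inbox.example-corp.test with ESMTP; Mon, 1 Jun 2015 10:00:02 +0000
Received: from webmail.example-isp.test (webmail.example-isp.test [198.51.100.7])
\tby mx.example-corp.test with ESMTPS; Mon, 1 Jun 2015 10:00:01 +0000
Received: from [10.0.0.5] (unknown [203.0.113.42])
\tby webmail.example-isp.test with ESMTPA; Mon, 1 Jun 2015 10:00:00 +0000
From: accounts@example-isp.test
To: cto@example-corp.test
Subject: Invoice attached

See attachment.
"""

# Only RFC 1918, loopback and link-local are treated as internal here (an assumption
# of this example), so the documentation-range addresses above count as routable.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_internal(text):
    try:
        addr = ip_address(text)
    except ValueError:
        return True  # not a parseable address: skip it
    return any(addr in net for net in INTERNAL_NETS)


def originating_hop(raw_message):
    """Return (ip, authenticated) for the earliest routable hop, or (None, False).

    Relays prepend Received headers, so the last header is the first hop. Only the
    headers added by your own mail servers are trustworthy; anything below them can
    be forged by the sender, so treat the result as a lead, not as proof.
    """
    received = message_from_string(raw_message).get_all("Received") or []
    for hop in reversed(received):
        from_clause = re.split(r"\s+by\s+", hop, maxsplit=1)[0]
        for candidate in IPV4_RE.findall(from_clause):
            if not is_internal(candidate):
                # ESMTPA/ESMTPSA means the sender authenticated to that relay,
                # i.e. a mail account (webmail or SMTP submission) was used.
                authenticated = bool(re.search(r"\bESMTPS?A\b", hop))
                return candidate, authenticated
    return None, False
```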
Ronnie adds, “Our attackers were also communicating on Russian pornographic websites, and based on the overlap of locations and frequenting of similar websites, we can safely assume that our Russian and Ukrainian hackers are in fact from Russia and Ukraine, and may have been collaborating on different projects for the last year.”
Having pretended to pay the ransom, Ronnie says, “Once the ‘transaction’ went through, we sent them a link to the confirmation, although it was actually a link to our Simulator platform, which we can use to track the IP address they [the attackers] click from. This IP address is a confirmed proxy. We were able to determine that our attackers were using Firefox 38, configured using Russian as the default language. Yet another piece of evidence supporting our belief the hackers are Ukrainian and Russian.”
An image showing the IP address is available on request.
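The tracking link described above yields its evidence from the web server’s own access log: the client IP, the User-Agent and the Accept-Language header. This added example, not PhishMe’s Simulator code, pulls those fields out of constructed log lines; it assumes the server logs in the common “combined” format with the Accept-Language header appended as one extra quoted field, and the IPs, token and timestamps are made up.

```python
import re

# Constructed access-log lines; IPs, token and timestamps are made up and are not
# the values from the investigation. Format is "combined" plus the request's
# Accept-Language header logged as a trailing quoted field (an assumed config).
SAMPLE_LOG = """\
203.0.113.42 - - [02/Jun/2015:14:03:11 +0000] "GET /confirm?t=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0" "ru-RU,ru;q=0.8,en-US;q=0.5"
198.51.100.7 - - [02/Jun/2015:14:05:40 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/43.0.2357.81" "en-US,en;q=0.5"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<lang>[^"]*)"$')
BROWSER_RE = re.compile(r"(Firefox|Chrome|Safari|MSIE)/?(\d+)")


def clicks_for_token(log_text, token):
    """Return one record per request that carried the given tracking token."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or f"t={token}" not in m["path"]:
            continue
        browser = BROWSER_RE.search(m["ua"])
        hits.append({
            "ip": m["ip"],  # the address that clicked; may be a proxy or exit node
            "when": m["ts"],
            "browser": f"{browser[1]} {browser[2]}" if browser else "unknown",
            # First entry of Accept-Language is the browser's configured locale.
            "language": m["lang"].split(",")[0].strip() or "unknown",
        })
    return hits
```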
Detailing the second attack, Ronnie confirms, “We responded back to the attackers and were instructed how to go about paying the ransom. Quick payment receives a discount. How nice of them, eh? For the bitcoin transactions, the two accounts have had 11.3 and 2.25 BTC transferred to them, totalling ~5546 USD at current exchange rates.”
Speaking about both attacks, Ronnie concludes, “For a majority of the transactions to both addresses, each transaction out of the wallet has a larger and a smaller amount, then potentially tossed through a tumbler service to clean and launder the bitcoins. The distribution of the second attack is wider, showing that the attackers are experimenting even more with larger distribution channels.
“Maintaining operational discipline to remain anonymous is difficult for most attackers, especially in high-volume ransomware phishing scams. If a hacker uses new infrastructure every time, new accounts each time, and new everything…then it’s possible. In the case of the first Criakl attack, even though they were hiding behind Tor, they made a very basic mistake in this case by re-using a persona, and that’s how we were able to track them. These are not A-players, C- at best. Yet they are still showing some success.”
With the success of CryptoLocker and CryptoWall, PhishMe warns that more and more copycats of this destructive type of malware will be seen. The good news is there are a few things that can be done to prevent these attacks from being successful:
1. If a suspicious email is received at home, don’t open it. Delete it.
2. If a suspicious email is received at work, report it! Because this email was rapidly reported, PhishMe was able to neutralise it enterprise-wide, even though at the time of receipt not a single anti-virus vendor had a signature for it.
3. Don’t wait until something happens to make a backup! Make a backup now, and make sure it’s disconnected from the computer. Some malware will encrypt network and USB drives.
4. Seriously, do #3. Backups will save you the hassle of finding bitcoin to pay the ransom. With a backup and recovery plan in place, that is one more victim who won’t need to pay the attacker, successfully cutting into their profit margins.