CryptoLocker: What's Old is New Again (in cyber years)

Posted by Micah Graf   |   March 22, 2017

RansomwareIt’s been a few years since we have seen CryptoLocker on a regular basis, but now it seems to be making its rounds again via a new spam campaign. The new CryptoLocker variant has been around for many years, and has evolved over that time.

CryptoLocker used to be very popular back when the Zeus botnet was making its rounds. The way it worked was once a computer was infected with the Zeus malware, it would be used to push the CryptoLocker ransomware onto the machine.However, in June of 2014, law enforcement ceased control over the botnet and put the botnet’s creator on the FBI’s Wanted List, in addition to warning consumers and organizations. There were some large CryptoLocker spam campaigns targeting Europe and other parts of the world in 2014 and 2015, and the new campaign also seems to be taking on a similar pattern of infiltration with its European focus.

Initial Infection Vector

While the emails vary depending on the country they are targeting, the emails seen in Italy were Digitally signed by PEC (Posta Elettronica Certificata) which helps make the emails look more legitimate and helps bypass spam filters.

The email pretends to be related to an Invoice and includes a malicious attachment. The malicious file attached varies, and is either a Zip file, a JavaScript file, or an HTML file. One email campaign had a Zip file attached, and inside of the Zip file is an HTML file.endpoint security Inside of the HTML file, the attackers have concealed a highly obfuscated JavaScript which is used as a downloader (known as Neumucod malware variant) to download the ransomware payload, as seen in Figure 1 to the right. 

As you can see in Figure 2 below, the initial javascript downloader code, reaches out to an AWS URL and pulls down a second JavaScript file which then executes the first script in memory, and leads to the CryptoLocker payload being downloaded onto the machine and executed.


The Future of CryptoLocker and Ransomware

Like all different classes of attacks, there is a cycle where we see the reemergence of certain applicable techniques, and then variants that work just slightly differently enough to evade detection.

What we have observed is exactly that – some similarities, some differences here in the latest campaign. The reality is that ransomware continues to evolve, to the point where even some subtle differences in how malware is built and how attack campaigns are constructed so attackers can continually target victim organizations successfully.

One of the main differences not just in detecting advanced attacks like these is having technology that can help a threat analyst or SOC Manager “act.” By this, I mean that an accurate identification that something is attempting to encrypt files the way ransomware does, is essential, and behavioral analysis is an enormous advantage here, especially if teams rely on signature-based detection on the endpoint layer – it will not be effective against this type of attack.

Second, time is a critical factor, so that full encryption does not occur and the payload (the ransomware) is not able to be fully deployed, to prevent the attack from fully executing on victim machines. This can be done by killing the process at the right time so that it salvages the contents on the machine or network of machines, and then quarantining the machine as a preventative measure.

Take a look at the video I put together that shows how our Endpoint Threat Platform (ETP) can detect and stop a ransomware attack, in this case, Cerber. This illustrates how easy it is to inadvertently launch ransomware on an organization’s system through a Flash download.

The video walks through what the user does to enable the ransomware to access files on the machine. Then it toggles to show what a security analyst will see in terms of behavior detected by our ETP platform, severity level of threat detected, and finally an automatic response triggered to stop the threat from penetrating any further and doing any further damage.


Topics: endpoint security, EDR, endpoint detection and response, Ransomware, ETP, CryptoLOcker, enterprise security, Endpoint Threat Platform, endpoint security solution

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all