[其他] HDDCryptor: Subtle Updates, Still a Credible Threat

Posted by 难瘦 on 2016-12-1 04:59:32
by Stephen Hilt and Fernando Mercês
Since first writing about the discovery of HDDCryptor back in September, we have been tracking this ransomware closely as it has evolved. Last week, a new version was spotted in the wild, and based on our analysis, we believe that this variant is the one used in the recent attack against the San Francisco Municipal Transport Agency (SFMTA).
  In this attack, as we’ve seen with other versions of HDDCryptor, the ransomware dropped some tools to perform full disk encryption, as well as the encryption of mounted SMB drives. We believe the threat actors behind the attack don’t use exploit kits and automated installers to instantly compromise and infect victims. Instead, they first attempt to gain access to the machine, most likely through a more targeted attack or exploit, before manually triggering and executing the malware. While we don’t have specific information on how this was accomplished across SFMTA’s 2,000 machines, it is highly likely that it was through scheduling a job to run on all of the devices using some form of admin credentials.
When contacted, the actors using this new HDDCryptor replied with a message similar to the one quoted in the CSO Online article.

   Figure 1. The attacker’s e-mail response that includes instructions on how to obtain Bitcoin
  How has HDDCryptor Evolved?
Previously, HDDCryptor did all of this through a user account that it added itself: in September the account was named "mythbusters", and shortly afterwards it was observed adding a user named "ABCD", the creators most likely having changed the username to avoid detection. In the most recent version observed as of last week, HDDCryptor no longer adds a user. Instead it creates the directory C:\Users\WWW and drops there the files needed to encrypt both the local hard drive and any attached file shares.

   Figure 2. Components dropped by HDDCryptor
After trying to encrypt remote network shares, the ransomware puts in place all the components needed for local encryption and reboots the system once. HDDCryptor then carries out its remaining work.

   Figure 3. Snapshot of HDDCryptor’s malicious activities upon reboot
One last reboot is needed, after which the ransomware displays the modified Master Boot Record (MBR) as the ransom note. This has not changed between versions, apart from the e-mail address and the phrasing.

   Figure 4. HDDCryptor’s ransom note
As with previous versions, the argument passed to the ransomware binary at execution is the password used for decryption.
The encryption of remote file systems is performed by mount.exe. Each drive to be encrypted is passed to mount.exe as an argument, together with the password that was originally passed to HDDCryptor. Unlike the encryption of the main hard drive, mount.exe does not use DiskCryptor's routines.
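The three behaviours described above (a job scheduled fleet-wide with admin credentials, the accounts and drop directory used by successive variants, and mount.exe invoked with a share and the password as its two arguments) are the kind of thing a defender can hunt for in Windows Security events. The following is an added example and is not code from the original post or from Trend Micro. The event records, host names, the account svc_admin, the share \\fs01\finance and the file name svc.exe are all constructed for this example; the field names follow Security event IDs 4720 (account created), 4698 (scheduled task created) and 4688 (process created). Note that 4688 only carries the command line when process command-line auditing is enabled, so the mount.exe rule depends on that setting.

```python
"""Hunting rules for the HDDCryptor behaviours described above, evaluated
over Windows Security event records. Everything in SAMPLE_EVENTS is
constructed for this example; it is not telemetry from the SFMTA incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_ACCOUNTS = {"mythbusters", "abcd"}   # accounts added by the earlier variants
DROP_DIR = r"c:\users\www"                   # drop directory of the latest variant
FANOUT_HOSTS = 3                             # distinct hosts per window = mass scheduling
FANOUT_WINDOW = timedelta(minutes=10)

_ARG = re.compile(r'"[^"]*"|\S+')


def split_args(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [tok.strip('"') for tok in _ARG.findall(cmdline)]


def find_hddcryptor_indicators(events):
    """Return (rule, subject, detail) tuples for every matching behaviour."""
    hits = []

    # Rule 1: creation (event 4720) of an account name used by earlier variants.
    for e in events:
        if e["EventID"] == 4720 and e["TargetUserName"].lower() in KNOWN_ACCOUNTS:
            hits.append(("known_account_created", e["Computer"], e["TargetUserName"]))

    # Rule 2: process creation (event 4688) out of C:\Users\WWW. mount.exe is
    # reported separately because its two arguments are the share to encrypt
    # and the password that was passed to the main binary.
    for e in events:
        if e["EventID"] != 4688:
            continue
        image = e["NewProcessName"].lower()
        if not image.startswith(DROP_DIR + "\\"):
            continue
        args = split_args(e.get("CommandLine", ""))[1:]   # needs command-line auditing
        if image.endswith("\\mount.exe") and len(args) == 2:
            hits.append(("mount_exe_share_encrypt", e["Computer"], args[0]))
        else:
            hits.append(("exec_from_drop_dir", e["Computer"], image))

    # Rule 3: one account creating scheduled tasks (event 4698) on many hosts
    # within a short window, the likely way the job was pushed fleet-wide.
    by_creator = defaultdict(list)
    for e in events:
        if e["EventID"] == 4698:
            when = datetime.fromisoformat(e["TimeCreated"])
            by_creator[e["SubjectUserName"].lower()].append((when, e["Computer"]))
    for creator, items in by_creator.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - start <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_HOSTS:
                hits.append(("mass_task_scheduling", creator, sorted(hosts)))
                break
    return hits


def _ev(event_id, computer, ts, **fields):
    return {"EventID": event_id, "Computer": computer, "TimeCreated": ts, **fields}


SAMPLE_EVENTS = [  # constructed records; account, hosts and share names are made up
    _ev(4698, "WS01", "2016-11-25T02:05:00", SubjectUserName="svc_admin", TaskName="\\Update"),
    _ev(4698, "WS02", "2016-11-25T02:06:00", SubjectUserName="svc_admin", TaskName="\\Update"),
    _ev(4698, "WS03", "2016-11-25T02:07:00", SubjectUserName="svc_admin", TaskName="\\Update"),
    _ev(4698, "WS04", "2016-11-25T02:08:00", SubjectUserName="svc_admin", TaskName="\\Update"),
    _ev(4698, "WS09", "2016-11-25T03:00:00", SubjectUserName="backup", TaskName="\\Nightly"),
    _ev(4720, "WS01", "2016-11-25T02:10:00", TargetUserName="ABCD"),
    _ev(4688, "WS02", "2016-11-25T02:11:00",
        NewProcessName=r"C:\Users\WWW\mount.exe",
        CommandLine=r'"C:\Users\WWW\mount.exe" \\fs01\finance hunter2'),
    _ev(4688, "WS02", "2016-11-25T02:12:00",
        NewProcessName=r"C:\Users\WWW\svc.exe",        # hypothetical dropped component
        CommandLine=r'"C:\Users\WWW\svc.exe"'),
    _ev(4688, "WS09", "2016-11-25T03:01:00",
        NewProcessName=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe /c dir"),
]

if __name__ == "__main__":
    for hit in find_hddcryptor_indicators(SAMPLE_EVENTS):
        print(hit)
```

The fan-out rule is the one worth tuning: the threshold and window here are arbitrary, and legitimate software deployment accounts will trip it, so baseline which accounts normally create tasks across the fleet before alerting on it.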
When analyzing the samples we noticed a few changes between versions of HDDCryptor. First, the PDB string of mount.exe in the current version carries the tag crp_95_08_30_v3:
  c:\users\public.unkonw\desktop\crp_95_08_30_v3\crp\release\mount.pdb
  HDDCryptor’s previous versions showed CRP_95_02_05_v3, indicating that the ransomware’s developers are updating and improving their code:
  C:\Users\public.Unkonw\Desktop\CRP_95\CRP_95_02_05_v3\CRP\Release\Mount.pdb
Analysis of the samples showed that the actors do not recompile DiskCryptor, even though it is an open-source tool. Instead, since the first version of HDDCryptor, they have patched the dcapi.dll file to add the ransom note. Previous versions dropped all their files as clear PE resources of the main dropper. Since v2, HDDCryptor uses a simple decryption scheme to decrypt the binaries stored in its .rsrc (resource) section:

     Figure 5. Resources decryption algorithm found in sample with hash 97ea571579f417e8b1c7bf9cbac21994. After loading the resource, decryption starts at address 0x9922D0.
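Two of the version indicators discussed above, the build tag in the PDB path and the shift from clear PE resources to encrypted ones, can be checked with a few lines of static triage. The following is an added example, not code from the original post or from Trend Micro. The RSDS CodeView layout (signature, 16-byte GUID, 4-byte age, NUL-terminated path) and the MZ/PE header offsets are standard; the sample bytes are constructed here and are not taken from an HDDCryptor binary, and the single-byte XOR recovery is only a guess at what a "simple scheme" might look like, since the text does not spell out HDDCryptor's actual resource encryption.

```python
"""Static triage of two version indicators discussed above: the PDB path in
the CodeView (RSDS) debug record, and whether a resource is a clear PE file
or looks encrypted. The RSDS layout and PE header offsets are standard; the
sample bytes are constructed here and are not from an HDDCryptor binary. The
single-byte XOR recovery is a guess at what a 'simple scheme' might be, not
HDDCryptor's actual algorithm, which the text above does not spell out."""
import hashlib
import math
import re
import struct

# RSDS: 4-byte signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path.
_RSDS = re.compile(rb"RSDS.{16}.{4}([^\x00]{1,260})\x00", re.DOTALL)
_BUILD_TAG = re.compile(r"crp_95_\d\d_\d\d_v\d", re.IGNORECASE)


def pdb_paths(data):
    """All PDB paths embedded in RSDS records, in file order."""
    return [m.group(1).decode("latin-1") for m in _RSDS.finditer(data)]


def build_tag(pdb_path):
    """The CRP_95_<mm>_<dd>_v<n> tag the developers leave in the PDB path."""
    m = _BUILD_TAG.search(pdb_path)
    return m.group(0) if m else None


def is_pe(blob):
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def shannon_entropy(blob):
    """Bits per byte; 8.0 is uniformly random, clear PE files sit far lower."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def xor_bytes(blob, key):
    return bytes(b ^ key for b in blob)


def recover_xor_key(blob):
    """Known-plaintext guess: an embedded PE must start with 'MZ' (assumption)."""
    if len(blob) < 2:
        return None
    key = blob[0] ^ ord("M")
    if blob[1] ^ key != ord("Z"):
        return None
    return key if is_pe(xor_bytes(blob, key)) else None


def classify_resource(blob):
    """'clear_pe', 'xor_pe:key=0xNN', 'high_entropy' (encrypted/packed) or 'other'."""
    if is_pe(blob):
        return "clear_pe"
    key = recover_xor_key(blob)
    if key is not None:
        return f"xor_pe:key=0x{key:02x}"
    if shannon_entropy(blob) > 7.0:
        return "high_entropy"
    return "other"


def _fake_pe():
    """Minimal MZ stub + PE signature, constructed for the example."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + bytes(0x100)


def _pseudo_random(n, seed=b"hddcryptor-example"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for encrypted data."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


FAKE_PE = _fake_pe()
RANDOM_BLOB = _pseudo_random(2048)
# Constructed debug data carrying the two PDB strings quoted in the text.
SAMPLE_DEBUG_BLOB = (
    b"\x00" * 8 + b"RSDS" + bytes(16) + struct.pack("<I", 1)
    + rb"c:\users\public.unkonw\desktop\crp_95_08_30_v3\crp\release\mount.pdb" + b"\x00"
    + b"\x00" * 8 + b"RSDS" + bytes(16) + struct.pack("<I", 3)
    + rb"C:\Users\public.Unkonw\Desktop\CRP_95\CRP_95_02_05_v3\CRP\Release\Mount.pdb" + b"\x00"
)

if __name__ == "__main__":
    for path in pdb_paths(SAMPLE_DEBUG_BLOB):
        print(build_tag(path), path)
    for name, blob in [("clear", FAKE_PE), ("xor", xor_bytes(FAKE_PE, 0x5A)),
                       ("random", RANDOM_BLOB)]:
        print(name, classify_resource(blob))
```

Run pdb_paths over the whole dropper rather than just the debug directory, since a patched or hand-edited binary may keep a stale RSDS record outside it. A resource that classifies as high_entropy but yields no single-byte key is the signal to go to the disassembler, as Figure 5 does, rather than to keep guessing schemes.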
Both v2 and v3 are compiled with Visual Studio 2013 (the first version was compiled with VS 2012) and add improvements such as basic anti-sandbox and anti-debugging features, string encoding, and the simple resource encryption shown in the screenshot above. This shows that the HDDCryptor actors are quickly evolving this ransomware family to evade AV and other detection techniques. In no case have researchers been able to attribute HDDCryptor executables to phishing campaigns or to any other delivery mechanism. It appears that the actors already have access to the systems and execute HDDCryptor manually. We believe this is done over RDP that is exposed directly to the internet, besides the use of exploitation tools. Given how easy it is to buy access to compromised servers in the underground, HDDCryptor actors may be using that route too.
The latest variant uses the same ransom note seen in the SFMTA attack. Compilation timestamps cannot be trusted, especially for the first observed variant, but the second and third variants do appear to be evolutions of the first, as explained above.
  What’s Next for HDDCryptor?
It has been speculated that in the SFMTA attack 30GB of data was exfiltrated and could be released and sold on the Deep Web. Though we can't confirm that this is the case here, it is an evolution of ransomware we have predicted for a while. Typically, a ransom is demanded to return the original files to the owner, and that's that. At large scale it is very difficult to sift through all of the encrypted data to find valuable information that could be sold. However, it is a logical step for the ransomware to simultaneously encrypt the data and exfiltrate a copy to the attacker. When the victim pays the usual 2 BTC ransom, indicating they care about the data, the attacker does a manual check to see who they are. If it is just a mom-and-pop home user, they take the money, decrypt the files and delete the exfiltrated documents. If, however, it turns out to be an organization like SFMTA, they can immediately raise the ransom and also hold the threat of releasing the files as additional extortion. This is a direction we fully expect to see more frequently over the next 12 months.
The indicators of compromise (IoCs) and related hashes for RANSOM_HDDCryptor can be found in our appendix.
  Trend Micro Ransomware Solutions
This latest incident underscores ransomware's potentially detrimental consequences to organizations: business disruption, financial losses and damage to reputation. At the same time, it highlights the importance of a proactive approach to security. A multilayered defense system that can secure gateways, endpoints, networks and servers is also recommended.
PROTECTION FOR ENTERPRISES

  • Email and Gateway Protection
    Trend Micro Cloud App Security, Trend Micro Deep Discovery Email Inspector and InterScan Web Security address ransomware in common delivery methods such as email and web.
    Spear phishing protection
    Malware Sandbox
    IP/Web Reputation
    Document exploit detection

  • Endpoint Protection
    Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.
    Ransomware Behavior Monitoring
    Application Control
    Vulnerability Shielding
    Web Security

  • Network Protection
    Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.
    Network Traffic Scanning
    Malware Sandbox
    Lateral Movement Prevention

  • Server Protection
    Trend Micro Deep Security detects and stops suspicious network activity and shields servers and applications from exploits.
    Webserver Protection
    Vulnerability Shielding
    Lateral Movement Prevention

PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS

  • Protection for Small-Medium Businesses
    Trend Micro Worry-Free Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.
    Ransomware behavior monitoring
    IP/Web Reputation

  • Protection for Home Users
    Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.
    IP/Web Reputation
    Ransomware Protection

       Additional analysis by William Gamazo Sanchez and Robert McArdle



左眼角的淚痣 posted on 2016-12-2 02:51:49
Showing support; those below, keep in formation!

同州地产 posted on 2016-12-4 16:17:52
Some disappointment is unavoidable, but most disappointment comes from overestimating yourself.

巧幻 posted on 2016-12-9 03:22:50
OP, what exactly are you trying to say?

中意被你中意 posted on 2016-12-18 11:57:55
very good!

