Threat Intelligence

The Five Largest Ransomware Attacks of 2017

The Year 2017 had a lot of sleepless nights for the security professional, IT admins, etc. as huge cyber-attacks marred it. Targets of those cyber-attacks were not some selected individuals but whole industries. Out of those attacks, Ransomware attacks were always making news due to their impact. The best thing about these ransomware attacks is that companies now started to taking security seriously; be it follow of hardening guidelines, regular patching, as they realize how it can impact their revenues. Though there were several ransomware attacks in 2017, in this article we will look at the five most significant ransomware attacks that left a note of what to expect in future.

WannaCry

This was the most famous ransomware of 2017 and believe it or not it brought (i hope so) a security revolution within companies. It all started when ShadowBrokers released various exploits (in use by NSA) in April and then later in May these exploits were leveraged by the attackers to launch WannaCry ransomware. It is believed that WannaCry has affected computers in at least 150 countries and has caused a potential loss in millions if not billions. Moreover, below are the main features of WannaCry

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

Get Started

This ransomware arrives from the vulnerable public facing SMB ports in the form of a dropper and before execution it checks for a long URL (which in turn turns out to be the KILLSWITCH) for it. If it is not there the infection process follows.
Initial file that is dropped is mssexsvc.exe which executes tasksche.exe. This exe checks for long URL domain.
The ransomware then exploits the SMB protocol. The exploit code was among the exploit kit stolen by Shadow Brokers from NSA and the one used by WannaCry was termed as EternalBlue.
WannaCry also checks for the existence of another exploit released by Shadow Brokers termed as DoublePulsar.
One of the exciting characteristics of WannaCry is that it can pivot from the infected machine to infect other systems geographically.
Microsoft released a patch for it MS17-010 back in March but because organizations failed to patch they got infected. After WannaCry breaks out, only then Orgs started to patch it.
It deletes shadow copies as well.
Below is the screen of WannaCry Ransom notice (it gets popped up as per locale settings) where the further instructions are listed.

Not Petya

Initially, some called it Petya ransomware with some code changes, but the code changes were so significant that later it is dubbed as Not-Petya. However, it is in the true sense is not ransomware as the damage caused by the malware was non-recoverable, and there was no intention collect ransom from victims. Not Petya is believed to have affected at least 65 countries and essential organizations like FedEx, Merck, Rosneft, etc. and have caused substantial monetary losses for example only AP-Roller-Maersk provides the attack estimates to be around $200-$300 million. Below are the some of the characteristics of Not-Petya.

It gets into the organization as admin via malicious Ukrainian tax software and via phishing emails.
Not-Petya also uses ShadowBroker exploits ETERNALBLUE and ETERNALROMANCE for infection.
Not-Petya moves through the network using tools like mimikatz to extract admin creds from memory and then uses PSExec and WMIC to connect to other systems.
It encrypts NTFS and MBR. When the system is infected, it creates a scheduled task to start encrypting the system precisely after 1 hour. When that task kicks off, it restarts the system and presents below the fake screen of C drive repairing. In the background, it was encrypting files.

Locky

Locky is one of the stealthiest ransomware out there. It was all in the news in 2016 and infected via Necurs (It is touted to be the most massive botnet available). Locky has multiple campaigns, and they come to force for some time. Locky, however, came to a halt in the early part of 2017 by Necurs to give way to JAFF (discussed below), but in April again Locky came back with few tweaks. Initially, Locky infection was up to 90K devices per day and Countries which were most affected were France, Italy, USA, Germany, and Spain. Affected victims like Hollywood hospital must pay $17000 to resume operations. Below is the infection process of Locky

The user receives a malicious email. The email was of the subject Payment or Receipt. The email body slightly differs in different campaigns, and the email contains the pdf attachment.
Victim opens the email and the attachment. The pdf attachment had an embedded MS word docm file. As soon the victim opens the pdf attachment, it asked for user approval to open the embedded docm file. Though this sounds simple technique to lure victim and has a dependency on the user to carry out further infection, it does evade sandboxes.
After the user gave permission to open the file, the JavaScript inside the pdf opens an MS word file.

Word document contains an XOR'd Macro file and attempts to download Locky ransomware from a compromised website.
As soon as the Locky is downloaded, it checks for any updates to its code and then began the encryption process.
Once the encryption process of over, user system wallpaper changes to the following which states all the information about the ransomware and how to contact the authors for further decryption of encrypted files.

Crysis

Though the Crysis ransomware came out in 2016, a new variant of it was seen in 2017. Based on Crysis history, this ransomware is distributed through RDP brute force attacks, and this variant encrypts the files with. arena extension. Locky was believed to be infecting mostly Russia, Japan, South Korea, North Korea and Brazil. Below are some of the important characteristics of this ransomware

This variant of ransomware encrypts the file with. arena extension. The format of encrypted files is <original file name>.id-<id>. <email>. arena.
Once it completes encrypting the files of the local system, it then starts to map all the open network drives to the infected system and start infecting them as well.
Ransomware also achieves persistence with by creating copies of itself in C:WindowsSystem32 and Startup folder.
This ransomware also deletes the backup copies created by Volume shadow service.
In each folder where the files have been encrypted, a file "FILES ENCRYPTED.txt" file is also created which states the message that the files are encrypted and whom to email for further info.
Below is another ransom note from file 'info.hta' is below. It also gives free service of decryption of 5 files.

JAFF

JAFF ransomware was also distributed via Necurs botnet. Since this ransomware has Necurs backing, success followed it. As expected, this ransomware was spread through campaigns. Since Necurs was behind JAFF, researcher detected thousands of emails as part of the campaign, and the requested ransom amount was 2.047 BTC. Below is the complete infection process of JAFF.

Infection Process of JAFF

Initially, the victim receives a spam email from the Necurs botnet. The email subject was Copy_<Random number string> or Document_<Random number string>. The email body slightly differs in different campaigns, and the email contains the pdf attachment.
Victim opens the email and the attachment. The pdf attachment had an embedded MS word docm file. As soon the victim opens the pdf attachment, it asked for user approval to open the embedded docm file. Though this sounds simple technique to lure victim and has a dependency on the user to carry out further infection, it does evade sandboxes.
After the user gave permission to open the file, the JavaScript inside the pdf opens an MS word file.

After this, the user is lured to enable macros. This is a very common step in almost every malware campaign. As soon as the macros are enabled, a VBA macro tries to download the ransomware. In JAFF, multiple domains were specified to increase the chances to download the malware.
Once the malware is downloaded, it is being XOR'd with an embedded XOR key.
After the completion of XOR process, the ransomware executable is launched with the cmd prompt.
Ransomware starts encrypting the files with. jaff extension. Once the encryption process is completed, user desktop is changed to following which gives a message to the user as to how to recover the encrypted files.

If the user proceeds with the recovery of files and reach the TOR address, user is presented with the following payment screen where the user enters the ID

After entering the ID, the user is presented with the follow-up instruction on how to recover the files.

So, 2017 was the in no doubt the year of ransomware and gained much popularity due to infection rate either due to lack of knowledge of end users or unpatched systems. However, with these ransomware, some companies have now started to adopt best security practices like regular patch management to reduce the attack surface from these ransomware.