Even though ransomware is one of the threats du jour, it’s not something I’ve closely studied. So I decided that this weekend was as good a time as any to conduct some research and develop a better understanding of this threat.
I wish I could say I identified novel features of what I discovered were large, multi-wave ransomware campaigns between May and August. But that didn’t happen. The reality is pretty mundane: I pulled together existing research and documented—in my own words—what others have already reported.
As an analyst, I’m okay with that. I’ve found this type of research to be typical. And it brings up thoughts (and tips!) I have on intelligence consumption. But more on those soon… First, let’s look at the recent ransomware activity.
Windows Script Files Seen in Multiple Ransomware Campaigns
Starting in May, ransomware distributors began using Windows Script Files (.wsf) to download and execute various ransomware payloads: Locky, Cerber, and CryptMIC. The script files are commonly contained in .zip email attachments, but sources have also observed phishing messages with a URL pointing to a malicious .zip.
- Early May: actors behind the Cerber ransomware launch a phishing campaign relying on .wsf files contained in double-zipped email attachments. Forcepoint says that this was the first time it had seen Cerber delivered using .wsf files.
- Mid- to late July: criminals use the .wsf method to push the Locky and Cerber ransomware, according to both Cloudmark and Microsoft. Unlike the early May Cerber campaign, the script files are not double-zipped. Trend Micro also spots widespread Locky phishing activity using the same installation technique: a .wsf file in a .zip attachment.
- Early August: Invincea identifies an attempted CryptMIC infection. Delivery techniques mirror those seen in July. Additional details on this recent activity are provided below.
Recent August 2016 CryptMIC Ransomware Campaign
In early August, Invincea observed an attempted CryptMIC ransomware infection. Notable in the infection chain was the use of a Windows Script File (.wsf) to execute the malware.
The reported infection chain is as follows:
- Via phishing, or possibly via drive-by download, a user receives a .zip archive containing a .wsf file. Both the .zip and .wsf files download to the user's
- The Windows Script Host (wscript.exe) process executes the .wsf file, which a) writes a PHP script to the user’s Internet Explorer cache directory (this location varies with the Windows OS version) and b) writes and executes radXXXXX.tmp to the current
The .tmp file is the ransomware identified as CryptMIC. The XXXXX characters are a random hexadecimal value (e.g., 075AC). Lastly, the .wsf file c) creates a malicious .job (i.e. scheduled task) file in the
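As an added example (not code from the post or from any of the vendor reports it cites), the following Python check correlates the chain described above across a few constructed process and file events: wscript.exe launching a .wsf, then dropping a .php into the Internet Explorer cache, a rad plus five hex characters .tmp file, and a .job file. The pipe-delimited event format, paths and PIDs are assumptions; the two cache folder names are those used by newer and older Windows versions.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry): "event_type|pid|image|detail".
# PID 4120 mimics the chain from the post; PID 5001 is a benign admin script.
SAMPLE_EVENTS = [
    r"process_create|4120|C:\Windows\System32\wscript.exe|C:\Users\alice\Downloads\invoice_1234.wsf",
    r"file_create|4120|C:\Windows\System32\wscript.exe|C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\IE\ABCD1234\page.php",
    r"file_create|4120|C:\Windows\System32\wscript.exe|C:\Users\alice\AppData\Local\Temp\rad075AC.tmp",
    r"process_create|4188|C:\Users\alice\AppData\Local\Temp\rad075AC.tmp|rad075AC.tmp",
    r"file_create|4120|C:\Windows\System32\wscript.exe|C:\Windows\Tasks\At1.job",
    r"process_create|5001|C:\Windows\System32\wscript.exe|C:\Scripts\inventory.wsf",
]

WSF_RE = re.compile(r"\.wsf\b", re.I)
# The post says the rad prefix is followed by a random hexadecimal value, e.g. 075AC.
RAD_TMP_RE = re.compile(r"\\rad[0-9A-F]{5}\.tmp$", re.I)
# IE cache lives under INetCache (Win8+/IE11) or Temporary Internet Files (older).
PHP_CACHE_RE = re.compile(r"\\(INetCache|Temporary Internet Files)\\.*\.php$", re.I)
JOB_RE = re.compile(r"\.job$", re.I)


def parse_event(line):
    event_type, pid, image, detail = line.split("|", 3)
    return event_type, int(pid), image, detail


def find_wsf_dropper_chains(lines, min_file_indicators=2):
    """Group events by wscript.exe PID and flag PIDs that launched a .wsf
    and then produced at least `min_file_indicators` of the dropper artifacts."""
    indicators = defaultdict(set)
    for line in lines:
        event_type, pid, image, detail = parse_event(line)
        if not image.lower().endswith(r"\wscript.exe"):
            continue
        if event_type == "process_create" and WSF_RE.search(detail):
            indicators[pid].add("wsf_launch")
        elif event_type == "file_create":
            if PHP_CACHE_RE.search(detail):
                indicators[pid].add("php_in_ie_cache")
            elif RAD_TMP_RE.search(detail):
                indicators[pid].add("rad_tmp_dropped")
            elif JOB_RE.search(detail):
                indicators[pid].add("job_file_created")
    flagged = {}
    for pid, found in indicators.items():
        file_hits = found - {"wsf_launch"}
        if "wsf_launch" in found and len(file_hits) >= min_file_indicators:
            flagged[pid] = sorted(found)
    return flagged


if __name__ == "__main__":
    print(find_wsf_dropper_chains(SAMPLE_EVENTS))  # flags PID 4120 only
```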
See Appendix A for file and network indicators associated with this activity.
Some Thoughts on Consuming Intelligence
As I mentioned in the introduction of this post, I think this type of research is routine. I often encounter threats and TTP that I’m not familiar with, so I have to invest time into studying and absorbing the knowledge that already exists. I suspect this is the case for many analysts. I consider this process to be an important aspect of intelligence consumption.
There are three points I want to raise about this process:
- It’s impossible for analysts to understand every threat. No analyst is aware of, or can understand, every threat or tactic. Analysts must be allowed the time to study threats they don’t understand and which are—or could be—relevant to the organization.
- Intelligence consumption involves more than just ingesting IOC. I believe that the time analysts spend studying threats is part of the intelligence consumption process—it’s not just about collecting IOC. It’s about consuming the knowledge that is available to develop an understanding of the threat. This often flows directly into the analysis process as analysts consider how and why the threat at hand is relevant.
- Producing organization-specific intelligence should be a by-product of consumption. If analysts are taking the time to do the research, they should take the extra step to document and memorialize it for the benefit of their future selves, their intelligence customers, and their organization. The analyst should write a report (not just notes) with a title, summary, and research findings. More importantly, the analyst should include an organization-specific spin: why is the threat relevant to the organization? Are there opportunities to prevent or detect the threat? Answering these questions, even at a basic level, reinforces the practice of tying intelligence activities and reporting to requirements.
Intelligence Consumption Tips – Setting Yourself Up For Successful Production
I think that generating intelligence reports can go hand-in-hand with consuming intelligence. Generating reports also provides a consistent way of managing knowledge.
So, here are some consumption-to-production tips that have worked for me:
- Don’t under-value the importance of synthesizing multiple sources and creating a narrative in your own words. Don’t feel obligated to dig for ground-breaking information. Establishing what you know starts with figuring out what others already know.
- Establish a basic chronology of the threat activity you are studying. The chronology should be based on when the activity occurred, not when sources reported it. Be sure to cite your sources!
- If you don’t have time to create a full timeline, that’s okay. Just focus on capturing the information you can. When you return to the project it will be easier to continue building a timeline and broader context. When I started writing this post, I focused on the CryptMIC activity first. I wanted my synthesis of the .wsf TTP to stand on its own as a short report. It actually wasn’t until I was further into the research that I realized I could place the CryptMIC activity within a more expansive timeline. But the timeline section could also stand on its own. Whether you start with the technical deep-dive or the high-level synthesis, be sure that you can eventually tie the two together.
- Practice taking your raw notes and massaging them into complete sentences. Then craft those sentences into paragraphs and build a narrative. We tend to jot down fragmented notes which remain like that on our desktops in CSV, TXT, and DOC files. This is a challenging way to manage your knowledge. Pull those notes and sources together and write a report!
I personally learned a lot from doing this exercise. Sure, I could have read all of the reports I reference above and left it at that, but there’s nothing like putting pen to paper to ingrain what you’ve learned—and to make it available for your customers.
These types of intelligence products generally aren’t glamorous. But I think they form an essential foundation of knowledge. This knowledge can drive prevention, detection, and hunting efforts.
Appendix A: Indicators for the .WSF-enabled Ransomware Campaigns