Thursday, 25. August 2016

New Open Source Ransomware Based on Hidden Tear and EDA2 May Target Businesses

By Francis Antazo, Byron Gelera,  Jeanne Jocson, Ardin Maglalang, and Mary Yambao

In a span of one to two weeks, three new open source ransomware strains have emerged, which are based on Hidden Tear and EDA2. These new ransomware families specifically look for files related to web servers and databases, which could suggest that they are targeting businesses.

Both Hidden Tear and EDA2 are considered as the first open source ransomware created for educational purposes. However, these were quickly abused by cybercriminals. RANSOM_CRYPTEAR.B is one of the many Hidden Tear spinoffs that infect systems when users access a hacked website from Paraguay. Magic ransomware (detected as RANSOM_MEMEKAP.A), based on EDA2, came soon after CRYPTEAR.B’s discovery.

One factor that contributed to the proliferation of this ransomware type is the ease and convenience it offers to cybercriminals—they don’t have to be technically skilled to build their own ransomware from scratch. Before the source codes of Hidden Tear and EDA2 were taken down, these were publicly available and cybercriminals only had to modify the code based on their needs.

Imitating pop culture and mobile apps

KaoTear (detected as RANSOM_KAOTEAR.A), a Hidden Tear-based ransomware, uses the filename kaoTalk.exe and includes KakaoTalk icon to disguise its malicious nature. KakaoTalk is a widely-used messaging app in South Korea with 49.1 million active users globally.

KaoTear_ransomnote

Figure 1. KaoTear’s ransom note

English translation:

Your files have been encrypted.
Go to the following address:
You can check the information for decryption:
http://{BLOCKED}t225dfs5mom.{BLOCKED}n.city
Go to the site above. TOR browser is required

 Another recent Hidden Tear spinoff is POGOTEAR (detected as RANSOM_POGOTEAR.A) that capitalizes on the success of Pokemon Go. It even employs the filename PokemonGo.exe to lure users into thinking that it is a legitimate file.

POGOTEAR

Figure 2.  POGOTEAR’s ransom note bears the image of Pikachu from the gaming app, Pokemon Go.

Here’s a rough translation in English:

Sorry. Encrypting your files have been unintentional. The decoder is send to {BLOCKED} 200 edge following account\n {BLOCKED}@gmail.com.

hiddentearstring

Figure 3.  KaoTear and POGOTEAR have the string “hidden tear” on their form initialization.

On the other hand, FSociety (detected as RANSOM_CRYPTEAR.SMILA) is an EDA2-based ransomware that draws inspiration from the hacker group in the hit TV series, Mr.Robot.

FSociety

Figure 4. Cybercriminals ride on the popularity of the TV show, Mr. Robot.

A closer look at KaoTear, POGOTEAR, and FSociety

Aside from pop culture references, KaoTear, POGOTEAR, and FSociety have other similarities.

For one, they target almost the same file types to encrypt: *.txt, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.odt, *.jpg, *.png, *.csv, *.sql, *.mdb, *.hwp, *.pdf, *.php, *.asp, *.aspx, *.html, *.xml, and *.psd.  Some of these file extensions (such as XML, PHP, and ASPX) are related to web servers.

All three malware also search for SQL and MDB files, which are associated with databases. Based on these target files, it is very likely that businesses are being targeted.

Here are some of the similarities and differences:

KaoTear POGOTEAR FSociety Extension 암호화됨 (.encrypted) .locked .locked Ransom Note ReadMe.txt هام جدا.txt None Language Korean Arabic English MSIL compiled Yes Yes Yes Encryption Method AES 256 AES 256 AES 256 Propagation Routine None Spreads via fixed drives, removable drives, shared folders and mapped network drives None C&C None Connects to hxxp://10[.]25[.]0[.]169 Sends the key for encrypting files to hxxp://www[.]archem.hol[.]es/savekey[.]php POGOTEAR is the only ransomware with propagation mechanism that enables it to spread to removable and mapped network drives. It also creates an administrator-level user that can be hidden from the Windows login screen through this registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersionWinlogon\SpecialAccounts\UserList\Hack3r = “0”

With this, cybercriminals can further compromise the infected system and consequently, the network.

We observed that POGOTEAR and FSociety may still be under development. One indicator for this is POGOTEAR’s use of a private IP for its command-and-control (C&C) server.  Since it uses a private IP, the information sent stays within the organization’s network. On the other hand, FSociety searches for a folder named ‘test’ in the %Desktop%.  If the said folder is not found, FSociety does not encrypt any files.

The risks of open source ransomware

The creation of open source ransomware for educational purposes has raised security concerns that call for stricter measures in knowledge sharing.  In the case of Hidden Tear and EDA2, the cybercriminals used the public source code as a baseline and modified to pursue their own interests.

Another educational ransomware spotted is ShinoLocker (detected as RANSOM_SHINOLOCK.A). Aside from file encryption, it can also uninstall itself and restore files it has encrypted. The developer created it for simulation purposes.

As security researchers, we have to thoroughly assess the possible risks and consequences of creating and distributing educational information. If the sharing of source codes or samples is necessary, it is best to distribute these only to targeted credible recipients through secure channels. Before releasing anything to the public, we need to assess its benefits against the potential threats that it can introduce if it goes into the wrong hands.

Trend Micro solutions

Enterprises and small-medium businesses are viable targets for ransomware attacks. The recently-discovered open source ransomware strains show the possibilities that they can potentially affect organizations—disruption to productivity and operations, including damage to company brand or reputation. Although still under development, we can expect the perpetrators behind these threats to enhance their arsenals to advance their interests.

The recent developments in open source ransomware also highlight the importance of how a multilayered protection can secure enterprise networks from all aspects—gateway, endpoints, network, and servers. Our endpoint solutions can detect KaoTear, POGOTEAR, and FSociety ransomware before they can encrypt crucial files in the system.

PROTECTION FOR ENTERPRISES
•  Email and Gateway Protection Trend Micro Cloud App Security, Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security address ransomware in common delivery methods such as email and web.

Spear phishing protection Malware Sandbox IP/Web Reputation Document exploit detection



•  Endpoint Protection Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

Ransomware Behavior Monitoring Application Control Vulnerability Shielding Web Security



•  Network Protection Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

Network Traffic Scanning Malware Sandbox Lateral Movement Prevention



•  Server Protection Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.

Webserver Protection Vulnerability Shielding Lateral Movement Prevention










PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
•  Protection for Small-Medium Businesses Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.

Ransomware behavior monitoring IP/Web Reputation



•  Protection for Home Users Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

IP/Web Reputation Ransomware Protection






Related SHA1 hashes:


•  a5f0b838f67e0ca575a3d1b27d4a64dec8fac2fc – RANSOM_CRYPTEAR.SMILA
•  f7a78789197db011b55f53b30d533eb4297d03cd- RANSOM_KAOTEAR.A
•  aee02b10a74c2fdd257d161fd8e03b37878a803f – RANSOM_POGOTEAR.A


Post from: Trendlabs Security Intelligence Blog - by Trend Micro

New Open Source Ransomware Based on Hidden Tear and EDA2 May Target Businesses