April 14, 2016
Aaron Shelmire

Targeted Ransomware Activity

<h3>Overview</h3><p>Since late 2013 there has been a growing trend of ransomware activity. In these attacks actors encrypt files on hard drives and demand that a ransom be paid in order to decrypt the files. Many of these attacks have focused on client-side vulnerabilities, using phishing messages as a delivery vector. Since December 2015 there have been new ransomware intrusions that rely upon server-side compromises. These compromises are used to deliver the SamSam ransomware family. As of the end of April 2016, the SamSam activity has targeted a minimum of 58 organizations, including those in the healthcare industry.</p><h3>SamSam Activity</h3><p>The SamSam family is composed of four major components. These are:</p><ul><li>SamSam - The name given to the original ransomware by the author</li><li>MIKOPONI - A second major variation of SamSam. Much of the code base has evolved from SamSam, and the ransomware now directs victims to a Tor site for payment.</li><li>DelFileType - A tool used to delete files on the host. Original samples included the SysInternals sdel tool to delete the encrypted files from a host.</li><li>SamDdec - The tool used to decrypt files after the ransom has been paid.</li></ul><p><img src="https://cdn.filestackcontent.com/MF7lugeZSTGFdBpK6X2k"/></p><pre> <code>Figure 1: Timeline of SamSam Activity</code></pre><p>The SamSam actors currently rely upon web pages on Tor hidden services to interact with the victim organization. The actors ask that the victim pay the ransom in Bitcoin. The SamSam activity appears to have started around 9 December 2015, as displayed in the timeline in Figure 1. This is based upon the compilation time of a SamSam sample whose debug database (PDB) path includes "Test". The actor continued to label the PDB path of each sample with an incremental sample number until sample number 54, which has a compilation date of 18 February 2016.
Up until this point the victims were sent to WordPress sites for ransom instructions. The actor then began using Tor for the ransom sites, such as the one in Figure 2 below, as early as 23 February 2016. The actors began calling the ransomware MIKOPONI as early as 01 March 2016.</p><p><img src="https://cdn.filestackcontent.com/fbKe12gSIWHnr8ccqdPi"/></p><pre> <code>Figure 2: SamSam Ransom Page</code></pre><p>The SamSam actors appear to be storing the source code on a removable drive. This conclusion is based upon the PDB strings found within the compiled malware. Some examples of the PDB strings found within SamSam executables include:</p><pre> <code>d:\SAM\clients\Sam41\SAM\obj\Release\samsam.pdb
f:\SAM\clients\testenc\SAM\obj\Release\samsam.pdb
i:\SAM\Servers\Sam-onion-no-check-lock-file-enc-all-ext\SAM\obj\Release\MIKOPONI.pdb
l:\SAM\Servers\Sam-onion - Copy\SAM\obj\Release\MIKOPONI.pdb
u:\SAM\Servers\Sam-onion-no-check-lock-file-enc-all-ext\SAM\obj\Release\MIKOPONI.pdb
x:\SAM\Servers\Sam-onion\SAM\obj\Release\MIKOPONI.pdb</code></pre><p>These drive letters are atypical of standard Windows drive letter assignments. Usually the Windows operating system assigns the next available drive letter to a newly attached removable drive: if a computer only has a fixed drive with the letter C assigned, the removable drive would be assigned the letter D. While the drive letter changes from sample to sample, the directory structure remains the same, which may be evidence of a removable drive. The drive letters D and F are more typical, but the other drive letters found in the PDB strings are odd.</p><p>The use of atypical drive letters could be caused by mounting an encrypted TrueCrypt container.
In the TrueCrypt client the user is able to select the drive letter at which a container is mounted.</p><p><img src="https://cdn.filestackcontent.com/gca35eUBQdwLuJ0f4jeh"/></p><pre> <code>Figure 3: SamSam Day of Week Histogram</code></pre><p>Based upon sample compilation times, the SamSam actors appear to operate most frequently between 1700 and 0100 UTC, with samples compiled as early as 1000 UTC. If these compilation times are accurate, this could mean that the actors are located in a Western nation, most likely within UTC+0200 to UTC-0400. The actors also appear to be most active on Fridays, with some activity on Saturdays.</p><h3>Recent C0d0s0 / Peace Activity</h3><p>The C0d0s0 (a/k/a Peace) actors have a long history of intrusion activity. This activity stretches back at least to October 2010, when the Nobel Peace Prize site was used to distribute their tools via a strategic web compromise leveraging a 0-day vulnerability in Firefox.</p><p>Since at least November 2015 the group has been utilizing JBOSS server vulnerabilities in order to gain access to target networks. This activity was described by <a href="http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/" target="_blank">Palo Alto Networks</a>. Additional C0d0s0 activity is described by <a href="http://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" target="_blank">Proofpoint</a>.<br/> The C0d0s0 actors install a wide range of backdoors including PlugX, new variants of Derusbi, and Bergard. In at least one case, the C0d0s0 actors were operating on the same JBOSS server host where the SamSam tool was deployed. There have been some claims in the media that the SamSam activity is the work of the C0d0s0 group. At this point Anomali Labs has not been able to directly connect the two sets of activity.
While both the SamSam activity and the C0d0s0 activity have recently used JBOSS vulnerabilities, the two sets of activity appear to operate at different times. These times are almost complementary.</p><p>The presence of the two sets of tools on one host and the shared targeting of JBOSS could be coincidence. Evidence showing a single shared session of activity in which actors interact with both C0d0s0-related artifacts AND SamSam-related artifacts would contradict this. No such evidence has been presented.</p><h3>Competing Hypotheses</h3><p>There are a handful of additional hypotheses to explain a relationship between the C0d0s0 and SamSam activity.</p><ul><li>The SamSam activity could be from a second group that receives access to compromised hosts from the C0d0s0 actors after the C0d0s0 actors have gained a foothold.</li></ul><p><img alt="Compile Time of SamSam Samples" src="https://cdn.filestackcontent.com/7n3DJ5skSmqRpljGcjsI" title="SamSam Compile Times"/></p><pre> <code>Figure 4: SamSam Compile Time Wheel</code></pre><ul><li>The SamSam activity could be activity from the C0d0s0 actors outside of their normal work duties. This theory is possible. The two sets of activity are nearly complementary. The C0d0s0 activity mostly occurs during 0300-1000 hours UTC, with less activity during 1200-1600 hours, and a few off-hour samples. This activity is more easily aligned to time zones on the Asian continent, including China Standard Time (UTC+0800).</li></ul><p><img alt="Compile Time of C0d0s0 Samples" src="https://cdn.filestackcontent.com/nlaws7nMSq2M1CHnG1jp" title="C0d0s0 Compile Times"/></p><pre> <code>Figure 5: C0d0s0 Compile Time Wheel</code></pre><p>The SamSam activity mostly occurs from 1500-0100 hours UTC. There are two samples (out of 49) tied to the C0d0s0 group which fit the SamSam time profile. There are also 3 SamSam-related samples (out of 36) that fit the later portion of the C0d0s0 activity.
If the SamSam activity is perpetrated by actors in China, they are operating in the middle of the night.</p><h3>Key Assumptions Check</h3><p>There are two key assumptions underpinning this analysis that put the conclusion at risk:</p><ul><li>We assume the compilation time of the samples has not been modified.</li><li>We assume the hosts on which the samples were compiled have accurate date/time settings.</li></ul><p>Another key assumption is that the C0d0s0 samples have been correctly attributed to one actor group, and similarly that the SamSam samples are correctly attributed to one actor group. We believe these two assumptions are less of a risk to the conclusions.</p><p>Finally, the C0d0s0 activity used as part of this analysis is certainly only a minor subset of the actors' activity. It is possible that this sampling of activity is biased, and that a full set of activity would result in different conclusions.</p>
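<p>The compile-time and PDB-path checks described above, carried out in code as an added example (not Anomali's tooling and not code from the original post): it reads the COFF TimeDateStamp and the CodeView PDB path straight out of a PE image using only the standard library, flags drive letters outside the usual C to F range, and buckets compile times by UTC hour and weekday to reproduce the compile-time wheel view. The three sample blobs, their timestamps and their PDB paths (modelled on the strings quoted above) are constructed for the demonstration.</p>

```python
# Compile-time wheel and PDB triage for PE samples (added example, stdlib only;
# not Anomali's tooling; the sample blobs below are constructed for the demo).
import re
import struct
from collections import Counter
from datetime import datetime, timezone

# CodeView RSDS record: "RSDS", 16-byte GUID, 4-byte age, NUL-terminated PDB path
RSDS_RE = re.compile(rb"RSDS.{20}([ -~]{4,260}?\.pdb)\x00", re.DOTALL)

def compile_time(pe: bytes) -> datetime:
    """Read IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch) as UTC."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    return datetime.fromtimestamp(struct.unpack_from("<I", pe, e_lfanew + 8)[0], tz=timezone.utc)

def pdb_paths(pe: bytes) -> list:
    """Return every PDB path embedded in CodeView debug records."""
    return [m.group(1).decode("ascii", "replace") for m in RSDS_RE.finditer(pe)]

def drive_letter_is_typical(path: str) -> bool:
    """C: to F: are what Windows normally assigns; later letters suggest a chosen mount point."""
    return path[1:2] == ":" and path[:1].upper() in "CDEF"

def compile_time_wheel(samples):
    """Histogram compile times by UTC hour and weekday (the view in Figures 3 to 5)."""
    hours, days = Counter(), Counter()
    for pe in samples:
        t = compile_time(pe)
        hours[t.hour] += 1
        days[t.strftime("%A")] += 1
    return hours, days

def make_sample(stamp: int, pdb: bytes) -> bytes:
    """Constructed minimal PE-like blob: DOS header, PE signature, COFF header, RSDS record."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points at the PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0)
    rsds = b"RSDS" + b"\x00" * 16 + struct.pack("<I", 1) + pdb + b"\x00"
    return bytes(dos) + b"PE\x00\x00" + coff + rsds

# Constructed samples: timestamps chosen for the demo (two Fridays and a Saturday, UTC),
# paths modelled on the PDB strings quoted above; none are real sample values.
SAMPLES = [
    make_sample(1455904800, rb"x:\SAM\Servers\Sam-onion\SAM\obj\Release\MIKOPONI.pdb"),
    make_sample(1457130600, rb"d:\SAM\clients\Sam41\SAM\obj\Release\samsam.pdb"),
    make_sample(1457172000, rb"u:\SAM\Servers\Sam-onion\SAM\obj\Release\MIKOPONI.pdb"),
]
```

Run over a real sample set, the two histograms are what the compile-time wheels above plot; a stamp of zero or one far outside the observed cluster is a hint that the timestamp was modified, which is the first key assumption listed above.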
