Crypto Trojans and protection - if it bleeds you can decrypt it ...

Discussion in 'Serious Discussion' started by CHEF-KOCH, Mar 24, 2016.

  1. CHEF-KOCH

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    937
    886
    30
    #1 CHEF-KOCH, Mar 24, 2016
    Last edited by a moderator: Apr 20, 2017
    Hello security friends.

    Please no troll comments like 'use Linux/Mac OS' it's not the answer to everything.

    In the past/now we get a massive attack especially from crypto trojans. If you not know what ransomware is you minimum need to read this.

    Here I want to show and inform others how to protect against this (Windows) in a way which should be understandable for everyone. Since ransomeware not want to touch OS related files which would require admin privileges it's pretty dangerous because it runs-out-of-the-box without any UAC prompt. Another dangerous is that the payload changes which means you're AV is pretty useless since an good AV needs around 24-48 hours to update the signatures and then it already was changed so that this is already outdated to the same time you get new signatures.


    What you can do?
    * Work with ACL (Access Control List) [example given in screenshots to restrict normal executables for a folder]
    * Do Offline or cloud based backups
    * Show hidden files and extensions to ensure an picture (.jpn/.png/...) is really a picture and not an .exe with an .png overlay icon to fool you.
    * Disable files running from AppData/LocalAppData folders and restrict them via secpol.msc (requires Windows Pro/Enterprise).
    * Disable RDP (Remote Desktop Protocol)
    * Patch and upgrade your software.
    * Disconnect from WiFi or unplug from the network immediately
    * Filter .exe/.js in your Mail program, most programs have options to do so. Like Thunderbird to disable html/JavaScript view and limit attachment size or disable it.
    * Work with VeraCrypt/Bitlocker/.. and ensure after you work is done that you lock the drive so that it not accidentally can be encrypted with Locky and other malware.
    * Ensure you use latest Office or alternatives like LibreOffice
    * Since I'm not a fan of AV's or such 'solutions' (like Malwarebytes anti-ransomeware) I not recommenced it, due above mentioned reason + it mostly ends up with false positives + it confuses beginners.
    * Disable Windows Script Host so that it can not execute the scripts in background.
    * I better suggest to work with an VM/Sandbox or and HIPS based firewall like Comodo Firewall to ensure you get minimum an notification or an environment you can work with. Doesn't matter which products you prefer, they working mostly the same by isolating and notifying about xyz threads. Of course for beginners this is difficult because you not know what to allow and what not, so I suggest to start with Sandboxie to in general protect Browser + Mail program.


    What if you already infected?
    * DO NOT DELETE YOUR DATA! OR PAY FOR IT TO UNLOCK! Don't do it!
    * It's depending with which variant you infected, some variants are 'harmless' because Kaspersky and other revealed the keys. E.g. If you got infected with ransomware like Locky, you have a high change to get your data back, they keys are here.
    * Kaspersky and others offers some utilities to remove or decrypt ransomware, they are all free avl. over here.
    * In case you#re infected with latest TeslaCrypt you maybe never get you're files back because it's currently not possible to decrypt it. But no reasons to delete your files, just wait, maybe someday we get the keys.


    [FONT=&amp]Paying the criminals may get your data back, but there have been plenty of cases where the decryption key never arrived or where it failed to properly decrypt the files. Plus, it encourages criminal behavior! Ransoming [/FONT]anything is not a legitimate business practice, and the malware authors are under no obligation to do as promised – they can take your money and provide nothing in return, because there is no backlash if the criminals fail to deliver.


    Here is an example to restrict (via ACL) an folder so that you not even or malware can kill your programs and disallow other applications to interference.


    [​IMG]


    [​IMG]

    [​IMG]
    [​IMG]




    [video=youtube_share;nsacrHzUYrY]https://youtu.be/nsacrHzUYrY[/video]
    [video=youtube_share;equvK65PakY]https://youtu.be/equvK65PakY[/video]
    [video=youtube_share;3YXYnAiSYrY]https://youtu.be/3YXYnAiSYrY[/video]
    [video=youtube_share;PyOMKC-h2Ug]https://youtu.be/PyOMKC-h2Ug[/video]


    For Petya crypto-trojan:
    Code:
    bootrec /RebuildBcd
    bootrec /fixMbr
    bootrec /fixboot
    
    ^^ is good enough. As long the second 'wave' not worked, which means entire pc will be encrypted (mostly after a BSOD). If you see after a restart an 'repairing file system C:' dialog, please shutdown the PC immediately! Because at this point your hdd get's encrypted by this malware. Boot into to repairing mode, open notepad via cmd which allows you to browse trought the pc. 'Open file dialog'.


    Fake processes via PS:
    Code:
    # Simulate fake processes of analysis sandbox/VM that some malware will try to evade# This just spawn ping.exe with different names (wireshark.exe, vboxtray.exe, ...)
    # It's just a PoC and it's ugly as f*ck but hey, if it works...
    # https://gist.github.com/x0rz/e8b36fee33b87aa7e4e5dfd4c0cfc1a6
    
    
    # Usage: .\fake_sandbox.ps1 -action {start,stop}
    
    
    param([Parameter(Mandatory=$true)][string]$action)
    
    
    $fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe",
        "VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe",
        "idag.exe", "ImmunityDebugger.exe", "idaq.exe", "idaq64.exe", "idaw.exe", "idaw64.exe")
    
    
    if ($action -ceq "start") {
        # We will store our renamed binaries into a temp folder
        $tmpdir = [System.Guid]::NewGuid().ToString()
        $binloc = Join-path $env:temp $tmpdir
    
    
        # Creating temp folder
        New-Item -Type Directory -Path $binloc
        $oldpwd = $pwd
        Set-Location $binloc
    
    
        foreach ($proc in $fakeProcesses) {
            # Copy ping.exe and rename binary to fake one
            Copy-Item c:\windows\system32\ping.exe "$binloc\$proc"
    
    
            # Start infinite ping process (localhost) - that's kind of ugly
            Start-Process ".\$proc" -WindowStyle Hidden -ArgumentList "-t -4 127.0.0.1"
            write-host "[+] Process $proc spawned"
        }
    
    
        Set-Location $oldpwd
    }
    elseif ($action -ceq "stop") {
        foreach ($proc in $fakeProcesses) {
            Stop-Process -processname "$proc".Split(".")[0]
            write-host "[+] Killed $proc"
        }
    }
    else {
        write-host "Bad usage: need '-action start' or '-action stop' parameter"
    }
    
    
    


    Cheers
    CK :mocking:


    Research:
    * http://www.ghacks.net/2016/03/30/anti-ransomware-overview/
    * https://blog.kaspersky.com/cryptolocker-is-bad-news/3122/
    * https://support.kaspersky.com/viruses/common/10646
    * http://www.howtogeek.com/174343/ran...-is-so-dangerous-and-how-to-protect-yourself/
    * www.foolis**t.com/vb6-projects/cryptoprevent/
    * https://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
    * http://www.bleepingcomputer.com/new...al-files-and-unmapped-network-shares/#cid1473
    * https://www.youtube.com/watch?v=G2sUQFME0bE&feature=youtu.be
    * https://thehackernews.com/2016/03/macro-malware-protection.html
    * http://0xec.blogspot.de/2016/04/reversing-petya-ransomware-with.html


    Decrypters (downloads .exe files to unlocked the specific Ransomeware):
    * helpme@freespeechmail.org
    * TorLocker
    * TeslaCrypt
    * CoinVault
    * CryptoLocker
    * uTorrent decryption keys
    * Petya Sector Extractor
    * JigsawDecryptor
    * Ransomware Removal Kit
    * decrypt_autolocky.exe
    * Emsisoft Decrypter tools (includes a bunch of decryptors)
    * RannohDecryptor (CryptXXX)


    Iso (get's regular updates):
    * Kaspersky Rescure disk (comes with bunch of tools)


    Preventation tools only:
    * Trend Micro Anti-Ransomware Tool
    * BitDefender Anti-Ransomeware
    * Malwarebytes Anti-Ransomeware
    * HitManPro Alert
    * CryptoPrevent
    * AppGuard
    * WinAntiRansome


    Ransomeware online service (Allows you to upload ransom notes or encrypted file samples to identify the ransomware used to attack you):
    * https://id-ransomware.malwarehunterteam.com/index.php


    Network based ransomeware attacks (no protection yet, except restricting access):
    * Crypto-ransomware has turned every network intrusion into a potential payday
     
  2. MysTikAL3

    MysTikAL3 MDL Senior Member

    Jul 15, 2013
    387
    8,437
    10
    #2 MysTikAL3, Mar 24, 2016
    Last edited: Mar 24, 2016
    Great info.. :good3:
    Especially your advice to NEVER PAY! :yes:

    I would suggest dumping your AV altogether and use this instead.
    At about 1/3 the cost of most AV's, and Better overall protection than any of them, IMHO.

    HitmanPro.Alert 3.1

    CryptoGuard stops ransomware
    The exclusive Risk Reduction features of HitmanPro.Alert include behavior-based protection against high-impact crypto-ransomware, a prolific threat that slips by web filters and antivirus defenses every day.This type of infection—also generalized as cryptoware and cryptolocker—goes after images, documents, and other personal and critical data on local disks, connected USB drives and shared folders on servers. Cryptolocker malware encrypts the computer files of its victims and demands ransom money for the decryption key. The signature-less operation of HitmanPro.Alert's CryptoGuard technology universally prevents spontaneous encryption of data by cryptolockers. Even when trusted files or processes are hijacked for unsolicited encryption—as observed in cryptolockers "VaultCrypt", "CryptoWall" and"CTB-Locker"—it is stopped and reverted by HitmanPro.Alert, without interaction from users or IT support personnel.

    [​IMG]

    HitmanPro.Alert proactively protects your data against ransomware

    [​IMG]

    Advanced user interface for power users and IT professionals

    Risk reduction
    Other Risk Reduction features focus e.g. on anti-espionage, such as kernel-level Keystroke Encryption, Webcam Notifier and Bad USB Protection. Moreover, Vaccination and Process Protection will deter or make malware self-terminate, where Safe Browsing and Application Lock down reveal malware that hide inside or attempt to piggyback on trusted programs to gain persistence or hoist in additional payloads.
    Whether computers are targeted indiscriminately or singled out in a watering-hole or spear-phishing attack, HitmanPro.Alert offers high-performance protection without requiring prior knowledge of attacks.

    Read more
    :)
     
  3. revertex

    revertex MDL Member

    May 30, 2010
    118
    45
    10
    The only efective way I known to stop this kind of malware is to use restricted accounts and applocker.
    All other methods are not 100% effective.
     
  4. Michaela Joy

    Michaela Joy MDL Crazy Lady

    Jul 26, 2012
    3,649
    3,950
    120
    Also, make sure you have the latest version of Silverlight (Netflix uses this).

    That's how I caught it. Malwarebytes was able to catch it, but it got a few of my files.

    Do I have to say make frequent backups?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. ThomasMann

    ThomasMann MDL Expert

    Dec 31, 2015
    1,014
    160
    60

    That link shows how to start it, not how to stop it.....
     
  6. Tiger-1

    Tiger-1 MDL Guru

    Oct 18, 2014
    3,814
    4,117
    120
    yay, good job dude very useful for all here and around the world too :):clap:
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. CHEF-KOCH

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    937
    886
    30
    Last point of the FAQ 'What types of Remote Desktop connections should I allow?".


    Sr, this is not true, this isn't malware which want to change system related files, which means you not need extra privileges. So you not see any UAC or other prompts, I do agree that working with folder restrictions or limited user accounts lowers the surface attack but in this case it is useless. There are also new variants which want to change MBR, then it crashes you're PC to force you to restart and then you see an ASCII picture which introduce you how to pay. This mostly only works in older Systems and then you (in this cases) would require other privileges. The 'normal' Javascript / batch based ransomware I know not need special rights, that's why they are so dangerous together with the fact that the payload changes often. An Firewall will not prevent from been infected in this case, but it would block (if general script hosting is blocked) the payload and then you have a higher change to detect it. As mentioned some firewalls (even free ones) are coming with Sandbox/HIPS based systems (like Comodo) if you set to paranoid, then you need to allow everything manually and if I say everything I really mean everything which changes e.g. registry, scripting related things and more. For beginners I think this is an good option to start with. It requires some work and reading to understand but even you clicked on something dangerous you're mostly secure to go since you get an prompt.
     
  8. CHEF-KOCH

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    937
    886
    30
    #8 CHEF-KOCH, Apr 11, 2016
    Last edited: Apr 11, 2016
    (OP)
    I added several decrpytors, most of them are so easy to use that you can download and just execute it if you're infected (just try to boot into Windows live cd or safe mode - if that is locked, just try to boot into console (cmd mode I call that) ... open notepad with it (just type notepad into console) and then you're in ~~> since you can use 'open file' dialog to navigate like within explorer and then you can execute everything normally).

    The Petya ransomeware is a bit special, that's why I added the entire article because it's not so easy especially for beginners, so please take your time and read.

    In meantime I re-tested all tools, they are all bull*it, I not can say this in other words, because they costs money (most of them) and it's not worth, even the free ones not detect most stuff (or not my tested examples). HitManPro also had several negative side-effects if you use the strongest settings because e.g. some applications needs fronts otherwise they just stop working (if you block external fonts with it). I still think EMET (Microsoft free solution) should be preferred or simply work with ACL and then you're good to go. There is a lot of hype about these tools and it's not worth they promises you a lot but simply click not on everything is a lot of better as possible troubles like you get with such tools.

    I not want yet to start a discussion about which tool or not, it's up to you but please keep in mind that Windows itself offers several protection layers and mostly you just can work with them and get the same results. This is also not time consuming because that needs to be only done once. - I will update it as soon I have more time, may a Youtube video is a little bit better - I will think about such thing.
     
  9. CHEF-KOCH

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    937
    886
    30
    I added Emsisoft decryptor tools, it's more a collection/pack which includes the following:


    • Decrypter for AutoLocky
    • Decrypter for Nemucod
    • Decrypter for DMALocker2
    • Decrypter for HydraCrypt
    • Decrypter for DMALocker
    • Decrypter for CrypBoss
    • Decrypter for Gomasom
    • Decrypter for LeChiffre
    • Decrypter for KeyBTC
    • Decrypter for Radamant
    • Decrypter for CryptInfinite
    • Decrypter for PClock
    • Decrypter for CryptoDefense
    • Decrypter for Harasom

    Does't really matter which one you choose e.g. for locky, there exist several solutions which working all the same.

    The problem still remains that there (for beginners) are not really an easy solution, I already contacted several AV's and ask them to add maybe an information link or directly something to their solutions to show 'mortals' how to e.g. deal with Windows own mechanism, but I doubt that will be added because otherwise they could not advertise their own products.