CryptoFortress, a TorrentLocker clone that also encrypts unmapped network shares


29 replies to this topic

#16 Scoop8

Posted 07 March 2015 - 08:58 AM

> On further inspection, though, we have discovered that CryptoFortress includes the new and nasty feature of being able to encrypt files over network shares even if they are not mapped to a drive letter.

Grinler,

Does this mean that CryptoFortress would be able to mount a dismounted HDD that is connected to a local PC?

For example, if I have a standalone PC (not networked) with a connected HDD that's dismounted, will this version mount the drive with its code?

Or is it able to access and encrypt items on any connected drive regardless of its status (mounting not required, dismounted with no drive letter assigned)?




 


#17 Grinler

    Lawrence Abrams

  • Topic Starter

Posted 07 March 2015 - 09:20 AM

No, it would not mount an unmounted drive. What this one does is search the network for open shared folders and encrypt the data on them as well.

#18 Scoop8

Posted 07 March 2015 - 09:23 AM

Thanks for the info on this.



#19 Grinler

    Lawrence Abrams

  • Topic Starter

Posted 07 March 2015 - 03:27 PM

According to Marc-Etienne, a researcher for ESET, this is a copycat and not a new variant of TorrentLocker:

https://twitter.com/marc_etienne_/status/573842470691344384

#20 White Hat Mike

Posted 07 March 2015 - 04:05 PM

> According to Marc-Etienne, a researcher for ESET, this is a copycat and not a new variant of TorrentLocker:
>
> https://twitter.com/marc_etienne_/status/573842470691344384

Expected; Nathan confirmed this quite early on during the initial stages of analysis.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#21 souldjer777

Posted 09 March 2015 - 09:22 AM

What IP range / network / protocol / service do we have to block to keep this from even being possible? Where is this coming from? Does anyone know the origin and what you would do to block access to it? Anyone have a solution (other than backing up on the cloud / offline backup)? To me this is a domain killer. Entire companies will go down and it's just a matter of time. Meanwhile... our government does nothing.

CAN IT FIND HIDDEN SHARES?

What application is this exploiting - Flash?


Edited by souldjer777, 09 March 2015 - 09:41 AM.


#22 Grinler

    Lawrence Abrams

  • Topic Starter

Posted 09 March 2015 - 10:07 PM

Yes, it can find hidden shares.

Currently installed by Nuclear Pack exploit kit.

Cloud backup/offline is the only solution right now.

#23 White Hat Mike

Posted 10 March 2015 - 12:39 AM

> What IP range / network / protocol / service do we have to block to keep this from even being possible? Where is this coming from? Does anyone know the origin and what you would do to block access to it? Anyone have a solution (other than backing up on the cloud / offline backup)? To me this is a domain killer. Entire companies will go down and it's just a matter of time. Meanwhile... our government does nothing.
>
> CAN IT FIND HIDDEN SHARES?
>
> What application is this exploiting - Flash?

Even when looking at historical data, one could not explicitly state which application(s) is being exploited to spread this ransomware or any other malware for that matter. Each exploit kit, exploit kit affiliate, phishing campaign, etc. uses numerous techniques to successfully infect target machines. In the case of CryptoFortress being observed by Kafeine, the Nuclear Pack exploit kit exploited CVE-2013-2551, an exploit in Internet Explorer versions 6 through 10. But that's not to say that it isn't being pushed as a payload leveraging other exploits, such as the more common exploits (aside from IE) including those in Flash and Java.

What we've learned over time, especially after the Adobe Flash zero-days, is that we will never be able to prevent exploitation of commonly used software with absolute certainty. This being said, the best defense against these attacks is to deploy security controls in both an administrative and preventive fashion. We must ensure that our users are educated and kept up-to-date regarding current and emerging threats via policies and procedures, i.e. a Security Awareness Policy that mandates end-user education upon onboarding as well as at regular time intervals. We must ensure that we adhere to a patch management policy, and enforce compliance within our personal and corporate networks; if a patch is available, it should be either automatically applied or the device should not be able to utilize unpatched, non-compliant software--whether this is ensured either via penalties after an incident occurs, or through the use of a NAC that quarantines devices found to be non-compliant.

We need to learn to be vigilant; the Internet is a dangerous place, and none of us are safe. We need to deploy controls that have been tried-and-true and have been found to successfully mitigate such exploitation attacks with great success. Some security controls that come to mind include, primarily, those that fit the category of host-based intrusion prevention systems (HIPS). McAfee HIPS with custom-written rules, MalwareBytes Anti-Exploit, CryptoPrevent, among various others seem to do the job quite well.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#24 nosage

Posted 11 March 2015 - 12:45 PM

Are there any new SRPs that should be put in place to help protect against CryptoFortress?



#25 rp88

Posted 11 March 2015 - 01:05 PM

My advice would be to run NoScript and use Firefox as the browser; there are some equivalent script blockers for other browsers, but NoScript in Firefox is the one I have had experience with. This way you would have to allow JavaScript to run from an attacker's site (or a site compromised by the malware distributor) for an exploit kit to stand any chance of working, and if it exploits Flash, Java (not to be confused with JavaScript, they are utterly different things), or Silverlight (these 3 are the usual targets) you would usually have to allow the infected plugin object as well as the page's JavaScript. Further protection can be achieved by deactivating all plugins in your browser, except when you (for example) need Flash to watch an online video, at which point you set Flash to "ask to activate" (this type of automatic, click-to-play or deactivated plugin setting is available for both Firefox and Chrome), watch the video and set it back to fully deactivated once finished. Extra protection might be achieved with a type of anti-exploit software (like Malwarebytes Anti-Exploit) which would run as a third layer of armour beneath the techniques described above and in front of your antivirus, antimalware and other such tools. Keeping any plugins you have, and your browser itself, up-to-date adds another layer of protection.


This type of attack verifies my advice about making sure your backups are on USB, DVD, CD or external hard drives locked away in a safe several metres from your machine; don't connect them except when writing to them/copying from them. A backup that is permanently connected isn't a backup against this.

Edited by rp88, 11 March 2015 - 01:06 PM.

Back to visiting this site, every so often, been so busy in previous years.

#26 USASAgencyman

Posted 24 April 2015 - 01:55 PM

> ~ backup solutions where you install an agent on each computer that handles backups.

Please elaborate, I was on the verge of offering a combination hardware/remote solution, and that costs money to implement and promote. If it's already done, I'll move on to something new...

Bruce



#27 souldjer777

Posted 09 September 2015 - 01:49 PM

I'm thinking about seriously backing up by enabling / disabling the NICs that have access to our NAS. Maybe even scripting a unique user / password connection to the mapped drive after enabling the NICs and removing the drive afterwards. That'd do it. That's just as good as having removable storage imo. I can't explain how much I hate the creators of this ransomware. I hope we do more than sanction these countries that are obviously responsible for multiple variants, and they check the country code of your device before encrypting.


Edited by souldjer777, 09 September 2015 - 01:51 PM.
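The procedure souldjer777 describes (bring up the NAS-facing NIC, connect with a dedicated account, copy, disconnect, take the NIC down), written out as an added PowerShell example that is not from the thread. It assumes the NAS is reachable only over an adapter named NAS-Link, a share \\nas01\backup and a credential file saved earlier with Export-Clixml; all of those names are hypothetical.

```powershell
# Added example, not from the thread: take the NAS off the network except during
# the backup window, and connect to it only with a dedicated backup account.
# Assumptions (hypothetical names): an adapter 'NAS-Link' is the only path to the
# NAS, the share is \\nas01\backup, and the backup account's credential was saved
# once with:  Get-Credential | Export-Clixml C:\Backup\nas-cred.xml
# (Export-Clixml protects it with DPAPI for this user on this machine only.)
$Adapter  = 'NAS-Link'
$Share    = '\\nas01\backup'
$CredFile = 'C:\Backup\nas-cred.xml'
$Source   = 'D:\Data'

function Invoke-IsolatedBackup {
    # Returns $true when robocopy reports success (exit codes 0-7).
    $cred = Import-Clixml -Path $CredFile
    Enable-NetAdapter -Name $Adapter -Confirm:$false
    try {
        # Give the link up to 30 s to come up before trying to map the share.
        $deadline = (Get-Date).AddSeconds(30)
        while ((Get-NetAdapter -Name $Adapter).Status -ne 'Up' -and (Get-Date) -lt $deadline) {
            Start-Sleep -Seconds 2
        }
        # -Persist maps a real drive letter so robocopy (a native tool) can see it;
        # the mapping uses the backup account, not the logged-on user's token.
        New-PSDrive -Name 'B' -PSProvider FileSystem -Root $Share -Credential $cred -Persist | Out-Null
        try {
            # Copy into a new dated folder rather than mirroring in place, so an
            # encrypted source never overwrites the previous good copy.
            $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
            robocopy $Source "B:\$stamp" /E /R:1 /W:2 /NP /NFL /NDL | Out-Null
            return ($LASTEXITCODE -lt 8)
        } finally {
            Remove-PSDrive -Name 'B' -Force
        }
    } finally {
        # Always drop the mapping and the link, even if the copy failed.
        Disable-NetAdapter -Name $Adapter -Confirm:$false
    }
}

if (-not (Invoke-IsolatedBackup)) { Write-Error 'Backup to NAS failed' }
```

Run it from a scheduled task under its own account, so the backup credential is never present in an interactive user's session.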


#28 andy o

Posted 10 September 2015 - 08:12 AM

Wouldn't something like File History prevent this, which only gives read permissions to the backup folder? Also, it's stated in the post that it deletes shadow copies via the vssadmin command. Does that not require administrator privileges?
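On the vssadmin point, an added PowerShell example (not from the thread) that flags shadow-copy deletion in Security log process-creation events (ID 4688) and records whether the process held a full administrator token. The event records are constructed samples so it runs offline; the field names are those of a real 4688 record.

```powershell
# Added example, not from the thread: flag shadow-copy deletion in Windows
# process-creation audit records (Security log, Event ID 4688). The sample
# records below are constructed so the script runs offline; the commented
# Get-WinEvent call at the end shows how live events would be fed in.

function Test-ShadowDeletion {
    param([string]$Image, [string]$CommandLine)
    # vssadmin.exe running 'delete shadows' (with or without /all /quiet).
    return ($Image -match '\\vssadmin\.exe$') -and ($CommandLine -match '\bdelete\s+shadows\b')
}

function Find-ShadowDeletion {
    param([object[]]$Events)
    foreach ($e in $Events) {
        if (-not (Test-ShadowDeletion -Image $e.NewProcessName -CommandLine $e.CommandLine)) { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $e.SubjectUserName
            Parent      = $e.ParentProcessName
            CommandLine = $e.CommandLine
            # 4688 TokenElevationType: %%1937 = full admin token, %%1936 = default,
            # %%1938 = UAC-limited token. 'vssadmin delete shadows' fails without admin rights.
            Elevated    = ($e.TokenElevationType -eq '%%1937')
        }
    }
}

# Constructed sample records (not real telemetry). Only the second should fire:
# vssadmin launched from an executable in the user profile, holding an admin token.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2015-03-09 10:01:02'; SubjectUserName = 'alice'
        NewProcessName = 'C:\Windows\System32\vssadmin.exe'
        ParentProcessName = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'vssadmin list shadows'; TokenElevationType = '%%1937' },
    [pscustomobject]@{ TimeCreated = '2015-03-09 10:05:44'; SubjectUserName = 'alice'
        NewProcessName = 'C:\Windows\System32\vssadmin.exe'
        ParentProcessName = 'C:\Users\alice\AppData\Local\Temp\update.exe'
        CommandLine = 'vssadmin.exe Delete Shadows /All /Quiet'; TokenElevationType = '%%1937' }
)
Find-ShadowDeletion -Events $sample | Format-List

# Live use (needs 'Audit Process Creation' and command-line inclusion enabled):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 |
#     ForEach-Object { $x = [xml]$_.ToXml(); $h = @{ TimeCreated = $_.TimeCreated }
#         $x.Event.EventData.Data | ForEach-Object { $h[$_.Name] = $_.'#text' }
#         [pscustomobject]$h }
# Find-ShadowDeletion -Events $live
```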

#29 TronOfBorg

Posted 19 November 2015 - 09:12 PM

> No, it would not mount an unmounted drive. What this one does is search the network for open shared folders and encrypt the data on them as well.

So hidden shares ($ added) are safe, if not mapped, regardless of write access?



#30 Muckman

Posted 27 December 2016 - 09:39 AM

I'm curious about the vulnerability of UNC network paths using authentication.

Say for instance a UNC share has authentication enabled but is using Active Directory LDAP authentication where the infected user would have access. Does the malware run as the current user, granting full access to the UNC path? And the same question in regards to saved credentials when accessing a UNC path. I'm trying to understand the capabilities of this malware to determine how many layers of abstraction I need to have between my users and my storage to keep it safe.
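On TronOfBorg's and Muckman's questions about hidden and authenticated shares, an added PowerShell example (not from the thread) for the defender's side: run on the file server, it lists shares, hidden ones included, where a broad principal such as Everyone or Authenticated Users can write at both the share and the NTFS level, which is the combination a process running as an ordinary infected user needs. The principal list is an assumption to adjust for your domain.

```powershell
# Added example, not from the thread: run this on the file server (elevated) to list
# shares where a broad principal holds write access at both the share and the NTFS
# level. Hidden ($) shares are included on purpose: hiding a share from browsing
# does not hide it from code that enumerates shares directly.
# The principal list is an assumption; extend it for your domain's groups.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
                     "$env:USERDOMAIN\Domain Users")

function Test-NtfsWrite {
    param([string]$Path, [string]$Principal)
    # True if an Allow ACE for this principal on the folder grants a write-class right.
    # Group nesting is not resolved here, so a $false result is not a guarantee.
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Principal -and
            $ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl') { return $true }
    }
    return $false
}

function Get-ExposedShare {
    # One object per share/ACE pair where a broad principal has Change or Full share rights.
    Get-SmbShare | Where-Object { $_.ShareType -eq 'FileSystemDirectory' } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in @('Change', 'Full') -and
            $_.AccountName -in $BroadPrincipals
        } | ForEach-Object {
            [pscustomobject]@{
                Share      = $share.Name
                Hidden     = $share.Name.EndsWith('$')
                Path       = $share.Path
                Principal  = $_.AccountName
                ShareRight = $_.AccessRight
                NtfsWrite  = Test-NtfsWrite -Path $share.Path -Principal $_.AccountName
            }
        }
    }
}

Get-ExposedShare | Sort-Object Share | Format-Table -AutoSize
```

Rows with NtfsWrite equal to True are the ones an infected user account can encrypt without any extra credentials; tightening either the share or the NTFS ACL for that principal closes them.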





