Bitcoin has a new and potentially considerable threat to its reputation, if California cybersecurity firm Proofpoint is correct. Last week, the company warned that a previously undocumented ransomware sample that they found, CryptXXX, would not only be encrypting files locally and on all mounted drives, “it’s stealing Bitcoins and a large range of other data.”
Not only is CryptXXX a multi-purpose thief, but the company's analysis shows it spreads in new and powerful ways; through a common trojan called Bedep after infection via the extremely popular Angler exploit kit.
First appearing in late 2013, Angler is now “the number one exploit kit by volume,” Proofpoint asserted, “making the potential impact of new ransomware in the hands of experienced actors with access to this vector quite significant.” This exploit kit became the most popular kit in the second quarter of 2015, overtaking the ‘Nuclear’ Exploit kit, according to Global IT security company Trend Micro.
“Angler dominated as the king of exploit kits throughout 2015. The reason behind this is Angler’s design, which makes it easier to integrate the kit into cybercriminal operations and campaigns like Pawn Storm.”
– Trend Micro
Bedep is a trojan first spotted in September 2014. Trend Micro's recent findings show that Bedep's main purpose is to connect as many victim machines as possible, as a botnet, to perform other malicious activities. It carries out advertising fraud routines and downloads other malware into the infected system, Trend Micro explained.
"Bedep is a malware downloader that is exclusive to Angler," Nick Biasini, Talos Security Intelligence and Research Group Threat Researcher, elaborates.
Proofpoint first spotted CryptXXX on April 15, but the company traced it back to incidents where victims reported the same type of infections on March 31. After a multitude of analyses, together with threat intelligence shared by Frank Ruiz of Fox IT InTELL, Proofpoint announced “we are confident in the connection between CryptXXX and the Reveton Team.”
An early Ransomware trojan made by the Reveton team, simply named Reveton, became widespread in early 2012. Its payload displayed a warning, purportedly from a law enforcement agency, claiming that the computer has been used for illegal activities. It also displays either the user's IP address or footage from a victim's webcam. The user had to pay to unlock the infected machine, using a voucher from an anonymous prepaid cash service such as Ukash or Paysafecard.
By August 2012, a new variant of Reveton ransomware began to spread in the United States, demanding payment of $200 using a MoneyPak card. “We’re getting inundated with complaints,” stated Donna Gregory of the Internet Crime Complaint Center (IC3). The bogus message claims that the user's internet address was identified by the FBI, “having been associated with child pornography sites or other illegal online activity,” the agency said.
“Reveton is described as drive-by malware because unlike many viruses—which activate when users open a file or attachment—this one can install itself when users simply click on a compromised website. Once infected, the victim’s computer immediately locks, and the monitor displays a screen stating there has been a violation of federal law.”
- Federal Bureau of Investigation
Unlike the traditional infection method, of using a windows .EXE executable file, Reveton uses a .DLL library file to spread infections through systems. This file type is much less suspicious to both people and anti-malware programs.
In August 2014, Reveton ransomware began using a very powerful password stealer trojan ,called Pony Stealer, desinged to steal passwords from five different types of cryptocurrency wallets. “As the Reveton ransomware continues to evolve, it also continues to find different ways to infect PCs and gather information from victims,” Security Awareness Training platform provider KnowBe4 explained.
“Pony Stealer is a password stealer that can decrypt or unlock passwords for over 110 different applications including VPN, FTP, email, instant messaging, web browsers and much more. Pony Stealer is very dangerous and once it infects a PC it will turn the device into a botnet, allowing it to use the PCs it infects to infect other PCs.”
Malware Pony Stealer is known to be spread via convincing spam email, that is launched by opening an email attachment. It convinces people they need to pay an overdue invoice by downloading the invoice from a link in an email message. It steals account credentials and financial information soon afterwards.
High profile sites have also been hijacked to deliver ransomware. In March, Malwarebytes Labs published a list of high profile publishers whose adverts were hijacked by two rogue domains modified to install ransomware on users computers They include MSN, New York Times, BBC, AOL, NFL, Realtor.com, and Newsweek.
The malware was delivered through multiple ad networks and targets a number of vulnerabilities, including a recently-patched flaw in Microsoft’s former Flash competitor Silverlight, which was discontinued in 2013 but still popular.
Fast forward to today and CryptXXX contains the majority of these threats. As the latest ransomware linked to the Reveton team, it’s a threat to more than just bitcoin users. Once executed on a computer, it will begin its campaign of terror by seeking to encrypt files. The user will be locked out of their computer, and a ransomware screen will then appear. Proofpoint's test, using Window 10, shows that users have to pay US$500 worth of bitcoin to get the decrypt key, within a specified amount of time before the ransom increases.
“Given Reveton's long history of successful and large-scale malware distribution, we expect CryptXXX to become widespread. While we have observed many new ransomware instances in recent months, many have been written and/or distributed by less experienced actors and have not gained significant traction. Those associated with more experienced actors, however, (such as Locky) have become widespread quickly.”
Proofpoint believes that a large amount and range of data is expected to be stolen, “the information stealing functions in this ransomware are the same as in the ‘private stealer’ distributed by this instance of Bedep,” the company explains.
The ransomware page suggests various methods to obtain bitcoin, including using Bitstamp.net, Cex.io, Localbitcoins.com, BTCdirect.eu, and Bittylicious.com. The page has been translated into many languages, indicating that the team behind this ransomware expect CryptXXX to be widespread.
Even if the ransomware doesn’t work, the same trojan that delivered it will have lots of other tricks up its’ sleeve to rob victims, such as a bitcoin private-key sniffing bot, and password stealing apps. “Bedep has a long history of dropping information stealers in its update stream. Specifically, it dropped Pony from November 2014 until mid-December 2015. It replaced Pony with an undocumented ‘private stealer’ until mid-March 2016,” states Proofpoint.
Prior to the new ransomware discovery, Bitcoin ransomware was already on the rise, paralyzing a range of organizations, including police departments, and hospitals.
Encrypting ransomware became widespread with the propagation of CryptoLocker demanding bitcoin payments in 2013. However, CryptoLocker was isolated when the U.S. Department of Justice (DOJ) announced the seizure of the Gameover ZeuS botnet in July 2014, and publicly issued an indictment against the Russian hacker, Evgeniy Bogachev, for his alleged involvement.“The FBI estimates that Gameover Zeus is responsible for more than $100 million in losses,” the DOJ revealed. It had been extremely profitable, and we’ve had nonstop ransomware threats ever since.
Even Apple products which have previously been immune to ransomware are now vulnerable. In March, researchers at Palo Alto Networks reportedly revealed that they uncovered "the first fully functional ransomware" for Apple's OS X platform.
The demise of CryptoLocker propelled a whole family of file-encrypting ransom bots, known collectively as CryptoWall, to gain notoriety. Cryptowall first appeared in early 2014, and was actively targeting U.S. victims in 2014, costing them between $200 to $10,000 in bitcoin each. This caused the FBI to issue a public warning in June 2015.
CryptoWall infections are seen all around the world, but predominantly in North America. According to security software and hardware company, Sophos, “the US and Canada [made] up 13% of infections. Great Britain, the Netherlands and Germany also feature with 7%, 7% and 6% respectively.”