By Francis Antazo and Mary Yambao
Perhaps emboldened by the success of their peers, attackers have been releasing more ransomware families and variants with alarming frequency. The latest one added to the list is R980 (detected by Trend Micro as RANSOM_CRYPBEE.A).
R980 has been found to arrive via spam emails or through compromised websites. As with Locky, Cerber and MIRCOP, the spam emails carrying this ransomware contain documents embedded with a malicious macro (detected as W2KM_CRYPBEE.A) that downloads R980 from a particular URL. Since R980 was first detected, that URL has seen active connections from July 26th of this year onward.
Figure 1. One of R980’s ransom notes also serves as the infected machine’s wallpaper.
Figure 2. The macro embedded in the malicious document, which retrieves the ransomware from the URL, hxxp:// bookmyroom[.]pk/assets/timepicker/f[.]exe.
R980 encrypts 151 file types using a combination of the AES-256 and RSA-4096 algorithms. Although it appends the .crypt extension to encrypted files, it bears no other resemblance to earlier versions of CryptXXX that used the same extension. For its encryption mechanism, R980 uses a Cryptographic Service Provider (CSP), a software library that developers use to implement cryptographic functions in Windows-based applications.
Figure 3. Similar to Locky and other ransomware families, R980 uses RSA to encrypt files via functions such as CryptAcquireContext and CryptGenRandom from a Cryptographic Service Provider.
For persistence, it uses the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Unlike most ransomware, it does not delete itself after infecting the system. R980 is also somewhat reminiscent of DMA Locker (detected as RANSOM.MADLOCKER.B) in that it drops the following components, which double as indicators of compromise (IOCs):
- rtext.txt – the ransom note
- status.z – IOC for initial execution of the ransomware
- status2.z – IOC for the execution of the dropped copy
- k.z – contains the downloaded base64 decoded data
- fnames.txt – contains the filenames of the encrypted files
Figure 4. One of R980’s ransom notes includes specific instructions on how to send a payment of 0.5 bitcoin (US$294.42 as of August 9, 2016) in order for a decryption tool to be sent to the victim.
R980 communicates with its command-and-control (C&C) server to obtain a custom bitcoin address that the victim can use to pay the ransom. To maintain anonymity, the attackers create disposable email addresses by abusing Mailinator, an email service that automatically deletes messages after a few hours. Through the same website, the attackers also create public email accounts for their victims, which will be used to house the link to the decryptor tool that can purportedly unlock the encrypted files.
Figure 5. Snapshot of R980’s network communication with its C&C server, showing how it provides a bitcoin address that the victim can use to pay the ransom. The bitcoin addresses are unique for each victim.
Despite being a crude mishmash of its predecessors, R980’s use of malicious macros and compromised websites as infection vectors shows that this particular ransomware is still a dangerous threat. As such, users are recommended to disable macros in their MS Office® applications and to avoid opening email attachments from unsolicited and suspicious sources. A solid backup strategy is also an effective defense against ransomware.
Trend Micro Ransomware Solutions
Protecting your systems from ransomware requires a holistic approach. Layered protection against ransomware can block the threat at any stage of infection. For ransomware such as R980, Trend Micro can detect the malicious macro and block the ransomware before it infects your systems.
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network (Network Traffic Scanning, Malware Sandbox, Lateral Movement Prevention).
Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits (Webserver Protection, Vulnerability Shielding, Lateral Movement Prevention).
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
Protection for Small-Medium Businesses
Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware (Ransomware Behavior Monitoring, IP/Web Reputation).
Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat (IP/Web Reputation, Ransomware Protection).
Related SHA-1 hashes:
- 252E82E52DDDEE5D2593DA23793244195DFCF368 – W2KM_CRYPBEE.A
- 8340937BFD1546988E036FA5A5B44337EEA08466 – RANSOM_CRYPBEE.A
Hat tip to Jasen Sumalapao