Category: Ransomware

Jul 25 2017

NoMoreRansom – One year on!

One year on.  It is fair to say that the No More Ransom project not only exceeded our expectations, but simply blew these initial expectations out of the water.  A collaboration between six partners (McAfee, EC3, Dutch Police, Kaspersky Lab, AWS and Barracuda) has now grown to include more than 100 partners across the public and private sector.  We often hear people talk about Public-Private Partnerships, but here is a true example of that commitment in action.

Because of this commitment from all the partners, this initiative has resulted in the successful decryption of more than 28,000 computers. Let us put that into context: at zero cost, victims of ransomware, who need not be customers of any security provider, can get their data back for nothing. They don’t have to fill in a survey, enter their email address or provide their credit card details; in fact, they don’t even have to worry about obfuscating their IP address. For the first time, there is another option. No longer are victims faced with the choice of a) lose my data or b) pay criminals.

So thank you to all of our partners, and thank you to those of you who tweeted and blogged about it. This site has been successful, in fact so successful that we even have ransomware named after us.

Of course, the Queen of England gets a boat named after her; we get ransomware! Well, that’s okay, because it shows that, with tens of millions of dollars kept out of the hands of criminals, they have taken notice.

We will not stop; in fact, we need more partners, more decryption tools, and more successes. The message of #DontPay seems to be working (as we witnessed with WannaCry and nPetya), and we will continue in our efforts to hurt the bottom line of criminals.


The post NoMoreRansom – One year on! appeared first on McAfee Blogs.

Jul 20 2017

Darknet Markets Will Outlive AlphaBay and Hansa Takedowns

On June 20, law enforcement took over the Hansa marketplace after investigations that began in 2016. On July 5, police in Thailand arrested Alexandre Cazes, alleged to be the operator of the large underground market AlphaBay. These efforts have taken two of the largest darknet markets offline.

AlphaBay, and later Hansa, were among the many markets that filled the void left by the notorious drug sales market Silk Road, which was shuttered by law enforcement in 2013. Some of these opportunistic markets quickly shut their doors, while others were scams to take advantage of buyers looking for new places to purchase illegal goods. Sheep Market absconded with more than $40 million in an elaborate exit scam. Evolution bilked $12 million from vendors in 2015. Other markets have come and gone for various reasons, including law enforcement takedowns such as Silk Road 2.0 in 2014. AlphaBay opened shop in 2014 and by 2015 had become the largest darknet marketplace. Until the recent takedowns, AlphaBay remained the longest-lasting market and was ranked the most popular, while Hansa was ranked third.

Drug sales are the main driver behind the plethora of darknet markets. Following Silk Road, most markets opened their policies to include many items, including guns and stolen data. Partially due to the 2014 retail dumps, excess credit card data drove the growth of new markets, as discussed in my article “Dynamic Changes in Underground Data Markets.”[1] Customers who otherwise would not have purchased stolen digital content now had easy access, creating more demand. Botnets, hacking services, and other cybersecurity-related goods also appeared on new markets, attracting impulse buyers who otherwise would have had no access.

The recent law enforcement takedowns will inevitably change behaviors in current markets, temporarily reducing the buying and selling of illicit digital goods. Both buyers and sellers will be on guard, but it is naive to believe that stolen data and malware sales will decline. The takedowns of these markets will be only a hiccup in overall sales because other markets are quite willing to take on new customers.

It is relatively simple to use search engines and popular communities to find a list of darknet markets. Sites such as Dream Market are still very active. Dream Market is mostly a drug-sales market but also includes a large amount of digital goods. The following screen image shows postings for stolen accounts, including digital streaming accounts, and various fraud tools.

We also expect to see continued sales of stolen data and malware because some markets, especially the smallest, are eager to take on the new business. The relatively new market House of Lions is offering AlphaBay vendors discounts to move their shipments to its platform. These new platforms need established, trusted sellers to bring in more clients.

We’ve already seen evidence of customers quickly migrating to new markets, with some struggling to keep up with the influx of users. Hansa, which has been operated by law enforcement since June 20, saw a large influx of AlphaBay users flock to its services. On July 17, law enforcement halted registrations to deal with the large migration.

Unlike in the days of Silk Road, buyers and sellers have many choices today. Formerly, darknet markets used various digital currencies and were just beginning to use Bitcoin as their primary means of trade, according to the McAfee report “Digital Laundry.” Silk Road popularized Bitcoin for darknet markets, and it remains the primary currency. Several markets—such as Wall Street or Trade Route, which offer stolen databases and identity theft data among other goods—are experimenting with other crypto coins, such as Monero.

Buyers looking for ransomware can find listings on Zion. Nearly all the darknet markets deal in stolen credit cards, so there are plenty of options. Each market has its own focus and features. Buyers and sellers inconvenienced by the takedown of AlphaBay and Hansa will find their way to one of the many options available today, just as with legitimate retail shops.


Darknet markets fill the demand for digital data. Although facilitators of those sales were taken down, the market for data still exists. We will still see the buying and selling of credit cards, databases, entertainment accounts, and other data. The demand will also continue to lead to attacks to acquire this data. If enough markets are taken down, it may eventually become too risky for criminals to remain in business, but in the meantime we must be diligent to protect our assets.

You personally may not be able to secure all your data because much of it may be stored outside of your control; however, there are many ways to reduce risk. For businesses, this includes maintaining proper procedures and security practices. For individuals, this includes good security hygiene. Never share passwords and keep an eye on bank accounts for suspicious activity. As long as there is value in data, we must take steps to secure it.

[1] “Dynamic Changes in Underground Markets,” by Charles McFarland. Cecile Park Media, November 2016.

The post Darknet Markets Will Outlive AlphaBay and Hansa Takedowns appeared first on McAfee Blogs.

Jun 30 2017

Petya More Effective at Destruction Than as Ransomware

At the beginning of the recent Petya malware campaign, the world was quick to exclaim this attack was ransomware. Now, with time to analyze the facts and make comparisons to other ransomware campaigns, this Petya attack does not look so much like ransomware. To back up this claim, let’s examine three other well-known ransomware campaigns: Cerber, Locky, and WannaCry.

Generally, the goal of ransomware is financial gain. For a ransomware family to make money in the long term, it must be able to both encrypt and decrypt files. These steps ensure that once payment is sent, data can be recovered. Otherwise, victims will learn that payments are worthless and the ransomware industry’s reputation will suffer, along with the criminal’s revenue. Cerber, Locky, and WannaCry all had methods for decrypting files after encryption. Unlike Cerber and Locky, however, WannaCry lacked victim identification, which left most victims with encrypted disks even after payment. The recent Petya campaign does not include the capability to decrypt files, with or without payment, due to changes in the key and victim ID. The word is spreading, and we can expect more and more victims to stop paying the ransom. In a financially motivated campaign, this significantly reduces the ransomware’s effectiveness. Thus, the orchestrators of this campaign appear to be either short-sighted or not financially motivated.

What other indicators do we have of the attackers’ motivation? The behavior of malware can also help us infer the intent of its authors. Let’s look at some key behaviors of the new campaign: the way it finds new hosts, the files it chooses to encrypt, its stealth tactics, and its ransom-note instructions together with the method for collecting payment.

When Petya seeks new hosts it first checks to see if it is installed on a domain controller. If it is, it looks for the DHCP server service to understand the local network. Using this information, it then scans only the local network. If not on a domain controller, it uses an address resolution protocol (ARP) scan technique to discover the local network. See our previous post for more technical details.

In contrast, WannaCry generates random IP addresses to attempt to attack potential targets, not limited to the local network, allowing it to spread across the Internet. Cerber and Locky do not have a built-in spreading mechanism; they mostly use combinations of botnets and email spam or other social engineering techniques to infect users. If money is the motivation, as it is with traditional ransomware, the larger the spread across the Internet the better. Local spreading of the malware is more likely to cripple or sabotage a specific organization and less likely to spread across organizations. In this case, however, Petya also started to spread globally. One or more targets in Ukraine were the first to be attacked, and the infections spread from there. We believe that the Petya attackers did not intend to reach so broad an audience during the initial attack, yet they still caused a lot of collateral damage.

The core function of ransomware is to encrypt files. Arguably, the more files that are encrypted, the more effective the ransomware is. Encrypted files are the motivation for victims to pay ransoms. Most ransomware limits the files it encrypts based on file extension to ensure the victim’s system is still functional and the victim can pay the ransom.

In the preceding table, we compare the number of file types encrypted by the different ransomware families. A variant of Petya from nearly one year ago listed 228 extensions for encryption. These numbers show a large amount of coverage and the motivation to withhold as many files as possible without crippling the system. The recent Petya campaign targets only 65 file types, which significantly reduces the time it takes for victims’ files to be fully encrypted. Although there can be reasons for speedy encryption, the actors sacrificed potentially important files that could otherwise have been used as leverage to entice victims to pay the ransom.

When Cerber, Locky, WannaCry and previous Petya variants encrypt a file, they add their own extension to the file. This shows the user that the file is still there, but no longer in the usual format. The current Petya does not add an extension to a file after encryption. The users remain unaware of encryption or even which files are encrypted. They may not know if an important file they rarely access is indeed on the list of files they can no longer access. Instead of rebooting immediately, Petya restarts the system after an hour, allowing the malware some time to attack the network before anyone notices. Its priorities are to infect as many machines as possible instead of getting a ransom from a particular victim.

How do we explain Petya’s attacks against the master boot record and master file table? These render the entire system unusable. In this case, why does encrypting files matter? The attack on the boot record and file table is similar to the behavior of the previous version of Petya, but there is one important difference. In research reported by Hasherezade, the new Petya destroys the Salsa20 cipher key by erasing it from the disk. In previous versions of Petya, the key is backed up in the victim’s ID before being erased—allowing for the recovery of the disk. Hasherezade also shows that the victim’s ID is generated before the random Salsa20 key is made, proving there is no relationship between the Salsa20 key and the victim’s ID. A reboot is required for this overwrite to take effect, which is consistent with the priorities we have mentioned. This difference in priorities implies the attackers are looking for pure destruction—closer in behavior to campaigns like Shamoon than to ransomware such as Cerber, Locky, and WannaCry.
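To make the recoverability argument concrete, the following constructed Python model (added here; it is not Petya’s code or Hasherezade’s analysis) contrasts the two key-handling orders described above. A random 32-byte value stands in for the Salsa20 key, and an HMAC-derived keystream under a shared secret stands in for the operator’s key wrapping; both are simplifications.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed stand-in for the operator's private key. Real Petya wrapped the
# disk key under the attacker's public key; a shared secret keeps the model short.
OPERATOR_SECRET = b"constructed-operator-secret"


def _wrap(nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-derived keystream: simplified key wrapping."""
    stream = hmac.new(OPERATOR_SECRET, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def earlier_petya_order() -> Tuple[bytes, bytes]:
    """Earlier Petya: key first, victim ID derived from it, then the key is erased."""
    disk_key = os.urandom(32)                   # stands in for the Salsa20 key
    nonce = os.urandom(16)
    victim_id = nonce + _wrap(nonce, disk_key)  # the key survives inside the ID
    # disk_key is now erased from the disk; only victim_id remains in the note
    return victim_id, disk_key


def june_2017_petya_order() -> Tuple[bytes, bytes]:
    """June 2017 Petya: victim ID first, key afterwards, no link between the two."""
    victim_id = os.urandom(48)   # random; takes no input from the key at all
    disk_key = os.urandom(32)    # generated later, used, then erased
    return victim_id, disk_key


def operator_recover(victim_id: bytes) -> bytes:
    """What the operator can do after payment: unwrap whatever the victim ID holds."""
    nonce, wrapped = victim_id[:16], victim_id[16:]
    return _wrap(nonce, wrapped)


def recoverability() -> Dict[str, bool]:
    """Report whether each scheme lets the operator reconstruct the erased key."""
    results = {}
    schemes = (("earlier", earlier_petya_order), ("june_2017", june_2017_petya_order))
    for name, scheme in schemes:
        victim_id, true_key = scheme()  # true_key is kept only so the model can check itself
        results[name] = operator_recover(victim_id) == true_key
    return results


if __name__ == "__main__":
    print(recoverability())  # {'earlier': True, 'june_2017': False}
```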

[Figures: disk contents before infection and after infection]

Another distinct characteristic of the new Petya is that it attempts to cover its tracks. This variant has code to delete Windows event logs to make it harder for researchers to discover what it does. This secrecy is not present in major ransomware families such as Cerber, Locky, or WannaCry. Ransomware by nature is not stealthy; it needs to be seen by the user. It must be visible for the attackers to get paid. It is not uncommon to see antimalware evasion techniques in ransomware, but Petya’s cleanup at the end of the infection does not provide any coverage against antimalware products. Removing Windows logs does not match the normal steps of ransomware.
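As a defender’s-side illustration of the log-clearing point, the Python below (an added example, not McAfee’s code) flags a burst of Windows event-log clearances in constructed telemetry. Event ID 1102 (Security log cleared) and event ID 104 (another log cleared, recorded in the System channel) are standard Windows event IDs and Sysmon event 1 is process creation; none of these come from the post, and the hostnames and records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
# (channel, event_id) pairs that mean "a log was cleared" on Windows.
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed sample telemetry from two hosts (not real captures).
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2017-06-27T11:02:00", "channel": "Process", "event_id": 1,
     "cmdline": "cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application"},
    {"host": "ws01", "ts": "2017-06-27T11:02:01", "channel": "System", "event_id": 104, "cmdline": ""},
    {"host": "ws01", "ts": "2017-06-27T11:02:01", "channel": "System", "event_id": 104, "cmdline": ""},
    {"host": "ws01", "ts": "2017-06-27T11:02:02", "channel": "Security", "event_id": 1102, "cmdline": ""},
    {"host": "ws01", "ts": "2017-06-27T11:02:02", "channel": "System", "event_id": 104, "cmdline": ""},
    # An administrator clearing single logs hours apart: should not be flagged.
    {"host": "ws02", "ts": "2017-06-27T09:00:00", "channel": "System", "event_id": 104, "cmdline": ""},
    {"host": "ws02", "ts": "2017-06-27T15:30:00", "channel": "Security", "event_id": 1102, "cmdline": ""},
]


def detect_log_clearing(events, min_clears=2, window=WINDOW):
    """Return one alert per host whose log-clear events form a burst of at least
    `min_clears` inside `window`, annotated with any wevtutil 'cl' command line
    seen within the same window."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append({**e, "t": datetime.fromisoformat(e["ts"])})

    alerts = []
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["t"])
        clears = [r for r in recs if (r["channel"], r["event_id"]) in CLEAR_EVENTS]
        for i, first in enumerate(clears):
            burst = [c for c in clears[i:] if c["t"] - first["t"] <= window]
            if len(burst) < min_clears:
                continue
            cmds = [r["cmdline"] for r in recs
                    if first["t"] - window <= r["t"] <= first["t"] + window
                    and "wevtutil" in r["cmdline"].lower() and " cl " in r["cmdline"].lower()]
            alerts.append({"host": host, "clears": len(burst),
                           "first": first["ts"], "wevtutil_cmds": cmds})
            break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_log_clearing(SAMPLE_EVENTS):
        print(alert)
```

The burst threshold matters: a single cleared log is routine administration, while several logs cleared within seconds, alongside a wevtutil command line, is the post-infection cleanup pattern described above.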

For ransomware to be financially effective, it needs a mechanism to collect payments. Cerber, Locky, and WannaCry use the TOR network in conjunction with a Bitcoin wallet. If the ransom is not sent within a certain time, the cost increases. This ticking clock pushes the user to pay as quickly as possible, a common social engineering technique. The use of TOR also makes the malware difficult to track. Petya uses a Bitcoin wallet but provides an email address to contact. It does not set a time limit or threaten to increase the cost. Effectively, it removes proven techniques used in the past to increase profits. Although email can be difficult to track, it provides more clues for law enforcement to follow than a TOR web page. A financially motivated attacker will try to force a user to pay as soon as possible, as we have seen in other ransomware campaigns.

The attacks that began on June 27 by the new Petya campaign are no doubt malicious and caused serious damage. In the rush to find solutions and combat this new threat, is it possible the world miscategorized it? Our analysis comparing Petya to previous ransomware families supports the idea that this attack was not ransomware but was intended to maximize destruction. The attackers’ decisions regarding propagation suggest they may have had a certain group or groups in mind as targets. The security industry has seen many examples of campaigns intended to destroy systems, such as Shamoon and Shamoon 2.

Unfortunately, we expect to see more targeted acts of destruction in the future. The industry has also been knee-deep in numerous new ransomware families and variants during the last two years. However, two major recent families seem to break the ransomware mold: to a lesser extent, WannaCry, which has more ransomware capabilities, and, to a greater extent, the new Petya variant, which appears to be significantly more interested in destruction than money. (We expressed our suspicions about WannaCry in “Is WannaCry Really Ransomware?”) For malware like this, demanding a ransom may be a red herring, merely a distraction to hide its true intentions.

The post Petya More Effective at Destruction Than as Ransomware appeared first on McAfee Blogs.

Jun 28 2017

Tuesday’s massive ransomware outbreak was, in fact, something much worse

Image caption: Code in Tuesday's attack, shown on the left, was altered to permanently destroy hard drives. (credit: Matt Suiche)

Tuesday's massive outbreak of malware that shut down computers around the world has been almost universally blamed on ransomware, which by definition seeks to make money by unlocking data held hostage only if victims pay a hefty fee. Now, some researchers are drawing an even bleaker assessment—that the malware was a wiper with the objective of permanently destroying hard drives.

Initially, researchers said the malware was a new version of the Petya ransomware that first struck in early 2016. Later, researchers said it was a new, never-before-seen ransomware package that mimicked some of Petya's behaviors. With more time to analyze the malware, researchers on Wednesday are highlighting some curious behavior for a piece of malware that was nearly perfect in almost all other respects: its code is so aggressive that it's impossible for victims to recover their data.

In other words, the researchers said, the payload delivered in Tuesday's outbreak wasn't ransomware at all. Instead, its true objective was to permanently destroy as many hard drives as possible on infected networks, in much the way the Shamoon disk wiper left a wake of destruction in Saudi Arabia. Some researchers have said Shamoon is likely the work of developers sponsored by an as-yet unidentified country. Researchers analyzing Tuesday's malware—alternatively dubbed PetyaWrap, NotPetya, and ExPetr—are speculating the ransom note left behind in Tuesday's attack was, in fact, a hoax intended to capitalize on media interest sparked by last month's massive WCry outbreak.
