Ransomcrypt: A Thriving Menace

While Ransomlock Trojans have plagued the threat landscape over the last few years, we are now seeing cybercriminals increasingly use Ransomcrypt Trojans. The difference between Ransomlock and Ransomcrypt Trojans is that Ransomlock Trojans generally lock computer screens while Ransomcrypt Trojans encrypt (and locks) individual files. Both threats are motivated by monetary gains that cybercriminals make from extorting money from victims.

Recently, a new threat detected by Symantec as Trojan.Ransomcrypt.F (AKA Cryptolocker) has been growing in the wild. Trojan.Ransomcrypt.F encrypts data files, such as images and Microsoft Office documents, and then demands payment through Bitcoin or MoneyPak to decrypt them—all within a countdown time period. This Ransomcrypt Trojan uses strong encryption algorithms which make it almost impossible to decrypt the files without the cryptographic key.


Figure 1. Trojan.Ransomcrypt.F payment screen

Most of the Trojan.Ransomlock.F infections observed by Symantec have been in North America.


Figure 2. Trojan.Ransomlock.F infection map

The initial attack vector involves an email containing a malicious Trojan.Zbot attachment that downloads and then installs Trojan.Ransomlock.F on the compromised computer. The Ransomcrypt Trojan employs a domain generation algorithm (DGA) to find an active command-and-control (C&C) server.


Figure 3. Ransomcrypt DNS requests

Symantec customers are protected by the intrusion prevention signature (IPS) System Infected: Trojan.Ransomcrypt.F, which blocks the Trojan’s access to the generated domains.

Malware authors use DGAs to free their malware from reliance on just a handful of static servers. Instead, malware like Trojan.Ransomcrypt.F use dynamically generate domain names based on some criteria (usually including the current date). This makes it more difficult to block traffic based solely on domain name filtering.

An interesting feature of this Trojan’s DGA is the employment of a Mersenne twister to generate random numbers for the generated domain names. Trojan.Ransomcrypt.F uses the GetTickCount and QueryPerformanceCounter Windows functions to generate seed values for the Mersenne initialization routine.


Figure 4. Trojan.Ransomcrypt.F Mersenne twister initialization

Modular arithmetic is used on the Mersenne twister output value to keep it in a 0–1000 range. This value is then mixed with the current date to produce up to 1,000 generated domain names per day.

Mersenne twisters are unusual to see in malware samples but we have seen them used before, specifically in Trojan.Zbot.


Figure 5. Trojan.Zbot Mersenne twister initialization

When we compare Trojan.Zbot and Trojan.Ransomcrypt.F we see code similarities that lead us to believe there may be a connection between the two Trojans. The Zbot source code is freely available on the Internet for modification.

Users should never pay any ransom to have their files decrypted. The latest Symantec technologies and Norton consumer and Symantec enterprise solutions protect against these kinds of attacks. Backup and restore files if necessary.