Tuesday, 23 May 2017

Targeted Ransomware Attacks Middle Eastern Government Organizations for Political Purposes

Ransomware persists as one of the top crimeware threats thus far into 2016. While the use of document-based macros for ransomware distribution remains relatively uncommon, a new family calling itself “Locky” has borrowed the technique from the eminently successful Dridex to maximize its target base. We first learned of Locky through Invincea and expanded on qualifying this threat with the help of PhishMe. Locky has also gained enough traction to find its way onto Dynamoo’s Blog and Reddit.
Using Palo Alto Networks AutoFocus, Unit 42 observed over 400,000 individual sessions containing the Bartallex macro downloader, which in turned dropped Locky ransomware onto victim machines. Researchers suspect there is a link between the Dridex botnet affiliate 220 and Locky due to similar styles of distribution, overlapping filenames, and an absence of campaigns from this particularly aggressive affiliate coinciding with the initial emergence of Locky. This blog post explores this threat further and offers recommendations on mitigating its impact.

Delivery and Installation

Palo Alto Networks telemetry showed that Locky focuses primarily on e-mail delivery through massive phishing campaigns with Microsoft Word document attachments. The subjects for these malicious messages adhere to the following convention:
ATTN: Invoice_J-< 8-digits>
The naming convention of respective malicious Word document carrier files match the e-mail subject line portion after the “ATTN: “, switch the “i” in invoice to lowercase, and append a “.doc” extension. An example follows:
Subject: ATTN: Invoice J-11256978
Attachment: invoice_J-11256978.doc
Our analysis revealed that this ransomware requires command and control (C2) communication for a key exchange, prior to encrypting victim files. It performs its key exchange in memory for this process. This is interesting, as most ransomware generates a random encryption key locally on the victim host and then transmits an encrypted copy to attacker infrastructure. This also presents an actionable strategy for mitigating this generation of Locky by disrupting associated C2.
Unfortunate victims unable to mitigate this threat would see the following ransom demand.
locky1
And a subsequent visit to the referenced Locky payment portal site would reveal the following options for victims.
locky2

Threat Volume and Targeting

We observed approximately 446,000 sessions for this threat, over half of which targeted the United States (54%). For comparison, the next most impacted countries, Canada and Australia, only accounted for another nine percent combined.
locky3
Industry analysis for targeting reveals expected indiscriminant distribution within impacted countries; however, Higher Education, Wholesale and Retail, and Manufacturing make up over a third of observed targeting.
Pairing this volume with the “decryption cost” advertised for Locky victims, it is clear why ransomware in general continues to thrive in the threat landscape. Using some napkin math furnished by our friends at PhishMe, even if one assumed a 50% efficacy / infection rate for these 446,000 sessions and a 1% payment rate of 0.5 bitcoins (BTC) from victims, the currently observed activity alone yields several hundred thousands of dollars in profits for Locky’s malicious actors.

Conclusion

Locky is aiming high in an effort to join the ranks of other big name ransomware families. Despite some weaknesses in its current implementation, we can expect to see further developments for this threat in the future. Ultimately, successes experienced by one attacker group embolden and inspire others. It goes without saying that cybercrime adversaries will continue to advance efforts to commoditize the already lucrative extortion of victims through encryption-based extortion.
Defending against ransomware first requires a focus on the basics of a strong security posture: security awareness and the hardening and patching of systems. Ransomware can be especially damaging in enterprises, where this class of threat commonly targets network shares and other media attached to corporate assets. To further reduce associated risks, layered preventive controls are a must.
Palo Alto Networks customers are protected through our next-generation security platform:
  • WildFire successfully detects this threat as malware
  • AutoFocus identifies this threat under the Unit 42 “Locky” tag
  • The C2 domains and files mentioned in this report are blocked in our Threat Prevention product

Indicators of Compromise (IOCs)

TypeIndicator
E-mail SubjectATTN: Invoice_J-<8-digits>
Attachment Filenameinvoice_J-<8-digits>.doc
C2109.234.38.35
C2173.214.183.81
C2193.124.181.169
C2195.154.241.208
C2195.64.154.14
C246.4.239.76
C266.133.129.5
C286.104.134.144
C291.195.12.185
C2iynus.net
C2www.iglobali.com
C2www.jesusdenazaret.com.ve
C2www.southlife.church
C2www.villaggio.airwave.at
SHA256ee6abe4a9530b78e997d9c28394356216778eaf2d46aa3503999e7d6bfbefe90
SHA2565466fb6309bfe0bbbb109af3ccfa0c67305c3464b0fdffcec6eda7fcb774757e
SHA256add7794c4d70fd49c96c11dc924c6b65c4459d6295331414b40768867dab0350
SHA256e7277e4aa4905168f6890c6b7b80515030806db46b7ec41a8afa33d6dda231dc
SHA2566e2a597d8c6b4ebc6474c4a96bce61340a1a66b7e8e33cdf42f3e34cef1a94fe
SHA25676bcba80045b043e8e69f7a2a92bc8879e7b13e29d50f10b41c11bd114a288ae
SHA256e37cb6cb2d39e3ceeb946e4a55890cd278a0ba3d541c0d18a22a0bf84c1dcadb
SHA25618f7150992020e369dbc2aa32fdec2e3003d782716a79be654b9e4eecff0113a
SHA256c9bfb22f9655e53dacbce66c4bfba1e5b42250f0b41973c1e4433f285ed73d79
SHA25641a7bfe77c89b3c151f0e847e44e8f58d63ed82a8ad370bc679c29d89a20a657
SHA2561833ea2138d21962d6f47def5d01cbec299eb6deb89fe729fd5b80c0f603a766
SHA25603da53e5fe550a1914179d5102479771651d4fa8797f46df3e4f66a05fa64bd6
SHA256338f15ac0d07db13e1f291c53aa004f46d994ee5bacd2787c0d536284b465f9e
SHA2561d8cc4e8416b5ac16864583e8bb0d8f8d8ad4b32de7de111067c38da0cfc57b1
SHA256abdbc74907d7670a65b5a4cc8c08da751cc837a11d1abb43e3ddaa932bdbf60c
SHA2568877b9a036b76495d9f4add16d56c8819d12a92cd32ae0e4c06be4faa719a991
SHA2564ae1f9229bfb5385949a4dfe0ac89a49d785646389be556f90ad5d29e5ecc35f
SHA256b10733a1aa02d973d00bd780c7f1a7d1e71fd50155f2cfecfb2a8f1662aa1cd5
SHA2568a248e85579cde3e0e8e20f254ec2c15ce063f580084be2dca1f8e725ae7f148
SHA25611206eb0cfa0df32ef0b4d2cd2a704be11cbd6e6bc6a2d83eaf0ddf977d76ac5
SHA256521d2885aec43104e3903988f23e42a2543682556afc51bff44bb939c74eb421
SHA2563d84dd3f392eadaf3916c3f71cf98606c25f48feaad60b74af7196171aade0a7
SHA25617c3d74e3c0645edb4b5145335b342d2929c92dff856cca1a5e79fa5d935fec2
SHA256329197ec2fffb6365adee8b7302912c8ef0f7550f63c92887d2cfae432a15df4
SHA256f81d543f5144fe8dc1d0bb84625ed298867d9b34f805c7d26ce26f37d325467a
SHA2565843c22f9e27cd8a217114b21ccc706dafe40f626dc9fcef0000a7f79b2aad66
SHA256d0df113d589fe481bc045bda948ace1f2b9c43b4bd0652f00b0fbb096a2fb39c
SHA256a6189f9796f1c782b95eb6e0bc030e8d1de924efdafff8e329876b09b2b5173f
SHA256f3712d591fbf403d23eed006d5c5bb5b94e13360920a04095968d1a914bc3ff8
SHA256348c92b47a27fbf427d1093f09ef662dbd11846ca1f3e8cf9ba2dda8008f9c4f
SHA2561083fd1d0a02d36582b78fdba4478e75401f7ec37359f6d8142426f8f3523328
SHA2562e1305b440274e1f4340a10180709b83f5aad182963d6f6594613e71b309d7d5
SHA256e6079af75b4a06f6ce95cb95d3de3b8af89afbf7722a64a6f7b04f3c643024b2
SHA256dca90037836376ce5634f277ee21e779462b6faaff83ade1ba36f75fc0bc255b
SHA2565fc15b920f00f427350987ae192b9baf2eb0fecfc662985fb612e8ebc60f9b30
SHA2560c38c96617436fadf66852e48365def3e00b297c7f160617768bebd09f15658d
SHA25613bd70822009e07f1d0549e96b8a4aec0ade07bea2c28d42d782bacc11259cf5
SHA2569b5653a986529c2eebc429387f3dea52ea167ccb259b6f57491d14ea4b86627e
SHA25655645af2a4c54c6c1141b7261ca598d2e250a5a1b51731920cf7c09264c4c160
SHA2561c5c1c287cd6151da44571b8cfae526b0b6e6d09faaa6723fdd040cb595b9fd0
SHA25689b732003c08f0f1c2f8a0412b1c2f0efc216ae0204103326571e1831e28b09e
SHA256711147bfafee1b3f71b0c8e9d00bb139401c207ca5518e2c02a6b0a7367cc9c2
SHA25653e91bbc1de973265ef3366201a70bce385951f805d2d9ebc9ab5f2d7627b7d3
SHA256f56655bfbd1be9eab245dc283b7c71991881a845f3caf8fb930f7baabae51059
SHA256555fb717902e671c26848ee80788769a1c88ac00c9f8440250f9936632597bc8
SHA256a5b2d0f5367bebd70137e0ebf3286d80434789e95aca488ffd8391905dd98fd9
SHA256da21dbe14f408ddb3de2e57fb77fd94e8615cb6cce5b7c541b8fe4e309b7fb6c
SHA256fd5c0d976292b233328ea085f101bbef9c6cae2007d275a5e6e07149d86c7968
SHA2567c3651cb149cb5f9a4db6b64e412fcd23977f5c083bdfd3ee8c7bbf929e20b4d
SHA2567b39dfb32220e3f653ce8ec124a3f1541230c158533ea4b799e766bb1f77b96f
SHA256e77aec1984755d69692487acbf1ce4743726714ffe9168610a49e05723e891cd
SHA2560661bd8cefcc41bba4322077b6ab96d49054074c6aa2a917acf87ff815d53e49
SHA2565bae6d580e1e16d29233f7164ce6aadfabcbd562b9137e92997e4ad3854926fd
SHA256ec9ac36b8ef41ecda870ed41297592a34e3250db821c8d518701c0e486c9379f
SHA2561c8ebb27ad656d720c854a476d6f0e1de4288e9f2a4c60ae35bb7020dedf5239
SHA256db3bc157f8f6bda96c63d2ba40c74e7bfd4d451d87eaa8ed02ce9ee692098d15
SHA2569cc592720e4d859f7cd2995587e1f724133ff3008164261ea7fb7e3269ac597a
SHA256c866dcfa95c50443ed5e0b4d2c0b63c1443ad330cb7d384370a244c6f58ce8a5
SHA2562dbfd8f5e20168a52dadf694fc9e63c8f09356dae60fd79e00897dc094a48cb6
SHA25678e9558a9762cf778a3ba9ba61e0ec73e8d81c22d0945e56ea75d197c512883a
SHA256708bae89b1866c85243f02b011d4d1e9585305845bf7a4df4430927cd5af8c27
SHA2567c9c451a3a3bded9aad02297f611e425b3649e629e4c5e24a7ccb7928babb006
SHA256069464563ca340ef167b29b55797bbb63792c00700a867437fdd9f640e99aa09
SHA256cba9de885f30b627d9c30079a22956e61cd1b03d10ec972ef9c90f8d23cff8aa
SHA2561f126aabbf32507f4385fe335b46fbb46234b2c25909ed6884ed664a5c93d0f9
SHA2561bad53ce984f652bc03ecb96fad5746357968c2fdccdea82995231f1099773e4
SHA25662a19c7a08db69a45ecf009955e6d8aa441079dea06770af1a953b681a0d81a2
SHA2561450fa0c4f5973ebf3efa06fb03259105065baba29690362014926583bc85f48
SHA256d6772478ab901d81514b0d04852380932ee214b364dff246c3f91963d9ec6927
SHA256ec9bfe9c9d44437c04209269fcd26815dc99416722bb4f4a4a2049bc41c63cc6
SHA256acf01ba44f916a8f82f76c0b91021fd79d4968e3aa312fb77904a9757058b5ac
SHA256d69b7f196fa8a2298e261333d4794ac34a8a4503c26750c3d5a012b2b7b327f5
SHA256134ef8198282652fb98e4174deda4d105db53c54d50039a2c0f6eb283eed8a1b
SHA25650c2b1f4b32fcd43fa9871f51f72d2b227eab1a3e5d04159d326a22e56305dc8
SHA256e5aecadf8f132b64384bba0f1ffbf317637eed11398a0d6ef789b1dc10db4cb1
SHA25687068696c0291fe976f62afb23ff2720d53dfd638a6953c0d0867d9ad4ea451a
SHA256c7ab7c65e65cdc13bbb991403c1338c556500472114ba79bb31356eecabd0089
SHA256eaa4d072b1eb53b2dae7d5396e67c03e523fe05f76f793c991119463b1f8522c
SHA2563eb1e97e1bd96b919170c0439307a326aa28acc84b1f644e81e17d24794b9b57
SHA2562059727c6447781b2dc2e4c51c126bc0b7f05b9c23b3edf365332d90c078b7f6
SHA256d9de8ff8c82baeeab0e1e355f9f5025547ba40cb8d95e9cad9dc25ffdb690057
SHA256915be79a2330c1fcb9e0cf392913986dbe9bf7a404cdf88a65ae148586b162d5
SHA2565549b000fd38a2634adbe956d46f7bb649eda8efd768ef8919a703378885186b
SHA256bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
SHA25683279bbeb581892ccee9cfa7d37b73674d55380d55d78123781b3c38a2d8ffe0
SHA256f519f99c9b49cf730cb092d83350002fb0d90fd705c86ed306c36f38fd6af10a
SHA25650a2235f356d59269b98f1d6420afa257651b33e9d9af5af56ab777c331dc6dd
SHA256d7d23b516041299868eb67a814e22064a05f06283a673a186e24d184521fa33e
SHA2568545aa956982bf6f5763058cbde3f8c92e1dcbfb699a7248969ef12bb59a615c
SHA2563d08eb860a2a13e7fc36f7750a4a87cf11b994a19343234b8e0621fa951e5a38
SHA256488947790c6aba7dff05c5f1c9ce1d24b3f9e5a0677f1695bbd6ae2bd9d48236
SHA256d2369ae9977cbb23cfe1c63f6deb0d7fabe9ee38980831c8a636f91342f716c1
SHA256b16ed0060bd5359fc695b965ce4c459bbe73e083094aff720837739487fd2900
SHA2563c305696f35fe10eb27a97bb76bc737654727b33e81333c8fe73aeded98b6ca8
SHA256cf836b6a36bffc5a4545a27cc66bc9ddfd49483500aa1f055671e40f06e34221
SHA25666bf8957d55e0aacc3c2472ebd8966dc3370503e59d57f27ddbc1a83bcf5102a
SHA2562114322ecc57f0fab5dd1e5b348a066fcfd7baf8ced89fcdb23df172e30a4189
SHA256971b389bd82806942c44b48bdd0a4ac560377b7fcb5c872264796705b769414a
SHA2568426bdde88e8e59c56ab4ff6b32dfd1080dfc0fc86980a853802e9aea1773c47
SHA256fa3f2cf4b2f1a0393383294dae8ba20709b1ce0985b6fe8e51ccd90cb609ca6e
SHA25620c37d343ba95aed4180d75825a06828783e924f81a1237c4a68252e0ce97f2d
SHA25646cf36241696d4127b5d32cbde63a672d9a037d9d47bd59ae8346d83424b53c9
SHA256892fe60e489e229eb46627241b6078a5b213a4d1840bd39cc939f90cf903a560
SHA2564d203ae53a96b8207c81ecc0167bb06db3e67bb365639972b9ef22dafbbc189a
SHA256a32f9eff7fca4f8b98b553b90915b28d4e11e523d36bb64b41f1793c2ed7cf94
SHA2567f540e391b55221f7696031471b6f8d2068677a67ed8782d52a67872096d23a2
SHA256408f10baec56c62cc4692d1ba98aa77e7847a7b6f1d3cf812dd2f51c93d580a3
SHA2562410b7f81082b216c5edd99b4b0a22e7709b0e05b0f6961d4f93ee1a05590237
SHA256566878276748089f6e87b20fd18bfab4018d9e33fae6e28cb87ffb43b1b80582
SHA2560a6f1b58819fe0d5f0595be96847f9cb9722777501771d3066d1e7fd39fa3d48
SHA256d9d3acec0620a1395dda087318de075573fa3b4352641aedc01a16a921c11b5d
SHA2566e10b784d653ceca19a234411df7a570cb0923bef9a3fe1d91da1e8eb10306d3
SHA2568988323e0c8b26a3cb0166104001c8d5fd818bef72b506bd03403a2c7c552e8d
SHA256e7d7b7c8b9cba4dcfee5648f25ad0380c86398cd0b6cba59c3ee8256425d19e6
SHA256057c1fc879ff7fed218ef3142a0f8761b2651a4c060dc7d853e5621cddc0e6f9
SHA256ca7ea4325e6e55c504d29f0b080a5755aef771772d8c51f5016e4ce6ed88ccd0
SHA25677ea0b407dece7f22b0b4732ec06fb0e887262d847a49b9f8cd8611a5c865af4
SHA2565ad06eda999a9f2f28c2057ba40bd2f7b6a7cb2e1915104b2724753649e97de5
SHA256584a2767e5881c7f91a04ca2cd78e62e9d52841eea5e0ca7fcd197553666a827
SHA256a756d84edecae5f17726ba1e59cbc3a622f84159e293a875c24bacf1038f69f1
SHA2566d76567220652b0d03b34feafaef8b32a472bfd9d617b6eff4db5254c959bf6e
SHA2561227d8b7e375dfaf0ff76053e3ab158c0635cb288dc1a2f083536f5fe1820ddd
SHA2568d6be9b4df6679cc5db1750500e3e1645f885878223936670e9ce0442cd0e999
SHA25682761eb506711dd35af4fe7b71a4e926e1bd70d4dacadd1bb3e68bcd3ef480f3
SHA2569524daf160f35c3217df680f5676c8f177bc9a3de5b6a128d52bc46d97df96c0
SHA256c9303f7405c88da80d94df5b11c514ce791becab02e06dfbf4796f361fb93108
SHA256815530458a2e17fd67774a6802c49423088ddde0ae23e179cc4a608e088c276a
SHA25666314449bc3bd2772ff062c05ba21f1aa408ce4f7ff73ad37f0f7a2388ab819e
SHA2564b08d86ca080234c2432613e6730d06dd8c703b35ea7effc999a0e3c3b11ec48
SHA25688718a0ff51b2e7d9e17d8796cfed1f52d78653c42e3c5dd597833ee0036d803
SHA256feba92e398ba6da41cccffb0e6b5aacdee27fcfa4f6c3a469330be309eaad627
SHA25673c41e29e75e998a186e6fc74b81fbc537f3b232a5d07b5621e8fd3485506b87
SHA25606cc1531e8f912ca9e5f1e37f442d2145df6b8cdadf3d1d7abfc9dfae6bb98ab
SHA2566d74cb6e7e93277cef4a8d62fad53d806be140aaddb89b44d9b7eb8307c5b7f5
SHA25604e561cf760209b3bef678117366dd184f4474e4ba15ec9b95cddea4e01ade95
SHA2566314ba359b26e05fba095ac58e3f9451243081cbc331bf60522ad69439b438c4
SHA2562f45d682260ca936e1c577c845576eef009a7017882ed57b6a8b76f9f6b83ad6
SHA256cc1afcf52046e08ba1314e74a852eec27211395c77f5b911de52245fae93ab3d
SHA25697b13680d6c6e5d8fff655fe99700486cbdd097cfa9250a066d247609f85b9b9
SHA256281d72fe63fae2e3b1b74c3953b3b4c429948d1f56c7897104754393dc0ab38f
SHA256e2790ea81b297f0b10871b9a16d0adbb670c7ea5900d64bc1d2f65a296d87ade
SHA256a9e663aa23a75f8574b5e10b4bea1deed22b49ed6dc451e4bb45f217811978a0
SHA256caac78ebfdb6102c05b82a00cf1acda1797cf4dc1bcc66336286289c8a309b47
SHA256bb85dedadd0b96084eb6c45b4a7650e33aa149f286d1272f17c56228278fe5b8
SHA256abffa851076dd0f2d408e66d047a2d50415513a17239b2d2ece33891c9c0ad23
SHA2569cfd1878606c41624b2e41a96eefcab6ca673d07f8e8f98ce6e86c4c8a806f5e
SHA2563cc5d88b8a69dec6a606aa01c29789811442b2572dcc51e25aa7711e657b51f3
SHA256e6ec5b942625bc910b3dc1c8f28940d5e5ba4f5fb89c7c189c61c3b46945f1f1
SHA256b37f2e7dd94e441a129629d1d352b82bb4a0e9b98a1c9a188f95e6c148e6b407
SHA25678b7b0eddc1d05cafd0202729f488daa027cac375dcd688c10fae34f65e0224e
SHA2569b4f6d76d125524f7ac11ddc3251152ca45c79d44a4359e831ebe0ec3142b609
SHA2565e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8
SHA2562d79bf996a3f5a10f5b42c6449df14a00395390f5028dca18aa768651ed7bf62
SHA256e8cbcdac6f39abf67c9c297203312d39f83a150277e0672a83657d38e6ef5446
SHA256e25d15f721362c6e6110ce21c3ced554a2c8510a6c5627457688fdb397608656
SHA256c8a7a0a8d702ce8087617a12572c00eefb92508ea6f1cfd95fe14c26107cef67
SHA2563f8437665c6c7638e5f86d034ac2ce3367ab97533c45476e6beee8863c365ff6
SHA2561a35563989c5528348713b0246374bb3c8d316561dc6b9bf17f2b20c88fbd178
SHA25669afcd4b38bf84069c4f520e65ef7df31411d69819d88716cbb5e17178e5b5b0
SHA256aef677a0a83d1ab1036fde6926e848674d7d53bf5dc3bd984c6c6d51337c4b61
SHA25676499405dd3cea63f170813d88ab32b2716e5682b8083a94966d494b706eadc7
SHA256acee75cd346795ceb02fc30aa822d13c4132e64fd36b5244dd822199a5a0c0a7
SHA2564f2ae18fe003ec4dfd47255f24141b42af1b423c94a1abcbe8af337f251c8789
SHA2563540b0720b610f93713df454af8ad1e7bd0e0eb3099d115a8cc5a9b7a85d3c50
SHA256e95cde1e6fa2ce300bf778f3e9f17dfc6a3e499cb0081070ef5d3d15507f367b
SHA2568c6e41a5e33749c31516b1931e129bbdaeff7f3434c4259c8842b0b9f047b6b7
SHA25647b27cb727b1ada6c65c7bf30b57537b26080f1f5a6730be91b767427945d731
SHA256658e17adf469ec61f1cc62a0c3932185e94f9557597dcf4714575706efd71141

No comments:

PAN-OS Supported ciphers

Following is a list of supported ciphers for PAN-OS 7.1 and later: SSLv3 Ciphers Supported (No change from PAN-OS 7.0) Non-FIPS mod...