An Encounter with Ransomware

An organization which I am associated with (not Mozilla) recently had its network infected with the CryptoWall 3.0 ransomware, and I thought people might be interested in my experience with it.

The vector of infection is unknown, but once the software ran, it encrypted most data files (chosen by extension) on the local hard drive and all accessible shares, left little notes everywhere explaining how to get the private key, and deleted itself. The notes were placed in each directory where files were encrypted, as HTML, TXT and PNG files, and as a URL file which takes you directly to their website.

Their website is accessible as either a Tor hidden service or over plain HTTP – both options are given. Presumably plain HTTP is for the ease of less technical victims; Tor is the fallback in case their DNS registrations get attacked. However, as of today, that hasn’t happened – the site is still accessible either way (although it was down for a while earlier in the week). Access is protected by a CAPTCHA, presumably to prevent people writing automated tools that work against it. It’s even localised into 5 languages.

CryptoWall website CAPTCHA

The price for the private key was US$500. (I wonder if they set that based on GeoIP?) However, as soon as I accessed the custom URL, it started a 7-day clock, after which the price doubled to US$1000. Just like parking tickets, they incentivise you to pay up quickly, because argument and delay will just make it cost more. If you haven’t paid after a month, they delete your secret key and personal page.

While what these thieves do is illegal, immoral and sinful, they do run a very professional operation. The website had the following features:

  • A “decrypt one file” button, which allows them to prove they have the private key and re-establish trust. It is, of course, also protected by a CAPTCHA. (I didn’t investigate to see whether it was also protected by numerical limits.)
  • A “support” button, which allows you to send a message to the thieves in case you are having technical difficulties with payment or decryption.

The organization’s last backup was a point-in-time snapshot from July 2014. “Better backups” had been on the ToDo list for a while, but never made it to the top. After discussion with the organization, we decided that recreating the data would have taken much more time than the value of the ransom, and so we were going to pay. I tried out the “Decrypt One File” function and it worked, so I had some confidence that they were able to provide what they said they were.

I created a wallet at blockchain.info, and used an exchange to buy exactly the right amount of Bitcoin. (The first exchange I tried had a ‘no ransomware’ policy, so I had to go elsewhere.) However, when I then went to pay, I discovered that there was a 0.0001 BTC transaction fee, so I didn’t have enough to pay them the full amount! I was concerned that they had automated validation and might not release the key if the amount was even a tiny bit short. So, I had to go on IRC and talk to friends to blag a tiny fraction of a Bitcoin in order to afford the transfer fee.

I made the payment, and pasted the transaction ID into the form on the ransomware site. It registered the ID and set status to “pending”. Ten or twenty minutes later, once the blockchain had moved on, it accepted the transaction and gave me a download link.

While others had suggested that there was no guarantee that we’d actually get the private key, it made sense to me. After all, word gets around – if they don’t provide the keys, people will stop paying. They have a strong incentive to provide good ‘customer’ service.

The download was a ZIP file containing a simple Windows GUI app which was a recursive decryptor, plus text files containing the public key and the private key. The app worked exactly as advertised and, after some time, we were able to decrypt all of the encrypted files. We are now putting in place a better backup solution, and better network security.

A friend who is a Bitcoin expert did do a little “following the money”, although we think it went into a mixer fairly quickly. However, before it did so, it was aggregated into an account with $80,000+ in it, so it seems that this little enterprise is fairly lucrative.

So, 10/10 for customer service, 0/10 for morality.

The last thing I did was send them a little message via the “Support” function of their website, in both English and Russian:

Such are the ways of everyone who is greedy for unjust gain; it takes away the life of its possessors.

Таковы пути всех, кто жаждет преступной добычи; она отнимает жизнь у завладевших ею.

‘The time has come,’ Jesus said. ‘The kingdom of God has come near. Repent and believe the good news!’

– Пришло время, – говорил Он, – Божье Царство уже близко! Покайтесь и верьте в Радостную Весть!

9 thoughts on “An Encounter with Ransomware”

  1. This write-up is interesting but I hope you do realize you’re doing the criminals a favor by posting this, not to mention you’re incentivizing more to crop up in the future.

    • I don’t think this is a significant factor. For an infrequent event like a kidnapping, paying a ransom may have some effect on the incentives of the criminals to repeat the behaviour. In this case, with the attacks being scattershot across the world (although the malware refuses to install on computers geolocated in Russia or neighbouring countries), and with so much money clearly being available, one write-up is not going to make any difference to their motivation.

  2. Thanks for the write-up, and sorry that you lost money this way. I find these modern ransomware schemes fascinating and technically well-executed.

    It seems that you need to assume three things, and then just be as prepared as you can.

    1. You cannot avoid infection in the long run
    2. Once infected, it will be impossible to decrypt the files without paying the ransom
    3. Having paid the ransom, it will be impossible to track down the criminals

    If you act pessimistically and assume these three things, then the best way to prepare is to be disciplined with backups. Regular, offline, tested backups.

    Also, please report this to Action Fraud if you haven’t already: http://www.actionfraud.police.uk/

  3. Would trying to restore the files with something like Photorec (= tries to find data in vacant portions of the hard drive) work? [That is, assuming the file system was reasonably empty before.]

    • Given that it happened on a Tuesday and I heard about it on a Friday, unlikely. Also, early ransomware had all sorts of problems; the new stuff is very thorough in disabling all sorts of ways that you might retrieve the files or the key. Because it writes out the new file then moves it over the old one, the disk is constantly under change, and I suspect very little would be retrievable this way. If people start achieving success like this, I’m sure they’d switch to secure delete…
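The behaviour described in the post and in this exchange (data files picked by extension, rewritten with encrypted content, a note dropped in every affected directory) is what a defender can look for on a file share. The following is an added example, not code from the original post or its comments: a directory scan that flags data files whose content has near-random entropy alongside a per-directory note file. The watched extension list, the note basename, and the 7.5 bits/byte threshold are all assumptions; the post does not publish CryptoWall’s actual lists.

```python
import math
import os
import tempfile
from collections import Counter

# Assumed list of data-file extensions to watch; the post only says targets were
# "chosen by extension" and gives no list.
WATCHED_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".txt"}
# Notes were dropped per directory as HTML, TXT, PNG and URL files; the
# basename below is a constructed placeholder, not the real note name.
NOTE_EXTS = {".html", ".txt", ".png", ".url"}
NOTE_STEM = "RANSOM_NOTE_PLACEHOLDER"
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_directory(path: str) -> dict:
    """Collect high-entropy data files and ransom-note files found under path."""
    result = {"high_entropy": [], "notes": []}
    for root, _dirs, files in os.walk(path):
        for name in files:
            stem, ext = os.path.splitext(name)
            full = os.path.join(root, name)
            if stem == NOTE_STEM and ext.lower() in NOTE_EXTS:
                result["notes"].append(full)
            elif ext.lower() in WATCHED_EXTS:
                with open(full, "rb") as fh:
                    sample = fh.read(65536)  # a 64 KiB sample is enough to classify
                if len(sample) >= 256 and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
                    result["high_entropy"].append(full)
    return result

def looks_encrypted_by_ransomware(summary: dict, min_files: int = 3) -> bool:
    """Heuristic: several high-entropy data files plus at least one note file."""
    return len(summary["high_entropy"]) >= min_files and bool(summary["notes"])

def demo() -> bool:
    """Build a constructed directory tree and run the scan against it."""
    with tempfile.TemporaryDirectory() as tmp:
        for i in range(4):  # random bytes stand in for encrypted documents
            with open(os.path.join(tmp, f"report{i}.docx"), "wb") as fh:
                fh.write(os.urandom(4096))
        with open(os.path.join(tmp, "minutes.txt"), "wb") as fh:
            fh.write(b"plain text, low entropy " * 200)  # an untouched file
        with open(os.path.join(tmp, NOTE_STEM + ".html"), "w") as fh:
            fh.write("<html>constructed note placeholder</html>")
        return looks_encrypted_by_ransomware(scan_directory(tmp))
```

Running `demo()` returns `True` for the constructed tree; the untouched plain-text file stays below the threshold, so a share full of ordinary documents with no note is not flagged.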

  4. “After discussion with the organization, we decided that recreating the data would have taken much more time than the value of the ransom, and so we were going to pay.” – OMG, where is the don’t feed the criminals policy? At least do not make it public… You know how this all works on the net, social media and so on – now everyone knows that a Mozilla guy Gerv paid, so… Mozilla paid in a way and you could spend the rest of your life correcting this newborn urban myth…
    I really do hope that this was done with full cooperation with national cybercrime and professional IT Forensic institutions to get all the traces of infection secured for further analysis. Otherwise it seems everything in your associated organization is wrong. Not just the IT security… Thank you very much – you made this criminal scheme prove profitable and gave the resources for better, stronger, more creepy software from those bastards.
    BTW:
    Here is a Cisco analysis http://blogs.cisco.com/security/talos/cryptowall-3-0.

    • OMG, where is the don’t feed the criminals policy?

      If you are in a dark alley and someone with a gun demands your wallet, you can decide on principle “no, I don’t give money to criminals”, and face the consequences, or you can hand it over. We decided to hand it over. The great thing about being a Christian is that you know that one day, justice will be done.

      I really do hope that this was done with full cooperation with national cybercrime and professional IT Forensic institutions to get all the traces of infection secured for further analysis.

      We did inform the police, but I think you overestimate the importance of this small organization in the grand scheme of things if you think that “national cybercrime” has any interest in us whatsoever.

  5. When I got hit by ransomware it was pretty obvious because of all the CPU it was chewing up encrypting my hg clones so fortunately it hadn’t got to anything too valuable.