
CTB-Locker has some interesting features that differ from the large-scale variants Talos has seen.

First is the type of encryption used: most variants use RSA asymmetric encryption. CTB-Locker instead makes use of elliptic curve cryptography, which still provides the same public/private key encryption but with a different type of algorithm, offering lower overhead and the same level of security with a smaller key space. Second, there is the issue of the time window. CTB-Locker gives users only 96 hours to pay for decryption, which is a shorter window than is standard for most ransomware.

Another key difference is related to Command and Control (C2) communication. Recent versions of ransomware leverage compromised WordPress sites to serve as a drop point for information about the compromised host. CTB-Locker instead appears to use hard-coded IP addresses on non-standard ports to establish communication. There is also a significant amount of data being exchanged between systems, which is largely uncharacteristic of ransomware. An analysis of network traffic reveals that there were ~100 network streams to various IP addresses. The most common ports being utilized are 9001, 443, 1443, and 666.

There are some other interesting aspects to the network communication. Talos was able to find domains being handled inside the communication. The domains that Talos was able to identify are currently not registered, and the samples do not leverage DNS resolution to try to connect to these domains. The majority of the traffic uses ports commonly associated with Tor traffic, which is heavily used for C2 communications. One final interesting piece is the use of port 21 for communication. This is the port associated with FTP command traffic and is therefore likely to be allowed outbound from a network. A quick analysis of the communication shows that it is not actually FTP communication but instead C2 activity.

IOC

Attachment: Win10Installer.zip (Win10Installer.exe)

This malware relies on Tor for Command and Control and therefore does not possess valuable IP information. The threat of ransomware will continue to grow until adversaries find a more effective method of monetizing the machines they compromise. As a defense, users are encouraged to back up their data in accordance with best practices. These backups should be stored offline to prevent them from being targeted by attackers. Adversaries are always looking to leverage current events to get users to install their malicious payloads.
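To make the two network observations above concrete for a defender (connections to hard-coded IPs on Tor-associated ports with no preceding DNS lookup, and non-FTP traffic on port 21), here is an added flow-triage example in Python; it is not code from the Talos post. Only the port numbers come from the post; the flow-record layout, the IP addresses and the payload bytes are constructed assumptions.

```python
import re
from collections import Counter

# Ports the post lists as the most common in CTB-Locker's C2 traffic
# (9001 is Tor's default relay port; the others are also associated with Tor).
TOR_LIKE_PORTS = {9001, 443, 1443, 666}

# A genuine FTP control channel opens with a "220 ..." server greeting, and
# client commands are short upper-case verbs ("USER", "PASS", "LIST", ...).
FTP_GREETING = re.compile(rb"^220[ -]")
FTP_COMMAND = re.compile(rb"^[A-Z]{3,4}( [^\r\n]*)?\r\n")

def looks_like_ftp(payload: bytes) -> bool:
    """True if the first bytes of a stream are consistent with FTP control traffic."""
    return bool(FTP_GREETING.match(payload) or FTP_COMMAND.match(payload))

def triage_flows(flows):
    """Return (findings, port_histogram) for a list of flow records.

    Each record (assumed layout): {"dst": ip, "dport": int, "payload": bytes, "dns": bool}
    where "dns" says whether the host resolved the destination via DNS beforehand.
    """
    findings = []
    ports = Counter(f["dport"] for f in flows)
    for f in flows:
        if f["dport"] == 21 and not looks_like_ftp(f["payload"]):
            findings.append((f["dst"], 21, "non-FTP payload on FTP control port (likely C2)"))
        elif f["dport"] in TOR_LIKE_PORTS and not f["dns"]:
            findings.append((f["dst"], f["dport"], "hard-coded IP on Tor-associated port"))
    return findings, ports

# Constructed sample flows (documentation-range IPs, not real CTB-Locker IOCs).
SAMPLE_FLOWS = [
    {"dst": "198.51.100.10", "dport": 9001, "payload": b"\x16\x03\x01\x00\xc5", "dns": False},
    {"dst": "198.51.100.10", "dport": 9001, "payload": b"\x16\x03\x01\x00\xc5", "dns": False},
    {"dst": "203.0.113.7",   "dport": 443,  "payload": b"\x16\x03\x01\x00\xa1", "dns": False},
    {"dst": "192.0.2.44",    "dport": 666,  "payload": b"\x01\x02\x03\x04",     "dns": False},
    {"dst": "192.0.2.44",    "dport": 21,   "payload": b"\x9f\x00\x13\x37",     "dns": False},
    {"dst": "203.0.113.80",  "dport": 21,   "payload": b"220 ftp ready\r\n",    "dns": True},
    {"dst": "203.0.113.80",  "dport": 443,  "payload": b"\x16\x03\x01\x00\xa1", "dns": True},
]

if __name__ == "__main__":
    found, hist = triage_flows(SAMPLE_FLOWS)
    for dst, port, why in found:
        print(f"{dst}:{port}  {why}")
    print("port histogram:", hist.most_common())
```

The legitimate FTP session and the DNS-resolved HTTPS flow pass through untouched, while the four hard-coded-IP flows and the opaque port-21 stream are flagged.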
