We have discovered a new ransomware (malware) variant, referred to as CryptoFortress, in the wild and would like to provide additional information on what we have discovered at this time. Please find below a more detailed investigation into the behavior of CryptoFortress ransomware and the mitigation methods applicable to it.
What We Know
Behavior of CryptoFortress:
- Infections are occurring through exploit kits, spam emails, and programs that pretend to be Flash updates or video players required to view an online video. You can expect social engineering campaigns as part of this infection vector.
- After an infection occurs, there might be a 24-hour period before the malware starts to encrypt files. In some cases, the program appears to lie dormant for a time (perhaps to foil some malware analysis methodologies).
- Unlike other ransomware variants, which connect to command and control servers, this variant ships with its encryption keys packaged in the malware itself and shows no signs in network traffic.
- Deletes all Volume Shadow Copies, precluding restoration of files from them. This means you will only be able to restore your files from previous backups or by paying the ransom.
- Scans your computer and encrypts data files such as text files, image files, video files, and Office documents.
- Creates a “READ IF YOU WANT YOUR FILES BACK.html” file in every folder in which a file was encrypted. The HTML and text files contain instructions for accessing a payment site to remit the ransom.
- The ransomware was undetected until late this morning and is now caught by 6 / 57 anti-virus engines.
- The files are encrypted with an RSA-1048 public key.
- New malware similar to CryptoLocker or CryptorBit (there does not appear to be a direct connection to CryptoLocker/CryptorBit).
- The decryptor costs $500 USD, escalating to $1000 USD after 72 hours.
- Since this is a new variant, some information is unknown. We do not know whether paying the ransom will actually decrypt your files. Please be cautious, as some variants did not decrypt the files properly.
- Pay attention to emails that claim to come from a Xerox copier delivering a PDF of a scanned image, or from a major delivery service like UPS or FedEx offering tracking information.
- Phishing will be one of the main vectors of this ransomware getting into your network. Ensure employees are well aware of the telltale signs of illegitimate emails.
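The two host-side indicators listed above (a ransom note in every folder that had a file encrypted, and the removal of Volume Shadow Copies) can be checked quickly with PowerShell. The following is an added example written for this page, not a tool from eSentire; it assumes it is run as an administrator (shadow copy enumeration requires it), and the note file name is the one quoted in the advisory. The earliest note timestamp gives a rough onset time, which is useful given the possible 24-hour dormancy described above.

```powershell
# Added example (not part of the eSentire advisory): look for the two host
# indicators the advisory describes. Assumes an elevated PowerShell session.

$noteName = 'READ IF YOU WANT YOUR FILES BACK.html'   # name quoted in the advisory

# Ransom notes: one is written per folder in which a file was encrypted, so
# the distinct folder list doubles as a map of affected data. Walking every
# fixed drive can take a while on large volumes.
$roots = Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }
$notes = @(Get-ChildItem -Path $roots -Recurse -Force -Filter $noteName -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer })

if ($notes.Count -gt 0) {
    $first = $notes | Sort-Object LastWriteTime | Select-Object -First 1
    "{0} ransom note(s) found; earliest written {1:u}" -f $notes.Count, $first.LastWriteTime
    $notes | Select-Object -ExpandProperty DirectoryName -Unique | Sort-Object
} else {
    'No ransom notes found.'
}

# Shadow copies: a machine that had restore points and now has none is
# consistent with the wipe the advisory describes. Win32_ShadowCopy is the
# standard WMI class; an empty result here means nothing to roll back to.
$shadows = @(Get-WmiObject -Class Win32_ShadowCopy -ErrorAction SilentlyContinue)
"{0} Volume Shadow Copies present" -f $shadows.Count
$shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize
```

Run it on a suspect host before anything else is changed; the folder list tells you what to restore from backup, and a shadow copy count of zero on a machine that normally keeps restore points is worth treating as corroboration of an infection rather than a coincidence.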
eSentire features that help protect you:
- Executioner can stop the download of malicious payloads over HTTP if you have instructed ESOC to enable it.
- AMP can block the communication to known command and control servers.
- Behavioral analysis tools can detect anomalous network behavior.
- The ESOC can quarantine suspected systems at your direction or based on established policy.
How to further protect yourself from this emerging threat:
- The variants eSentire has analyzed are caught by most up-to-date endpoint anti-virus systems.
- Ensure that user accounts run with appropriate, minimal privileges.
- Notify your upstream SMTP email provider to implement appropriate spam filtering.
- Review policy regarding permission of third-party personal email services such as Gmail or Yahoo.
- Configure Windows to display full file extensions (This will stop attackers from masking executable files as common files).
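The file extension setting above is a registry value, so it can be applied and audited from PowerShell. The following is an added example for this page and not eSentire's own configuration; it assumes Windows PowerShell on the workstation and the standard Explorer registry location. It also goes a step beyond the advisory by scanning user-writable folders for files that already use a "document.exe"-style double extension, and it checks several executable extensions, not only .exe and .zip, which are the two the advisory names.

```powershell
# Added example (not part of the eSentire advisory): show full file extensions
# for the current user, then look for double-extension files in the places
# where email attachments and downloads normally land.
# Assumption: the HideFileExt value under the Explorer\Advanced key is the
# standard setting Explorer reads; 1 hides known extensions, 0 shows them.

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord

# Explorer reads the value at start-up, so restart it for the change to apply.
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
Start-Sleep -Seconds 2
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }

$state = Get-ItemProperty -Path $advanced -Name HideFileExt
"HideFileExt is now {0} (0 = extensions visible)" -f $state.HideFileExt

# Defender's check: a document-looking extension immediately followed by an
# executable one, e.g. invoice.pdf.exe. The extension lists are constructed
# for this example and can be extended to match local policy.
$docExt = 'pdf|doc|docx|xls|xlsx|txt|jpg|jpeg|png|zip'
$exeExt = 'exe|scr|com|pif|bat|cmd|js|vbs|jar'
$pattern = "\.($docExt)\.($exeExt)$"    # -match is case-insensitive by default

$roots = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP)
Get-ChildItem -Path $roots -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match $pattern } |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize
```

The registry change is per-user (HKCU); to enforce it fleet-wide, deliver the same value through Group Policy Preferences rather than logging on to each workstation. Any hits from the scan are worth quarantining and submitting to your anti-virus vendor rather than opening to see what they are.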
User awareness (infections are occurring when users click on a malicious payload delivered via spam email attachments):
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Remind users to be cautious when clicking on links in emails appearing to come from trusted sources (potentially spoofed sources).
eSentire recommends blocking .zip and .exe file extensions on your SMTP server:
- If you are using Exchange, paste the following into the Exchange Management Shell (AttachmentNameMatchesPatterns takes regular expressions, so the pattern anchors on the extension at the end of the attachment name):
- New-TransportRule -Name 'Block All .ZIP Attachments' -Priority '0' -Enabled $true -AttachmentNameMatchesPatterns '\.zip$' -DeleteMessage $true
- New-TransportRule -Name 'Block All .EXE Attachments' -Priority '0' -Enabled $true -AttachmentNameMatchesPatterns '\.exe$' -DeleteMessage $true
Back up important data offline.
If you are running Windows 7 Ultimate/Enterprise or Windows 8 Pro/Enterprise, you can use AppLocker. AppLocker is able to defend against CryptoFortress infections because it can require all programs to be signed by a legitimate software publisher.
- Create a new GPO.
- Right-click on it to edit, and then navigate through Computer Configuration, Windows Settings, Security Settings, Application Control Policies and AppLocker.
- Click Configure Rule Enforcement.
- Under Executable Rules, check the Configured box and then make sure Enforce Rules is selected from the drop-down box. Click OK.
- In the left pane, click Executable Rules.
- Right-click in the right pane and select Create New Rule.
- On the Before You Begin screen, click Next.
- On the Permissions screen, click Next.
- On the Conditions screen, select the Publisher condition and click Next.
- Click the Browse button and browse to any executable file on your system. It doesn't matter which.
- Drag the slider up to Any Publisher and then click Next.
- Click Next on the Exceptions screen.
- Name the policy something like "Only run executables that are signed" and click Create.
- If this is your first time creating an AppLocker policy, Windows will prompt you to create default rules -- go ahead and click Yes.
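The same "signed by any publisher" executable rule, together with the default rules Windows offers to create, can be expressed as an AppLocker policy document and tested before it is enforced. The following is an added example written for this page, not eSentire's or Microsoft's reference configuration; it assumes an elevated PowerShell session on one of the AppLocker-capable editions named above, the rule GUIDs are freshly generated, and the test file paths are examples. Unlike the GUI walkthrough, it deliberately starts in AuditOnly mode so the AppLocker event log shows what would be blocked before anything actually is.

```powershell
# Added example (not part of the eSentire advisory): build, test and apply an
# AppLocker executable policy that allows only Authenticode-signed binaries.
# Assumptions: run as an administrator on Windows 7 Ultimate/Enterprise or
# Windows 8 Pro/Enterprise; rule Ids are generated here; test paths are examples.

Import-Module AppLocker

# S-1-1-0 is Everyone; S-1-5-32-544 is the local Administrators group.
# The three path rules mirror the defaults Windows offers to create so the OS
# and installed software keep running; everything else in the Exe collection
# is denied by default once EnforcementMode is set to "Enabled".
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Only run executables that are signed"
        Description="Allow any executable carrying a valid publisher signature"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'signed-only-applocker.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: a signed system binary should be allowed; an unsigned file in a
# user-writable folder (where a spam attachment lands) should be denied.
# Only paths that exist on this machine are passed to the test.
$candidates = @("$env:WINDIR\System32\notepad.exe",
                "$env:USERPROFILE\Downloads\video_player.exe") |   # example path
    Where-Object { Test-Path $_ }
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# AppLocker is only effective while the Application Identity service runs.
# (On recent Windows 10 builds this service's start type is locked and must be
# set through Group Policy instead.)
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Apply locally in audit mode; review the Microsoft-Windows-AppLocker/EXE and DLL
# event log, then change EnforcementMode to "Enabled" above and re-run.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

To push the same policy through a GPO instead of applying it locally, pass the distinguished name of the policy object to Set-AppLockerPolicy with its -Ldap parameter; the XML is identical. Leave the policy in audit mode long enough to cover a normal business cycle (updaters, installers, line-of-business tools) before switching to enforcement, since an unsigned internal application will otherwise be blocked alongside the malware.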
Alternatively, AppLocker has the ability to whitelist folders.