Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

CryptoFortress, a TorrentLocker clone that also encrypts unmapped network shares


  • Please log in to reply
29 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,000 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 05 March 2015 - 12:09 PM

Update 3/7/15: It appears that this is just a copycat and not a new version of TorrentLocker. According to a researcher at ESET, the devs behind CryptoFortress just stole the HTML and site layout. See this tweet: https://twitter.com/marc_etienne_/status/573842470691344384

 

A new encrypting ransomware called CryptoFortress was discovered yesterday by security researcher Kafeine that appears to be either a copycat or a new version of TorrentLocker. When looking at the ransom note and decryption site for both CryptoFortress and TorrentLocker the differences between the two appear to be small. On further inspection, though, we have discovered that CryptoFortress includes the new and nasty feature of being able to encrypt files over network shares even if they are not mapped to a drive letter.
 


ransom-note-collapsed.jpg


Normally when a ransomware encrypts your data it does so by retrieving a list of drive letters on a computer and then encrypting any data on them. Therefore any network shares on the same network would be safe as long as they were not mapped to a drive letter. Unfortunately this all changes with CryptoFortress as this ransomware will also attempt to enumerate all open network SMB shares and encrypt any that are found. As you can see from the image below, CryptoFortress is successfully able to encrypt the file test.txt in an open share over SMB on my test network. This new ability changes the threat landscape for all server and network administrators and it is even more important than ever to properly secure your shared folders with strong permissions.
 

wireshark-smb.jpg


When CryptoFortress runs it will encrypt your data using RSA encryption and add the .frtrss extension to the end of the encrypted file. In every folder that a file is encrypted, it will also create a ransom note called READ IF YOU WANT YOUR FILES BACK.html. This note, which is shown above, contains links to a TOR Command & Control server where you can find your ransom amount, which is currently 1 bitcoin, and the address it should be sent to. Last, but not least, CryptoFortress will issue the following command to delete all Shadow Volume Copies so you are unable to restore your files from them:
 

vssadmin delete shadows /all /quiet

Without a doubt, encrypting non-mapped network shares makes it a big problem for network administrators. It is now a requirement for backup strategies to use drive rotation rather than rely on persistent attached storage or network shares as your backup medium. This makes cloud backups even a more attractive option as a safe and secure method of backing up your data without being affected by ransomware.

Thanks to Nathan Scott for helping to analyze this infection. You can also find more information about this infection from the analysis by White Hat Mike.



BC AdBot (Login to Remove)

 


#2 GT500

GT500

    Authorized Emsisoft Representative


  • Security Colleague
  • 122 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Fortville, Indiana, USA
  • Local time:08:14 AM

Posted 05 March 2015 - 02:50 PM

Thanks for the article Lawrence. :wink:

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...


#3 calgary11

calgary11

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:14 AM

Posted 05 March 2015 - 03:00 PM

I was wondering how long it would take them to start looking for network share, I guess that answered this question. One more headache to worry about. Thanks for the post



#4 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:::1
  • Local time:08:14 AM

Posted 05 March 2015 - 03:04 PM

I was wondering how long it would take them to start looking for network share, I guess that answered this question. One more headache to worry about. Thanks for the post

 

I have seen other variants that enumerate network shares without logical mapping to a drive letter before, but they are extremely uncommon and I have never actually came across one of them in-the-wild or even seen many reports of ransomware with such capability.  It's unknown how large the campaign is that is pushing this variant, but the fact that is has been confirmed to be pushed as a payload of Nuclear Pack, in addition the unique capabilties that are introduced with CryptoFortress, leads me to believe that its prevalence has a great potential for growth in-the-wild.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#5 zingo156

zingo156

  • BC Advisor
  • 3,330 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:07:14 AM

Posted 05 March 2015 - 04:39 PM

Another great write up grinler, and another trashy bit of software! Hmm... I guess I may be setting up some local FTP servers and removing any mapped drives/open network drives. I had already thought about this but I know users are not going to "want" to learn something new.


Edited by zingo156, 05 March 2015 - 04:41 PM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#6 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,000 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 05 March 2015 - 04:55 PM

If you do not want to setup a cloud backup, i know there are backup solutions where you install an agent on each computer that handles that backups. That way you avoid UNC shares and drive mappings.

#7 RobertHD

RobertHD

  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Somewhere in Oz
  • Local time:10:44 PM

Posted 06 March 2015 - 12:10 AM

Thanks for letting all us know


Robert James Crawley Klopp


#8 Angoid

Angoid

  • Security Colleague
  • 291 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:East Midlands UK
  • Local time:01:14 PM

Posted 06 March 2015 - 06:26 AM

Thanks for the article Grinler.

It's rapidly getting to the point where the only safe Internet connection is a broken one  :blink:


Helping a loved one through a mental health issue?  Remember ALGEE...

Assess the risk | Listen nonjudgementally | Give reassurance and info | Encourage professional help | Encourage self-help and support network

#9 Sintharius

Sintharius

    Bleepin' Sniper


  • Malware Study Hall Senior
  • 5,602 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:02:14 PM

Posted 06 March 2015 - 06:44 AM

It's rapidly getting to the point where the only safe Internet connection is a broken one  :blink:

Which we all know is not feasible :lmao:
Member of the Bleeping Computer A.I.I. early response team!

#10 RobertHD

RobertHD

  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Somewhere in Oz
  • Local time:10:44 PM

Posted 06 March 2015 - 07:06 AM

:bubbles:


Robert James Crawley Klopp


#11 rp88

rp88

  • Members
  • 2,711 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:12:14 PM

Posted 06 March 2015 - 11:23 AM

When you describe it attacking other things on a network, does this mean that any computers sharing a router or wi-fi connection point are going to be attacked if any one of them is infected? For example if you had a home network of three computers, the network being that they shared a wi-fi access point, wuld an infection on any one of them then encrypt data on all the others, or does this only apply to networks of the type where everything is stored on a central server and the physical machines dotted around the building are just access points and have no files stored on them?

#12 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:::1
  • Local time:08:14 AM

Posted 06 March 2015 - 12:36 PM

When you describe it attacking other things on a network, does this mean that any computers sharing a router or wi-fi connection point are going to be attacked if any one of them is infected? For example if you had a home network of three computers, the network being that they shared a wi-fi access point, wuld an infection on any one of them then encrypt data on all the others, or does this only apply to networks of the type where everything is stored on a central server and the physical machines dotted around the building are just access points and have no files stored on them?

 

It does not self-replicate itself and traverse the network in the same fashion that worm does.  It will only affect files / documents on another device if they are natively accessible from the initially affected device, i.e. a shared folder (requiring no authentication), an open network share, etc.  The encryption of files on a device other than the initially compromised device is most commonly seen when an organization has a [file] server that employees all have access to, for centralized storage of data and other documentation.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#13 bluerussian

bluerussian

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 06 March 2015 - 03:03 PM

Delivery Method:  Is this known?

 

Is it still through infected emails and the user clicks away?  Is it still limited to the users rights at the time of infection?



#14 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,000 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:14 AM

Posted 06 March 2015 - 03:18 PM

According to Kafeine, it is exploit kits.

#15 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:::1
  • Local time:08:14 AM

Posted 06 March 2015 - 06:12 PM

Delivery Method:  Is this known?

 

Is it still through infected emails and the user clicks away?  Is it still limited to the users rights at the time of infection?

 

As Grinler stated above, Kafeine was searching for a different piece of malware being pushed by an exploit kit and accidentally encountered the CryptoFortress ransomware.  The only confirmed delivery method that I've heard of so far is via exploit kit, and in Kafeine's case, the Nuclear Pack EK.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users