Tuesday, November 11, 2014

TorrentLocker (CryptoLocker) Ransomware Campaign - Oct/Nov 2014


Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed.

In mid October, 2014, a ransomware campaign using a new variant of CryptoLocker was launched. At the time of this post, the campaign is still active.

Once a user has unknowingly downloaded and run the malware, all files on their local disk and network drives are encrypted. The user is then presented with the screen shown below, which demands that the victim visit a hidden server to purchase the decryption key using Bitcoin.

This new Crypto-variant appears to be offered as a service to any criminal individual or gang who wants to get involved in the ransomware extortion business.

The malware appears to be delivered via spam e-mail.


WARNING
We have encrypted your files with CryptoLocker

"Buy decryption software and get all your files back"

Victim landing page demanding ransom payment in Bitcoin to decrypt files.


There are at least 10 active campaigns (ransomware 'botnets') utilizing this particular command and control server. From the structure and contents of the directories, it appears to be provided to other criminal individuals or gangs, as a "Ransomware-As-A-Service". The creators of the service provide the server and the malware to criminal clients so they can then run their own ransomware campaigns utilizing the infrastructure and software provided.

Each criminal customer of this ransomware extortion service has its own numbered folder under the botnets directory, which contains email lists to spam, SMTP servers to spam from, and logs of payments, feedback, etc. from the victims of the operation.

Each individual campaign is responsible for distributing the ransom malware (via spam) and for handling its own victims' complaints, payments, etc.

Inside one of the individual botnet containers: the directories of campaign #11.


Lists of email addresses to spam in an attempt to infect new victims.


Some of the more "successful" campaigns have a feedback directory. This is where the victims can send messages to the crooks, asking for more time before the ransom for their files increases, or asking when they will get their files back.

The 'feedback' directory contains log files for payments and questions.

Feedback from victims:

Feedback from ransomware victims asking for more time before the ransom increases on their files.

More "feedback" from victims (campaign #13):

[2014-10-15 09:45:52] [6475, petvandam@x.com] 
I paid, but when I enter the transaction detail, your page says it has already been used for a payment! How is that possible? 
[2014-10-15 11:35:33] [6393, dennis@**REDACTED**.nl] 
Dear Sirs,

We made a payment of 1364 bitcoins with transaction nr. 9b2a0b4fef3e711f3fbc3491666644ca85bed77a288701142a93df9866fa23c2
If I enter this on your webpage, it tells me that this has already been used, which it has not.
Can you please send me the instruction to quickly solve this problem?
With kind regards,
Dennis Huisman
[2014-10-15 11:44:02] [6393, dennis.huis@**REDACTED**.nl] 
Dear Sirs,
We have paid 1.364 bitcoins with transaction id 9b2a0b4fef3e711f3fbc3491666644ca85bed77a288701142a93df9866fa23c2.
If I enter this id, the site tells me this has already been used, which it has not!
Please tell me what I can do to fix this.
With kind regards, 
Dennis Huisman
[2014-10-15 13:32:22] [6393, dennis@**REDACTED**.nl] 
Dear Sirs,
We made a payment of 1.364 with transaction ID 9b2a0b4fef3e711f3fbc3491666644ca85bed77a288701142a93df9866fa23c2. When I fill this in on your webpage, it gives a warning that this has already been used, which it hasn't.

Can you please tell me what to do?

Thanks in advance for your answer.
Dennis Huisman
[2014-10-17 21:07:34] [8679, muratkazan55@**REDACTED**.com] 
I'm studying at the university. I have my homework on my PC. Please help me to save it. I need it very much to complete my education. Thank you for your understanding. 
[2014-10-18 14:35:45] [8916, gokhan@**REDACTED**.tc] 
I want to decrypt my files. It infected 3 of my machines over the network; can't it be lower than 1200 TL? 
[2014-10-18 16:43:03] [8749, mbeykozlu@**REDACTED**.com] 
It gives a limit for bitcoin
I can't make the payment
my situation is already bad, my work and livelihood are in trouble, I'm finished
tell me a way, I'll borrow the money and send 1200 TL

[2014-10-20 05:32:00] [8371, kelly@**REDACTED**.com.au] 
Hello,
We have deposited the money just waiting for the transfer.
Payment received
Your deposit has been received, your coin transfer will be carried out shortly.
Reference Number 12008
Amount in AUD 752.60
Amount in Bitcoins 1.45200000
Email kelly@**REDACTED**.com.au
Wallet Address 1K3Z8tEDyo5FHtsGmxTZ4tbeuJdMMjEE72
We will keep you updated with the progress of the order.


[2014-10-20 09:04:23] [8544, erdogankeklik_88@**REDACTED**.com] 
First of all, hello. The files on my computer were encrypted. I have all my backups. I only need 1-2 days' worth of documents. Your price is too high. Could you help me? 
[2014-10-20 13:38:09] [8557, adorelguvenlik@**REDACTED**.com] ab39f8c79a581656b295bfa8fd87a4185f515860480a0fe72d308dacfba27659
I found out this code later and I am entering it now, but we entered the first one incorrectly; I am waiting for help on this 
[2014-10-20 13:38:10] [8557, adorelguvenlik@**REDACTED**.com] ab39f8c79a581656b295bfa8fd87a4185f515860480a0fe72d308dacfba27659
I found out this code later and I am entering it now, but we entered the first one incorrectly; I am waiting for help on this 
[2014-10-20 17:05:12] [8557, adorelguvenlik@**REDACTED**.com] 
We made the payment with the ID number below, please do what is necessary on your side
Id
ab39f8c79a581656b295bfa8fd87a4185f515860480a0fe72d308dacfba27659 
[2014-10-21 08:03:42] [6207, practicombit@**REDACTED**.com] 
Hi,

Last week I paid you $500 for the decrypter software. When I ran the software I saw that only a few files were decrypted. I paid it with URL: http://3v6e2oe5y5ruimpe.tor4u.net/buy.php?a9q1vi but when I look into my files and folders and click another decrypted_instuctions.html I see that it has another URL: http://3v6e2oe5y5ruimpe.tor4u.net/buy.php?a9jme9 maybe that's why not all my files could be decrypted. When I click buy I see that you want me to pay $1000. Could you send me a file to decrypt my other files, because I have already made a payment for it. I hope you can help. I'm not happy that I don't have all my files back. Hope I get a reply very soon.

The bitcointransaction id is 230dfaa00246c04ca528fb29003542d0eef47c6f5399292f1ed2fffef8b853fa

Hope so you can help.

Yesterday you sent me a mail to wait 1-2 hours but I did not hear anything from you.
Greetings Mark 
[2014-10-22 07:17:20] [9540, coin.accont@**REDACTED**.com] 
I have made the payment but it keeps coming up with transaction ID already used.

74c5b0d6641baaaf233c80ee72b6cabb57c15a669490adbc9855ca0a4b34bcf4

What can we do now? 
[2014-10-22 09:59:19] [9089, ozansevimligul@**REDACTED**.com] 
Hello, this software affected 2 of my computers and I don't have this much money to pay. Please give me a more affordable amount, an amount that I can afford to pay. Also, the process says it is for one computer; my other computer has Windows XP installed, how will I decrypt the files on that one?




Admin Templates:

Templates for criminal admins to manage their campaign.

Template payments page that victims will be directed to:

Custom ransom pages template uploader:

Settings template:

Statistics template:



Technical Details:

Sample:

(This particular sample belongs to campaign #14)

MD5: 508136766c7ea2f26ef44ffd81a63bcb

https://www.virustotal.com/en/file/cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d/analysis/

https://malwr.com/analysis/MjE5MWRhMzczODdkNDk1YjhkNDE3ZDU0NmNkMTcwODg/

Campaign directory on the C&C server: hxxp://lebanonwarrior.ru:8080/data/botnets/14/


C&C Server:

lebanonwarrior.ru
46.161.30.19

Netblock registration:
inetnum: 46.161.30.0 - 46.161.30.255
netname: KolosokIvan-net
descr: Net for customer ID 12510
country: RU
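For defenders triaging this campaign, the indicators above (the C&C domain, its IP and netblock, the /data/botnets/ path, and the sample's MD5) can be turned into a simple matcher over web proxy logs and quarantine hash lists. The script below is an added example and not part of the original post or of any tool the post describes; the proxy log format, the sample log lines and the hash list are constructed for illustration, while the indicator values are taken from the post.

```python
"""Match the TorrentLocker campaign indicators from the post against
proxy log lines and file hashes. Added example; the log lines, hash list
and proxy log layout are constructed, the indicators come from the post."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators quoted in the post (campaign #14 sample and its C&C server).
CNC_DOMAIN = "lebanonwarrior.ru"
CNC_IP = ipaddress.ip_address("46.161.30.19")
CNC_NETBLOCK = ipaddress.ip_network("46.161.30.0/24")   # inetnum 46.161.30.0 - 46.161.30.255
CNC_PATH_PREFIX = "/data/botnets/"
SAMPLE_MD5 = "508136766c7ea2f26ef44ffd81a63bcb"

# Assumed proxy log layout (constructed for this example):
#   <date> <time> <client-ip> <method> <url> <status>
PROXY_RE = re.compile(r"^(\S+ \S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def classify_url(url: str) -> list[str]:
    """Return the names of the indicators a URL matches, strongest first."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    hits = []
    if host.lower() == CNC_DOMAIN:
        hits.append("cnc-domain")
    else:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:          # hostname, not an IP literal
            addr = None
        if addr == CNC_IP:
            hits.append("cnc-ip")
        elif addr is not None and addr in CNC_NETBLOCK:
            hits.append("cnc-netblock")   # weaker: same customer netblock, not the known host
    if parts.path.startswith(CNC_PATH_PREFIX):
        hits.append("botnets-path")
    return hits


def scan_proxy_log(text: str) -> list[dict]:
    """Parse proxy lines and report every line that matches at least one indicator."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PROXY_RE.match(line)
        if not m:
            continue                # skip lines that do not fit the assumed layout
        _ts, client, _method, url, _status = m.groups()
        hits = classify_url(url)
        if hits:
            findings.append({"line": n, "client": client, "url": url, "hits": hits})
    return findings


def check_hashes(md5s: list[str]) -> list[str]:
    """Return the hashes (normalised to lowercase) equal to the sample's MD5."""
    return [h for h in (x.strip().lower() for x in md5s) if h == SAMPLE_MD5]


# Constructed sample proxy log: one infected client talking to the C&C by name
# and by IP, one benign request, and one request to another host in the same /24.
SAMPLE_PROXY_LOG = """\
2014-10-20 09:04:11 10.1.2.33 GET http://lebanonwarrior.ru:8080/data/botnets/14/ 200
2014-10-20 09:04:12 10.1.2.33 POST http://46.161.30.19:8080/data/botnets/14/ 200
2014-10-20 09:05:40 10.1.2.40 GET http://www.example.com/index.html 200
2014-10-20 09:06:02 10.1.2.41 GET http://46.161.30.200/ 200
"""

# Constructed quarantine hash list: one entry is the campaign #14 sample (uppercase).
SAMPLE_HASHES = ["D41D8CD98F00B204E9800998ECF8427E", "508136766C7EA2F26EF44FFD81A63BCB"]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {f['line']}: {f['client']} -> {f['url']}  [{', '.join(f['hits'])}]")
    print("hash hits:", check_hashes(SAMPLE_HASHES))
```

The netblock match is reported separately from the domain and IP matches because a whole /24 registered to one customer is a weaker signal than the specific C&C host; an analyst would treat "cnc-netblock" as something to review rather than as a confirmed infection.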



