September 6, 2016
Ransomware purporting to come from a phony government agency, something called the Central Security Treatment Organization, has been making the rounds, researchers say.
The ransomware, already known by a number of names including Cry, CSTO ransomware and Central Security Treatment Organization ransomware, communicates over the User Datagram Protocol (UDP) and also makes use of the photo sharing service Imgur and Google Maps as part of its infections.
A security researcher who goes under the guise MalwareHunterTeam discovered the malware last Thursday.
Lawrence Abrams, who runs BleepingComputer.com, helped analyze the ransomware alongside MalwareHunterTeam and security researcher Daniel Gallagher. Abrams discussed their collected findings in a blog post Monday night.
The three point out that the ransomware is still being analyzed so many of the details around it are still hazy; that includes how it’s being distributed and whether or not decryption is possible. What is known is that the malware has managed to hit 8,000 victims in almost two weeks so far.
Abrams told Threatpost on Tuesday that when he started to analyze the ransomware with MalwareHunterTeam on Sept. 2 there were roughly 3,200 victims. That figure later ballooned to 6,800 two days later and when he checked on Monday, it had reached 8,000. The ransomware is still being developed too; Abrams claims Gallagher discovered a new sample earlier today.
After machines are infected, Cry leaves ransom notes, “Recovery_[random_chars].html” and “!Recovery_[random_chars].txt”, on a victim’s desktop, notifying them that their files have been encrypted and given the “.cry” extension – hence the name. The notes demand 1.1 bitcoin, or roughly $625, to decrypt them.
From there, it uses UDP to relay information about the infected machine, including its Windows version, whether Windows is 32- or 64-bit, which service pack is installed, the computer’s name and its CPU type, to over 4,000 IP addresses.
According to Abrams, this method is likely used to make it trickier for authorities to finger the command and control server’s location, a technique that has been used in the past by the Cerber ransomware strain. Researchers at Invincea saw a Cerber variant in May generating loads of outgoing UDP traffic, to the point that it was flooding subnets with UDP packets over port 6892. Experts didn’t rule out the possibility that the ransomware could be capable of carrying out a distributed denial of service attack.
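The behaviour described in the two paragraphs above, a single host sending UDP datagrams to thousands of distinct addresses in a short burst, is distinctive enough to catch in flow data. The following detector is an added example for this article, not code from Abrams, BleepingComputer or any of the researchers named here: it reads constructed flow records in an assumed "timestamp src dst proto dport" layout, computes for each source the largest number of distinct UDP destinations seen inside a sliding window, and flags sources above a threshold together with the port they favour. The window, threshold and sample hosts are assumptions chosen for illustration; the only value taken from the article is port 6892, used here as the constructed fan-out port.

```python
"""Flag hosts whose UDP traffic fans out to many distinct destinations in a short
window, the broadcast-to-many pattern described for Cry and the Cerber variant.

Added example for this article; not from the article or the researchers' analyses.
Field layout, thresholds and sample records are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_flows():
    """Build constructed sample flow lines: 'ISO-timestamp src dst proto dport'."""
    base = datetime(2016, 9, 2, 12, 0, 0)
    lines = []
    # Benign host (constructed): repeated DNS to one resolver plus one NTP query.
    for i in range(40):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 10.0.0.53 udp 53")
    lines.append(f"{base.isoformat()} 10.0.0.7 10.0.0.123 udp 123")
    # Suspicious host (constructed): one datagram to each of 120 distinct addresses
    # on the same port within six seconds; 6892 is the port the article names for Cerber.
    for i in range(120):
        ts = base + timedelta(milliseconds=50 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 198.51.100.{i + 1} udp 6892")
    return lines


CONSTRUCTED_FLOWS = "\n".join(_constructed_flows())


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "proto": proto.lower(), "dport": int(dport)})
    return flows


def udp_fanout(flows, window=timedelta(seconds=60)):
    """Return {src: max number of distinct UDP destinations seen within any `window`}."""
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "udp":
            by_src[f["src"]].append(f)
    result = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        counts = defaultdict(int)  # destination -> records currently inside the window
        left, best = 0, 0
        for r in recs:
            counts[r["dst"]] += 1
            # Slide the left edge forward until the window covers at most `window` seconds.
            while r["ts"] - recs[left]["ts"] > window:
                old = recs[left]["dst"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        result[src] = best
    return result


def flag_fanout_hosts(flows, window=timedelta(seconds=60), min_destinations=50):
    """Return sorted (src, distinct_destinations, dominant_port) for hosts over threshold."""
    alerts = []
    for src, n in udp_fanout(flows, window).items():
        if n < min_destinations:
            continue
        ports = defaultdict(int)
        for f in flows:
            if f["src"] == src and f["proto"] == "udp":
                ports[f["dport"]] += 1
        alerts.append((src, n, max(ports, key=ports.get)))
    return sorted(alerts)


if __name__ == "__main__":
    for src, n, port in flag_fanout_hosts(parse_flows(CONSTRUCTED_FLOWS)):
        print(f"{src}: {n} distinct UDP destinations, dominant dport {port}")
```

The threshold of 50 destinations per minute is deliberately low for the toy data; on a real network it would be tuned against a baseline, and hosts with legitimate fan-out (DNS resolvers, monitoring systems) would be allow-listed before alerting.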
In addition to UDP, Cry also uses two other services not usually leveraged by ransomware: Imgur and Google Maps.
The ransomware gathers the same information it sends to the IP addresses, embeds it in a PNG image file and then uploads that image to an Imgur photo gallery.
“Once the file has successfully been uploaded, Imgur will respond with a unique name for the filename,” Abrams writes. “This filename (can) then be broadcasted over UDP to the 4096 IP addresses to notify the Command & Control server that a new victim has been infected.”
The ransomware can also use Google Maps’ API to locate the victim from the Service Set Identifiers (SSIDs) of nearby wireless networks. By calling Windows’ WlanGetNetworkBssList function, Cry obtains the list of wireless networks visible to the infected machine and their SSIDs, then submits them to Google Maps to get the victim’s location. While the location data is no doubt valuable, Abrams says it’s unclear what exactly it’s for, but admits it could be used to further scare a victim into paying.
Abrams told Threatpost that while the ransomware wasn’t discovered until Sept. 1, it appears the developer behind Cry first began testing the waters several days before, on Aug. 25. Abrams, Gallagher and MalwareHunterTeam can see that the developer began by uploading test PNG files containing just the string “LOLWTFAMIDOINGHERE.”
The Central Security Treatment Organization doesn’t exist, and neither do the Department of Pre-Trial Settlement or the Federal Agency of Investigation, two other bogus groups the ransomware claims to represent on its Tor payment site. The seal for the fake organization appears to borrow the crest, branches and stars from the FBI’s logo and the eagle’s head from the CIA logo.