A new sample was released today courtesy of http://www.pcapanalysis.com which can be located at the reference linked at the bottom. The ransomware is currently being distributed mostly via malspam campaigns but was also observed being served up by the lord exploit  kit and links were found posted on hacked wordpress sites and forums for drive-by-download watering hole style attacks.

What makes the crimeware profiteers so hard to stop from this ransomware attack is that they are using burner e-mail addresses and dynamic DNS which they can create and destroy on the fly to deliver their malicious executable. Let’s not forget that they are also not generating any network traffic other than utilizing Google’s own services to track successful installations and metrics and the only trace back to them looking at network traffic would be the original download or vector.

After you have downloaded the word document or PDF executing the word document a series of powershell commands download the latest binary that the crimeware actors scan daily after making changes to it on VirusTotal to see what the detection rate is. Below is an image of what an infected user will see after this occurs. There is an e-mail and a bitcoin address as identifying marks. See below:

The e-mail address is listed as [email protected] and it was using the domain name service-updater[.]hopto[.]org with an IP address resolving to 41.97.11.131 with a network whois:

Network Whois record

Queried whois.afrinic.net with “41.97.11.131“…

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '41.97.0.0 - 41.97.255.255'

% No abuse contact registered for 41.97.0.0 - 41.97.255.255

inetnum:        41.97.0.0 - 41.97.255.255
netname:        Oran
descr:          Residentiel
country:        DZ
admin-c:        SD6-AFRINIC
tech-c:         SD6-AFRINIC
status:         ASSIGNED PA
mnt-by:         DJAWEB-MNT
source:         AFRINIC # Filtered
parent:         41.96.0.0 - 41.111.255.255

person:         Security Departement
address:        Alger
phone:          tel:+213-21-91-12-24
fax-no:         tel:+213-21-91-12-08
nic-hdl:        SD6-AFRINIC
mnt-by:         GENERATED-IRIXFFLWUREDGEB9HMRODGUJH3OJCIPE-MNT
source:         AFRINIC # Filtered

% Information related to '41.96.0.0/12AS36947'

route:          41.96.0.0/12
descr:          Algerie Telecom
origin:         AS36947
mnt-by:         DJAWEB-MNT
source:         AFRINIC # Filtered

So not a lot to go on, just because that large IP block is owned by Algerie Telecom doesn’t mean they are behind the crimeware or involved in anyway.

Prevention:

Disable macros on your Microsoft Office products, never open suspicious e-mails, block dynamic DNS completely

Reference: http://www.pcapanalysis.com/pcap-downloads/malware/jigsaw-ransomware-malware-crimeware-pcap-file-download-traffic-sample/