CYBER CALIPHATE POTENTIAL CAPABILITIES
ISIS already teaches its militants about encryption in the manuals that it distributes from the “help desk” and in publications like Kybernetiq. Assuming that parts or all of ISIS want to increase available funds, inflict financial harm on “Crusaders”, and disrupt critical operation in Western nations, with the least amount of prerequisite technical knowledge and monetary investment, then it is surprising that the Cyber Caliphate has not already popularized ransomware attacks within the organization and purchasing Ransomware as a service (RaaS). Ransomware attacks are form of malware that weaponizes encryption to prevent the victim from accessing their systems or data until a payment has been made to the attacker and the files have been unlocked using a decryption key. Ransomware attacks can also be used to lock down a target system for a time, or as one stage of a layered attack that involves distracting the user with ransomware attacks while the files on the system are searched and exfiltrated. Ransomware attacks made a large resurgence in February 2016 when medical systems belonging to Hollywood Presbyterian Medical Center were infected with the Locky ransomware. After nearly two weeks of stunted operations, the hospital paid a $17,000 ransom. Almost overnight, adversaries began developing and distributing new variants of ransomware that charged users hundreds or thousands of dollars to free their systems.
Ransomware attacks are favorite among the unsophisticated hacking communities because it is easy to distribute, has a high return on investment, and it can be purchased as a Ransomware as a Service (RaaS) model. Under the Ransomware as a Service model, a sophisticated adversary writes the malware and then sells or distributes it to numerous less skilled hackers, who then distribute it to victims. If the victims pay the ransom, then the malware developer receives a percentage of the ransom. Ransomware and Ransomware as a Service are easily purchased on online forums; as a result, terrorist groups such as ISIS would not have any difficult purchasing a variant on the dark net or working under a Ransomware as a Service model. While Locky is currently the most popular and most abundant ransomware variant, ISIS would likely benefit more from the Cerber ransomware.
The Cerber ransomware attacks began to infect systems in late February 2016 by encrypting their files with AES encryption until a ransom of 1.24 Bitcoins (~$500) was transferred to the attackers. The ransomware is available for purchase or as a Ransomware as a Service on closed Russian markets on the dark web. The former option means that a group, like ISIS, could train personnel, purchase a copy, duplicate it for any number of cyber-trained operatives, and conduct attacks for financial gain, to disrupt services, or to incite fear or panic. The latter option enables the operatives to deliver the malware and conduct attacks through simplified graphical user interfaces on the condition that the Cerber developers earn a commission of each ransom payment.
Ransomware, like Cerber, can be delivered through phishing emails, transferred through watering-hole attacks, or distributed through botnets. Malwarebytes discovered that Cerber is also delivered via the Magnitude exploit kit through malvertising networks on adult, torrent, and streaming websites. The campaign leverages a vulnerability in Internet Explorer to fingerprint possible victims to ensure that only genuine systems are infected. The fingerprinting process includes enumeration of the local file system, detection of virtual machines, detection of certain security software, and detection of web debuggers. FireEye reported that the malware was similarly delivered through the Nuclear Pack zero-day Flash exploit. If no software to detect the malware is detected, then the malvertising landing page infects the victim system. FireEye also observed the ransomware delivered through the same macro downloader spam distribution framework used by the Dridex criminal group. In this model, the victim receives an email with a malicious attachment that contains a macro that drops the VBScript in the %appdate% path of the system. The VBScript contains obfuscated code that is used to download the Cerber payload. VBScript checks for internet connectivity, and if internet is available, it sends an HTTP Range Request to fetch a JPEG file from a malicious URL. A value in the Range header indicates to the attacker’s web server to only return content beginning at a predetermined offset of the JPG file. The response content of this request is XORed with a key and decrypted as the Cerber payload. The variant has also been detected in emails, in Word files and in Steam gaming related files. In some cases, attackers bypass spam filters by using double zipped Windows Script Files (WSF) in malicious emails to deliver the malware.
Upon execution, Cerber checks whether the victim’s system is located in a former Soviet state; if so, then the malware automatically terminates. Cyber-Jihadists would have to either remove this stipulation by editing the JSON file or focus their campaign on Western nations. If it executes, then Cerber installs itself in the %AppData%{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA} folder and names itself after a random Windows executable. It then executes a command to configure Windows to boot into Safe Mode with Networking on the next reboot. It also configures itself to start automatically when the victim logs into Windows, to set itself as the screensaver if the system goes idle, and to execute itself as a task every minute. The ransomware then issues fake system alerts until the system is allowed to restart. The system will reboot into Safe Mode with Networking, shutdown again after the user logs in, and then reboot into normal mode. Once the user logs in, Cerber begins encryption by encrypting the victim’s files with AES-256 bit encryption. A JSON configuration file, included with the malware, details what extensions and files to encrypt, what countries to not infect, and other configuration information. Encrypted files are appended with the .CERBER extension. Cerber contains the ability to scan for, enumerate, and infect Windows files shares and networked drives. The ransomware creates three ransom notes (a .txt, .html, and .vbs file) on the victim desktop and in every folder containing encrypted files. The ransom note contains instructions to access Tor, purchase Bitcoins, and an address to pay the ransom.
The .vbs files contain a VBScript that causes the victim machine to verbally inform the victim of the infection by repeating a message from the attacker. Traditionally, the vocal reminder that files are encrypted jars victims and pressures them into making the irrational decision to pay the ransom. A Cyber-Jihadist group could alter the message to spew propaganda in order to incite panic, increase notoriety, or otherwise harass the victim. The audio message continues to repeat until the victim either pays the ransom or removes all of the VBS files from the system.
The site to pay the Cerber ransom is available in 12 different languages. The ransom is doubled if the victim does not pay within 7 days. When the attackers receive the entire payment, the interface provides the victim with a decryptor tool unique to their system. At the time of this writing, there is no way to recover the files encrypted by Cerber ransomware encryption without the decryptor tool.
Whether or not the files are decrypted after payment is sent is dependent upon the attacker. Though some criminals decline to decrypt files after payment is received, many traditional cyber criminals often decrypt the victim files because the ransomware business model only remains profitable if victims believe that they can get their files back by paying the demanded Bitcoins. If every attacker left the files encrypted, then the attack vector would be notorious as a scam and no victim would ever pay. Groups, such as ISIS, benefit from the disruption and chaos of permanently encrypting the files on a target system almost as much as they benefit from the ransom itself. Further, if the group employs ransomware attacks as a diversionary tactic or as part of a layered attack, then it is in their best interest not to decrypt the files. While the victim is responding to the attack or reverting their files from a backup, the terrorists or their hired mercenaries could exfiltrate data relevant to future attacks, steal PII or electronic health information (EHI) to sell or use, or launch a cyber-physical attack.
In March 2016, Cerber was modified to also turn infected systems into bots for DDoS attacks. The additional functionality is likely a secondary source of revenue in case the victim does not pay the ransom. Victim machines are used to flood the subnet with UDP packets over port 6892. By spoofing the source address, a collection of bots can be used to render a target unresponsive by flooding the system with traffic. The attackers use Visual Basic to launch a file-less attack, which most anti-virus and security applications do not preemptively block. The scanners do not detect the attack until files are dropped on disk, after the attack has succeeded. The botnet may be directed against other victims, against targets of opportunity, or they may be rented out on the Dark Web.