FileCoder ransomware families step up activity

    Malicious software that encrypts user files and then demands money for decryption is not new. Such families have received the general name Filecoder and belong to a common type of threat known as ransomware. Over the past few months, we have seen a significant increase in FileCoder ransomware activity. ESET antivirus products detect these threats as Win32/Filecoder and Win32/Gpcode.

    Our ESET Live Grid telemetry system shows that the weekly number of Win32/Filecoder detections has grown by more than 200% since July 2013, compared with the average for January-June of the same year.



    Russia has suffered the most from the activity of this malware. In other countries, activity is lower.



    As with other types of trojans, cybercriminals use various methods to install Filecoder on users' computers:

    • Drive-by downloads that use exploits for stealth installation;
    • Email attachments;
    • Using other malware, such as a downloader;
    • Manual installation by an attacker through RDP.

    In one of the infection scenarios, we observed that Win32/Filecoder.Q (and later Win32/Filecoder.AA and Win32/Filecoder.W) was distributed through backdoors, for example, Poison Ivy RAT. Attackers sent the user a backdoor via email. If it was installed on the user's computer, the malicious code contacted its C&C server and received the Filecoder ransomware through it.

    In another scenario, attackers used RDP to manually install Filecoder on a computer. We do not have enough information to say how the attackers were able to use RDP for this purpose and obtain credentials for access.

    Across its various modifications, FileCoder uses a wide range of techniques when encrypting files.

    • Encryption can be implemented in native code or with a legitimate third-party tool (for example, LockDir, WinRAR, etc.).
    • Some modifications of the malicious code encrypt the entire file, others only a part of the file.
    • Various methods are used to get rid of the original file. In some cases, the file is deleted but can then be restored using various recovery tools. In other cases, the file is permanently deleted by special means (for example, using the Microsoft SysInternals SDelete utility) or simply overwritten completely.
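
    From the defender's side, the difference between whole-file and partial encryption shows up in a per-block entropy profile. The following is an added triage example, not code from ESET or from the original article; the block size, the 7.5 bits/byte threshold and the sample data are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter

CHUNK = 4096          # bytes per analysed block (assumed value)
HIGH_ENTROPY = 7.5    # bits/byte; ciphertext sits close to 8.0 (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def chunk_profile(data: bytes, chunk: int = CHUNK) -> list:
    """One flag per block: True when the block's entropy looks like ciphertext."""
    return [shannon_entropy(data[i:i + chunk]) >= HIGH_ENTROPY
            for i in range(0, len(data), chunk)]

def classify(data: bytes) -> str:
    """Label a file body as 'plain', 'partially-encrypted' or 'fully-encrypted'."""
    flags = chunk_profile(data)
    if not any(flags):
        return "plain"
    return "fully-encrypted" if all(flags) else "partially-encrypted"

def pseudo_ciphertext(length: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

# Constructed sample inputs: a text document, the same document with only its
# first block replaced by high-entropy bytes, and a body replaced entirely.
DOCUMENT = b"Quarterly report: revenue, costs and forecast figures.\n" * 400
PARTIAL = pseudo_ciphertext(CHUNK) + DOCUMENT[CHUNK:]
FULL = pseudo_ciphertext(len(DOCUMENT))

if __name__ == "__main__":
    for name, body in (("document", DOCUMENT), ("partial", PARTIAL), ("full", FULL)):
        print(f"{name:9s} {classify(body)}")
```

    Compressed formats (archives, JPEG images, modern office documents) are also high-entropy, so a profile like this is only useful when compared against the file's expected type or a known-good baseline.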

    The ransomware uses the following encryption methods:

    • Blowfish
    • AES
    • RSA
    • TEA

    ... and encryption keys may be:

    • Hard-coded in FileCoder;
    • Entered manually (via a command-line option or a dialog box, if the attacker has access to the computer via RDP);
    • Randomly generated by the malicious code.

    The Filecoder family that is distributed via RDP has noticeably improved its tactics with scareware/rogueware tricks: through its GUI it presents itself as “Anti-Child Porn Spam Protection” or “ACCDFISA” (Anti Cyber Crime Department of Federal Internet Security Agency). Of course, no such agency exists. Comprehensive information on these variants can be found on Emsisoft's blog. This modification is detected by ESET as Win32/Filecoder.NAC and has been used by attackers for a long time. It differs from the others in the size of the ransom it demands for decryption: 3000 €. Apparently, this is due to the potential targets of the attackers, who choose to compromise various organizations. Other representatives of this family, however, extort amounts of 100 - 200 €.

    The Win32/Filecoder.BH variant, also known as DirtyDecrypt, has an interesting way of displaying its ransom message to the user. While encrypting the contents of image files and documents, the malicious code appends the message shown below to the end of the encrypted file.



    Another variant, Win32/Filecoder.BQ, tries to pressure the user by displaying a countdown timer that shows how much time is left before the ability to decrypt files expires. Interestingly, along with the usual ransomware payment methods such as MoneyPak or Ukash, it also accepts Bitcoins. More detailed information can be found in our Win32/Filecoder.BQ threat encyclopedia entry.

    Attackers generate some variants of FileCoder with a special tool called a builder, similar to the builders used for banking Trojans. This tool allows an attacker to select the types of files to be encrypted, the encryption method, the message text, etc.



    Some FileCoder modifications use weak ciphers, incorrect encryption implementations, or store the decryption password where it is easy to retrieve. In such cases, decrypting files can be much simpler, but in most cases the attackers do not make such mistakes, and it is almost impossible to recover encrypted files without the key.

    If you use RDP, take appropriate security measures that will prevent arbitrary users from gaining remote access to your system. Consider using a VPN with a two-factor authentication mechanism to stay safe. In addition, it is good practice to protect the settings of your antivirus software with a dedicated password so that an attacker cannot change them.

