Typical ransomware is bold. It does not bother to hide its code or its footprints. The BitPaymer ransomware is rather more secretive. Cyber-security experts who analysed the malware found complex code that made it very difficult to study how the malware worked – how the intrusion and infection occurred, and how the subsequent encryption of data took place.
The functioning of BitPaymer was analysed by researchers at SophosLabs, who found that the malware exploited the alternate data streams (ADS) feature of Windows file systems. This allowed the malware to reduce the visibility of its processes, making it hard to detect. BitPaymer is detected as Troj/Agent-AXEG and Hpmal/Ransom-Y by SophosLabs.
How the malware works
Beyond using ADS to reduce its visibility, the ransomware's first step is simply to run itself. It is an executable file, and when it runs it copies itself into two alternate data streams. These streams are attached to empty files, so the malware appears to be a sub-component of unremarkable files and avoids suspicion. It then deletes its original executable and hands control to the newly created copies.
In the Windows file system, a file consists of a main stream and any number of alternate data streams, which are accessed by referencing the main file name together with a stream name. A file is in essence a sequence of bytes, which is why it is also referred to as a stream. When Windows Explorer lists a directory, it shows the file names – but these are the names of the main streams only. The ADS names, which are an extension of the main file name, are not displayed.
The threat actors have exploited this feature to hide the ransomware inside alternate data streams. This is an unusual method: the researchers report that it is the first time they have come across this obfuscation technique in ransomware.
The basic purpose of ADS is to store additional data related to the main-stream file, and this feature has been expertly abused. The BitPaymer ransomware hides in the APPDATA directory and also adds a registry entry so that it is relaunched when the system is rebooted.
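The two hiding places described above (alternate data streams under the user's profile and a registry run entry) can both be checked from a defender's side. The PowerShell script below is an added example written for this article, not code from the article or from SophosLabs; it assumes an NTFS volume, PowerShell 5.1 or later, and that `$env:APPDATA` and `$env:LOCALAPPDATA` are the profile directories of interest. It lists every non-default stream under those directories (the browser-written `Zone.Identifier` stream is skipped because it is expected on downloaded files), flags streams whose first two bytes are the `MZ` header of a Windows executable, and lists Run-key values that point at an ADS-style path or into `AppData`.

```powershell
# Added example (not from the article or SophosLabs): hunt for alternate data
# streams under the user's profile and for Run-key entries that reference them.
# Assumptions: NTFS volume, PowerShell 5.1+, profile roots taken from the environment.

function Get-SuspiciousAds {
    param(
        [string[]]$Roots = @($env:APPDATA, $env:LOCALAPPDATA),
        # ':$DATA' is the main stream; Zone.Identifier is written by browsers on downloads.
        [string[]]$IgnoreStreams = @(':$DATA', 'Zone.Identifier')
    )
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_
                Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                    Where-Object { $IgnoreStreams -notcontains $_.Stream } |
                    ForEach-Object {
                        # Read the first two bytes of the stream: 'MZ' (0x4D 0x5A) marks a PE executable.
                        $head = if ($PSVersionTable.PSVersion.Major -ge 6) {
                            Get-Content -LiteralPath $file.FullName -Stream $_.Stream -AsByteStream -TotalCount 2
                        } else {
                            Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Encoding Byte -TotalCount 2
                        }
                        $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                        [pscustomobject]@{
                            File        = $file.FullName
                            Stream      = $_.Stream
                            StreamBytes = $_.Length
                            HostBytes   = $file.Length   # an empty host file carrying a large stream is a red flag
                            LooksLikePE = $isPe
                        }
                    }
            }
    }
}

function Get-SuspiciousRunEntries {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
            $cmd = [string]$p.Value
            # A second colon after the drive letter (C:\...\host.txt:payload) denotes an ADS path.
            $adsPath   = $cmd -match '^[\s"]*[A-Za-z]:[^:]*:[^\\/:*?"<>|]'
            # Autoruns launched from the profile directory deserve review as well.
            $inAppData = $cmd -match '\\AppData\\'
            if ($adsPath -or $inAppData) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; AdsPath = $adsPath }
            }
        }
    }
}

Get-SuspiciousAds        | Format-Table -AutoSize
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

Both functions return objects rather than text, so the output can be exported (`Export-Csv`) or compared against a baseline taken from a known-clean machine. The Run-key regex is a triage filter, not a verdict: a legitimate command line whose arguments contain a colon will also be listed, so review the matches by hand.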
The malware then gathers details of the system's network shares and creates a further copy of itself to encrypt the data on those shares and on the local disk.
BitPaymer keeps creating new copies of itself while deleting older ones, maintaining a very low profile that is difficult to detect. Each copy is deleted as soon as its task is complete – hence, little trail is left behind.
The ransomware uses strong RSA-1024 keys and functions for encrypting the targeted data, applications and program files on the victim's systems. After encryption, the malware deletes the original files to prevent recovery. Typically, other ransomware encrypt only the data, but BitPaymer also encrypts the program files and applications. However, the operating system files are left untouched so as to allow the victim to access the internet to pay the ransom demand.
After the malware completes encryption, it displays a message on the screen: "YOUR COMPANY HAS BEEN SUCCESSFULLY PENETRATED". It demands that the ransom be paid in bitcoins and warns the victim not to attempt any decryption methods. The analysis so far shows that BitPaymer did not exfiltrate any data.
Ransomware and other malware are becoming more sophisticated. Hence, cyber-security experts recommend that enterprises implement a strong backup and restoration strategy. For effective defence, however, a robust endpoint security solution must also be installed. This defence should include a default-deny strategy that blocks attacks through zero-day exploits.
Contributed by Julia Sowells, author, information security specialist, malware and vulnerability analyst.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.