ESET malware researcher Lukas Stefanko gives us a peek behind the scenes of his analysis of CryCryptor ransomware and puts the threat into a broader context
The COVID-19 pandemic has reshaped the way we work and, in many cases, also the way we interact with our loved ones. While a number of governments contemplate using contact tracing to stem the spread of the virus, cybercriminals have come up with a slew of tricks to take advantage of the situation, not only with scams of all kinds, but also with ransomware attacks.
Lukas Stefanko, a malware researcher at ESET, recently analyzed a new ransomware family posing as a contact-tracing app developed by Canada’s healthcare agency, Health Canada. Along with technical details about this ransomware, called CryCryptor, ESET provided a decryption tool, so that victims can get their data back.
We sat down with Lukas to speak about the ins and outs of CryCryptor and about how this ransomware family compares to other threats facing Android users not only during the pandemic.
Hi Lukas, thanks for joining us. First, could you walk us through the discovery and analysis of CryCryptor?
Hello, thanks for having me. I have to say I was lucky, as I found it by accident while scrolling through Twitter earlier that day. It was posted by malware researchers, who claimed it was an Android banking threat. This made sense, because this has been a popular way to misuse COVID-19 and distribute banking malware. However, most of the time I double-check any such claims and even at first sight the app didn’t look like a typical ‘banker’. That was the first clue that led to the identification of a new Android ransomware family.
You did mention in the article that a malware researcher on Twitter had mistaken CryCryptor for a banking Trojan. This suggests some technical resemblance between ransomware and banking Trojans. How would you compare them?
The makers of Android banking Trojans have been heavily misusing the situation caused by the pandemic, distributing the threats via fake websites that impersonate COVID-19 trackers, government apps, identifiers of coronavirus symptoms, financial loss compensation apps, fake Zoom apps and others. We have seen dozens of such malicious attempts; however, the distribution of ransomware wasn’t popular.
RELATED READING: Navigating the murky waters of Android banking malware
When we compare the impact of Android banking Trojans and Android ransomware, most banking Trojans, once installed, request extra activity from the victim to gain access to their funds, such as requesting the user to log into fake banking screens and then stealing two-factor-authentication codes if they’re set. There aren’t any such extra steps with ransomware, just launch the app and files will get encrypted.
One special feature of this ransomware is that it does not lock the device itself, but rather encrypts all files on the external storage and displays an alert to the victim that their files have been encrypted. When I first read your article, I was quite surprised to see that the readme_now.txt file does not ask for any specific ransom. How common is this?
The attacker could also lock the device; however, it is more difficult on the latest Android version and it would take more effort from the malware developer to implement such a feature. However, it is not impossible. Additionally, it is not that common not to indicate a specific ransom amount to be paid to decrypt files back, since it creates an extra step for the attacker and the victim might change their mind and eventually refuse to pay up.
Too often, we hear about ransomware without any decryption key, even on the attacker’s part. It is intriguing that a bug within the malware made the development of a decryption tool possible. Could you tell us more about how you created the decryption tool?
It was a lucky day! After analyzing any ransomware I always think of a possible way to either create a decryptor, in case the encryption key is not randomly generated, or a decryption tool. When I did a quick vulnerability analysis of this ransomware, I identified a mistake in it that, once correctly exploited, could trigger decryption functionality even without knowing the encryption key. When I tested it, it worked perfectly, so within a couple of minutes I created a fully functional decryption tool.
Over the years, you’ve become an expert in threats facing Android devices. What are some of the threats you predict will gain in prevalence in the near future, whether it’s exploits targeting vulnerabilities or malicious apps?
Vulnerabilities are mostly exploited in targeted attacks, so the vulnerability isn’t exposed to wide ‘audiences’, including security or malware researchers who would notify the vendor and fix it. As far as the prevalence of malware goes, Android banking Trojans remain very popular – I have seen many new ones being sold on underground forums. Another common threat is posed by adware and ad fraud apps, since they don’t request any extra input from users to misuse their phones and generate revenue for the attacker.
What key advice would you give to Android users regarding app safety?
Most of all, download apps only from Google Play Store, use an up-to-date Android operating system and apps, and use an up-to-date and reputable Android security solution that takes care of your smartphone safety.
Thanks again, Lukas.