CyberWire Daily - An in-depth look on the Crytox ransomware family. [Research Saturday]

Episode Date: November 12, 2022

Deepen Desai from Zscaler sits down with Dave to talk about the Crytox ransomware family. First observed in 2020, Crytox is a ransomware family consisting of several stages of encrypted code that has fallen under the radar compared to other ransomware families. While other groups normally use double extortion attacks where data is both encrypted and held for ransom, Crytox does not perform this way. The research says "The modus operandi of the group is to encrypt files on connected drives along with network drives, drop the uTox messenger application and then display a ransom note to the victim." It also shares how you may be compromised with this ransomware and goes through each stage in depth. The research can be found here: Technical Analysis of Crytox Ransomware

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:01:54 Crytox ransomware has been around since at least 2020, but it hasn't been in the news. We haven't seen anything major back then. That's Deepen Desai from Zscaler. Today, we're talking about his team's research on the Crytox ransomware family. In September 2021, the team actually noticed a company named RTL. It's a Netherlands-based company that was hit, and it was publicly acknowledged as well. Although one of the things that the team noticed back then was the ransom amount was 8,500 euros.
Starting point is 00:02:47 That's very, very small compared to the ransom demands that we see with some of the other ransomware gangs like Conti and Hive and others. So we've been tracking the payloads, we've been tracking the developments on the campaign side as well. And one of the things that the team noticed over here was unlike many of the other ransomware groups, Crytox ransomware does not perform double extortion attacks. It just performs data encryption
Starting point is 00:03:18 and holds it for ransom. It does not perform data exfiltration from the impacted machine. Going a little old school with the ransomware, right? Exactly. It is one of the old school ways of doing things. There are a couple other things we noticed. They did make it easier for the victims
Starting point is 00:03:41 to communicate back with the threat actors. So they were dropping this peer-to-peer instant messenger app called uTox on the infected machine. And you just click on it and you're basically able to communicate and negotiate the ransom amount with the threat actor. Can you walk us through what's going on technically behind the scenes here? Are there any interesting aspects to that part of it? In terms of the encryption, there's nothing that is different than what we have seen before. It's using AES CBC with a per-file 256-bit key that is protected with a locally generated RSA public key. And it uses this to encrypt local disks, network drives,
Starting point is 00:04:32 and at all of those locations, you will see a ransom note with a five-day timer that's basically notifying the victim that your files have been encrypted, pay, or you will lose all the data. And so you still have the ability to pay on that machine. I mean, they don't completely disable it. You can communicate with them.
Starting point is 00:04:55 Yeah, you're basically using the messenger application to communicate. And then they will provide the link for performing the payment. Is there any sense that if you follow through with them and you pay the ransom, you'll get your files back? For most ransomware groups, we do observe that you do get a key back, which will allow you to decrypt your files. So while we didn't go that route to confirm it, at least for the publicly known case, they did get the key and were able to restore their file.
Starting point is 00:05:38 And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement,
Starting point is 00:06:20 connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. It's interesting that the ransom demand is so low, and I wonder if they're comparatively trying to fly under the radar compared to some of the bigger players here. Yeah, that does sort of raise his eyebrow. Like, why so low?
Starting point is 00:07:16 Maybe they're trying to do more development and more testing. And then, as you pointed out, staying under the radar so that there's no law enforcement action as well, given so much focus on the ransomware threat actors these days. We also noticed, actually, while the team was analyzing some of the payloads,
Starting point is 00:07:41 that the encryption mechanism that they've used, it's actually prone to some weaknesses that could actually allow some brute forcing methods that can result in us decrypting the files as well. So definitely not one of those sophisticated ransomware payloads. It still probably appears to be a work in progress. And is the group trying to prevent analysis from researchers like yourself? Do they have elements of that in there? They did have some basic anti-debug, anti-analysis technique, but nothing to write home about.
Starting point is 00:08:20 Okay, nothing sophisticated. Is that pretty much what you're seeing here with this group that we wouldn't rate their sophistication as being particularly high? And that is accurate, yes. Yeah. And so in terms of folks best protecting themselves against this specific group, what are your recommendations? Yeah, so I think the guidance over here is to look at the ransomware problem holistically. Every time I speak to some of the large organization security leaders, I always ask them to look at the problem in four buckets. What are you doing to reduce your external attack surface?
Starting point is 00:09:02 Because when these gangs go after you, they will first try to find out what all things are exposed. They may come through one of the users falling for a phishing attack. They may come after you through an asset that is exposed to the internet. It could be a server. It could be a workload. It could be your system sitting in the corporate environment. It could be VPN, as we have seen before. So look at what you can do to reduce that external attack surface. Second is provide consistent security on all internet-bound traffic with full SSL inspection. And that's where a proxy-based architecture really helps out. The goal over there is to prevent that initial infection. The third bucket is what can you do to prevent that
Starting point is 00:09:50 lateral propagation phase? That's where the majority of these ransomware gangs do a lot of damage. Having one system going down with a ransomware attack versus the entire environment going down is the difference between it being a small incident to an org-scale breach. So over there, user-to-app segmentation, app-to-app micro-segmentation plays a very important role in containing this incident to a single host versus entire environment.
Starting point is 00:10:21 And then finally, in this case, Crytox is not exfilling data, but more than 50% of the ransomware threat actors that we're tracking perform data exfiltration as well. So you need to have a consistent data loss prevention strategy for all your internet-bound traffic. And that's where, again, SSL inspection plays a very important role
Starting point is 00:10:45 because these guys are just using public cloud, SaaS locations to even exfil your data from the infected machines. Yeah, it's really interesting to see as the ransomware, I don't know, ecosystem continues to evolve that we have players coming in and running at all different levels. I think it's perhaps easy to say that these folks are kind of at the entry level, not terribly sophisticated, not asking for a lot of money, trying to go unnoticed.
Starting point is 00:11:16 And then you have that all the way up to the big players and everything in between. Exactly. Yeah, it's a gamut. It's a pyramid model where there's highly sophisticated gangs at the top and then there's dozens and dozens of these new kids on the block or more work in progress kind of ransomware gangs. Yeah. All right. Well, Deepen Desai, thanks for joining us. Our thanks to Deepen Desai from Zscaler for joining us. The research is on the Crytox ransomware family. We'll have a link in the show notes. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
Starting point is 00:12:32 lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karpf,
Starting point is 00:13:14 Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
