Thanks to Dorka Palotay and Fraser Howard of SophosLabs for their behind-the-scenes work on this article.
A few readers have asked us about a ransomware variant with the intriguing name of Mole.
Interest seems to have been sparked by a recent security advisory from CareCERT, the cybersecurity initiative set up for the UK’s National Health Service (NHS), currently the world’s fifth largest employer.
(You know you want to ask, so we’ll answer. Depending on whom you consult and how you count, the list goes something like this: US Department of Defense, PRC People’s Liberation Army, Walmart, McDonalds, NHS.)
With cyberattacks on hospitals getting huge publicity in recent years, it’s not surprising that the UK’s healthcare CERT wants to keep its constituents on their toes when it comes to fending off ransomware attacks.
Ransomware is probably the most in-your-face sort of malware ever devised: when it triggers, it immediately scrambles your data files, sends the decryption key to the crooks, and offers to sell the key back to you.
Unless the crooks are lazy or have made a programming mistake, they end up with the only copy of the decryption key…
…so if you don’t have a recent backup, you may have little choice but to try to do a deal with the crooks to buy back the decryption key. (Sometimes, the crooks mess that part up, so even if you do pay the extortion money, you might end up with nothing anyway.)
How Mole starts off
Typically, ransomware attacks start with an email that tries to threaten, cajole or simply just sweet-talk you into running a malicious file that’s supplied by the crooks, shipped in from outside your network.
Just the sort of email or web link, in fact, that you really ought to treat with sufficient distrust to delete without opening or clicking on it.
Nevertheless, the crooks often hit their target by using emails that are mundane and unexceptionable enough that opening them up feels harmless – like this one associated with the Mole ransomware:
SophosLabs has also seen the Mole ransomware packaged inside a ZIP file, presumably so that the crooks can send out an attachment rather than (or even as well as) a weblink.
Some of us are more inclined to open attachments than to click unsolicited links, perhaps because we’ve ended up in trouble before from booby-trapped websites.
Others of us are diligent about deleting unsolicited attachments but more open to clicking through to websites, perhaps because we regularly exchange links with people we don’t know very well.
Launching the malware
If you click through to the link in the malicious email, you’ll typically be downloading the malware directly, under the guise of installing a special viewer program needed as a plugin for your browser to let you view the document from the courier company.
If you open the malware via an attachment, you’ll load the ransomware indirectly by launching a script inside the ZIP, again claiming to be a special viewer program.
In the sample we examined, the script file was called Flash-2017.js, as though it were an updated Flash viewer app.
Once you’ve invited the ransomware program into your computer, the trouble starts.
The ransomware leaves Windows itself and your apps intact, so you can still get online and send email, which is how the crooks make sure you’ll still be able to use your computers to contact them for “help” after the damage is done.
But your data files go from looking something like this…
…to this:
Even your filenames are scrambled, with every extension changed to .MOLE, and the names replaced with random numbers in hexadecimal.
The encryption is done with the RC4 algorithm, using a new, randomly-chosen key for each file.
This means that even if multiple copies of the same file are scrambled, each copy looks different from all the others, so you can’t even tell that the files used to be the same.
The decryption key for each file is itself encrypted using the RSA public-key algorithm, and then stored along with the encrypted file and filename.
Why use both RC4 and RSA?
The reason for using RSA to encrypt just the decryption key is that RSA is a special sort of encryption system that’s too slow to scramble whole files but fast enough for small amounts of data such as cryptographic keys.
But why bother with the extra step of using RSA, given that the file is already encrypted with RC4?
The answer is that RSA is what’s called a public key or asymmetric algorithm.
You need one key (called the public key, which you don’t need to keep secret) to scramble the data, but a completely different key (the private key, kept secret as the name suggests) to unscramble it later.
In other words, even though the crooks ship a copy of their public key inside the ransomware program to do the encryption of the RC4 keys, only the crooks themselves can unravel those decryption keys, assuming they keep the corresponding private key private.
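To make the hybrid scheme concrete, here is an added Python example (not Mole’s code, and not from Sophos): each “file” gets a fresh random RC4 key, and only the RSA-wrapped copy of that key is kept, so the process holding just the public key cannot reverse its own work. The RSA primes are constructed toy values and the scheme is unpadded, purely to keep the arithmetic visible.

```python
import os

# Toy RSA key pair from two constructed Mersenne primes (2^61-1 and 2^89-1),
# chosen so the modulus exceeds a 128-bit file key. Unpadded and far too
# small for real use; it only exists to show the public/private split.
_P, _Q = (1 << 61) - 1, (1 << 89) - 1
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
PUBLIC_KEY = (_N, _E)     # the half that ships inside the encrypting program
PRIVATE_KEY = (_N, _D)    # the half that never leaves the key holder

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rsa_wrap(file_key: bytes, pub: tuple) -> int:
    """Encrypt the 16-byte RC4 key with the public key (textbook RSA)."""
    n, e = pub
    return pow(int.from_bytes(file_key, "big"), e, n)

def rsa_unwrap(wrapped: int, priv: tuple) -> bytes:
    """Recover the RC4 key; only possible with the private exponent."""
    n, d = priv
    return pow(wrapped, d, n).to_bytes(16, "big")

def lock(plaintext: bytes, pub: tuple) -> tuple:
    """New random RC4 key per file; the raw key is discarded after use."""
    file_key = os.urandom(16)
    return rc4(file_key, plaintext), rsa_wrap(file_key, pub)

def unlock(ciphertext: bytes, wrapped: int, priv: tuple) -> bytes:
    """The step the encrypting program itself cannot perform."""
    return rc4(rsa_unwrap(wrapped, priv), ciphertext)

if __name__ == "__main__":
    record = b"constructed sample data"        # constructed stand-in for a file
    c1, w1 = lock(record, PUBLIC_KEY)
    c2, w2 = lock(record, PUBLIC_KEY)
    print("same input, different ciphertexts:", c1 != c2)
    print("recovered with private key:", unlock(c1, w1, PRIVATE_KEY) == record)
```

Running it twice on the same input shows two unrelated ciphertexts and two unrelated wrapped keys, which is exactly why identical files can no longer be spotted after scrambling.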
Simply put, the ransomware program can lock your files, but once it’s finished running, it can’t unlock the files, so you’re stuck with negotiating with the crooks, as explained in a text file that Mole opens automatically on your desktop:
Calling home
Like a lot of ransomware, Mole “calls home” when it starts up, connecting to a server operated by the crooks to let them know they’ve clocked up yet another victim.
The network packet is sent out as an innocent-looking POST request via HTTP:
The guid field in the uploaded HTTP data is the same as the DECRYPT-ID in the INSTRUCTIONS file shown above, so that the crooks can tie any later correspondence with you to your call-home.
After the ransomware has finished scrambling your files, it calls home again:
This time, the field labelled fc tells the crooks the file count – how many of your files they were able to scramble.
We assume that they’ll use this as a factor in negotiating the ransom price they want you to pay later on.
What to do?
Try these simple tips:
- When an unsolicited email asks you to open a file or click a link, don’t. (Sometimes, it really is that easy.)
- Be wary of unexpected web plugins. These days, most web pages, including those containing documents, videos and audio, are designed to load and display directly in your browser, specifically to reduce the need for plugins. If in doubt, ask someone you know and trust – never the sender of the unsolicited email!
- Keep a reliable current backup. That way you can recover from lost or scrambled files yourself, with no need to negotiate with crooks.
Remember: the only backup you will ever regret is the one you didn’t make.
Note. Sophos products detect and block this malware as Troj/Ransom-EKZ (the downloaded program that actually does the scrambling) and JS/DwnLdr-SQU (the script part, if used).
LEARN MORE
As always, the best defence against ransomware of any sort is not to get infected in the first place, so we’ve published a guide entitled How to stay protected against ransomware that we think you’ll find useful:
You might also enjoy our Techknow podcast Dealing with Ransomware:
Does InterceptX stop MOLE?
Yes. Specifically, the part of Intercept X known as “CryptoGuard”. CryptoGuard watches out for file-scrambling behaviour in such a way as to [a] kill off the rogue process doing the dirty work (in this case, the Mole ransomware program) and [b] revert its unauthorised changes.
As an aside (now I have my product hat on :-), Sophos gateway products also proactively blocked the inbound spam that tried to spread this thing (see sample email above), will head off attempts to download the malware either directly via clicking through in a browser or indirectly via the Flash_2017.js script, and will also prevent the call-home from working… though of course you wouldn’t expect to see a call home if the malware never showed up in the first place. HtH.
What happens to your backup files stored on OneDrive? Do they get encrypted as well or are they safe?
The usual process is as follows:
1) Files in your local sync location get encrypted/renamed
2) Since the files are changed, they get uploaded to the actual OneDrive/Dropbox/whatever service. So it’s always important to turn off the computer during a ransomware attack. Doing this can leave you with no option to recover your files, though, in case you decide to pay the malware distributor in the end if there is no other possibility, since the decryption key might not be uploaded on their end. They usually offer to decrypt a couple of files for free as proof.
Options to get files back:
1) OneDrive has version history which allows you to revert back to the previously uploaded unencrypted file version. Sounds great, but it becomes problematic if you have >100 files, since if nothing has changed there is no batch revision. You need to do this for each file or create a Microsoft support ticket; they can do batch versioning from their end, at least for commercial OneDrive 4 business / Sharepoint. Same goes for Dropbox. Not sure about Google and others.
2) Find a device with the same sync library that was not connected to the internet, thus not updating your previous local “healthy” files with the now encrypted ones. If you have such a device, it’s crucial to not be connected to the internet at any point while you copy your files to a safe location.
The answer is, “It depends” 🙂 As the commenter above points out, even if the ransomware can’t interact directly with OneDrive, or any other cloud-based storage system, it may interact *indirectly* if you have configured the cloud storage to sync automatically. The cloud storage will see that the file has changed (indeed, it will effectively be you who changed it, because the ransomware runs as if it were you, under your logon) and therefore needs backing up. But you ought to be able to roll back to an earlier version in that case.
Also, some cloud services have special drivers you can load that pretty much turn the cloud storage area into a network share or a drive letter so you can access it directly. That adds a lot of convenience, but also increases risk, because any program that knows how to access files can suddenly access your cloud storage directly, without any additional programming.
Loosely speaking, any file that you could load into NOTEPAD (even if it opened up as incomprehensible binary garbage) and save back to disk with Ctrl-S is *directly* at risk from malware, especially ransomware. Because what you can do, the malware can do, given that it effectively “is” you, at least as far as its Windows process is concerned.