According to security experts, most of the ransomware attacks are deployed through exploits, booby-trapped email attachments, or Microsoft Office loopholes, which occur when users are tricked into enabling macros. However, a series of recent onslaughts appeared to be different as the attackers have been using TeamViewer sessions as the malware entry point.
TeamViewer is a cross-platform piece of software used for remote computer access, which allows customers to get professional tech support, set up online meetings and interact with partners in real time via an intuitive interface. Due to the fact that the application boasts user count of 1 billion and growing, hackers have decided to try out its functionality in a not-so-benign way. Apparently, the potential attack surface is huge.
The ransomware campaign appeared on March 9 and originally didn’t seem to differ a lot from numerous copycats. One of the infected users complained that suddenly his personal data, including images, videos, text documents, PDF and DWG files, became inaccessible. An unknown malicious program had encrypted the files and concatenated a “.surprise” extension to every filename. Thus, a sample item named “presentation.pdf” morphed into “presentation.pdf.surprise”.
Additionally, the ransomware created several new files on the Desktop, namely DECRYPTION_HOWTO.Notepad, Encrypted_Files.Notepad, and surprise.exe. The first two are ransom notes and encrypted files list, respectively, and the last one is the malicious executable. The document with ransom instructions informs the victim to contact the attackers over the following emails: firstname.lastname@example.org and email@example.com, and provide such details as the country, computer name and username. The user should also indicate the same information in messages to both of the above addresses, most probably because the hackers assume either of these accounts may be suspended as a result of infected people’s complaints.
The only way for these files to be recovered is after the victim pays a ransom in Bitcoins. The most intriguing fact here is that the amount depends on how important the locked data is, and it may range from 0.5 BTC to as much as 25 BTC. These terms are to be negotiated individually. Apparently, if this ransom Trojan hits an enterprise network consisting of multiple machines, the ransom will be much higher than in a single PC assault scenario. Besides, the attackers are “helpful” enough to decrypt one file for free, which is sort of a cold comfort to the target. This is how cyber criminals try to prove they are capable of restoring the frozen data.
While analyzing the incident, security researchers found out that it wasn’t a run-of-the-mill ransomware breed. The inspection of its executable – surprise.exe – revealed the Trojan’s affiliation with the ill-famed EDA2, a fully functional open-source ransomware devised by Utku Sen, a Turkish enthusiast who wanted to demonstrate how this sort of malicious code operates. The researcher ventured to publish his source code on GitHub. Despite the fact that he emphasized that EDA2 was intended for educational purposes only, the attackers ended up using it to coin more than 20 real-world crypto malware spin-offs. This turn of events made Mr. Sen abandon his proof-of-concept project and remove the code from GitHub, however, cyber criminals had apparently made copies to further use it for creating new file-encrypting viruses.
The surprise.exe process loads the malicious program from Base64 encoded string into the targeted computer’s memory and launches it from there. When deploying the crypto job, the malware ignores a number of directories, including Windows, Program Files and folders whose depth exceeds 235 characters. The Trojan uses a mix of RSA-2048 and AES-256 to encrypt files. The combination of public-key cryptography and symmetric cipher makes it impossible to derive decryption keys. The only way for recovery is to access the hackers’ Command and Control server and try to obtain the keys stored on it, though the C2 appears to be down for the moment. Besides, the researchers found that this ransomware runs a batch script to erase Shadow Copies and thus make the VSS-based file restoration vector inefficient.
However, the main zest of this campaign, is in the way the ransomware propagates. It appeared that all infected users who joined the aforementioned forum thread had TeamViewer v10.0.47484 software installed on their virtual machines. Besides, the analysis of TeamViewer traffic logs showed that someone had remotely executed surprise.exe process on computers, which resulted in malware injection behind the scenes. Also, the experts found out that the user ID was identical across most of the unauthorized remote connection sessions, but not all. For that reason, it is premature to state for a fact that one account (479440875) was used to infect systems. The scariest thing is that the strange traffic behavior had been taking place for months in some of the reported cases.
The preliminary analysis of this incident has spawn some speculations regarding the role of TeamViewer in these attacks. There may have been an undetected breach that resulted in a massive theft of user credentials. Both the security researchers and infected users reached out to the vendor for comments on this defiant abuse of their service. In particular, identifying the likely attacker by the ID mentioned above might help stop the malware circulation and track down the perpetrators. The company gave no answer at this point.
In the meantime, the C2 for Surprise Ransomware remains down. This circumstance is a doubled-edged sword. On the one hand, the extortionists are unlikely to attack new workstations, because the secret encryption keys cannot be generated by the server, and decryption keys cannot be properly stored. On the other hand, the users who fell victim to this Trojan earlier have hardly any chances to get their files back even if they are willing to pay the ransom. The likelihood of forensic software recovering the data isn’t high either, because the infection leverages advanced shredding techniques to securely delete the original copies of one’s files.