Analysis of CryptFile2 Ransomware Server

Curt Wilson

Download ASERT Threat Intelligence Report 2016-06 here

This report describes several elements of a ransomware staging system using the Nemucod malware to deliver CryptFile2 (aka Hydracrypt.A and Win32/Filecoder.HydraCrypt.C) ransomware, an ongoing threat since at least mid-March of 2016. This report reveals TTP’s (tactics, techniques, procedures) of threat actors, including insight derived from limited interactions via e-mail. The information in this report is derived from the analysis of a now defunct C2 server/staging site discovered in August of 2016 and is provided to inform detection capabilities and improve defensive posture with regards to ransomware staging and distribution.While this report focuses on the server-side aspects of a CryptFile2 ransomware operation, an understanding of the endpoint behavior may be obtained from the following reports:

Ransomware continues to be a substantial problem for many victims. Every week, ASERT encounters substantial movement involving the ransomware threat landscape as the victim count increases. Threat actors in this case don’t appear to be running a huge campaign from the vantage point of the victims profiled herein, however we must be mindful of the fact that this is just one aspect of one ransomware campaign. Since most analysis of ransomware activity tends to focus on endpoint malware activity, encryption method, and in some cases how to decrypt without paying the ransom, visibility into the threat from the server side hopefully provides additional context to this malware family that can be used to enrich situational awareness surrounding this and other ransomware activity.

This report was previously delivered exclusively to Arbor customers.

Download ASERT Threat Intelligence Report 2016-06 here