Site icon Sophos News

How BitPaymer ransomware covers its tracks

Thanks to Anand Ajjan and Dorka Palotay of SophosLabs, and Paul Ducklin of Naked Security, for the research this article is based on.

Ransomware is a blunt instrument that wants your money and doesn’t usually care if it leaves footprints behind.

So when SophosLabs researchers analyzed a sample of the BitPaymer ransomware family, they were surprised to see it using a malware coding trick that you don’t see very often – one that makes it harder to figure out how the attack unfolded after the event.

While that may sound like cold comfort if your files have just been scrambled, it makes it harder to warn the next victim what to look out for.

This sample uses a feature of the Windows file system called alternate data streams (ADS) so that the malware is less obvious while running.

BitPaymer starts off as a regular .EXE (program) file, but when running the malware copies itself into not one but two alternate data streams where it exists as a sub-component of otherwise empty files.

The malware then transfers control into the new copies of itself in ADS and deletes the more obvious .EXEfile in which it arrived.

(SophosLabs researchers have received a sample of the malware but fortunately haven’t seen it in the wild yet. If it were used, it would likely arrive as a malicious email attachment or link, as is typical for ransomware attacks.)

Sophos Anti-Virus detects BitPaymer as Troj/Agent-AXEG and HPmal/Ransom-Y.

Let’s explore this malware in greater detail…

What are alternate data streams?

Conventionally, a file consists of a sequence of bytes stored under a unique filename. This sequence of bytes is often referred to as a stream.

Windows NTFS (NT file system) files not only have a main stream, referred to by the filename, but can also have any number of alternate data streams stored along with the file and referenced by the filename, followed by a colon, followed by the alternate data stream’s name.

Only the filename of the main stream shows up in regular directory listings or in Explorer.

Because of this, attackers sometimes use ADS in an attempt to hide what they’re doing from security software, but it’s rare to see ransomware using it in this manner.

According to SophosLabs researcher Anand Ajjan, ADS is typically used for storing additional data about the main stream, such as the date and time the file was downloaded from the Internet.

Ajjan said:

ADS adds more stealth.  When a process is launched and does something malicious, there are no files backing the process except alternate data streams.

Attack sequence

According to our analysis in SophosLabs, BitPaymer:

Because the running copies of the original malware files end up shrouded in two ADSes, they are less noticeable than usual, and can delete the original malware files when they’re finished.

To encrypt files:

Most ransomware sticks to encrypting your data files, steering clear of your application directories and program files such as EXEs and DLLs: software that goes missing unexpectedly can cause problems such as crashes and instability. (The crooks want to make sure you can still get online and use your browser after the attack, because that’s how they squeeze the ransom out of you.)

BitPaymer is more aggressive than that, encrypting your apps and program files along with your data, although it carefully avoids the Windows folder to avoid messing with the operating system itself.

The pay page

BitPaymer, like most ransomware, does its damage quietly with your files getting scrambled invisibly in the background.

You only realise you’re in trouble when your files turn into shredded cabbage and you’re greeted with the message YOUR COMPANY HAS BEEN SUCCESSFULLY PENETRATED:

Defensive measures

As mentioned above, Sophos Anti-Virus detects this ransomware as Troj/Agent-AXEG and HPmal/Ransom-Y.

To avoid the financial and data loss that goes with such an attack, we also recommend regularly backing up files and keeping a recent backup copy off-site.

There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete.

Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.

Other resources

Other links we think you’ll find useful:


Techknow podcast — Dealing with Ransomware:

LISTEN NOW

(Audio player above not working? Listen on Soundcloud or access via iTunes.)

Exit mobile version