TastyLock Ransomware – A Closer Look

We hope that you took some downtime over the last few weeks. Unfortunately, ransomware campaigns did no such thing. Let’s take a look at one of the nastier variants we have seen lately: TastyLock.

TastyLock: Technical Details

TastyLock is not an entirely new breed of ransomware. Instead, it appears to be part of the CryptoMix/CryptoWall family tree. Like CryptoMix/CryptoWall, TastyLock encrypts files on victim machines using AES in CBC mode with a random 256-bit key. It then renames each encrypted file with the extension “.tastylock” and drops a text-file ransom note named “_HELP_INSTRUCTION.txt” for the victim to find.

When all of these factors are taken together, you shouldn’t expect to see a decryptor available for this particular variant: a random 256-bit AES key cannot be brute-forced, so short of the authors’ key material leaking or a flaw turning up in how the key is generated or stored, there is nothing for a decryptor to work with.
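As an added example (not CryptoDrop’s code or detection logic), the following script is the kind of triage check a responder could run against a suspect host using only the two indicators named above, the “.tastylock” extension and the “_HELP_INSTRUCTION.txt” note, plus a generic entropy test that flags files whose contents look like cipher output. The victim directory it scans is constructed in a temporary folder; the entropy threshold, sample size and list of already-compressed formats are assumptions.

```python
"""Triage check for the TastyLock artifacts named above.

Added example, not CryptoDrop's detection logic. It looks for the two
indicators the page gives (files renamed to .tastylock and the
_HELP_INSTRUCTION.txt note) and adds a generic entropy test, since AES-CBC
output looks like random bytes (close to 8 bits of entropy per byte).
Every file it scans here is constructed in a temporary directory; none is
real TastyLock output.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXTENSION = ".tastylock"
RANSOM_NOTE = "_HELP_INSTRUCTION.txt"
HIGH_ENTROPY_BITS = 7.5      # assumption: plain text and office files sit well below this
SAMPLE_BYTES = 4096          # assumption: the head of a file is enough to judge it
ALREADY_COMPRESSED = {".jpg", ".png", ".zip", ".gz", ".mp4", ".pdf", ".docx", ".xlsx"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def triage_tree(root) -> dict:
    """Walk root and sort files into renamed victims, ransom notes, and unrenamed
    files whose contents look encrypted. Compressed formats are skipped for the
    entropy test because they are high-entropy by design and would drown the
    result in false positives."""
    findings = {"renamed": [], "notes": [], "high_entropy_unrenamed": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE:
            findings["notes"].append(str(path))
        elif path.suffix == RANSOM_EXTENSION:
            findings["renamed"].append(str(path))
        elif path.suffix.lower() not in ALREADY_COMPRESSED:
            head = path.read_bytes()[:SAMPLE_BYTES]
            if len(head) >= 512 and shannon_entropy(head) > HIGH_ENTROPY_BITS:
                findings["high_entropy_unrenamed"].append(str(path))
    # Note plus renamed files is the TastyLock pattern; high-entropy files with
    # neither could be encryption still in progress or a variant using a new extension.
    findings["likely_tastylock"] = bool(findings["notes"]) and bool(findings["renamed"])
    findings["needs_manual_review"] = bool(findings["high_entropy_unrenamed"])
    return findings


def pseudo_ciphertext(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for encrypted contents (chained SHA-256); to the
    entropy test it is indistinguishable from AES output."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def build_demo_tree(root) -> None:
    """Constructed victim directory: two renamed documents, the note, a plain text
    file, a JPEG-like blob that is legitimately high entropy, and one encrypted
    file that has not been renamed yet."""
    root = Path(root)
    (root / "docs").mkdir()
    (root / "docs" / "Q4-report.docx.tastylock").write_bytes(pseudo_ciphertext(8192, b"a"))
    (root / "docs" / "budget.xlsx.tastylock").write_bytes(pseudo_ciphertext(2048, b"b"))
    (root / RANSOM_NOTE).write_text("constructed placeholder for the ransom note\n")
    (root / "docs" / "todo.txt").write_text("buy milk\ncall dentist\nrotate backups\n" * 40)
    (root / "holiday.jpg").write_bytes(pseudo_ciphertext(4096, b"c"))        # compressed: skipped
    (root / "docs" / "contract.txt").write_bytes(pseudo_ciphertext(4096, b"d"))  # encrypted, not renamed


def run_demo() -> dict:
    """Build the constructed tree in a scratch directory and triage it."""
    with tempfile.TemporaryDirectory() as scratch:
        build_demo_tree(scratch)
        return triage_tree(scratch)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The strong signal is the note together with renamed files; the entropy test on its own is only a prompt for manual review, because an encrypted file that has not been renamed yet looks exactly like one a future variant renamed with some other extension, and both look like a ZIP archive unless you skip formats that are compressed by design.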

TastyLock Ransom note.

Communications and Network Behavior

Like many other pieces of ransomware, TastyLock tells victims to email them a specific code (shown above). We’ve heard that the malware authors were originally requesting one Bitcoin (roughly $16,000 on Jan 1, 2018) for the decryption keys.

Even if you decide to pay the ransom to get your files back (and we hope you don’t need to consider that because you’re running CryptoDrop – see our results below), you’re unlikely to be able to actually do so. The aol.com address used by the attackers still appears to accept mail, but none of our requests were answered. That means that while the ransomware is still lurking out there (we’re seeing it in a small number of our sensors), there is currently no one on the other end to take a payment or hand over a key.

How Did CryptoDrop Do?

As always, we ran this sample of ransomware against CryptoDrop. TastyLock wasted no time trying to encrypt our files, but it was no match for our software. We had no difficulty detecting the attempts to encrypt files, and put the system into lockdown mode.

CryptoDrop stops TastyLock

TastyLock aggressively attempts to kill Windows Defender. Any new build that Defender does not yet recognize would therefore run with the machine’s built-in protection switched off, which makes future versions of this ransomware particularly dangerous. Better to protect yourself against this variant now than to hope it simply goes away.

CryptoMix/CryptoWall has been around for quite some time, and is one of the more successful campaigns. While we do not expect many people to be hit by this particular variant, it is safe to bet that new variants will be seen in the near future. Not to worry though – CryptoDrop will protect you against those, too.

Still not running CryptoDrop? Give us a shot – we’ve stopped every piece of ransomware that we and the independent lab AV-TEST have thrown at us. When traditional anti-virus products fail (or are attacked, as we saw here), CryptoDrop gives you an extra layer of protection. Try out our Free version today, and use our Fast Recovery version to restore any lost files and get back in business in seconds.

We Stop Ransomware!

Soaring Bitcoin and Its Impact on Ransomware

Just about everyone has heard about the soaring price of Bitcoin. The value of this cryptocurrency has risen over 1500% in 2017 (nearly tripling in the last month alone), and its growth shows little hint of slowing.

We’re not taking a position on the value or utility of any cryptocurrency. Ultimately, the market will decide whether Bitcoin continues to grow as a decentralized, censorship-resistant platform or fades away rapidly if and when the bubble pops. That said, we think you have reason to care.

Bitcoin and Ransomware

Like it or not, Bitcoin matters to you today for one main reason: ransomware. It’s the favorite payment platform of ransomware authors because it’s pseudonymous: addresses are not tied to names, although chain analysis offers plenty of ways to link wallets to identities (a discussion we leave for another day). Unlike traditional payment methods, Bitcoin is also difficult to block. While law enforcement and traditional financial institutions have long worked together to stop payments to criminal operations, such cooperation has had little success in the cryptocurrency ecosystem.

Bitcoin is not the only cryptocurrency ever used by ransomware. CryptoLocker used Litecoin through at least 2015. CradleCore (a “Ransomware-as-a-Service” platform) has built-in support for Ethereum and Monero. There’s no technical reason why any of these “alt-coins” can’t be used for ransom payments.

So why is Bitcoin king of cryptocurrencies for ransomware payments? Two reasons: First, Bitcoin is a brand, just as much as Visa, Mastercard or Western Union. Granted, Bitcoin isn’t owned by any single centralized entity, but ransomware authors benefit from regular people knowing about this particular payment platform. If ransomware victims have faith that Bitcoin is a reliable means of getting funds to their attackers (and ultimately getting their data back), payments are more likely to be made. Second, with the price of Bitcoin skyrocketing, a payment of $1000 today may be worth far more in a month. That means that every Bitcoin paid to the attackers is likely to be worth far more when they eventually decide to cash out. Imagine if your bank account accumulated interest at the same pace as the price of Bitcoin has surged!

The Problem with Success

The skyrocketing price of Bitcoin may not actually be a benefit to the ransomware ecosystem. To understand why, let’s start with a look at the Bitcoin Mempool over the past few days.

Johoe’s Mempool Statistics: https://jochen-hoenicke.de/queue/

If you’re not familiar, the Mempool is basically the waiting area for Bitcoin transactions: each node keeps a pool of valid transactions that have been broadcast but not yet included in a block. All unconfirmed transactions wait there until a miner chooses to include them in a block (which is then appended to the public ledger, or “blockchain”). All that talk about Bitcoin in the past few days has dramatically increased transaction volume, and the graph above shows between 100k and 225k transactions waiting to be made official.

Is this normal? Let’s take a more historical perspective:

Johoe’s Mempool Statistics: https://jochen-hoenicke.de/queue/

The three-month view shows that volume is exceptionally high at the moment, but nothing suggests this is a passing spike rather than a new normal: the trend line keeps moving upwards.

Ok, so Bitcoin is being exchanged more often. So what?

BLOCKCHAIN LUXEMBOURG S.A. – https://blockchain.info/charts/avg-confirmation-time?timespan=30days

This graph shows the average confirmation time for Bitcoin transactions over the past month. The most critical points in this graph are the spikes up around 1,200 minutes. That’s 20 hours. Remember, too, that this is an average. Miners fill blocks in order of fee rate (satoshis per byte of transaction data), not by the amount being sent, so a transaction that pays a generous fee is confirmed quickly while one that pays a low fee may languish for much longer, whether it moves a few hundred dollars (a fraction of a Bitcoin) or a great deal more.

That is one busted clock… goodbye, decryption keys…

Much ransomware sets a hard deadline, commonly 24 hours, after which the bad guys threaten to delete the decryption keys. That means that even if you are sitting at your computer when the attack happens and immediately decide to pay the ransom, you may not be able to get the payment confirmed in time to get your data back. Hesitation, or a fee set too low for the current backlog, all but ensures that your transaction won’t be confirmed before the deadline. While many things paid for in cryptocurrencies don’t need to settle immediately, the ticking clock that is ransomware demands near-real-time transactions.
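To make the fee-rate and deadline points concrete, here is an added toy model. It is not CryptoDrop’s code, and it is a deliberate simplification of what a real block-template builder does: the mempool is treated as a stack of fee-rate bands like the ones in Johoe’s chart, a miner fills each block from the top band down, and the only thing that decides how long a ransom payment waits is how many bytes out-rank it. The 1 MB block, 10-minute spacing, 250-vbyte payment size, and the backlog and arrival figures are all constructed assumptions, not measured data; the cheapest-rate search is what option 3 below (pushing victims toward higher fees) amounts to in practice.

```python
"""Toy model of how a ransom payment moves through the Bitcoin mempool.

Added example, not CryptoDrop's code and not Bitcoin Core's template
builder. It keeps the one rule that matters for the discussion above:
miners fill a block in descending order of fee rate (satoshis per vbyte),
and the amount a transaction moves never enters the decision.
The backlog and arrival figures are constructed, not measured.
"""
from collections import Counter

BLOCK_VBYTES = 1_000_000                        # assumption: 1 MB of transaction data per block
BLOCK_INTERVAL_MIN = 10                         # average spacing between blocks
DAY_IN_BLOCKS = 24 * 60 // BLOCK_INTERVAL_MIN   # 144 blocks ~ a 24-hour ransom deadline
SATS_PER_BTC = 100_000_000
TX_VBYTES = 250                                 # assumption: a typical one-input, two-output payment


def fee_band_profile(total_vbytes: int, lo_rate: int, hi_rate: int) -> Counter:
    """Constructed mempool snapshot: total_vbytes spread evenly over fee rates
    lo_rate..hi_rate sat/vB, i.e. the stacked bands of Johoe's chart."""
    rates = range(lo_rate, hi_rate + 1)
    return Counter({rate: total_vbytes // len(rates) for rate in rates})


# Constructed congestion scenario: 40 MB already queued and 1.2 MB arriving per
# block against 1 MB of capacity, so the queue grows and low fee rates starve.
BACKLOG = fee_band_profile(40_000_000, 1, 400)
ARRIVALS_PER_BLOCK = fee_band_profile(1_200_000, 1, 400)


def blocks_to_confirm(fee_rate: int, size_vbytes: int = TX_VBYTES,
                      backlog: Counter = BACKLOG,
                      arrivals: Counter = ARRIVALS_PER_BLOCK,
                      max_blocks: int = DAY_IN_BLOCKS):
    """Blocks until a transaction paying fee_rate sat/vB is mined, or None if
    it is still waiting after max_blocks.

    Only bytes that out-rank us matter: what is already queued at our rate or
    better (first come, first served within a band) plus higher-rate
    transactions that keep arriving. Lower-rate traffic never delays us,
    however much money it moves.
    """
    ahead = sum(v for rate, v in backlog.items() if rate >= fee_rate)
    incoming = sum(v for rate, v in arrivals.items() if rate > fee_rate)
    for block in range(1, max_blocks + 1):
        ahead += incoming
        if ahead + size_vbytes <= BLOCK_VBYTES:
            return block                          # the miner reaches us with room to spare
        ahead = max(0, ahead - BLOCK_VBYTES)      # one block's worth of competitors cleared
    return None


def cheapest_rate_for_deadline(deadline_blocks: int = DAY_IN_BLOCKS,
                               size_vbytes: int = TX_VBYTES,
                               max_rate: int = 2_000):
    """Lowest fee rate that lands before the deadline under this scenario."""
    for rate in range(1, max_rate + 1):
        if blocks_to_confirm(rate, size_vbytes, max_blocks=deadline_blocks) is not None:
            return rate
    return None


def ransom_payment_outcome(amount_btc: float, fee_rate: int,
                           deadline_blocks: int = DAY_IN_BLOCKS) -> dict:
    """Does a payment of amount_btc at fee_rate beat the deadline, and what did
    the fee cost? amount_btc is only echoed back; the scheduler never sees it."""
    blocks = blocks_to_confirm(fee_rate, max_blocks=deadline_blocks)
    return {
        "amount_btc": amount_btc,
        "fee_rate_sat_vb": fee_rate,
        "fee_btc": fee_rate * TX_VBYTES / SATS_PER_BTC,
        "confirmed_in_blocks": blocks,
        "minutes": None if blocks is None else blocks * BLOCK_INTERVAL_MIN,
        "beats_deadline": blocks is not None,
    }


if __name__ == "__main__":
    # A whole-Bitcoin ransom with a stingy fee loses to a small payment with a generous one.
    for amount, rate in ((1.0, 20), (0.05, 400), (1.0, 200)):
        print(ransom_payment_outcome(amount, rate))
    print("cheapest fee rate that beats a 24h deadline here:",
          cheapest_rate_for_deadline(), "sat/vB")
```

Under these constructed numbers a 1 BTC payment at 20 sat/vB never confirms within the day, while 0.05 BTC at 400 sat/vB is in the next block; the amount is irrelevant, the fee rate is everything. The search for the cheapest rate that still beats the deadline is exactly the calculation a victim would be pushed into if attackers started demanding higher fees, and it moves every time the backlog does.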

Disruption in the payment ecosystem means there’s an increased risk of disruption in the ransomware ecosystem.

What Can We Expect?

The only constant here is change. At the moment, ransomware authors have three main options:

  1. Extended Deadlines: It’s possible that ransomware authors collectively decide to give their victims 48 hours instead. However, if Bitcoin continues to grow in popularity as we have seen over the past year, transaction throughput will easily become a choke-point again. We think this approach is plausible but unlikely because extended time decreases the “impulse effect”. That is, victims are potentially less likely to pay the ransom because they have time to think about their decision (and potentially find copies of some of their data).
  2. Switching to Alt-Coins: Alternatively, ransomware authors could start using alt-coins (e.g., Litecoin, Ethereum, Zcash, etc.). This response is also risky, given the loss of both the surging price (although some others are also increasing) and brand recognition.
  3. Raising Ransoms (via transaction fees): Finally, ransomware authors may simply raise their prices (if only via telling victims to pay transaction fees at an increasingly high rate) to ensure that their transactions are chosen more quickly in the Mempool. The risk here is that paying the ransom becomes entirely unreasonable in the eyes of victims, reducing the overall payout received by the bad guys.

We certainly don’t expect ransomware authors to quit simply because of volatility in their preferred payment platform. We also want to remind you that even when a payment is handled swiftly, paying a ransom provides no guarantee of getting your files back. That said, we’ll be watching to see how they react.

Final Thoughts

Regardless of your opinions on the long-term success of cryptocurrencies, you have to pay attention to this space. Payment platforms are tremendous influencers of traditional businesses – think about how few people in the United States go into gas stations since the near universal deployment of pay-at-the-pump. There’s no reason to believe that cryptocurrencies won’t continue to impact how ransomware authors operate.

The best way to ensure that the rapidly fluctuating Bitcoin ecosystem doesn’t impact your decision or ability to pay ransom is to take steps to never have to pay it. Protect your data. Grab a free copy of CryptoDrop today, and consider using our Fast Recovery Edition to get your files back in seconds.
