A Recent and Quick Encounter with “Ransomware”
Posted by William Diaz on October 21, 2012
While browsing the Internet last night from one of my home PCs, I was suddenly hit with the following full screen warning: “THE FBI Federal Bureau of Investigations. ATTENTION! Your PC is blocked due to at least one of the reasons specified below…”
I wasn’t able to exit the full screen and CTRL+ALT+DEL didn’t help because, even though I could select the Task Manager, I couldn’t see it since the above window remained in focus and everything opened behind it. Normally, you work around this by just restarting the PC in Safe Mode and then doing your search for the offender and manually cleaning it out. In my case, I didn’t want to shut down because I had open files that were in the state of being edited and didn’t want to risk losing data.
To work around this, I used the three finger salute to select the Switch User option. The “ransomware” infection was likely only affecting my user account, so from here, I logged on as one of the other accounts (my kid’s standard user account) and launched Process Explorer with admin privileges. It didn’t take long to spot the offender because I knew that this process does not run in the context of the user (blue-gray color vs. system processes in pink) and lsass.exe is actually the Local Security Authority Process, not the Windows host process rundll32.exe:
Looking at the process properties, we can see where it is running from and how it works:
It placed itself in C:\ProgramData. The actual ransomware screen is being rendered by a VLC media component, vlcplayer.dll, that installed itself in the user temp folder. If you don’t already know, rundll32.exe is used to run a dll as a program. By comparison, the actual lsass.exe process looks like this:
Another thing worth noting, when fighting malware, scareware, and ransomware, one of the easy ways of spotting a rogue process is to check to see if its signature can be verified. Many malware authors like to describe their processes as valid Windows services or programs signed by Microsoft to avoid quick visual detection. Initially, one might be surprised, as I was, by the fact that the process that actually renders the ransomware screen is “Verified”:
In this case, the ransomware author decided to package a legitimate copy of rundll32.exe with the payload and renamed it to lsass.exe. The irony is that this might have been harder to spot if rundll32.exe wasn’t renamed to lsass.exe. Leaving it named as rundll32.exe would have actually left me stumped a bit longer because it’s not uncommon to see this process running in Windows at any one time, whereas two lsass.exe processes are an immediate giveaway.
Eager to get back to my original user session, I switched back to the previous account I was originally working in. With the ransomware screen out of the way, I could see that Microsoft Security Essentials did, in fact, spot the threat and seems to have suspended it; you can also see it auto-starts itself by creating a link to itself in the user’s startup folder:
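A defender-side check for the two tells described above, added here as an example and not taken from the original post: it flags extra or out-of-place processes named lsass.exe (a renamed rundll32.exe keeps its PE version resource, so its OriginalFilename still reads RUNDLL32.EXE) and lists Startup-folder shortcuts whose targets sit under ProgramData or a Temp folder. The per-user Startup path layout and the use of the WScript.Shell COM object to resolve .lnk targets are assumptions about a standard Windows install.

```powershell
# Added example (not the post's own code). Run from an elevated PowerShell session.
$system32 = Join-Path $env:SystemRoot 'System32'

function Test-LsassLookAlike {
    # The genuine lsass.exe runs exactly once, from System32, with OriginalFilename "lsass.exe".
    $procs = @(Get-Process -Name lsass -ErrorAction SilentlyContinue)
    if ($procs.Count -gt 1) {
        Write-Warning ("{0} processes named lsass.exe are running; only one is expected." -f $procs.Count)
    }
    foreach ($p in $procs) {
        $path = $p.Path   # may be $null for a protected system process if not elevated
        if (-not $path) { Write-Output "PID $($p.Id): image path not readable (likely the real, protected lsass)"; continue }
        $info  = (Get-Item -LiteralPath $path).VersionInfo
        $sig   = Get-AuthenticodeSignature -FilePath $path
        $flags = @()
        if ($path -notlike "$system32\*") { $flags += "runs from '$path', not System32" }
        # A renamed copy of rundll32.exe is still signed, so the signature check alone passes;
        # the version resource is what gives it away.
        if ($info.OriginalFilename -and $info.OriginalFilename -notmatch '^lsass\.exe$') {
            $flags += "OriginalFilename is '$($info.OriginalFilename)'"
        }
        if ($sig.Status -ne 'Valid') { $flags += "signature status $($sig.Status)" }
        if ($flags.Count -gt 0) { Write-Warning ("PID $($p.Id): " + ($flags -join '; ')) }
        else { Write-Output "PID $($p.Id): looks like the genuine lsass.exe" }
    }
}

function Get-StartupShortcuts {
    # Resolve every .lnk in each user's Startup folder and mark targets in ProgramData or a Temp folder.
    $shell = New-Object -ComObject WScript.Shell
    $dirs  = Get-ChildItem 'C:\Users' -Directory | ForEach-Object {
        Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }
    foreach ($dir in ($dirs | Where-Object { Test-Path -LiteralPath $_ })) {
        foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter *.lnk) {
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            [pscustomobject]@{
                Shortcut   = $lnk.FullName
                Target     = $target
                Suspicious = ($target -like "$env:ProgramData\*" -or $target -like '*\Temp\*')
            }
        }
    }
}

Test-LsassLookAlike
Get-StartupShortcuts | Format-Table -AutoSize
```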