Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

The CryptoLocker Malware encrypts certain files with a private key and demands payment to regain access to the files. Nick Bilogorskiy, Director of Security Research, presents this deep dive into CryptoLocker and looks at the latest information around what is called one of the two most sophisticated and destructive forms of malicious software in existence. (The other being Gameover Zeus.)

Malware’s Most Wanted is a monthly series to inform IT security professionals on the details of the most dangerous advanced persistent threats. Attendees receive a special edition t-shirt.


Speaker notes:
  • FBI’s Washington Field Office, in coordination with law enforcement counterparts from Canada, Germany, Luxembourg, the Netherlands, United Kingdom, and Ukraine.
  • Michele Spagnuolo, an Italian grad student, looked at a few known CryptoLocker Bitcoin payment addresses and observed, in the course of one day in December: "In total, we identified 771 ransoms, for 1226 BTC," which was USD 1,100,000 on December 15, 2013.

    So the gang could be estimated to be making a million dollars a day.

    Security researchers estimate that, as of April 2014, Cryptolocker had infected more than 234,000 computers, with approximately half of those in the United States. One estimate indicates that more than $27 million in ransom payments were made in just the first two months since Cryptolocker emerged.
  • Now we have our first poll question:

    What do you think is the most prevalent use of Zeus malware?
  • The Interdisciplinary Research Centre in Cyber Security at the University of Kent in Canterbury did a survey in January 2014, which found that the proportion of Cryptolocker victims that claim to have agreed to pay the ransom to recover their files (41%) seems to be much larger than expected (3% was conjectured by Symantec, 0.4% by Dell SecureWorks).
    http://www.cybersec.kent.ac.uk/Survey2.pdf
  • It employs a Domain Generation Algorithm for its C&C servers and checks for an active server by sending system data. Communication to the server is encrypted with an RSA public key found in the malware’s body. A valid C&C server will be the only one that can decrypt the data because it is expected to have the private key. All communication between the Cryptolocker malware and the C&C server is encrypted with this RSA public key.

    After the C&C server establishes a connection with the malware, it generates a key pair, a public key and a private key. The malware sends a request for the public key and the server responds.
  • If you have Dropbox mapped to a drive letter on an infected computer, CryptoLocker will attempt to encrypt the files on the drive. Dropbox offers free versioning on all of its accounts that will allow you to restore encrypted files through their website. Unfortunately, the restore process offered by Dropbox only allows you to restore one file at a time rather than a whole folder.
Slide transcript: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

    1. Dissecting the Cryptolocker Ransomware. Cyphort Labs Malware’s Most Wanted Series, June 2014
    2. Your speakers today: Nick Bilogorskiy, Director of Security Research; Jean Krahulec, Event Marketing Director
    3. Agenda
       o What is Cryptolocker
       o Major incidents involving Cryptolocker
       o Dissecting the malware
       o Wrap-up and Q&A
       (Cyphort Labs T-shirt)
    4. About Cyphort Labs
       o We work with the security ecosystem: contribute to and learn from the malware KB; best of 3rd party threat data
       o We enhance malware detection accuracy: false positives/negatives; deep-dive research
       o Threat Monitoring & Research team: 24x7 monitoring for malware events; assist customers with their forensics and incident response
    5. Poll #1: Who does Cryptolocker target?
       o Governments
       o Individuals
       o Corporations
    6. What is Cryptolocker?
       o Began September 2013
       o Encrypts victim’s files, asks for $300 ransom
       o Impossible to recover files without a key
       o Ransom increases after deadline
       o Goal is monetary via Bitcoin
       o 250,000+ victims worldwide (according to SecureWorks)
    7. If you see this screen, you are infected. (Image source: FBI)
    8. Who pays the ransom? A police department paid $750 to decrypt images and Word documents.
    9. Ransomware History
       o 2005: PGPCoder Trojan – 1024-bit RSA key, collects money via EGOLD
       o 2009: Bitcoin is invented by Satoshi Nakamoto
       o 2012: Reveton Trojan, aka Police Trojan, collects money via MoneyPak
       o 2013: Bitcoin becomes popular, price increases
       o 2013: Cryptolocker
    10. Cryptolocker History (timeline, September 2013 to June 2014)
       o September 2013: Cryptolocker 1.0 appeared
       o November 2013: CryptoLocker Decryption Service introduced
       o December 2013: Cryptolocker 2.0
       o February 2014: Cryptodefense, BitCrypt
       o May 2014: Android SimpleLocker
       o June 2014: Cryptolocker author identified and added to most wanted list
    11. Attribution. According to the FBI, losses are “more than $100 million.” (Image source: FBI)
    12. Attribution. Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia, nickname “Slavik”, indicted for conspiracy, computer hacking, wire fraud, bank fraud, and money laundering. Bogachev is identified as a leader of a cyber gang of criminals based in Russia and Ukraine that is responsible for both GameOver Zeus and Cryptolocker.
    13. Cryptolocker Victims and Damages
       o Dell SecureWorks estimates that CryptoLocker has infected 250,000 victims. The average payout is $300 each.
       o 1 million dollars a day
       o $27 million in ransom in first 2 months (FBI)
    14. Cryptolocker Victims and Damages (Image source: FBI)
    15. Poll #2: What percentage of victims pay the ransom?
       o 0.1%
       o 1%
       o 25%
       o 41%
    16. 41% of people pay ransom. Data from a Jan 2014 survey by University of Kent, http://www.cybersec.kent.ac.uk/Survey2.pdf
    17. Cryptolocker overview (diagram labels: C&C Server, Bitcoin Ransom Sent, Private Key Sent, Locked Files, Unlocked Files)
    18. Cryptolocker analysis
       - Drops a copy of itself in %APPDATA%\{random}.exe
       - Creates the following autorun key:
         HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "CryptoLocker":<random>.exe
       - Creates two processes of itself; the other acts as a watchdog.
       - Later versions of CryptoLocker create an additional registry entry:
         HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker":<random>.exe
    19. Cryptolocker C&C: Domain Generation Algorithm. It uses any of the following TLDs for every generated domain: .com, .net, .biz, .ru, .org, .co.uk, .info. (Diagram: C&C flow, steps 1–6, ending with “Encrypt files with the public key”.)
    20. Cryptolocker C&C: CnC sinkholed – what does it mean?
    21. CryptoLocker Victims: Filenames and extensions encrypted by CryptoLocker
    22. Cryptolocker analysis. It searches all local and remote drives for files to encrypt. All files that are encrypted are also recorded in the following registry key: HKEY_CURRENT_USER\Software\CryptoLocker\Files. The only way to decrypt is to buy the private key from the attackers.
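Slides 18 and 22 between them name three registry artifacts an incident responder can collect without touching the live infected session: the Run value "CryptoLocker", the later RunOnce value "*CryptoLocker", and the HKCU\Software\CryptoLocker\Files key that records every file the malware encrypted (the scoping list for a restore from backup). The script below is an added example, not Cyphort's or the presenters' code. It parses a .reg export offline and reports the persistence entries plus the encrypted-file list; the .reg text, the user name, the file paths and the random executable name are all constructed, and the value format under the Files key (one DWORD per path) is an assumption about the layout, not a claim about real captures.

```python
r"""Offline triage of a Windows registry export for the CryptoLocker artifacts
named on the slides: the Run / RunOnce autorun values and the
HKCU\Software\CryptoLocker\Files record of encrypted files.

Assumed workflow: export HKCU on the affected machine (reg.exe writes a .reg
file), copy it to a clean analysis box and run this script there. Added
example; the .reg text below is constructed, not a real capture."""
import json
import re
from collections import defaultdict

# Constructed sample .reg export. Real exports are UTF-16; decode before parsing.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"CryptoLocker"="C:\\Users\\alice\\AppData\\Roaming\\kqjgtbpe.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*CryptoLocker"="C:\\Users\\alice\\AppData\\Roaming\\kqjgtbpe.exe"

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:\\Users\\alice\\Documents\\budget.xlsx"=dword:00000000
"C:\\Users\\alice\\Pictures\\holiday.jpg"=dword:00000000
"Z:\\shared\\contracts\\lease.pdf"=dword:00000000
"""

AUTORUN_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
)
FILES_KEY = r"hkey_current_user\software\cryptolocker\files"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# An .exe sitting directly in %APPDATA% (= ...\AppData\Roaming), the drop location on slide 18.
APPDATA_DROP_RE = re.compile(r"\\appdata\\roaming\\[^\\]+\.exe$", re.IGNORECASE)


def _unescape(s):
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key path (lowercased): [(value_name, raw_data), ...]}."""
    keys = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, [])        # keep keys that have no values
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current].append((_unescape(m.group(1)), m.group(2)))
    return keys


def find_persistence(keys):
    """Autorun values matching the slide's indicators: a value named CryptoLocker
    (Run) or *CryptoLocker (RunOnce, later versions), or any autorun whose target
    is an .exe dropped directly in %APPDATA%."""
    hits = []
    for key in AUTORUN_KEYS:
        for name, data in keys.get(key, []):
            target = _unescape(data.strip('"')) if data.startswith('"') else data
            by_name = name.lower().lstrip("*") == "cryptolocker"
            by_path = APPDATA_DROP_RE.search(target) is not None
            if by_name or by_path:
                hits.append({
                    "key": key.rsplit("\\", 1)[1],      # "run" or "runonce"
                    "name": name,
                    "target": target,
                    "reason": "named value" if by_name else "exe in %APPDATA% root",
                })
    return hits


def list_encrypted_files(keys):
    r"""Paths recorded under HKCU\Software\CryptoLocker\Files: the list to hand to
    whoever restores from backup. Mapped network drives (Z: here) are included,
    matching slide 22's remark that remote drives are searched too."""
    return sorted(name for name, _ in keys.get(FILES_KEY, []))


def triage(text):
    keys = parse_reg(text)
    return {"persistence": find_persistence(keys),
            "encrypted_files": list_encrypted_files(keys)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REG), indent=2))
```

On the constructed sample both autorun values are caught by name and point at the same executable, and the OneDrive entry is left alone because it lives under AppData\Local, not in the %APPDATA% root. The path heuristic is there for samples that rename the value: the watchdog process on slide 18 means killing one copy is not enough, so the autorun targets are what to remove.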
    23. Cryptolocker Ransom. Payment options: MoneyPak, Ukash, CashU, Bitcoin. Price: $300 USD or 2 BTC.
    24. Cryptolocker 2.0. Around December 2013, a new ransomware emerged claiming to be Cryptolocker 2.0. Drops a copy of itself in %system% as msunet.exe.
                          Original Cryptolocker             Cryptolocker 2.0
         Compiler         C++                               .NET
         Encryption       RSA-2048                          RSA-4096
         C&C servers      Employs DGA                       No DGA
         Payment scheme   MoneyPak, Ukash, CashU, Bitcoin   Bitcoin only
    25. Cryptodefense aka Cryptowall
       o Cryptodefense is a newer variant of Cryptolocker
       o Appeared in Feb 2014
       o No GUI
       o Pops up a webpage, drops a text file
       o Uses TOR for anonymous payments
    26. Cryptodefense aka Cryptowall
    27. Android SimpleLocker. May 2014 – SimpleLocker appears in Ukraine.
       - Asks for $22 USD using Monexy
       - Uses TOR for C&C
       - Checks SD card for: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4
       - Unlike Cryptolocker, the encryption key is hardcoded in the malware
       - Encrypted files are appended with “.enc”
    28. Conclusions
       1. Cryptolocker evolved into a major threat allowing criminals to easily monetize malware infections via Bitcoin.
       2. Due to the current geopolitical situation, Russian attackers will likely continue the barrage against US businesses and individuals while enjoying safe haven in their home country.
       3. Cryptolocker needs the public key to encrypt files, so blocking known C&C servers may help prevent data encryption.
       4. Back up your files! Since decrypting Cryptolocker-encrypted files is not possible, frequent backups become even more critical. And keep your backup offline.
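Slide 19 says every generated C&C domain ends in one of seven TLDs, and conclusion 3 draws the defensive consequence: the malware cannot encrypt anything until it has fetched a public key from a live C&C, so spotting and blocking those lookups early matters. A network defender does not need to replicate the DGA to do that. The example below is added here and is not the deck's or Cyphort's code: it scores the second-level label of each name in a BIND-style DNS query log for randomness and considers only the seven TLDs on the slide. The log lines, the host addresses, the domain names, the feature set and the thresholds are constructed assumptions for illustration, not published CryptoLocker indicators.

```python
r"""Heuristic detection of DGA-style C&C lookups in DNS query logs.

Slide 19 says every generated Cryptolocker domain uses one of seven TLDs, and
conclusion 3 notes the malware cannot encrypt until it fetches a public key
from C&C. This added example (not the deck's code) does not reproduce the DGA;
it scores the second-level label of each queried name for randomness, looking
only at those seven TLDs. Log lines and thresholds are constructed assumptions."""
import math
import re
from collections import Counter

DGA_TLDS = (".co.uk", ".com", ".net", ".biz", ".ru", ".org", ".info")  # from slide 19
VOWELS = frozenset("aeiou")
QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN ")

# Constructed BIND-style query log; 10.0.0.7 is the hypothetical infected host.
SAMPLE_LOG = """\
15-Jun-2014 10:02:11.123 client 10.0.0.5#51234: query: www.microsoft.com IN A + (10.0.0.1)
15-Jun-2014 10:02:12.004 client 10.0.0.5#51235: query: assets.stackoverflow.com IN A + (10.0.0.1)
15-Jun-2014 10:02:13.310 client 10.0.0.7#40012: query: kqjgtbpehwvxzm.net IN A + (10.0.0.1)
15-Jun-2014 10:02:13.412 client 10.0.0.7#40013: query: ytrbqplomxcvdz.co.uk IN A + (10.0.0.1)
15-Jun-2014 10:02:13.510 client 10.0.0.7#40014: query: xbvdqwpnrltkgh.biz IN A + (10.0.0.1)
15-Jun-2014 10:02:14.001 client 10.0.0.9#33001: query: wikipedia.org IN A + (10.0.0.1)
15-Jun-2014 10:02:15.220 client 10.0.0.7#40015: query: pqzmwkrtvbnxhd.de IN A + (10.0.0.1)
"""


def split_domain(fqdn):
    """(second-level label, tld) when the name ends in one of the slide's TLDs, else None."""
    name = fqdn.rstrip(".").lower()
    for tld in DGA_TLDS:
        if name.endswith(tld):
            labels = name[:-len(tld)].split(".")
            return labels[-1], tld
    return None


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def longest_consonant_run(s):
    """Random letter strings pile up consonants; real words rarely run past 4."""
    run = best = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def dga_features(label):
    n = len(label)
    return {
        "length": n,
        "entropy": round(shannon_entropy(label), 2),
        "vowel_ratio": round(sum(ch in VOWELS for ch in label) / n, 2) if n else 0.0,
        "consonant_run": longest_consonant_run(label),
    }


def looks_generated(f):
    # Assumed thresholds, tuned on the constructed sample; calibrate against
    # your own top-talker domains before relying on them.
    return (f["length"] >= 10 and f["entropy"] >= 3.0
            and (f["consonant_run"] >= 5 or f["vowel_ratio"] <= 0.15))


def scan_log(text):
    """One record per suspicious query: who asked, for what, and the scores."""
    flagged = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, fqdn = m.groups()
        parts = split_domain(fqdn)
        if parts is None:            # other TLDs are outside the slide's DGA space
            continue
        feats = dga_features(parts[0])
        if looks_generated(feats):
            flagged.append({"client": client, "domain": fqdn, **feats})
    return flagged


def clients_to_isolate(text, min_hits=3):
    """Hosts with several flagged lookups in the log: candidates for isolation
    before a C&C answers and the public key arrives."""
    counts = Counter(r["client"] for r in scan_log(text))
    return sorted(c for c, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec)
    print("isolate:", clients_to_isolate(SAMPLE_LOG))
```

Entropy alone is not enough: "stackoverflow" scores as high as the random labels, which is why the consonant-run and vowel-ratio checks are there. The .de query is deliberately skipped so the example stays inside the slide's own claim about TLDs; a deployment that wants broader coverage would widen DGA_TLDS.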
    29. Q and A
       o Information sharing and advanced threats resources
       o Blogs on latest threats and findings
       o Tools for identifying malware
    30. Thank You!
