
MMW April 2016 Ransomware Resurgence



Cyphort Labs presents "Malware's Most Wanted: Ransomware Resurgence: Locky and Other 'New Cryptolockers'"

Like many viruses, botnets and malware families that we’ve seen over the past decade, hackers continue to find new ways of reinventing old threats. And this is no different for Ransomware.

Ransomware has come a long way from non-encrypting lockscreen FBI scare warnings like Reveton. In 2016 alone, there have been new ransomware families popping up and we expect that to only pick up steam over the summer.

In this edition of MMW, Nick Bilogorskiy, Senior Director of Threat Operations at Cyphort, will discuss:

Locky, the new “it” ransomware and how it works

A deep dive into a new family of ransom locker discovered by Cyphort Labs in March, that uses TOR Hidden Service

Other new ransomware families and why it’s becoming the preferred monetization method for attackers

Published in: Technology
  • Thank you for sharing the information that is pretty helpful. Make sure all the software on the system is up to date to prevent ransomware viruses. Locky ransomware spreads widely recently, so I hope the tutorial can give some help!

MMW April 2016 Ransomware Resurgence

  1. Resurgence. Nick Bilogorskiy, Cyphort, @belogor
  2. Your speakers today: Nick Bilogorskiy (@belogor), Director of Security Research; Marci Kusanovich, Marketing Communications Manager
  3. Agenda
     o History of Digital Extortion
     o Cryptolocker, Cryptowall, Locky
     o How Ransomware works
     o Tips to protect yourself
     o Wrap-up and Q&A
     (Cyphort Labs T-shirt)
  4. Housekeeping
     • You are on mute
     • Enter questions
     • Can order t-shirt
  5. Threat Monitoring & Research team
     o 24x7 monitoring for malware events
     o Assist customers with their Forensics and Incident Response
     We enhance malware detection accuracy
     o False positives/negatives
     o Deep-dive research
     We work with the security ecosystem
     o Contribute to and learn from malware KB
     o Best of 3rd Party threat data
  6. What is Ransomware? Ransomware is any malware that demands the user pay a ransom. There are two types of ransomware: lockers and crypters.
  7. Kovter
  8. Prediction #4
     o More IOT (Internet Of Things) security incidents
  9. Bitcoin Primer
     • easy to use,
     • fast,
     • publicly available,
     • decentralized, and
     • provides anonymity, which serves to encourage extortion.
  10. The Ransomware Business Model
     o Data Theft in place
     o Anonymity (TOR, Bitcoin)
     o Operating with impunity in Eastern Europe
     o Extortion
     o Focus on ease of use to maximize conversion
     o Currently 50% pay the ransom; it was 41% 2 years ago
  11. The Ransomware Business Model (diagram): Locked Files -> Bitcoin Ransom Sent -> C&C Server -> Private Key Sent -> Unlocked Files
  12. Known Victims... So far
     HOSPITALS: Hollywood Presbyterian Medical Center, Kentucky Methodist Hospital, Alvarado Hospital Medical Center and King's Daughters' Health, Chino Valley Medical Center and Desert Valley Hospital, Baltimore's Union Memorial Hospital, and many others
     POLICE: Tewksbury Police Department, Swansea Police Department, Chicago suburb of Midlothian, Dickson County, Tennessee, Durham, N.H., Plainfield, N.J., Collinsville, Alabama; hackers in Detroit demanded $800,000 in bitcoin after they had encrypted the city's database.
     SCHOOLS: South Carolina school district paid $10,000. A New Jersey school district was hit, holding up the computerized PARCC exams. Follett Learning's Destiny library management software, which is used in US schools, is vulnerable to SamSam ransomware.
     GOVERNMENT: 321 incident reports of "ransomware-related activity" affecting 29 different federal networks since June 2015, according to the Department of Homeland Security.
  13. Stats: 500% growth last year (Recorded Future)
  14. Google Trends: "ransomware" search interest (chart). Stats: 500% growth last year
  15. Ransomware: The Price You Pay. 2014 - $24 M. | 2015 - $24 M. | 2016 - $209 M in Q1
  16. Ransomware: Additional Costs
     o network mitigation
     o network countermeasures
     o loss of productivity
     o legal fees
     o IT services
     o purchase of credit monitoring services for employees or customers
     o Potential harm to an organization's reputation.
  17. Ransomware poses a threat "to everyday Americans, law enforcement, government agencies and infrastructure, and sectors of our economy like healthcare and financial services." – Representative Derek Kilmer (D-WA). "I am concerned that by hospitals paying these ransoms, we are creating a perverse incentive for hackers to continue these dangerous attacks" – Senator Barbara Boxer
  18. Ransomware Resurgence Timeline: Explosion of Variants in 2016 (source: Endgame)
  19. What is Cryptolocker?
     o Began September 2013
     o Encrypts victim's files, asks for $300 ransom
     o Impossible to recover files without a key
     o Ransom increases after deadline
     o Goal is monetary via Bitcoin
     o 250,000+ victims worldwide (According to Secureworks)
  20. Cryptolocker Mastermind. According to the FBI, losses are "more than $100 million." Image source: FBI
  21. Attribution: Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia, nickname "Slavik", indicted for conspiracy, computer hacking, wire fraud, bank fraud, and money laundering. Bogachev is identified as a leader of a cyber gang of criminals based in Russia and Ukraine that is responsible for both GameOver Zeus and Cryptolocker.
  22. Cryptodefense aka Cryptowall
     o Cryptodefense is a newer variant of Cryptolocker.
     o appeared in Feb 2014
     o no GUI
     o pops up a webpage, drops text file
     o Uses TOR for anonymous payments
  23. Locky
     o Installed by Dridex gang
     o Word documents with macros over email
     o Also used JavaScript, Powershell
     o over 400,000 victims in hours (Palo Alto Networks Unit 42)
  24. Dridex Gang
     o First seen: Nov 2014, new versions throughout 2015
     o Target: North American and European Banks
     o Distribution: Spam mails with Word Documents
     o Some versions use p2p over http for carrying out botnet communication
     o Uses web injects to carry out man-in-browser attack, uses VNC
  25. Locky Ransom Note
  27. KeRanger
     o First ransomware on OS X
     o Appeared in March 2016
     o 1 BTC - $400 ransom
     o Signed!
     o Infected Transmission BitTorrent client installer
  29. Android SimpleLocker
     - May 2014 – Simplelocker appears in Ukraine
     - Asks for $22 USD using Monexy
     - Uses TOR for C&C
     Checks SD card for: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4
     Unlike Cryptolocker, the encryption key is hardcoded in the malware. Encrypted files are appended with ".enc".
  30. 2016 Ransomware tricks
     o Encrypting the whole drive (Petya)
     o Encrypting network drives
     o Deleting cloud backups
     o Encrypting web servers (Kimcilware)
     o Ransomware as a Service (RAAS)
  31. How do Users get Ransomware? (Osterman research)
  32. Tips to Avoid Ransomware Infection
     o Install the latest patches for your software, especially Adobe, Microsoft and Oracle apps
     o Use network protection
     o Use a comprehensive endpoint security solution with behavioral detection
     o Turn Windows User Access Control on
  33. Tips to Avoid Ransomware Infection
     o Be skeptical: Don't click on anything suspicious
     o Block popups and use an ad-blocker
     o Override your browser's user-agent*
     o Consider Microsoft Office viewers
  35. On a Mac - RansomWhere
  36. Tips to Avoid Ransomware Infection
     o Identify Ransomware and look for a decryptor
     o Shadow Copies
     o Turn off computer at first signs of infection
     o Remember: the only effective ransomware defense is backup
  37. Tips to Avoid Ransomware Infection
     o List of free decryptors:
  38. Summary
     1. Ransomware evolved into a major threat, allowing criminals to easily monetize malware infections via Bitcoin.
     2. Every platform is vulnerable to ransomware.
     3. Due to the current geopolitical situation, Eastern European attackers will likely continue the barrage against US businesses and individuals while enjoying safe haven in their home country.
     4. Backup your files! Since decrypting encrypted files is not always possible, frequent backups become even more critical. And keep your backup offline.
  39. Q&A. Thank You! Twitter: @belogor. Previous MMW slides on malwares-wanted/
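As an added example that is not from the slides or from Cyphort: a toy behavioral-detection rule, in the spirit of the "behavioral detection" tip on slide 32, that flags a process rewriting many of the file types SimpleLocker targets (slide 29) into its ".enc" suffix across several directories within a short time window. The event-line format, the thresholds, and the sample events are constructed assumptions for this example.

```python
from collections import defaultdict
from pathlib import PurePosixPath
# File types SimpleLocker looks for on the SD card (from the slide) and the suffix it appends.
TARGET_EXTS = {"jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc", "docx",
               "txt", "avi", "mkv", "3gp", "mp4"}
RANSOM_SUFFIX = ".enc"

def parse_event(line):
    """Assumed event format '<epoch> <pid> <op> <path>'; returns None if malformed."""
    parts = line.strip().split(" ", 3)
    if len(parts) != 4 or not parts[0].isdigit() or not parts[1].isdigit():
        return None
    return int(parts[0]), int(parts[1]), parts[2], parts[3]

def looks_encrypted(path):
    """True for '<name>.<targeted ext>.enc', e.g. photo.jpg.enc."""
    if not path.endswith(RANSOM_SUFFIX):
        return False
    inner = PurePosixPath(path[:-len(RANSOM_SUFFIX)])
    return inner.suffix.lstrip(".").lower() in TARGET_EXTS

def detect(lines, min_files=5, min_dirs=2, window=60):
    """Return {pid: hits} for processes producing >= min_files encrypted-looking files in >= min_dirs directories within any window-second span."""
    per_pid = defaultdict(list)  # pid -> [(timestamp, directory)]
    for line in lines:
        ev = parse_event(line)
        if ev and ev[2] in ("create", "rename") and looks_encrypted(ev[3]):
            per_pid[ev[1]].append((ev[0], str(PurePosixPath(ev[3]).parent)))
    flagged = {}
    for pid, evs in per_pid.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):           # sliding time window over events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hits = evs[start:end + 1]
            if len(hits) >= min_files and len({d for _, d in hits}) >= min_dirs:
                flagged[pid] = max(flagged.get(pid, 0), len(hits))
    return flagged

# Constructed sample log: pid 4242 behaves like SimpleLocker, pid 77 is benign.
SAMPLE_EVENTS = [
    "1000 4242 create /sdcard/DCIM/a.jpg.enc",
    "1001 4242 create /sdcard/DCIM/b.png.enc",
    "1002 4242 create /sdcard/Docs/c.docx.enc",
    "1003 4242 create /sdcard/Docs/d.pdf.enc",
    "1004 4242 create /sdcard/Movies/e.mp4.enc",
    "1005 77 create /sdcard/Download/notes.txt",
    "1500 77 rename /sdcard/Download/archive.zip.enc",
]
```

Running `detect(SAMPLE_EVENTS)` flags only pid 4242; a real deployment would feed it file-system audit events and tune the thresholds per environment.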