The story of grandma and the encrypted granddaughter pictures. In this presentation we explained how ransomware creators think, what's their goals and methods of achieving them. Then we described the research we've done on the Dircrypt ransomeware, and how we found errors in their encryption implementation - allowing us to decipher most of the encrypted information, without paying off the criminals. A full article can be found here: https://www.checkpoint.com/download/public-files/TCC_WP_Hacking_The_Hacker.pdf

1. Fighting back against the DirCrypt bully
Nitay Artenstein
Michael Shalyt
HACKING THE HACKER

2. BLACK HAT
“A ‘black hat’ hacker is a hacker who violates computer
security for little reason beyond maliciousness or for
personal gain“ - Wikipedia.

3. WHITE HAT
“A ’white hat’ hacker breaks
security for non-malicious
reasons… The term "white hat"
in Internet slang refers to
an ethical hacker.” - Wikipedia.

4. WHITE HAT
“A ’white hat’ hacker breaks
security for non-malicious
reasons… The term "white hat"
in Internet slang refers to
an ethical hacker.” - Wikipedia.

5. THE GRANDMA

6. THE GRANDDAUGHTER

7. THE GRANDDAUGHTER

15. WHAT JUST HAPPENED?

16. WHAT JUST HAPPENED?

17. WHAT JUST HAPPENED?

18. CRYPTERS IN THE WILD

19. CRYPTERS IN THE WILD

20. CRYPTERS IN THE WILD

21. CRYPTERS IN THE WILD

22. CRYPTERS IN THE WILD

23. FOR EXAMPLE: DIRCRYPT

24. ENCRYPTION DEMO

25. CRYPTO 101

26. CRYPTERS ARE WRONGER

27. CRYPTERS ARE WRONGER
• “Innocence based” attacks.

28. CRYPTERS ARE WRONGER
• “Innocence based” attacks.
• Scare tactics.

29. CRYPTERS ARE WRONGER
• “Innocence based” attacks.
• Scare tactics.
• The victim pays the price, unlike banking trojans.

30. CRYPTERS ARE WRONGER
• “Innocence based” attacks.
• Scare tactics.
• The victim pays the price, unlike banking trojans.
• Highschool bully – crypters will evolve and spread as
long as victims pay the ransom instead of resisting.

31. AND NOW FOR THE GOOD PART…
• It‘s hard to implement a secure cryptographic protocol
• Many malware writers are not exactly masters of secure
coding
• What if we can hack the hackers and save Grandma?

32. LOOKS LIKE A JOB FOR A REVERSER

33. WHAT IS REVERSE ENGINEERING?
• The malware executable holds some of the secrets we
need to uncover:

35. MALWARE RESEARCHER == DETECTIVE
• A malware binary is like a crime scene
• Through skill and experience, a reverse engineer
develops a “nose for mystery”
• A bunch of tools help us rise above the bits and bytes,
and make it easier to connect the dots

36. THE GOAL: MOVE FROM THIS…

37. TO THIS

38. FROM PLAINTEXT TO CIPHER

42. IMAGINE YOU WERE A HACKER…
• Where would you hide the key?
• Your options: the registry, a hidden file, or only on the
C&C server
• There is always a compromise

43. A FEW SLEEPLESS NIGHTS LATER…

44. SO NOW WE HAVE A HINT

45. THE UNBEARABLE LIGHTNESS OF KEY REUSE

46. ATTACKING KEY REUSE

47. ATTACKING KEY REUSE
• Which files will always be on Windows?

48. ATTACKING KEY REUSE
• Which files will always be on Windows?
• We need the largest file possible. Sample videos?

49. ATTACKING KEY REUSE
• Which files will always be on Windows?
• We need the largest file possible. Sample videos?
• The max size decryptable will be the size of that file

50. ATTACKING KEY REUSE
• Which files will always be on Windows?
• We need the largest file possible. Sample videos?
• The max size decryptable will be the size of that file

51. READY TO SOLVE THE PUZZLE?

52. THAT AWKWARD MOMENT
WriteToFile(hFile, SymmetricKey, 10);

54. DECRYPTION DEMO

55. DECRYPTION… CHECK

56. GRANDMA IS HAPPY AGAIN