The rise of ransomware
Hello! I am Tharindu Edirisinghe
You can find me at ….
tharindue.blogspot.com @thariyarox https://lk.linkedin.com/in/ediri ediri@live.com
The FBI reported that cyber criminals used
ransomware to extort $209 million from
enterprise organizations in the first three months
of 2016 alone.
Source :
http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/
The name “ransomware” refers to a type of malware that is designed to infect machines,
encrypt as many files as possible and hold the decryption key for ransom until the
victim submits the required payment.
While documented complaints of modern ransomware date back to 2005, the malware
has recently gained a new popularity. In 2015 alone, there were nearly 407,000
attempted ransomware infections and over $325 million extorted from victims.
Source : https://www.cyberark.com/resource/cyberark-labs-ransomware/
There is another variant of ransomware that blocks the usage of the
device with the same goal of extracting payment from the victim.
This behavior includes spawning multiple messages across the
screen, disrupting the user's applications, or inhibiting the normal
boot process of the operating system and displaying a ransom
message instead of the user login screen.
Source : http://cyberthreatalliance.org/cryptowall-report.pdf
In cryptography, encryption is the process of encoding messages or information in such a
way that only authorized parties can access it.
Source : https://en.wikipedia.org/wiki/Encryption
Image Source :
http://kryptophone.kryptotel.net/faq/encryption/index.html
Image Source: http://www.sqlservercentral.com/blogs/zoras-sql-
tips/2014/09/11/understanding-the-core-of-cryptography-in-sql-server/print/
demo
Once the ransomware was triggered to execute, 90% of the samples analyzed first attempted to
communicate back to an attacker-managed key server, which held the unique public key used to encrypt files
on the machine. In 20% of all cases, if the connection could not be established, the ransomware would fail. Yet,
a full 70% of ransomware samples were able to execute using a default public key, even if a unique key could
not be retrieved from the key server. Notably, this approach can be less effective for the attacker, as a victim
can potentially use a single default decryption key that has already been purchased to decrypt all files that
were encrypted using the same key. The remaining 10% of samples included a unique key generator within the
ransomware file itself, thus eliminating the need for an outside connection. Based on this observation, the
research team noted that if organizations could limit the ransomware’s ability to establish an outside
connection, organizations could typically either prevent the ransomware from executing or force the
attackers to use a default key, thus minimizing the financial impact of the attack.
Source : https://www.cyberark.com/resource/cyberark-labs-ransomware/
1. Ransomware is Evolving by the Hour
Unlike traditional malware, which is frequently reused across a wide range of targets,
ransomware strains are typically mutated for each new victim. Traditional anti-virus
solutions that rely on blacklists are typically ineffective in preventing ransomware because
they simply can’t keep up with the thousands of new samples produced each day. To
effectively protect against ransomware risks, organizations can’t just protect against known
malware; they also need to protect against unknown malicious applications.
2. A Common Path to Encryption
The team observed what actions were executed by different ransomware samples, and
learned the samples across different families all followed similar subsequent processes.
Typically, the malware first attempted to communicate back to an attacker-managed key
server, which held the unique public key used to encrypt files on the machine. Second, the
ransomware began to scan the infected machines to locate specific file types. Third, upon
locating the files, the ransomware began the encryption process, while working to maximize
the number of impacted machines.
3. Ransom Payment Method of Choice
To receive the key needed to decrypt the impacted files, users were required to submit
payment – the ransom – to the attackers. Payment was typically demanded in Bitcoin, and
for Bitcoin novices, some attackers went so far as to set up “help desks” to help victims
purchase Bitcoin and complete the funds transfer.
4. Ransomware Seeks Admin Rights
In 70% of tested cases, ransomware attempted to gain local administrator rights once
activated. But interestingly, only 10% of the tested files failed if these rights could not be
attained. This shows that even though the removal of local administrator rights from
standard users is a best practice and certainly could have prevented some of the
ransomware, this measure must be layered with application control to reliably protect
against file encryption.
5. A Common Denominator
Testing by CyberArk Labs demonstrated that a highly effective way to mitigate the risk of
ransomware attacks is to prevent unknown applications, including unknown ransomware,
from gaining the read, write and edit permissions needed to encrypt files. When tested by
CyberArk Labs, a combined approach of removing local admin rights and application control,
including greylisting, which restricts read, write and modify permissions from unknown
applications was 100 percent effective in preventing ransomware from encrypting files.
https://www.cyberark.com/blog/new-cyberark-labs-research-analyzing-ransomware-potential-mitigation-strategies/
Shade is a ransomware-type Trojan that emerged in late 2014. The malware is spread via
malicious websites and infected email attachments. After getting into the user's system,
Shade encrypts files stored on the machine and creates a .txt file containing the ransom note
and instructions from the cybercriminals on what to do to get the user's personal files back.
Shade uses strong encryption for each file, generating two random 256-bit AES keys per file:
one is used to encrypt the file's contents, the other to encrypt the file name.
Since 2014, Kaspersky Lab and Intel Security prevented more than 27,000 attempts to attack
users with the Shade Trojan. Most of the infections occurred in Russia, Ukraine, Germany, Austria
and Kazakhstan. Shade activity was also registered in France, the Czech Republic, Italy, and the
US.
Source : https://www.helpnetsecurity.com/2016/07/25/no-more-ransom/
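The CyberArk excerpt earlier (samples that fall back to one default public key are only as strong as that one private key) and the Shade write-up above (two fresh 256-bit AES keys per file) describe the same key architecture from two angles. The Go program below is an added example, not code from this deck or from any of the cited reports, and makes no claim about how a real sample is built: it models envelope encryption over in-memory sample data (constructed for the example) with AES-256-GCM for the file and RSA-OAEP to wrap the per-file keys, both this example's own choices. Running it shows why an encrypted file is opaque without the private key, and why one recovered private key unlocks every file wrapped with the same public key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

type EncryptedFile struct {
	WrappedContentKey, WrappedNameKey []byte // RSA-OAEP of the two 256-bit AES keys
	Name, Contents                    []byte // nonce || AES-256-GCM ciphertext
}

// NewAttackerKey: the public half ships in (or is fetched by) the sample, the private half never leaves the attacker.
func NewAttackerKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) []byte {
	gcm, _ := aead(key) // callers always pass a fresh 32-byte key
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext
}

func open(key, sealed []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptFile follows the per-file layout described for Shade: a fresh AES key for
// the contents and another for the name, both wrapped with the attacker's public key.
func EncryptFile(pub *rsa.PublicKey, name string, contents []byte) (*EncryptedFile, error) {
	contentKey, nameKey := randomBytes(32), randomBytes(32)
	wc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	wn, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nameKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{wc, wn, seal(nameKey, []byte(name)), seal(contentKey, contents)}, nil
}

// DecryptFile is the "decrypter" a victim pays for: it needs the private key.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) (string, []byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedContentKey, nil)
	if err != nil {
		return "", nil, err
	}
	nameKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedNameKey, nil)
	if err != nil {
		return "", nil, err
	}
	name, err := open(nameKey, ef.Name)
	if err != nil {
		return "", nil, err
	}
	contents, err := open(contentKey, ef.Contents)
	return string(name), contents, err
}

func main() {
	attacker, _ := NewAttackerKey(2048)
	other, _ := NewAttackerKey(2048)
	// One default public key across victims: the purchased private key recovers all of them, any other key none.
	ef, _ := EncryptFile(&attacker.PublicKey, "budget.xlsx", []byte("Q3 figures (constructed sample)"))
	name, contents, err := DecryptFile(attacker, ef)
	fmt.Printf("%s -> %q err=%v\n", name, contents, err)
	_, _, err = DecryptFile(other, ef)
	fmt.Println("wrong key rejected:", err != nil)
}
```

The defender's leverage in this model sits at the key-wrapping step, which is the point the CyberArk team drew from their sample set: a sample that must fetch its public key from a server can be stopped by egress filtering before anything is wrapped, and a sample that ships a default key leaves every victim's wrapped keys sharing a single point of recovery.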
Ransomware is often spread via spam campaigns or exploit kits, but LeChiffre takes a
different approach. LeChiffre developers scan networks for poorly secured, vulnerable
Remote Desktops, log in remotely after cracking them, and then manually run an instance of
the malware to encrypt files and append the extension “.LeChiffre” to them.
Security researchers at Emsisoft have already come up with a LeChiffre decrypter after
discovering that the malware encrypts only the first 8192 bytes of a file and, if the file is
bigger than 16999 bytes, also the last 8192 bytes, using Blowfish.
Source : http://www.securityweek.com/lechiffre-ransomware-hits-indian-banks-pharma-company
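What that partial-encryption detail means for recovery is easier to see with numbers. The Go program below is an added example, not Emsisoft's decrypter or code from this deck; it only models the byte ranges described in the SecurityWeek summary (the first 8192 bytes, plus the last 8192 when the file exceeds 16999 bytes) and assumes the head span is clamped for files shorter than 8192 bytes, which the summary does not say. It reports which ranges were overwritten and which survive untouched and can be carved out of a damaged file even without the Blowfish key.

```go
package main

import "fmt"

// ByteRange is a half-open [Start, End) span within a file.
type ByteRange struct{ Start, End int64 }

const (
	chunk     = 8192  // bytes overwritten at the head (and tail) of a file
	tailLimit = 16999 // files larger than this also lose their last chunk
)

// EncryptedRanges returns the spans the sample overwrites in a file of the
// given size. Clamping the head span to short files is this example's assumption.
func EncryptedRanges(size int64) []ByteRange {
	if size <= 0 {
		return nil
	}
	head := ByteRange{0, chunk}
	if size < chunk {
		head.End = size
	}
	spans := []ByteRange{head}
	if size > tailLimit {
		spans = append(spans, ByteRange{size - chunk, size})
	}
	return spans
}

// IntactRanges is what a responder cares about: bytes the sample never
// touched, which can be carved out of the damaged file directly.
func IntactRanges(size int64) []ByteRange {
	var out []ByteRange
	pos := int64(0)
	for _, r := range EncryptedRanges(size) {
		if r.Start > pos {
			out = append(out, ByteRange{pos, r.Start})
		}
		pos = r.End
	}
	if pos < size {
		out = append(out, ByteRange{pos, size})
	}
	return out
}

// IntactBytes totals the untouched bytes.
func IntactBytes(size int64) int64 {
	var n int64
	for _, r := range IntactRanges(size) {
		n += r.End - r.Start
	}
	return n
}

func main() {
	// Sizes chosen to sit on both sides of the two thresholds.
	for _, size := range []int64{4096, 10000, 16999, 17000, 1 << 20} {
		fmt.Printf("%8d bytes: encrypted %v intact %v (%d bytes)\n",
			size, EncryptedRanges(size), IntactRanges(size), IntactBytes(size))
	}
}
```

A file of exactly 16999 bytes loses only its head, so 8807 bytes in the middle survive; one byte larger and the tail goes too, leaving 616. For typical office documents, whose headers sit in the encrypted head, the surviving middle is rarely usable by itself, which is why a decrypter for the head bytes matters more than the intact count suggests.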
Ransomware is a very successful model of attack and its mobile variant is not much different
from its desktop counterpart. Usually, the user is tricked into installing a useful app—for
example, an app that pretends to be Adobe Flash player. Once installed and executed, the
malicious application attempts to encrypt all accessible documents, images, and multimedia
files on the device. When this process is finished, the ransomware application displays a text,
a warning that often seems to come from law enforcement agencies such as the FBI and
instructs the user how to pay to restore files and access to the device.
Some of the most successful Android ransomware families are Simplocker and Koler. The
recently discovered Locker family actually sets a PIN for the device and makes the restore
almost impossible if the user is not willing to pay the attackers for recovery instructions.
Source :
https://www.thehaguesecuritydelta.com/media/com_hsd/report/57/document/4aa6-3786enw.pdf
1. Have a Backup Solution in Place
Access and storage of your data is mission-critical to your business, especially when
dealing with a ransomware attack. If you backup your data routinely, ransom Trojans are
easy to remove. Recover the files from a backup and hope the person at fault learns their
lesson.
2. Keep Software up to Date
Some ransom Trojans target user carelessness (“click this link,” or “open this
attachment”). Others exploit vulnerabilities in software. Keep all your software patched,
especially the most common and popular off-the-shelf products – they are the first ones
a hacker will target.
3. Filter Executables
Malicious executables arrive disguised as an invoice, an "urgent" document, or a notification
that you've missed a delivery, and are often hidden in ZIP archives. Make sure to filter those
and executables in general.
4. Show File Extensions
By allowing Windows to show file extensions, it makes it difficult for hackers to keep their
intentions hidden. For example, if a file is really called "Invoice.doc.exe," then you shouldn't
allow it to present itself to the user as "Invoice.doc."
5. Restrict User Privileges
Keep incidents isolated by making sure one infected user does not bring down your entire
network. By limiting machine access to only what it needs it can save your business
significantly in downtime, allowing unaffected users/departments to continue working
productively.
6. Disable Remote Desktop Protocol
Hackers love to use Windows’ native remote access feature and third-party software to
get malicious code onto computers. Although the remote desktop protocol is very useful,
it does not need to be switched on all the time.
7. Get a Security Audit from a Reputable IT Consultant
A credible and experienced IT Consultant, like Lantium, can assess your organization’s
information systems, business processes, and overall cyber presence to help you identify
methods to keep your business protected. By being proactive, you can ensure your
business stays safe in 2017!
Source: http://blog.lantium.com/seven-things-to-protect-your-business-from-ransomware
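Items 3 and 4 of that list are easy to turn into a mechanical check on incoming mail. The Go program below is an added example, not code from the Lantium post or from this deck: it builds a ZIP in memory with invented member names, lists the archive's central directory without extracting anything, and flags executable members, including the "Invoice.doc.exe" case that Windows would display as "Invoice.doc" with known extensions hidden. The extension lists are this example's assumptions, not a complete policy.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Extensions Windows runs (or hands to a script host) on double-click.
var executableExts = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true, ".bat": true,
	".cmd": true, ".js": true, ".jse": true, ".vbs": true, ".wsf": true,
	".hta": true, ".ps1": true, ".jar": true, ".msi": true,
}

// Document-looking extensions that lures use as the fake inner suffix.
var documentExts = map[string]bool{
	".doc": true, ".docx": true, ".pdf": true, ".xls": true, ".xlsx": true,
	".txt": true, ".jpg": true, ".png": true,
}

type Finding struct {
	Name, Kind, Detail string
}

// DisplayName is what a user sees when Windows hides known extensions:
// "Invoice.doc.exe" shows up as "Invoice.doc".
func DisplayName(name string) string {
	return strings.TrimSuffix(name, path.Ext(name))
}

// Classify decides whether one archive member should be blocked. Kind is ""
// for harmless names, "executable" for plain executables and
// "double-extension" for executables disguised as documents.
func Classify(name string) Finding {
	base := path.Base(name)
	rawExt := path.Ext(base)
	ext := strings.ToLower(rawExt)
	if !executableExts[ext] {
		return Finding{Name: name}
	}
	inner := strings.ToLower(path.Ext(strings.TrimSuffix(base, rawExt)))
	if documentExts[inner] {
		return Finding{name, "double-extension",
			fmt.Sprintf("%s would display as %q with extensions hidden", ext, DisplayName(base))}
	}
	return Finding{name, "executable", ext + " inside an archive attachment"}
}

// ScanZip walks the central directory of a ZIP attachment and reports every
// member worth blocking, including ones in sub-folders. Nothing is extracted.
func ScanZip(data []byte) ([]Finding, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, f := range r.File {
		if f.FileInfo().IsDir() {
			continue
		}
		if fd := Classify(f.Name); fd.Kind != "" {
			out = append(out, fd)
		}
	}
	return out, nil
}

// BuildSampleAttachment constructs, in memory, the kind of ZIP a lure mail
// carries. Member names and bodies are invented for this example.
func BuildSampleAttachment() []byte {
	members := []struct{ name, body string }{
		{"Invoice.doc.exe", "MZ"},
		{"details/readme.txt", "see attached invoice"},
		{"Delivery_notice.js", "// dropper"},
	}
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, m := range members {
		fw, err := w.Create(m.name)
		if err != nil {
			panic(err)
		}
		fw.Write([]byte(m.body))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	findings, err := ScanZip(BuildSampleAttachment())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("BLOCK %-20s %-16s %s\n", f.Name, f.Kind, f.Detail)
	}
}
```

Two caveats a mail-gateway deployment needs beyond this sketch: a ZIP that fails to parse (password-protected archives included) should be quarantined rather than passed, since `ScanZip` cannot see inside it, and matching on names alone misses renamed executables, so a content check on the member's first bytes belongs next to the extension check.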
The “No More Ransom” website is an initiative by the National High Tech Crime Unit of
the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security
companies – Kaspersky Lab and Intel Security – with the goal to help victims of
ransomware retrieve their encrypted data without having to pay the criminals.
Source : https://www.nomoreransom.org/about-the-project.html
Ransomware Families and Types
http://avien.net/blog/ransomware-resources/ransomware-families-and-types
Analysis of the CryptoWall Version 4 Threat
http://cyberthreatalliance.org/cryptowall-report.pdf
Even the best antivirus likely can't save your files from a ransomware infection
http://www.businessinsider.com/fighting-ransomware-with-antivirus-2016-1
Hewlett Packard Enterprise - Cyber Risk Report 2016
https://www.thehaguesecuritydelta.com/media/com_hsd/report/57/document/4aa6-3786enw.pdf
Shoddy Programming causes new Ransomware to destroy your Data
https://www.bleepingcomputer.com/news/security/shoddy-programming-causes-new-ransomware-to-destroy-your-data
THANKS! Any questions?
You can find me at ….
tharindue.blogspot.com @thariyarox https://lk.linkedin.com/in/ediri ediri@live.com

More Related Content

Recently uploaded

%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
SHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationSHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationShrmpro
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyviewmasabamasaba
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrainmasabamasaba
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfkalichargn70th171
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Hararemasabamasaba
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Nitya salvi
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionOnePlan Solutions
 
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...masabamasaba
 

Recently uploaded (20)

%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
SHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationSHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions Presentation
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
 

Featured

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Featured (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

The Rise of Ransomware

  • 2. Hello!I am Tharindu Edirisinghe You can find me at …. tharindue.blogspot.com @thariyarox https://lk.linkedin.com/in/ediri ediri@live.com
  • 3. The FBI reported that cyber criminals used ransomware to extort $209 million from enterprise organizations in the first three months of 2016 alone. Source : http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/
  • 4.
  • 5.
  • 6. The name “ransomware” refers to a type of malware that is designed to infect machines, encrypt as many files as possible and hold the decryption key for ransom until the victim submits the required payment. While documented complaints of modern ransomware date back to 2005, the malware has recently gained a new popularity. In 2015 alone, there were nearly 407,000 attempted ransomware infections and over $325 million extorted from victims. Souce : https://www.cyberark.com/resource/cyberark-labs-ransomware/
  • 7. There is another variant of ransomware that blocks the usage of the device with the same goal of extracting payment from the victim. This behavior includes spawning multiple messages across the screen disrupting user application usage or inhibiting the normal boot process of the operating system with displaying a ransom message instead of a user login screen. Source : http://cyberthreatalliance.org/cryptowall-report.pdf
  • 8. In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can access it. Source : https://en.wikipedia.org/wiki/Encryption Image Source : http://kryptophone.kryptotel.net/faq/encryption/index.html
  • 11. demo
  • 17. Once the ransomware was triggered to execute, 90% of the samples analyzed first attempted to communicate back to an attacker-managed key server, which held the unique public key used to encrypt files on the machine. In 20% of all cases, if the connection could not be established, the ransomware would fail. Yet, a full 70% of ransomware samples were able to execute using a default public key, even if a unique key could not be retrieved from the key server. Notably, this approach can be less effective for the attacker, as a victim can potentially use a single default decryption key that has already been purchased to decrypt all files that were encrypted using the same key. The remaining 10% of samples included a unique key generator within the ransomware file itself, thus eliminating the need for an outside connection. Based on this observation, the research team noted that if organizations could limit the ransomware’s ability to establish an outside connection, organizations could typically either prevent the ransomware from executing or force the attackers to use a default key, thus minimizing the financial impact of the attack. Source : https://www.cyberark.com/resource/cyberark-labs-ransomware/
  • 19. 1. Ransomware is Evolving by the Hour Unlike traditional malware, which is frequently reused across a wide range of targets, ransomware strains are typically mutated for each new victim. Traditional anti-virus solutions that rely on blacklists are typically ineffective in preventing ransomware because they simply can’t keep up with the thousands of new samples produced each day. To effectively protect against ransomware risks, organizations can’t just protect against known malware; they also need to protect against unknown malicious applications.
  • 20. 2. A Common Path to Encryption The team observed what actions were executed by different ransomware samples, and learned the samples across different families all followed similar subsequent processes. Typically, the malware first attempted to communicate back to an attacker-managed key server, which held the unique public key used to encrypt files on the machine. Second, the ransomware began to scan the infected machines to locate specific files types. Third, upon locating the files, the ransomware began the encryption process, while working to maximize the number of impacted machines.
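The three-stage sequence on this slide (call home to a key server, scan for target file types, then modify many files quickly) is also what a behavioural endpoint rule can key on, and the call-home stage is exactly the outbound connection slide 17 suggests restricting. Below is an added Python example, not code from the slides or from the CyberArk research: it runs a burst heuristic over constructed telemetry lines and, when one process rewrites or renames many files of several types inside a short window, reports it together with any outbound connection that process made shortly before. The event format, process names, addresses and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=30)     # burst window for file modifications by one process
LOOKBACK = timedelta(seconds=120)  # how far back to look for a preceding outbound connection
MIN_FILES = 8                      # distinct files modified inside one window
MIN_EXTS = 3                       # distinct original extensions among those files

# Constructed sample telemetry (assumption: a real EDR/Sysmon feed is first mapped
# into "timestamp|pid|process|event|detail"). None of this comes from real malware.
SAMPLE_EVENTS = r"""
2016-04-15T09:00:01|4120|winword.exe|file_write|C:\Users\ann\Documents\notes.docx
2016-04-15T09:00:02|4120|winword.exe|file_write|C:\Users\ann\Documents\notes.docx
2016-04-15T09:00:03|3300|msbuild.exe|file_write|C:\src\build\a.obj
2016-04-15T09:00:03|3300|msbuild.exe|file_write|C:\src\build\b.obj
2016-04-15T09:00:03|3300|msbuild.exe|file_write|C:\src\build\c.obj
2016-04-15T09:00:04|3300|msbuild.exe|file_write|C:\src\build\d.obj
2016-04-15T09:00:04|3300|msbuild.exe|file_write|C:\src\build\e.obj
2016-04-15T09:00:04|3300|msbuild.exe|file_write|C:\src\build\f.obj
2016-04-15T09:00:04|3300|msbuild.exe|file_write|C:\src\build\g.obj
2016-04-15T09:00:04|3300|msbuild.exe|file_write|C:\src\build\h.obj
2016-04-15T09:00:05|5012|flash_update.exe|net_connect|203.0.113.7:443
2016-04-15T09:00:06|5012|flash_update.exe|file_read|C:\Users\ann\Documents\budget.xlsx
2016-04-15T09:00:07|5012|flash_update.exe|file_rename|C:\Users\ann\Documents\budget.xlsx -> C:\Users\ann\Documents\budget.xlsx.locked
2016-04-15T09:00:08|5012|flash_update.exe|file_rename|C:\Users\ann\Documents\report.docx -> C:\Users\ann\Documents\report.docx.locked
2016-04-15T09:00:09|5012|flash_update.exe|file_rename|C:\Users\ann\Pictures\photo.jpg -> C:\Users\ann\Pictures\photo.jpg.locked
2016-04-15T09:00:10|5012|flash_update.exe|file_rename|C:\Users\ann\Documents\deck.pptx -> C:\Users\ann\Documents\deck.pptx.locked
2016-04-15T09:00:11|5012|flash_update.exe|file_rename|C:\Users\ann\Documents\scan.pdf -> C:\Users\ann\Documents\scan.pdf.locked
2016-04-15T09:00:12|5012|flash_update.exe|file_rename|C:\Users\ann\Desktop\notes.txt -> C:\Users\ann\Desktop\notes.txt.locked
2016-04-15T09:00:13|5012|flash_update.exe|file_rename|C:\Users\ann\Documents\invoice.pdf -> C:\Users\ann\Documents\invoice.pdf.locked
2016-04-15T09:00:14|5012|flash_update.exe|file_rename|C:\Users\ann\Documents\cv.docx -> C:\Users\ann\Documents\cv.docx.locked
"""


def parse_events(text):
    """Turn the pipe-delimited lines into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, proc, kind, detail = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "pid": int(pid),
                       "process": proc, "kind": kind, "detail": detail})
    return sorted(events, key=lambda e: e["time"])


def modified_path(event):
    """Original path touched by a write or rename; None for other event kinds."""
    if event["kind"] == "file_write":
        return event["detail"]
    if event["kind"] == "file_rename":
        return event["detail"].split(" -> ", 1)[0]
    return None


def detect_mass_modification(events):
    """One alert per process whose writes/renames hit many files of many types inside
    WINDOW, annotated with any outbound connection it made up to LOOKBACK earlier."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        mods = [(e["time"], modified_path(e)) for e in evs if modified_path(e)]
        for i, (start, _) in enumerate(mods):
            paths = {p for t, p in mods[i:] if t - start <= WINDOW}
            exts = {PureWindowsPath(p).suffix.lower() for p in paths}
            if len(paths) >= MIN_FILES and len(exts) >= MIN_EXTS:
                call_home = [e["detail"] for e in evs if e["kind"] == "net_connect"
                             and start - LOOKBACK <= e["time"] <= start]
                alerts.append({"pid": pid, "process": evs[0]["process"], "files": len(paths),
                               "extensions": sorted(exts), "call_home": call_home})
                break  # one alert per process is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_modification(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In the constructed data only flash_update.exe trips the rule: winword.exe keeps rewriting one file, and msbuild.exe writes many files but of a single type, which is why the distinct-extension threshold matters. Legitimate bulk tools such as backup agents will still look like this, so in practice the rule is paired with the application allowlisting slide 19 describes rather than used on its own.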
  • 21. 3. Ransom Payment Method of Choice To receive the key needed to decrypt the impacted files, users were required to submit payment – the ransom – to the attackers. Payment was typically demanded in Bitcoin, and for Bitcoin novices, some attackers went so far as to set up “help desks” to help victims purchase Bitcoin and complete the funds transfer.
  • 22. 4. Ransomware Seeks Admin Rights In 70% of tested cases, ransomware attempted to gain local administrator rights once activated. But interestingly, only 10% of the tested files failed if these rights could not be attained. This shows that even though the removal of local administrator rights from standard users is a best practice and certainly could have prevented some of the ransomware, this measure must be layered with application control to reliably protect against file encryption.
  • 23. 5. A Common Denominator Testing by CyberArk Labs demonstrated that a highly effective way to mitigate the risk of ransomware attacks is to prevent unknown applications, including unknown ransomware, from gaining the read, write and edit permissions needed to encrypt files. When tested by CyberArk Labs, a combined approach of removing local admin rights and application control, including greylisting, which restricts read, write and modify permissions from unknown applications, was 100 percent effective in preventing ransomware from encrypting files. Source : https://www.cyberark.com/blog/new-cyberark-labs-research-analyzing-ransomware-potential-mitigation-strategies/
  • 24. Shade is a ransomware-type Trojan that emerged in late 2014. The malware is spread via malicious websites and infected email attachments. After getting into the user’s system, Shade encrypts files stored on the machine and creates a .txt file containing the ransom note and instructions from cybercriminals on what to do to get the user’s personal files back. Shade uses a strong decryption algorithm for each encrypted file, with two random 256-bit AES keys generated: one is used to encrypt the file’s contents, while the other is used to encrypt the file name. Since 2014, Kaspersky Lab and Intel Security have prevented more than 27 000 attempts to attack users with the Shade Trojan. Most of the infections occurred in Russia, Ukraine, Germany, Austria and Kazakhstan. Shade activity was also registered in France, the Czech Republic, Italy, and the US. Source : https://www.helpnetsecurity.com/2016/07/25/no-more-ransom/
  • 25. Ransomware is often spread via spam campaigns or exploit kits, but LeChiffre takes a different approach. LeChiffre developers scan networks for poorly secured, vulnerable Remote Desktops, log in remotely after cracking them, and then manually run an instance of the malware to encrypt files and append the extension “.LeChiffre” to them. Security researchers at Emsisoft already managed to come up with a LeChiffre decrypter, after discovering that the malware encrypts only the first 8192 bytes of a file (and, if the file is bigger than 16999 bytes, also the last 8192 bytes of the file), using Blowfish. Source : http://www.securityweek.com/lechiffre-ransomware-hits-indian-banks-pharma-company
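The partial-encryption pattern this slide describes (first 8192 bytes, plus the last 8192 bytes of files larger than 16999 bytes) matters for incident response: the middle of a large file is untouched, so its content may still be readable even before any decrypter exists. The following is an added Python example, not code from the slide or from Emsisoft's tool: it profiles the byte entropy of a file's head, middle and tail along those stated boundaries and classifies the file as plaintext, partially encrypted or fully encrypted. The entropy threshold and the constructed sample files are assumptions; the "damaged" samples are plain text with seeded pseudo-random bytes written over the regions in question, not output of any malware.

```python
import math
import random

HEAD_BYTES = 8192        # region the slide says LeChiffre encrypts at the start of a file
TAIL_BYTES = 8192        # region encrypted at the end, only for larger files
TAIL_THRESHOLD = 16999   # files bigger than this also lose their tail
HIGH_ENTROPY = 7.5       # bits per byte; encrypted or random data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def region_profile(data: bytes) -> dict:
    """Entropy of head, middle and tail, split along the slide's stated boundaries."""
    head = data[:HEAD_BYTES]
    if len(data) > TAIL_THRESHOLD:
        middle, tail = data[HEAD_BYTES:-TAIL_BYTES], data[-TAIL_BYTES:]
    else:
        middle, tail = data[HEAD_BYTES:], b""
    return {"head": shannon_entropy(head), "middle": shannon_entropy(middle),
            "tail": shannon_entropy(tail), "middle_bytes": len(middle)}


def classify(data: bytes) -> str:
    """'plaintext', 'partially_encrypted' (middle still readable) or 'fully_encrypted'."""
    p = region_profile(data)
    if p["head"] < HIGH_ENTROPY:
        return "plaintext"
    if p["middle_bytes"] and p["middle"] < HIGH_ENTROPY:
        return "partially_encrypted"
    return "fully_encrypted"


def make_samples() -> dict:
    """Constructed test files (assumption, for the example only): a plain text report, the
    same report with its first and last 8192 bytes replaced by seeded pseudo-random bytes,
    a smaller report below TAIL_THRESHOLD with only its head replaced, and pure noise."""
    rng = random.Random(2016)

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    report = b"Q1 2016 revenue, costs and headcount by region; see appendix.\n" * 700
    damaged_large = noise(HEAD_BYTES) + report[HEAD_BYTES:-TAIL_BYTES] + noise(TAIL_BYTES)
    small = report[:12000]
    damaged_small = noise(HEAD_BYTES) + small[HEAD_BYTES:]   # no tail region below threshold
    return {"plain": report, "damaged_large": damaged_large,
            "damaged_small": damaged_small, "random": noise(40000)}


if __name__ == "__main__":
    for name, blob in make_samples().items():
        print(f"{name:14s} {classify(blob):20s} {region_profile(blob)}")
```

A middle region that stays low-entropy tells the responder which part of each large file is worth carving text from, and a head that is low-entropy means the file was never touched at all. The threshold of 7.5 bits per byte separates English text or structured documents (typically 4 to 6 bits) from ciphertext; compressed formats such as JPEG or ZIP also score high, so real triage checks the file type before trusting the verdict.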
  • 26. Ransomware is a very successful model of attack and its mobile variant is not much different from its desktop counterpart. Usually, the user is tricked into installing a useful app—for example, an app that pretends to be Adobe Flash player. Once installed and executed, the malicious application attempts to encrypt all accessible documents, images, and multimedia files on the device. When this process is finished, the ransomware application displays a text, a warning that often seems to come from law enforcement agencies such as the FBI, and instructs the user how to pay to restore files and access to the device. Some of the most successful Android ransomware families are Simplocker and Koler. The recently discovered Locker family actually sets a PIN for the device and makes the restore almost impossible if the user is not willing to pay the attackers for recovery instructions. Source : https://www.thehaguesecuritydelta.com/media/com_hsd/report/57/document/4aa6-3786enw.pdf
  • 27. 1. Have a Backup Solution in Place Access and storage of your data is mission-critical to your business, especially when dealing with a ransomware attack. If you back up your data routinely, ransom Trojans are easy to remove. Recover the files from a backup and hope the person at fault learns their lesson. 2. Keep Software up to Date Some ransom Trojans target user carelessness (“click this link,” or “open this attachment”). Others exploit vulnerabilities in software. Keep all your software patched, especially the most common and popular off-the-shelf products – they are the first ones a hacker will target.
  • 28. 3. Filter Executables Disguised as an invoice, an “urgent” document, or a notification that you’ve missed a delivery -- these are often hidden in ZIP archives. Make sure to filter those and executables in general. 4. Show File Extensions By allowing Windows to show file extensions, it makes it difficult for hackers to keep their intentions hidden. For example, if a file is really called “Invoice.doc.exe,” then you shouldn’t allow it to present itself to the user as “Invoice.doc.”
  • 29. 5. Restrict User Privileges Keep incidents isolated by making sure one infected user does not bring down your entire network. By limiting machine access to only what it needs, you can save your business significant downtime, allowing unaffected users/departments to continue working productively. 6. Disable Remote Desktop Protocol Hackers love to use Windows’ native remote access feature and third-party software to get malicious code onto computers. Although the remote desktop protocol is very useful, it does not need to be switched on all the time.
  • 30. 7. Get a Security Audit from a Reputable IT Consultant A credible and experienced IT Consultant, like Lantium, can assess your organization’s information systems, business processes, and overall cyber presence to help you identify methods to keep your business protected. By being proactive, you can ensure your business stays safe in 2017! Source: http://blog.lantium.com/seven-things-to-protect-your-business-from-ransomware
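Points 3 and 4 of the seven-step list above (filter executables hidden in ZIP attachments; do not let “Invoice.doc.exe” present itself as “Invoice.doc”) can be enforced at the mail gateway with a small name-based check. The following is an added Python example, not code from the slides or from Lantium: it opens a ZIP attachment in memory, flags members whose final extension is executable, and separately calls out the double-extension trick by showing what the user would see with extensions hidden. The extension lists and the constructed sample archive (placeholder bytes only, no real program) are assumptions for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will run directly (assumption: tune to your environment).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".jar", ".ps1"}
# Extensions a user expects a "document" or "image" attachment to carry.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
                 ".txt", ".rtf", ".jpg", ".png"}


def displayed_name(name: str) -> str:
    """What a user sees when the OS hides known extensions: the last suffix is dropped."""
    return PurePosixPath(name).stem


def inspect_name(name: str) -> list:
    """Reasons a file name should be quarantined; an empty list means no finding."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    reasons = []
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable content {suffixes[-1]}")
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension: shown as {displayed_name(name)!r} "
                           f"when extensions are hidden")
    return reasons


def inspect_zip(blob: bytes) -> dict:
    """Map of archive member -> reasons, for every member that fails the filter."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = inspect_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive shaped like the lure the slide describes (placeholder bytes only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2016-04.pdf", b"%PDF-1.4 constructed placeholder\n")
        zf.writestr("Invoice.doc.exe", b"constructed placeholder, not a program")
        zf.writestr("Delivery_Notice.js", b"// constructed placeholder")
        zf.writestr("terms.txt", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_zip(build_sample_zip()).items():
        print(f"quarantine {member}: {'; '.join(reasons)}")
```

Name checks are cheap and catch the lure exactly as the slide describes it, but they are only the first layer: a gateway that also inspects the member's magic bytes will catch an executable renamed to a document extension, which this check by design does not.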
  • 31. The “No More Ransom” website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and Intel Security – with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals. Source : https://www.nomoreransom.org/about-the-project.html
  • 32. Ransomware Families and Types: http://avien.net/blog/ransomware-resources/ransomware-families-and-types
    Analysis of the CryptoWall Version 4 Threat: http://cyberthreatalliance.org/cryptowall-report.pdf
    Even the best antivirus likely can't save your files from a ransomware infection: http://www.businessinsider.com/fighting-ransomware-with-antivirus-2016-1
    Hewlett Packard Enterprise - Cyber Risk Report 2016: https://www.thehaguesecuritydelta.com/media/com_hsd/report/57/document/4aa6-3786enw.pdf
    Shoddy Programming causes new Ransomware to destroy your Data: https://www.bleepingcomputer.com/news/security/shoddy-programming-causes-new-ransomware-to-destroy-your-data
  • 33. THANKS! Any questions? You can find me at …. tharindue.blogspot.com @thariyarox https://lk.linkedin.com/in/ediri ediri@live.com