4. Systems impacted by Ransomware
• Personal computers
• Mobile devices
• Servers
6. Type of Traditional Ransomware
• Crypto Ransomware
  • A crypto ransomware works by applying encryption and decryption algorithms to device data.
  • It encrypts the victim's data files and demands a ransom for decrypting them.
  • Data are encrypted using a public key, and victims are only handed the private key needed to decrypt their data once the ransom is paid.
• Locker Ransomware
  • A locker ransomware works by restricting user access to device/system functionalities.
  • It typically locks computer devices and interfaces, then asks for a ransom fee to restore the blocked resources.
• Hybrid Ransomware
  • Hybrid ransomware attacks that combine encryption and locking mechanisms are more dangerous, because both the device data and the device functionality can be compromised.
7. Type of Ransomware of Things
• Crypto Ransomware
  • In the case of IoT devices, a crypto ransomware is more dangerous when it attacks back-end application servers, because the front-end IoT devices do not hold a large amount of data.
• Locker Ransomware
  • Locker ransomware may alter the functionality of IoT devices to persuade device owners to pay the ransom.
  • Locker ransomware attacks are usually launched at the front-end IoT devices.
• Hybrid Ransomware
  • A hybrid ransomware attack could become more vicious because it can target both front-end and back-end IoT devices and systems.
8. Type of Ransomware
• Both types are delivered in the same way, but what they do after infecting a device differs.
9. Crypto Ransomware
PadCrypt targets Windows OS and spreads through spam email containing an executable script disguised as a PDF file. Once installed, PadCrypt encrypts all data that resides in the targeted folders as well as on local drives and changes their file extensions to .ETC or .padcrypt. It also deletes Shadow Volume Copies to prevent file recovery. PadCrypt is the first variant that comes with its own “Live Chat Support” feature for victims to contact the ransomware developer directly in order to navigate the ransom payment process.
Cryptolocker is a malware threat that gained notoriety in recent years. It is a Trojan horse that infects your computer and then searches for files to encrypt. This includes anything on your hard drives and all connected media, for example USB memory sticks or any shared network drives. In addition, the malware seeks out files and folders you store in the cloud.
DirtyDecrypt (or Revoyem) is a ransomware that infiltrates systems and encrypts various file types (including .pdf, .doc, .jpeg, etc.). During encryption, DirtyDecrypt embeds an image file into each encrypted file. Thus, when victims attempt to open an encrypted file, the image (which contains a ransom-demand message) is opened instead.
10. Crypto Ransomware (Cont…)
Cryptowall is a ransomware malware that encrypts files on an infected computer and demands a ransom in exchange for a decryption key. Cryptowall is usually spread by spam and phishing emails, malicious ads, hacked websites, or other malware, and uses a Trojan horse to deliver the malicious payload.
TeslaCrypt was a ransomware trojan. It is now defunct, and its master key was released by the developers. In its early forms, TeslaCrypt targeted game-play data for specific computer games.
11. Locker Ransomware
WinLock did not use encryption. Instead, WinLock trivially restricted access to the system by displaying pornographic images and asked users to send a premium-rate SMS (costing around US$10) to receive a code that could be used to unlock their machines.
DMA Locker targets Windows OS, and one known method of distribution is through Remote Desktop. Once an infection occurs and the executable is launched, DMA Locker terminates any applications used for backing up data and adds registry keys to maintain persistence. It then whitelists all system and executable files and proceeds to encrypt all other files located on local drives, mapped network shares, and even unmapped network shares. Unlike other variants, DMA Locker does not add a custom extension to encrypted files but instead adds an identifier to the file headers. In earlier versions of DMA Locker, one AES key was used for all encrypted files, but the most recent version generates a new random key for each file. DMA Locker demands a ransom of 4 Bitcoin (approximately $1700 USD at the time of this publication).
CTB-Locker ransomware is part of the crypto-ransomware family. This type of virus infiltrates operating systems via infected email messages and fake downloads (e.g., rogue video players or fake Flash updates). After successful infiltration, this malicious program encrypts various files (*.doc, *.docx, *.xls, *.ppt, *.psd, *.pdf, *.eps, *.ai, *.cdr, *.jpg, etc.) stored on computers and demands a ransom payment in Bitcoins to decrypt them (encrypted documents receive the .ctbl file extension).
12. Locker Ransomware (Cont…)
The Locky ransomware commonly encrypts files on Windows OSes. Once encrypted, the files are inaccessible and unusable, and the attackers demand a ransom. Locky spreads through the use of social engineering techniques: the cyber criminals' targets typically receive fraudulent emails that appear to be payment invoices. Past subject lines have included “Upcoming Payment—1 Month Notice”.
TorrentLocker is spread through infected spam emails, or emails that claim the victim has to pay an invoice, a fee for a package in the mail, or a speeding ticket fine. Notably, the creators of TorrentLocker mainly target specific countries with these infected emails rather than as many countries around the world as possible.
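As an added example (not from the slides), the following Python detector turns two behaviours described on slides 9 to 12 into a check over constructed file-event log lines: a burst of renames to the extensions PadCrypt (.ETC, .padcrypt) and CTB-Locker (.ctbl) apply, and the Shadow Volume Copy deletion PadCrypt performs before encryption finishes. The log line format, the alert threshold and the extension set are assumptions for the demo.

```python
import os
import re
from collections import defaultdict

# Extensions named on the slides (PadCrypt: .ETC/.padcrypt, CTB-Locker: .ctbl).
SUSPECT_EXTENSIONS = {".padcrypt", ".etc", ".ctbl"}
RENAME_THRESHOLD = 5  # renames per process before alerting (assumed value)

# Assumed log format: "<timestamp> pid=<n> <ACTION> <path> [-> <newpath>]"
LINE_RE = re.compile(r"^(\S+) pid=(\d+) (\w+) (\S+)(?: -> (\S+))?$")

# Constructed sample events: pid 4121 behaves like PadCrypt (mass renames,
# then shadow-copy deletion); pid 812 is a benign single rename.
SAMPLE_LOG = [
    "2016-01-10T09:00:01 pid=4121 RENAME C:/Users/a/Docs/q1.docx -> C:/Users/a/Docs/q1.docx.padcrypt",
    "2016-01-10T09:00:01 pid=4121 RENAME C:/Users/a/Docs/q2.xlsx -> C:/Users/a/Docs/q2.xlsx.padcrypt",
    "2016-01-10T09:00:02 pid=812 RENAME C:/Users/a/Pics/cat.jpg -> C:/Users/a/Pics/cat.jpeg",
    "2016-01-10T09:00:02 pid=4121 RENAME C:/Users/a/Docs/cv.pdf -> C:/Users/a/Docs/cv.pdf.ETC",
    "2016-01-10T09:00:02 pid=4121 RENAME C:/Users/a/Docs/notes.txt -> C:/Users/a/Docs/notes.txt.padcrypt",
    "2016-01-10T09:00:03 pid=4121 RENAME C:/Users/a/Docs/plan.pptx -> C:/Users/a/Docs/plan.pptx.padcrypt",
    "2016-01-10T09:00:07 pid=4121 SHADOW_DELETE C:/",
]

def analyze(lines):
    """Return alert strings for processes showing ransomware-like file activity."""
    renames = defaultdict(int)
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than crash the detector
        ts, pid, action, _path, newpath = m.groups()
        if action == "RENAME" and newpath:
            ext = os.path.splitext(newpath)[1].lower()  # ".ETC" -> ".etc"
            if ext in SUSPECT_EXTENSIONS:
                renames[pid] += 1
                if renames[pid] == RENAME_THRESHOLD:  # alert once per process
                    alerts.append(f"{ts} pid={pid}: {RENAME_THRESHOLD} files renamed to ransomware extensions")
        elif action == "SHADOW_DELETE":
            # PadCrypt deletes Shadow Volume Copies to block file recovery.
            alerts.append(f"{ts} pid={pid}: shadow copy deletion")
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```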
13. History of Ransomware
Name of attack     Launch year   Attribute of attacks
PC Cyborg / AIDS   1989          Spread using floppy disks.
Gpcode             2005-2008     Harmful threat that spreads via emails and encrypts media and MS Office files.
DirtyDecrypt       2013          Encrypts some eight types of file formats.
Linux.Encoder      Nov 2015      Encrypts Linux home directories and any other web directories.
Petya              Apr 2016      Targets Microsoft Windows-based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting.
WannaCry           2017          Ransomware cryptoworm that targeted computers running the Microsoft Windows OS by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
14. 2016 is considered “The Year of Ransomware”; 2017 could be called “The Year of Jackware”.
• Goal of Ransomware: block access to a computer system until a sum of money is paid.
• Goal of Jackware: lock up a car or another device until you pay up.
16. WannaCry Ransomware
The largest ransomware attack to date, WannaCry infected more than 230,000 computers in over 150 countries, displaying ransom notes in 20 different languages and demanding $300 from every infected computer.
18. Ransomware of Things Penetration Methods
1. Content Delivery Network and Malvertisement
• Attackers can intercept CDN traffic in the back-end edge networks and at the front-end IoT devices.
• Malvertisement: the material advertised through the CDN seems legitimate but contains malware, which users erroneously install on their devices, compromising data/device security.
2. Botnets
• Ransomware can also be introduced using botnets that silently roam inside IoT networks.
• Once a botnet is activated as a result of a user or device action, the entire IoT network is compromised.
3. Social Engineering
• Attackers may use phishing emails in which users are asked to download the attached files or click on certain links.
• IoT devices usually do not provide direct interaction with external users.
• Ransomware attacks in this case could be launched by external users presenting themselves as legitimate users/devices within the IoT network.
4. Ransomware-as-a-Service
• IoT devices heavily depend on application services and cloud data centers; attackers can intercept device-cloud traffic and inject ransomware.
• When the IoT device uses the infected services, the entire IoT network is under threat.
19. IoT related ransomware attacks
1. Thermostat Hacking
• The researchers had no malicious intent: the idea was to prove that IoT devices could be hacked for ransom, to create awareness against malicious attacks, and to highlight the importance of IoT device security.
• The ransomware was downloaded by exploiting an undisclosed bug in an IoT application.
• They found that the thermostat device was not checking and verifying the files that were being executed, thus creating an opportunity to execute the ransomware and control device operations.
• The findings were then revealed to the thermostat vendor to fix in future devices.
21. 2. Flocker
• Frantic Locker is a locker ransomware that infiltrates smart TV systems and locks the display screen.
• The ransomware was hidden in a fake movie screening application and activated when the user installed the application on a smart TV.
• It not only locks the screen but also disables the factory reset option.
• Flocker asks for $500 USD with a strict deadline of three days.
22. Mitigation strategies
• Educate and inform
• Patch software
  • Adobe
  • Microsoft
  • Oracle
• Use a layered defense approach
• Use a comprehensive endpoint security solution
• Use network protection
• Make backups and have a plan
23. Requirements For Securing IoT
An IoT framework can be divided into three layers: device, gateway, and service.
Device Layer Security
• Secure booting
• Secure code updates
• Access control
• Device authentication
Gateway Layer Security
• The gateway is deployed between the IoT devices and the Internet.
• The network designers should ensure that the IoT gateway is protected from malware and intrusions by applying access control lists and filtering.
Service Layer Security
• The service layer handles the communication between the device and gateway layers.
• Dynamic auditing mechanisms should be implemented to enable security at the service layer.
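The thermostat on slide 19 executed files without verifying them; the device-layer “secure code updates” requirement above closes that gap. The Python sketch below is an added example, not the vendor's code: it gates execution of an update on an integrity tag and rejects a tampered payload. It assumes a device-provisioned key and uses HMAC-SHA256 only to stay dependency-free; a production design would use an asymmetric signature so the key stored on the device cannot forge updates.

```python
import hashlib
import hmac
import secrets

# Assumed: a verification key provisioned into the device at manufacture.
# HMAC (symmetric) keeps the example dependency-free; a real device would
# verify an asymmetric signature so that holding the device key is not
# enough to forge an update.
DEVICE_UPDATE_KEY = secrets.token_bytes(32)

def sign_update(payload: bytes, key: bytes = DEVICE_UPDATE_KEY) -> bytes:
    """Vendor side (constructed): produce the tag shipped with an update."""
    return hmac.new(key, payload, hashlib.sha256).digest()

def verify_update(payload: bytes, tag: bytes, key: bytes = DEVICE_UPDATE_KEY) -> bool:
    """Device side: accept the update only if the tag matches.
    compare_digest is constant-time, so timing does not reveal how many
    tag bytes were correct."""
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def apply_update(payload: bytes, tag: bytes) -> str:
    """Gate execution on verification. The thermostat in the slides skipped
    this step, so an attacker-supplied file ran with device privileges."""
    if not verify_update(payload, tag):
        return "rejected: update failed integrity check, not executed"
    # Constructed stand-in for flashing/executing the verified update.
    return "applied: " + hashlib.sha256(payload).hexdigest()[:16]

# Constructed inputs: a genuine update, and a tampered copy that reuses
# the genuine tag (what an attacker who altered the file would present).
GENUINE = b"thermostat-fw v2.1 (constructed sample payload)"
GENUINE_TAG = sign_update(GENUINE)
TAMPERED = GENUINE.replace(b"v2.1", b"v2.1-modified")

if __name__ == "__main__":
    print(apply_update(GENUINE, GENUINE_TAG))
    print(apply_update(TAMPERED, GENUINE_TAG))
```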