3Es of Ransomware
Economy  Evolution  Evaluation
Who am I?
• Threat Researcher for money.
• Interested in
• Things commonly considered criminal.
• Reach me
• @_badbot
• badboy16a@gmail.com
Ransomware
“Never before in the history of humankind have
people across the world been subjected to extortion
on a massive scale as they are today.”
Why this?
• $445 Billion
• The amount cybercrime will cost the global economy in
2016. The primary driver of loss will be ransomware.
• +300%
• The increase in ransomware attacks from Q1 of 2016
compared to Q1 2015. That’s as many as 4,000
ransomware attacks per day.
• 60 Seconds
• The time it takes a hacker to compromise a computer
with ransomware.
Components
Economy
• About 1,425% ROI for 30 days campaign.
• Investment : $5,900 USD
• Delivery
• Infection
• C&C
• Earnings: $90,000 USD
• 10% infection
• 0.5% payment
• $300 Ransom
• Profit: $84,100
Economy
• About 39% of enterprises were
attacked, ~40% paid to the
attackers.
• $209 million payments in the
first three months of 2016.
• Estimated to be a $1 billion a
year
Evolution
Evolution
• AIDS/PC Cyborg : 1989
• Author: Joseph L. Popp
• Delivery: 20,000 infected floppies.
• Target: Attendees of WHO conference on AIDS.
• Payout: $189 USD to PO Box in Panama.
• Behavior: Encrypted file names and hid directories
after 90 reboots.
Evolution
• GPCoder : 2005
• Discovered and Researched by Kaspersky Lab.
• First use of PKI.
• RC4 + RSA.
• Original file is Deleted.
• Payout: $100-$200 in E-Gold/Liberty Reserve account.
• StopGPCode was released to recover files.
Evolution
• WinLock : 2010
• System Locker.
• Ransom: 1 premium SMS of ~$10.
• Displaying porn.
• Unnamed : 2011
• System Locker.
• Imitated Windows Activation Dialog.
• Asked to call fake activation support phone.
Evolution
• Reveton: 2012
• System Locker
• Accused users of having illegal
material.
• Threatened action from FBI if
“fine” is not paid.
• Based on Zeus and Citadel.
• Kovter : 2013
• System Locker
• Waits for certain actions.
Evolution
• CryptoLocker : 2013
• Return of encryption.
• Generated 2048 bit RSA key pair.
• Uploaded private key to server.
• Asked payment in Bitcoin.
• Taken down by government in 2014.
• At least $3 million extortion.
Evolution
• CryptoWall: 2014
• Used TOR from v1.0.
• Distributed via malvertising.
• Used digitally signed payload.
• Estimated losses of $18 million by
June 2015.
• Locky: 2015
• Ransomware for hire.
• Adds .locky extension to encrypted
files
• Mostly distributed via spam emails.
• Attachments with macros.
Evaluation
Infection : Dropper
• Attachment with macro
• Macro activation.
• Scripts
• js/jse
• vbs/vbe
• wsf
• ps1
• HTML
• HTA
Infection : Payload
• EXE
• Custom Packers
• Installer Package
• DLL
• Python
• Fs0ciety
• PS1
• PowerWare
• Cerber
Setup
• No Recovery
• vssadmin delete shadows /for=d: /all
• WMIC.exe "shadowcopy delete"
• Bcdedit.exe "/set {default} recoveryenabled no"
• Bcdedit.exe "/set {default} bootstatuspolicy ignoreallfailures"
• Registry Entries
• Autorun
• key+IV
• TypeHandler
• Encryption Key
• UUID
• SerialNumber
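A defender-side check for the recovery-destruction commands listed in the Setup slide, run over constructed Sysmon-style process-creation events. This is an added example, not code from the talk; the event field names, rule names and the escalation threshold are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Users\bob\AppData\Roaming\locky.exe",
     "cmd": "vssadmin delete shadows /for=d: /all"},
    {"pid": 4121, "parent": r"C:\Users\bob\AppData\Roaming\locky.exe",
     "cmd": 'WMIC.exe "shadowcopy delete"'},
    {"pid": 4122, "parent": r"C:\Users\bob\AppData\Roaming\locky.exe",
     "cmd": "Bcdedit.exe /set {default} recoveryenabled no"},
    {"pid": 4123, "parent": r"C:\Users\bob\AppData\Roaming\locky.exe",
     "cmd": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 900, "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "vssadmin list shadows"},            # benign admin query, must not fire
    {"pid": 901, "parent": r"C:\Windows\explorer.exe",
     "cmd": r"notepad.exe C:\docs\report.docx"},
]

# One rule per command family from the slide; tolerant of an .exe suffix, case and extra switches.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("boot_recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("boot_recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
]

def normalize(cmd):
    # Lower-case and drop straight or curly quotes so "shadowcopy delete" matches the unquoted form.
    return re.sub("[\"\u201c\u201d]", "", cmd).lower()

def detect(events):
    # Return one finding per event whose command line matches any rule.
    findings = []
    for ev in events:
        text = normalize(ev["cmd"])
        for name, pattern in RULES:
            if pattern.search(text):
                findings.append({"pid": ev["pid"], "parent": ev["parent"], "rule": name})
                break
    return findings

def parents_destroying_recovery(events, threshold=2):
    # Escalate when one parent issues several of these commands in sequence,
    # which ransomware does routinely and an administrator rarely does.
    counts = {}
    for f in detect(events):
        counts[f["parent"]] = counts.get(f["parent"], 0) + 1
    return sorted(parent for parent, n in counts.items() if n >= threshold)
```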
Encryption
• Targets
• File Types
• doc, xls, ppt, jpg…
• Disks
• Extensions
• locky, crypt, locked, [random]…
• Exclusions
• Program Files
• Windows
• .exe, .dll, .sys
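A monitor for the encryption behaviour the slide describes: a single process renaming many targeted document types to a known ransom extension (locky, crypt, locked) or to a random one. This is an added example, not code from the talk; the rename-event format, the window and the threshold are assumptions.

```python
from collections import defaultdict, deque

# Document types the deck lists as targets, and the extensions it lists as appended.
TARGET_TYPES = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".jpg", ".pdf"}
KNOWN_RANSOM_EXTS = {".locky", ".crypt", ".locked"}
WINDOW_SECONDS = 60   # assumption: how close together the renames must be
THRESHOLD = 5         # assumption: suspicious renames per process before alerting

# Constructed rename events (timestamp in seconds, pid, old path, new path); not real telemetry.
SAMPLE_RENAMES = [
    (1000, 3301, r"C:\Users\bob\Documents\q1.xlsx", r"C:\Users\bob\Documents\q1.xlsx.locky"),
    (1001, 3301, r"C:\Users\bob\Documents\plan.docx", r"C:\Users\bob\Documents\plan.docx.locky"),
    (1002, 3301, r"C:\Users\bob\Pictures\cat.jpg", r"C:\Users\bob\Pictures\cat.jpg.locky"),
    (1003, 3301, r"C:\Users\bob\Documents\deck.pptx", r"C:\Users\bob\Documents\deck.pptx.locky"),
    (1004, 3301, r"C:\Users\bob\Documents\notes.doc", r"C:\Users\bob\Documents\notes.doc.locky"),
    (1005, 3301, r"C:\Users\bob\Documents\cv.pdf", r"C:\Users\bob\Documents\cv.pdf.locky"),
    # a second process using a random extension, as the "[random]" entry on the slide describes
    (2000, 4410, r"D:\share\a.docx", r"D:\share\a.docx.7f3a1c"),
    (2001, 4410, r"D:\share\b.docx", r"D:\share\b.docx.7f3a1c"),
    (2002, 4410, r"D:\share\c.xlsx", r"D:\share\c.xlsx.7f3a1c"),
    (2003, 4410, r"D:\share\d.jpg", r"D:\share\d.jpg.7f3a1c"),
    (2004, 4410, r"D:\share\e.pdf", r"D:\share\e.pdf.7f3a1c"),
    # benign: a user renaming one document, which keeps its type
    (3000, 5500, r"C:\Users\bob\Documents\draft.docx", r"C:\Users\bob\Documents\final.docx"),
]

def ext(path):
    # Last extension of a Windows path, lower-cased; split by hand so it works on any host OS.
    name = path.rsplit("\\", 1)[-1]
    return ("." + name.rsplit(".", 1)[1]).lower() if "." in name else ""

def looks_encrypted(old, new):
    # A targeted document type whose name gained a known ransom extension or an unknown one.
    old_ext, new_ext = ext(old), ext(new)
    if old_ext not in TARGET_TYPES or new_ext == old_ext:
        return False
    return new_ext in KNOWN_RANSOM_EXTS or new_ext not in TARGET_TYPES

def flag_processes(events):
    # Sliding window per pid: alert once THRESHOLD suspicious renames fall inside WINDOW_SECONDS.
    recent = defaultdict(deque)
    flagged = {}
    for ts, pid, old, new in sorted(events):
        if not looks_encrypted(old, new):
            continue
        window = recent[pid]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= THRESHOLD and pid not in flagged:
            flagged[pid] = ext(new)   # remember which extension the process is appending
    return flagged
```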
Ransom
• Display Note
• MessageBox
• Window
• Wallpaper
• Image
• HTML/TEXT/URL
• Content
• Encryption Algorithm
• Amount
• SystemID/UserID
• URL for bitcoin transfer
• Proof of decryption
Recovery
• Decryption/Eradication Tools
• Kaspersky
• WildFire, Shade, Rakhni, SMASH, CoinVault, XORIST…
• TrendMicro
• CryptXXX(1,2,3,4,5), Crysis, TeslaCrypt, Cerber V1, Nemucod…
• https://www.nomoreransom.org/decryption-tools.html
• Recovery tools
• Photorec
Education
• Avoid ransomware
• Don’t click
• Unplug immediately
• Don’t pay
• Backup
• Disconnected
• Full Snapshots
• Offline restoration
• Update
Question?

Editor's Notes

  • #3 Sean Murray
  • #4 Symantec-08/2015 “Ransom”: A sum of money demanded or paid for the release of a captive. Captive: Files/Systems Ransomware is a tool to facilitate Ransom. F-s0ciety http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf
  • #5 https://fightransomware.com/
  • #7 Return On Investment. Stats by Trustwave, CTB-Locker as example. http://www.darkreading.com/analytics/cybercrime-can-give-attackers-1425--return-on-investment/d/d-id/1320756
  • #8 *2: by FBI, based on reported cases. https://go.malwarebytes.com/OstermanRansomwareSurvey.html
  • #9  http://centracomm.net/wp-content/uploads/2016/06/the-rise-of-ransomware.png
  • #10 1. Harvard-trained evolutionary biologist Joseph L. Popp. 4. PO Box in name of PC Cyborg Corp. 5. Ransom was asked as license fee to use the software.
  • #11 First seen in 2004. Custom symmetric encryption with a 1-byte key; easily defeated. GPCoder.ak used proper 1024-bit RSA + RC4. Originals were deleted, so undelete was possible. RC4 => easy cryptanalysis.
  • #13 Police-themed ransomware. Ransomware for OSX. Used a webpage and clickjacking. Jay Matthew Riley, 21, of Woodbridge, Va, turned himself in to police.
  • #14 Primarily distributed by the Gameover Zeus botnet Operation Tovar
  • #15 CryptoWall started as a clone of CryptoLocker. These variants have evolved: clones/mixed, random extensions.
  • #16 Infection Key-Setup Encryption Ransom Demand
  • #18 Custom packers: Locky, TeslaCrypt DLL: Locky
  • #19 Autorun: Locky. Key+IV: NoobLocker. PrincessLocker adds the ransom note as the .locked type handler.
  • #20 Cerber targets 294 different file extensions. HDDCryptor uses a component of an open source tool.
  • #21 They usually display name of ransomware.
  • #22 Almost all AV vendors have some ransomware recovery. Not all versions are decryptable. NoMoreRansom: Kaspersky, Intel, Law Enforcement. Recovery tools: TestDisk, Recuva.
  • #23 Don’t pay: don’t listen to the FBI. Mount backups in read-only mode while restoring.