2. WHAT IS RANSOMWARE?
• Ransomware is a type of Malicious Software.
• Block access to data. Retrieve Ransom has to pay.
• Most ransomware today encrypt files using known algorithms like RSA or RC4, or
using custom encryption.
Created By Ajuman Ramzey
3. HOW RANSOMWARE INFECTED ?
• May executed from downloaded files.
• Or by using compromised websites.
• Arrive as a payload either dropped or downloaded by other malware.
Created By Ajuman Ramzey
4. RANSOMWARE BEHAVIOUR
• In an executed system Ransomware encrypt predetermined files, thus, a full-screen
image or notification is displayed on the infected system's screen, which prevents
victims from using their system by providing instructions how pay for the ransom.
• The second type of ransomware prevents access to files to potentially critical or
valuable files like documents and spreadsheets.
• Some ransomware deliver data as attachments from spammed email, downloaded
from malicious pages through malvertisements, or dropped by exploit kits onto
vulnerable systems.
Created By Ajuman Ramzey
5. THE HISTORY AND EVOLUTION OF RANSOMWARE
Early Years 2005 - 2016 Modern Ransomware 2016 -Created By Ajuman Ramzey
6. • Cases of ransomware infection were first
seen in Russia between 2005 – 2006.
• In 2006 a Ransomware variant detected as
TROJ_CRYZIP.A .
• Following years encryption shared to
particular file types such as DOC, .XLS, .JPG,
.ZIP, .PDF, and other commonly used file
extensions.
• In 2011, SMS RANSOMWARE named as
TROJ_RANSOM.QOWA asked users of to
dial a premium SMS number from infected
systems repeatedly displayed until user
paid the ransom by dialing a premium
number.
• By 2012, Ransomware infections was
across Europe and North America.
TROJ_RANSOM.BOV displayed notification
page supposedly from the local police
agency instead of typical ransom note.
EARLY YEARS
Created By Ajuman Ramzey
7. REVETON(2012)
• Reveton a ransomware type that impersonates law enforcement agencies Known as
Police Ransomware or Police Trojans.
• It displays a warning from a law enforcement agency claiming that the computer has
been used for illegal activities. Thus it ask to pay a fine.
• Pretended tracked by law enforcement, by sharing the screen & IP address or share
location of user or display footage of user’s webcam which was recorded.
• Reveton initially began spreading in various European countries in early 2012
followed by USA & Canada.
Created By Ajuman Ramzey
9. CRYPTOLOCKER AND TORRENTLOCKER & CRYPTOWALL
(2013-2014)
• CryptoWall and CryptoLocker is a Trojans, waved in Australia.
• Victims forced to pay the ransom even if the malware deleted as data's are
encrypted. Due to this behavior, it was dubbed as “CryptoLocker”.
• Like previous it demands payment from affected users for a decrypt key to unlock
the encrypted files.
• Spread via fraudulent e-mails claiming failed parcel delivery notices and designed in
a way users visit a web page and enter a CAPTCHA code to download Payroll.
• Ransom note in CryptoLocker & CryptoWall only specifies “RSA-2048” as the
encryption method used, analysis shows that the malware uses AES + RSA
encryption.
Created By Ajuman Ramzey
10. • Introduction of new variants of “CryptoLocker”
• TROJ_UPATRE : Spreads through SPAM MAIL’s
• WORM_CRILOCK.A : Spread via removable drives, a routine unheard of in other CRILOCK
variants.
• TROJ_CRYPTRBIT.H : Deletes backup files to prevent restoration of encrypted files, and
demands payment for a decrypt key for the locked files.
• TorrentLocker is also a Trojans, which was waved in Australia tailed by Turkey.
Created By Ajuman Ramzey
12. INTRODUCTION OF BITCOINS
• Ransomware began incorporate to another element: cryptocurrency (e.g., Bitcoin)
theft.
• In 2014, Two variants of a new malware called BitCrypt.
• The first variant, TROJ_CRIBIT.A, appends “.bitcrypt” to any encrypted files and
displays a ransom note in English.
• The second variant, TROJ_CRIBIT.B, appends the filename with “.bitcrypt 2″ and uses
a multilingual ransom note in 10 languages.
• CRIBIT variants use the encryption algorithms RSA(426)-AES and RSA(1024)-AES to
encrypt the files, and specifies that the payment for unlocking files be made in
Bitcoins.
Created By Ajuman Ramzey
13. • With the exception of some ransomware families that demand high amounts,
ransomware variants typically ask for 0.5−5 Bitcoins (as of 2016) in exchange for a
decrypt key.
• This is important for two reasons
• some variants increase the ransom as more time elapses with nonpayment.
• The Bitcoin exchange rate is on the rise.
• In January 2016, 1 BTC was worth US$431. Bitcoin's value has risen dramatically
since then, topping out at US$1,082.55 at the end of March, 2017.
Created By Ajuman Ramzey
14. • The Angler Exploit Kit
In 2015, the Angler exploit kit was popular exploit kits to spread ransomware. Used in
a series of malvertisment attacks through popular media such as news websites and
localized sites.
• POSHCODER: PowerShell Abuse
New variant of Ransomware and Cryptolocker threats surfaced that leverages the
Windows PowerShell feature to encrypt files. TROJ_POSHCODER.A. Windows
PowerShell is a built-in feature in Windows 7 and higher.
POSHCODER uses AES encryption and an RSA 4096 public key to encrypt the said AES
key. Once all files on the infected system are encrypted, it displays the following image:
Created By Ajuman Ramzey
15. RANSOMWARE EVOLVED: MODERN RANSOMWARE
• After the shift to crypto-ransomware, the extortion malware has evolved, adding
following features :
1. Countdown timers,
2. Ransom amounts that increase over time,
3. Infection routines that enable them to spread across networks and servers.
• The latest developments show how threat actors are experimenting with new
features, such as offering alternative payment platforms to make ransom payments
easier, routines that threaten to cause potentially crippling damage to non-paying
victims, or new distribution methods.
Created By Ajuman Ramzey
18. LOCKY (RANSOM_LOCKY.A)
• Discovered in February 2016.
• Locky was notable for its distribution methods.
• First seen arriving as a macro in a Word document, and then spotted being spread
via Adobe Flash and Windows Kernel Exploits. One of the most actively-updated
ransomware families.
• Locky ransomware is known for deleting shadow copies of files to make local
backups useless, and is notorious for being used in multiple high-profile attacks on
healthcare facilities.
Created By Ajuman Ramzey
20. PETYA
• Discovered in March 2016.
• Unlike other ransomware, infect the Master Boot Record, installing a payload which
encrypts file tables of the NTFS file system is blocked from booting into Windows at
unless ransom is paid.
• Recent Attacks on UKRAIN & INDIA
Created By Ajuman Ramzey
21. CERBER (RANSOM_CERBER.A)
• First seen in early March 2016,
• CERBER was notable for having a ‘VOICE’ feature that reads out the ransom message.
• CERBER was also found to have a customizable configuration file that allows
distributors to modify its components—a feature common for malware that's being
sold in underground markets.
• CERBER is also notorious for being used in an attack that potentially exposed
millions of Microsoft Office 365 users to the infection.
Created By Ajuman Ramzey
23. SAMSAM (RANSOM_CRYPSAM.B) & JIGSAW
(RANSOM_JIGSAW.I)
• Discovered in March 2016, SAMSAM is installed after the attackers exploit
vulnerabilities on unpatched servers—instead of the usual malicious URLs and spam
emails—and uses these to compromise other machines.
• JIGSAW seen in April 2016 .
• Jigsaw's ransom note features a countdown timer to pressure its victims into
paying—with a promise to increase the ransom amount while deleting portions of
the encrypted files every time the timer runs out. Recent Jigsaw variants also
featured a chat support feature that allows victims to contact the cybercriminal.
Created By Ajuman Ramzey
24. FUSOB
• Major mobile ransomware virus.
• It employs scare tactics to extort people to pay a ransom.
• FUSOB pretends an accusatory authority, demanding to pay a fine from $100 to $200
or otherwise face a fictitious charge.
• Reported about 56 % mobile was affected since from April 2015 and March 2016.
• Also bluffed by suggests using iTunes gift cards for payment or a timer clicking down
on the screen to the user’s by exciting deals.
Created By Ajuman Ramzey
25. WANNACRY WORM
• WANNACRY RANSOMWARE infected more than 230,000 computers in over 150
countries in May 2017 .
• Attack spread through the Internet via malicious Dropbox URLs embedded in spam.
• Exploiting a recently patched vulnerability in the SMB Server, thus resulting in the
biggest ransomware attack to date.
• Used 20 different languages to demand money from users using - an cryptocurrency
called Bitcoin
• Demanded US$300 per computer.
Created By Ajuman Ramzey
28. • No particular way to stop ransomware, but a multi-layered approach can prevents it
from reaching networks and systems to minimize the risk.
• For Enterprises: Email and web gateway solutions such as Email Inspector and
InterScan Web Security prevent virus from reaching end users.
• At the endpoint level, Smart Protection Suites features behavior monitoring and
application control, as well as vulnerability shielding to minimize the risk of getting
infected .
• Deep Discovery Inspector detects and blocks ransomware on networks, Deep Security
stops ransomware from reaching enterprise servers—whether physical, virtual or in
the cloud.
RANSOMWARE DEFENCE
Created By Ajuman Ramzey
29. • For small and medium-sized businesses: Worry-Free Services Advanced softwares
offers cloud-based email gateway security through Hosted Email Security.
• Its endpoint protection also delivers several capabilities such as behavior
monitoring and a real-time web reputation service that detects and blocks.
• For home users: Anti Virus Security Providers, provides robust protection by
blocking malicious websites, emails, and files associated with this threat.
Created By Ajuman Ramzey
30. RANSOMWARE PREVENTION
• Avoid opening unverified emails or clicking links embedded in them.
• Back up important files using the 3-2-1 rule - Create 3 backup copies on 2 different
media with 1 backup in a separate location.
• Regularly update software, programs, and applications to protect against the latest
vulnerabilities.
Created By Ajuman Ramzey