Ransomware: Emergence of the Cyber-Extortion Menace

Security Research Institute
Edith Cowan University
Ransomware
Emergence of the
Cyber-Extortion Menace
Nikolai Hampton1 and Zubair A. Baig1,2
School of Computer and Security Science1,
Security Research Institute2
Perth, Australia
nikolaih@our.ecu.edu.au, z.baig@ecu.edu.au
December, 2015

Ransomware – What is it?
Ransomware: (noun)…
“Ransomware is a type of malware that
prevents or limits users from accessing
their system. This type of malware forces
its victims to pay the ransom through
certain online payment methods in order
to grant access to their systems, or to get
their data back.” (TrendMicro, n.d.)

It’s a hot topic…

Some history
• PC CYBORG (AIDS) Ransomware
emerged in 1989. Distributed on floppy
disks…
Source: https://commons.wikimedia.org/wiki/File:Floppy_disk_2009_G1.jpg
Anyone remember these?

Some history
• PC CYBORG (AIDS Disk)
– Emerged in 1989. Distributed on floppy disks
– Installed from Trojan software
– Lay dormant to allow time for propagation
– Used operating basic encryption and operating
system quirks to “scramble” and hide files
– Demanded a “License Payment” to be sent via
cheque to a post office box in Panama

Some history
• PC CYBORG (AIDS) - 1989
– Not very successful
– Technology was lagging behind the idea

Some history
• Malware continued to develop
1990s – 2000s
– Identity theft
– Phishing scams, stealing passwords
– Bot Nets – Networks of compromised PCs
– Adware
…but where was ransomware?

Some history
Where’s Ransomware 1990s-2000s
Very small percent of Malware!
Too complicated, how to get money?
Too risky, how to stay hidden?
Too weak, how to “Denial of Service” an uncontrolled PC?
Occasional “fake” ransom, or Anti
Virus, easily defeated / removed
Occasional “locker” that affected boot
process, easily defeated / removed
(CC) BitDefender España (2010)
Source: https://www.flickr.com/photos/bitdefenderes/4292753852
Source: http://www.acma.gov.au/~/media/mediacomms/Social%20Media/Images/Ransomware%20Screenshot%20jpg.jpg
Australian Communication and MediaAuthority (2013)

Why is it important now?
• In 2010, something changed…
Google search trends “ransomware” searches
2008 to 2015
• In 2012, something changed, a lot!

Reality Check - Perspective
2008 to 2015
vs “malware” searches 2008 to 2015

So it’s just a pest?
• At the moment yes, but it’s getting a lot of coverage.

Why is it important now?
• Technology has caught up to the idea!
Step 1: Idea! Ransom money from
people!
Step 3: Profit…
Step 2: Use technology to enable the idea!
Image: Jodi Meadows (2011), Flickr
https://www.flickr.com/photos/69585952@N00/

The perfect storm
• Technology has caught up to the idea!
– CTB Locker: Curve, TOR, Bitcoin
 Strong encryption
 Anonymity
 Untraceable crypto-cash payments

So, here we are – our research
Ransomware
Emergence of the Cyber-Extortion Menace

Aim
• Understand the ransomware threat…
• Lay the foundation for extrapolating
future ransomware development
• Focus on the ransomware payload
separately from the dropper
• Extend existing research and ideas
Young, A., & Yung, M. (1996).
Cryptovirology: Extortion-Based Security Threats and Countermeasures.

What we did…
• Propose a nomenclature for ransomware “traits”
• Record the history and traits of ransomware strains
over time
• Developed a ransomware traits database
• Chart the inclusion / exclusion of traits over time
• Examine which traits have conferred benefits
– Impact
– Longevity
– Profitability (for the attackers)

What we did…

What we did…
• An overview of ransomware examined:
– Twenty-nine variants
– Nine ransomware families
(PC Cyborg, GPCode, Reveton, CryptoLocker,
CryptoDefense,CryptoWall, CTB-Locker, TeslaCrypt)
– Twenty-two traits examined
(Encrypts, Strong Cypher, PKI, Autonomous, TOR…)

Results
Complete√
X
O
Broken
Partial
Traits Expressed

Results
• Increasing use of security technology over
time..
0
2
4
6
8
10
12
14
< 2004 2004-2005 2006-2007 2008-2009 2010-2011 2012-2013 2014+
Ransomware strains surveyed and use of new technologies
# of strains surveyed
Bitcoin Uptake
TOR Uptake

Evolution of GPCode’s encryption
GPCode 2004
Used one byte encryption key, easily defeated
Electronic payments
GPCode.ac (June 2005)
Implemented RSA Public Key Cryptography (PKI)
Very weak key (56bit RSA modulus = 7 bit symmetric key)
GPCode.ad (April 2006)
Longer RSA keys but still poor PKI implementation
GPCode.ag (June 2006)
Finally, a strong RSA key (660 bit = ~60 bit symmetric)
Cracked by Kaspersky, probably a coding error in .ag
GPCode.ak (June 2008)
Properly implemented 1024 bit RSA key
Failed due to implementation of wrong “cipher”
RC4, vulnerable to cryptanalysis
GPCode.ax (December 2010) – A copycat…
Unbreakable encryption
… but still can be stopped (it has flaws)

Evolution of Command and Control
• GPCode (2004)
– No C&C (C2) Server, just “did its thing”
– Contact malware producer via email for unlock code
• Reveton (2012)
– Doesn’t encrypt but uses C2 server for ‘unlock’
• Cryptolocker (2013)
– Uses C2 server, to retrieve RSA public key (much more secure)
– Pseudo Random “Domain Generation Algorithm” (DGA) to avoid
easy takedowns
(contacts garbage URLs: xxgrradvvzcfyx.biz)
• Cryptowall (2014)
– Uses C2 server on TOR – hidden and anonymous network!
– Improved DGA to make takedown even harder

New command and control
Compromised
System
Encrypted
I2P‘darknet’link
AnonymousC2
Server
Upload infected PC details (registration)
Acknowledgement
Initialisation
Download encryption key request
Public key response
Request for ransom image and text resources
Image and decryption text instructions
Dataencryption/
destruction begins
Keyverificationandimport
usingWindowscryptoAPIs
CryptoWall execution
I2Pproxy connection
to C2 server
I2P
proxy
Malspam
or Angler EK
Dropper
*
* Angler Exploit Kit may use single
phase malware installation without dropper
!
!
!
!
!
!
potential contact points
for attack disruption
© Ni kol ai Hampt on, 2015 - Thi s wor k i s l i cens ed under CC BY ( ht t p: / / cr eat i vecommons . or g/ l i cens es / by/ 3. 0/ )

What does it mean?
• Ransomware is evolving
• Responding to new defences
• Profit
Virus Image CC BY 2.0
Flickr: NIAID
https://www.flickr.com/photos/niaid/

Breaking broken news
• CryptoWall 4.0
– New traits (filename scrambling)
– Obliterates restore points
– Improved network security evasion

What can users do?
• Classic Defense-In-Depth approach
– Multi Layer
– Device Protection
– Network Protection
• Backups
– Still good, but…

Future work and questions?
• Opportunity to apply some funky statistics
– Through trait impact analysis
– BIA/Longevity/Destructiveness Index
• Machine learning (pattern recognition)
• Improve the naming and reporting of
ransomware
• Collective collaboration

Conclusion
• We examined the ransomware threat and the
emergence of traits over the last 26 years
• We were able to identify evolutionary patterns in
most strains
• Given the changing risk/reward structure it’s hard
to believe this isn’t going to get much bigger
• This shows it is a threat we can not dismiss

Thanks for your time!
?

Ransomware: Emergence of the Cyber-Extortion Menace

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Ransomware: Emergence of the Cyber-Extortion Menace

Similar to Ransomware: Emergence of the Cyber-Extortion Menace (20)

Recently uploaded

Recently uploaded (20)

Ransomware: Emergence of the Cyber-Extortion Menace

Editor's Notes