Ransomware: How to avoid a crypto crisis at your IT business (Calyptix Security)
Cryptolocker and other ransomware brought crisis to thousands of businesses last year. The malware made millions by encrypting victims’ files and demanding ransoms to unlock them. Some companies lost everything. Others, including local police departments, had to pay a hefty ransom to recover their data.
Today, Cryptolocker is gone, but ransomware is growing stronger. New variants such as CryptoWall and Critroni are infecting users, locking their files, and demanding higher ransoms. How can you protect your IT business and clients from this growing threat?
Join Calyptix Security for a conversation on crypto-ransomware, where it’s headed, and how to avoid a ‘crypto crisis’ at your office. You’ll get straight-forward advice on how to stop this threat from impacting your business network security and clients.
Video recording of this webinar, which took place on March 12, 2015.
Malware's Most Wanted: CryptoLocker—The Ransomware Trojan (Cyphort)
The CryptoLocker Malware encrypts certain files with a private key and demands payment to regain access to the files. Nick Bilogorskiy, Director of Security Research, presents this deep dive into CryptoLocker and looks at the latest information around what is called one of the two most sophisticated and destructive forms of malicious software in existence. (The other being Gameover Zeus.)
Malware’s Most Wanted is a monthly series to inform IT security professionals on the details of the most dangerous advanced persistent threats. Attendees receive a special edition t-shirt.
Blackhat USA 2014 - The New Scourge of Ransomware (John Bambenek)
In March of this year, a Romanian man killed himself and his 4-year-old son because of ransomware he received after visiting adult websites. This "police impersonation" malware instructed him to pay a massive fine or else go to jail for 11 years. Ransomware isn't a new threat; however, it took on new life with CryptoLocker, the very first variant to perform encryption correctly, thus significantly inhibiting security researchers and their typical countermeasures. Due to its unique nature, CryptoLocker is one of the few current malware campaigns that spawned its own working group focused on remediation. As time progressed, other ransomware copycat campaigns emerged, some of which got media attention even though they were nothing but vaporware.
This talk will focus on what the threat intelligence community did in response to this threat, including the development of near-time tracking of its infrastructure and what can be learned in order to manage new threats as they emerge.
Just as the title says, we go over the humble origins, touch on the notable variants of yesteryear and the big hitters of today, and discuss the future of ransomware. It's no longer just for Windows: Linux, Mac and mobile platforms are all ripe for extortion.
This humorous and entertaining talk teaches everyone, from Mom and Pops to large enterprise organizations, what's really happening and how to protect themselves.
No company is safe from a Ransomware attack (malicious forms of software programmed to steal company data and hold it for "ransom"). However, technology has allowed us to mitigate these attacks by implementing proper recovery systems that can ensure that cyber criminals will never see a dime from your business.
Cyber extortion is a crime involving an attack or threat of attack against an enterprise, coupled with a demand for money to stop the attack.
Cyber extortions have taken on multiple forms - encrypting data and holding it hostage, stealing data and threatening exposure, and denying access to data.
Malware locks out the user’s system and demands ransom.
Creates “Zombie Computer” operated remotely.
Individuals and businesses targeted.
This form of extortion works on the assumption that the data is important enough to the user that they are willing to pay for recovery.
There is however no guarantee of actual recovery, even after payment is made.
The first known ransomware was the 1989 "AIDS" trojan (also known as "PC Cyborg") written by Joseph Popp.
Never before in the history of humankind have people across the world been subjected to extortion on a massive scale as they are today. In recent years, personal use of computers and the internet has exploded and, along with this massive growth, cybercriminals have emerged to feed off this burgeoning market, targeting innocent users with a wide range of malware. The vast majority of these threats are aimed at directly or indirectly making money from the victims. Today, ransomware has emerged as one of the most troublesome malware categories of our time.
There are two basic types of ransomware in circulation. The most common type today is crypto ransomware, which aims to encrypt personal data and files. The other, known as locker ransomware, is designed to lock the computer, preventing victims from using it. In this research, we will take a look at how the ransomware types work, not just from a technological point of view but also from a psychological viewpoint. We will also look at how these threats evolved, what factors are at play to make ransomware the major problem that it is today, and where ransomware is likely to surface next.
Ransomware is a PC or Mac-based malicious piece of software that encrypts a user or company’s files and forces them to pay a fee to the hacker in order to regain access to their own files.
Not only can ransomware encrypt the files on your computer; the software is smart enough to travel across your network and encrypt any files located on shared network drives. This can lead to a catastrophic situation whereby one infected user can bring an entire company to a halt.
Ransomware is a type of malicious software that blocks access to data or threatens to publish it until a ransom is paid. Simple ransomware may lock the system in a way that is not difficult for a knowledgeable person to reverse. More advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK (Symantec)
Experts from Symantec and MITRE explore the latest research and best practices for detecting targeted ransomware in your environment.
Watch on-demand webinar here: https://symc.ly/2L7ESFI.
Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted recently by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them. And, of course, home computers are just as susceptible to ransomware, and the loss of access to personal and often irreplaceable items—including family photos, videos, and other data—can be devastating for individuals as well.
5 Ways to Protect Your Healthcare Organization from a Ransomware Attack - HIM... (ClearDATACloud)
Sophisticated ransomware attacks on healthcare organizations by ruthless cybercriminals are on the rise. Savvy HIT leaders are taking immediate action to protect their IT systems and data. During this webinar you’ll gain insight into the 5 most important precautions that healthcare providers should take, and what steps should be followed in the event your system is compromised, to minimize the impact on patient care and restore your systems as quickly as possible.
In this presentation you’ll learn:
- 5 most important ways to protect your organization from a ransomware attack
- What steps to take in the event your system is compromised by a ransomware attack
Link to On-Demand Webinar: https://www.cleardata.com/knowledge-hub/5-ways-to-protect-your-healthcare-organization-from-a-ransomware-attack/
Secure your system from the ransomware virus by acquiring knowledge about it. Our experts at doiss aim to protect your system from this harmful virus.
Over the last few months, there has been tremendous growth in the number of ransomware attacks in the wild. What was once an attack technique aimed at susceptible individual users can now infiltrate advanced enterprise networks as well. In this presentation, you will learn how ransomware attacks propagate and what steps your organization can take to prevent them.
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ... (Andrew Morris)
It’s not just you. The frequency of severe vulnerabilities in internet-facing enterprise software being massively exploited at scale has increased drastically. The amount of time between disclosure and exploitation of these vulnerabilities has been reduced to near-zero, leaving defenders with less time to react and respond. While combating internet-wide opportunistic exploitation is a sprawling and complex problem, there is both an art and a science to staying ahead of large exploitation events such as Log4J.
In this talk we will share insights and challenges from operating a huge, shifting, adaptive, distributed sensor network listening to internet background noise and opportunistic exploitation traffic over the past four years. We will give a blunt state of the universe on mass exploitation. We will share patterns and unexplainable phenomena we’ve experienced across billions of internet scans. And we will make recommendations to defenders for preparing for the next time the cyber hits the fan.
Ransomware has become one of the most widespread and damaging threats that internet users face. Since the infamous CryptoLocker first appeared in 2013, we’ve seen a new era of file-encrypting ransomware variants delivered through spam messages and Exploit Kits, extorting money from home users and businesses alike.
The Certified Ethical Hacker (CEH) program is the core of the most desired information security training system any information security professional will ever want to be in.
Scot-Tech Engagement's Cyber Security Conference for Scottish Business, held 30th April 2015, Edinburgh. For more information contact ray@scot-tech.com.
Please note that further presentations will be added once speakers have approved them.
Our researcher Aryeh Goretsky took a look at some of the more interesting pieces of malware and threats that have occurred over the first six months of the year 2014. And what a year it has been, with some serious new developments as well as persistence of numerous older threats.
Future-proofing maritime ports against emerging cyber-physical threats (Steven SIM Kok Leong)
First presented at the Cybersecurity for Maritime Summit 2017 in Oct 2017. Subsequently presented at Temasek Polytechnic ISACA Day in Nov 2017. The audience comprises cybersecurity professionals in the maritime sector and also cybersecurity students who are keen to learn more about cybersecurity considerations in a shipping port environment.
Lessons learnt from the 2012 cyber security audit of Western Australian State... (Edith Cowan University)
Slides from the ECU Security Research Institute seminar Tuesday 16 October 2012, presented by Dr Andrew Woodward.
This year saw the Security Research Centre at ECU complete a second round of cyber security testing for the State Office of the Auditor General.
The previous audit highlighted numerous deficiencies and a lack of basic network defences across all agencies. Whilst the results this year revealed that the situation has improved somewhat, there are still issues.
This talk will discuss the methodology used by the team at Edith Cowan University, generic vulnerabilities and findings, and will speculate on the role of the Common Usage Agreement and Office of the Chief Information Officer.
Speaker Profile
Dr Andrew Woodward has over 15 years' experience in the IT industry and consults for industry and government on network security and digital forensics issues. His main consultancy focus is securing networks and critical infrastructure through vulnerability assessment and penetration testing. Andrew is also involved in research in network security and cyber forensics, with a focus on computer and network forensics and data recovery.
The ECU Security Research Institute (ECUSRI) is a research unit within Edith Cowan University.
NetWitness solutions capture all the data flowing across the network and put it in context, filtering what may or may not be critical. The user can see who is going where and viewing what.
Behind the Curtain: Exposing Advanced Threats (Cisco Canada)
Today's advanced threats hide in plain sight, patiently waiting to strike, challenging security teams to track their progress across their network and endpoints. Meanwhile, executive and board-level reporting requirements are increasing as leadership demands in-depth answers that are unavailable from today’s block/allow security tools. With 55% of organizations unable to identify the origin of their last security breach, it’s time to stop relying on tools that define security based on what they see ‘out there’ and instead hunt for threats by tracking files, file relationships, and both endpoint and network behavior ‘in here’—inside your environment. In the first part of this interactive session, learn how Cisco’s Advanced Malware Protection (AMP) solutions use big data analytics to compare a real-time, dynamic history of your environment to the global threat landscape, automatically uncovering and blocking advanced threats before they strike. Then watch workflow examples demonstrating how your security team can use this advanced visibility and control to dramatically improve their efficiency and finally deliver 100%-confidence answers to the business.
Title: Welcome to the world of Cyber Threat Intelligence!
Abstract: Welcome to the world of Cyber Threat Intelligence (CTI)! During this presentation, we will discuss some of the basic concepts within the CTI domain and we will have a look at the current threat landscape as observed from the trenches. The presentation is split into 3 parts: a) Intro to CTI, b) A view at the current threat landscape, and c) CTI analyst skillset.
Short Bio: Andreas Sfakianakis is a Cyber Threat Intelligence and Incident Response professional and works for Standard & Poor's CTI team. He is also a member of ENISA’s CTI Stakeholders’ Group and Incident Response Working Group. He is the author of a number of CTI reports and an instructor of CTI. In the past, Andreas has worked within the Financial and Oil & Gas sectors as well as an external reviewer for the European Commission. Andreas' Twitter handle is @asfakian and his website is www.threatintel.eu
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec... (APNIC)
APNIC Senior Security Specialist Adli Wahid provides some useful findings of lessons learned from security incidents at the UMS Cybersecurity Awareness Seminar, held online on 25 October 2021.
Developing a Protection Profile for Smart TV (Seungjoo Kim)
Developing a PP(Protection Profile) for Smart TV @ ICCC 2014 (International Common Criteria Conference), which is a major conference for the community of experts involved in security evaluation (September 9, 2014)
Ransomware: Emergence of the Cyber-Extortion Menace
1. Security Research Institute, Edith Cowan University
Ransomware: Emergence of the Cyber-Extortion Menace
Nikolai Hampton (1) and Zubair A. Baig (1,2)
(1) School of Computer and Security Science, (2) Security Research Institute, Edith Cowan University, Perth, Australia
nikolaih@our.ecu.edu.au, z.baig@ecu.edu.au
December, 2015
2. Ransomware – What is it?
Ransomware: (noun)…
“Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back.” (TrendMicro, n.d.)
4. Some history
• PC CYBORG (AIDS) ransomware emerged in 1989. Distributed on floppy disks…
Anyone remember these?
Source: https://commons.wikimedia.org/wiki/File:Floppy_disk_2009_G1.jpg
5. Some history
• PC CYBORG (AIDS Disk)
– Emerged in 1989. Distributed on floppy disks
– Installed from Trojan software
– Lay dormant to allow time for propagation
– Used basic encryption and operating system quirks to “scramble” and hide files
– Demanded a “License Payment” to be sent via cheque to a post office box in Panama
6. Some history
• PC CYBORG (AIDS) - 1989
– Not very successful
– Technology was lagging behind the idea
7. Some history
• Malware continued to develop, 1990s – 2000s
– Identity theft
– Phishing scams, stealing passwords
– Bot Nets – networks of compromised PCs
– Adware
…but where was ransomware?
8. Some history
Where’s ransomware, 1990s-2000s? A very small percentage of malware!
– Too complicated: how to get money?
– Too risky: how to stay hidden?
– Too weak: how to “Denial of Service” an uncontrolled PC?
– Occasional “fake” ransom or Anti-Virus, easily defeated / removed
– Occasional “locker” that affected the boot process, easily defeated / removed
Images: (CC) BitDefender España (2010), https://www.flickr.com/photos/bitdefenderes/4292753852; Australian Communications and Media Authority (2013), http://www.acma.gov.au/~/media/mediacomms/Social%20Media/Images/Ransomware%20Screenshot%20jpg.jpg
9. Why is it important now?
• In 2010, something changed…
[Chart: Google search trends, “ransomware” searches, 2008 to 2015]
• In 2012, something changed, a lot!
10. Reality Check - Perspective
[Chart: Google search trends, “ransomware” searches, 2008 to 2015]
[Chart: Google search trends, “ransomware” searches vs “malware” searches, 2008 to 2015]
12. Why is it important now?
• Technology has caught up to the idea!
Step 1: Idea! Ransom money from people!
Step 2: Use technology to enable the idea!
Step 3: Profit…
Image: Jodi Meadows (2011), Flickr, https://www.flickr.com/photos/69585952@N00/
13. The perfect storm
• Technology has caught up to the idea!
– CTB Locker: Curve (strong encryption), TOR (anonymity), Bitcoin (untraceable crypto-cash payments)
14. So, here we are – our research
Ransomware: Emergence of the Cyber-Extortion Menace
15. Aim
• Understand the ransomware threat…
• Lay the foundation for extrapolating future ransomware development
• Focus on the ransomware payload separately from the dropper
• Extend existing research and ideas: Young, A., & Yung, M. (1996). Cryptovirology: Extortion-Based Security Threats and Countermeasures.
16. What we did…
• Propose a nomenclature for ransomware “traits”
• Record the history and traits of ransomware strains over time
• Develop a ransomware traits database
• Chart the inclusion / exclusion of traits over time
• Examine which traits have conferred benefits
– Impact
– Longevity
– Profitability (for the attackers)
20. Results
• Increasing use of security technology over time…
[Chart: Ransomware strains surveyed and use of new technologies, per period (< 2004, 2004-2005, 2006-2007, 2008-2009, 2010-2011, 2012-2013, 2014+); series: # of strains surveyed, Bitcoin uptake, TOR uptake; y-axis 0 to 14]
21. Evolution of GPCode’s encryption
• GPCode (2004): used a one-byte encryption key, easily defeated; electronic payments
• GPCode.ac (June 2005): implemented RSA public key cryptography (PKI); very weak key (56-bit RSA modulus = 7-bit symmetric key)
• GPCode.ad (April 2006): longer RSA keys but still a poor PKI implementation
• GPCode.ag (June 2006): finally, a strong RSA key (660 bit = ~60-bit symmetric); cracked by Kaspersky, probably a coding error in .ag
• GPCode.ak (June 2008): properly implemented 1024-bit RSA key; failed due to implementation of the wrong “cipher”, RC4, vulnerable to cryptanalysis
• GPCode.ax (December 2010) – a copycat…: unbreakable encryption, but it can still be stopped (it has flaws)
22. Evolution of Command and Control
• GPCode (2004)
– No C&C (C2) server, just “did its thing”
– Contact the malware producer via email for the unlock code
• Reveton (2012)
– Doesn’t encrypt but uses a C2 server for ‘unlock’
• Cryptolocker (2013)
– Uses a C2 server to retrieve the RSA public key (much more secure)
– Pseudo-random “Domain Generation Algorithm” (DGA) to avoid easy takedowns (contacts garbage URLs: xxgrradvvzcfyx.biz)
• Cryptowall (2014)
– Uses a C2 server on TOR – hidden and anonymous network!
– Improved DGA to make takedown even harder
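The DGA point above cuts both ways for defenders: the algorithmically generated names that make takedown hard also look nothing like human-registered domains, so a DNS resolver log is a natural place to spot an infected host. The following is an added example, not code from the slides or the authors' traits database; it scores queried names with three lexical heuristics (character entropy, vowel scarcity, long consonant runs) and flags hosts that query several such names in a row. The log lines are constructed (the first flagged name is the domain quoted on the slide, the other two are made up), the thresholds, the public-suffix list and the function names are assumptions for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample resolver log (not from the slides): timestamp, client IP, queried name.
SAMPLE_DNS_LOG = """\
2015-12-01T09:14:02Z 10.0.0.21 www.ecu.edu.au
2015-12-01T09:14:05Z 10.0.0.21 commons.wikimedia.org
2015-12-01T09:14:09Z 10.0.0.42 xxgrradvvzcfyx.biz
2015-12-01T09:14:10Z 10.0.0.42 qpwmzkrtvbxnlsd.com
2015-12-01T09:14:11Z 10.0.0.42 hjrwpqzvtkmxcb.net
2015-12-01T09:14:20Z 10.0.0.21 update.trendmicro.com
2015-12-01T09:14:31Z 10.0.0.42 tor2web.org
"""

# Minimal stand-in for a real public-suffix list (assumption; extend for production use).
PUBLIC_SUFFIXES = {"com", "net", "org", "biz", "edu.au", "co.uk"}
VOWELS = set("aeiou")


def registrable_label(fqdn):
    """Return the label just left of the public suffix: the part a DGA actually generates."""
    parts = fqdn.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes (edu.au) before one-label ones (biz)
        if len(parts) > n and ".".join(parts[-n:]) in PUBLIC_SUFFIXES:
            return parts[-n - 1]
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than dictionary words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def longest_consonant_run(s):
    """Longest stretch without a vowel or digit; pronounceable names keep this short."""
    return max((len(r) for r in re.findall(r"[^aeiou0-9]+", s)), default=0)


def score_label(label):
    """Heuristic DGA score in [0, 3]; thresholds are assumptions tuned on the sample."""
    score = 0
    if shannon_entropy(label) > 3.0:
        score += 1
    if len(label) >= 10 and sum(ch in VOWELS for ch in label) / len(label) < 0.25:
        score += 1
    if longest_consonant_run(label) >= 5:
        score += 1
    return score


def flag_dga_queries(log_text, threshold=2):
    """Return (client, name, score) for every query whose label scores >= threshold."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, name = line.split()
        score = score_label(registrable_label(name))
        if score >= threshold:
            flagged.append((client, name, score))
    return flagged


def clients_with_burst(flagged, min_hits=2):
    """Hosts with repeated DGA-like lookups: a DGA walks many candidates, a typo does not."""
    by_client = Counter(client for client, _, _ in flagged)
    return sorted(client for client, hits in by_client.items() if hits >= min_hits)


if __name__ == "__main__":
    hits = flag_dga_queries(SAMPLE_DNS_LOG)
    for client, name, score in hits:
        print(f"{client} queried DGA-like name {name} (score {score})")
    print("hosts to investigate:", clients_with_burst(hits))
```

A single flagged lookup is weak evidence on its own (short brand names can score a point), which is why the host-level burst check matters more than any one domain.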
24. What does it mean?
• Ransomware is evolving
• Responding to new defences
• Profit
Virus image CC BY 2.0, Flickr: NIAID, https://www.flickr.com/photos/niaid/
25. Breaking broken news
• CryptoWall 4.0
– New traits (filename scrambling)
– Obliterates restore points
– Improved network security evasion
26. What can users do?
• Classic Defense-In-Depth approach
– Multi-layer
– Device protection
– Network protection
• Backups
– Still good, but…
27. Future work and questions?
• Opportunity to apply some funky statistics
– Through trait impact analysis
– BIA/Longevity/Destructiveness Index
• Machine learning (pattern recognition)
• Improve the naming and reporting of ransomware
• Collective collaboration
28. Conclusion
• We examined the ransomware threat and the emergence of traits over the last 26 years
• We were able to identify evolutionary patterns in most strains
• Given the changing risk/reward structure, it’s hard to believe this isn’t going to get much bigger
• This shows it is a threat we cannot dismiss