Col Inderjit Singh
Chief Information Officer
Khemist.in
@inderbarara
Ransomware
Emergence of the Cyber-Extortion Menace
A little bit of History
1989 – AIDS Trojan (symmetric)
2006 – Cryzip, Gpcode (660 bit), others
2008 – Gpcode (1024 bit)
09-2012 – Reveton (lock only)
12-2012 – Something (targeted)
09-2013 – CryptoLocker
02-2014 – CryptoDefense
04-2014 – CryptoDefense variant
05-2014 – CryptoWall
06-2014 – CTB-Locker
10-2014 – Oz Post
01-2015 – CryptoWall V3
05-2015 – Included in kits
Ransomware: Escalating Extortion
Insight Into Ransomware Campaign
Ransomware
• A type of malware that restricts access to the infected computer system in some way and
demands that the user pay a ransom to the malware operators to remove the restriction.
• Some of the malicious actions taken by the malware:
  – Encrypt personal files (images, movie files, documents, text files)
  – Encrypt files on shared network drives/resources
  – Lock system access at login
  – Crash the system through resource exhaustion, e.g. by spawning processes
  – Disrupt and annoy: open browser windows, display pornographic images
Stages of Ransomware
• Step 1: Targeting – OS, geography, banking/e-commerce, consumer
• Step 2: Propagation – phishing, drive-by download, attachments
• Step 3: Exploit – exploit kits, vulnerability-based, unpatched systems
• Step 4: Infection – payload delivery, backdoor access
• Step 5: Execution – encryption, disruption, blocked access, ransom
Targeted Files
• Office files
• PDF files
• Database files
• Images & drawings
• Game files
How Ransomware Works?
Ransom Evolves: Learning New Tricks
• Using the TOR network to hide C&C
• Bitcoin is the default payment method
• Mobile and cloud-based ransomware
• Increasingly difficult to detect and shut down ransomware
• Harder for law enforcement to trace
• Near impossible to decrypt without paying
Onion Routing (ToR)
• By Paul Syverson, Nick Mathewson, Roger Dingledine in 2004
• Low-latency anonymous network
• Maintained by the Free Haven Project
• Hundreds of nodes on all continents
• Supports only TCP
• Uses a SOCKS interface
• Continuously encrypts data across the network
• Data begins in the outermost layer of encryption and is modified at each individual stop
How Tor Works? - Onion Routing
• A circuit is built incrementally, one hop at a time
• Onion-like encryption
• ‘Alice’ negotiates an AES key with each router
• Messages are divided into equal-sized cells
• Each router knows only its predecessor and successor
• Only the exit router (OR3) can see the message; however, it does not know where the message is from
[Diagram: Alice → OR1 → OR2 → OR3 → Bob; message M relayed over circuit segments C1, C2, C3 to the destination port]
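The layered-encryption path the slide describes (Alice, OR1, OR2, OR3, Bob), as an added example that is not part of the original deck: Alice holds one symmetric key per router, wraps each fixed-size cell three times, and every hop strips one layer and learns only its neighbours. Router names and keys are constructed, and a keyed HMAC-SHA256 counter keystream stands in for the AES the slide refers to so that the script needs only the Python standard library.

```python
"""Onion routing walk-through: Alice -> OR1 -> OR2 -> OR3 (exit) -> Bob.

Added example, not from the slides. Alice shares one symmetric key with
each router (the slide says an AES key negotiated per hop). A cell is
wrapped with K3, then K2, then K1, and each router strips exactly one
layer, so only the exit router ever holds the cleartext and no router
sees more than its predecessor and successor.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

CELL_SIZE = 64  # every cell on the wire has the same length; padding hides the real size


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream. Assumption: HMAC-SHA256 stands in for AES-CTR
    so the script runs on the standard library; the layering logic is unchanged."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def layer(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream: the same operation adds a layer (Alice) or removes it (a router)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


@dataclass
class OnionRouter:
    name: str
    key: bytes                                   # circuit key shared only with Alice
    seen: list = field(default_factory=list)     # (previous hop, next hop, cell in, cell out)

    def relay(self, nonce: bytes, cell: bytes, prev_hop: str, next_hop: str) -> bytes:
        """Record what this hop can observe, peel one layer, hand the rest onward."""
        peeled = layer(self.key, nonce, cell)
        self.seen.append((prev_hop, next_hop, cell, peeled))
        return peeled


def build_cell(message: bytes) -> bytes:
    """Fixed-size cell: 2-byte length prefix + payload + random padding."""
    if len(message) > CELL_SIZE - 2:
        raise ValueError("message does not fit in one cell")
    body = len(message).to_bytes(2, "big") + message
    return body + os.urandom(CELL_SIZE - len(body))


def open_cell(cell: bytes) -> bytes:
    """Strip the length prefix and padding of a fully peeled cell."""
    length = int.from_bytes(cell[:2], "big")
    return cell[2:2 + length]


def send_through_circuit(message: bytes, routers: list) -> bytes:
    """Alice wraps innermost-first (the exit router's key goes on first and
    comes off last); each router then peels its own layer in turn."""
    nonce = os.urandom(16)                       # per-cell nonce, travels in clear with the cell
    onion = build_cell(message)
    for router in reversed(routers):             # K3 applied first, K1 last (outermost)
        onion = layer(router.key, nonce, onion)
    hops = ["Alice"] + [r.name for r in routers] + ["Bob"]
    cell = onion
    for i, router in enumerate(routers):
        cell = router.relay(nonce, cell, prev_hop=hops[i], next_hop=hops[i + 2])
    return open_cell(cell)                       # what the exit router delivers to Bob


def run_demo(message: bytes = b"GET /index.html HTTP/1.1") -> dict:
    """Build a three-hop circuit with constructed keys and report each hop's view."""
    routers = [OnionRouter(name, os.urandom(32)) for name in ("OR1", "OR2", "OR3")]
    delivered = send_through_circuit(message, routers)
    return {
        "delivered": delivered,
        "neighbours": {r.name: r.seen[0][:2] for r in routers},
        # which hops hold the cleartext after peeling their own layer (only the exit)
        "cleartext_visible_at": [r.name for r in routers if message in r.seen[0][3]],
    }


if __name__ == "__main__":
    result = run_demo()
    print("Bob received:", result["delivered"])
    for name, (prev_hop, next_hop) in result["neighbours"].items():
        print(f"{name} saw only {prev_hop} -> {next_hop}")
    print("cleartext held by:", result["cleartext_visible_at"])
```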
Ransomware: Operation with ToR
[Diagram: step-by-step operation of ransomware over Tor]
• Uses Diffie-Hellman key exchange
• Distributes data over several places
• Takes a random pathway
• Used with Privoxy
What is Bitcoin
Bitcoin is a digital currency introduced in 2008 by the pseudonymous developer
"Satoshi Nakamoto" that can be exchanged for goods and services.
Digital: Bitcoins cannot be printed or physically made; they must be generated through computerized methods.
Decentralized: Bitcoins are not regulated by any government or banking institution.
Revolutionary: Transactions allow for anonymity and are almost instantaneous.
Global: Bitcoin is a borderless currency and can be used anywhere.
Bitcoin Wallet
• Bitcoins are stored in your digital wallet.
• When you transfer Bitcoins, an electronic signature is added. After a few minutes the
transaction is verified and stored in the network.
CryptoLocker and CryptoWall
CryptoLocker
▪ Email attachment is the main method of infection
▪ Targets all versions of Windows
▪ Searches for files with certain extensions: doc, docx, wps, xls, xlsx, ppt,
pptx, mdb, pst, rtf, pdf, eps, jpg, dng, psd, raw, cer, crt, pfx, …
▪ Encrypts files with a 2048-bit RSA key pair
▪ Paying the ransom results in decryption of the files
▪ No way to decrypt the files without the private key
▪ Ransomware done right!
CryptoLocker Details
Some email subject lines related to CryptoLocker:
▪ USPS - Missed package delivery
▪ FW: Invoice <random numbers>
▪ ADP Reference #<random numbers>
▪ Payroll Received by Intuit
▪ Important - attachedform
▪ FW: Last Month Remit
▪ Scanned Image from a Xerox WorkCentre
▪ Fwd: IMG01041_6706015_m.zip
▪ My resume
▪ Voice Message from Unknown Caller (<phone number>)
▪ Important - New Outlook Settings
▪ FW: Payment Advice - Advice Ref:[GB<randomnumbers>]
▪ New contract agreement
▪ Important Notice - Incoming Money Transfer
▪ Payment Overdue - Please respond
▪ FW: Check copy
▪ Corporate eFax message from <phone number>
▪ FW: Case FH74D23GST58NQS
Most of the subject lines target SMBs who might not have recent backups and who might need their files badly enough to pay.
Method of Execution
• Drops an executable in the user's %AppData% and %LocalAppData% folders
• Creates registry keys to maintain persistence
• Searches for specific file types
• Performs encryption
• Deletes Volume Shadow Copies
• Displays the ransom note
CryptoLocker Analysis
- Drops a copy of itself as %APPDATA%\{random}.exe
- It creates the following autorun key:
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "CryptoLocker":<random>.exe
- It creates two processes of itself; the second acts as a watchdog.
Later versions of CryptoLocker create an additional registry entry:
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker":<random>.exe
Cryptolocker Analysis
• It searches all local and remote drives for files to encrypt.
• Every file that is encrypted is also recorded in the following registry key:
  HKEY_CURRENT_USER\Software\CryptoLocker\Files
The only way to decrypt is to buy the private key from the attackers.
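A defender-side check for the persistence and record-keeping artefacts listed above, added here as an example and not taken from the deck: it parses a registry export and flags Run/RunOnce values that match the CryptoLocker entries, then lists what the Software\CryptoLocker\Files key recorded. The .reg text is constructed; the user name `alice` and the file name `{random}.exe` are placeholders.

```python
"""Scan a Windows registry export for the CryptoLocker persistence and
bookkeeping artefacts the slides list. Added example, not from the deck.
The .reg text below is constructed; the value names and key paths are the
ones given on the slides, `alice` and `{random}.exe` are placeholders."""
import re

RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": "Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce": "RunOnce",
}
RECORD_KEY = r"HKEY_CURRENT_USER\Software\CryptoLocker\Files"  # per-file record kept by the malware

NAME_RE = re.compile(r"^\*?CryptoLocker$", re.IGNORECASE)       # "CryptoLocker" / "*CryptoLocker"
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)            # executable part of a command line
# An .exe sitting directly in %AppData% / %LocalAppData% rather than in a vendor subfolder
DROP_DIR_RE = re.compile(
    r"^(?:%APPDATA%|%LOCALAPPDATA%|[A-Z]:\\Users\\[^\\]+\\AppData\\(?:Roaming|Local))\\[^\\]+\.exe$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')           # "name"=data


def _unescape(text: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg(text: str) -> dict:
    """Minimal .reg parser: {key path: {value name: data}}. String data is
    unescaped; dword/hex data is kept as written."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        match = VALUE_RE.match(line)
        if current is not None and match:
            name, data = _unescape(match.group(1)), match.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def scan_registry_export(text: str) -> dict:
    """Flag autorun values that look like the CryptoLocker entries and list
    the files the malware recorded as encrypted. Key paths compare case-insensitively."""
    keys = {k.casefold(): v for k, v in parse_reg(text).items()}
    autorun = []
    for key, label in RUN_KEYS.items():
        for name, data in keys.get(key.casefold(), {}).items():
            reasons = []
            if NAME_RE.match(name):
                reasons.append("autorun value named after CryptoLocker")
            if label == "RunOnce" and name.startswith("*"):
                reasons.append("RunOnce name prefixed with '*': runs even in Safe Mode")
            exe = EXE_RE.match(data)
            if exe and DROP_DIR_RE.match(exe.group(1)):
                reasons.append("executable dropped directly under %AppData%/%LocalAppData%")
            if reasons:
                autorun.append({"key": label, "name": name,
                                "path": exe.group(1) if exe else data, "reasons": reasons})
    return {"autorun": autorun, "recorded_files": list(keys.get(RECORD_KEY.casefold(), {}))}


# Constructed sample export: one benign autorun entry beside the two CryptoLocker ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"CryptoLocker"="C:\\Users\\alice\\AppData\\Roaming\\{random}.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*CryptoLocker"="C:\\Users\\alice\\AppData\\Roaming\\{random}.exe"

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:\\Users\\alice\\Documents\\budget.xlsx"=dword:00000000
"C:\\Users\\alice\\Pictures\\holiday.jpg"=dword:00000000
'''


if __name__ == "__main__":
    report = scan_registry_export(SAMPLE_REG)
    for hit in report["autorun"]:
        print(f"{hit['key']}\\{hit['name']} -> {hit['path']}: {'; '.join(hit['reasons'])}")
    print(f"{len(report['recorded_files'])} files recorded under {RECORD_KEY}")
```

The benign OneDrive entry is not flagged because its executable lives in a vendor subfolder, which is the distinction the %AppData% check relies on.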
CryptoLocker C&C
• Domain Generation Algorithm
It uses any of the following TLDs for every generated domain:
.com, .net, .biz, .ru, .org, .co.uk, .info
• Encrypt files with the public key flow
[Diagram: steps 1–6 of the C&C and public-key encryption flow]
CryptoLocker Victims
Filename and Extensions Encrypted by CryptoLocker
CryptoLocker Details
Paying ~$300 will get you the private key
Payment Screen
Payment Methods
Validating Payment Method
CryptoLocker Ransom
Payment options: MoneyPak, Ukash, CashU, Bitcoin
Price: $300 USD or 2 BTC
Cryptolocker 2.0
                  Original Cryptolocker              Cryptolocker 2.0
Compiler          C++                                .NET
Encryption        RSA-2048                           RSA-4096
C&C servers       Employs DGA                        No DGA
Payment scheme    MoneyPak, Ukash, CashU, Bitcoin    Bitcoin only
Around December 2013, a new ransomware emerged claiming to be Cryptolocker 2.0.
It drops a copy of itself in %system% as msunet.exe.
Preventive Tips?
“Strong collaboration between private industries
first and with Global Law Enforcement”
Predictions for 2016
• Ransomware will continue to be a challenge in 2016
• Encrypting ransomware samples will also have data theft capability
• Targeting Android and iOS platforms
• They are expected to become highly targeted in nature
• They will use extortion tactics with threats to make stolen data public
• It is highly advised to implement backup policies and processes with high-end encryption
Security Software – Ensure the personal firewall and anti-malware software are working properly and up to date
Patch Management – Update all applications with the latest security patches
Least Privilege Access – Do not use the administrator account for everyday use or while surfing the Internet
Computer Hardening – Configure the operating system, browser, wireless AP, and router to make them more secure
Online Security – Choose strong, unique passphrases for online accounts and enter them securely
Content Filtering – Use web, email, and IM filtering as well as a link checker to block unwanted and malicious content
Asset Protection – Encrypt and regularly back up your important documents and files
How to Protect Your Computer
Follow Best Security Practices
• Do not open or execute attachments received from unknown senders. Cybercriminals use ‘social engineering’ techniques to lure users into opening attachments or clicking on links that lead to malware.
• Keep strong passwords for login accounts and network shares.
• Avoid downloading software from untrusted P2P or torrent sites. At times, it is Trojanized with malicious software.
• Do not download cracked software, as it carries the added risk of opening a backdoor for malware into your system.
• Ensure staff are educated in good computing practices.
Thanx

Ransomware- What you need to know to Safeguard your Data

  • 10. Onion Routing (Tor)
    • Described by Roger Dingledine, Nick Mathewson and Paul Syverson in 2004 (the second-generation onion router design)
    • Low-latency anonymity network
    • Originally maintained by the Free Haven Project; today by The Tor Project
    • Thousands of volunteer-run relays worldwide
    • Carries TCP streams only (no UDP)
    • Applications reach it through a SOCKS proxy interface
    • Traffic is wrapped in several layers of encryption (the "onion"); each relay on the path removes exactly one layer before forwarding, so no single relay sees both the sender and the plaintext
  • 11. How Tor Works: Onion Routing
    • A circuit is built incrementally, one hop at a time
    • Onion-like (layered) encryption
    • 'Alice' negotiates a separate AES key with each router on the circuit
    • Messages are split into fixed-size cells
    • Each router knows only its predecessor and its successor
    • Only the exit router (OR3) sees the message in clear (unless the application layer is itself encrypted), and it does not know who sent it
    [Diagram: Alice builds a circuit OR1 -> OR2 -> OR3 to Bob; cells C1, C2, C3 carry the message M, one layer removed per hop]
  • 12. Ransomware: Operation with Tor
    • Circuit keys are negotiated with Diffie-Hellman key exchange
    • Traffic is spread across several relays rather than one server
    • Each circuit takes a random path through the network
    • Often paired with Privoxy as a filtering HTTP proxy in front of Tor's SOCKS port
    [Diagram: ransomware C&C traffic routed over Tor; only the step labels survive from the figure]
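Slides 10 to 12 describe circuit building, per-hop keys, fixed-size cells and the "each relay knows only its neighbours" property. The following Python simulation is an added example, not code from this deck and not the Tor implementation: it wraps one 512-byte cell in one layer per hop and lets each of three relays OR1, OR2, OR3 strip its own layer. An HMAC-SHA256 counter-mode keystream stands in for Tor's AES-CTR, the per-hop keys are generated locally instead of being negotiated with Diffie-Hellman, and the relay names and message are made up.

```python
"""Layered (onion) encryption over a three-hop circuit.

Added example to illustrate the slides above; it is not Tor's code and not
the Tor protocol. Simplifications (all assumptions of this demo):
  * an HMAC-SHA256 keystream stands in for Tor's AES-128-CTR,
  * per-hop keys are handed out locally instead of being negotiated with a
    Diffie-Hellman handshake during circuit construction,
  * one cell is sent, so a keystream is never reused.
"""
import hashlib
import hmac
import os

CELL_SIZE = 512   # Tor forwards fixed-size cells; every relay here does the same
HOP_FIELD = 16    # fixed-width "next hop" header inside each layer
EXIT = b"EXIT"    # header value telling the last relay to deliver the payload


def keystream(key, length):
    """PRF counter-mode keystream (stand-in for AES-CTR)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def crypt(key, data):
    """XOR with the keystream; one call adds a layer, the same call removes it."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(route, keys, message):
    """Client ('Alice'): wrap the payload once per hop, exit layer innermost."""
    body = len(message).to_bytes(2, "big") + message
    room = CELL_SIZE - HOP_FIELD * len(route)
    if len(body) > room:
        raise ValueError("message does not fit in one cell")
    cell = body.ljust(room, b"\x00")
    for hop in reversed(range(len(route))):
        next_hop = route[hop + 1] if hop + 1 < len(route) else EXIT
        cell = crypt(keys[hop], next_hop.ljust(HOP_FIELD, b"\x00") + cell)
    return cell                       # len(cell) == CELL_SIZE


def relay(key, cell):
    """One onion router: strip its layer, learn only the next hop, forward."""
    plain = crypt(key, cell)
    next_hop = plain[:HOP_FIELD].rstrip(b"\x00")
    inner = plain[HOP_FIELD:]
    # Re-pad so the outgoing cell has the same size as the incoming one; the
    # random tail lands past the data the next hop parses, so it is harmless.
    return next_hop, inner + os.urandom(CELL_SIZE - len(inner))


def deliver(payload):
    """Exit side: recover the message from the length-prefixed payload."""
    n = int.from_bytes(payload[:2], "big")
    return payload[2:2 + n]


def run_circuit(route, keys, message):
    """Push one cell through every hop; return what each hop learned + message."""
    cell = build_onion(route, keys, message)
    learned = {}
    for name, key in zip(route, keys):
        next_hop, cell = relay(key, cell)
        learned[name] = next_hop
    return learned, deliver(cell)


if __name__ == "__main__":
    route = [b"OR1", b"OR2", b"OR3"]
    keys = [os.urandom(32) for _ in route]          # stands in for negotiated keys
    learned, msg = run_circuit(route, keys, b"GET / HTTP/1.1\r\nHost: bob\r\n")
    for name in route:
        print(name.decode(), "learned next hop:", learned[name].decode())
    print("exit delivered:", msg)
```

Run it directly to see what each hop learns: OR1 only that the next hop is OR2, OR2 only OR3, and OR3 the payload but never Alice's address. That asymmetry is also why ransomware C&C behind Tor is hard to trace: the relay an investigator can observe does not hold the information needed to follow the path further.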
  • 14. What is Bitcoin
    Bitcoin is a digital currency described in 2008 by the pseudonymous developer "Satoshi Nakamoto" (the network went live in 2009) that can be exchanged for goods and services.
    Digital: bitcoins are not printed or minted; they are created through computation (mining).
    Decentralized: bitcoins are not issued or regulated by any government or banking institution.
    Revolutionary: transactions need no intermediary; they are pseudonymous (addresses rather than names, recorded on a public ledger) and confirm within minutes.
    Global: bitcoin is a borderless currency and can be used anywhere.
  • 15. Bitcoin Wallet
    • Bitcoins are held in a digital wallet, which stores the private keys for your addresses.
    • When you transfer bitcoins, the wallet signs the transaction with the private key; after a few minutes the transaction is verified and stored in the network's public ledger.
  • 17. CryptoLocker
    ▪ Email attachment is the main infection vector
    ▪ Targets all versions of Windows
    ▪ Searches for files with certain extensions: doc, docx, wps, xls, xlsx, ppt, pptx, mdb, pst, rtf, pdf, eps, jpg, dng, psd, raw, cer, crt, pfx, …
    ▪ Encrypts each file with a fresh AES key and wraps that key with a 2048-bit RSA public key fetched from the C&C server; the private half never leaves the attackers
    ▪ Paying the ransom results in decryption of the files
    ▪ No way to decrypt the files without the private key
    ▪ Ransomware done right!
  • 18. CryptoLocker Details
    Some email subject lines related to CryptoLocker:
    ▪ USPS - Missed package delivery
    ▪ FW: Invoice <random numbers>
    ▪ ADP Reference #<random numbers>
    ▪ Payroll Received by Intuit
    ▪ Important - attachedform
    ▪ FW: Last Month Remit
    ▪ Scanned Image from a Xerox WorkCentre
    ▪ Fwd: IMG01041_6706015_m.zip
    ▪ My resume
    ▪ Voice Message from Unknown Caller (<phone number>)
    ▪ Important - New Outlook Settings
    ▪ FW: Payment Advice - Advice Ref:[GB<random numbers>]
    ▪ New contract agreement
    ▪ Important Notice - Incoming Money Transfer
    ▪ Payment Overdue - Please respond
    ▪ FW: Check copy
    ▪ Corporate eFax message from <phone number>
    ▪ FW: Case FH74D23GST58NQS
    Most of the subject lines target SMBs who might not have recent backups and who might need their files badly enough to pay.
  • 19. Method of Execution
    • Drops an executable in the user's %AppData% and %LocalAppData% folders
    • Creates registry keys to maintain persistence
    • Searches for specific file types
    • Performs encryption
    • Deletes Volume Shadow Copies (so the built-in "Previous Versions" restore path is gone)
    • Displays the ransom note
  • 20. CryptoLocker Analysis
    - Drops a copy of itself as %APPDATA%\{random}.exe
    - Creates the following autorun key:
      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  "CryptoLocker" = <random>.exe
    - Runs two copies of itself; the second acts as a watchdog for the first.
    Later versions of CryptoLocker create an additional registry entry:
      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce  "*CryptoLocker" = <random>.exe
    (the leading asterisk makes Windows run a RunOnce entry even in Safe Mode)
  • 21. CryptoLocker Analysis
    • It searches all local and remote (mapped) drives for files to encrypt.
    • Every file it encrypts is also recorded in the registry under:
      HKEY_CURRENT_USER\Software\CryptoLocker\Files
      (during incident response this list is the quickest inventory of what was hit)
    The only way to decrypt is to buy the private key from the attackers.
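The behaviours on slides 19 to 21 (an executable dropped under %AppData%, Run/RunOnce persistence pointing at it, shadow-copy deletion, a burst of file writes across local and mapped drives) are the indicators a SOC would key on. The following Python triage is an added example rather than anything from the deck: it walks a list of Sysmon-style event records, scores each host on those indicators and calls out the chain. The event records, hostnames, paths, SID and the random-looking executable name are constructed for the demo; the field names follow Sysmon's (Image, CommandLine, TargetObject, Details, TargetFilename) so the same logic can be pointed at real exports.

```python
"""Triage of host telemetry for the CryptoLocker execution chain (slides 19-21).

Added example, not from the deck. Records mimic Sysmon event shapes (event 1
process create, 11 file create, 13 registry value set) with Sysmon field
names, but every record is constructed for this demo: the SID, hostnames,
paths and the random-looking executable name are made up.
"""
import re
from collections import defaultdict

APPDATA_EXE = re.compile(r"\\AppData\\(Roaming|Local)\\[^\\]+\.exe$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)
BURST_COUNT = 50        # file creates by one process inside BURST_WINDOW seconds
BURST_WINDOW = 120
RANSOMWARE_SCORE = 5    # any two of the weighted indicators below reach this

SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"          # constructed
DROPPER = r"C:\Users\alice\AppData\Roaming\hzqwbnvt.exe"               # constructed
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"


def constructed_events():
    """Two hosts: ws01 runs the full chain, ws02 is a clean office workstation."""
    ev = [
        {"host": "ws01", "ts": 0, "id": 1, "ProcessId": 4120, "Image": DROPPER, "CommandLine": DROPPER},
        {"host": "ws01", "ts": 1, "id": 13,
         "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker",
         "Details": DROPPER},
        {"host": "ws01", "ts": 95, "id": 1, "ProcessId": 4188,
         "Image": r"C:\Windows\System32\vssadmin.exe",
         "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
        {"host": "ws02", "ts": 5, "id": 1, "ProcessId": 2210, "Image": WINWORD, "CommandLine": "WINWORD.EXE"},
        {"host": "ws02", "ts": 6, "id": 13,
         "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
         "Details": r"C:\Program Files\Vendor\agent.exe"},
    ]
    for i in range(60):    # the encryptor walking a mapped share: 60 files in 60 s
        ev.append({"host": "ws01", "ts": 10 + i, "id": 11, "ProcessId": 4120, "Image": DROPPER,
                   "TargetFilename": r"\\fileserver\finance\report%03d.docx" % i})
    for i in range(5):     # normal document saves on the clean host
        ev.append({"host": "ws02", "ts": 10 + 30 * i, "id": 11, "ProcessId": 2210, "Image": WINWORD,
                   "TargetFilename": r"C:\Users\bob\Documents\draft%d.docx" % i})
    return ev


def triage(events, burst_count=BURST_COUNT, burst_window=BURST_WINDOW):
    """Score every host on the four indicators; return findings per host."""
    score = defaultdict(int)
    findings = defaultdict(list)
    creates = defaultdict(list)          # (host, pid) -> file-create timestamps
    hosts = set()

    def hit(host, weight, text):
        score[host] += weight
        findings[host].append(text)

    for e in events:
        host = e["host"]
        hosts.add(host)
        if e["id"] == 1:                  # process create
            if APPDATA_EXE.search(e.get("Image", "")):
                hit(host, 2, "executable launched from a user AppData folder: " + e["Image"])
            if SHADOW_DELETE.search(e.get("CommandLine", "")):
                hit(host, 4, "volume shadow copies deleted: " + e["CommandLine"])
        elif e["id"] == 13:               # registry value set
            if RUN_KEY.search(e["TargetObject"]) and APPDATA_EXE.search(e["Details"]):
                hit(host, 3, "Run/RunOnce persistence pointing into AppData: " + e["TargetObject"])
        elif e["id"] == 11:               # file create
            creates[(host, e["ProcessId"])].append(e["ts"])

    for (host, pid), stamps in creates.items():   # sliding window per process
        stamps.sort()
        j = 0
        for i, t in enumerate(stamps):
            while t - stamps[j] > burst_window:
                j += 1
            if i - j + 1 >= burst_count:
                hit(host, 3, "pid %d created %d files in %ds (encryption burst)"
                    % (pid, i - j + 1, t - stamps[j]))
                break

    return {h: {"score": score[h], "findings": findings[h],
                "verdict": "likely ransomware" if score[h] >= RANSOMWARE_SCORE else "clean"}
            for h in sorted(hosts)}


if __name__ == "__main__":
    for host, result in triage(constructed_events()).items():
        print(host, result["verdict"], result["score"])
        for f in result["findings"]:
            print("   -", f)
```

The burst rule is what still catches a variant that changes its drop path or value name; the shadow-copy rule fires on `vssadmin delete shadows` whichever process ran it and is worth alerting on by itself in most environments.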
  • 22. CryptoLocker C&C
    • Domain Generation Algorithm: every generated domain uses one of the following TLDs: .com, .net, .biz, .ru, .org, .co.uk, .info
    • Files are encrypted with the public key obtained from the C&C
    [Diagram: numbered C&C flow, steps 1 to 6; only the step numbers survive from the figure]
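The DGA bullet above is the part of the C&C design a defender can turn around. The Python below is an added example and not CryptoLocker's algorithm: a generic date-seeded generator (made-up seed and sizes, the slide's TLD list) produces a day's candidate domains, and a detector then reads constructed DNS log lines, flags the client that produces a burst of NXDOMAIN answers while walking that list, and returns the few names in the same window that did resolve as candidate C&C domains.

```python
"""Date-seeded DGA and a DNS-log detector for the lookups it causes.

Added example, not from the deck. The generator is a generic model of the
pattern the slide describes (seed from the date, many candidates per day,
rotate across the listed TLDs); it is NOT CryptoLocker's algorithm and its
seed and sizes are made up. The DNS log lines are constructed for the demo.
"""
import datetime
import hashlib
from collections import defaultdict, namedtuple

TLDS = [".com", ".net", ".biz", ".ru", ".org", ".co.uk", ".info"]   # TLD list from the slide


def dga(day, count, seed=b"demo-seed"):
    """Return `count` candidate domains for `day`; deterministic per day."""
    out = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:12 + h[12] % 5])   # 12-16 letters
        out.append(label + TLDS[h[31] % len(TLDS)])
    return out


Record = namedtuple("Record", "ts client name rcode")


def parse(line):
    """Log line format (constructed): <ISO timestamp> <client ip> <qname> <rcode>."""
    ts, client, name, rcode = line.split()
    return Record(datetime.datetime.fromisoformat(ts), client, name.lower(), rcode)


def analyse(log_lines, window=300, threshold=10):
    """Flag clients with >= threshold NXDOMAIN answers inside `window` seconds and
    list the names that DID resolve in that window (candidate C&C domains)."""
    by_client = defaultdict(list)
    for line in log_lines:
        rec = parse(line)
        by_client[rec.client].append(rec)
    alerts = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r.ts)
        nx = [r for r in recs if r.rcode == "NXDOMAIN"]
        j = 0
        for i in range(len(nx)):                       # sliding window over NXDOMAINs
            while (nx[i].ts - nx[j].ts).total_seconds() > window:
                j += 1
            if i - j + 1 >= threshold:
                t0, t1 = nx[j].ts, nx[i].ts
                resolved = sorted({r.name for r in recs
                                   if r.rcode == "NOERROR" and t0 <= r.ts <= t1})
                alerts[client] = {"nxdomain": i - j + 1, "candidates": resolved}
                break
    return alerts


DAY = datetime.date(2015, 10, 14)
CANDIDATES = dga(DAY, 20)
C2_INDEX = 7            # pretend the operator registered this one for the day


def constructed_log():
    """Infected client 10.0.0.5 walks the day's list; 10.0.0.9 browses normally."""
    base = datetime.datetime(2015, 10, 14, 9, 0, 0)
    lines = []
    for i, name in enumerate(CANDIDATES):
        rcode = "NOERROR" if i == C2_INDEX else "NXDOMAIN"
        lines.append("%s 10.0.0.5 %s %s" % ((base + datetime.timedelta(seconds=3 * i)).isoformat(), name, rcode))
    lines.append("%s 10.0.0.5 ctldl.windowsupdate.com NOERROR" % (base + datetime.timedelta(seconds=20)).isoformat())
    normal = [("www.google.com", "NOERROR"), ("mail.example.org", "NOERROR"),
              ("wwww.example.org", "NXDOMAIN"), ("cdn.example.net", "NOERROR"),
              ("exmaple.com", "NXDOMAIN")]
    for i, (name, rcode) in enumerate(normal):
        lines.append("%s 10.0.0.9 %s %s" % ((base + datetime.timedelta(seconds=7 * i)).isoformat(), name, rcode))
    return lines


if __name__ == "__main__":
    for client, alert in analyse(constructed_log()).items():
        print(client, "NXDOMAIN burst of", alert["nxdomain"], "; resolved in window:", alert["candidates"])
```

Sinkholing needs the real algorithm and seed, which only reverse engineering yields; the NXDOMAIN-burst rule needs neither and is the quickest way to find an infected host in resolver logs, with the handful of names that resolved inside the burst as the short list to block and to pivot on.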
  • 23. CryptoLocker Victims
    [Screenshot: filenames and extensions encrypted by CryptoLocker]
  • 24. CryptoLocker Details
    Paying about $300 gets you the private key.
    [Screenshots: payment screen, payment methods, validating payment method]
  • 25. CryptoLocker Ransom
    Payment options: MoneyPak, Ukash, cashU, Bitcoin
    Price: $300 USD or 2 BTC
  • 26. CryptoLocker 2.0
    Around December 2013 a new ransomware emerged claiming to be CryptoLocker 2.0. It drops a copy of itself in %SYSTEM% as msunet.exe.

                      Original CryptoLocker               CryptoLocker 2.0
    Compiler          C++                                 .NET
    Encryption        RSA-2048                            RSA-4096 (as claimed by the malware)
    C&C servers       employs a DGA                       no DGA
    Payment scheme    MoneyPak, Ukash, cashU, Bitcoin     Bitcoin only
  • 27. Preventive Tips? "Strong collaboration, first among private industries and then with global law enforcement."
  • 28. Predictions for 2016
    • Ransomware will continue to be a challenge in 2016
    • Encrypting ransomware samples will also gain data-theft capability
    • Android and iOS platforms will be targeted
    • Attacks are expected to become highly targeted in nature
    • Extortion tactics will include threats to make stolen data public
    • It is highly advised to implement backup policies and processes, with backups strongly encrypted and kept where a compromised host cannot reach them
  • 29. How to Protect Your Computer
    Security Software – Ensure the personal firewall and anti-malware software are working and up to date
    Patch Management – Update all applications with the latest security patches
    Least Privilege Access – Do not use an administrator account for everyday use or while browsing the Internet
    Computer Hardening – Configure the operating system, browser, wireless AP and router to make them more secure
    Online Security – Choose strong, unique passphrases for online accounts and enter them securely
    Content Filtering – Use web, email and IM filtering as well as a link checker to block unwanted and malicious content
    Asset Protection – Encrypt and regularly back up your important documents and files
  • 30. Follow Best Security Practices
    • Do not open or execute attachments received from unknown senders. Cybercriminals use social-engineering techniques to lure users into opening attachments or clicking links that deliver malware.
    • Use strong passwords for login accounts and network shares.
    • Avoid downloading software from untrusted P2P or torrent sites; at times it is trojanized with malicious software.
    • Do not download cracked software; it carries the added risk of opening a backdoor for malware into your system.
    • Ensure staff are educated in good computing practices.
  • 31. Thanx