Ransomware - malicious software used by hackers to block access to a computer system until a ransom is paid. The attackers contact the user with a ransom demand, and most request payment in Bitcoin (the crypto-currency). Even if you pay the ransom, the attackers may not deliver the key needed to decrypt the files.
As ransomware attacks continue to grow in number and sophistication, individual PC users and organizations should reassess their current security strategy. There is a common misconception that adding layers of automated defence technologies will reduce the risk of falling victim to ransomware attacks. While endpoint security products and secure email gateways can offer some level of protection, sooner or later a phishing email, which is the most widely used attack vector, will penetrate the defences and the user will be faced with determining whether an email is legitimate or part of an attack.
5. Ransomware
• A type of malware that restricts access to the infected computer system in some way and demands that the user pay a ransom to the malware operators to remove the restriction.
• Some of the malicious actions performed by the malware:
Encrypt personal files (images, movie files, documents, text files)
Encrypt files on shared network drives/resources
Lock system access at login
Crash the system through resource exhaustion, e.g. by spawning processes
Disrupt and annoy: open browser windows, display pornographic images
9. Ransom Evolves: Learning New Tricks
• Using the TOR network to hide C&C
• Bitcoin is the default payment method
• Mobile and cloud-based ransomware
• Increasingly difficult to detect and shut down ransomware
• Harder for law enforcement to trace
• Near impossible to decrypt without paying
10. Onion Routing (Tor)
• By Paul Syverson, Nick Mathewson, Roger Dingledine in 2004
• Low-latency anonymous network
• Maintained by the Free Haven Project
• Hundreds of nodes on all continents
• Supports only TCP
• Uses a SOCKS interface
• Continuously encrypts data across the network
• Data begins in the outermost layer of encryption and is modified at each individual stop
11. How Tor Works: Onion Routing
• A circuit is built incrementally, one hop at a time
• Onion-like encryption
• 'Alice' negotiates an AES key with each router
• Messages are divided into equal-sized cells
• Each router knows only its predecessor and successor
• Only the exit router (OR3) can see the message, but it does not know where the message is from
[Figure: Alice's circuit through OR1, OR2 and OR3 (exit) to Bob; message M carried in cells C1, C2, C3]
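A minimal model of the circuit on this slide, added here as an example (it is not code from the original deck or from the Tor project): Alice holds one key per router, wraps a fixed-size cell in three layers, and each router strips exactly one layer before forwarding, so only OR3 recovers the message. The per-hop keys and the HTTP request are constructed, and SHA-256 in counter mode stands in for the AES-CTR that Tor actually uses.

```python
import hashlib
import os
import struct

CELL_SIZE = 512  # fixed-size cells, so relayed traffic leaks no lengths

def keystream(key: bytes, cell_no: int, length: int) -> bytes:
    # SHA-256 in counter mode: an illustrative stand-in for Tor's AES-CTR (assumption)
    out = b""
    for block in range((length + 31) // 32):
        out += hashlib.sha256(key + struct.pack(">QQ", cell_no, block)).digest()
    return out[:length]

def crypt(key: bytes, cell_no: int, data: bytes) -> bytes:
    # XOR with the keystream: one call adds a layer, the same call removes it
    return bytes(a ^ b for a, b in zip(data, keystream(key, cell_no, len(data))))

def pad_cell(message: bytes) -> bytes:
    # 2-byte length prefix, then zero padding to the fixed cell size
    assert len(message) <= CELL_SIZE - 2
    return struct.pack(">H", len(message)) + message.ljust(CELL_SIZE - 2, b"\0")

def unpad_cell(cell: bytes) -> bytes:
    (n,) = struct.unpack(">H", cell[:2])
    return cell[2:2 + n]

def build_onion(hop_keys: list, cell_no: int, message: bytes) -> bytes:
    # Alice wraps the cell from the inside out: OR3's layer first, OR1's last
    cell = pad_cell(message)
    for key in reversed(hop_keys):
        cell = crypt(key, cell_no, cell)
    return cell

def relay(hop_keys: list, cell_no: int, onion: bytes) -> list:
    # Each router strips one layer and forwards the rest; returns what OR1, OR2, OR3 see
    views, cell = [], onion
    for key in hop_keys:
        cell = crypt(key, cell_no, cell)
        views.append(cell)
    return views

def demo() -> tuple:
    # Constructed per-hop keys stand in for the AES keys Alice negotiated
    hop_keys = [os.urandom(16) for _ in range(3)]
    message = b"GET / HTTP/1.1\r\nHost: bob.example\r\n\r\n"  # constructed
    views = relay(hop_keys, 0, build_onion(hop_keys, 0, message))
    exit_plain = unpad_cell(views[2])           # only OR3 recovers the message
    middle_sees_it = message in views[1]        # OR2 still holds OR3's layer
    return exit_plain, middle_sees_it, [len(v) for v in views]
```

Every cell on the wire is 512 bytes regardless of hop, which is why a middle router learns neither the content nor anything about its size.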
12. Ransomware: Operation with Tor
• Uses Diffie-Hellman key exchange
• Distributes data over several places
• Takes a random pathway
• Used with Privoxy
14. What is Bitcoin
Bitcoin is a digital currency introduced in 2008 by the pseudonymous developer "Satoshi Nakamoto" that can be exchanged for goods and services.
Digital: Bitcoins cannot be printed or physically made. They must be generated through computerized methods.
Decentralized: Bitcoins are not regulated by any government or banking institution.
Revolutionary: Transactions allow for anonymity and are almost instantaneous.
Global: Bitcoin is a borderless currency and can be used anywhere.
15. Bitcoin Wallet
• Bitcoins are stored in your digital wallet.
• When you transfer Bitcoins an electronic signature is added. After a few minutes the transaction is verified and stored in the network.
17. CryptoLocker
▪ Email attachment is the main method of infection
▪ Targets all versions of Windows
▪ Searches for files with certain extensions: doc, docx, wps, xls, xlsx, ppt, pptx, mdb, pst, rtf, pdf, eps, jpg, dng, psd, raw, cer, crt, pfx, …
▪ Encrypts files with a 2048-bit RSA key pair
▪ Paying the ransom results in decryption of the files
▪ No way to decrypt the files without the private key
▪ Ransomware done right!
18. CryptoLocker Details
Some email subject lines related to CryptoLocker:
▪ USPS - Missed package delivery
▪ FW: Invoice <random numbers>
▪ ADP Reference #<random numbers>
▪ Payroll Received by Intuit
▪ Important - attachedform
▪ FW: Last Month Remit
▪ Scanned Image from a Xerox WorkCentre
▪ Fwd: IMG01041_6706015_m.zip
▪ My resume
▪ Voice Message from Unknown Caller (<phone number>)
▪ Important - New Outlook Settings
▪ FW: Payment Advice - Advice Ref:[GB<randomnumbers>]
▪ New contract agreement
▪ Important Notice - Incoming Money Transfer
▪ Payment Overdue - Please respond
▪ FW: Check copy
▪ Corporate eFax message from <phone number>
▪ FW: Case FH74D23GST58NQS
Most of the subject lines target SMBs who might not have recent backups and who might need their files badly enough to pay.
19. Method of Execution
• Drops an executable in the user's %AppData% and %LocalAppData% folders
• Creates registry keys to maintain persistence
• Searches for specific file types
• Performs encryption
• Deletes Volume Shadow Copies
• Displays the ransom note
20. CryptoLocker Analysis
- Drops a copy of itself as %APPDATA%\{random}.exe
- It creates the following autorun key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "CryptoLocker":<random>.exe
- It creates two processes of itself; the second acts as a watchdog.
Later versions of CryptoLocker create an additional registry entry:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker":<random>.exe
21. CryptoLocker Analysis
• It searches all local and remote drives for files to encrypt.
• Every file that is encrypted is also recorded under the following registry key:
HKEY_CURRENT_USER\Software\CryptoLocker\Files
The only way to decrypt is to buy the private key from the attackers
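The persistence and record-keeping artefacts on slides 19 to 21 are exactly what a responder hunts for in a registry export. The following triage script is an added example, not part of the original deck: it parses a Regedit 5.00 export, flags HKCU Run/RunOnce values that launch a bare .exe from %AppData% or %LocalAppData% or carry a CryptoLocker value name, and reports the Software\CryptoLocker\Files key if present. The export text, the user name and the random file name are constructed.

```python
import re

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
RECORD_KEY = r"HKEY_CURRENT_USER\Software\CryptoLocker\Files"
# A bare .exe dropped directly into %APPDATA% or %LOCALAPPDATA%, as the slides describe
APPDATA_DROP = re.compile(r"\\AppData\\(Roaming|Local)\\[^\\]+\.exe\b", re.IGNORECASE)
UNESCAPE = re.compile(r"\\(.)")
# Constructed Regedit 5.00 export (not a real capture): one benign autorun, the
# Run/RunOnce pair from the slides ("*" makes RunOnce fire even in Safe Mode) and
# the key CryptoLocker uses to record the files it encrypted
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"CryptoLocker"="C:\\Users\\alice\\AppData\\Roaming\\Kpqxwzlfv.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*CryptoLocker"="C:\\Users\\alice\\AppData\\Roaming\\Kpqxwzlfv.exe"
[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:\\Users\\alice\\Documents\\budget.xlsx"=dword:00000001
'''

def parse_reg(text: str) -> dict:
    # Returns {key_path: {value_name: data}}; quoted string data is unescaped
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            name, data = UNESCAPE.sub(r"\1", m.group(1)), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = UNESCAPE.sub(r"\1", data[1:-1])
            keys[current][name] = data
    return keys

def triage(text: str) -> list:
    # Findings a responder would act on: suspicious autoruns and the record key
    keys, findings = parse_reg(text), []
    for key in RUN_KEYS:
        short = key.rsplit("\\", 1)[-1]
        for name, data in keys.get(key, {}).items():
            if "cryptolocker" in name.lower() or APPDATA_DROP.search(data):
                findings.append(f"{short}: {name} -> {data}")
    if RECORD_KEY in keys:
        findings.append(f"{RECORD_KEY}: {len(keys[RECORD_KEY])} encrypted file(s) recorded")
    return findings
```

The benign OneDrive entry runs from Program Files and is not flagged, so the AppData rule alone already separates the dropped binary from normal autoruns; the Files key doubles as an inventory of what was encrypted.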
22. CryptoLocker C&C
• Domain Generation Algorithm
It uses any of the following TLDs for every generated domain:
.com, .net, .biz, .ru, .org, .co.uk, .info
• Encrypt files with the public key flow
[Figure: numbered C&C and file-encryption flow, steps 1 to 6]
26. CryptoLocker 2.0
                 | Original CryptoLocker            | CryptoLocker 2.0
Compiler         | C++                              | .NET
Encryption       | RSA-2048                         | RSA-4096
C&C servers      | Employs DGA                      | No DGA
Payment scheme   | moneypak, ucash, cashu, bitcoin  | bitcoin only
Around December 2013, a new ransomware emerged claiming to be CryptoLocker 2.0.
It drops a copy of itself in %system% as msunet.exe.
28. Predictions for 2016
• Ransomware will continue to be a challenge in 2016
• Encrypting Ransomware samples will also have data theft capability
• Targeting Android and iOS platforms
• They are expected to get highly targeted in nature
• They will use extortion tactics with threats to make stolen data public
• It is highly advised to implement backup policies and processes with high-end encryption
29. How to Protect Your Computer
Security Software – Ensure the personal firewall and anti-malware software are working properly and up to date
Patch Management – Update all applications with the latest security patches
Least Privilege Access – Do not use the administrator account for everyday use or while surfing the Internet
Computer Hardening – Configure the operating system, browser, wireless AP, and router to make them more secure
Online Security – Choose strong, unique passphrases for online accounts and enter them securely
Content Filtering – Use web, email, and IM filtering as well as a link checker to block unwanted and malicious content
Asset Protection – Encrypt and regularly back up your important documents and files
30. Follow Best Security Practices
• Do not open or execute attachments received from unknown senders. Cybercriminals use 'social engineering' techniques to lure users into opening attachments or clicking on links that deliver malware.
• Keep strong passwords for login accounts and network shares.
• Avoid downloading software from untrusted P2P or torrent sites. At times it is Trojanized with malicious software.
• Do not download cracked software, as it carries the added risk of opening a backdoor for malware into your system.
• Ensure staff are educated in good computing practices