"There's a pot of Bitcoins behind the ransomware rainbow"
•
2 likes•2,114 views
Slides presented at Microsoft's BlueHat conference in January 2016 around ransomware and the analysis approaches of ransomware.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Similar to "There's a pot of Bitcoins behind the ransomware rainbow"
Similar to "There's a pot of Bitcoins behind the ransomware rainbow" (20)
Recently uploaded
Recently uploaded (20)
"There's a pot of Bitcoins behind the ransomware rainbow"
- 1. “There’s a pot of behind the RansomWare rainbow”
- 2. @ChristiaanBeek Daily business: From IR to HR and some Panda’s in between Disclaimer: “The opinions in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers”
- 3. Agenda • Genesis of ransomware • Insights into a ransomware campaign • Analyzing pattern in ransomware families • Thoughts around prevention
- 4. Genesis of Ransomware 2015 1996 2006 2009 2013 2014 Bitcoin invented Reveton CryptoLocker GPcode First A-symmetric ransomware prototypes CryptoDefense CryptoWall CTB-Locker Virlock TorrentLocker CryptoWall Ransomware As A Service TeslaCrypt AlphaCrypt
- 5. It’s all CryptoLocker CryptoDefense CryptoWall v1 CryptoWall v2 CryptoWall v3 CryptoWall v4 TorrentLocker CTBLocker TeslaCrypt v1 TeslaCrypt v2 AlphaCrypt Mimic
- 6. Ransomware Kill-chain Btc wallet2 Exploit Kits URL URL URL URL Many transactions Btc wallet1 Final Wallets Delivery Infrastructure Infection Back end Infrastructure Payment Infra Phishing URL Attachment Victim infected Proxy servers Proxy URL 1 Proxy URL 2 Proxy URL X Distribution servers Btc wallet3
- 7. “Insights in a ransomware campaign: CryptoWall v3”
- 8. CW3 – let’s take a selfie….
- 9. CW3 – campaign ID’s • Malware connects with compromised WordPress sites • All C2 traffic is RC4 encrypted Decrypted: {1|hotcrypt|4FB7C15E303D1AA21721B2089ABA17E0|2|1|2|11X.2XX.XX}
- 10. CW3 - Infra Campaign-ID Infrastructure Bitcoin Wallets
- 11. #who s behind ransomware? Wannabee Affiliate Organized Crime
- 12. Wannabee
- 13. Wannabee
- 14. Affiliate
- 15. Ransomware as a Service Botnet Affiliate/Service Provider RAAS Operator Cash Management
- 16. Organized Crime • Experienced group • Involved in multiple (ransomware) campaigns • Fast response times • Server image for fast deployment • Cautious in affiliate program • Tracking news, forums around their ‘product’ and adjust
- 18. Follow the money… and this is only 2 layers..
- 19. CryptoWall v3 campaign • Feb – Oct 2015 => monitored bitcoin wallets involved • We took average bitcoin-value from Feb – Oct 2015 • Actor-group gained $30 million through Angler Exploit Kit • Total amount we traced $321 million alone on CW3 • Analysis of transactions and other data resulted in evidence of actors involved in multiple ransomware campaigns. Cyberthreatalliance.org
- 20. “Analyzing patterns in ransomware families”
- 21. Different approaches…. • SSDeep • Imp-hash • Static analysis • Dynamic Analysis • Memory analysis • Machine Learning
- 22. Machine Learning Approach • Extract features • Research best models by using different ML algorithms • Use models as classifier for ransomware set
- 23. Machine Learning Approach - tools RANSOMWARE SAMPLE-SET CLEAN FILES SET
- 24. Machine Learning Approach - tools Unpack Files with in-house tool Extract features Classifier Model & select algorithm Evaluate results
- 25. Remember this slide? – Let’s look at API calls
- 26. Procdot written by Christian Wojner
- 27. API calls, command and patterns
- 28. API calls, command and patterns
- 29. API calls, command and patterns Software used: Graphiti
- 30. Memory Analysis Approach • Create a baseline memory print of the analysis machine • Execute ransomware sample • Take memory-dump • Compare memory-dump with baseline • Analyze results • Execute X times for Ransomware family Result: Yara-memory rule that cover complete family from v1 – v4
- 32. Ransomware will chase us in the next year(s)
- 33. To Prevent…... No Brainer Alert • Understand how ransomware spreads and adjust your security settings/policy accordingly. • (Off-line) backups • Patch your third party software • Is Tor really needed in your network..? • Push a Group Policy preventing files running from certain directories • Blacklisting bitcoin-addresses is a problem
- 34. To Prevent…... “Strong collaboration between private industries first and with Global Law Enforcement”
- 35. Take-Down….. Thoughtfull Approach needed
- 36. Thank You!
Editor's Notes
- Difference between ‘Locker-ware” and ‘crypto’ reanomware.
- Command|campaign-ID|Unique-ID-generatedfor-computer|OS|CPUs|Usermode|External-IP
- Results in a 23 MB file with a .scr file extention
- Example: after releasing CW3 report from cyber-threat-alliance – next day CW4 sample Talk about sinus-wave movement of campaigns
- Many legitimate wallets are stolen and repurposed by bad-guys and sold in ways like on carder forums.
- Exploit kits like RIG and