The document summarizes the history and growth of ransomware. It describes how early ransomware prototypes in the 1990s laid the groundwork, but the problem was how to securely receive payments. Ransomware then grew with CryptoLocker in 2013, as it combined strong encryption with Bitcoin payments. This sparked copycats and the rise of ransomware-as-a-service affiliates who can easily spread malware for a cut of the profits. The high rewards have fueled the ongoing and massive growth of new ransomware variants.
In the last nine months, crypto-mining malware and crypto-jacking have taken center stage in cybercrime news. We’ll discuss the most recent events and see how this links to ransomware, which dominated the cybercrime news last year, where one outbreak cost seven companies over one billion dollars.
Both crypto-mining malware and ransomware, aside from gathering headlines, demonstrate that cybercriminals and nation state actors are building capabilities for worming malware that could have the ability to do far greater damage than has yet been seen.
Come to this talk, learn what’s been going on, where it’s likely going, and how to avoid being a victim of a headline-generating event.
One of the key methods cybercriminals are using is ransomware, most famously the Cryptolocker malware,
and its numerous variants, which encrypts the files on a user’s computer and demands the user to pay a ransom, usually in Bitcoins, in order to receive the key to decrypt the files. But Cryptolocker is just one approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To guard against ransomware, it is not enough to know the malware that is making the rounds that day. It is vital to have a broader understanding of the topic, so one can take effective countermeasures against this evolving threat.
For those of you who missed it, this is my slide deck from SecTor 2009, "When Web 2.0 Attacks!" ... reference to Web 2.0, and many of the technologies that make up the mish-mash that makes today's web application landscape so impossible to secure.
CryptoJacking and Security: Evolution of a HackBryan Becker
Bryan Becker's talk at the 2018 RMISC discussing the changing types of attacks focusing on "cryptojacking" and the future challenges for blockchain security.
Driven by recent increases in cryptocurrency values, Cryptojacking is poised to be a center of conversation. It’s one of the latest innovations in hacking in which a victim’s computer is enlisted to mine cryptocurrency. Unlike ransomware, this attack steals processor cycles in an attempt to mine Monero and other currencies, typically without the user’s knowledge or consent.
Senior Network Analyst Warren Finch discussed the use of web-based crypto miners and how the crypto miners could be used maliciously for crypto jacking at PacNOG 23 in the Marshall Islands from 3 to 7 December 2018.
In the last nine months, crypto-mining malware and crypto-jacking have taken center stage in cybercrime news. We’ll discuss the most recent events and see how this links to ransomware, which dominated the cybercrime news last year, where one outbreak cost seven companies over one billion dollars.
Both crypto-mining malware and ransomware, aside from gathering headlines, demonstrate that cybercriminals and nation state actors are building capabilities for worming malware that could have the ability to do far greater damage than has yet been seen.
Come to this talk, learn what’s been going on, where it’s likely going, and how to avoid being a victim of a headline-generating event.
One of the key methods cybercriminals are using is ransomware, most famously the Cryptolocker malware,
and its numerous variants, which encrypts the files on a user’s computer and demands the user to pay a ransom, usually in Bitcoins, in order to receive the key to decrypt the files. But Cryptolocker is just one approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To guard against ransomware, it is not enough to know the malware that is making the rounds that day. It is vital to have a broader understanding of the topic, so one can take effective countermeasures against this evolving threat.
For those of you who missed it, this is my slide deck from SecTor 2009, "When Web 2.0 Attacks!" ... reference to Web 2.0, and many of the technologies that make up the mish-mash that makes today's web application landscape so impossible to secure.
CryptoJacking and Security: Evolution of a HackBryan Becker
Bryan Becker's talk at the 2018 RMISC discussing the changing types of attacks focusing on "cryptojacking" and the future challenges for blockchain security.
Driven by recent increases in cryptocurrency values, Cryptojacking is poised to be a center of conversation. It’s one of the latest innovations in hacking in which a victim’s computer is enlisted to mine cryptocurrency. Unlike ransomware, this attack steals processor cycles in an attempt to mine Monero and other currencies, typically without the user’s knowledge or consent.
Senior Network Analyst Warren Finch discussed the use of web-based crypto miners and how the crypto miners could be used maliciously for crypto jacking at PacNOG 23 in the Marshall Islands from 3 to 7 December 2018.
Blockchain technology can revolutionise the provision of decentralised Applications Dapps, as well as help IoT systems to boot to reduce the cost of this development, the stakeholders to determine how to distribute benefits and take into account five basic principles:
• Potential effects of technology on IoT systems
• Organisational changes
• Secure the correct data
• Financing electronic IoT systems
• Security and privacy of user data
RSA 2015 Bitcoin's Future Threats: Expert's Roundtable based on 150 Case StudiesWayne Huang
Bitcoin's future threats: what’s real and what’s not? Audience votes after panelists release a whitepaper and overview key case studies on: remote exploitation(31), mining resources theft(17), wallet theft(10), fraud or scam(10), crime or terrorism(10), insider threat(8), DDoS(7), phishing(6), coin loss(4), software bug or human error(3), social engineering(1), 51% attack(1), government bans(1). - See more at: https://www.rsaconference.com/events/us15/agenda/sessions/1710/bitcoins-future-threats-experts-roundtable-based-on#sthash.MtLRNA1w.dpuf
An overview of blockchain and Distributed Ledger Technologies (DLT) including consensus, PoW, PoS, dBFT, DAG, smart contracts, Ethereum, Stellar, Ripple, Hashgraph Hedera, tokens, tokenomics, cryptocurrencies, ICO... taught during the ITU DLT seminar in Bangkok Thailand in September 2018
Cryptography, as we know, is the study of techniques for secure communication. It is highly impossible to hack a blockchain, or a private key as trying to break an algorithm protected by cryptography would require an unfeasible amount of computational power
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Whitepaper blockchain technology and investmentIbrahim Khatri
After my research of multiple years and going through multiple articles, here is the summary of my all learning.
This is a must read for any technical or financial enthusiast who want to know more about blockchain from technical and financial model perspective.
During last few years, we heard many crypto jargons on daily basis at variety of occasions. If yes, this white paper will help to understand more about those and add value to your future actions, decisions for yourself and for your business.
Cyber Threats & Gaming Networks: From attackers perspective, these networks have huge potential: for identities, money, for communications, and a lot more. This C/DIG Report outlines the potential threat in gamer’s networks – from the perspective of terrorist and criminal hackers.
To download The Cyber Security Whitepaper for free, visit: www.vTechSolution.com
https://vtechsolution.com/cyber-security-whitepaper-2018/
Small businesses usually neglect Cyber Security as an essential function making their IT infrastructure vulnerable.
IT security issues often cost companies a lot of money and downtime every year. Even if the IT infrastructure consists of couple laptops and Devices, Cyber Security should always be a top priority.
This white paper provides Cyber Security Insights that are a must know for all small to midsize business. It describes the current trends in Cyber Security, do & don’ts, and scenarios. Learn how to protect your computers, networks, programs, and data from unauthorized access or attacks that are aimed for exploitation.
[Workshop] Getting Started with Cryptos, NFTs & Web 3.0 for Absolute BeginnersHessan Adnani
We are experiencing massive trends in Cryptos, NFTs, and Web 3.0 everywhere, and sooner or later, we all need to adapt to these new technologies. The DotCom Boom is repeating itself. We have two choices: to wait and be forced to learn about the Cryptos/NFTs when it's too late or to know it now and ride the current waves of opportunities.
In this workshop, we will get you started with Cryptos and NFTs, even if you're an absolute beginner with no technical background. We will be discussing:
The fundamentals of blockchain technology and how Cryptocurrencies, NFTs, and Web 3.0 work
Setting up your digital wallet
Understanding the Cryptos and NFTs markets
How to keep your assets safe and spot scams
How to buy and store cryptocurrency
How to buy your first NFT
How to spot opportunities
Essential investment mindset when it comes to the Crypto world
Crypto communities
And many more...
Lost in the Ether: How Ethereum Hacks Are Shaping the Blockchain FuturePriyanka Aash
Valued at over $24 billion in total, Ether is the second largest crypto currency, only behind Bitcoin. In the last two years, cybercriminals have exploited code flaws, web app vulnerabilities and social engineering to steal over $100 million in Ether crypto currency. This session will cover smart contracts and the Ethereum Virtual Machine as well as a history of how these heists have shaped Ethereum.
Learning Objectives:
1: Gain a basic understanding of the Ethereum Virtual Machine and smart contracts.
2: Understand common security flaws in blockchain technology implementation.
3: Consider the legal implications of attacks against fully distributed entities.
(Source: RSA Conference USA 2018)
Blockchain technology can revolutionise the provision of decentralised Applications Dapps, as well as help IoT systems to boot to reduce the cost of this development, the stakeholders to determine how to distribute benefits and take into account five basic principles:
• Potential effects of technology on IoT systems
• Organisational changes
• Secure the correct data
• Financing electronic IoT systems
• Security and privacy of user data
RSA 2015 Bitcoin's Future Threats: Expert's Roundtable based on 150 Case StudiesWayne Huang
Bitcoin's future threats: what’s real and what’s not? Audience votes after panelists release a whitepaper and overview key case studies on: remote exploitation(31), mining resources theft(17), wallet theft(10), fraud or scam(10), crime or terrorism(10), insider threat(8), DDoS(7), phishing(6), coin loss(4), software bug or human error(3), social engineering(1), 51% attack(1), government bans(1). - See more at: https://www.rsaconference.com/events/us15/agenda/sessions/1710/bitcoins-future-threats-experts-roundtable-based-on#sthash.MtLRNA1w.dpuf
An overview of blockchain and Distributed Ledger Technologies (DLT) including consensus, PoW, PoS, dBFT, DAG, smart contracts, Ethereum, Stellar, Ripple, Hashgraph Hedera, tokens, tokenomics, cryptocurrencies, ICO... taught during the ITU DLT seminar in Bangkok Thailand in September 2018
Cryptography, as we know, is the study of techniques for secure communication. It is highly impossible to hack a blockchain, or a private key as trying to break an algorithm protected by cryptography would require an unfeasible amount of computational power
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Whitepaper blockchain technology and investmentIbrahim Khatri
After my research of multiple years and going through multiple articles, here is the summary of my all learning.
This is a must read for any technical or financial enthusiast who want to know more about blockchain from technical and financial model perspective.
During last few years, we heard many crypto jargons on daily basis at variety of occasions. If yes, this white paper will help to understand more about those and add value to your future actions, decisions for yourself and for your business.
Cyber Threats & Gaming Networks: From attackers perspective, these networks have huge potential: for identities, money, for communications, and a lot more. This C/DIG Report outlines the potential threat in gamer’s networks – from the perspective of terrorist and criminal hackers.
To download The Cyber Security Whitepaper for free, visit: www.vTechSolution.com
https://vtechsolution.com/cyber-security-whitepaper-2018/
Small businesses usually neglect Cyber Security as an essential function making their IT infrastructure vulnerable.
IT security issues often cost companies a lot of money and downtime every year. Even if the IT infrastructure consists of couple laptops and Devices, Cyber Security should always be a top priority.
This white paper provides Cyber Security Insights that are a must know for all small to midsize business. It describes the current trends in Cyber Security, do & don’ts, and scenarios. Learn how to protect your computers, networks, programs, and data from unauthorized access or attacks that are aimed for exploitation.
[Workshop] Getting Started with Cryptos, NFTs & Web 3.0 for Absolute BeginnersHessan Adnani
We are experiencing massive trends in Cryptos, NFTs, and Web 3.0 everywhere, and sooner or later, we all need to adapt to these new technologies. The DotCom Boom is repeating itself. We have two choices: to wait and be forced to learn about the Cryptos/NFTs when it's too late or to know it now and ride the current waves of opportunities.
In this workshop, we will get you started with Cryptos and NFTs, even if you're an absolute beginner with no technical background. We will be discussing:
The fundamentals of blockchain technology and how Cryptocurrencies, NFTs, and Web 3.0 work
Setting up your digital wallet
Understanding the Cryptos and NFTs markets
How to keep your assets safe and spot scams
How to buy and store cryptocurrency
How to buy your first NFT
How to spot opportunities
Essential investment mindset when it comes to the Crypto world
Crypto communities
And many more...
Lost in the Ether: How Ethereum Hacks Are Shaping the Blockchain FuturePriyanka Aash
Valued at over $24 billion in total, Ether is the second largest crypto currency, only behind Bitcoin. In the last two years, cybercriminals have exploited code flaws, web app vulnerabilities and social engineering to steal over $100 million in Ether crypto currency. This session will cover smart contracts and the Ethereum Virtual Machine as well as a history of how these heists have shaped Ethereum.
Learning Objectives:
1: Gain a basic understanding of the Ethereum Virtual Machine and smart contracts.
2: Understand common security flaws in blockchain technology implementation.
3: Consider the legal implications of attacks against fully distributed entities.
(Source: RSA Conference USA 2018)
esta es la versión corregida con los cambios sugeridos por las asesoras de Robótica Educativa de los diseños de los proyectos correspondientes a primero y sexto grado
In CDMA , All user share the same radio channel.If one user take more power than it need, then other will be suffer and capacity will be decreased.
This presentation adresses how to tune The CDMA cellular radio network in order to tolarate interference.
Aws vs. azure key parameters for decision makingAspire Systems
•How new cloud services from Azure & AWS are influencing services?
•Closer look at the pros and cons of AWS and Azure
•What can go wrong and how to prepare for it?
•Get secret blue print of industry best practices on cloud migration.
•Industry best practices and key things to keep in mind while selecting AWS or Azure
Never before in the history of human kind have people across the world been subjected to extortion on a massive scale as they are today. In recent years, personal use of computers and the internet has exploded and, along with this massive growth, cybercriminals have emerged to feed off this burgeoning market, targeting innocent users with a wide range of malware. The vast majority of these threats are aimed at directly or indirectly making money from the victims. Today, ransomware has emerged as one of the most troublesome malware categories of our time.
There are two basic types of ransomware in circulation. The most common type today is crypto ransomware, which aims to encrypt personal data and files. The other, known as locker ransomware, is designed to lock the computer, preventing victims from using it. In this research, we will take a look at how the ransomware types work, not just from a technological point of view but also from a psychological viewpoint. We will also look at how these threats evolved, what factors are at play to make ransomware the major problem that it is today, and where ransomware is likely to surface next.
Ransomware is a PC or Mac-based malicious piece of software that encrypts a user or company’s files and forces them to pay a fee to the hacker in order to regain access to their own files.
Not only can ransomware encrypt the files on your computer; the software is smart enough to travel across your network and encrypt any files located on shared network drives. This can lead to a catastrophic situation whereby one infected user can bring an entire company to a halt.
"While blockchain is immensely popular and sometimes even overrated, this technology still faces some issues due to the immature and inexperienced user community. Without saying, this sets the stage for numerous scam schemes. Our aim is to make the cryptocurrency fraud list of the 5 most common risk factors of blockchain projects. We strive to ensure the security of your crypto interaction by raising your awareness of swindler strategies and market volatility.
This topic will be interested for those who look at:
- cryptocurrency scam risk factors
- cryptocurrency scam
- cryptocurrency fraud
- cryptocurrency fraud list
- is cryptocurrency fraud
This is addopted presentation. To review the longread, visit https://axisbits.com/blog/Cryptocurrency-Scam-Risk-Factors"
A comprehensive survey ransomware attacks prevention, monitoring and damage c...RSIS International
Ransomware is a type of malware that prevents or
restricts user from accessing their system, either by locking the
system's screen or by locking the users' files in the system unless
a ransom is paid. More modern ransomware families,
individually categorize as crypto-ransomware, encrypt certain
file types on infected systems and forces users to pay the ransom
through online payment methods to get a decrypt key. The
analysis shows that there has been a significant improvement in
encryption techniques used by ransomware. The careful analysis
of ransomware behavior can produce an effective detection
system that significantly reduces the amount of victim data loss.
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...AshishDPatel1
Ransomware is a type of malware that prevents or restricts user from accessing their system, either by locking the system's screen or by locking the users' files in the system unless a ransom is paid. More modern ransomware families, individually categorize as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom through online payment methods to get a decrypt key. The analysis shows that there has been a significant improvement in encryption techniques used by ransomware. The careful analysis of ransomware behavior can produce an effective detection system that significantly reduces the amount of victim data loss.
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...RSIS International
Ransomware is a type of malware that prevents or
restricts user from accessing their system, either by locking the
system's screen or by locking the users' files in the system unless
a ransom is paid. More modern ransomware families,
individually categorize as crypto-ransomware, encrypt certain
file types on infected systems and forces users to pay the ransom
through online payment methods to get a decrypt key. The
analysis shows that there has been a significant improvement in
encryption techniques used by ransomware. The careful analysis
of ransomware behavior can produce an effective detection
system that significantly reduces the amount of victim data loss.
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...HackIT Ukraine
Ник расскажет про типичный день антивирусного специалиста в Кремниевой Долине. Про то, как компании борются с хакерскими атаками. Он расскажет свою историю про то, как работал в Фейсбуке, как туда попасть и какой опыт эта компания даёт. Расскажет про Cyphort, и антивирусы нового поколения. И он поделится новыми трендами кибербезопасности.
THE BITCOINHEIST: CLASSIFICATIONS OF RANSOMWARE CRIME FAMILIESijcsit
Ransomware attacks are on the rise and attackers are hijacking valuable information from different
critical infrastructures and businesses requiring ransom payments to release the encrypted files. Payments
in cryptocurrencies are designed to evade tracing the transactions and the recipients. With anonymity
being paramount, tracing cryptocurrencies payments due to malicious activity and criminal transactions is
a complicated process. Therefore, the need to identify these transactions and label them is crucial to
categorize them as legitimate digital currency trade and exchange or malicious activity operations.
Machine learning techniques are utilized to train the machine to recognize specific transactions and trace
them back to malicious transactions or benign ones. I propose to work on the Bitcoin Heist data set to
classify the different malicious transactions. The different transactions features are analyzed to predict a
classifier label among the classifiers that have been identified as ransomware or associated with malicious
activity. I use decision tree classifiers and ensemble learning to implement a random forest classifier.
Results are assessed to evaluate accuracy, precision, and recall. I limit the study design to known
ransomware identified previously and made available under the Bitcoin transaction graph from January
2009 to December 2018.
Ransomware attacks are on the rise and attackers are hijacking valuable information from different
critical infrastructures and businesses requiring ransom payments to release the encrypted files. Payments
in cryptocurrencies are designed to evade tracing the transactions and the recipients. With anonymity
being paramount, tracing cryptocurrencies payments due to malicious activity and criminal transactions is
a complicated process. Therefore, the need to identify these transactions and label them is crucial to
categorize them as legitimate digital currency trade and exchange or malicious activity operations.
Machine learning techniques are utilized to train the machine to recognize specific transactions and trace
them back to malicious transactions or benign ones. I propose to work on the Bitcoin Heist data set to
classify the different malicious transactions. The different transactions features are analyzed to predict a
classifier label among the classifiers that have been identified as ransomware or associated with malicious
activity. I use decision tree classifiers and ensemble learning to implement a random forest classifier.
Results are assessed to evaluate accuracy, precision, and recall. I limit the study design to known
ransomware identified previously and made available under the Bitcoin transaction graph from January
2009 to December 2018.
Cyber crime - Understanding the Organised Criminal Group modelInnesGerrard
Keep your friends close and your enemies closer. Very few people are aware of the extent of the online criminal ecosystem that supports and enables cyber attacks and the business model behind it. This is an eye opener!
Ransomware-as-a-Service: The business of distributing cyber attacksΔρ. Γιώργος K. Κασάπης
Ransomware is proving to be a profitable endeavor for cyber criminals. It is also what is fueling a newer trend: the business of offering management of ransomware attacks, or Ransomware-as-a-Service (RaaS).
Fueled in part by the ability to use cryptocurrency to avoid detection, cyber criminals are setting up shop as a managed service provider, helping other cyber criminals conduct business on their platforms for a fee. For that fee, cyber criminal groups get personalize access to platforms, complete with dashboard capabilities, that allow them to easily distribute their ransomware. Also included – technical support. Such full-service offerings mean that nearly anyone with internet access can launch a ransomware attack without any technical knowledge needed.
And why not? The estimated return on investment from ransomware campaigns can easily reach 1400%. The lure of a lucrative return could well attract beginners or anyone with a grudge. For organizations, the threat coming from a well-backed beginner is as damaging as one coming from a career criminal.
Ethical Hacker
Hacking Essay
Ethical Issues In The Workplace Essay
Ethical Hacking From Legal Perspective
Ethical Hacking
Ethical Hacking
Essay on Ethical Computer Hacking
Ethical Hacking
The Pros And Cons Of Hacking
Ethical Hacking Essay
EverSec + Cyphort: Big Trends in CybersecurityCyphort
Advanced threats are changing so often it is getting harder and harder to keep up! In addition to new attacks, hackers are reinventing older ones, making it even more difficult to detect. In this webinar, we will discuss at a high-level some of biggest cybersecurity threats happening right now, including:
--The Resurgence of Ransomware - Locky and other new cryptolockers
--Malvertising, oh My! - No website is safe from unknowingly spreading malware to visitors
--I have RATs - How to defend against Remote Access Trojans stealing your data
Similar to wp-understanding-ransomware-strategies-defeat (20)
2. Understanding Ransomware and Strategies to Defeat It 2
White Paper
Introduction
Held Hostage in Hollywood
In February 2016 the Hollywood Presbyterian Medical Center, in Los Angeles, paid a ransom of
about US$17,000 to hackers who infiltrated and disabled its computer network with ransomware.
The hospital paid the ransom of 40 Bitcoins (currently worth about $16,664) after a “network
infiltration” began on February 5, when employees reported being unable to access the hospital’s
network and electronic medical records system. “The malware locked access to certain computer
systems and prevented us from sharing communications electronically,” said hospital CEO
Allen Stefanek.
Hollywood Presbyterian employees were forced to move back to paper and transmit information to
doctors and others by fax machine while the IT team and outside consultants rushed to restore the
network. Eventually, hospital officials decided that “the quickest and most efficient way to restore
our systems and administrative functions was to pay the ransom and obtain the decryption key,”
Stefanek explained. “In the best interest of restoring normal operations, we did this.”
No one wants to be part of a story like this. What exactly is ransomware? Where did it come from?
Why is it so pervasive? How can we help secure our computing resources today?
“It is said that if you
know your enemies and
know yourself, you will
not be imperiled in a
hundred battles;
If you do not know your
enemies but do know
yourself, you will win
one and lose one;
If you do not know your
enemies nor yourself,
you will be imperiled in
every single battle.”
—Sun Tzu, The Art of War
4. Understanding Ransomware and Strategies to Defeat It 4
White Paper
Ransomware History
It may surprise you to know that ransomware has been around for quite a long time. The first
asymmetric ransomware prototypes were developed in the mid-1990s. The idea of using public-key
cryptography for computer attacks was introduced in 1996 by Adam L. Young and Moti Yung in the
1996 Proceedings of the IEEE Symposium on Security and Privacy. In the abstract, Young and Yung
said their prototype was meant to show how cryptography could be “used to mount extortion-based
attacks that cause loss of access to information, loss of confidentiality, and information leakage,
tasks which cryptography typically prevents.” Young and Yung presented a proof-of-concept
cryptovirus for the Apple Macintosh SE/30 using RSA and TEA asymmetric block ciphers.
What does “asymmetric” mean and why does that matter? The defining characteristic of public-
key cryptography is the use of an encryption key by one party to perform either encryption or
decryption and the use of another key in the counterpart operation. In symmetric-key algorithms,
there is a single key used and shared between receiver and sender, thus the key used by the receiver
and sender is “symmetric” because it is the same. The use of multiple keys in asymmetric public-
key cryptography allows ransomware to encrypt items on a system with a public key while never
exposing the private key, thus keeping it secret. For ransomware, this is essential for “mangling” data
files without exposing anything that someone could use to figure out how to undo the encryption.
Timeline of Some Noteworthy Ransomware Familes
• First asymmetric
ransomware
prototypes
• Bitcoin invented • CryptoWall
• CTB-Locker
• Virlock
• GPCode • Reveton
• CryptoLocker
• CryptoDefense
• TorrentLocker
• CrytoWall
• Ransomware-
as-a-Service
• TeslaCrypt
• AlphaCrypt
1996 2006 2009 2013 2014 2015
Figure 1. Ransomware proofs of concept are 20 years old, but the business really took off in the past three years.
Even though this first asymmetric ransomware prototype was well publicized, there was a
logistical problem. How could the ransom be paid without exposing the malware author to risk?
Send payments to a post office box? The “AIDS” Trojan ransomware author tried that and law
enforcement officials tracked the money and arrested him. Thus until a usable ransomware “food
chain” could be created, there wasn’t much point in trying to leverage the idea of malicious
encryption for making money.
As a result, things were pretty quiet until 2005, when GPCode, also called PGPCoder, was launched.
It was a relatively simple Trojan encrypting common user files that matched the extensions matching
those in its code. (These extensions included .doc, .html, .jpg, .xls, .zip, and .rar.) The Trojan would
drop a text file that demanded payment in each directory with affected files. Back then, the payment
was typically between $100–$200 in e-gold or a Liberty Reserve account. The security industry
was able to come up with a variety of solutions to this Trojan (such as virus detection and utilities
to combat GPCode). GPCode was considered modestly successful in that the malware author(s)
behind GPCode and its variants were able to collect some money, but many variants had flaws (using
symmetric encryption, deleting the unencrypted files in a way that allowed disk scanners to recover
the files, etc.) that permitted users to recover data without paying the ransom.
5. Understanding Ransomware and Strategies to Defeat It 5
White Paper
CryptoLocker CopyCats
TorrentLocker CTB-LockerCryptoDefense
CryptoWall v1
CryptoWall v2
CryptoWall v3
CryptoWall v4
Tesla Crypt v1
AlphaCrypt
Tesla Crypt v2
Mimic
Figure 2.The incestuous nature of ransomware.
CryptoLocker was a ransomware Trojan that launched in September 2013. By combining capabilities
such as more powerful asymmetric encryption methods and using the new cyber currency of
Bitcoin as payment, ransomware started to really take off. (In Figure 1, we see a dotted line leading
from Bitcoin to CryptoLocker, which was the first of a new generation of ransomware using Bitcoin
for payments.) CryptoLocker was estimated to have earned its author $27 million in Bitcoin before
it was shut down. Law enforcement working together with the threat intelligence community
succeeded in taking down the botnet that was spreading CryptoLocker, but not before other
malware authors saw the promise of CryptoLocker and spawned variants that persist to this day.
Many new variants of ransomware are directly related to CryptoLocker. As seen in Figure 2,
CryptoLocker has spawned whole families of derivative ransomware, including CryptDefense,
TorrentLocker, CTB-Locker, CryptoWall, TeslaCrypt, and AlphaCrypt. McAfee Labs has confirmed that
code from CryptoLocker exists in all of these derivatives.
In summary, the success of CryptoLocker plus the combination of business models, digital currency,
and evasion techniques has led to the pervasiveness of ransomware in today’s threat landscape.
The World of Digital Currency Payments
This brings us to the subject of ransomware payment methods. The first payment methods for
ransomware were e-gold and Liberty Reserve, as used by GPCode. E-gold was the world’s first digital
currency that was backed by hard assets of gold and silver bullion. E-gold was shut down in large
part because the US Secret Service caught wind of criminals using it to transact illegal commerce.
However, the invention of Bitcoin really sparked the imagination of the hacker community. Bitcoin is
essentially a digital asset and payment system invented by Satoshi Nakamoto and released as open-
source software in 2009. Bitcoin is the first decentralized digital currency. It is unique in that it solves
a number of problems that plagued earlier attempts to produce this kind of currency.
6. Understanding Ransomware and Strategies to Defeat It 6
White Paper
■■ Bitcoin owners can prove they have funds without risk to the owner.
■■ There is no central bank or authority for the currency, which eliminates the ability of the
currency’s value to be manipulated by that authority.
■■ Transactions on the Bitcoin network are pseudonymous, meaning that although a
currency transaction is announced on the network, there is no easy way to link Bitcoin
account addresses to real-world identities, so the people conducting the transaction
have a significant amount of privacy.
■■ Transactions are not location-specific, so currency can be seamlessly sent across borders.
■■ Basic transactions are irreversible. Once a transfer is made, there is no way for a third
party to force a chargeback (as with a credit card).
■■ Here’s the really clever part: There are no hard assets (such as gold) backing Bitcoin.
Rather than relying on hard assets, Bitcoin miners use Bitcoin mining software to solve
Bitcoin algorithms and earn Bitcoins. The algorithms are extremely hard to solve and
require a lot of computation. Thus the number of Bitcoins being generated is relatively
steady but low, similar to mining gold. Here’s a video about how it works. (The ability to
create value has led to “Bitcoin mining” malware, in which malware authors secretly take
over your computer and force it to help solve the Bitcoin algorithms.)
These characteristics make Bitcoin very attractive to ransomware developers as a payment method
for their schemes.
Why Ransomware Has Such Strong Growth
Massive Ransomware Growth
Unique Ransomware Binaries Discovered
1 400 000
1 200 000
1 000 000
800 000
600 000
400 000
200 000
Q
1-2010Q
2
Q
3
Q
4
Q
1-2011Q
2
Q
3
Q
4
Q
1-2012Q
2
Q
3
Q
4
Q
1-2013Q
2
Q
3
Q
4
Q
1-2014Q
2
Q
3
Q
4
Q
1-2015Q
2
Q
3
Q
4
0
Figure 3. Ransomware grew considerably in 2015. Source: McAfee Labs, 2016.
Looking at ransomware overall, McAfee Labs has measured a massive spike in new unique
ransomware binaries starting in Q4 of 2014. This is due primarily to two things: Ransomware
authors figured out how to make it ridiculously easy to get involved in the ransomware food chain;
and ransomware authors have made it harder to detect ransomware binaries.
McAfee Labs predicted this
rise in 2014 based on trends
in the Dark Web.
■■ Explosive increase in
new, unique ransomware
in 2015.
■■ Affiliate programs make
it easy for amateurs to
earn thousands of dollars
per week.
■■ Polymorphic technique
with minor changes leads
to unknown malware and
greater obfuscation.
7. Understanding Ransomware and Strategies to Defeat It 7
White Paper
In Figure 3, we see that there was a spike of ransomware building to a peak in Q2 of 2013, and
then dying down until mid-to-late 2014, when the pace picked up again. The initial surge,
subsequent decrease, and then sustained surge can be explained: During 2013 and 2014, the
security community was very good at working with each other as well as with law enforcement to
identify specific ransomware threat families, tracking down how they were being distributed and
how the control systems worked, and then shutting them down. That explains the initial peak and
subsequent decrease in activity. Now let’s look at why there is a sustained surge.
Starting in late 2014, ransomware toolkit authors opened up revenue sharing and created a
lucrative, automated business model that has grown virally and is very easy to participate in. The
financial rewards are significant. The affiliate programs generally split money (Bitcoin) 70/30 in
favor of the affiliate. So for a $400 ransom, the affiliate will receive $280. You read that right: The
script kiddie (distributor) makes more than the author. Why? Because the script kiddie takes all the
risk, with payment credentials in the open, and they do the work of spreading the malware. (Some
affiliates brag that they make $70,000–$80,000 per week.) According to the FBI’s Internet Crime
Complaint Center (IC3), more than 992 CryptoWall-related complaints were received between April
2014 and June 2015. During that period, victims reported more than $18 million in losses. Based
on the McAfee Labs detection of unique ransomware binaries, we estimate that the value of losses
on a rolling 15-month average will easily surpass this figure during 2015–2016. It is clear that the
financial rewards are significant with the new business models. The other aspect of these affiliate
programs is the notion of “Ransomware-as-a-Service.”
Ransomware Authors Appeal to Affiliates
Figure 4. An example of Ransomware-as-a-Service.
“Ransomware-as-a-Service” means that the affiliate does not need any special programming skill,
simply the willingness to spread the ransomware (typically through email botnets that are easy
for a nonprogrammer to set up). The affiliate can sign up as an affiliate and simply download a
customized ransomware binary (see Figure 4). The malware has custom payment instructions and
payment credentials and allows the affiliate to easily take part in the ransomware game. Some new
variants of ransomware even have customizable malware actions. Check out these customization
options from Ransom32, the world’s first ransomware written in JavaScript:
Advanced programming
knowledge is not needed to
distribute ransomware and
become a criminal.
8. Understanding Ransomware and Strategies to Defeat It 8
White Paper
■■ Fully lock the computer: By default the lock screen will pop up each xx seconds after
being minimized. The affiliate can configure it so the victim will not be able to minimize
the lock screen, further exacerbating the user’s frustration.
■■ Reduce CPU capabilities: The ransomware will encrypt files at 0%–25% speed while the
lock window is not shown, so the process will be less noticeable in the Task Manager due
to high CPU consumption.
■■ Latent timeout: The ransomware will go into a dormant state and wake up, connect to
the server, and start encrypting only after a certain number of seconds has passed after
installing. The ransomware won’t connect to the server until it wakes up, which allows
ransomware to escape detection. This is a particularly nasty evasion technique, as it is
simple and will fool many security sandboxing techniques that assume that malware will
start its malicious activities immediately after installation.
■■ Show lock screen before encrypting: By default the ransomware will show the lock
screen after encrypting many files in the computer (file size under 50MB) and will
continue encrypting in the background. The affiliate can program the ransomware to
show the lock screen immediately after installing, before encrypting any files in the
background. Some affiliates feel that this gets results more quickly without having
to wait hours or days for encryption to be mostly completed. The downside is that
if the victim tries to check files just as the window pops up, he or she will notice that
files are being manipulated in the background, which may cause the victim to take
immediate action (stopping the program, shutting down the computer) thus making the
ransomware less effective.
■■ Show a message box: This box will be shown before installing and before any latent
timeout is applied.
Ransomware authors are now officially organized crime, and they have made it easy for wannabees
and affiliates to participate in their crime wave and spread this malware.
Telemetry Tracks Revenues
Figure 5. Ransomware offers sophisticated telemetry. Source: McAfee Labs 2016.
The automated ransomware business model includes sophisticated tools such as the telemetry
dashboard. (See Figure 5.) It reports all kinds of useful information, such as the price for the
campaign, the amount paid per binary, the operating system that is infected, time zone, and more.
Affiliates now have detailed capabilities to see how effective their campaigns are and can tune their
efforts to extract the maximum benefit for themselves without leaving the comfort of their homes.
9. Understanding Ransomware and Strategies to Defeat It 9
White Paper
Another reason for the growth in unique binaries is that ransomware authors now use
polymorphism, a technique that allows ransomware to use a different, unique signature on each
targeted system. Thus, one family of ransomware can theoretically create an unlimited number of
unique ransomware binaries with a single ransomware toolkit and fuel the growth we see in Figure 3.
Polymorphism has been around for decades, and endpoint security technology can be highly
effective against it. The main differentiator between technologies that are effective and those that
are not is where the polymorphic engine resides.
■■ If the polymorphic engine is local (on the host or endpoint), then the engine activity
can be analyzed and beaten in a straightforward way because the actions taken by the
polymorphic engine can be observed on the endpoint.
■■ However, if the engine is on the server, then defeating the engine is more problematic
because the engine is a “black box” in its actions.
The real explosion in ransomware binaries is from the family PolyRansom, which uses host-side
polymorphism and can be defeated by strong signature-based antimalware. (Thus keeping your
security content up to date is both effective and essential.) Although PolyRansom accounts for the
largest number of binaries detected and the best signature coverage, it is not representative of what
causes the most harm, which is families that use server-side polymorphism.
From a Few Come Many
Unique Ransomware Binaries Discovered
1 400 000
1 200 000
1 000 000
800 000
600 000
400 000
200 000
Q
1-2010Q
2
Q
3
Q
4
Q
1-2011Q
2
Q
3
Q
4
Q
1-2012Q
2
Q
3
Q
4
Q
1-2013Q
2
Q
3
Q
4
Q
1-2014Q
2
Q
3
Q
4
Q
1-2015Q
2
Q
3
Q
4
0
Figure 6. A handful of toolkits leads to millions of unique binaries. Source: McAfee Labs, 2016.
Ransomware that employs server-side polymorphism does not prevent today’s security from
being highly effective, however. We will discuss a number of steps you can take to improve your
current posture.
Here’s an example of the effect of polymorphism. Figure 6 shows that although McAfee Labs
detected millions of unique ransomware binaries in 2015, our malware research team estimates
that only about 12 to 15 toolkits are responsible for all of these unique samples.
McAfee Labs researchers
estimate that the millions of
unique samples are derived
from only 12 to 15 toolkits.
10. Understanding Ransomware and Strategies to Defeat It 10
White Paper
Primer: How Ransomware Works
1. Distribution: Standard methods
of email attachments, website
compromises.
2. Infection: Arrives on user’s
computer and starts processes. 3. Communication: Process
talks to encryption-key servers.
6. Ransom demand: System ready
to demand payment. 5. Encryption: Typically done
through rename, encrypt,
rename again.
4. File search: Process searches
for important files on the system,
e.g. JPG, DOCX, XLSX, PPTX, PDF.
PPTX PDF
XLSXJPG DOCX
DOCX
DOCXDOCXDOCX
DOCX
Figure 7. Ransomware follows a number of typical steps to success. Source: McAfee Labs, 2016.
We have described the technologies that ransomware leverages, and the business model and
evasion techniques that fuel its growth and success. Let’s take a look at the basic model of operation.
There are six steps that ransomware generally uses to accomplish its goals. (See Figure 7.)
The first step is distribution: Ransomware uses standard methods of distribution. Generally it is
spread through phishing schemes involving email attachments or downloads and installs on an
endpoint through website compromises. The old ways are still the best ways.
They’re being
targeted
They’re being
fooled
It happens
quickly
70%-90%
of malware samples are
unique to an organization.
23%
of recipients now open
phishing messages and
11% click on attachments.
50%
Nearly half open emails and
click on phishing links within
the first hour.
Figure 8. Examples of why phishing is so successful. Source: Verizon 2015 Data Breach Investigations Report.
Lest you think that this approach is old school and not effective, consider this: Almost one out
of four recipients open phishing messages and, shockingly, more than one out of 10 click on
attachments to phishing messages. In addition, nearly half of all recipients open phishing emails
11. Understanding Ransomware and Strategies to Defeat It 11
White Paper
and click on the links within the first 60 minutes of receiving the emails. Despite all the corporate
training, news articles, and public awareness, the “human operating system” is still the weakest link.
Drive-by downloads are still very effective as well. CryptoWall 3 uses compromised WordPress sites
combined with the Angler Exploit Kit to invisibly direct a user’s browser to a malicious website that
hosts an exploit kit with ransomware. Attracting victims can occur with “malvertisements,” or simply
from a legitimate site that has been compromised.
The second step is infection. The binary arrives on the user’s computer and starts the processes
it needs to complete its malicious activities. These may include quite a bit of new, sophisticated
behaviors. For example, CryptoWall 3 will do the following:
■■ Generate a unique computer identifier.
■■ Ensure “reboot survival” by installing the program to run at start-up
(through service entry, scheduled task, AutoRun key, etc.).
■■ Deactivate shadow copies, start-up repair, and Windows error recovery.
■■ Stop Windows Security Center, Windows Defender, Windows Update Service, error
reporting, and BITS.
■■ Inject itself into explorer.exe and svchost.exe.
■■ Retrieve the external IP address.
■■ Then move to Step 3.
The third step is communications. The ransomware process will talk to encryption-key servers
to retrieve the public key needed to encrypt data. CryptoWall 3, for example, connects to a
compromised WordPress site and reports its status. All control server traffic is encrypted using the
RC4 encryption algorithm.
The fourth step is file search. The ransomware process searches for files on the system in a
systematic fashion. It typically looks for files that are important to the user and cannot be easily
replicated, such as files with extensions of jpg, docx, xlsx, pptx, and pdf.
The fifth step is encryption. This is typically done through moving and renaming the targeted files,
then encrypting and renaming the files after a successful encryption.
The sixth and final step is the ransom demand, typically through taking over the screen of the
infected endpoint and demanding payment.
Figure 9. Example of a ransomware demand screen.
12. Understanding Ransomware and Strategies to Defeat It 12
White Paper
At this point, the user typically has no choice but to pay the ransom and hope for the delivery of a
usable key to unlock the files, or pursue other remediation strategies such as an image restoration of
the endpoint using a known-good snapshot.
The Latest in Ransomware Tricks
Ransomware authors have developed a number of clever tricks to make it hard to undo their work.
McAfee Labs also predicts a few techniques ransomware developers may soon employ.
■■ Name encryption: The latest versions of ransomware now encrypt names of files
along with each file’s data. Encrypted files have names made up of random numbers
and letters:
Figure 10. Encrypted filenames make finding important files just about impossible.
■■ Backup and publish: Some ransomware now claims that copies of the files have been
moved to the attackers’ servers and, if you don’t pay, they will publish the files on the
Internet.
■■ PCs, and Windows, and websites: Ransomware such as Linux.Encoder.1 will inject itself
into websites with known vulnerabilities (such as shopping cart programs) and once
on the host machine will encrypt all the files in the home directories and many of the
directories referenced by typical websites (site images, scripts, code libraries, etc.).
Predictions from McAfee Labs
■■ Delayed ransom demands: Ransomware will encrypt in the background, so that backup
and archive programs pick up the encrypted files and overwrite the backups. Once the
encryption key expires, both the data and the backups will be held hostage.
■■ Hold the network hostage: Ransomware will use worm technologies to spread
and remain dormant before initiating encryption, using networks, using shares, etc.
Combined with a Stuxnet approach, an attacker could hijack an entire network.
■■ Encryption on the fly: Ransomware will use kernel components to hook the file system
and encrypt files on the fly as they are accessed by the user to ensure maximum damage.
■■ Asymmetric encryption without the need for a centralized repository: Ransomware
authors realize that using a centralized repository for the encryption keys is a weak
13. Understanding Ransomware and Strategies to Defeat It 13
White Paper
point in their strategy because it gives an attack point for security defenses. McAfee
Labs predicts that we will see asymmetric encryption that does not use a centralized
repository.
Intel Security Malware Operations
What is Intel Security doing proactively to shift the balance in the good guys’ favor?
Intel Security malware research:
■■ Intel Security is working with law enforcement agencies on operations against a number
of ransomware families. We can’t tell you the details, but stay tuned. Here’s an example
of the kinds of things this effort involves.
■■ Cyber Threat Alliance: Intel Security is one of the founding partners of the CTA and was
heavily involved in an operation around the CryptoWall 3 ransomware family.
Figure 11. A connectivity map showing an example of ransomware research.
■■ Figure 11 illustrates an example of malware research. This connectivity map shows a
combination of data around a ransomware family. The dots and lines indicate how a
hash is associated with an IP address, which is hosted on a certain server, and the server
is based in a certain country, and the location of certain Bitcoin wallets, and how many
transactions took place with that wallet, and how the money was distributed, which
email addresses are involved, and so on. The point of this image is to illustrate the
massive complexity and spread of a single campaign. Here’s what the research team
found out:
–– The team monitored Bitcoin wallets involved from February–October 2015, and
estimated an average Bitcoin “ransomware-paid” value during this time.
–– The actor group gained $30 million through the Angler exploit kit.
–– The total amount traced was about $321 million alone paid to infections.
–– The analysis of the transactions coupled with other data resulted in evidence of
actors involved in multiple ransomware campaigns.
14. Understanding Ransomware and Strategies to Defeat It 14
White Paper
–– Read the CTA report that details how CryptoWall 3 works and indicators of
compromise.
■■ Proactive hunting: The McAfee Labs malware research team hunts with several tools
and systems explicitly for ransomware. In many cases, the team will manually analyze
ransomware samples to determine how families are related (a bit like ancestry research,
though ransomware is highly incestuous in its reuse of code). We also analyze spam and
phishing campaigns for common traits and mechanisms. The team verifies whether a
ransomware signature is up to date. For example:
–– When the team receives a ransomware sample, they also receive a notification that
a sample was submitted.
–– The team checks whether we already have this sample. If yes, we ignore the sample;
if no, the team ensures that the ransomware signature can detect the new sample,
and we categorize the sample. (What family does it belong to? Is the signature
successful at detecting it?)
■■ Analysis of behavior and spotting new indicators: This is basic analysis of new
ransomware actions. For example, if a new ransomware family control server is detected,
we pass this information to the threat intelligence team to ensure that Intel Security
protections act correctly when the new ransomware families show up on a network. The
team employs multiple approaches, including:
–– SSDeep
–– Imp-hash
–– Static analysis
–– Dynamic analysis
–– Memory analysis
–– Machine learning
Primer: Ransomware Remediation Strategies
What can you do to protect your systems and networks? Let’s take a brief look at a number
of ransomware remediation ideas. We’ll cover some basics and how they could be applied,
emphasizing steps you can take today with current technologies or as general antimalware IT
actions. (For example, an archival cloud-based backup is always a good defense against all malware.)
Understand how ransomware works.
■■ The distribution stage:
–– Build a “human firewall”: The biggest threat is users who let the ransomware on
their endpoints. People are the weakest link.
–– Stop ransomware before the endpoint: The most-proactive method of protecting
a network from ransomware attack (other than the human firewall) is to keep
ransomware from reaching the endpoint in the first place. Consider a web-filtering
technology.
–– Apply all current operating system and application patches: Many ransomware
strategies take advantage of vulnerabilities in the operating system or in
applications to infect an endpoint. Having the latest operating system and
application versions and patches will reduce the attack surface to a minimum.
–– Spam filtering and web gateway filtering: Again, the ideal approach is to keep
ransomware off the network and the endpoint. Spam filtering and web gateway
filtering are great ways to stop ransomware that tries to reach the endpoint through
malicious IPs, URLs, and email spam.
To learn more about the
role of social engineering
within cybersecurity,
read Hacking the Human
Operating System.
15. Understanding Ransomware and Strategies to Defeat It 15
White Paper
–– Allow only whitelisted items to execute: Use an “application control” method that
offers centrally administered whitelisting to block unauthorized executables on
servers, corporate desktops, and fixed-function devices, thus dramatically reducing
the attack surface for most ransomware.
–– Limit privileges for unknown processes: This can be done easily by writing rules
for host intrusion prevention systems or access protection rules.
■■ The infection stage:
–– Don’t turn on macros unless you know what’s happening: In general, do not
enable macros in documents received via email. Notice that Microsoft Office turns
off autoexecution of macros for Office documents by default. Office macros are a
popular way for ransomware to infect your machine, so if a document “asks” you to
enable macros, don’t do it.
–– Make yourself “weaker” when working: Don’t give yourself more login power than
you need. If you allow yourself administrator rights during normal usage, consider
restricting this. Surfing the web, opening applications and documents, and generally
doing a lot of work while logged in with administrative rights is very dangerous.
If you get hit with malware while you have fewer rights, you will reduce your risk
because malware will also execute with fewer rights, which will reduce the threat’s
attack surface.
–– Use access protection rules on software installs: Write access control rules
against targeted file extensions that deny writes by unapproved applications. This
complements host intrusion prevention systems rules with a similar strategy.
–– Use sandboxing for suspicious processes: If a process is flagged as suspicious (due
to low age and prevalence, for example), that process should be sent to a security
sandboxing appliance for further study.
–– Block “unapproved” processes from changing files: Block these by writing rules for
host intrusion prevention systems or access protection.
■■ The communications stage:
–– Firewall rules can block known malicious domains: Writing rules to block
malicious domains is a standard capability of network firewalls.
–– Block access to Tor: Tor is an anonymous Internet communication system based
on a distributed network. Tor is a toolset for organizations and people who want to
improve their safety and security on the Internet. Tor is also used by ransomware
to obfuscate control server communications. For organizations that do not
need access to Tor (and other anonymous Internet communication systems)
administrators should consider blocking access to these unneeded networks.
Current ransomware will stop if it can’t establish control, so blocking Tor will cause
ransomware that uses Tor to stop itself at the communications stage.
–– Proxy/gateway scanner signatures for known traffic: For those with proxy and
gateway appliances, these technologies can be configured to scan for known
ransomware control server traffic and block it. Most ransomware cannot continue
operations if it cannot retrieve the public encryption key needed for asymmetric
encryption.
■■ The encryption stage:
–– Back up and restore files locally: By creating a storage volume and running archival
differential-based file backups to that storage volume, remediation is as easy as
removing the ransomware, going back in time with the backup to a point before the
ransomware affected the files, and restoring all the affected files. This can be done
today by network administrators who could either use external storage volumes