Understanding CryptoLocker (ransomware) with a Case Study
Who Am I..?
Forensics Investigator
M.Tech (Information Security) in 2014, IIIT – Delhi
Former Intern at CIRT-India.
Interest : Any type of Cyber Forensics
Email : adarshagarwal91@gmail.com
LinkedIn : https://www.linkedin.com/in/adarshagarwal91
Disclaimer
• The entire analysis was done on an individual basis.
• The information and opinions in this presentation are mine alone and do not reflect those of my current employer.
Ransomware (CryptoLocker)
CryptoLocker a.k.a. Ransomware
• CryptoLocker is a ransomware Trojan.
• Believed to have first been posted to the Internet on 5 September 2013.
• Smart enough to travel across your network and encrypt any files located on shared network drives.
• Uses AES-256 or RSA public-key cryptography, with the private key stored only on the malware's control servers.
CryptoLocker a.k.a. Ransomware
• After encryption, it displays a message and popup offering to decrypt the data if payment is made within the stated deadline, and threatens to delete the private key if the deadline passes.
• Ransomware generally has a 48-72 hour deadline which, once passed, causes the ransom to increase or leads to key deletion.
• Most ransoms start in the $100-$500 area or 0.5 BTC to 4 BTC.
• 1 BTC = $ 430 (approx.) = 28600 INR.
Symptoms
• You suddenly cannot open normal files and get errors such as the file is corrupted or has the wrong extension.
• An alarming message has been set as your desktop background with instructions on how to pay to unlock your files.
• The program warns you that there is a countdown until the ransom increases or you will not be able to decrypt your files.
• A window has opened to a ransomware program and you cannot close it.
• You have files with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML
Symptoms
You see files similar to:
• %PUBLIC%\desktop\help_restore_files_<random text>.html
• %PUBLIC%\desktop\restore_files_<random text>.txt
• %PUBLIC%\documents\help_restore_files_<random text>.txt
• %PUBLIC%\documents\restore_files_<random text>.html
• %PUBLIC%\favorites\restore_files_<random text>.html
• %PUBLIC%\favorites\restore_files_<random text>.txt
• CryptoLocker.lnk
• HELP_TO_DECRYPT_YOUR_FILES.TXT
• HELP_TO_DECRYPT_YOUR_FILES.BMP
• HELP_TO_SAVE_FILES.bmp
• HELP_TO_SAVE_FILES.txt
• key.dat
• log.html
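The ransom-note and helper filenames listed on the two Symptoms slides are the cheapest artifact to hunt for on a suspect host or a mounted share. The Python scanner below is an added example, not part of the original deck: it walks a directory tree, flags filenames matching the patterns above (including the HOW TO DECRYPT FILES.TXT and DECRYPT_INSTRUCTIONS.HTML names from the previous slide), and counts how many directories contain a hit, because a note dropped into every folder is a stronger signal than a single file. The sample tree it builds under a temporary directory is constructed for the demonstration; every name in it is made up.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicator filenames from the Symptoms slides. The regex covers the
# help_restore_files_<random>.html / restore_files_<random>.txt family; the set
# covers the fixed names. Names are lower-cased before matching because the
# notes show up in mixed case on disk.
NOTE_PATTERN = re.compile(r"^(help_)?restore_files_[^\\/]+\.(html|txt)$")
FIXED_NAMES = {
    "how to decrypt files.txt",
    "decrypt_instructions.html",
    "cryptolocker.lnk",
    "help_to_decrypt_your_files.txt",
    "help_to_decrypt_your_files.bmp",
    "help_to_save_files.bmp",
    "help_to_save_files.txt",
    "key.dat",
    "log.html",
}


def is_ransom_artifact(name: str) -> bool:
    """True if a bare filename matches one of the slide's indicator names."""
    lower = name.lower()
    return lower in FIXED_NAMES or NOTE_PATTERN.match(lower) is not None


def scan_tree(root: str) -> dict:
    """Walk root, collect indicator files (root-relative, '/'-separated) and count
    how many directories contain at least one. Ransomware drops a note into every
    folder it encrypts, so hits spread over many directories are the real signal."""
    hits = []
    dirs_hit = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if is_ransom_artifact(fn):
                rel = os.path.relpath(os.path.join(dirpath, fn), root)
                hits.append(rel.replace(os.sep, "/"))
                dirs_hit.add(dirpath)
    return {"hits": sorted(hits), "dirs_hit": len(dirs_hit)}


def build_sample_tree() -> str:
    """Constructed sample: a fake public profile with two notes, a key.dat and
    some benign files. Everything here is made up for the demonstration."""
    root = tempfile.mkdtemp(prefix="cl_sample_")
    layout = {
        "Desktop/help_restore_files_a1b2c3.html": "<html>ransom note</html>",
        "Desktop/report.docx": "benign",
        "Documents/restore_files_zz9.txt": "ransom note",
        "Documents/notes.txt": "benign",
        "Documents/key.dat": "opaque",
        "Favorites/link.url": "benign",
    }
    for rel, body in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"{len(result['hits'])} indicator files in {result['dirs_hit']} directories")
    for h in result["hits"]:
        print("  ", h)
```

On a real image, point scan_tree at the mounted volume root instead of the sample tree, and treat a lone hit as a lead to triage rather than proof of infection; a benign log.html is not unusual, whereas restore_files_* notes in dozens of directories are.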
CryptoLocker Propagation
• Propagates via
  • Phishing emails
  • Unpatched programs
  • Compromised websites
  • Online advertising
  • Free software downloads
  • Pre-existing botnets
Dropper file paths
• The file paths that have been used by this infection and its droppers are:
  • C:\Users\<User>\AppData\Local\<random>.exe (Vista/7/8)
  • C:\Documents and Settings\<User>\Application Data\<random>.exe (XP)
  • C:\Documents and Settings\<User>\Local Application Data\<random>.exe (XP)
This ransomware can search for files in all of the folders with the following extensions and then encrypt them.
Excluded directories, filenames & extensions
Source: Sophos
Variants of CryptoLocker
• TeslaCrypt
• Cryptowall
• Torrent Locker
• CTB-Locker
• CryptoVault
• PowerShell based
• Locky
• Ransom32 ( JavaScript based)
• Petya (Encrypts MBR)
• Many many more…
In 2016 (Jan to Mid April)
Week 2 – May, 2016
• May 9th, 2016 - CryptXXX 2.0
• May 9th, 2016 - The Enigma Ransomware (Russian)
• May 10th, 2016 - The Shujin Ransomware (Chinese)
• May 11th, 2016 - GNL Locker (German Netherlands Locker)
• May 12th, 2016 - CryptoHitman (Jigsaw v2): Jigsaw → CryptoHitman with Porno extension
• May 12th, 2016 - Crypren Ransomware
• May 12th, 2016 - Mischa Ransomware (Petya variant)
• May 13th, 2016 - Offering Ransomware as a Service
• May 13th, 2016 - Decryptor for CryptXXX Version 2.0
http://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key/
http://www.bleepingcomputer.com/news/security/emsisoft-releases-decryptors-for-the-xorist-and-777-ransomware/
I'm Infected, Now What?
• Disconnect network, USB and network shares
• Determine the scope (level of compromise or encryption)
• Determine the type of infection
• Evaluate your responses
  • Restore from a recent backup
  • Decrypt your files using a 3rd-party decryptor (a very slim chance)
  • Do nothing (lose your data)
  • Negotiate / pay the ransom
Understanding CryptoLocker: Working (Source: Sophos)
Anatomy of CryptoLocker
CryptoLocker Case Study - TeslaCrypt
Generic Questions
• The initial infection vector (how the malware got on the system).
• The propagation mechanism (how the malware moves between systems, if it does that).
• The persistence mechanism (how the malware remains on the system, and survives reboots and when the user logs out).
• Artifacts (what traces the malware leaves on a system as a result of its execution) that you can look for during an examination.
Case Study : TeslaCrypt
• Malware sample extracted from malwr.com.
• All analysis was performed with open-source tools.
• Tools used
  • Volatility Framework 2.4
  • "VolDiff" (REMnux OS)
  • Regshot
  • Log2timeline (SIFT)
  • Virustotal.com
  • Process Explorer (Windows SysInternals)
Case Study : References
• [1] Zorabedian, John, "Anatomy of a ransomware attack", https://blogs.sophos.com/2015/03/03/anatomy-of-a-ransomware-attack-cryptolocker-cryptowall-and-how-to-stay-safe-infographic/ ; last accessed on Oct 25, 2015.
• [2] James, Lance & Bambenek, John, "The New Scourge of Ransomware: A Study of CryptoLocker and Its Friends", https://www.blackhat.com/us-14/archives.html#the-new-scourge-of-ransomware-a-study-of-cryptolocker-and-its-friends ; last accessed on Oct 25, 2015.
• [3] Mustaca, Sorin, "Are your IT professionals prepared for the challenges to come?", Computer Fraud & Security 2014.3 (2014): 18-20.
• [4] Allievi, Andrea et al., "Threat Spotlight: TeslaCrypt – Decrypt It Yourself", http://blogs.cisco.com/security/talos/teslacrypt ; last accessed on Oct 25, 2015.
• [5] Malwr.com (https://goo.gl/psdf5e) and Virustotal.com (https://goo.gl/D0o78x) analysis.
Prevention Measures
• Back up your files.
• Apply Windows and other software updates regularly.
• Avoid clicking untrusted e-mail links or opening unsolicited e-mail attachments.
• Disable ActiveX content in Microsoft Office applications such as Word, Excel, etc.
• Install a firewall, block Tor, and restrict specific ports.
• Disable remote desktop connections.
• Block binaries running from the %APPDATA% and %TEMP% paths.
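The last prevention bullet and the "Dropper file paths" slide describe one control from two sides: executables launched from %APPDATA%, %LOCALAPPDATA% or %TEMP% are exactly where the droppers land, so blocking, or at least alerting on, execution from those locations cuts off the common case. The Python below is an added example (not from the deck and not any vendor's product) that encodes those locations as ordered deny rules with an allow-list exception, then applies them to a constructed list of Sysmon-style process-creation events. The event contents, PIDs, user names and the OneDrive exception path are assumptions made for illustration. On Windows the enforcement itself is done with AppLocker or Software Restriction Policies; this shows the rule logic and how to triage process logs against it.

```python
import re

# Constructed Sysmon-style process-creation events (EventID 1 "Image" field).
# The path layouts come from the "Dropper file paths" slide; the specific
# names, PIDs and users are assumptions made for this example.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\notepad.exe"},
    {"pid": 4188, "image": r"C:\Users\alice\AppData\Local\qx7f2k.exe"},
    {"pid": 4201, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"pid": 4233, "image": r"C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe"},
    {"pid": 4240, "image": r"C:\Documents and Settings\bob\Application Data\rnd.exe"},
    {"pid": 4260, "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"pid": 4301, "image": r"C:\Program Files\Vendor\app.exe"},
]

# Allow rules are checked first: software that legitimately installs per-user.
# In production these would be publisher or hash rules, not bare paths. The
# OneDrive path is an assumed example of such an exception.
ALLOW_RULES = [
    ("per-user app exception",
     re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\onedrive\\onedrive\.exe$")),
]

# Ordered deny rules over a lower-cased, backslash-normalised path; first match
# wins. %TEMP% sits before the broader %APPDATA% rule so the report names the
# more specific location. The last rule covers the XP-era profile layout.
DENY_RULES = [
    ("%TEMP%", re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\")),
    ("%TEMP% (system)", re.compile(r"^c:\\windows\\temp\\")),
    ("%APPDATA% / %LOCALAPPDATA%",
     re.compile(r"^c:\\users\\[^\\]+\\appdata\\(local|locallow|roaming)\\")),
    ("Application Data (XP)",
     re.compile(r"^c:\\documents and settings\\[^\\]+\\(local settings\\)?application data\\")),
]


def normalise(path: str) -> str:
    """Lower-case and force backslashes so the rules match either slash style."""
    return path.replace("/", "\\").lower()


def evaluate_image_path(path: str) -> tuple:
    """Return ("allow", reason_or_None) or ("block", rule_label) for one executable path."""
    p = normalise(path)
    for label, rx in ALLOW_RULES:
        if rx.match(p):
            return ("allow", label)
    for label, rx in DENY_RULES:
        if rx.match(p):
            return ("block", label)
    return ("allow", None)


def triage_events(events: list) -> list:
    """Apply the policy to process-creation events; return those that would be blocked."""
    blocked = []
    for ev in events:
        verdict, rule = evaluate_image_path(ev["image"])
        if verdict == "block":
            blocked.append({"pid": ev["pid"], "image": ev["image"], "rule": rule})
    return blocked


if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(f"BLOCK pid={hit['pid']} rule={hit['rule']} image={hit['image']}")
```

Run in audit mode first: feed a day of real process-creation events through triage_events and review what it would have blocked, because some per-user installers (browsers, chat clients, updaters) live under %LOCALAPPDATA% and need an exception before the rule is enforced.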
"I am your enemy, the first one you've ever had who was smarter than you. There is no teacher but the enemy. No one but the enemy will tell you what the enemy is going to do. No one but the enemy will ever teach you how to destroy and conquer. Only the enemy shows you where you are weak. Only the enemy tells you where he is strong. And the rules of the game are what you can do to him and what you can stop him from doing to you. I am your enemy from now on. From now on I am your teacher."
Source: Ender's Game
Conclusion
References
• Lots of googling
• Trend Micro blog
• Sophos
• Kaspersky blog
• US-CERT
• http://www.bleepingcomputer.com/
• http://www.infoworld.com/
• https://blog.knowbe4.com/
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

Cryptolocker

2. Who Am I..?
Forensics Investigator
M.Tech (Information Security) in 2014, IIIT – Delhi
Former Intern at CIRT-India.
Interest : Any type of Cyber Forensics
Email : adarshagarwal91@gmail.com
LinkedIn : https://www.linkedin.com/in/adarshagarwal91

3. Disclaimer
• Entire analysis is done on individual basis.
• The information in this presentation and opinion are mine alone and do not reflect those of my current employer.
18. CryptoLocker a.k.a Ransomware
• CryptoLocker is a ransomware Trojan.
• Believed to have first been posted to the Internet on 5 September 2013.
• Smart enough to travel across your network and encrypt any files located on shared network drives.
• Uses AES-256 or RSA public-key cryptography, with the private key stored only on the malware's control servers.

19. CryptoLocker a.k.a Ransomware
• After encryption, displays a message and popup which offers to decrypt the data if payment is made within the stated deadline, and threatens to delete the private key if the deadline passes.
• Ransomware generally has a 48-72 hour deadline which, once passed, causes the ransom to increase or leads to key deletion.
• Most ransoms start in the $100-$500 area or 0.5 BTC to 4 BTC.
• 1 BTC = $ 430 (approx.) = 28600 INR.

20. Symptoms
• You suddenly cannot open normal files and get errors such as the file is corrupted or has the wrong extension.
• An alarming message has been set as your desktop background with instructions on how to pay to unlock your files.
• The program warns you that there is a countdown until the ransom increases or you will not be able to decrypt your files.
• A window has opened to a ransomware program and you cannot close it.
• You have files with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML

21. Symptoms
You see files similar to:
• %PUBLIC%\desktop\help_restore_files_<random text>.html
• %PUBLIC%\desktop\restore_files_<random text>.txt
• %PUBLIC%\documents\help_restore_files_<random text>.txt
• %PUBLIC%\documents\restore_files_<random text>.html
• %PUBLIC%\favorites\restore_files_<random text>.html
• %PUBLIC%\favorites\restore_files_<random text>.txt
• CryptoLocker.lnk
• HELP_TO_DECRYPT_YOUR_FILES.TXT
• HELP_TO_DECRYPT_YOUR_FILES.BMP
• HELP_TO_SAVE_FILES.bmp
• HELP_TO_SAVE_FILES.txt
• key.dat
• log.html
28. CryptoLocker Propagation
Propagates via:
• phishing emails
• unpatched programs
• compromised websites
• online advertising
• free software downloads
• prior existing botnets

29. Dropper file paths
The file paths that have been used by this infection and its droppers are:
• C:\Users\<User>\AppData\Local\<random>.exe (Vista/7/8)
• C:\Documents and Settings\<User>\Application Data\<random>.exe (XP)
• C:\Documents and Settings\<User>\Local Application Data\<random>.exe (XP)

30. This ransomware can search every folder for files with the following extensions and then encrypt them.

31. Excluded directories, filenames & extensions
Source: Sophos

32. Variants of CryptoLocker
• TeslaCrypt
• Cryptowall
• Torrent Locker
• CTB-Locker
• CryptoVault
• PowerShell based
• Locky
• Ransom32 (JavaScript based)
• Petya (encrypts the MBR)
• Many many more…
34. In 2016 (Jan to Mid April)

35. Week 2 – May, 2016
• May 9th 2016 - CryptXXX 2.0
• May 9th 2016 - The Enigma Ransomware (Russian)
• May 10th, 2016 - The Shujin Ransomware (Chinese)
• May 11th, 2016 - GNL Locker (German Netherlands Locker)
• May 12th, 2016 - CryptoHitman (Jigsaw v2)
• May 12th, 2016 - Crypren Ransomware
• May 12th, 2016 - Mischa Ransomware (Petya variant)
• May 13th, 2016 - Offering Ransomware as a Service
• May 13th, 2016 - Decryptor for CryptXXX Version 2.0

36. May 9th 2016 - CryptXXX 2.0

37. May 9th 2016 - The Enigma Ransomware (Russian)

38. May 10th, 2016 - The Shujin Ransomware (Chinese)

39. May 11th, 2016 - GNL Locker (German Netherlands Locker)

40. May 12th, 2016 - CryptoHitman

41. Jigsaw → CryptoHitman with Porno Extension

42. Jigsaw → CryptoHitman with Porno Extension

43. May 12th, 2016 - Crypren Ransomware

44. May 12th, 2016 - Mischa Ransomware (Petya variant)

45. May 13th, 2016 - Offering Ransomware as a Service

46. May 13th, 2016 - Decryptor for CryptXXX Version 2.0
50. I'm Infected, Now What?
• Disconnect the network, USB devices and network shares
• Determine the scope (level of compromise or encryption)
• Determine the type of infection
• Evaluate your responses:
  • Restore from a recent backup
  • Decrypt your files using a 3rd-party decryptor (a very slim chance)
  • Do nothing (lose your data)
  • Negotiate / pay the ransom
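A triage scanner for the Symptoms slides and the "determine the scope / type of infection" steps above, written as an added example (not code from the deck or its author): it walks a directory tree for the ransom-note filenames listed on the Symptoms slides and flags documents whose leading bytes are near-random, which is what an encrypted copy looks like. The sample tree, the 7.5 bits/byte threshold and the document-extension set are constructed assumptions.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Note filenames from the "Symptoms" slides; "<random text>" becomes a wildcard.
NOTE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^(help_)?restore_files_.*\.(html|txt)$", r"^HELP_TO_(DECRYPT_YOUR|SAVE)_FILES\.(TXT|BMP)$",
    r"^HOW TO DECRYPT FILES\.TXT$", r"^DECRYPT_INSTRUCTIONS\.HTML$",
    r"^CryptoLocker\.lnk$", r"^(key\.dat|log\.html)$")]
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".txt"}  # assumed set

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def is_ransom_note(name: str) -> bool:
    return any(p.match(name) for p in NOTE_PATTERNS)

def scan(root: str, sample: int = 4096) -> dict:
    """Collect ransom notes and documents whose first bytes look encrypted (>= 7.5 bits/byte)."""
    notes, suspect = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_ransom_note(name):
                notes.append(path)
            elif os.path.splitext(name)[1].lower() in DOC_EXTS:
                with open(path, "rb") as fh:
                    head = fh.read(sample)
                if len(head) >= 256 and shannon_entropy(head) >= 7.5:  # tiny files skipped
                    suspect.append(path)
    return {"ransom_notes": sorted(notes), "high_entropy_docs": sorted(suspect)}

def demo() -> dict:
    """Constructed sample tree: one clean file, a byte-ramp stand-in for an encrypted file, two notes."""
    root = tempfile.mkdtemp()
    files = {
        "Users/alice/Documents/notes.txt": b"Q3 budget draft, see spreadsheet.\n" * 40,
        "Users/alice/Documents/budget.xlsx": bytes(range(256)) * 16,  # maximal entropy
        "Users/Public/Desktop/help_restore_files_k3x9.html": b"<html>pay</html>",
        "HELP_TO_DECRYPT_YOUR_FILES.TXT": b"your files are encrypted",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in scan(root).items()}
```

Run against a mounted image or a share rather than the live host when triaging, and treat a high-entropy hit on a compressed format (jpg, docx are zip containers) as a prompt to open the file, not as proof on its own.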
59. Generic Questions
• The initial infection vector (how the malware got on the system).
• The propagation mechanism (how the malware moves between systems, if it does that).
• The persistence mechanism (how the malware remains on the system, and survives reboots and user logouts).
• Artifacts (what traces the malware leaves on a system as a result of its execution) that you can look for during an examination.

60. Case Study : TeslaCrypt
• Malware sample extracted from malwr.com.
• Used only open-source tools to perform the analysis.
• Tools used:
  • Volatility Framework 2.4
  • "VolDiff" (REMnux OS)
  • Regshot
  • Log2timeline (SIFT)
  • Virustotal.com
  • Process Explorer (Windows SysInternals)
62. Case Study : References
• [1] Zorabedian, John, "Anatomy of a ransomware attack", https://blogs.sophos.com/2015/03/03/anatomy-of-a-ransomware-attack-cryptolocker-cryptowall-and-how-to-stay-safe-infographic/; last accessed Oct 25, 2015.
• [2] James, Lance & Bambenek, John, "The New Scourge of Ransomware: A Study of CryptoLocker and Its Friends", https://www.blackhat.com/us-14/archives.html#the-new-scourge-of-ransomware-a-study-of-cryptolocker-and-its-friends; last accessed Oct 25, 2015.
• [3] Mustaca, Sorin, "Are your IT professionals prepared for the challenges to come?", Computer Fraud & Security 2014.3 (2014): 18-20.
• [4] Allievi, Andrea et al., "Threat Spotlight: TeslaCrypt – Decrypt It Yourself", http://blogs.cisco.com/security/talos/teslacrypt; last accessed Oct 25, 2015.
• [5] Malwr.com (https://goo.gl/psdf5e) and Virustotal.com (https://goo.gl/D0o78x) analysis.

63. Prevention Measures
• Back up your files.
• Apply Windows and other software updates regularly.
• Avoid clicking untrusted e-mail links or opening unsolicited e-mail attachments.
• Disable ActiveX content in Microsoft Office applications such as Word, Excel etc.
• Install a firewall, block Tor, and restrict specific ports.
• Disable remote desktop connections.
• Block binaries running from %APPDATA% and %TEMP% paths.

64. Conclusion
"I am your enemy, the first one you've ever had who was smarter than you. There is no teacher but the enemy. No one but the enemy will tell you what the enemy is going to do. No one but the enemy will ever teach you how to destroy and conquer. Only the enemy shows you where you are weak. Only the enemy tells you where he is strong. And the rules of the game are what you can do to him and what you can stop him from doing to you. I am your enemy from now on. From now on I am your teacher."
Source : Ender's Game

65. References
• Lots of googling
• Trendmicro blog
• Sophos
• Kaspersky Blog
• US – CERT
• http://www.bleepingcomputer.com/
• http://www.infoworld.com/
• https://blog.knowbe4.com/