Ransomware - malicious software used by hackers to block access to a computer system until a ransom is paid. The attackers contact the user with ransom demands, and most request payment in Bitcoin (a crypto-currency). Even if you pay the ransom, the attackers may not deliver the key to decrypt your files.
As ransomware attacks continue to grow in number and sophistication, individual PC users and organizations should reassess their current security strategy. There is a common misconception that adding layers of automated defence technologies will reduce the risk of falling victim to ransomware attacks. While endpoint security products and secure email gateways can offer some level of protection, sooner or later a phishing email, which is the most widely used attack vector, will penetrate the defences, and users will be faced with determining whether an email is legitimate or part of an attack.
5. Ransomware
• A type of malware that restricts access to the infected computer system in some way and demands that the user pay a ransom to the malware operators to remove the restriction.
• Some of the malicious actions by the malware:
  - Encrypt personal files (images, movie files, documents, text files)
  - Encrypt files on shared network drives/resources
  - Lock system access using the login
  - Crash the system through resource use, e.g. spawning processes
  - Disrupt and annoy: open browser windows, display pornographic images
9. Ransom Evolves: Learning New Tricks
• Using the TOR network to hide C&C
• Bitcoin is the default payment method
• Mobile and cloud-based ransomware
• Increasingly difficult to detect and shut down ransomware
• Harder for law enforcement to trace
• Near impossible to decrypt without paying
10. Onion Routing (Tor)
• By Paul Syverson, Nick Mathewson, Roger Dingledine in 2004
• Low-latency anonymous network
• Maintained by the Free Haven Project
• Hundreds of nodes on all continents
• Supports only TCP
• Uses a SOCKS interface
• Continuously encrypts data across the network
• Data begins in the outermost layer of encryption and is modified at each individual stop
11. How Tor Works - Onion Routing
• A circuit is built incrementally, one hop at a time
• Onion-like encryption
• "Alice" negotiates an AES key with each router
• Messages are divided into equal-sized cells
• Each router knows only its predecessor and successor
• Only the exit router (OR3) can see the message; however, it does not know where the message is from
[Circuit diagram: Alice - OR1 - OR2 - OR3 - Bob; message M carried in cells C1, C2, C3 with one encryption layer removed at each router; not reproduced]
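The circuit on slides 10 and 11 as an added, runnable model (this is not code from the deck or from Tor): Alice holds one key per onion router, wraps the cell in three layers, and each router strips only its own layer, so only the exit router OR3 can read the message. An HMAC-SHA256 counter keystream stands in for the negotiated AES key so it runs on the Python standard library alone; the keys, nonce and cell size are constructed assumptions.

```python
import hashlib
import hmac

CELL_SIZE = 64  # fixed cell size assumed for this example (real Tor cells are larger)

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, standing in for the AES key negotiated with each router."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def apply_layer(key: bytes, nonce: bytes, cell: bytes) -> bytes:
    """Add or strip one encryption layer; XOR with the same keystream is its own inverse (as in AES-CTR)."""
    return bytes(a ^ b for a, b in zip(cell, keystream(key, nonce, len(cell))))

def to_cell(message: bytes) -> bytes:
    """Pad the message into one fixed-size cell with a 2-byte length prefix."""
    if len(message) > CELL_SIZE - 2:
        raise ValueError("message does not fit in one cell")
    return len(message).to_bytes(2, "big") + message.ljust(CELL_SIZE - 2, b"\x00")

def from_cell(cell: bytes) -> bytes:
    """Recover the message from a fully unwrapped cell."""
    return cell[2:2 + int.from_bytes(cell[:2], "big")]

def build_onion(message: bytes, hop_keys: list, nonce: bytes) -> bytes:
    """Alice wraps the cell from the exit inward: OR3's layer goes on first, OR1's is outermost."""
    cell = to_cell(message)
    for key in reversed(hop_keys):
        cell = apply_layer(key, nonce, cell)
    return cell

def relay_circuit(cell: bytes, hop_keys: list, nonce: bytes):
    """Forward the cell hop by hop: each router strips only its own layer.
    Returns the plaintext seen at the exit and what each router observed."""
    views = []
    for key in hop_keys:
        cell = apply_layer(key, nonce, cell)
        views.append(cell)
    return from_cell(cell), views

def demo():
    """Constructed per-hop keys and nonce; in Tor they come from the Diffie-Hellman handshake with each OR."""
    hop_keys = [hashlib.sha256(b"OR%d" % i).digest() for i in (1, 2, 3)]
    nonce = b"constructed-nonce"
    plaintext, views = relay_circuit(build_onion(b"hello Bob", hop_keys, nonce), hop_keys, nonce)
    return plaintext, [b"hello Bob" in view for view in views]  # only the exit router's view is readable
```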
12. Ransomware: Operation with ToR
[Numbered step diagram not reproduced]
• Uses Diffie-Hellman key exchange
• Distributes data over several places
• Takes a random pathway
• Used with Privoxy
14. What is Bitcoin
Bitcoin is a digital currency introduced in 2008 by the pseudonymous developer "Satoshi Nakamoto" that can be exchanged for goods and services.
Digital: Bitcoins cannot be printed or physically made. They must be generated through computerized methods.
Decentralized: Bitcoins are not regulated by any government or banking institution.
Revolutionary: Transactions allow for anonymity and are almost instantaneous.
Global: Bitcoin is a borderless currency and can be used anywhere.
15. Bitcoin Wallet
• Bitcoins are stored in your digital wallet.
• When you transfer Bitcoins, an electronic signature is added. After a few minutes the transaction is verified and stored in the network.
17. CryptoLocker
▪ Email attachment is the main method of infection
▪ Targets all versions of Windows
▪ Searches for files with certain extensions: doc, docx, wps, xls, xlsx, ppt, pptx, mdb, pst, rtf, pdf, eps, jpg, dng, psd, raw, cer, crt, pfx, …
▪ Encrypts files with a 2048-bit RSA key pair
▪ Paying the ransom results in decryption of the files
▪ No way to decrypt the files without the private key
▪ Ransomware done right!
18. CryptoLocker Details
Some email subject lines related to CryptoLocker:
▪ USPS - Missed package delivery
▪ FW: Invoice <random numbers>
▪ ADP Reference #<random numbers>
▪ Payroll Received by Intuit
▪ Important - attached form
▪ FW: Last Month Remit
▪ Scanned Image from a Xerox WorkCentre
▪ Fwd: IMG01041_6706015_m.zip
▪ My resume
▪ Voice Message from Unknown Caller (<phone number>)
▪ Important - New Outlook Settings
▪ FW: Payment Advice - Advice Ref:[GB<random numbers>]
▪ New contract agreement
▪ Important Notice - Incoming Money Transfer
▪ Payment Overdue - Please respond
▪ FW: Check copy
▪ Corporate eFax message from <phone number>
▪ FW: Case FH74D23GST58NQS
Most of the subject lines target SMBs who might not have recent backups and who might need their files badly enough to pay.
19. Method of Execution
• Drops an executable in the user's %AppData% and %LocalAppData% folders
• Creates registry keys to maintain persistence
• Searches for specific file types
• Performs encryption
• Deletes Volume Shadow Copies
• Displays the ransom note
20. CryptoLocker Analysis
- Drops a copy of itself in %APPDATA%\{random}.exe
- It creates the following autorun key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "CryptoLocker":<random>.exe
- It creates two processes of itself; the other acts as a watchdog.
Later versions of CryptoLocker create an additional registry entry:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker":<random>.exe
21. CryptoLocker Analysis
• It searches all local and remote drives for files to encrypt.
• All files that are encrypted are also recorded in the following registry key:
HKEY_CURRENT_USER\Software\CryptoLocker\Files
The only way to decrypt is to buy the private key from the attackers.
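Added example (not part of the deck or of any CryptoLocker tooling): a small hunt over a registry export for the persistence artifacts that slides 20 and 21 list. The .reg text, user name, file paths and executable name are constructed; only the key and value names come from the slides. The AppData check is deliberately low severity, since plenty of legitimate software also autoruns from there.

```python
import re

# Constructed .reg-style export: one benign Run entry, the CryptoLocker Run and
# RunOnce values from slide 20, and the Files record key from slide 21.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"CryptoLocker"="C:\\Users\\alice\\AppData\\Roaming\\qwkdjhsa.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*CryptoLocker"="C:\\Users\\alice\\AppData\\Roaming\\qwkdjhsa.exe"

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:\\Users\\alice\\Documents\\budget.xlsx"=dword:00000000
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
AUTORUN_SUFFIXES = (r"\microsoft\windows\currentversion\run", r"\microsoft\windows\currentversion\runonce")
RECORD_KEY = r"hkey_current_user\software\cryptolocker"  # slide 21's file record key

def normalize_key(key: str) -> str:
    """Expand the HKCU shorthand and lowercase so comparisons are case-insensitive."""
    if key.upper().startswith("HKCU\\"):
        key = "HKEY_CURRENT_USER\\" + key[5:]
    return key.lower()

def hunt_cryptolocker(reg_text: str) -> list:
    """Return (severity, key, value_name, reason) tuples for the indicators on slides 20-21."""
    findings = []
    current = ""
    for line in (raw.strip() for raw in reg_text.splitlines()):
        key_match = KEY_RE.match(line)
        if key_match:
            current = normalize_key(key_match.group(1))
            if current.startswith(RECORD_KEY):
                findings.append(("high", current, None, "CryptoLocker record key present"))
            continue
        value_match = VALUE_RE.match(line)
        if not value_match or not current.endswith(AUTORUN_SUFFIXES):
            continue  # only Run/RunOnce values matter here
        name, data = value_match.groups()
        if name.lstrip("*").lower() == "cryptolocker":  # "CryptoLocker" and "*CryptoLocker" from slide 20
            findings.append(("high", current, name, "autorun value named CryptoLocker"))
        elif "\\appdata\\" in data.lower():
            # Many legitimate apps also autorun from AppData, so this alone only merits a look.
            findings.append(("info", current, name, "autorun launches from AppData; review"))
    return findings
```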
22. CryptoLocker C&C
• Domain Generation Algorithm
It uses any of the following TLDs for every generated domain:
.com, .net, .biz, .ru, .org, .co.uk, .info
• Encrypt files with the public key flow
[Numbered C&C flow diagram (steps 1-6) not reproduced]
26. Cryptolocker 2.0
                  Original CryptoLocker              CryptoLocker 2.0
Compiler          C++                                .NET
Encryption        RSA-2048                           RSA-4096
C&C servers       Employs DGA                        No DGA
Payment scheme    MoneyPak, Ukash, cashU, Bitcoin    Bitcoin only
Around December 2013, a new ransomware emerged claiming to be Cryptolocker 2.0.
It drops a copy of itself in %system% as msunet.exe.
28. Predictions for 2016
• Ransomware will continue to be a challenge in 2016
• Encrypting ransomware samples will also have data theft capability
• Targeting Android and iOS platforms
• They are expected to become highly targeted in nature
• They will use extortion tactics with threats to make stolen data public
• It is highly advised to implement backup policies and processes with high-end encryption
29. How to Protect Your Computer
Security Software – Ensure the personal firewall and anti-malware software are working properly and up-to-date
Patch Management – Update all applications with the latest security patches
Least Privilege Access – Do not use the administrator account for everyday use or while surfing the Internet
Computer Hardening – Configure the operating system, browser, wireless AP, and router to make them more secure
Online Security – Choose strong, unique passphrases for online accounts and enter them securely
Content Filtering – Use web, email, and IM filtering as well as a link checker to block unwanted and malicious content
Asset Protection – Encrypt and regularly back up your important documents and files
30. Follow Best Security Practices
• Do not open and execute attachments received from unknown senders. Cybercriminals use "social engineering" techniques to lure users into opening attachments or clicking on links containing malware.
• Use strong passwords for login accounts and network shares.
• Avoid downloading software from untrusted P2P or torrent sites. At times, it is Trojanized with malicious software.
• Do not download cracked software, as it carries the added risk of opening a backdoor for malware into your system.
• Ensure staff are educated in good computing practices.