Ransomware: Emergence of the Cyber-Extortion Menace
1. Security Research Institute
Edith Cowan University
Ransomware
Emergence of the
Cyber-Extortion Menace
Nikolai Hampton (1) and Zubair A. Baig (1, 2)
(1) School of Computer and Security Science,
(2) Security Research Institute
Edith Cowan University
Perth, Australia
nikolaih@our.ecu.edu.au, z.baig@ecu.edu.au
December, 2015
Ransomware – What is it?
Ransomware: (noun)…
“Ransomware is a type of malware that
prevents or limits users from accessing
their system. This type of malware forces
its victims to pay the ransom through
certain online payment methods in order
to grant access to their systems, or to get
their data back.” (TrendMicro, n.d.)
Some history
• PC CYBORG (AIDS) Ransomware
emerged in 1989. Distributed on floppy
disks…
Source: https://commons.wikimedia.org/wiki/File:Floppy_disk_2009_G1.jpg
Anyone remember these?
Some history
• PC CYBORG (AIDS Disk)
– Emerged in 1989. Distributed on floppy disks
– Installed from Trojan software
– Lay dormant to allow time for propagation
– Used basic encryption and operating system
quirks to “scramble” and hide files
– Demanded a “License Payment” to be sent via
cheque to a post office box in Panama
Some history
• PC CYBORG (AIDS) - 1989
– Not very successful
– Technology was lagging behind the idea
Some history
• Malware continued to develop
1990s – 2000s
– Identity theft
– Phishing scams, stealing passwords
– Bot Nets – Networks of compromised PCs
– Adware
…but where was ransomware?
Some history
Where was ransomware in the 1990s-2000s?
• A very small percentage of malware!
– Too complicated: how do you collect the money?
– Too risky: how do you stay hidden?
– Too weak: how do you “deny service” on a PC you don’t control?
• Occasional “fake” ransom or fake anti-virus, easily defeated / removed
• Occasional “locker” that hijacked the boot process, easily defeated / removed
(CC) BitDefender España (2010)
Source: https://www.flickr.com/photos/bitdefenderes/4292753852
Source: http://www.acma.gov.au/~/media/mediacomms/Social%20Media/Images/Ransomware%20Screenshot%20jpg.jpg
Australian Communications and Media Authority (2013)
Why is it important now?
• In 2010, something changed…
Google search trends “ransomware” searches
2008 to 2015
• In 2012, something changed, a lot!
Reality Check - Perspective
Google search trends “ransomware” searches
2008 to 2015
Google search trends “ransomware” searches
vs “malware” searches 2008 to 2015
Why is it important now?
• Technology has caught up to the idea!
Step 1: Idea! Ransom money from people!
Step 2: Use technology to enable the idea!
Step 3: Profit…
Image: Jodi Meadows (2011), Flickr
https://www.flickr.com/photos/69585952@N00/
The perfect storm
• Technology has caught up to the idea!
– CTB Locker: Curve, TOR, Bitcoin
Curve: strong (elliptic-curve) encryption
TOR: anonymity for command and control
Bitcoin: pseudonymous, hard-to-trace payments
So, here we are – our research
Ransomware
Emergence of the Cyber-Extortion Menace
Aim
• Understand the ransomware threat…
• Lay the foundation for extrapolating
future ransomware development
• Focus on the ransomware payload
separately from the dropper
• Extend existing research and ideas
Young, A., & Yung, M. (1996).
Cryptovirology: Extortion-Based Security Threats and Countermeasures.
What we did…
• Propose a nomenclature for ransomware “traits”
• Record the history and traits of ransomware strains
over time
• Develop a ransomware traits database
• Chart the inclusion / exclusion of traits over time
• Examine which traits have conferred benefits
– Impact
– Longevity
– Profitability (for the attackers)
Results
• Increasing use of security technology over time…
[Chart: “Ransomware strains surveyed and use of new technologies”. X-axis periods: < 2004, 2004-2005, 2006-2007, 2008-2009, 2010-2011, 2012-2013, 2014+. Y-axis: 0 to 14. Series: # of strains surveyed, Bitcoin uptake, TOR uptake.]
Evolution of GPCode’s encryption
• GPCode (2004)
– One-byte encryption key, trivially recovered (a known-plaintext attack needs only a file’s magic number)
– Electronic payments
• GPCode.ac (June 2005)
– Implemented RSA public-key cryptography
– Very weak key: a 56-bit RSA modulus, which factors instantly (the authors rate it at roughly 7-bit symmetric strength)
• GPCode.ad (April 2006)
– Longer RSA keys, but still a poor implementation
• GPCode.ag (June 2006)
– Finally a serious RSA key (660 bits, roughly 60-bit symmetric strength)
– Still cracked by Kaspersky, probably through a coding error in .ag rather than by factoring
• GPCode.ak (June 2008)
– Properly implemented 1024-bit RSA key
– Failed because of the file cipher: RC4, which was vulnerable to cryptanalysis as used
• GPCode.ax (December 2010), a copycat…
– Unbreakable encryption…
– …but it can still be stopped (it has other flaws)
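The three failure modes on this slide, reconstructed as an added illustration (this is not GPCode’s code, and the key sizes are toy-scale): a one-byte key recovered from a file’s magic number, a hybrid RSA-plus-stream-cipher scheme broken by factoring a deliberately tiny modulus, and one session key reused across every file, so a single known file strips the RC4 keystream from all the others. The primes, the 3-byte session key and the sample file contents are all constructed here; the slide does not say whether GPCode.ak’s RC4 flaw was exactly keystream reuse, so treat part 3 as the generic stream-cipher failure mode rather than a claim about that strain.

```python
"""Toy reconstruction of three ways early crypto-ransomware keying failed.

Added example, not GPCode's code. All primes, keys and file contents are
constructed; the RSA modulus is deliberately tiny so trial division factors it.
"""
from math import isqrt


# --- 1. One-byte key (the GPCode 2004 design): known-plaintext attack -------

def xor_with_byte(data: bytes, key: int) -> bytes:
    """'Encrypt' every byte with the same single-byte key."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(ciphertext: bytes, known_prefix: bytes) -> int:
    """Most file types start with a fixed magic number (b'%PDF', 'PK' for zip
    and Office files), so one ciphertext byte reveals the key and the rest of
    the prefix confirms it. Returns -1 if the prefix bytes disagree."""
    candidates = {c ^ p for c, p in zip(ciphertext, known_prefix)}
    return candidates.pop() if len(candidates) == 1 else -1


# --- 2. Hybrid scheme with a tiny RSA modulus (the GPCode.ac design) ---------

def rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA. (n, e) ships inside the malware; d stays with the attacker."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)

def rsa_encrypt(pub: tuple, m: int) -> int:
    n, e = pub
    return pow(m, e, n)

def rsa_decrypt(d: int, n: int, c: int) -> int:
    return pow(c, d, n)

def factor_modulus(n: int) -> tuple:
    """Trial division is enough for the 32-bit toy modulus used here; a real
    56-bit modulus falls to Pollard's rho or any CAS in well under a second."""
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")

def private_exponent_from_public(n: int, e: int) -> int:
    """Once n is factored, the attacker's private exponent is fully recovered."""
    p, q = factor_modulus(n)
    return pow(e, -1, (p - 1) * (q - 1))


# --- 3. One RC4 keystream for every file: a known file unlocks the rest ------

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); encryption and decryption are the same call."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def recover_via_keystream_reuse(known_plain: bytes, known_cipher: bytes,
                                target_cipher: bytes) -> bytes:
    """Same key for every file means the same keystream for every file:
    plaintext XOR ciphertext of one known file (a stock system file, or one the
    victim still has a copy of) yields the keystream, which then strips the
    encryption from any other file up to that length."""
    keystream = bytes(p ^ c for p, c in zip(known_plain, known_cipher))
    return bytes(c ^ k for c, k in zip(target_cipher, keystream))


def demo() -> dict:
    """Run all three breaks against constructed sample files."""
    pdf = b"%PDF-1.4 constructed sample document body"
    zipdoc = b"PK\x03\x04 constructed sample spreadsheet body"

    # 1. Single-byte key recovered from the PDF magic number alone.
    key_guess = recover_single_byte_key(xor_with_byte(pdf, 0x5A), b"%PDF")

    # 2. Factor the toy modulus, rebuild d, unwrap the session key.
    pub, d = rsa_keypair(65521, 65537)      # two known primes either side of 2**16
    session_key = b"\x13\x37\x42"           # 3 bytes so it sits below the toy modulus
    wrapped = rsa_encrypt(pub, int.from_bytes(session_key, "big"))
    d_recovered = private_exponent_from_public(*pub)
    unwrapped = rsa_decrypt(d_recovered, pub[0], wrapped).to_bytes(3, "big")

    # 3. Both files encrypted under the same session key; the PDF is "known".
    c_pdf, c_zip = rc4(session_key, pdf), rc4(session_key, zipdoc)
    zip_recovered = recover_via_keystream_reuse(pdf, c_pdf, c_zip)

    return {"single_byte_key": key_guess, "private_exponent_matches": d_recovered == d,
            "session_key": unwrapped, "zip_recovered": zip_recovered}


if __name__ == "__main__":
    print(demo())
```

The fix for all three is the hybrid design the later strains converged on: a per-victim key pair generated off-host so there is nothing to factor locally, and a fresh symmetric key (with a proper mode, not a raw stream cipher) per file.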
Evolution of Command and Control
• GPCode (2004)
– No C&C (C2) server; the malware simply “did its thing”
– Victim contacts the malware author by email for the unlock code
• Reveton (2012)
– Doesn’t encrypt, but uses a C2 server to issue the ‘unlock’
• CryptoLocker (2013)
– Uses a C2 server to retrieve a per-victim RSA public key, so the private key never touches the infected machine
– Pseudo-random “Domain Generation Algorithm” (DGA) to avoid easy takedowns
(contacts algorithmically generated domains such as xxgrradvvzcfyx.biz)
• CryptoWall (2014)
– Uses a C2 server on TOR, a hidden and anonymous network!
– Improved DGA to make takedown even harder
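The DGA mechanism and its counter, as an added example (this is not CryptoLocker’s or CryptoWall’s actual algorithm; the secret, the daily schedule, the domain count and the DNS log lines are all constructed): generate the day’s candidate C2 names from a hash chain, pre-compute them the way a defender who has reversed the algorithm would for sinkholing, and run a cheap vowel-ratio / consonant-run heuristic over sample DNS log lines to pick out DGA-looking names such as xxgrradvvzcfyx.biz.

```python
"""Constructed date-seeded DGA, the defender's pre-computation, and a
triage heuristic for DGA-looking names in DNS logs.

Added example; not CryptoLocker's or CryptoWall's real algorithm (their seeds,
alphabets and TLD lists differ). SECRET and SAMPLE_DNS_LOG are constructed.
"""
import datetime
import hashlib

SECRET = b"constructed-seed"        # in the real case, recovered from a sample
VOWELS = set("aeiou")

# Constructed DNS log: timestamp, client, record type, queried name.
SAMPLE_DNS_LOG = [
    "2015-12-01T09:00:01 10.0.0.5 A www.ecu.edu.au",
    "2015-12-01T09:00:03 10.0.0.5 A xxgrradvvzcfyx.biz",
    "2015-12-01T09:00:03 10.0.0.5 A qwzrtpklmvbn.com",
    "2015-12-01T09:00:07 10.0.0.5 A update.microsoft.com",
]


def generate_domains(day_iso: str, count: int = 8, tld: str = "biz") -> list:
    """Hypothetical DGA: a hash chain over (SECRET, YYYY-MM-DD) yields the day's
    candidate C2 names. The malware tries them in order; the operator registers
    just one ahead of time, and a takedown of that name is moot the next day."""
    state = hashlib.sha256(SECRET + day_iso.encode()).digest()
    domains = []
    for _ in range(count):
        state = hashlib.sha256(state).digest()
        length = 10 + state[0] % 6                          # 10 to 15 letters
        label = "".join(chr(ord("a") + b % 26) for b in state[1:1 + length])
        domains.append(f"{label}.{tld}")
    return domains


def precompute_for_sinkhole(start_iso: str, days: int) -> set:
    """Defender's side: once the algorithm and SECRET are pulled out of a sample,
    every name the malware will try in the coming days can be enumerated and
    registered or sinkholed first. This is what reversing a DGA buys you."""
    start = datetime.date.fromisoformat(start_iso)
    return {d for i in range(days)
            for d in generate_domains((start + datetime.timedelta(days=i)).isoformat())}


def longest_consonant_run(label: str) -> int:
    run = best = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_generated(domain: str) -> bool:
    """Cheap triage heuristic: random-letter labels have few vowels and long
    consonant runs. Uses the label left of the TLD, which mishandles suffixes
    such as .edu.au (use a public-suffix list in production), and it will
    false-positive on words like 'strengths': a filter for analysts, not a verdict."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]
    if len(label) < 8 or not label.isalpha():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return vowel_ratio < 0.25 or longest_consonant_run(label) >= 4


def triage(log_lines: list) -> list:
    """Return the queried names in a DNS log that look algorithmically generated."""
    return [line.split()[-1] for line in log_lines if looks_generated(line.split()[-1])]


if __name__ == "__main__":
    print(generate_domains("2015-12-01"))
    print(sorted(precompute_for_sinkhole("2015-12-01", 3)))
    print(triage(SAMPLE_DNS_LOG))
```

Note what the TOR move on the next bullet changes: a .onion C2 address needs no registrable domain at all, so the pre-registration race that makes `precompute_for_sinkhole` useful stops being available to defenders.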
What does it mean?
• Ransomware is evolving
• Responding to new defences
• Profit
Virus Image CC BY 2.0
Flickr: NIAID
https://www.flickr.com/photos/niaid/
Breaking broken news
• CryptoWall 4.0
– New traits (filename scrambling: encrypted files get random names, so victims can’t even tell which file is which)
– Obliterates restore points (deletes the Volume Shadow Copies that local rollback depends on)
– Improved network security evasion
What can users do?
• Classic Defense-In-Depth approach
– Multi Layer
– Device Protection
– Network Protection
• Backups
– Still good, but… a backup the infected host can reach (mapped drive, sync folder, shadow copies) gets encrypted or deleted along with everything else; keep offline or versioned copies and test the restore
Future work and questions?
• Opportunity to apply some funky statistics
– Through trait impact analysis
– BIA/Longevity/Destructiveness Index
• Machine learning (pattern recognition)
• Improve the naming and reporting of
ransomware
• Collective collaboration
Conclusion
• We examined the ransomware threat and the
emergence of traits over the last 26 years
• We were able to identify evolutionary patterns in
most strains
• Given the changing risk/reward structure it’s hard
to believe this isn’t going to get much bigger
• This shows it is a threat we cannot dismiss