SlideShare uma empresa Scribd logo

Analysing Ransomware

Napier University
Napier University

https://asecuritysite.com/subjects/chapter87

Educação
1 de 45
Baixar para ler offline
Ransomware
Background
Trend Micro analysis
Trend Micro analysis
https://fatsecurity.com/article/ransomware-protection-guide
Timeline • Reveton (2012)... Police message. • CryptoLocker (2013). First with crypto and download of components. • CryptoDefence (2014). Used 2048-bit RSA. Native APIs. • SimplLocker (2014). Android locking. • CTB-Locker (2014). C&C and deleted shadow files. • Cryptowall (2014). Made $325 million for creator. Registry key. Put in startup files. Persistence. • Chimera (2015). First ‘doxing’ ransomware … threated to publish info online. • TeslaCrypt (2015). Persistence on machine. • 7en3n (2016). 13 BC and destroy Windows system on non-payment. • KeRanger. (2016) Mac OSX malware and uses signed certificate for Mac. • Jigsaw (2016). Ransom note contained characters from the “Saw” movie. Delete files every 60 minutes, 1K files on reboot. • Random32 (2016). First JavaScript ransomware. • Petya (2016). Overwrite MBR. Encrypt files. Double ransom if not paid in seven days. • Locky (2016). Targeted hospitals in US. Healthcare as a ransom. • SamSam (Samas) (2016). Target JBoss server (Red Hat Web/middleware), with ways to communicate with victim. • PowerWare (2016). Uses native tools such as PowerShell to perform bad operations. • ZCrypto ... new worm.
Github source for ransomware
Types • Locker Ransomware. Locks the computer. • Crypto Ransomware. Requires decryption key. • Master Boot Record Ransomware. Attack MBR so that message appears on boot up. • Web Server Encrypting Ransomware. Encrypts defines files on Web sites. • Mobile Device Ransomware.
Ransomware example
Ransomware in UK (2015-2016)
Outline Distributor Delivery of ransomware through phising or drive-by (eg EXE, DOC, VBS, SCR) Unique 128-bit AES key created Public key of ransomware provider C&C A range of files encrypted (eg DOCX, Python, etc) Private key of ransomware provider Service Provider Criminal Encrypted key sent to Command and Control Payment provider (Bitcoin) Typical operation: • Drops executable in users %AppData% and %LocalAppData% folder • Create registry keys to maintain persistence • Search for specific file types • Performs encryption • Deletes Volume Shadow copies • Displays ransom note
Early Ransomware
GpCode Desktop Ransom Message
Reveton/Moneypak ransom message with webcam enabled
Reveton ransom messages based on victim location
CryptoLocker Copy cats: CryptoWall; CTB Locker; TeslaCrypt; CryptoFortress
Cryptolocker
Cryptowall
Anatomy of CryptoWall 3.0 Attack
Ransomware As A Service Tox and Random32
Ransomware as a service (Tox) • In May 2015 Macfee found the Tox site on the ‘dark web’. • Used Tor with no knowledge of malware. • 20% cut from any extorted profits. • Registration was free, and payments to BitCoin address to receive payment. • Executable created for distribution.
Random32 January 2016, Ransom32 – Uses Tor and Bitcoin payments. Written in Javascript ... can affect Linux/Mac OSX It uses NW.js which jumps out of the sandbox and encrypts files on the system with an almost uncrackable 128-bit AES key.
Random32 NW.js (Node-WebKit) was introduced to allow development for Node.js and Chromium, and allows browser-based code to jump out of the sandbox, and directly access the system. It was created as a new way of writing native applications within Web applications, and it was thus only a matter of time that malware writers spotted the opportunity to run their code in a browser, not matter which operating system it was running on.
Random32 Files encrypted: *.jpg, *.jpeg, *.raw, *.tif, *.gif, *.png, *.bmp, *.c, *.cpp, *.cs, *.h, *.php, *.asp, *.rb, *.java, *.jar, *.class, , *.txt, *.doc, *.dot, *.docx, *.docm, *.dotx, *.dotm, *.docb, *.rtf, *.wpd, *.wps, *.msg, *.pdf, *.xls, *.xlt, *.xlm, *.xlsx, *.xlsm, *.xltx, *.xltm, *.xlsb, *.xla, *.xlam, *.xll, *.xlw, *.ppt, *.pot, *.pps, *.pptx, *.pptm, *.potx but will avoid the folders of c:windows, c:programdata, c:temp and $recycle.bin, as these folders are likely to cause problems in booting the computer The maliciousness of the malware is highlighted with the u.vbs script which deletes all the files in a given folder (where the directory is specified when the script is called): On Error Resume Next Set objArgs = WScript.Arguments directory = objArgs(0) Set fso = CreateObject("Scripting.FileSystemObject") Function ShowSum(value1) Set folder = fso.GetFolder(value1) for each f in folder.Files On Error Resume Next f.Delete True Next For Each f In folder.SubFolders On Error Resume Next ShowSum(f) f.Delete True Next End Function Wscript.Sleep 10000 ShowSum(directory) fso.DeleteFolder directory, True
Random32 The encryption uses 128-bit AES with CTR [here], and this key is protected by an RSA key, which protected by a public key provided by the C&C. Only the C&C has the private key to decrypt the key.
Locky
Locky • Locky ... February 2016, infected a Hollywood Medical Centre, infecting systems for CT scans, emergency rooms, lab work and pharmacy operations • TOR and BitCoin payment. • RSA-2048 and AES-128 for file encryption on over 160 file types across virtual disks and databases.
Locky
Cerber
Cerber • 2016. • Black list of countries not to target. • Affiliate program. • Runs encrypted files off-line ... no need to contract C&C. • Wireshark shows UDP requests to predefined IP addresses. • Possible to speak to infected person through text to speech VM macros. • Bypass for User Account Control (UAC). Evidence bag here.
Cerber • 2016. • Black list of countries not to target. • Affiliate program. • Runs encrypted files off-line ... no need to contract C&C. • Wireshark shows UDP requests to predefined IP addresses. • Possible to speak to infected person through text to speech VM macros. • Bypass for User Account Control (UAC). Evidence bag here.
Atom Payload Builder
Evasion Methods
Investigation
Evasion Techniques Process level CreateProcess WriteProcessMemory CreateRemoteThread IP address taskmgr, procexp, regedit, msconfig, cmd.exe
Evasion Techniques Network level RC4 TOR I2P HTTPS http://www.malware-traffic-analysis.net/2015/07/20/
Evasion Techniques Binary level Obfuscated GetCurrentProcess() IsDebuggerPresent() OutputDebugString() Source: http://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/
Encryption Methods • Custom algorithm • AES + Electronic Codebook (ECB) + RSA • AES + Cipher Block Chaining (CBC) + RSA • AES + ECDH + RSA
User Access Control
How to avoid?
Avoiding (Trend Micro advice) • Education. The most common attack vector for ransomware is a phishing attack where a user in a company clicks on a file attachment which contains the malware, and which encrypts their files, and spreads through the network. Users thus need to be educated in spotting malicious emails, as the phisher often knows how to by-pass a filtering system (such as using an encrypted email). • Back-ups. It is important to have backups, but to also make sure they are off-site, so that an on-site infection does not end up encrypting or corrupting the on-site backs. Trend Micro recommend a 3-2-1 rule: at least three copies, in two different formats, with one copy off site/offline. • Layered protection. A key part of any type of network defence is to have layers of security to defend against attack, including both network sensors and end-point security. • Network segmentation. As much as possible, the network should be segmented up, so that different areas of the network are isolated from others. In this way the infection can be constrained. • Application control. Rather than having a black list of programs which are not allowed to run on a computer, increasingly companies operate a white-listing policy, where only applications that are approved can run on devices. This means that malware programs will not have the rights to run or access system files.
Ransomware

Recomendados

Ransomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDFRansomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDFAndy Thompson
 
Ransomware
RansomwareRansomware
Ransomwarem3 Networks Limited
 
Ransomware Attack.pptx
Ransomware Attack.pptxRansomware Attack.pptx
Ransomware Attack.pptxIkramSabir4
 
The rise of malware(ransomware)
The rise of malware(ransomware)The rise of malware(ransomware)
The rise of malware(ransomware)phexcom1
 
Ransomware by lokesh
Ransomware by lokeshRansomware by lokesh
Ransomware by lokeshLokesh Bysani
 
Ransomware - The Growing Threat
Ransomware - The Growing ThreatRansomware - The Growing Threat
Ransomware - The Growing ThreatNick Miller
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
 
Ransomware
Ransomware Ransomware
Ransomware Armor
 

Recomendados

Ransomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDFRansomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDFAndy Thompson
 
Ransomware
RansomwareRansomware
Ransomwarem3 Networks Limited
 
Ransomware Attack.pptx
Ransomware Attack.pptxRansomware Attack.pptx
Ransomware Attack.pptxIkramSabir4
 
The rise of malware(ransomware)
The rise of malware(ransomware)The rise of malware(ransomware)
The rise of malware(ransomware)phexcom1
 
Ransomware by lokesh
Ransomware by lokeshRansomware by lokesh
Ransomware by lokeshLokesh Bysani
 
Ransomware - The Growing Threat
Ransomware - The Growing ThreatRansomware - The Growing Threat
Ransomware - The Growing ThreatNick Miller
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
 
Ransomware
Ransomware Ransomware
Ransomware Armor
 
Ransomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, PreventionRansomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, PreventionMohammad Yahya
 
Advanced Persistent Threat
Advanced Persistent ThreatAdvanced Persistent Threat
Advanced Persistent ThreatAmmar WK
 
Ransomware
RansomwareRansomware
RansomwareNick Miller
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware AnalysisPrashant Gupta
 
Ransomware attack
Ransomware attackRansomware attack
Ransomware attackAmna
 
Ransomware
RansomwareRansomware
RansomwareAkshita Pillai
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?Datto
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Futurekaranwayne
 
malware analysis
malware analysismalware analysis
malware analysis20CS201AkashR
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Rihab Chebbah
 
The Rise of Ransomware
The Rise of RansomwareThe Rise of Ransomware
The Rise of RansomwareTharindu Edirisinghe
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)WAJAHAT IQBAL
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 
Wannacry
WannacryWannacry
WannacryAravindVV
 
Ransomware
RansomwareRansomware
RansomwareChaitali Sharma
 
Advanced persistent threats(APT)
Advanced persistent threats(APT)Advanced persistent threats(APT)
Advanced persistent threats(APT)Network Intelligence India
 
Meeting02_RoT.pptx
Meeting02_RoT.pptxMeeting02_RoT.pptx
Meeting02_RoT.pptxothmanomar13
 
Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareshubaira
 

Mais conteúdo relacionado

Mais procurados

Ransomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, PreventionRansomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, PreventionMohammad Yahya
 
Advanced Persistent Threat
Advanced Persistent ThreatAdvanced Persistent Threat
Advanced Persistent ThreatAmmar WK
 
Ransomware attack
Ransomware attackRansomware attack
Ransomware attackAmna
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?Datto
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Futurekaranwayne
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Rihab Chebbah
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)WAJAHAT IQBAL
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 

Mais procurados (20)

Ransomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, PreventionRansomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, Prevention
 
Advanced Persistent Threat
Advanced Persistent ThreatAdvanced Persistent Threat
Advanced Persistent Threat
 
Ransomware
RansomwareRansomware
Ransomware
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
 
Ransomware attack
Ransomware attackRansomware attack
Ransomware attack
 
Ransomware
RansomwareRansomware
Ransomware
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Future
 
malware analysis
malware analysismalware analysis
malware analysis
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016
 
The Rise of Ransomware
The Rise of RansomwareThe Rise of Ransomware
The Rise of Ransomware
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
 
Wannacry
WannacryWannacry
Wannacry
 
Ransomware
RansomwareRansomware
Ransomware
 
Advanced persistent threats(APT)
Advanced persistent threats(APT)Advanced persistent threats(APT)
Advanced persistent threats(APT)
 

Semelhante a Analysing Ransomware

Meeting02_RoT.pptx
Meeting02_RoT.pptxMeeting02_RoT.pptx
Meeting02_RoT.pptxothmanomar13
 
Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareshubaira
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedThomas Roccia
 
rensomware final ppt
rensomware final pptrensomware final ppt
rensomware final pptKomal Keshwer
 
Ransomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataRansomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataInderjeet Singh
 
Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Aaron Lancaster
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligencePriyanka Aash
 
Linux IoT Botnet Wars and the lack of basic security hardening
Linux IoT Botnet Wars and the lack of basic security hardeningLinux IoT Botnet Wars and the lack of basic security hardening
Linux IoT Botnet Wars and the lack of basic security hardeningMender.io
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INWannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INVijay Sarathy Rangayyan
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomwareSophos Benelux
 
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
CSF18 - The Digital Threat of the Decade (Century) - Sasha KranjacCSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
CSF18 - The Digital Threat of the Decade (Century) - Sasha KranjacNCCOMMS
 
Chapter 09
Chapter 09Chapter 09
Chapter 09 Google
 
Op Sy 03 Ch 61
Op Sy 03 Ch 61Op Sy 03 Ch 61
Op Sy 03 Ch 61 Google
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9Geoff Pesimo
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
Ransomware History and Monitoring Tips
Ransomware History and Monitoring TipsRansomware History and Monitoring Tips
Ransomware History and Monitoring TipsNetFort
 

Semelhante a Analysing Ransomware (20)

Meeting02_RoT.pptx
Meeting02_RoT.pptxMeeting02_RoT.pptx
Meeting02_RoT.pptx
 
Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomware
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons Learned
 
rensomware final ppt
rensomware final pptrensomware final ppt
rensomware final ppt
 
Ransomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataRansomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your Data
 
Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
 
Linux IoT Botnet Wars and the lack of basic security hardening
Linux IoT Botnet Wars and the lack of basic security hardeningLinux IoT Botnet Wars and the lack of basic security hardening
Linux IoT Botnet Wars and the lack of basic security hardening
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systems
 
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INWannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomware
 
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
CSF18 - The Digital Threat of the Decade (Century) - Sasha KranjacCSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
 
Chapter 09
Chapter 09Chapter 09
Chapter 09
 
Op Sy 03 Ch 61
Op Sy 03 Ch 61Op Sy 03 Ch 61
Op Sy 03 Ch 61
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
603535ransomware
603535ransomware603535ransomware
603535ransomware
 
Ransomware History and Monitoring Tips
Ransomware History and Monitoring TipsRansomware History and Monitoring Tips
Ransomware History and Monitoring Tips
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
 
Hacking by Pratyush Gupta
Hacking by Pratyush GuptaHacking by Pratyush Gupta
Hacking by Pratyush Gupta
 

Mais de Napier University

10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and Pandas10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and PandasNapier University
 
The Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan DelatinneThe Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan DelatinneNapier University
 
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-WattNapier University
 
RMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris BergRMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris BergNapier University
 
Browser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F MondscheinBrowser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F MondscheinNapier University
 
Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...Napier University
 
IoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair DukeIoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair DukeNapier University
 
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK ShyamasundarRobust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK ShyamasundarNapier University
 
Using Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael PrabuckiUsing Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael PrabuckiNapier University
 
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...Napier University
 
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata FereirraEmerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata FereirraNapier University
 

Mais de Napier University (20)

Intrusion Detection Systems
Intrusion Detection SystemsIntrusion Detection Systems
Intrusion Detection Systems
 
Networks
NetworksNetworks
Networks
 
Memory, Big Data and SIEM
Memory, Big Data and SIEMMemory, Big Data and SIEM
Memory, Big Data and SIEM
 
What is Cyber Data?
What is Cyber Data?What is Cyber Data?
What is Cyber Data?
 
Open Source Intelligence
Open Source IntelligenceOpen Source Intelligence
Open Source Intelligence
 
10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and Pandas10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and Pandas
 
2. Defence Systems
2. Defence Systems2. Defence Systems
2. Defence Systems
 
1. Cyber and Intelligence
1. Cyber and Intelligence1. Cyber and Intelligence
1. Cyber and Intelligence
 
The Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan DelatinneThe Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan Delatinne
 
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
 
ARTiFACTS, Emma Boswood
ARTiFACTS, Emma BoswoodARTiFACTS, Emma Boswood
ARTiFACTS, Emma Boswood
 
RMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris BergRMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris Berg
 
Keynote, Naseem Naqvi
Keynote, Naseem Naqvi Keynote, Naseem Naqvi
Keynote, Naseem Naqvi
 
Browser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F MondscheinBrowser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F Mondschein
 
Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...
 
IoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair DukeIoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair Duke
 
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK ShyamasundarRobust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
 
Using Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael PrabuckiUsing Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael Prabucki
 
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
 
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata FereirraEmerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
 

Último

How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 

Último (20)

How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
 

Analysing Ransomware

  • 2.
  • 7. Timeline • Reveton (2012)... Police message. • CryptoLocker (2013). First with crypto and download of components. • CryptoDefence (2014). Used 2048-bit RSA. Native APIs. • SimplLocker (2014). Android locking. • CTB-Locker (2014). C&C and deleted shadow files. • Cryptowall (2014). Made $325 million for creator. Registry key. Put in startup files. Persistence. • Chimera (2015). First ‘doxing’ ransomware … threated to publish info online. • TeslaCrypt (2015). Persistence on machine. • 7en3n (2016). 13 BC and destroy Windows system on non-payment. • KeRanger. (2016) Mac OSX malware and uses signed certificate for Mac. • Jigsaw (2016). Ransom note contained characters from the “Saw” movie. Delete files every 60 minutes, 1K files on reboot. • Random32 (2016). First JavaScript ransomware. • Petya (2016). Overwrite MBR. Encrypt files. Double ransom if not paid in seven days. • Locky (2016). Targeted hospitals in US. Healthcare as a ransom. • SamSam (Samas) (2016). Target JBoss server (Red Hat Web/middleware), with ways to communicate with victim. • PowerWare (2016). Uses native tools such as PowerShell to perform bad operations. • ZCrypto ... new worm.
  • 8. Github source for ransomware
  • 9. Types • Locker Ransomware. Locks the computer. • Crypto Ransomware. Requires decryption key. • Master Boot Record Ransomware. Attack MBR so that message appears on boot up. • Web Server Encrypting Ransomware. Encrypts defines files on Web sites. • Mobile Device Ransomware.
  • 11. Ransomware in UK (2015-2016)
  • 12. Outline Distributor Delivery of ransomware through phising or drive-by (eg EXE, DOC, VBS, SCR) Unique 128-bit AES key created Public key of ransomware provider C&C A range of files encrypted (eg DOCX, Python, etc) Private key of ransomware provider Service Provider Criminal Encrypted key sent to Command and Control Payment provider (Bitcoin) Typical operation: • Drops executable in users %AppData% and %LocalAppData% folder • Create registry keys to maintain persistence • Search for specific file types • Performs encryption • Deletes Volume Shadow copies • Displays ransom note
  • 15. Reveton/Moneypak ransom message with webcam enabled
  • 16. Reveton ransom messages based on victim location
  • 17. CryptoLocker Copy cats: CryptoWall; CTB Locker; TeslaCrypt; CryptoFortress
  • 20. Anatomy of CryptoWall 3.0 Attack
  • 21. Ransomware As A Service Tox and Random32
  • 22. Ransomware as a service (Tox) • In May 2015 Macfee found the Tox site on the ‘dark web’. • Used Tor with no knowledge of malware. • 20% cut from any extorted profits. • Registration was free, and payments to BitCoin address to receive payment. • Executable created for distribution.
  • 23. Random32 January 2016, Ransom32 – Uses Tor and Bitcoin payments. Written in Javascript ... can affect Linux/Mac OSX It uses NW.js which jumps out of the sandbox and encrypts files on the system with an almost uncrackable 128-bit AES key.
  • 24. Random32 NW.js (Node-WebKit) was introduced to allow development for Node.js and Chromium, and allows browser-based code to jump out of the sandbox, and directly access the system. It was created as a new way of writing native applications within Web applications, and it was thus only a matter of time that malware writers spotted the opportunity to run their code in a browser, not matter which operating system it was running on.
  • 25.
  • 26.
  • 27. Random32 Files encrypted: *.jpg, *.jpeg, *.raw, *.tif, *.gif, *.png, *.bmp, *.c, *.cpp, *.cs, *.h, *.php, *.asp, *.rb, *.java, *.jar, *.class, , *.txt, *.doc, *.dot, *.docx, *.docm, *.dotx, *.dotm, *.docb, *.rtf, *.wpd, *.wps, *.msg, *.pdf, *.xls, *.xlt, *.xlm, *.xlsx, *.xlsm, *.xltx, *.xltm, *.xlsb, *.xla, *.xlam, *.xll, *.xlw, *.ppt, *.pot, *.pps, *.pptx, *.pptm, *.potx but will avoid the folders of c:windows, c:programdata, c:temp and $recycle.bin, as these folders are likely to cause problems in booting the computer The maliciousness of the malware is highlighted with the u.vbs script which deletes all the files in a given folder (where the directory is specified when the script is called): On Error Resume Next Set objArgs = WScript.Arguments directory = objArgs(0) Set fso = CreateObject("Scripting.FileSystemObject") Function ShowSum(value1) Set folder = fso.GetFolder(value1) for each f in folder.Files On Error Resume Next f.Delete True Next For Each f In folder.SubFolders On Error Resume Next ShowSum(f) f.Delete True Next End Function Wscript.Sleep 10000 ShowSum(directory) fso.DeleteFolder directory, True
  • 28. Random32 The encryption uses 128-bit AES with CTR [here], and this key is protected by an RSA key, which protected by a public key provided by the C&C. Only the C&C has the private key to decrypt the key.
  • 29. Locky
  • 30. Locky • Locky ... February 2016, infected a Hollywood Medical Centre, infecting systems for CT scans, emergency rooms, lab work and pharmacy operations • TOR and BitCoin payment. • RSA-2048 and AES-128 for file encryption on over 160 file types across virtual disks and databases.
  • 31. Locky
  • 33. Cerber • 2016. • Black list of countries not to target. • Affiliate program. • Runs encrypted files off-line ... no need to contract C&C. • Wireshark shows UDP requests to predefined IP addresses. • Possible to speak to infected person through text to speech VM macros. • Bypass for User Account Control (UAC). Evidence bag here.
  • 34. Cerber • 2016. • Black list of countries not to target. • Affiliate program. • Runs encrypted files off-line ... no need to contract C&C. • Wireshark shows UDP requests to predefined IP addresses. • Possible to speak to infected person through text to speech VM macros. • Bypass for User Account Control (UAC). Evidence bag here.
  • 40. Evasion Techniques Binary level Obfuscated GetCurrentProcess() IsDebuggerPresent() OutputDebugString() Source: http://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/
  • 41. Encryption Methods • Custom algorithm • AES + Electronic Codebook (ECB) + RSA • AES + Cipher Block Chaining (CBC) + RSA • AES + ECDH + RSA
  • 44. Avoiding (Trend Micro advice) • Education. The most common attack vector for ransomware is a phishing attack where a user in a company clicks on a file attachment which contains the malware, and which encrypts their files, and spreads through the network. Users thus need to be educated in spotting malicious emails, as the phisher often knows how to by-pass a filtering system (such as using an encrypted email). • Back-ups. It is important to have backups, but to also make sure they are off-site, so that an on-site infection does not end up encrypting or corrupting the on-site backs. Trend Micro recommend a 3-2-1 rule: at least three copies, in two different formats, with one copy off site/offline. • Layered protection. A key part of any type of network defence is to have layers of security to defend against attack, including both network sensors and end-point security. • Network segmentation. As much as possible, the network should be segmented up, so that different areas of the network are isolated from others. In this way the infection can be constrained. • Application control. Rather than having a black list of programs which are not allowed to run on a computer, increasingly companies operate a white-listing policy, where only applications that are approved can run on devices. This means that malware programs will not have the rights to run or access system files.