Ransomware June 9th, 2016 Karin Wefald


Types of Ransomware

● Locker ransomware (computer locker)
  ○ Denies access to the computer or device, leaving the underlying system and files untouched.
  ○ The malware could potentially be removed to restore the computer.
  ○ Uses social-engineering techniques to pressure victims into paying.

● Crypto ransomware (data locker)
  ○ Prevents access to files or data.
  ○ Doesn't necessarily use encryption to stop users from accessing their data, but the vast majority does.
  ○ Data is useless unless the user obtains the decryption key.
  ○ The malware does not target critical system files or deny access to the computer's functionality.

Also includes misleading apps and fake antivirus scams.

Public Key Encryption

https://www.youtube.com/watch?v=3QnD2c4Xovk

Symmetric (AES) and asymmetric (RSA) encryption techniques

● AES (Advanced Encryption Standard)
  ○ Encryption and decryption are done with a single key.
  ○ Brute force is the most effective way to break it.
  ○ The encryption algorithm used to protect your actual data.

● RSA
  ○ Commonly adopted public key cryptography algorithm.
  ○ Used in TLS/SSL certificates.
  ○ Has been the basis for security on the internet for the last 20 years or so.
  ○ Uses separate keys (a public key and a private key).
  ○ Breaking it means factoring the modulus into its primes and deriving the keys (an integer factorization problem).

Targets

History/Evolution

● The AIDS Trojan
  ○ Released through snail mail on 5¼" floppy disks in 1989.
  ○ Disguised as AIDS education software by PC Cyborg Corporation.
  ○ PO box in Panama.
  ○ Designed by Dr. Joseph L. Popp, an evolutionary biologist with a PhD from Harvard who had been rejected for a job at the WHO.

● In 1996, Adam L. Young and Moti Yung improved on the AIDS Trojan
  ○ Introduced public key cryptography.
  ○ The AIDS Trojan was ineffective due to its use of symmetric cryptography.
  ○ Implemented an experimental proof-of-concept cryptovirus on a Macintosh SE/30 that used RSA and TEA to hybrid-encrypt the victim's data.

● Examples of extortionate ransomware became prominent in May 2005.

● By mid-2006, Trojans such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive had more sophisticated RSA encryption schemes, with ever-increasing key sizes.

● Gpcode.AG, detected in June 2006, encrypted files with a 660-bit RSA public key.

● In June 2008, a variant known as Gpcode.AK was detected. Its 1024-bit RSA key was computationally infeasible to break without a concerted distributed effort.

● March 29th, 2016 - Methodist Hospital in Henderson, Kentucky paid a ransom to restore the hospital's systems, reportedly $17,000.

● June 6th, 2016 - The University of Calgary paid a demanded $20,000 after a "ransomware" cyberattack on its computer systems.
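The hybrid RSA-plus-symmetric scheme from the Public Key Encryption slide and the 660-bit versus 1024-bit key-size point above, as an added example that is not part of the original deck and not any ransomware family's code: a toy RSA public key wraps a fresh per-file symmetric key, and the private exponent is recovered from the public key alone by factoring the modulus, which works here only because the key sizes are assumed toy-sized (a SHA-256 keystream stands in for AES, since Python's standard library has none).

```python
# Constructed example for this deck, not any ransomware family's code: RSA-wrapped per-file keys
# (the slides' hybrid scheme) and private-key recovery by factoring a deliberately tiny modulus.
import hashlib
import math
import random
import secrets

def small_prime(bits: int) -> int:
    # random odd candidate of exactly `bits` bits, checked by trial division (toy sizes only)
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(c % d for d in range(3, math.isqrt(c) + 1, 2)):
            return c

def keygen(bits: int = 20):
    # toy RSA pair ((n, e), d) with e = 65537; retry until p != q and e is invertible mod phi
    p, q, e = small_prime(bits), small_prime(bits), 65537
    phi = (p - 1) * (q - 1)
    return ((p * q, e), pow(e, -1, phi)) if p != q and math.gcd(e, phi) == 1 else keygen(bits)

def keystream_xor(key: int, data: bytes) -> bytes:
    # stand-in symmetric cipher: XOR with a SHA-256 counter keystream (NOT AES)
    k = key.to_bytes(4, "big")
    stream = b"".join(hashlib.sha256(k + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_file(pub, plaintext: bytes):
    # hybrid scheme: fresh 32-bit file key (below the ~40-bit toy modulus), wrapped with RSA
    n, e = pub
    file_key = secrets.randbits(32)
    return pow(file_key, e, n), keystream_xor(file_key, plaintext)

def decrypt_file(d: int, n: int, wrapped_key: int, ciphertext: bytes) -> bytes:
    # whoever holds the private exponent d unwraps the file key and decrypts
    return keystream_xor(pow(wrapped_key, d, n), ciphertext)

def pollard_rho(n: int) -> int:
    # Floyd-cycle Pollard rho: instant for ~40-bit n, hopeless at 1024 bits (cf. Gpcode.AK)
    c, x, y, d = random.randrange(1, n), 2, 2, 1
    while d == 1:
        x, y = (x * x + c) % n, (((y * y + c) % n) ** 2 + c) % n
        d = math.gcd(abs(x - y), n)
    return d if d != n else pollard_rho(n)

def recover_private_key(pub) -> int:
    # the RSA slide's "factor the modulus into primes and derive the keys" route
    n, e = pub
    p = pollard_rho(n)
    return pow(e, -1, (p - 1) * (n // p - 1))
```

With real key sizes the factoring step is the part that fails, which is why the private key living only on the operator's server is what makes the victim's data unrecoverable.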

What is vulnerable?

● Personal computers running the Windows operating system.
  ○ Windows holds 89 percent of the desktop OS market share, with Mac OS X and Linux making up the rest.
  ○ Ransomware leverages system API hooks to block or limit access to controls such as the mouse or keyboard.
  ○ It uses the inbuilt encryption libraries or APIs supplied with the operating system to perform the encryption and decryption process itself.

● Mobile devices
  ○ App store iPhones vs. Android

● Servers
  ○ More likely to contain critical data

Propagation

● Traffic distribution system (TDS) - buy redirected web traffic from a Traffic Distribution Service (TDS) vendor and point it to a site hosting an exploit kit.
● Malvertisement - malicious advertisements, known as malvertisements, can get pushed onto legitimate websites in order to redirect traffic to a site hosting an exploit kit.
● Spam email
● Downloaders & botnets - download secondary malware
● Social engineering and self-propagation - on the Windows platform, a variant of the Ransomlock (W32.Ransomlock.AO) screen locker is known to infect other files as a way to spread.

Process

● Typically propagates as a Trojan
  ○ Enters a system through, for example, a downloaded file or a vulnerability in a network service.
  ○ Then runs a payload, which typically takes the form of a scareware program.
  ○ Payloads may display a fake warning purportedly from an entity such as a law enforcement agency,
  ○ falsely claiming that the system has been used for illegal activities, contains content such as pornography and "pirated" media, or runs a non-genuine version of Microsoft Windows.

● Payment is virtually always the goal
  ○ The victim is coerced into paying for the ransomware to be removed
    ■ which may or may not actually occur
  ○ either by supplying a program that can decrypt the files, or by sending an unlock code that undoes the payload's changes.

Bitcoin and Cryptolocker

● Bitcoin is completely digital money.
● Peer-to-peer payment network, powered by its users with no central authority.
● In a process known as mining, individual Bitcoin users attempt to generate new coins by checking the integrity of the transactions list.
● They confirm the previous transactions and attempt to solve a difficult proof-of-work problem, which involves exhaustively trying different solutions.
● By finding the solution, a Bitcoin client confirms the history of previous transactions and moves the transaction register forward, allowing new debits and credits to form part of the next block that can be mined to earn more coins.

● Example of usage:
  ○ A ransomware trojan, when activated, encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers.
  ○ The malware then displays a message which offers to decrypt the data if a payment (through either bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatens to delete the private key if the deadline passes.
  ○ If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin.
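The mining process described on the Bitcoin slide, as an added toy example that is not part of the original deck and does not reproduce Bitcoin's real block format or consensus rules: each block commits to the previous block's hash and a transaction list, a valid nonce can only be found by exhaustive search, and verification recomputes the whole chain (the difficulty and the transaction strings are constructed for the demonstration).

```python
# Constructed toy proof-of-work chain for this deck, not Bitcoin's real block format or
# consensus rules: each block commits to the previous block's hash and a transaction
# list, and "mining" is an exhaustive nonce search that verification checks cheaply.
import hashlib
import json

DIFFICULTY_BITS = 12  # leading zero bits required of a block hash (Bitcoin's target is far harder)

def block_hash(prev_hash: str, transactions: list, nonce: int) -> str:
    payload = json.dumps({"prev": prev_hash, "tx": transactions, "nonce": nonce}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def meets_target(h: str) -> bool:
    return int(h, 16) >> (256 - DIFFICULTY_BITS) == 0

def mine(prev_hash: str, transactions: list) -> int:
    # the deck's "exhaustively trying different solutions": no shortcut, just try nonces
    nonce = 0
    while not meets_target(block_hash(prev_hash, transactions, nonce)):
        nonce += 1
    return nonce

def build_chain(tx_batches: list) -> list:
    # each mined block confirms the history before it by embedding the previous hash
    chain, prev = [], "0" * 64
    for txs in tx_batches:
        nonce = mine(prev, txs)
        prev = block_hash(prev, txs, nonce)
        chain.append({"tx": txs, "nonce": nonce, "hash": prev})
    return chain

def verify_chain(chain: list) -> bool:
    # recompute every hash; a tampered transaction breaks linkage of all later blocks
    prev = "0" * 64
    for blk in chain:
        h = block_hash(prev, blk["tx"], blk["nonce"])
        if h != blk["hash"] or not meets_target(h):
            return False
        prev = h
    return True
```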