MMW April 2016 Ransomware Resurgence


Ransomware Resurgence

Nick Bilogorskiy, Cyphort

@belogor

Your speakers today

Nick Bilogorskiy (@belogor), Director of Security Research

Marci Kusanovich, Marketing Communications Manager

Agenda

o History of Digital Extortion
o Cryptolocker, Cryptowall, Locky
o How Ransomware works
o Tips to protect yourself
o Wrap-up and Q&A

Cyphort Labs T-shirt

Housekeeping

• You are on mute
• Enter questions
• Can order t-shirt

Threat Monitoring & Research team

o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response

We enhance malware detection accuracy

o False positives/negatives
o Deep-dive research

We work with the security ecosystem

o Contribute to and learn from malware KB
o Best of 3rd-party threat data

cyphort.com/blog

What is Ransomware

Ransomware is any malware that demands the user pay a ransom.

There are two types of ransomware: lockers and crypters.

Lockers (e.g. Kovter)


Crypters

Bitcoin Primer

• easy to use,
• fast,
• publicly available,
• decentralized, and
• provides anonymity, which serves to encourage extortion.

The Ransomware Business Model

o Data theft in place
o Anonymity (TOR, Bitcoin)
o Operating with impunity in Eastern Europe
o Extortion
o Focus on ease of use to maximize conversion
o Currently 50% pay the ransom; it was 41% 2 years ago

The Ransomware Business Model

Locked files → Bitcoin ransom sent → C&C server → private key sent → unlocked files

Known Victims… So far

HOSPITALS: Hollywood Presbyterian Medical Center, Kentucky Methodist Hospital, Alvarado Hospital Medical Center and King's Daughters' Health, Chino Valley Medical Center and Desert Valley Hospital, Baltimore's Union Memorial Hospital, and many others

POLICE: Tewksbury Police Department, Swansea Police Department, the Chicago suburb of Midlothian, Dickson County, Tennessee, Durham, N.H., Plainfield, N.J., Collinsville, Alabama; hackers in Detroit demanded $800,000 in bitcoin after they had encrypted the city's database.

GOVERNMENT: 321 incident reports of "ransomware-related activity" affecting 29 different federal networks since June 2015, according to the Department of Homeland Security.

SCHOOLS: A South Carolina school district paid $10,000. A New Jersey school district was hit, holding up the computerized PARCC exams. Follett Learning's Destiny library management software, which is used in US schools, is vulnerable to SamSam ransomware.

Source: Recorded Future

Stats

500% growth last year

Google Trends: "ransomware" search interest [chart]

Ransomware: The Price You Pay

2014 - $24 M. | 2015 - $24 M. | 2016 - $209 M in Q1

Ransomware: Additional Costs

o network mitigation
o network countermeasures
o loss of productivity
o legal fees
o IT services
o purchase of credit monitoring services for employees or customers
o Potential harm to an organization's reputation.

Ransomware poses a threat “to everyday Americans, law enforcement, government agencies and infrastructure, and sectors of our economy like healthcare and financial services.”

– Representative Derek Kilmer (D-WA)

“I am concerned that by hospitals paying these ransoms, we are creating a perverse incentive for hackers to continue these dangerous attacks”

– Senator Barbara Boxer

Ransomware Resurgence Timeline: Explosion of Variants in 2016

Source: Endgame

What is Cryptolocker?

o Began September 2013
o Encrypts victim's files, asks for $300 ransom
o Impossible to recover files without a key
o Ransom increases after deadline
o Goal is monetary via Bitcoin
o 250,000+ victims worldwide (according to Secureworks)

Cryptolocker Mastermind

According to the FBI, losses are “more than $100 million.”

Image source: FBI

Attribution: Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia, nickname "Slavik", indicted for conspiracy, computer hacking, wire fraud, bank fraud, and money laundering.

Bogachev is identified as a leader of a cyber gang of criminals based in Russia and Ukraine that is responsible for both GameOver Zeus and Cryptolocker.

Cryptodefense aka Cryptowall

o Cryptodefense is a newer variant of Cryptolocker
o appeared in Feb 2014
o no GUI
o pops up a webpage, drops text file
o Uses TOR for anonymous payments

Locky

o Installed by Dridex gang
o Word documents with macros over email
o Also used JavaScript, PowerShell
o over 400,000 victims in hours (Palo Alto Networks Unit 42)
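The Locky delivery path above (macro-laden Word documents, plus JavaScript and PowerShell scripts, sent by mail) is what a mail-gateway triage step has to catch. The Python below is an added example, not code from Cyphort or from the presentation; the attachment names, the sample documents and the verdict strings are constructed for the demonstration. The macro check relies on the fact that Office Open XML files are zip archives whose VBA project is stored as a part named vbaProject.bin.

```python
"""Triage e-mail attachments for the Locky delivery vector named on the slide:
Word documents carrying VBA macros, and JavaScript / PowerShell scripts.

Added example (not Cyphort's code). The sample documents are constructed
in memory; no real malware is involved.
"""
import io
import zipfile

# Script attachment types the slide names as Locky carriers
SCRIPT_EXTS = {".js", ".ps1"}
# Office Open XML (zip-based) Word formats
OOXML_WORD_EXTS = {".docx", ".docm", ".dotx", ".dotm"}


def has_vba_project(blob):
    """Office Open XML files are zip archives; an embedded VBA macro project is
    stored as a part named vbaProject.bin (under word/, xl/ or ppt/).
    Returns True when such a part exists, False when not, None for non-zip data."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as archive:
            return any(name.lower().endswith("vbaproject.bin")
                       for name in archive.namelist())
    except zipfile.BadZipFile:
        return None


def classify_attachment(filename, blob):
    """Return a triage verdict for one attachment (name plus raw bytes)."""
    lower = filename.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in SCRIPT_EXTS:
        return "block: script attachment"
    if ext in OOXML_WORD_EXTS:
        macro = has_vba_project(blob)
        if macro is None:
            return "review: unreadable Office file"
        if macro:
            return "quarantine: macro-bearing Word document"
        return "allow: macro-free Word document"
    if ext == ".doc":
        # Legacy binary Word is OLE/CFB, not zip; macro inspection needs a
        # different parser, so hand it to a human or a sandbox.
        return "review: legacy Word document"
    return "allow: other attachment"


def build_sample_docx(with_macro):
    """Constructed minimal OOXML package for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"constructed stub, not real VBA")
    return buf.getvalue()


def triage_mail(attachments):
    """attachments: list of (filename, bytes). Returns {filename: verdict}."""
    return {name: classify_attachment(name, blob) for name, blob in attachments}


if __name__ == "__main__":
    # Constructed sample message resembling the Locky spam wave on the slide
    sample = [
        ("invoice.docm", build_sample_docx(with_macro=True)),
        ("agenda.docx", build_sample_docx(with_macro=False)),
        ("scan_0001.js", b"// constructed placeholder"),
    ]
    for name, verdict in triage_mail(sample).items():
        print(f"{name:16s} {verdict}")
```

The verdict strings are only labels for the demonstration; in a real gateway the same three outcomes would map to block, quarantine and deliver actions, and legacy .doc files would go to a sandbox rather than being allowed through unchecked.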

Dridex Gang

o First seen: Nov 2014, new versions throughout 2015
o Target: North American and European banks
o Distribution: spam mails with Word documents
o Some versions use P2P over HTTP for botnet communication
o Uses web injects to carry out man-in-the-browser attacks; uses VNC

Locky Ransom Note


KeRanger

o First ransomware on OS X
o Appeared in March 2016
o 1 BTC ($400) ransom
o Signed!
o Infected Transmission BitTorrent client installer

Android SimpleLocker

- May 2014: SimpleLocker appears in Ukraine
- Asks for $22 USD using Monexy
- Uses TOR for C&C
- Checks SD card for: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4
- Unlike Cryptolocker, the encryption key is hardcoded in the malware. Encrypted files are appended with ".enc".
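The two file-system traits the slide gives for SimpleLocker (a fixed list of targeted extensions and a ".enc" suffix appended to each encrypted file) are enough for a simple host-side detection. The Python below is an added example, not code from Cyphort or from the presentation; the file listing and byte contents are constructed, and the thresholds are assumptions. It goes a little beyond the slide by taking the suffix and extension set as parameters, so the same scan applies to other families that append a fixed suffix, and by adding an entropy check so that a plain rename is not mistaken for encryption.

```python
"""Detect a SimpleLocker-style mass-encryption event from a file listing.

Added example, not Cyphort's code. It keys on the traits the slide gives
(targeted extensions, ".enc" appended to encrypted files) and adds a
Shannon-entropy check on file contents. Sample entries are constructed.
"""
import math
from collections import Counter

# Extensions the slide lists as SimpleLocker's targets on the SD card
TARGET_EXTS = {"jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc", "docx",
               "txt", "avi", "mkv", "3gp", "mp4"}
ENC_SUFFIX = ".enc"


def is_suspect_name(name, suffix=ENC_SUFFIX, targets=TARGET_EXTS):
    """True when name looks like <original>.<targeted ext><suffix>, e.g. photo.jpg.enc."""
    lower = name.lower()
    if not lower.endswith(suffix):
        return False
    stem = lower[:-len(suffix)]
    if "." not in stem:
        return False
    return stem.rsplit(".", 1)[-1] in targets


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 to 8.0). Ciphertext sits near 8.0;
    text and most media headers are markedly lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan(entries, suffix=ENC_SUFFIX, targets=TARGET_EXTS,
         name_ratio=0.5, entropy_floor=7.0):
    """entries: list of (path, leading bytes). Flags a likely encryption event
    when at least name_ratio of the files carry the suffix on a targeted
    extension and at least one of those has high-entropy content.
    The two thresholds are assumptions chosen for the demonstration."""
    suspect = [p for p, _ in entries if is_suspect_name(p, suffix, targets)]
    encrypted = [p for p, data in entries
                 if is_suspect_name(p, suffix, targets)
                 and shannon_entropy(data) >= entropy_floor]
    ratio = len(suspect) / len(entries) if entries else 0.0
    return {
        "total": len(entries),
        "suspect_names": suspect,
        "high_entropy": encrypted,
        "ratio": ratio,
        "alert": ratio >= name_ratio and bool(encrypted),
    }


# Constructed stand-in for ciphertext: every byte value occurs equally often,
# giving the maximal 8.0 bits/byte that real encrypted output approaches.
CIPHER_LIKE = bytes((i * 73 + 11) % 256 for i in range(512))
# Constructed low-entropy content
PLAIN_LIKE = b"shopping list: milk, eggs, bread, milk, eggs, bread\n" * 4

# Constructed SD-card listing after a SimpleLocker-style run
SAMPLE_LISTING = [
    ("DCIM/IMG_0001.jpg.enc", CIPHER_LIKE),
    ("DCIM/IMG_0002.jpg.enc", CIPHER_LIKE),
    ("Documents/notes.txt.enc", CIPHER_LIKE),
    ("Documents/todo.txt", PLAIN_LIKE),
    ("Download/app.apk", b"PK\x03\x04" + PLAIN_LIKE),
]

if __name__ == "__main__":
    print(scan(SAMPLE_LISTING))
```

On the constructed listing three of five files match the name pattern and all three have maximal entropy, so the scan raises an alert; a listing where files were merely renamed but still hold readable content stays quiet, which is the point of pairing the name heuristic with the entropy check.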

2016 Ransomware tricks

o Encrypting the whole drive (Petya)
o Encrypting network drives
o Deleting cloud backups
o Encrypting web servers (Kimcilware)
o Ransomware as a Service (RaaS)

How do Users get Ransomware?

Source: Osterman Research

Tips to Avoid Ransomware Infection

o Install the latest patches for your software, especially Adobe, Microsoft and Oracle apps
o Use network protection
o Use a comprehensive endpoint security solution with behavioral detection
o Turn Windows User Account Control on

Tips to Avoid Ransomware Infection

o Be skeptical: Don't click on anything suspicious
o Block popups and use an ad-blocker
o Override your browser's user-agent*
o Consider Microsoft Office viewers
o On a Mac: RansomWhere

Tips to Avoid Ransomware Infection

o Identify ransomware and look for a decryptor: https://id-ransomware.malwarehunterteam.com/
o List of free decryptors: http://bit.ly/decryptors
o Shadow copies
o Turn off computer at first signs of infection
o Remember: the only effective ransomware defense is backup

Summary

1. Ransomware evolved into a major threat allowing criminals to easily monetize malware infections via Bitcoin.

2. Every platform is vulnerable to ransomware.

3. Due to the current geopolitical situation, Eastern European attackers will likely continue the barrage against US businesses and individuals while enjoying safe haven in their home country.

4. Back up your files! Since decrypting encrypted files is not always possible, frequent backups become even more critical. And keep your backup offline.

Q&A

Thank You! Twitter: @belogor

Previous MMW slides on http://cyphort.com/labs/malwares-wanted/