Just as the title says, we go over the humble origins, touch on the notable variants of yesteryear, the big hitters of today, and discuss the future of ransomware. It's no longer just for windows anymore. Linux, Mac and Mobile platforms are all ripe for extortion.
This humorous and entertaining talk teaches everyone, from Mom and Pops to large enterprise organizations what's really happening and how to protect themselves.
2. @R41nM4kr www.MeteorMusic.com
whoami – Andy Thompson
• Strategic Advisor – CyberArk Software
• B.S. MIS – University of Texas at Arlington
• COMPTIA A+ & Sec+
• (ISC)2 SSCP & CISSP
• GIAC – Certified Penetration Tester (GPEN)
• Married, Father of 2 girls.
• Member of Shadow Systems Hacker Collective
• Member of Dallas Hackers Association
3. @R41nM4kr www.MeteorMusic.com
Agenda
• Overview
• In the News
• Timeline
• Technical Analysis
• Analysis of Client Infection
• Command & Control (C2) Architecture
Setup/Design
• Evolved Ransomware
• Mitigation techniques
4. @R41nM4kr www.MeteorMusic.com
Cyber Extortion Defined
• Cyber extortion is an online crime involving an attack or threat
of attack against a person or enterprise, coupled with a
demand to stop the attack.
• Cyber extortions have taken on
multiple forms:
• Encrypting Data and holding it hostage
• Threatening exposure
• Denying access to data or services
6. @R41nM4kr www.MeteorMusic.com
Ransomware Defined…
• Leveraging technical controls to inhibit use
of data.
• Operates under the assumption that the
data is important enough that users are
willing to pay for recovery.
• There is no guarantee of actual recovery,
even after payment is made.
Fraud Investigators Association of Texas October 13-14, 2016
7. @R41nM4kr www.MeteorMusic.com
Ransomware: A lucrative criminal industry
• Harjavec Group states $216
million in just Q1 of 2016.
• Total ransoms paid in 2016
amount to over…
• ONE BILLION DOLLARS.
8. @R41nM4kr www.MeteorMusic.com
Some Scary Stats…
• HIPPAA now considers ransomware a
breach as the organization lost control of its
data.
• Only a quarter of American homes back up
their data on a regular basis.
• Over the past 12 months almost half of all
US companies have been affected by
ransomware.
Much larger ransoms have been demanded into the millions. Some
organizations refuse to pay and suffer the consequences. Others do not
disclose they have actually paid the ransom.
9. @R41nM4kr www.MeteorMusic.com
Largest Ransoms Paid
• Los Angeles Valley College
$30,000
• University of Calgary
$20,000
• Presbyterian Medial Center
$17,000
Fraud Investigators Association of Texas October 13-14, 2016
10. @R41nM4kr www.MeteorMusic.com
Malvertising
• Malicious Banner ads using Exploit Kits
• Angler, Neutrino, RiG, Nuclear, ZaiXin,
Magnitude
• Victim Sites include:
• NYTimes, BBC, MSN AOL
• InfoLinks, Realtor.com, Xfinity
• Answers.com, Spotify, Ebay
• DrudgeReport and many many many others.
12. @R41nM4kr www.MeteorMusic.com
The First Ransomware: The AIDS Virus
• Discovered in 1989
• Replaced Autoexec.bat
• After 90 days, Encrypted
file names on c:/
• Asked to ‘renew the license’
• $189 to a PO box in
Panama
• Dr. Joseph Popp was arrested
by Scotland Yard later that
year and charged with
blackmail
14. @R41nM4kr www.MeteorMusic.com
Internet Era Ransomware: FBI Lockscreen
• Circa 2011
• Reveton Trojan Family
• Impersonates national law
enforcement
• Locks out of PC
• Easily removed
• Boot to safemode
• Remove registry key
17. @R41nM4kr www.MeteorMusic.com
CryptoLocker
• Started to appear around
September 2013
• Delivered mainly though the
GamoverZeus (GoZ) P2P
Botnet
• Used Domain Generated
Algorythms (DGA)
• Produce thousands of domains
• Only 1 or 2 were real
Example: Faoefijawjfaslekf9ejaklja[.]ru
Bitcoin Price
22. @R41nM4kr www.MeteorMusic.com
Torrentlocker: A common naming convention
• "(AUS|NSW)"-
"(POST|GOV)"."(com|org|net|etc)
• Example: enforcement-aus-gov.org
• Example: nsw-post.com
• Easy to block Top Level Domain
(TLD)
Fraud Investigators Association of Texas October 13-14, 2016
26. @R41nM4kr www.MeteorMusic.com
Smell ya Later TeslaCrypt!
• May 18th
• Distributors Switching to
CryptXXX & other variants
• Researcher asked in chat for the
master decryption key.
30. @R41nM4kr www.MeteorMusic.com
Petya – The MBR Encryptor
• Rewrites systems MBR and forces BSOD.
• Fake “check disk” runs and encrypts Master
File Table.
• Blocks access to entire machine, not just
your files.
31. @R41nM4kr www.MeteorMusic.com
PowerWare – Using your own tools against you.
• Leverages MS Word and Native
PowerShell.
• Does not pull down any additional
binaries, and leverages PowerShell
(already on the system and approved to
be there) to do the dirty work.
32. @R41nM4kr www.MeteorMusic.com
Jigsaw – I want to play a game.
• Ransom payment of $150
• Serious about its threats
• Every hour it deletes 100 files
permanently.
• Every reboot it deletes 1000 files.
• Decrypter available now.
33. @R41nM4kr www.MeteorMusic.com
• Exploits known
vulnerabilities in unpatched
servers.
• Specifically JBOSS.
• 3.2 Million Servers
vulnerable.
• Once in, laterally moves to
cause the most amount of
destruction
Samas/Samsam/MSIL.B/C
SAMSAM/MAKTUB
37. @R41nM4kr www.MeteorMusic.com
SATAN - Continued.
• Customize your ransomware:
• Pick your ransom amount.
• Add your own BTC address.
• Choose the multiplier.
• Authors keep 30%
42. @R41nM4kr www.MeteorMusic.com
The RAW IP Address
• Used for Geolocation
• Exclude code execution or perform
different operation based on global
position
• Attempt to display message in native
language
• Unique Identifier
• Added hash with other system info.
• Can restrict one infection per IP address
• Identify possible analysis attempts
44. @R41nM4kr www.MeteorMusic.com
Linux.Encoder Ransomware
• Targets Linux powered web servers by encrypting
MySQL, Apache, and home/root
folders associated with the target
• Asks for 1 bitcoin to decrypt
crucial files.
• 3 versions currently. All have been
already decrypted
• Written by this guy.
45. @R41nM4kr www.MeteorMusic.com
OSX KeRanger
• Discovered March 4, 2016
• Downloaded 6000 times before it was shut down.
• Variant of Linux.encoder & “Educational” Hidden Tear Ransomware
• Recompiled into the Open Source Bit torrent client Transmission.
• Published on their site with updated MD5 Hash.
• Turkish Developer Key was used to bypass Apple’s Gatekeeper
Security Feature
46. @R41nM4kr www.MeteorMusic.com
IOS “Ransomware”
• May 2014 Australian iPhone users
were victims of Ransomware attack.
• Actually victims iCloud accounts were
phished.
• Devices were put in Lost (LOCKED) mode
w/ ransom message.
• Failure to pay resulted in wiped device.
• Russian Officials Arrested 2 People a
month later.
47. @R41nM4kr www.MeteorMusic.com
SIPLockr – 1st Android Encrypting Ransomware
• Detected June 1st, 2014
• Lots of Android Screen Lockers, but
this was the first file encrypter.
• Encrypts *.jpg, *.jpeg, & *.png
to *.enc
• Communicates to C2 via Tor network
• Decrypter is currently available.
Fraud Investigators Association of Texas October 13-14, 2016
48. @R41nM4kr www.MeteorMusic.com
Adult Player – Extortion at its Finest
• Masquerades as a Porn Movie player.
• Takes photos using the front facing camera
while in use.
• Initiate Lock screen with photos and ransom
message.
• If ransom is not paid, send message and photos
to all contacts on phone.
• Easy to fix
50. @R41nM4kr www.MeteorMusic.com
Internet of Things
• Institute for Critical
Infrastructure Technology
– “IoT presents an Infinite
attack surface”.
• What’s next?
• Pacemakers/Insulin pumps
• Automobiles
• Your house
51. @R41nM4kr www.MeteorMusic.com
THE FUTURE IS NOW!
• Pen Test Partners at DEF CON
24 successfully compromised a
connected thermostat
• Locked out of device until
ransom paid
• Can also turn up/turn down
temperature as part of the
extortion process
54. @R41nM4kr www.MeteorMusic.com
Mitigation Techniques
• Backup often
• Keep disconnected when not in use
• Review and restrict access to shared
resources
• Disconnect from Network Shares when not
in use.
• Train end-users about social engineering
techniques.
• Phishing
• PHISHING
• PHISHING!
55. @R41nM4kr www.MeteorMusic.com
More Mitigation Techniques
• Antivirus
• Actually keep it updated.
• Patch the OS and software.
• Can’t exploit vulnerabilities
that have been patched.
• Prevent Malvertising/injection
• Adblock/ublock Orgin/AdFender
• Noscript
• Sandboxie
• End of Life – It’s called that for a
reason
56. @R41nM4kr www.MeteorMusic.com
Even More Mitigation Techniques
• Only install software from trusted
sources
• Follow the pack
• Apple store is safe
• Bad code still falls through
• Android marketplace still iffy
• You have to trust the developer
• Avoid Open Source Software
• Validate Hashes from external
sites
Fraud Investigators Association of Texas October 13-14, 2016
57. @R41nM4kr www.MeteorMusic.com
Will this guy ever stop?
• Intrusion Prevention Systems
• Actually implement block mode.
• Web Content Providers host their
own ad content
• Probably unrealistic, but it’s a real
possibility for small/medium
businesses.
• Macros.
• Do I really have to say it?
• Disassociate Dangerous Extensions.
• js,jse,wsf,wsh,hte,lng,ps1,cmd,bat,
vbs,vbe
58. @R41nM4kr www.MeteorMusic.com
Advanced Mitigation Techniques
• Prevent Lateral Movement in your environment.
• No password reuse.
• Frequent Password Rotation.
• Enable Least Privilege
• Not everyone needs administrative rights.
• Even better, implement Application Control
• Restrict the binaries from ever executing
• AC can prevent ransomware entirely
• Isolate your Critical Resources
Ransomware no longer wants to infect a single machine. Isolate the infection.
60. @R41nM4kr www.MeteorMusic.com
Reasons why you SHOULD pay.
• You get your files back. (maybe)
• It’s in their best interest to deliver.
• FBI previously stated, “easiest path
is to pay”.
• It might be cheaper.
61. @R41nM4kr www.MeteorMusic.com
Reasons why you Shouldn't pay.
• US-CERT & FBI clearly say no.
• It might be cheaper, but it’s really
not.
• Disclosure is not cheap.
• There’s a target on your back.
• Copycat attacks are real.
• No guarantee you get your files
back.
• The Criminals win.
“The FBI does not condone
payment of ransom, as payment
of extortion monies may
encourage continued criminal
activity ... or be used to facilitate
serious crimes.”
- Chris Stangl, a section chief in the FBI's cyber
division
62. @R41nM4kr www.MeteorMusic.com
Help! I’ve been ransomwared!
What do you recommend?
• Contact your friendly neighborhood hacker.
• Research the variant.
• Take the machine offline.
• Change ALL the passwords!
• Wait…wait as long as you have to.
Fraud Investigators Association of Texas October 13-14, 2016
In July 2013, a 21-year-old man from Virginia, whose computer coincidentally did contain pornographic photographs of underaged girls with whom he had conducted sexualized communications, turned himself in to police after receiving and being deceived by ransomware purporting to be an FBI message accusing him of possessing child pornography. An investigation discovered the incriminating files, and the man was charged with child sexual abuse and possession of child pornography
January 2015, A 17 year old boy from Windsor, Berkshire hanged himself after having been locked out of his system, thinking the police were pursuing him.
Cisco/Talos security stated on Friday April 15th, that 4.2 million servers were still vulnerable to the jboss exploit responsible for the sam.sam string of ransomware.
The Federal Financial Institutions Examination Council’s CyberSecurity Assessment Tool actually rates organizations with large amounts of open source software in their organizations.
Directly from the CERT Advisory:
Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
On October 21, 2015 at the Cyber Security Summit at Boston’s Back Bay Events Center, Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in Boston stated, “The ransomware is that good. To be honest, we often advise people just to pay the ransom.”
The United States Computer Emergency Readiness Team seems to disagree with the FBI in their March 31st Alert on Ransomware.
“Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information,” the advisory says. “In addition, decrypting files does not mean the malware infection itself has been removed.”