2. Malware just got personal
Ransomware is unlike other types of
malware – it affects victims in a very direct,
immediate and personal way
3. Are you worried you might be infected
with ransomware?
Don’t worry – you’ll know!
4. A brief historical overview
• The first “ransomware” is considered to be the
AIDS virus from 1989
– Distributed on infected floppy disks during the
World Health Organization’s international AIDS
conference
• GPCode (2006) – first public-key ransomware
• Then, everything was quiet for 7 years...
• CryptoLocker (2013) – first bitcoin-based
ransomware
• 2014-2016 exponential explosion of attacks!
5. Ransomware is here to stay
• Effects are immediate and irreversible
• Personal damage increases the chance
victims will pay
• Modern developments allow for
untrackable and irrevocable payments
Bottom line:
Ransomware is an
excellent business plan!
6. Evolution of payment methods
• The AIDS ransomware required victims to
send $189 to a post office box in Panama
• GPCode required them to pay $200 to an
e-gold or Liberty Reserve account
• CryptoLocker was the first to use Bitcoin,
demanding between $100 and $500
(1-2 BTC)
• Bitcoin is now the de facto currency of
ransomware attacks
– Anonymous
– Irrevocable
– Perfect for paying ransom!
10. CryptoLocker
• First seen in 2013
• Considered to be the first modern ransomware
• Distributed using the Zeus Gameover infrastructure
11. CryptoWall
• First seen in 2013
• First ransomware malvertising distribution
– Malicious ads infected unsuspecting visitors to
popular websites (including one.co.il and J.post)
12. TeslaCrypt
• First seen in 2015
• Became the dominant ransomware of 2015
• Also targeted gaming files (WoW, Call of Duty, etc.)
• Inexplicably shut down by its own operators in May
2016 (decryption keys were released)
13. Locky
• First seen in 2016
• Distributed over the Dridex infrastructure
• First to target healthcare sector specifically
14. Cerber (Cerberus)
• First seen in 2016
• Uses text-to-speech to talk to victims
• https://clyp.it/ovwyvomj
15. Powerware
• First seen in 2016
• Written purely as a PowerShell script
• Part of a wider “fileless malware” trend
16. RAA
• Written purely in JavaScript
• Can potentially run from inside the browser
• Potentially cross-platform
18. Ransomware-as-a-Business
• As the market grows, ransomware attacks
developed into ransomware operations
• Sporadic infections became streamlined
campaigns
• The clear monetary incentive is an engine
that drives this “industry” to constantly
improve and evolve
19. A full-scale evolution
• Delivery methods
• Encryption algorithms
• Key generation and infrastructure
• C&C communication
• Monetization
• Code quality
• Self protection
20. Ransomware-as-a-Service
• Some ransomware authors offer their code
to willing partners through a criminal-to-criminal
affiliate program
– Programmers write the code and maintain the
servers and keys
– Crime organizations distribute the payload to victims
and share the ransom with the programmers
• High quality ransomware is available to non-technical
but well-established criminals
• Pseudo-random variants are easily
generated to create an infinite number of
payloads
23. Ransomware modus operandi
• Step #1 - get a public key (usually RSA)
– Pre-generated public key hard-coded into
ransomware
– Server generates public key-pair on demand,
sends it to ransomware
• Step #2 - get a symmetric key (usually AES)
– Generated randomly on victim’s machine
– Server generates key, sends it to ransomware
encrypted with private key
• Step #3 - encrypt files with symmetric key
– File names are often modified
– All your files are belong to us!
24. Ransomware modus operandi
• Step #4 - encrypt symmetric key with
public key and destroy original key
– Send encrypted key to server
– Store encrypted key with files
• Step #5 - post encryption
– Show threatening ransom note
– Direct victim to pay the ransom to get the
private key or decrypt the symmetric key
• Step #6 - profit!
26. Always have a backup plan
• Backup often, backup early
• Many commercial solutions available
• Microsoft’s own Volume Shadow Copy
Service is built into the OS…
– ...and is also the first victim of ransomware
• So have a backup for your backup
27. The (obvious) approach
• Filter emails
• Filter attachments
• Enforce UAC
• Don’t persist network drives’ credentials
• Show file extensions (disabled by default)
28. The signature-based approach
• Hash-based solutions cannot protect
against randomly-generated samples
• More than half a million new hashes since
Jan 2016
– ...that we know of
• A heuristic solution is needed...
29. Ransomware research
• Find ransomware samples
• Put them in a cage
• Give them something to chew on
• Observe closely…
• What do they all have in common?
30. Execution method?
• Most ransomware simply runs from the
original executable file
• Some ransomware use randomized process
names
– Both completely random or word-based
• Some mimic existing process names
• Some inject code into explorer.exe,
svchost.exe, iexplore.exe etc.
• Some are fileless and script-based
31. Shadow-copy deletion?
• Some use vssadmin.exe to delete all
shadow copies
– vssadmin.exe delete shadows /all /quiet
• Others use wmic.exe, PowerShell, VB or
even the Windows API directly
– IVssBackupComponents::DeleteSnapshots
• This is a good idea in general, but about
50% of ransomware samples do not touch
the shadow-copy in any way
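The shadow-copy deletion commands listed on this slide are easy to spot in process-creation telemetry. The following is an added example, not code from the deck: a small rule set that matches the vssadmin, wmic and script-based (Win32_ShadowCopy) variants against a few constructed command lines. The rule shapes, the sample events and the image paths are assumptions chosen for illustration.

```python
import re

# Each rule: (label, pattern over the process command line). Case-insensitive
# because cmd.exe and PowerShell are. Assumed shapes, not vendor signatures.
SHADOW_COPY_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("script-based Win32_ShadowCopy deletion",
     re.compile(r"\b(powershell|pwsh|wscript|cscript)(\.exe)?\b.*\bwin32_shadowcopy\b.*\bdelete\b", re.I)),
]


def match_shadow_copy_deletion(command_line: str):
    """Return the label of the first rule that matches, or None."""
    for label, pattern in SHADOW_COPY_RULES:
        if pattern.search(command_line):
            return label
    return None


# Constructed process-creation events (image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe delete shadows /all /quiet"),
    (r"C:\Windows\System32\wbem\WMIC.exe",
     "wmic shadowcopy delete"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\""),
    (r"C:\Windows\System32\vssadmin.exe",
     "vssadmin list shadows"),                      # benign: enumeration only
    (r"C:\Program Files\Backup\backup.exe",
     r"backup.exe --full C:\Users"),                # benign: unrelated tool
]


def scan_events(events):
    """Return [(image, label)] for every event whose command line matches a rule."""
    hits = []
    for image, command_line in events:
        label = match_shadow_copy_deletion(command_line)
        if label:
            hits.append((image, label))
    return hits


if __name__ == "__main__":
    for image, label in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {label}: {image}")
```

A sample that calls IVssBackupComponents::DeleteSnapshots directly never produces such a command line, so this only covers the command-line variants; and, as the slide notes, about half of samples never touch shadow copies at all. Treat a hit as a strong supplementary signal, not as the primary detection.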
32. External communications?
• New domains constantly registered and
then abandoned
– Maintaining blacklists is an impossible mission
• DGA is now the standard
• Path and parameters used in URLs
constantly change
• Some use TOR
• Many do not need a C&C server at all
– Emails
– Deep-web domains
– Bitcoin wallet addresses
33. Encrypted file names?
• Original filename, new extensions
– .encrypted
– .breaking_bad & .heisenberg
– .mp3
– .id-5685627508968728-wisemind@zmail.com
– Random extension per execution (e.g., .afsqyse)
• Mangled filenames
– 1.R5A
• Files converted into self-extracting
executables with a .exe extension
• Some do not change filenames at all
34. Ransom notes?
• Opens HOW_TO_RESTORE_FILES.html
• Creates !Decrypt-All-Files-afsqyse.txt in all
directories
• Changes desktop background image to
ransom note
• Runs dedicated unkillable ransomnote
process
• Locks screen using iexplore.exe in Kiosk-
mode (not a bug - a feature!)
35. The common factor
No matter how the ransomware got there,
no matter how it generates keys,
no matter how it communicates home,
no matter how it was written,
no matter how it’s being executed...
...it must encrypt important files,
and this creates predictable file activity
patterns which cannot be avoided
36. File encryption methods
• Write into original file +
Rename original file
• Create a new file +
Delete original file
• Create a new temporary file +
Rename temporary file +
Delete original file
• … not many other combinations
37. Watching existing files
• Which files should be watched?
• How do we know they’re being encrypted?
– And not simply modified by a benign program?
• What about legitimate encryption
programs?
– Or even the simple & loveable WinRAR?
• What should be considered a “critical
mass” of encrypted files?
– Isn’t it too late by then? Ransomware may encrypt
as many as 100 files per second!
• This is often not enough...
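Slides 36 and 37 describe the three file-activity patterns and the difficulty of telling encryption apart from benign rewriting. As an added example (not the deck's own tooling), the analyser below groups a constructed stream of file events by process, uses byte entropy of written data as the "looks encrypted" signal, and counts watched documents that were renamed away or deleted while high-entropy data took their place, labelling which of the three patterns was seen. The event format, the watched extensions, the 7.0 bits/byte threshold and the sample events are all assumptions; the archiver case shows the WinRAR caveat from the slide (high-entropy output, but the originals survive).

```python
import math
import ntpath
import random
from collections import defaultdict

WATCHED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg"}   # assumed "important files"
HIGH_ENTROPY_BITS = 7.0   # encrypted (and compressed!) data approaches 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_watched_document(path: str) -> bool:
    return ntpath.splitext(path)[1].lower() in WATCHED_EXTENSIONS


def analyse(events):
    """Per pid, count watched documents lost (renamed away or deleted) while
    high-entropy data replaced them. Returns {pid: {"lost": n, "patterns": [...]}}."""
    state = defaultdict(lambda: {"high": set(), "created": set(), "renamed": set(), "lost": {}})
    for ev in events:
        s = state[ev["pid"]]
        op, path = ev["op"], ev["path"]
        if op == "create":
            s["created"].add(path)
        elif op == "write":
            if shannon_entropy(ev["data"]) >= HIGH_ENTROPY_BITS:
                s["high"].add(path)
        elif op == "rename":
            new = ev["new"]
            if is_watched_document(path) and path in s["high"]:
                s["lost"][path] = "write+rename"              # pattern 1
            if path in s["created"]:                          # temp file moved into place
                s["created"].discard(path)
                s["created"].add(new)
                s["renamed"].add(new)
                if path in s["high"]:
                    s["high"].discard(path)
                    s["high"].add(new)
        elif op == "delete":
            if not is_watched_document(path):
                continue
            # A new high-entropy file in the same directory is the suspected replacement.
            candidates = sorted(f for f in s["high"] if f in s["created"]
                                and ntpath.dirname(f) == ntpath.dirname(path))
            if not candidates:
                continue
            replacement = next((f for f in candidates if f.startswith(path)), candidates[0])
            s["high"].discard(replacement)                    # consume it once
            s["lost"][path] = ("temp+rename+delete" if replacement in s["renamed"]
                               else "create+delete")          # pattern 3 / pattern 2
    return {pid: {"lost": len(s["lost"]), "patterns": sorted(set(s["lost"].values()))}
            for pid, s in state.items()}


# Constructed data: deterministic pseudo-random bytes stand in for ciphertext.
CIPHERTEXT = random.Random(1).randbytes(4096)
PLAINTEXT = b"Quarterly report, draft 3. " * 150
D = r"C:\Users\alice\Documents"
SAMPLE_EVENTS = [
    # pid 100: all three patterns from slide 36
    {"pid": 100, "op": "write",  "path": D + r"\a.docx", "data": CIPHERTEXT},
    {"pid": 100, "op": "rename", "path": D + r"\a.docx", "new": D + r"\a.docx.encrypted"},
    {"pid": 100, "op": "create", "path": D + r"\b.pdf.encrypted"},
    {"pid": 100, "op": "write",  "path": D + r"\b.pdf.encrypted", "data": CIPHERTEXT},
    {"pid": 100, "op": "delete", "path": D + r"\b.pdf"},
    {"pid": 100, "op": "create", "path": D + r"\~tmp1"},
    {"pid": 100, "op": "write",  "path": D + r"\~tmp1", "data": CIPHERTEXT},
    {"pid": 100, "op": "rename", "path": D + r"\~tmp1", "new": D + r"\c.jpg.encrypted"},
    {"pid": 100, "op": "delete", "path": D + r"\c.jpg"},
    # pid 200: archiver writes high-entropy output but keeps the originals
    {"pid": 200, "op": "create", "path": D + r"\docs.rar"},
    {"pid": 200, "op": "write",  "path": D + r"\docs.rar", "data": CIPHERTEXT},
    # pid 300: editor saving through a temp file with ordinary content
    {"pid": 300, "op": "create", "path": D + r"\~d.tmp"},
    {"pid": 300, "op": "write",  "path": D + r"\~d.tmp", "data": PLAINTEXT},
    {"pid": 300, "op": "delete", "path": D + r"\d.docx"},
    {"pid": 300, "op": "rename", "path": D + r"\~d.tmp", "new": D + r"\d.docx"},
]

if __name__ == "__main__":
    for pid, verdict in analyse(SAMPLE_EVENTS).items():
        print(pid, verdict)
```

The entropy signal is deliberately weak on its own: a .docx is itself a zip container, so a legitimate save of a real document can look just like ciphertext. That is the gap the slide points at, and it is why the "critical mass" question has no clean answer from existing files alone.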
40. The proactive approach
• Create multiple disposable canary files
• Monitor file activity for these files
• If the canaries got encrypted - we got a
suspect!
– No reason for legitimate programs to modify them
• Determine whether the source was automated
and malicious
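A minimal canary-file implementation of the approach on this slide, added here as an example and not taken from the deck: decoys are planted with a recorded SHA-256 baseline, and a check reports any canary that was overwritten in place (write+rename pattern) or that disappeared (renamed away or deleted). The file names, the 512-byte decoy content and the in-process demo that tampers with two canaries are constructed for illustration; attributing the alert to a process and deciding whether that source is automated is left to the monitoring layer and is not shown.

```python
import hashlib
import os
import secrets
import tempfile

# Assumed decoy names: "00_" sorts first so a directory sweep reaches it early,
# "zz_" sorts last so a reverse sweep does too.
CANARY_NAMES = ("00_budget.xlsx", "00_passwords.docx", "zz_photos.jpg")


def _digest(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def plant_canaries(directory: str, names=CANARY_NAMES) -> dict:
    """Create decoy files with random content; return {path: sha256} baseline."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(b"CANARY " + secrets.token_bytes(512))
        baseline[path] = _digest(path)
    return baseline


def check_canaries(baseline: dict) -> list:
    """Return [(path, verdict)] for canaries that are no longer intact.
    Legitimate software has no reason to touch them, so any hit is a suspect."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))      # deleted, or renamed to a new extension
        elif _digest(path) != expected:
            alerts.append((path, "modified"))     # overwritten in place
    return alerts


def demo():
    """Plant canaries in a temp dir, verify they are clean, then simulate two of
    the file-activity patterns against them and return (clean, alerts)."""
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_canaries(d)
        clean = check_canaries(baseline)
        victim_a, victim_b, _ = sorted(baseline)
        with open(victim_a, "wb") as f:           # write into original file
            f.write(secrets.token_bytes(600))
        os.rename(victim_b, victim_b + ".encrypted")   # rename original away
        alerts = sorted(check_canaries(baseline))
        return clean, alerts


if __name__ == "__main__":
    clean, alerts = demo()
    print("before:", clean)
    for path, verdict in alerts:
        print(f"ALERT canary {verdict}: {path}")
```

In deployment the check runs on file-system change notifications rather than by polling, so that the alert arrives on the first canary touched instead of after a sweep; the rename case is reported as "missing" because the original path no longer exists, which is exactly what the new-extension and mangled-filename variants from slide 33 produce.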