
Post on 01-Feb-2020


CYBER EXTORTION

Coming to a Computer, near you.

Varun Nair

#whoami

• B.Tech from RGPV, Bhopal.

• For food and shelter, I work with Essar Group, Mumbai.

• 5 years of experience in Security.

• Trainer for Mumbai Police, ICAI and other educational institutions.

AGENDA

• Introduction to Cyber Extortion.

• Cryptolockers

• Facts and Figures

• Case Study-KRIPTOVOR

• Preventive Measures

What is Cyber Extortion?

History & Types

• Extortion in the physical world.

• Cyber Extortion in the business world

• Denial of Service

• Cryptolockers

• Leaking of Data

• Destruction of Data

Who does Cryptolocker target?

• Government

• Corporates

• Individuals

Why is it getting bigger?


What percentage of victims pay ransom?

• 0.1%

• 11%

• 25%

• 41%

• 52%

A whopping 41%

Decide

CRYPTOLOCKER OVERVIEW

[Diagram: Cryptolocker overview. Labels: Bitcoin Ransom Sent, C&C Server, Private Key Sent, Locked Files, Unlocked Files]

Victims??

Infection Level

Top 10 Infected Countries

Case Study- KRIPTOVOR

• It is an Infostealer + Ransomware.

• It was first used to steal cryptocurrency wallets from its victims.

• Then it evolved to include a ransomware component.

• Several victims reported having lost their files.

• It employs several evasion techniques and it even cleans up after itself whether or not it was successful in stealing or encrypting its targets.

• The malware also checks if the victim belongs to specific network segments.

Case Study- KRIPTOVOR

1. Email to Victim.

2. The victim opens the email and the attached Word document.

3. The Word document contains an embedded binary file, which the attacker crafted to look like a PDF file.

4. Opening the binary launches a PDF file containing a resume.

Evasion Techniques

The malware performs a series of checks as follows (the order varies depending on the variant):

• Check Internet connection by accessing http://www.adobe.com

• Enumerate processes running on the machine and check them against a list

• Obtain the victim's machine name and check it against a list.

• Obtain victim’s IP address by going to http://checkip.dyndns.org

• Check registry for certain entries

Infection Vector

The seemingly benign Word document contains an embedded binary file that is MPRESS packed (other variants are UPX packed).

The binary file is digitally signed with the same untrusted certificate that the attackers install onto the victim's machine later in the process.

Info-stealer Component

Double-clicking on the embedded file (KRIPTOVOR.Infostealer) launches a decoy document.

The KRIPTOVOR.Infostealer quits if it detects that it is running in a virtual environment.

The malware sends an email with the process list and a screenshot of the desktop as an attachment when the running process check passes.

Exit Technique

• If KRIPTOVOR.Infostealer discovers that there is no Internet connection or the system it is running on matches anything on the hard-coded list, it cleans itself up by deleting the decoy document and files in the victim's temporary folder, then exits.

• It also checks if it has been run before by looking up the following registry entry: HKEYCU\Software\Adobe\Installed

• If this key exists with a value of "True," it goes through the cleanup and exits. Otherwise, it places the key/value pair in the registry.

Payload Download

• It downloads a file from hxxp://plantsroyal[.]org/css/salomon.rar into the user folder as temporary.rar

• The file is then extracted to the %USERPROFILE% folder.

• As soon as this password-protected RAR file has been extracted, it changes the file attribute to hidden.

Payload Download

• The extracted file, which is the ransomware component, has the following attributes:

File: AdobeSystem.exe

Size: 1596456

MD5: 00e3b69b18bfad7980c1621256ee10fa

• Then an email with the process list and a screenshot of the desktop is sent to notify the attacker that things have gone well with the victim's machine.

Ransomware- Sending Files

• After sending an email, it goes through every file on the victim's computer. It is only interested in files with the following extensions:

Ransomware- Encrypting Files

• KRIPTOVOR also deletes all shadow copies on the machine with the following command. This prevents the victim from rolling the machine back to a previous state.

vssadmin.exe Delete Shadows /All /Quiet

• It enumerates the drive letters and is interested in fixed drives and network drives.

• It then scans the drives for the file types below to encrypt and adds a .JUST extension to them.

Ransomware- Ransom Notes

• It does not have any flashy signs informing the victim that their files have been encrypted.

• It leaves a “MESSAGE.txt” file in every folder that it has traversed including the Desktop and the Startup folders.
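As an added example (not part of the deck), a small Python detector that applies the host indicators the slides describe to constructed endpoint telemetry: the vssadmin shadow-deletion command, the HKEYCU\Software\Adobe\Installed marker key, files written with a .JUST extension, and MESSAGE.txt drops. The telemetry line format, rule names and verdict logic are assumptions.

```python
import re
from collections import Counter

# Constructed sample telemetry (not from the deck): one event per line,
# "type|key=value|key=value". Two lines are benign on purpose.
SAMPLE_EVENTS = r"""
process|image=C:\Windows\System32\vssadmin.exe|cmdline=vssadmin.exe Delete Shadows /All /Quiet
registry|key=HKCU\Software\Adobe\Installed|value=True
file|op=rename|path=C:\Users\alice\Documents\report.docx.JUST
file|op=create|path=C:\Users\alice\Desktop\MESSAGE.txt
process|image=C:\Windows\System32\vssadmin.exe|cmdline=vssadmin.exe List Shadows
file|op=create|path=C:\Users\alice\Desktop\notes.txt
""".strip().splitlines()

# The exact command from the slides; tolerate spacing/case variations.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

def parse_event(line):
    """Split 'type|k=v|k=v' into a dict; the event type lands under 'type'."""
    etype, *fields = line.split("|")
    event = {"type": etype}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def classify(event):
    """Return the name of the indicator an event matches, or None."""
    if event["type"] == "process" and SHADOW_DELETE.search(event.get("cmdline", "")):
        return "shadow_copy_deletion"
    if event["type"] == "registry":
        # The deck writes the key as HKEYCU\Software\Adobe\Installed; matching on the
        # hive-independent suffix also catches the HKCU / HKEY_CURRENT_USER spellings.
        key, value = event.get("key", "").lower(), event.get("value")
        if key.endswith(r"\software\adobe\installed") and value == "True":
            return "kriptovor_run_marker"
    if event["type"] == "file":
        path = event.get("path", "")
        if path.upper().endswith(".JUST"):
            return "just_extension_write"
        if path.rsplit("\\", 1)[-1].lower() == "message.txt":
            return "ransom_note_drop"
    return None

def scan(lines):
    """Count indicator hits across the event lines."""
    hits = Counter()
    for line in lines:
        name = classify(parse_event(line))
        if name:
            hits[name] += 1
    return hits

def verdict(hits):
    """Shadow-copy deletion alone is high confidence; else require two distinct indicators."""
    return "ransomware_activity" if hits["shadow_copy_deletion"] or len(hits) >= 2 else "clean"
```

Running `verdict(scan(SAMPLE_EVENTS))` on the constructed lines yields `ransomware_activity`, with the benign `List Shadows` and `notes.txt` events ignored.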

Ransomware- Ransom Notes

• The cost of the decryptor can be obtained by writing an email to: payment.cashery@gmail.com

• In the subject line please include your ID:6756193866

• Please do not try to decrypt the files using third-party tools.

• You can completely corrupt them, and even the original decryptor will not help.

• Requests will be accepted until 3/18/2015

• After 3/18/2015 requests will be ignored.

• Emails are handled automatically by the system.

• There may be a delay in responses

Preventive Measures

• Ensure your operating system and security software are regularly updated.

• Consider investing in substantial anti-virus tools, including specialist Cryptolocker prevention kits.

• Don't open attachments from unknown sources or from emails that appear to be from a legitimate source but are suspicious.

• Regularly back up important data and keep it within unconnected storage.

• Consider moving more data to cloud services offered by Google and others.

Preventive Measures

• Businesses should check incident response and resilience protocols to monitor for infection.

• Ensure staff are educated in good computing practices and how to spot threats.

• Use software to identify if a computer is infected. If so, disconnect it from networks immediately and seek professional advice.

• If you believe you have been compromised, change online account passwords and network passwords after removing the system from the network.

• Block .exe files over email, including within ZIP files. This can usually be done using an anti-spam system.

Any Questions Other Than

Thank you

Contact @ +91-8879 3577 21

varun13hunky@gmail.com
