© Copyright Fortinet Inc. All rights reserved.

Understanding Ransomware: Clear and Present Danger October 17-19, 2016

Raul Alvarez

About Me

3

About Me

Senior Security

Researcher @ Fortinet

22 published articles in

Virus Bulletin

Regular contributor in our

company blog

Confidential

Agenda

5

Agenda

Confidential

Basic Terms

Ransomwares In The Wild

Minimizing The Impact Of Ransomware

Basic Terms

7

Basic Terms - Malware

Confidential

malware

virus/

file infectors trojan

worm

keylogger

password

stealer

dropper

downloader

ransomware

POS malware

macro

script malware

bot/botnet

8

Basic Terms - Ransomware

Confidential

Ransomware

*google search*

9

Basic Terms - BitCoin

Confidential

crypto-currency

digital money

10

Basic Terms - Tor

Confidential

How Tor Works

12

How Tor Works

Confidential

Image taken from torproject.org

13

How Tor Works

Confidential

Image taken from torproject.org

14

How Tor Works

Confidential

Image taken from torproject.org

Ransomwares in the Wild

16 Confidential

Friendly but Deadly

CryptoWall 3.0 and 4.0

18

Cryptowall 3.0

Confidential

Encrypts files

Comes via phishing email and exploit kits

Injects its code to a running process

Connects to CnC (Command and Control)

Holds the computer for ransom

Requires bitcoin for payment

Asks users to use TOR browser

19

Cryptowall 4.0

Confidential

Similar with Cryptowall 3.0

Encrypts file names

Gives more instructions and information

CryptoWall 3.0

21

Cryptowall 3.0 – Instruction list (jpg)

Confidential

22

Cryptowall 3.0 – Instruction list (html)

Confidential

Cryptowall 3.0 – Decryption Service

24

Cryptowall 3.0 – Decryption Service

Confidential

25

Cryptowall 3.0 – Decryption Service

Confidential

Cryptowall 4.0

27

Cryptowall 4.0 – Instruction List

Confidential

28

Cryptowall 4.0 – Package Deal

Confidential

29

Cryptowall 4.0 – Walkthrough

Confidential

30

Cryptowall 4.0 – Options

Confidential

31

Cryptowall 4.0 – We Are Here To Help

Confidential

32

Cryptowall 4.0 – Again, You Are Late

Confidential

33

Cryptowall 4.0 – Additional Information

Confidential

Cryptowall 4.0 – Decryption Service

35

Cryptowall 4.0 – Decryption Service

Confidential

36

Cryptowall 4.0 – Decryption Service (Tor)

Confidential

37

Cryptowall 4.0 – wrong code

Confidential

38

Cryptowall 4.0 – Your key not found

Confidential

39

Cryptowall 4.0 – Count Down Timer

Confidential

40

Cryptowall 4.0 – Count Down Timer

Confidential

41

Cryptowall 4.0 – Oooops!

Confidential

42

Cryptowall 4.0 – Oooops! Try Again

Confidential

43

Cryptowall 4.0 – Please Wait …

Confidential

44

Cryptowall 4.0 – Ooopss! Invalid Payment

Confidential

45

Cryptowall 4.0 – FAQ

Confidential

46

Cryptowall 4.0 – Customer Support

Confidential

47

Cryptowall 4.0 – Customer Support

Confidential

48 Confidential

Encryption + Infection

Virlock

50

Virlock

Confidential

Locks your screen for ransom

Infects files

Uses metamorphic algorithm

Uses on-demand polymorphic algorithm

51

52

53

54

55

56 Confidential

Just kidding!

Virlock – File Infection

58

Cleaning: Extracting The Host File

Confidential

Decrypts the

HOST file

DecryptionKey

Original Host

Filename Encrypted Host File

Decrypted Host File

59 Confidential

Armoring Techniques

Virlock - Metamorphic

61

Metamorphic Algorithm (sample 1)

Confidential

irrelevant bytes

decrypted bytes

first DWORD

second DWORD

third DWORD

62

Metamorphic Algorithm (sample 2)

Confidential

irrelevant bytes

first DWORD

second DWORD

third DWORD

decrypted bytes

Virlock – Polymorphic Algorithm

64

NewKeyGenerator

Confidential

location of the

bytes needed to

generate the

new key

starting location

is one byte

before the first

DWORD value

from RDTSC

EAX = DWORD value

NEW KEY

65

NewKeyGenerator

Confidential

NEW KEY

old key

new key

location of the NEW KEY

66

Sample On-demand Polymorphic Values

Confidential

1C B0 19 99

F4 C7 7E 64

E2 40 7B 9A

F4 00 7B F1

E8 B0 62 02

00 C7 05 FF

16 40 00 01

00 00 00 6A

75 EB 89 E2

9D 9C EE 1F

8B 1B EB E1

9D 5B EB 8A

encrypted with OLD KEY

decrypted code

encrypted with NEW KEY

67

Detection

Confidential

1C B0 19 99

F4 C7 7E 64

E2 40 7B 9A

F4 00 7B F1

E8 B0 62 02

00 C7 05 FF

16 40 00 01

00 00 00 6A

75 EB 89 E2

9D 9C EE 1F

8B 1B EB E1

9D 5B EB 8A

encrypted with OLD KEY

decrypted code

encrypted with NEW KEY

68

Detection

Confidential

location of the

bytes needed to

generate the

new key

starting location

is one byte

before the first

DWORD value

from RDTSC

EAX = DWORD value

NEW KEY

69

Detection

Confidential

location of the

bytes needed to

generate the

new key

starting location

is one byte

before the first

DWORD value

from RDTSC

EAX = DWORD value

NEW KEY

70 Confidential

The Guardian

Petya

72

Petya

Confidential

Overwrites the MBR(Master Boot Record)

Where do we get them?

74

Sources of Ransomware

Confidential

Drive-by download

Phishing emails

Exploit kits

Other Trojans and Malware

0-day attacks

Minimizing The Impact Of Ransomware

76

Minimizing Impact of Ransomware

Confidential

Install security applications

Always update

Perform regular backup

Be aware of malicious

attachments

Always prefer to use lower level

access

Be sure to setup up a firewall

Always train your users

77

Minimizing Impact of Ransomware

Confidential

Install security applications

Always update

Perform regular backup

Be aware of malicious

attachments

Always prefer to use lower level

access

Be sure to setup up a firewall

Always train your users

78

Minimizing Impact of Ransomware

Confidential

Install security applications

Always update

Perform regular backup

Be aware of malicious

attachments

Always prefer to use lower level

access

Be sure to setup up a firewall

Always train your users

79

Minimizing Impact of Ransomware

Confidential

Install security applications

Always update

Perform regular backup

Be aware of malicious

attachments

Always prefer to use lower level

access

Be sure to setup up a firewall

Always train your users

80

Minimizing Impact of Ransomware

Confidential

Install security applications

Always update

Perform regular backup

Be aware of malicious

attachments

Always prefer to use lower

level access

Be sure to setup up a firewall

Always train your users

81

Minimizing Impact of Ransomware

Confidential

Install security applications

Always update

Perform regular backup

Be aware of malicious

attachments

Always prefer to use lower level

access

Be sure to setup up a firewall

Always train your users

82

Minimizing Impact of Ransomware

Confidential

Install security applications

Always update

Perform regular backup

Be aware of malicious

attachments

Always prefer to use lower level

access

Be sure to setup up a firewall

Always train your users

83

Wrap Up

Confidential

We learned a few basic terms.

We saw some ransomwares found in the wild.

We learned some tips to minimize the impact

of ransomwares

84 Confidential

Should we pay the

ransom?