TRANSCRIPT
© Copyright Fortinet Inc. All rights reserved.
Understanding Ransomware: Clear and Present Danger October 17-19, 2016
Raul Alvarez
About Me
Senior Security Researcher @ Fortinet
22 published articles in Virus Bulletin
Regular contributor in our company blog
Confidential
Agenda
Basic Terms
Ransomwares In The Wild
Minimizing The Impact Of Ransomware
Basic Terms - Malware
malware: virus/file infectors, trojan, worm, keylogger, password stealer, dropper, downloader, ransomware, POS malware, macro/script malware, bot/botnet
Basic Terms - Ransomware
Ransomware *google search*
Basic Terms - BitCoin
crypto-currency, digital money
Basic Terms - Tor
How Tor Works
[Three diagrams: How Tor Works; images taken from torproject.org]
Ransomwares in the Wild
Friendly but Deadly
CryptoWall 3.0 and 4.0
Cryptowall 3.0
Encrypts files
Comes via phishing email and exploit kits
Injects its code into a running process
Connects to CnC (Command and Control)
Holds the computer for ransom
Requires bitcoin for payment
Asks users to use the TOR browser
Cryptowall 4.0
Similar to Cryptowall 3.0
Encrypts file names
Gives more instructions and information
CryptoWall 3.0 (screenshots)
Cryptowall 3.0 – Instruction list (jpg)
Cryptowall 3.0 – Instruction list (html)
Cryptowall 3.0 – Decryption Service (two screens)
Cryptowall 4.0 (screenshots)
Cryptowall 4.0 – Instruction List
Cryptowall 4.0 – Package Deal
Cryptowall 4.0 – Walkthrough
Cryptowall 4.0 – Options
Cryptowall 4.0 – We Are Here To Help
Cryptowall 4.0 – Again, You Are Late
Cryptowall 4.0 – Additional Information
Cryptowall 4.0 – Decryption Service
Cryptowall 4.0 – Decryption Service (Tor)
Cryptowall 4.0 – wrong code
Cryptowall 4.0 – Your key not found
Cryptowall 4.0 – Count Down Timer (two screens)
Cryptowall 4.0 – Oooops!
Cryptowall 4.0 – Oooops! Try Again
Cryptowall 4.0 – Please Wait …
Cryptowall 4.0 – Ooopss! Invalid Payment
Cryptowall 4.0 – FAQ
Cryptowall 4.0 – Customer Support (two screens)
Encryption + Infection
Virlock
Locks your screen for ransom
Infects files
Uses metamorphic algorithm
Uses on-demand polymorphic algorithm
[Five image-only slides]
Just kidding!
Virlock – File Infection
Cleaning: Extracting The Host File
[Figure: the Encrypted Host File is decrypted with the DecryptionKey, giving the Original Host Filename and the Decrypted Host File]
Armoring Techniques
Virlock - Metamorphic
Metamorphic Algorithm (sample 1)
[Figure labels: irrelevant bytes; decrypted bytes; first DWORD; second DWORD; third DWORD]
Metamorphic Algorithm (sample 2)
[Figure labels: irrelevant bytes; first DWORD; second DWORD; third DWORD; decrypted bytes]
Virlock – Polymorphic Algorithm
NewKeyGenerator
[Figure: location of the bytes needed to generate the new key; the starting location is one byte before the first DWORD value from RDTSC; EAX = DWORD value; NEW KEY]
[Figure: NEW KEY; old key; new key; location of the NEW KEY]
Sample On-demand Polymorphic Values
encrypted with OLD KEY:
1C B0 19 99
F4 C7 7E 64
E2 40 7B 9A
F4 00 7B F1
decrypted code:
E8 B0 62 02
00 C7 05 FF
16 40 00 01
00 00 00 6A
encrypted with NEW KEY:
75 EB 89 E2
9D 9C EE 1F
8B 1B EB E1
9D 5B EB 8A
Detection
[The same polymorphic-values dump and the two NewKeyGenerator figures are shown again on three slides for the detection discussion]
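The three 16-byte blocks on the "Sample On-demand Polymorphic Values" slide and the "Detection" slides that reuse them make one point: the encrypted bytes change with every new key, while the decrypted code stays the same. The script below is an added example, not code from the talk or from Fortinet. It copies the bytes from the slide and checks an inference the slide itself does not state: that each block is the decrypted code XORed DWORD by DWORD with one 32-bit key. The check is a known-plaintext key recovery, which goes a step beyond the slide; the decrypted bytes read as x86 (E8 = call rel32, C7 05 = mov dword ptr [imm32], imm32, 6A = push imm8), which is why treating them as the plaintext is reasonable.

```python
# Added example (not from the slides). Byte values are copied from the
# "Sample On-demand Polymorphic Values" slide; the DWORD-wise XOR relation
# between them is an inference that this code verifies, not a fact the
# slide states.

OLD_KEY_BLOCK = bytes.fromhex("1CB01999 F4C77E64 E2407B9A F4007BF1")  # "encrypted with OLD KEY"
DECRYPTED = bytes.fromhex("E8B06202 00C705FF 16400001 0000006A")      # "decrypted code"
NEW_KEY_BLOCK = bytes.fromhex("75EB89E2 9D9CEE1F 8B1BEBE1 9D5BEB8A")  # "encrypted with NEW KEY"


def xor_dwords(data: bytes, key: bytes) -> bytes:
    """XOR every 4-byte group of `data` with the same 4-byte key."""
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, plaintext: bytes):
    """Known-plaintext recovery of a repeating 4-byte XOR key.

    Returns the key if every DWORD of ciphertext XOR plaintext yields the
    same 4 bytes, otherwise None (lengths differ, or no single key fits).
    """
    if len(ciphertext) != len(plaintext) or len(ciphertext) % 4 or not ciphertext:
        return None
    candidates = {
        bytes(c ^ p for c, p in zip(ciphertext[i:i + 4], plaintext[i:i + 4]))
        for i in range(0, len(ciphertext), 4)
    }
    return candidates.pop() if len(candidates) == 1 else None


def stable_byte_positions(a: bytes, b: bytes) -> list:
    """Offsets at which two encrypted copies of the same code still agree.

    A byte-pattern signature on the encrypted layer can only rely on these
    positions; with a fresh RDTSC-derived key per run there may be none.
    """
    return [i for i, (x, y) in enumerate(zip(a, b)) if x == y]


def analyse() -> dict:
    """Recover both keys from the slide's bytes and confirm they round-trip."""
    old_key = recover_xor_key(OLD_KEY_BLOCK, DECRYPTED)
    new_key = recover_xor_key(NEW_KEY_BLOCK, DECRYPTED)
    return {
        "old_key": old_key.hex() if old_key else None,
        "new_key": new_key.hex() if new_key else None,
        "old_roundtrip": old_key is not None and xor_dwords(OLD_KEY_BLOCK, old_key) == DECRYPTED,
        "new_roundtrip": new_key is not None and xor_dwords(DECRYPTED, new_key) == NEW_KEY_BLOCK,
        # Opcode of the first decrypted instruction (0xE8 = call rel32).
        "first_opcode": DECRYPTED[0],
        "stable_encrypted_bytes": stable_byte_positions(OLD_KEY_BLOCK, NEW_KEY_BLOCK),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value}")
```

The takeaway for detection is the last field of the result: not a single byte is shared between the two encrypted copies, so a signature has to target what is constant, the decrypted code or the key-generation stub itself, rather than the encrypted bytes of any one sample.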
The Guardian
Petya
Overwrites the MBR (Master Boot Record)
Where do we get them?
Sources of Ransomware
Drive-by download
Phishing emails
Exploit kits
Other Trojans and Malware
0-day attacks
Minimizing The Impact Of Ransomware
Minimizing Impact of Ransomware
Install security applications
Always update
Perform regular backups
Be aware of malicious attachments
Always prefer to use lower level access
Be sure to set up a firewall
Always train your users
Wrap Up
We learned a few basic terms.
We saw some ransomwares found in the wild.
We learned some tips to minimize the impact of ransomwares.
Should we pay the ransom?