Ransomware - a malicious software used by hackers to block access to a computer system until a ransom is paid. Attackers contact the user with ransom demands. Most attackers request payment in Bitcoin (the crypto-currency). Even if you pay the ransom, the attackers may not deliver the key to unencrypt files. As ransomware attacks continue to grow in number and sophistication, individual PC users and organizations should reassess their current security strategy. There is a common misconception that adding layers of automated defence technologies will reduce the risk of falling victim to ransomware attacks. While endpoint security products and secure email gateways can offer some level of protection, sooner or later a phishing email, which is the most widely-used attack vector, will penetrate defences and user will be faced with determining whether or not an email is legitimate or part of an attack.

1. Col Inderjit Singh
Chief Information Officer
Khemist.in
@inderbarara
@inderbarara
Ransomware
Emergence of the Cyber-Extortion Menace

2. A little bit of History
2008
AIDS Trojan Gpcode 12-2012 02-2014 05-2014 5-2015 -
1989 (1024 Something Cryptode Cryptowall 10-2014 Included
(symmetric) bit) (targeted) fense Oz Post in Kits
2006 09-2012 09-2013 04-2014 06-2014 1-2015 –
Cryzip, Gpcode Reveton Cryptolocker Crytodefense CTB-Locker Crypto
Wall V3
(660 Bit),Others (Lock Only) Variant

3. Ransomware: Escalating Extortion

4. Insight Into
Ransomware Campaign

5. Ransomware
• A type of malware that restricts access to the infected computer system in someway and
Demands that the user pay a ransom to the malware operators to remove the restriction.
• Some of the Malicious actions by Malware:
 Encrypt personal files ( images, movie files, documents, text files)
 Encrypt files on shared network drives/ resources
 Lock system access using login
 Crash system through resource use – eg spawning processes
 Disrupt and annoy – open browser windows, display pornographic images

6. Stages of Ransomware
• Step 1: Targeting – OS, Geography, banking/ e-Commerce, Consumer
• Step 2: Propagation –phishing, drive-by-download, attachments
• Step 3: Exploit - exploit kits, vulnerability-based, unpatched systems
• Step 4 : Infection – payload delivery, backdoor access
• Step 5: Execution – encryption, disruption, blocked access, Ransom

7. Office files PDF files Database files
Images & Drawings Games files
Targeted Files

8. How Ransomware Works?
Step 1 Step 2

9. Ransom Evolves: Learning New Tricks
Using TOR Network
to Hide C&C
Bitcoin is default
payment method
Mobile and Cloud based
ransomware
Increasingly difficult to detect
and shutdown ransomware
Harder for Law
enforcement to trace
Near impossible to
decrypt
without paying

10. Onion Routing (ToR)
• By Paul Syverson, Nick Mathewson,
Roger Dingledine in 2004
• Low-latency anonymous network
• Maintained by Free Haven Project
• Hundreds of nodes on all continents
• Supports only TCP
• Uses SOCKS interface
• Continuously encrypt data across a network.
• Data begins in the outermost layer of
encryption and is modified at each individual
stop.

11. How Tor Works? - Onion Routing
• A circuit is built incrementally one hop by one hop
• Onion-like encryption
• ‘Alice’ negotiates an AES key with each router
• Messages are divided into equal sized cells
• Each router knows only its predecessor and successor
• Only the Exit Router (OR3) can see the message, however it does
not know where the message is from
Alice Bob
OR2
OR
1
M
√M
M
OR3
M
C1 C2
C2 C3
C3 Port

12. Ransomware: Operation with ToR
Step6
Step 2
• Uses Diffie-Hellman key
exchange
• Distributes data over
several places
• Takes random pathway
• Used with Privoxy

13. Ransom Evolves: Learning New Tricks
Using TOR Network
to Hide C&C
Bitcoin is default
payment method
Mobile and Cloud based
Ransomware
Increasingly difficult to detect
and shutdown ransomware
Harder for Law
enforcement to trace
Near impossible to
decrypt
without paying

14. What is Bitcoin
Bitcoin is an digital currency introduced in 2008 by pseudonymous developer
"Satoshi Nakamoto". That can be exchanged for goods and services
Digital: Bitcoins cannot be printed or physically made.
They must be generated through computerized methods.
Decentralized: Bitcoins are not regulated by any government
or banking institution.
Revolutionary: Transactions allow for anonymity and are almost
instantaneous.
Global: Bitcoins are borderless currency and can be used
anywhere.

15. Bitcoin Wallet
• Bitcoins are stored in your digital wallet.
• When you transfer Bitcoins an electronic signature is added. After a few minutes the
transaction is verified stored in the network

16. CryptoLocker and
CryptoWall

17. CryptoLocker
▪ Email attachment is the main method of infection
▪ Targets all versions of Windows
▪ Searches for files with certain extensions: doc, docx, wps, xls, xlsx, ppt,
pptx, mdb, pst, rtf, pdf, eps, jpg, dng, psd, raw, cer, crt, pfx, …
▪ Encrypts files with a 2048-bit RSA key pair
▪ Paying the ransom results in decryption of the files
▪ No way to decrypt the files without the private key
▪ Ransomware done right!

18. CryptoLocker Details
| 18 |
Some email subject lines related to CryptoLocker:
▪ USPS - Missed package delivery
▪ FW: Invoice <random numbers>
▪ ADP Reference #<random numbers>
▪ Payroll Received by Intuit
▪ Important - attachedform
▪ FW: Last Month Remit
▪ Scanned Image from a Xerox WorkCentre
▪ Fwd: IMG01041_6706015_m.zip
▪ My resume
▪ Voice Message from Unknown Caller (<phone number>)
▪ Important - New Outlook Settings
▪ FW: Payment Advice - Advice Ref:[GB<randomnumbers>]
▪ New contract agreement
▪ Important Notice - Incoming Money Transfer
▪ Payment Overdue - Please respond
▪ FW: Check copy
▪ Corporate eFax message from <phone number>
▪ FW: Case FH74D23GST58NQS
Most of the subject lines
target SMBs who might
not have recent backups
and who might need their
files bad enough to pay

19. Method of Execution
• Drops executable in users %AppData% and %LocalAppData%
folder
• Create registry keys to maintain persistence
• Search for specific file types
• Performs encryption
• Deletes Volume Shadow copies
• Displays ransom note

20. CryptoLocker Analysis
- Drops copy of itself in %APPDATA%{random}.exe
- It creates the following autorun key.
HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun "CryptoLocker":<random>.exe
- It creates two processes of itself. The other acts as a watchdog.
Later versions of CryptoLocker create an additional registry entry:
HKCUSOFTWAREMicrosoftWindowsCurrentVersionRunOnce "*CryptoLocker":<random>.exe

21. Cryptolocker Analysis
• It searches in all local and remote drives for files to encrypt.
• All files that are encrypted are also saved in the following registry for record:
HKEY_CURRENT_USERSoftwareCryptoLockerFiles
The only way to decrypt is to buy the private key from the attackers

22. CryptoLocker C&C
• Domain Generation Algorithm
It uses any of the following TLD for every generated domain:
.com , .net , .biz, .ru , .org , .co.uk , .info
1 2
3
4
• Encrypt Files with the public key flow
5
6

23. CryptoLocker Victims
Filename and Extensions Encrypted by CryptoLocker

24. CryptoLocker Details
Paying ~$300
will get you the
private key
Payment Screen
Payment Methods
Validating Payment Method

25. CryptoLocker Ransom
Payment options
moneypak, ukash, cashu, bitcoin
Price: $300 USD or 2 BTC

26. Cryptolocker 2.0
Original Cryptolocker Cryptolocker 2.0
Compiler C++ .NET
Encryption RSA-2048 RSA-4096
C&C servers Employs DGA No DGA
Payment Scheme moneypak, ucash, cashu,
bitcoin
bitcoin only
Around December 2013, a new ransomware emerged claiming to be
Cryptolocker 2.0.
Drops copy of itself in %system%. As msunet.exe

27. Preventive Tips?
“Strong collaboration between private industries
first and with Global Law Enforcement”

28. Predictions for 2016
• Ransomware will continue to be a challenge in 2016
• Encrypting Ransomware samples will also have data theft capability
• Targeting Android and iOS platforms
• They are expected to get highly targeted in nature
• They will use extortion tactics with threats to make stolen data public
• It is highly advised to implement backup policies and processes with high-
end encryption

29. Security Software – Ensure the personal firewall and anti-malware software is working properly and
up-to-date
Patch Management – Update all applications with the latest security patches
Least Privilege Access – Do not use the administrator account for everyday use or while surfing the
Internet
Computer Hardening – Configure the operating system, browser, wireless AP, and router to make it
more secure
Online Security – Choose strong, unique passphrases for online accounts and enter them securely
Content Filtering – Use web, email, and IM filtering as well as a link checker to block unwanted and
malicious content
Asset Protection – Encrypt and regularly backup your important documents and files
How to Protect Your Computer

30. Follow Best Security Practices
• Do not open and execute attachments received from unknown
senders. Cybercriminals use ‘Social Engineering’ techniques to allure
users to open attachments or to click on links containing malware.
• Keep strong passwords for login accounts and network shares.
• Avoid downloading software from untrusted P2P or torrent sites. At
times, they are Trojanized with malicious software.
• Do not download cracked software as they could propagate the
added risk of opening a backdoor entry for malware into your
system.
• Ensure staff are educated in good computing practices

31. Thanx