
Prospecting Ransomware Tech

BSidesSF · 2018 · 31:54 · Published 2018-04
Category: Technical
Style: Talk
About this talk
Vlad Craciun - Prospecting Ransomware Tech. 2017 was a year with a large increase in ransomware families and malware technologies. Some malware technologies are not dangerous enough on their own unless they get mixed with others, yet somehow most of them end up in ransomwares and botnets. WannaCry and Not-Petya were empowered with SMB exploits for mass spreading. Not-Petya, GoldenEye and Armalocky make use of low-level disk encryption to alter the user data at sector level. GlobeImposter, BTCWare and Troldesh/Crysis were spread using RDP sessions. We also have a large number of the first two of them packed with the polymorphic packer used by Emotet. Some of the ransom families get sold through RaaS portals, allowing any end user to become a potential ransomware owner; Satan ransomware is an example of such a case. A strange one, UIWIX ransomware, which probably was reshaped, was distributed by the Adylkuzz coinminer in certain circumstances by October 2017. The coinminer is known for its SMB exploit component and its preference for Monero coin. In this presentation we will evaluate the mix of malware technologies used by the ransomwares born in 2017, both for their distribution and their encryption algorithms, in an attempt to picture what's coming next.
Transcript [en]

Hi everyone, my name is Vlad Craciun. I've been working for Bitdefender since 2009, and I've been handling the cleaning of ransomware for about two years now. Together, in the next half an hour, we're going to delve a bit into this threat and we're going to see what they're up to. I'll try to introduce a bit what happened in 2017 with this threat, and we're going to see how they got to build an entire business on top of cryptocurrency. We're also going to see what mistakes users usually make, and also that ransomwares have their own mistakes, and we'll draw some conclusions in the end.

So 2017 was a prolific year for ransomware. We got about 150 different families, at an average rate of about 12 different families per month, and these numbers do not include their subversions, so there are actually more, and we can actually clean at the moment about 10 percent of all of them. We have here a couple of the most widespread families. Those highlighted in black just can't be recovered, but are common at the moment and widespread. Those highlighted in green can be recovered, and at the moment we have some decryption tools for them, at least for some of their subversions, because they got updated in the meanwhile. The one in blue, Satan ransomware, is known for its strong ransomware-as-a-service interface, and it's a choice for a lot of anti-analysis tricks; in fact this ransomware has more anti-analysis tricks than all the others together. The families in orange have chosen to change the strategy for lateral movement, and since the beginning of 2017 we've seen these spread more on companies and not on common users, and I believe that they are spread by hand by their owners after they got to brute force some user account through the RDP protocol. And we have another couple highlighted in red; those ones got public attention, and our attention, in a special way. Starting with WannaCry, they include SMB exploits like EternalBlue or EternalRomance. In fact they kind of inspired one another, starting with WannaCry, and Bad Rabbit for instance is also inspired by its predecessors which use disk encryption, like NotPetya, also called PetrWrap, and GoldenEye, Petya in the first place.

OK, so let's see how this business built up on cryptocurrency, because cryptocurrency developed at the same time with this kind of threats. Everything started with some kind of bad jokes, and between 2012 and 2014 we've seen these screen lockers, which are the roots of the ransomwares. This is an example of a screen locker with a message not well formed, so at the time when this message came up, a common user didn't know if he needed to cry or to laugh, because if you have some basic skills of how things work you can easily bypass this kind of windows. This is another example of a screen locker; we called it IcePol, but in fact it's "police" split in half and reversed. Because of the fake messages it's more like scareware. It had something different than the others: it delivered the ransom note in the target user's language by checking the location, looking at the IP, and it's one of those who preferred Ukash and Paysafecard for the payment. This is not because cryptocurrency, Bitcoin, did not exist at that time, but because they were not so popular, so I believe these guys did not know about this kind of monetizing at that time.

OK, we have here another example. This is both a screen locker and a crypto locker, the simplest yet. We called it CCDF; in fact it's not us who gave it this name. It appeared around 2015, and the guys behind this felt an urge to tell their affected users, the victims, how things work, because they had a lot of troubles with other affected users in previous versions, and somehow in this subversion they pushed an entire post on the ransom note. We see at the top right corner the small scrollbar, so you have to read a bit, just like reading an end-user license agreement. And this urge for the guys to talk to their victims and let them know how things work, we are still seeing it today. This is a series of four screenshots taken from BleepingComputer; the red link at the top right, I believe it's still working if you want to read the entire stream. It's about a guy who got affected by GandCrab ransomware in March, the second version. We created a decrypter for the first version, and somehow one of the bad guys behind this ransomware appears and tells him there is no way he can decrypt these files, he must pay the ransom. And while exchanging some data, the bad guy finds out, I don't know if it's visible at the bottom, the bad guy finds out from the user information structures, sent while the ransomware gets executed on the affected user's system, that his PC name contains "IT" right in the beginning, so he knows that the victim is some kind of network administrator, and raises the fees and says he has to pay about $800, while we didn't see users pay more than five hundred dollars without being special cases. Anyway, in the end the user knows that he is one of the bad guys, and the bad guy admits it.

OK, so since the fall of 2016, after the third big key leak for Crysis ransomware, when we thought that they had just ended the campaign, we've seen in the spring of 2017 that they actually took a break to make some changes, and this time they did not deliver the ransomware to common people but to companies. All the cases we have since then are just companies being infected with this kind of ransomware, and after they did that a lot of ransomwares borrowed the strategy, and others like GlobeImposter and BTCWare are also spread at the moment like this, because they know that a company will pay the ransom, and a user can easily choose not to pay. So we have on the left side the common users, which, most of them I believe, will refuse to pay the ransom; they will get through with this at some point, and I also believe that most of them just can't afford to pay the ransom. And on the right side we have companies which are forced somehow to pay the ransom if they don't have backups, because they will get to pay more to users after telling them that they just lost their data. And lately we have also seen some agreements between these ransomwares and coin miners or botnets. We have here a botnet which got to infect an entire network, and some of these botnets have some mechanism to exfiltrate sensitive user data. This is a screenshot taken from CoreBot, and Emotet for instance can do such things, getting screenshots from time to time and analyzing them. For example here we have a screenshot from a billing application; it's clear that not every user will use a billing application, you have to have some clients for this, and they say, hey, we got the company, we can do something about it if others are interested. And the guys behind ransomwares are forced to sign up for this type of delivery, because in the end they make a deal and the botnet infrastructure only becomes a way to deliver a package, just like a courier, and the company just gets infected with ransomware. That way the ransomware owner will be sure that they will pay the ransom.

OK, so since 2015, I'd say starting with CryptoLocker, but more since the beginning of the last year, we've seen an increased interest for ransomware as a service. This is some kind of noise level, I mean at least that's the way I want to call it, because somehow ransomware creators got to bring some noise between them and the affected clients, and if someone tries to track back the entire operation, they will eventually get a user of this service and not the creator of the ransomware. So you will have a hard time getting your hands on the ransomware creator, but you will get at some point to know who delivered the package, because the ransomware user IDs found in binaries are linked with their cryptocurrency accounts and other types of information which they have. And this is some kind of business which ransomware owners are making up in order to be motivating: in the position of a ransomware user, as a ransomware-as-a-service user, they get a big percent of all the income, about 70%, and the hacker, the owner of the ransomware, gets a small fee, about 30 percent. I mean, it's a range, not every ransomware has the same percent, so it ranges between 10 and 30%. This is an example of the ransomware as a service for Satan ransomware, a screenshot taken from the dark web; the page ends with .onion, so you need Tor to access this kind of pages. They say clearly here, I don't know if it's visible but I can share this if required, they tell how things work if you enrol as a ransomware-as-a-service user: you just need to sign up for this, you don't have to have a PC of your own, you don't have to have money to invest, you don't have to have anything, you just need to sign up and you just get 70 percent of all the income. This is suspect, I don't know, no one asks why do I get 70 percent just like that, but I believe this is this noise level which hides basically the ransomware creators and keeps them at a safe place.

There are some mistakes which users usually make while contracting this kind of threats, and these kinds of mistakes made by users also affect the company for which they work. Everything is based on what we call social engineering; basically it's exaggerated curiosity and maybe sometimes a lack of focus when surfing the internet. Also most users don't use credentials at all, or they have weak ones; this is a gateway for those who are trying to brute force these accounts. Also some companies which are in their beginnings maybe can't afford to hire someone to take care of the network infrastructure, and they believe that they can deal with it on their own, and not having someone with experience to face these kinds of situations, you just end up hacked, or you get your network penetrated by this kind of threat, and you just don't know what happened or how to deal with these kinds of things. There are also users which have some contradictory behaviors, so they install some security solutions and at the same time they believe that they can use cracked applications, download torrents, disable operating system updates and so on, just believing that, OK, my security product will protect me. Well, things are not quite like that. What would you click if you got this popup on your web browser, surfing the internet on a usual day? I believe that most of the people just want to live by chance, by good luck and bad luck; they don't want to face the basics of logic, with what follows based on what I'm doing now, so maybe they can believe that you can win something without playing. I don't know, I don't think that's the way things work. And I have a couple of hints for users which got affected by these kinds of threats, and for companies as well. Actually this list is very large, but I'm only highlighting some points. So users need to be more aware of what they're doing and to base their facts more on logic than on chance, and you need to not click anything you see on your website, no matter what it says. You need to update your operating system as frequently as possible, and also your applications like Flash Player or Java, if you're using these kinds of applications. Also credentials are a must for each of us, even if it is only you who uses the computer; if you are connected to the internet, you can be just you, it's an entire community, and you're available for others and visible at the same time. For companies I suggest strong firewall rules, also custom administrative policies; for instance if you have a technology board with endpoints, maybe you want to know if your security service at an endpoint is malfunctioning, and maybe in this case you want to isolate that system, no matter if your productivity lowers for a short amount of time.

Ransomwares also have their mistakes, and I'm going to highlight two of them. One of them appeared in June last year in NotPetya, or PetrWrap. Some might say that they intended to do so, but if this was by intention, intention to damage the user data, then they would have continued with this kind of threat; but that was not the case. They did not correlate well the user IDs with what actually happened on encryption. Another case is GandCrab, which appeared in mid-January this year, and this ransomware affected only files larger than 4 gigabytes, because they did not read well the Microsoft documentation for the API. So at the bottom right, it's something taken from the Microsoft site which tells that you have to use some parameters in the SetFilePointer function, both set to some values, when doing operations on files larger than 2 gigabytes, because the parameters are signed. And they did not listen, or did not read this at all, and they are only increasing the file pointers. Because they're doing read/write operations and encryption on the same file, they're only increasing file pointers by what the read and write functions are increasing, and the operations are taking place on one-megabyte blocks, and after 4 gigabytes they're reading 1 megabyte and they're encrypting it and writing it on the second megabyte, so you're losing that data, and this process continues and you're losing the odd chunks of one megabyte. It's kind of redundant information: when we created the tool for decryption and restored the data, we found out that the user had on his larger files this kind of information two times, one time not encrypted and right after, encrypted, so the odd chunks were lost for good.

Further, we're trying to see some kind of template where this encryption is moving around these threats, and we're trying to see how we can identify these links. So one of these templates is based on creating a random key, uploading it to a server, and if this operation is, let's say, successful, then start the encryption. This is one of these ransomwares (no risk react), and at the left bottom corner we have a graphical user interface for this threat. Another type of template is downloading a key and applying it at the encryption; we've seen this on LockCrypt ransomware. This is how encryption works on WannaCry, and this third template is based on RSA and AES. WannaCry had three layers of encryption, and the three layers were: the first one, a pair of keys used to encrypt a few files so the user can test decryption and see that it really works; a second layer is a public key shipped with the malware, and it is used to encrypt another, third key, generated locally; the private key is actually encrypted and the public key is used to encrypt all the files. So if you want to decrypt your files, the application will upload the encrypted private key to be decrypted on the malware server, and then you will get back your private decrypted key. Another template is using this kind of brute force, where hackers try to penetrate systems for weeks or months, and they don't hurry, and they eventually get granted access when they manually deploy and bring down security products. And the final one is more a consequence and not a specific type; it is based more on the lack of knowledge of new ransomware creators and their hurry to bring their binaries to their users. This is Nemucod ransomware, which we got to decrypt by analyzing only the encrypted data; we see here a repeating key which was used to encrypt only the first kilobytes of the file.

This is a page available online for identifying ransomware; you basically upload the ransom note or an encrypted file. We also have our tool, the Ransomware Recognition Tool, where you must provide the ransom note and possibly an encrypted file, and the application will give you some percent, and if we have a decryption tool available you'll see a blue link on the right side. These are two types of identifying these ransomwares: on the left we have a ransom note from BTCWare, and at the bottom we have a user ID, which is actually the encryption key encrypted with RSA 1,024 bits; on the right we have the structure of a file encrypted by Crysis ransomware, we see the original file name in the middle in Unicode format, and there is a six-letter lowercase identifier which identifies the subversion. Well, we further expect these ransomwares to increase, mainly because more and more users enrol in this ransomware-as-a-service program; also new malware creators show up and try to express their knowledge by introducing new threats, and we're also seeing a trend in automating this kind of threats by increasing the productivity of binary deployment, using for instance botnets, and also monetizing mechanisms. Thank you.

I think we have time for just one question.

Hey, great talk summarizing all the kinds of ransomware. I just had a question about persistence of ransomware. So what is the guarantee that after you have paid, the ransomware is out of your system, it's not hooked into any of your internal structures, and it's not sitting there to decrypt, I mean encrypt, a file six months later on? How does it persist? Yeah, how do you ensure that after paying you have removed your infection and it's not persisting on your system still, if you don't have a security solution installed, maybe?

Well, ransomware creators don't remove their threats after infection, but more than 90% of them just delete themselves after infecting your system. I don't know if we can talk about persistence, because they just want your money and they got the job done. If you catch it a second time, you most probably don't get infected by the same ransomware. OK, so most of the ransomwares are not persistent; most of them don't use persistence mechanisms, because they don't want to use you or extort you at maximum, they just want something small from you.

OK, cool, thank you. You're welcome.

If there are any further questions, feel free to go and approach the speaker after. Well, let's thank our speaker again. [Applause]
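The Nemucod case the speaker describes, a repeating key applied only to the first kilobytes of each file and recovered from the encrypted data alone, can be illustrated with the following added example. It is not the talk's, Bitdefender's or any ransomware's code: the XOR scheme, the 8-byte key, the 1 KiB prefix length and the sample files are all constructed for the demonstration. The only real inputs are the fixed leading bytes of PNG, PDF and ZIP files, which the analyst uses as known plaintext; the prefix length is assumed to have been established separately from the encrypted files. The recovery goes beyond the single case in the talk in one way: it also derives the key length, by picking the shortest period for which every known-plaintext byte votes for one consistent key byte.

```python
# Added example (not from the talk): recovering a repeating XOR key that was
# applied only to the first bytes of each file, using file-format headers as
# known plaintext. Everything except the format magic bytes is constructed.

# Real fixed leading bytes of common formats, used as known plaintext.
# The PNG entry is the 8-byte signature followed by the IHDR chunk length
# (always 13) and the "IHDR" tag, so one PNG gives 16 known bytes.
KNOWN_PREFIX = {
    "png": bytes.fromhex("89504e470d0a1a0a0000000d49484452"),
    "pdf": b"%PDF-1.",
    "zip": b"PK\x03\x04",
}


def xor_prefix(data: bytes, key: bytes, prefix_len: int) -> bytes:
    """Constructed model of the weak scheme: XOR a repeating key over only the
    first prefix_len bytes and leave the rest untouched. XOR is its own
    inverse, so the same function decrypts when given the recovered key."""
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:prefix_len]))
    return head + data[prefix_len:]


def recover_key(samples, max_key_len: int = 32) -> bytes:
    """samples: iterable of (format_name, ciphertext).

    For each candidate key length, every known-plaintext byte i votes for
    key[i % key_len] = ciphertext[i] ^ plaintext[i]. The shortest length for
    which all positions are covered and all votes agree is the key. Files
    shorter than their known prefix only contribute the bytes they have."""
    samples = list(samples)
    for key_len in range(1, max_key_len + 1):
        votes = [set() for _ in range(key_len)]
        for fmt, ct in samples:
            known = KNOWN_PREFIX[fmt]
            for i, p in enumerate(known[: len(ct)]):
                votes[i % key_len].add(ct[i] ^ p)
        if all(len(v) == 1 for v in votes):
            return bytes(next(iter(v)) for v in votes)
    raise ValueError("no consistent key up to max_key_len; more known plaintext needed")


def demo():
    """Encrypt constructed sample files with a key the analyst does not know,
    then recover the key from the ciphertexts and restore every file."""
    key = bytes.fromhex("5a13c7a1992e417b")  # constructed; hidden from the analyst
    prefix_len = 1024                         # constructed; assumed known from analysis
    files = {
        "photo.png": ("png", KNOWN_PREFIX["png"] + bytes(range(256)) * 8),
        "invoice.pdf": ("pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n" + b"1 0 obj\n" * 200),
        "backup.zip": ("zip", b"PK\x03\x04\x14\x00" + b"\x00" * 3000),
    }
    encrypted = {name: (fmt, xor_prefix(data, key, prefix_len))
                 for name, (fmt, data) in files.items()}

    recovered = recover_key(encrypted.values())
    restored = {name: xor_prefix(ct, recovered, prefix_len)
                for name, (fmt, ct) in encrypted.items()}
    all_restored = all(restored[n] == files[n][1] for n in files)
    return recovered, all_restored


if __name__ == "__main__":
    recovered_key, ok = demo()
    print("recovered key:", recovered_key.hex(), "| all files restored:", ok)
```

The three sample files together cover 16 key positions, so the shortest consistent period is found unambiguously for any key up to 16 bytes; with longer keys, or with formats whose headers are short, more files of known type are needed before every key position gets a vote, which is why `recover_key` raises rather than guessing.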