
Alright, so our presentation is, first, a little bit of an overview of ransomware. We're going to talk about that, and then we're going to talk about a piece of ransomware that we found via social media monitoring back in late August. We were able to basically perform a man-in-the-middle attack on the ransomware, intercept the key going across, and essentially decrypt files without having to pay the ransom, so we'll talk about that in the second half of the talk. So, like I just said, we're going to go over the state of ransomware; we're going to talk about its profitability and what makes it simple in comparison to banking Trojans,
really the one-size-fits-all type of thing, and then we'll move into the ransomware we found. Like I said, we'll give you guys a rundown of its network activity, encryption and decryption, and then how we carried out the man-in-the-middle attack, and we'll wrap it up and then happily take any questions that anyone has. First, an introduction: who are we? My name is Jason Davidson and this is King Suhlemah; we work at PhishLabs and we play with malware on a regular basis. Anything to add? No, I just don't know where I am; I'm definitely in the orange suit, I've got warrants. So, ransomware: the current ransomware pandemic. Why has ransomware become
so popular in 2016? It's really become the malware of choice amongst cybercriminals, if you will. In the end, cybercriminals are just businessmen, right? They're trying to make money, and they want to make money as efficiently as possible, meaning less work on their end while still returning a decent profit for them: how can they gain the most money in the shortest amount of time, if you will? So that goes along with the first point, right: ransomware is profitable. It's also relatively simple in comparison to a banking Trojan; we'll talk about that a little bit later. Fewer moving parts, just less movement of money overall. You can make use of Bitcoin and
the anonymity in Bitcoin wallets, so that makes ransomware more simplistic in the sense of getting paid and making money. One size fits all, right? Once you get your encryption right and you have a semi-robust infrastructure, you can kind of tweak your payloads here and there to work on mitigating detection and things like that to make it a little bit more successful, but once the ransomware runs you are already successful, right? You've encrypted their files, and then either they're going to pay or they're not going to pay. So with banking Trojans, in comparison here,
I think for Vawtrak, right, the victim has to open the browser twice before Vawtrak will provide web injects when they navigate to their banking website, and things like that. There are just many more moving parts and things going on with banking Trojans, so, like I said, Vawtrak. Anything to add on the banking Trojan side? Mm-hmm, good to go. Well, thanks. So, moving into profitability: the FBI stated that in the first three months of 2016 ransomware had accumulated 209 million dollars, and Locky came around then, Locky being the first really major change in campaign and kind of swinging things towards ransomware in 2016. It was
about mid-February, February 12th or 16th, somewhere around there, when Locky came out. And like I said on the second point here, major campaigns like Locky and Cerber are both successful based on spam volume alone. Now Locky, as far as I know, and as far as anybody else has alluded to, isn't run by multiple groups, just by one group who spams out loads and loads of samples via the Necurs botnet, and Cerber is actually probably the most successful ransomware-as-a-service campaign, where the original authors will basically lend their code base to people that want to give a ransomware campaign a go. So, overall profit for Locky, or
so this Locky estimation was originally drafted in a report provided by the Talos group in April, I believe. This is just to give you an idea of the potential profit that Locky could be spinning off. We can see here they did two different calculations based on whether victims were paying one Bitcoin or half a Bitcoin, and over 12 months, if your victims per day stay the same, you're making either 393 million dollars or 196 million dollars, essentially, which is a good chunk of change. I wish I made that much money for a year of work; I'd be good.
So here's an actual one from Check Point. Check Point put out a great blog and a great white paper giving insight into the Cerber ring, the Cerber group, and this image is actually from one of their blogs where they are inside the Cerber panel, and you can see actual infection numbers here. These are hard numbers, whereas the Talos group was estimating based on payment and victims per day; these are hard numbers. This is what the Cerber author, the person utilizing the service at the time, was actually making. So we can see installs,
encryption started, encryption completed, and then, before the far right column, we can see the number of payments, and we also have a profit column on the very far right where it shows exactly how much money they're making. So overall they had 10,000 installs; I don't know how long this period is, it looks like from April 9th to April 23rd. So 10,000 installs with a profit of fifty-three thousand dollars, which over the course of two weeks is a good chunk of change. I like this image because, like I said, they're hard numbers, so it gives you an idea of what they're actually making. So, right,
ransomware makes use of operating system features, right? They're not home-brewing their own encryption, or if they are, chances are it's probably capable of being cracked or broken. They make use of the cryptographic libraries within the operating system, which makes for very simplistic API calls. Very simplistic, yeah, and easy. A lot of times, when you see it on TV or in movies, you see these mad hackers sitting at the keyboard making the most sophisticated piece of malware you've ever seen, and it's uncrackable and they can't trace it or find anything. In real life that never really happens, and in ransomware it's even less so. The whole
point of Locky was to make the payload as simple as possible. So what they did was they didn't do a lot of anti-VM sort of detection or anti-analysis detections. The reason for that is the more anti-analysis detections you put in, the more likely a security product is going to flag it, so if they don't do any sort of checks at all, then the likelihood of it succeeding and encrypting, and perhaps encrypting things on shared drives and stuff, increases a lot. So they don't care if they're in a VM or not; a lot of people are running stuff in virtualized environments, so they just care that it executes and it's encrypted.
yourself, like hospitals, per se. The reason hospitals pay out is because, say you have a nightly backup, right? A hospital has a lot that's happened since that nightly backup; say it ran at, oh, lunchtime. So you look at that amount of data that's accumulated within that time; there's a reason hospitals can pay for that kind of thing. [Audience question, partly inaudible:] But the targets for those, like a hospital, I can understand that; is it like the large majority are big industry, or is it, you know, [inaudible] too? So a lot of people get hit, and
the industries, the ones that are actually paying, are people in hospitals, so they have no other option, right? Like, your hospital, you have to get your data back. A key target at all? It's just the same; there are so many people. Well, that's the thing, right, with ransomware: the more targets you have, the higher the chance of making money. The emails are crafted in such a way that sometimes they will send it to hospitals looking like something that the hospital would see on a day-to-day basis, so it'll be some medical terminology, to elicit user interaction. Small sheriff's offices end up paying because usually their IT isn't up to snuff, and they go
back and look and the backup they have is from like a week ago, so there have been plenty of small police offices that have paid out. Who else has paid?
[Audience question, partly inaudible:] ... why would they want to come? So yeah, it depends on when the ransomware runs and it depends on the infrastructure. There are certain things that you think would be streamlined within a hospital, and certain things that may be configured in such a way that it was changed to accommodate some other piece of software; it really depends. Big hospitals have paid out; the first one that I remember was the hospital in LA, right? Yeah, they got smacked by Locky and I think they ended up paying seventeen thousand dollars total to get their files back. Yeah, that's definitely one of the most notable as far as targeting goes. I
wouldn't say, like, some of the lures are crafted, or some of the initial emails are crafted and sent out, like, so if you work at a hospital then, like he said, medical terminology, things like that; financial institutions, invoices, right, invoices and things like that, like "I want you to look at my invoice" or "why do I have to pay this much money", if you're sending one to your bank. TorrentLocker used to be the most targeted as far as geo regions go; they would do some really crazy GeoIP blocking where you had to come from that specific region, and they would even block some
VPN nodes if you wanted to try to get the payload, right. So that's probably the most targeted that I've seen. Yeah, I'm not familiar with Epic; I'm not sure how it's actually running. So, I mean, within a hospital I know there are many different segments; you know, the accounting group may be running in a different manner as opposed to the ER or other segments, so they take advantage of it. I'd have to look more into Epic, actually. Question? Actually, yeah, that is a great question. Yeah, a lot of people who don't pay are consumers, so I think what we saw was like two
percent, very, very low. Oh, Yancy was like... I know, I have so many computers. I mean, I'm a little bit of a special case, but I have a Linux distro, right, and I'm like, oh my god, just look at it; I'm like, oh, I don't really care about my files, time to put a new distro on. I like to change distros all the time, so sometimes I'll back up, sometimes I'm essentially just blowing away my files. Because AV is only going to help you so much; I can tell you from personal experience AV is really, really bad. I'd say there are certain vendors that are
better than others; I could recommend some, I don't know if I'm allowed to do that, but I would say about three of them are better than most, and other than that, I don't even know. Most vectors are going to be through your email, right? They're going to be sent to you via email, and I can't put myself in somebody else's mindset based on the things that I know; like, I delete all my emails, barely read them, and I just never click on anything. I don't know; I can't speak for people when they call my dad. Yeah, yeah. So someone did a YouTube video
about getting hit with ransomware, saying that the backup utility he was using was impenetrable to the ransomware that he got infected with. It wasn't that it was impenetrable; a lot of the ransomware that occurs is looking for certain extensions, so what happens is when his file was being backed up, it was some random extension for that particular piece of software which is not going to be in the list of extensions that it's looking to encrypt. A lot of them are not going to encrypt .exe or .dll, because they're not going to want to try to corrupt a file that's, you know, important to the operating system, so they're not
trying to bring the system down; they want their money. So they're looking for .doc, .xls; they're looking for files that they know are going to have important data for you. Usually a lot of them have a preloaded extension list, and those are the extensions they're looking to encrypt, so they're not going to mass-blast and encrypt every single file on your system, because nine times out of ten if they do that they're going to hit something important and it's not going to run very well. So they don't like the system files; it's exactly the things that hold value, right? What holds value: photos, or, yeah, photos, Excel documents, I mean, accounting information. Well,
they also whitelist those directories, like the important system directories, so they will go through and do some executables, like via games or something, they can hit those, but then they'll make sure that they don't hit System32 and things like that, right. Yeah, we were going on the file extension thing: like, if I have IDA open and I saved my IDA database file, the .idb, because .idb is the extension, that doesn't get encrypted, because why would anybody have IDA files on their computer that's getting encrypted by ransomware? But I would say, depending on, because most people... The other thing, this is kind of changing tides here; I don't know
how many of you do banking on your actual computer, but a lot of people do mobile banking, right? That's becoming much bigger, and so also the mobile attack vector is becoming more and more savory, if you will, whereas I barely sign in to my banking website on my computer to do anything, really. I don't use my computer for critical functions. Really? I don't know how you live. Yeah, I barely
use a mobile browser; I use a desktop browser. Wow, I appreciate you backing me up. Yes, I'm sure you're going to see a lot of this increase in the future towards things like mobile devices or IoT devices, like Dropbox. Back to the... yeah, so we were talking about that the other day; we were talking about how people have cloud services, but people end up mapping drives to the computer, and some actually go out and start encrypting stuff on shared drives depending on how the cloud is actually used. I was actually thinking about someone making, you know, it wouldn't even be clever, you could easily do it, where it's actually connected to some sort of cloud service and starts encrypting,
so if you have OneDrive, and they had OneDrive on your computer, which is mapped to your phone, right, and then your TV or something like that, and if it was able to get up there and even then propagate to all those devices, that would be nifty, yeah, right. But you have to be able to pick up that... good, yeah. Yeah, so it's backups, but most people aren't going to back up, is that fair? Yeah, I don't ask people; that's really the number one, but cloud services are getting better to where it does it for you, so that's nice. Yeah, it's the number one thing they
bank on, is backups, right? If this is a consumer, you do a nightly backup; the next day, a lot of people, if I had a nightly backup and I got hit at 9am, I don't care, I'm not paying the ransom, I'm just going to re-image, you know. So for a consumer I'd say backups are important, but they also play on the fact that a lot of people don't, and a lot of people who do get hit, they sort of weigh it, like, oh, is two bitcoins really worth all this data inside the computer? I have a USB drive that I could just reload it with. So my next point, hopefully we
answered your question. Well, my next point goes to kind of, really, all malware, right? Depending on what platform you're trying to target, in most cases it's Windows; if you have knowledge of Windows internals and APIs and things like that, then you can probably write decent malware. I think, in my opinion, the knowledge of Windows internals that you need to write ransomware is less than the knowledge of Windows internals that you would need to write a decent banking Trojan, because the banking Trojan is looking to be more subversive, and you're looking to do crazy things with the API and be more crafty, if you will. Going on the
simplicity thing still: open source ransomware projects exist for educational purposes, and this is kind of a fiery topic amongst some researchers, where I need to know why people like... like this malware source that's leaked, and you can look at the source code and go through line by line and understand what it does, right? But there's no reason, in my mind, maybe someone could think of one and let me know, there's no reason that I can think of why you would want to give people who don't have the capability to write their own the capability to write their own, because I guess the argument is what we're doing now isn't enough to stop
what's going on, so let's make it open source and maybe somebody will come up with an idea. Whereas I think the root of the problem is that it's not that ransomware is complicated and we have no idea how to not let it run, right? It's just that we don't have, and this goes back to what Joe said in the keynote, the ability to stop phishing, and the initial vector like that is never going to stop. And nine times out of ten ransomware payloads are probably going to be delivered, I guess actually exploit kits, but ransomware attempts are going to be delivered through phishing. Nine times out of ten is a little much; I
would say the majority of the time, though, ransomware will be delivered through phishing. So I don't think that open source ransomware is really a necessity; it's not like, if I had the source to some code or some web app, right, and I was able to find a zero-day, I wouldn't just spam, like, a proof of concept that's not malicious or something like that. But these are, in nature, for educational purposes; they will encrypt your computer, whereas most of them have backdoors or something that they put in. There's no reason just to have open source ransomware. Well, I see a lot of malware in the
wild where people will actually just copy and paste from Stack Overflow or something like that. Mm-hm, in this particular case, I don't think we talked about this in the presentation, but I did find a post by somebody, it was several years ago, with almost the exact structure of the source code that appears in this piece of ransomware, and they modified a few things to make it fit for this particular scenario. So, I mean, it's questionable. I mean, when you're talking about things like proof of concept, some people argue that, well, if we know the number of methods in which they can attack or sort of get at our infrastructure, then we can
prepare for them. Really, I don't know a good, adequate defense for this other than, for the enterprise, what we could tell you: a good enterprise threat data feed is key. For a consumer... for an enterprise, someone could provide you a good threat data feed, an intelligence feed. So a lot of companies out there, I won't say a lot, but a good number of them, will sell to you; they'll analyze a lot of malware and then in their feed they'll give you a lot of indicators, and the reason that's important is because they're probably analyzing them and seeing payloads faster than a company would, so by the time the company gets the payload they're going
to already have those indicators. So a couple of things are going to happen: either they get infected and the payload can't communicate back to the C2, and in a lot of these cases if the payload can't communicate it's not going to start encryption; another thing that's going to happen is it's not going to allow it through, right? So if we have those indicators, if we have the hashes of the payload, if we have the indicators it tries to communicate with, it's not going to get through, and even if it does get through we can easily have something like your SIEM software, you know, or some IDS isolate that particular machine quickly off the network before it has a
chance to do any more damage. So for the enterprise, someone with a good threat data feed, it's definitely going to help you out. Consumers are a little bit more difficult, because those threat data feeds cost money; you know, big companies are paying a lot of money for them. Sometimes some of those companies do share those indicators, like a partnership with an AV vendor; it doesn't happen as much, honestly, because people are paying, you know, people are selling that data. Yeah,
so it's like you get what you pay for, unfortunately. Moving on to kind of more of the compare and contrast: like I said earlier, banking Trojans have many more moving parts. The delivery mechanisms, really, I think banking Trojans probably are more consistently delivered through Word docs, where ransomware is a solid mixture of Word docs and Windows Script Files or JavaScript files, I think more so, and exploit kits. Like King had said earlier, sometimes if ransomware can't communicate with the command and control server then it won't [ __ ], but a lot of the times they don't really care; they're getting encrypted anyway, they just don't want to track the infection, but they'll still give you what you need to pay for to get
your files back. So, whereas with banking Trojans I think the control is a little more important, because you actually have data to exfiltrate, and web injects. Basically what web injects are: you navigate to your banking website, right, and the banking Trojan will basically script an overlay, kind of on the fly, so that when you get to the banking website you're logging into their scripted overlay, and that's how they grab your banking credentials and things like that. Anything to hit on web injects? So, the delivery mechanism, like I said earlier, is kind of the one-size-fits-all: really, once they get the payload onto the victim's computer, then all they're looking to do is get the victim to run
the payload, and most people are going to click things regardless, so after that it's just, is the victim going to pay or not? So, characteristics of modern ransomware. Delivery methods we kind of touched on: mostly it's phishing emails, inside zip files. What was big over the last three weeks, really, is encrypted Word documents, where the Word document is password-protected; those come through with zero detection, essentially, and they provide you the password in the email to open the Word doc, and then they have the classic "enable macros to view this content" or something along those lines, and then the macros will run and download the second stage payload. That was really kind of
the coolest thing I saw over the last three or four weeks, probably. A variety of malicious actors as far as skill level goes: you have the full development teams behind Locky and Cerber and the larger ransomware campaigns, and then you have more new threat actors, if you will, kind of like the author behind Alma ransomware; this is probably their first run at creating ransomware, and there's a lot of new ransomware out there that isn't done well, because even kids new to the block are trying to make money using this vector, right. That's why 2016 is the year of ransomware, because it's really exploded, so everybody wants a part of the
potential success that ransomware offers.
So, going over, kind of touching on low-quality ransomware; this will lead into more of what we found back in August. Like I said, everybody wants a piece of the chunk, everybody wants a piece of the success that ransomware has to offer, so you get new variants and new families all the time. Even back in 2016, I remember, in 2016, we're still here, back in February, it was the first day Locky was out, somebody was able to crack it in the first couple of days, and the next iteration of the payload came with a string inside the payload like "F you security
researchers" or something similar to that. So even in versions, Locky went through iterations where they weren't perfect. Same with Cerber: Check Point was actually able to supply a decrypter up until, I think it was a version of Cerber 2; Cerber 2 was definitely out, I don't think Cerber 3 was out, but up until when they put out their blog and the decrypter, I think it was around August eighteenth-ish, they were able to decrypt files up until then, and then shortly after, like in the next two days, Cerber came out and patched the weakness in their encryption mechanism to mitigate that. A bunch of ransomware families have
been able to undergo cracking and decryption by some security researchers, and then you have low-quality family variants like Stampado, [inaudible name] ransomware, which I think is on version four, and Phoenix Locker, all of which I don't think have perfect encryption yet. I don't know that to be one hundred percent true, but last time I checked that was the case. So now, talking more about what we found, our bread and butter in August; take it away. So, for those of you who don't know: in some Slavic languages and also in Hungarian, alma is the word for apple, and what we found was the payload itself was masquerading, or trying to trick a
user into thinking that the file itself belonged to Apple. We thought that was kind of interesting, where they called it Alma, with that string in there. On the "locker", or, I'm sorry, a lot of people called it Alma Locker, Bleeping Computer and some other ones. There is a difference between a locker and ransomware: a locker is just trying to prevent access to the computer, as opposed to ransomware, which is actually encrypting the files. So when it first came out, for some reason we came out with Alma Ransomware and everyone kept calling it Alma Locker, so you'll see a lot of other blogs out there saying Alma Locker; it's the same thing, it's just not a locker. I guess some
people don't understand certain types of terminology. So this particular one was delivered via the RIG exploit kit, a very popular exploit kit, so it wasn't a phishing email or anything like that. For those of you who don't know how exploit kits work, basically it's as simple as visiting a website: all you have to do is visit a website and it could cause infection. The way this works is the exploit kit determines what your browser is vulnerable to, or perhaps you have a plugin that's vulnerable to something, and a bunch of JavaScript runs and determines, okay, they're running, you know, Internet Explorer with this particular plugin, and what they do is they try to deliver a certain
malicious file, or most malicious payload, onto the system via that vulnerability, and that's why it's hard to defend against exploit kits: the only thing that you have for yourself is keeping your browser and your plugins up to date; that's the only defense you have, really. So, the exploit kit is going to provide the execution, it's going to provide the drop and the execution. A lot of people who do these exploit kits, it's crimeware as a service, so you can't actually go out there and buy your own exploit kit; what they're doing is you rent, like, say, a day, however many days or hours, to use the exploit kit, right. So in
this case, which I thought was odd, that such a new payload, or simplistic payload really, as far as ransomware goes, was being delivered via RIG, because once Angler had gotten popped back in June, Angler was really the premier exploit kit, RIG kind of took over and tried to fill Angler's shoes, so I was very surprised to see this being delivered by RIG. Okay, so it was odd. I think we calculated that the threat actor paid around five hundred dollars for this particular payload to circulate out there. Yes, that is really standard. Okay. Nuts,
right. So there's also a notable... I mean, there are a billion UAC bypasses out there, right, which is not hard to craft: if you've written an exploit kit you can write a UAC bypass, but even DLL sideloading will bypass UAC most of the time. So Cerber, I think two months ago, a month ago, if Cerber didn't get executed with admin privileges it would prompt three times, a minute after each time, for you to execute it as admin, or for it to bump its privileges up. This is because it couldn't get to the [ __ ], or not... the shadow copies, the volume shadow copies. Yeah, yeah,
yeah. So if it couldn't get to that, if it wasn't running as admin, or some sensitive files that it wanted to encrypt, it would prompt you three times, and if it didn't get to it, it would still encrypt, just not everything that it wanted. Yeah, that's another thing you have going for yourself: what a lot of ransomware will do is disable the Volume Shadow Service, and what that does is, you know, if you've ever booted up Windows and it says there's something wrong, try to boot up from the last known good startup, then what it's doing is pulling copies from that Volume Shadow Service to probably try to bring
things back online. So the first thing some ransomware will do is just disable it altogether and wipe it out. You don't think that those...
I don't know, I don't know about so far; yeah, I'm not familiar with how that works, but if they are backing up [inaudible], yeah, and it can't access it, I don't know where the backup goes. That's really it, right? If they encrypt the backup... then it could be a good defense. Yeah, I'd have to look more into that. Mm-hmm. Now the problem here is, when we first saw it, it was tripped by one vendor, and I can't remember who that was; I can't remember either. Basically we checked, I think it was a month later, and I think it was two or three vendors that had flagged this as malicious, and then only a couple of them actually
knew it was ransomware. So, I mean, it's pretty bad. I would say there are two... I mean, I'll just go out there and say it, I hate to say it, but Windows actually has a good antivirus. Uh-huh, yeah, I mean, they know, they know us better than most, so their detection rates are actually pretty good. I would say Malwarebytes does a pretty good job, Kaspersky does a pretty good job; the rest of them are questionable. That's based on everything that we see; we look at a lot of different stuff, mostly ransomware and banking Trojans. Shameless plugs, but, yeah, I'll throw that out there; I was trying to help out some
consumers, but it was the major three that we've seen that have the best. So, for those of you who don't know what address space layout randomization is, ASLR: basically what happens is it takes an executable and it will load it in a random place in memory in an effort to prevent things like buffer overflows. This is more of a defense mechanism so that people can't perform exploitation. What was interesting about this binary is it actually, and it's a lot of [inaudible], it's just a sly little trick; it's something that's easily disabled. If you look inside the file header, the executable file header, there is actually, if you see where I'm pointing to, it says "DLL can
move". You can... but in this particular section, or this application here, CFF Explorer, that particular checkbox is what changes that information in the header, and basically what that does is, if that wasn't checked, what would happen is it would constantly be loaded in the same location every time. It doesn't really hinder analysis, because, like I said, we can load this up, we can uncheck that, and we load the executable, and when we do our debugging session again it's going to be at the place we expected it to be. So, as analysts, what we do is we look at a lot of different malicious software, and we use things like IDA, OllyDbg, x64dbg, debuggers. A lot of these
things allow us to step through the assembly code to see what the malicious payload is doing, and in this case it's just, my guess, a noobish sort of thing to try to prevent analysis for some people, and it did trip up some people who use a more automated fashion; so people who use sort of automated debugging may have gotten some funky results from this. So it was just one thing we noticed with this particular payload. About 50 minutes? Just echoes of them. Alright, alright, so the network: what you see here is from the encryptor, when it first starts to encrypt your files on your computer, and one thing
that Jason alluded to is sometimes they'll rip your files even though they don't have an internet connection and if that's the case a lot of times what they're using is something called symmetric key cryptography and what that is is you have one key used for both encryption and decryption another way someone could do this is a symmetric can you see some of the ransomware see this is you have my pgp right you have to keats and they have a very close mathematical relationship in the fact that if you take one key and in data with this one key only this other key can decrypt it and so on and so forth so that you see this with PGP with
a private and a public key. So you keep your private key and share your public key, so that when people want to send you files that don't get intercepted, they can encrypt with your public key and you can decrypt with your private key. So what happens is some of the ransomware will take advantage of this asymmetric cryptography, in that they'll generate the key pair on the server, send you one of the keys, encrypt everything, so you never actually have the other key on your box, so there's no way to really decrypt. I mean, you could potentially do it, you could brute force it, but I mean, by the time you get
your data it's about 20 years; whether it's important to you then, I guess that's up to you. So in this particular case they're using symmetric key cryptography. And for a lot of people who haven't seen any sort of data that looks like what we're pointing to there, where it says base64: what it is is it's just a simple encoding used to, you know, send messages, email attachments over the Internet, and they're all printable characters, and that's the reason why people use this encoding, so it's easy to transfer data. So this sort of simplistic piece of ransomware will send the initial response over to the server, and if we actually base64 decode that, you're going to see a value
indicated by P, and if you see this value here, that's actually the encryption key. It's actually AES, also known as the Rijndael cipher, so they're using that in an effort to encrypt the files on the computer. After the encrypter runs, you're going to get this with all ransomware, you're going to get the bummer message here saying, sorry, your files are pretty much locked now, so they want you to pay. Here they give you instructions for downloading the decrypter, and that way you can go and get your files back, if you want to... extortion, I guess. So the decrypter. A lot of tools we use in the community vary; there's
like several different tools to do the same thing. This particular tool, what it does is it takes signatures, this is basically a database of signatures, and uses those signatures to try to identify what the file is, sort of like AV does it, sort of like YARA. So basically you have a bunch of signatures that will identify what made the payload, or what kind of packer was used to make it, you know, what compiler was used. In this particular instance Exeinfo PE tells us something very interesting: it says this is a .NET payload, if you see under there where it says Visual C#, Visual Basic .NET. It's very important to us because we're going to show you in a
second why. If there was a packer in play we might see it in there; if it was written in Delphi you'll probably see something saying Borland. You know, another popular tool that's like this is something called PEiD, that was used for many years. This is the crypter, so they give you instructions to download the decrypter. Here they give you a Bitcoin address. If you see, not on the box to my left but the second one over, you see that "svkju": it picked a random extension to encrypt your files with. And this is the particular section after our first execution; to the right you see how much money we have to pay to
get our files back, and here we have our hours remaining to pay the ransom. And those of you who are not familiar with ransomware: if you don't pay the ransom within the time allotted, it varies, most of them just, uh, with some they double it, so instead of paying one bitcoin you've got to pay two, etc. So based on this they may give you some places where you can go buy your bitcoins and pay them off with. You can click "check payment" and what it does is it tries to see if you paid the ransom or not. So when the decrypter is run it sends some information back to the C2, so what we did was we loaded up
something called Wireshark. There's other tools out there, like Microsoft Network Monitor; anything that captures traffic will show you stuff like this on the right. So what you see here is it's using a personal identifier sent back and forth between the victim and the C2, and some other information you see coming back is the wallet ID, the extension being used, how many hours are left, as well as the ransom amount. And then once again you'll see on the bottom here, I know it's hard to see this here, but if you look, the response is almost sort of attached to the first initial request. So if you look at it, like where the red sort of drops off
where I have that first arrow, then you'll see the response, so like the HTTP 200, there's a response from the server, and there's another POST from us, and then the next response from the server. It's kind of hard, you should probably look... yeah, yeah. So the decrypter does two POSTs. The first POST, to i.php, is just the victim's identifier, to inform the C2 which victim is trying to communicate with it, and the C2 will then respond with, like King had said, the Bitcoin wallet address, the four-character extension, just the things that we saw populated in the decrypter on the
previous slide. And then again it POSTs to c.php, which I believe stands for check, to see if the victim has paid, and it just responds with the wallet address. So the command and control was on Tor? Yeah, well, it's communicating over Tor, or wherever that server was, somewhere, right. So Tor is just like an anonymizing service, so it was communicating with onion... yeah, sorry, onion.link, so it's a way of getting at Tor services without having a Tor browser. So that's what they were doing. Yeah, because if you try to go straight to .onion without reception, I believe in the initial infection page, like if you
can't navigate to one of these four nodes or whatever they gave you, then they provide you with the link to download Tor. So the reason I was talking about before why it's important that the payload is .NET is because there's some very popular tools out there that allow you to sort of pull a lot of metadata out of there. With .NET it's similar to Java: when you compile Java code it turns into something called bytecode, so it's not straight native code that's running on the CPU. So basically what happens is it will compile to something called intermediate language, or IL, and IL contains so much metadata that we
get pretty much almost the same exact source code that the developer wrote, and in this case you can see we got pretty much everything back. They had a little bit of obfuscation, but not much. And so this right here you're seeing is the initial POST from the decrypter to the command and control, checking to see if we paid our ransom. So say you have a file on your computer, a txt file; once it's encrypted and you try to open it, you're going to see something like this. This is just the result of the AES encryption happening with the key we showed earlier. Now, those of you who took Jason Gilliam's class learned about things like... for these, all these other different
tools. Fiddler is another tool that we can do sort of man-in-the-middle attacks with. So what we can do here is, as you can see when we run the decrypter, on the right there, the first box you see where it says "decrypt traffic", what we're selecting there is the decrypter that's running, and then what we do towards the bottom here is break upon POST, because what happens is the decrypter is going to try to do an HTTP POST back to the C2 in an effort to sort of communicate. Playing on the fact that this actor, in my opinion, was new to the scene of malware: really shortly after the
campaign went live, the command and control went down and you were no longer able to download the decrypter, which just goes to show how not robust the infrastructure was in this case. So, like was being said, what we're about to do basically is act as the C2 and provide the decrypter with the data necessary to decrypt the victim's files. So you see it, we hit the break, it POSTed, and what we do here is we are supplying a .dat file. The reason we do that is, in the bottom right there, you can't really type stuff into Fiddler, so you have to supply a file with our data, and here
we're sending back data, pretending we're the command and control server, back to the decrypter running on the victim's machine. What we do, like he said, is we're gonna break on POST, so as the POST goes through, initially we crafted a .dat file, and you can "choose response" there, I can hardly read that checkbox, or drop-down box, but we were able to populate the .dat file with the data necessary for the decrypter to believe that we were the C2. And it was a lot of fun at first, like I was making it like 500 bitcoins and like negative seven hours to pay, and doing all these crazy things to see what the decrypter would do, so, uh, we had a little fun with
it first. The next response that we assumed was going to go back to the decrypter, since we weren't sure exactly, since the C2 went offline, was the key. So all we did was send back the key to the decrypter, and that's what you're seeing here in the bottom right: after another break on POST we choose a .dat file that contains the AES key, and it populates on the bottom right there, and then we can click "run to completion". And when we do that, you'll notice that on the bottom now we have what we didn't have before, where you see the decrypt single file and decrypt all files options: you have the ability to start the
decryption process. So basically what you just saw there is a similar technique a lot of hackers use to do a man-in-the-middle attack, except instead of doing it to a victim, we're actually doing it to this piece of ransomware. And if you see the decryption key that's been populated up there, we sort of put a box around it, and after running it we can see that we can get our text back from our particular file that was encrypted earlier. The reason this is important is because you can see some of the weaknesses that exist in some of the malware. Obviously this might help some people out there who are actually in the field; there are
certain ways that you can sort of protect users by knowing this sort of information. It's one of the reasons that we release information like this, to sort of share with the community what we found; it might be useful for others. And you know, as I go through and see some of these ransomware variants, we've seen a dramatic increase in the number of low-quality ransomware such as this. Like I said before, this particular piece of ransomware had source code from a Microsoft forum that was straight copied and pasted with a little bit of variation. A lot of people are not doing much work; they're taking some of those proofs of concept and they're making them into
their own ransomware campaigns in an effort, you know, to make a quick buck. So the second and third point, I'll point out that they're not really contradictory, because what I wanted to get at here was that teams of malicious actors will work together to continually progress their payloads with lower detection, and once, like I said earlier, once they have the encryption correct, all they really need to worry about is getting it onto the victim's computer and getting it to run. While I do expect to see more and more ransomware of lower quality as newer actors try to basically make money, or get a chunk of the
ransomware cake. Yeah, it's a mass blast thing, right: they don't care who they encrypt, they just want people to get encrypted. The reason people are banking on it now, and there is so much of it, is because it's working, and since it's working everybody's trying to get a piece of the pie, so they're sending out payloads like crazy in an effort to get... so even if they get four bitcoins they don't care. And what's funny is, if you actually go back and negotiate with them, I mean, you can be like, wow, I don't have four bitcoins, how about I pay you two? Like, a lot of them will actually take it and give you the decryption key, so keep
that in mind. So our non-shameless plugs: thanks to BSides Charleston for having us, we really appreciate it, guys. Thanks to PhishLabs for letting us take the time and giving us the resources to do the investigation on malware, and thanks to all of you for coming out here and checking out our talk today, we really appreciate it. Quick references. Questions, so far? Um, I'm trying to figure out or understand how the man-in-the-middle attack... So, as we saw, the initial key went across, right, because it was using symmetric encryption, so we saw the key go across during the original encryption. So it was trying to tell the C2, in the base64 encoded data, well, right here.
Yeah, so this first chunk right here is this "p=", that first chunk, it was probably hard for you to see, but it's "CDX" or whatever goes across there. So if you base64 decode that, the first value is the key, along with other metadata about the victim's computer. There is also a weakness in the algorithm, we didn't publish this, but we did find out there's about five different artifacts that it uses on the user's computer to generate the key. So knowing that as well, we don't necessarily need the key from this; there's another way we could get at the key by knowing certain information about the computer. Um, would it be the same... some of the, like
the MAC address was taken into account? Yeah, and the system time, I feel like. So yeah, they certainly took several values into account and basically threw them into a blender and spit out an AES key. Wonder my phone please like and harder... and why do you think they don't do that? Because, well, with asymmetric, right, the private key, or the key you need to decrypt, would probably be on the server. Yeah, so it's just a noobish way; it's easier to deal with symmetric key encryption when it comes to it, so I think they're just copying and pasting code, and in this effort they didn't need you to connect to the internet to start encrypting. A lot of those asymmetric
things, what they do is they generate the key pair on the command and control server, and then they grab a key from there and then they start encrypting. So in this particular case maybe they were worried that they wouldn't be able to encrypt certain... I don't know. Well, we thought about it; we released a generic decrypter that sort of helps, we might do a follow-up blog, but if we had the particular machine that was infected, with certain other information, say the time of infection, which we could easily get, we could recreate the key that was used to encrypt. So was this a solo programmer, do you think, the person? I feel
as if that was a solo operation. I just, like, I'm not gonna say, but I'm pretty sure I know who wrote it, and the reason is because it is someone in the community, in the field. Yeah, so you see that too, right, you see a lot of people in the field, like some people may be like, oh, like Jason pointed out, they're making all this money, I'm gonna try to get in on that. So you have your white hats and black hats, and you have the gray hats, sort of, this white hat hacker job by day, and by night they're writing cheap ransomware. It would be of the shittiest quality, right.
Yeah, like I said, a lot of ransomware, even if you look at Locky; Locky has made probably the most money in the ransomware field, and Locky is not a complicated payload, it's not very complicated at all. And the reason is because a lot of malware authors, even with banking Trojans, they're going to take the least amount of effort for it to run and get as many victims as possible. So say they expect their campaign to run for a day or two, and most of the victims are going to get hit the first day, so say it takes you three days to reverse their payload, they don't care, because by that time they've already spit out another binary with new
C2s, so they don't care if you reverse it or not. Okay, so these are guys that, you know, instead of doing a 9 to 5 job, that's throughout the pictures to do infinity rather, you know, there's plenty of money in it, you know. So I've done a lot of mobile in the past year, like actual mobile stuff, and the coolest mobile Android exploit that I've seen, so I haven't seen much iOS stuff, there's stuff out there, but it was an exploit kit delivering geohot's Towelroot exploit, which was a silent root back in 2014. So the problem with Android is, right, like a lot of them, they're stuck on previous versions, so
they were able to basically silently root the phone and then execute the payload as root, which was, I think, a locker, so it encrypted the phone. So mobile platforms are being targeted more, with craftier payloads coming out, which is kind of cool. Yeah, you can see a lot of the usage nowadays, most people use a mobile device, as stated earlier, so we expect to see a rise in those things, like IoT, mobile devices, though your Bluetooth toilets probably... sure. Push initiating situation. Thanks, guys.
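As an added illustration of the "DLL can move" check the speakers point at in CFF Explorer (this is not code from the talk, from the speakers or from PhishLabs), the following stdlib-only Python reads the DllCharacteristics field of a PE header and reports whether DYNAMIC_BASE (ASLR opt-in) is set, which is what an analyst would check before deciding whether a sample will load at its preferred base. The PE headers it builds for demonstration are constructed, not real samples; the flag value and header offsets follow the documented PE layout.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is the "DLL can move" bit shown in
# CFF Explorer. When it is clear, the loader maps the image at its preferred
# ImageBase every time instead of randomising it (ASLR opted out).
DYNAMIC_BASE = 0x0040


def dll_characteristics(pe_bytes: bytes) -> int:
    """Return the DllCharacteristics field from a PE image's optional header."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    (opt_size,) = struct.unpack_from("<H", pe_bytes, coff + 16)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", pe_bytes, opt)
    if magic not in (0x10B, 0x20B):           # PE32 or PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    if opt_size < 72:
        raise ValueError("optional header too short")
    (chars,) = struct.unpack_from("<H", pe_bytes, opt + 70)
    return chars


def aslr_enabled(pe_bytes: bytes) -> bool:
    """True if the image opts in to ASLR ("DLL can move" is checked)."""
    return bool(dll_characteristics(pe_bytes) & DYNAMIC_BASE)


def check_file(path: str) -> bool:
    """Read a PE file from disk and report whether it opts in to ASLR."""
    with open(path, "rb") as fh:
        return aslr_enabled(fh.read())


def build_sample_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not a real binary) for exercising the check."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf += b"PE\0\0"
    opt_size = 240 if pe32plus else 224
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    buf += struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(buf + opt)


if __name__ == "__main__":
    # Typical linker default (0x8140) versus the same bits with DYNAMIC_BASE cleared.
    for label, flags in (("default build", 0x8140), ("ASLR opted out", 0x8100)):
        sample = build_sample_pe(flags)
        print("%-15s DllCharacteristics=0x%04x ASLR=%s"
              % (label, dll_characteristics(sample), aslr_enabled(sample)))
```

Point check_file at a suspected sample: a result of False means the image will load at its preferred base every time, exactly the behaviour the talk describes.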