fighting ransomware · ransomware is a type of malware which restricts access to the computer...

FIGHTING RANSOMWARE Ștefan Tănase, Senior Security Researcher, Kaspersky Lab Bucharest, Romania

Post on 01-Aug-2020


Page 1:

FIGHTING RANSOMWARE

Ștefan Tănase, Senior Security Researcher, Kaspersky Lab Bucharest, Romania

Page 2:

Before we start, let me introduce myself!

Page 3:

GReAT: elite threat research group

Established in 2008, the Kaspersky Lab Global Research and Analysis Team provides leadership in anti-threat intelligence, research and innovation.

Focus: APTs, critical infrastructure threats, banking threats, sophisticated attacks.

Page 4:

About myself

Ștefan Tănase - Senior Security Researcher

Joined Kaspersky Lab in 2007, based in Bucharest, Romania.

Expert in web security, web-based threats and sophisticated attacks.

Honeypots, web crawlers, distributed computing, AI.

Often speaking at IT security conferences such as SAS, VB, RSA, AVAR or IDC.

Page 5:

What is ransomware?

Page 6:

Definition

Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard drive (cryptoviral extortion, a threat originally envisioned by Adam Young and Moti Yung), while some may simply lock the system and display messages intended to coax the user into paying. Source: wikipedia.org

1. System Lockers
2. Data Encoders

Page 7:

Why ransomware?

Page 8:

Ransomware: Cryptors vs Lockers

Chart: share of lockers vs cryptors, now compared with 5 years before.

Page 9:

Gpcode: the first ransomware

Gpcode marked the beginning of a new era in cyber crime.

Origin: Russia

December 2004: the first variant of Gpcode

June 2005: new wave of attacks in Russia with more than 25 variants

January 2006: RSA 56-bit encryption

6 June 2006: key length increased to 330 bits

7 June 2006: new variant with a 660-bit key

Page 10:

Cryzip/Mayarchive: forced archiving

Another blackmail technique

Creates password-protected ZIP files

Password exceeds 10 characters

Ransom request: $300

Page 11:

Krotten: screen blocker

Evolution of the blackmail technique

The Trojan modifies the system registry to limit user actions:

Blocks access to the registry editor and Task Manager

Prevents browsers from being closed

Blocks access to files and folders

Changes the contents of the Start menu

Blocks launching of the DOS command prompt, etc.

Page 12:

Gpcode: the return

New wave of infections

June 2008: using RSA 1024-bit

Data decryption not possible with data-recovery software such as PhotoRec

November 2010: new variants use RSA-1024 and AES-256
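The two Gpcode slides above describe a race in key length: 56-bit RSA in January 2006, then 330 and 660 bits, and finally 1024 bits, at which point decrypting the victim's data without the criminals' private key became impossible. The following is an added example, not code from the original deck: it builds a toy RSA key pair whose modulus is roughly 56 bits (the size the deck gives for the January 2006 variant), wraps a constructed file key under it, throws the private key away, and recovers it from the public key alone by factoring the modulus with Pollard's rho. The same routine makes no practical progress against a 1024-bit modulus, which is the point of the 2008 and 2010 slides. Textbook RSA without padding, toy key sizes, and the `toy_rsa_keypair`, `pollard_rho` and `recover_private_key` names are all assumptions of this example.

```python
"""Toy demonstration of why the Gpcode key-length race mattered (added
example, not from the deck): a ~56-bit RSA modulus is factored in well
under a second, handing a defender the private key; the cost grows with the
square root of the smaller prime, so RSA-1024 is out of reach."""
import math
import random

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; with these bases the answer is exact for n < 3.3e24."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Random odd prime with exactly `bits` bits."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def toy_rsa_keypair(modulus_bits: int, seed: int = 1):
    """Return ((n, e), (n, d)) with n of roughly `modulus_bits` bits.
    Fixed seed so the demonstration is reproducible."""
    rng = random.Random(seed)
    half = modulus_bits // 2
    while True:
        p, q = random_prime(half, rng), random_prime(half, rng)
        if p == q:
            continue
        n, phi, e = p * q, (p - 1) * (q - 1), 65537
        if math.gcd(e, phi) == 1:
            return (n, e), (n, pow(e, -1, phi))


def pollard_rho(n: int, seed: int = 1) -> int:
    """Return a non-trivial factor of composite n (Floyd cycle finding).
    Expected work ~sqrt(smallest prime factor): trivial for 28-bit primes,
    hopeless for the 512-bit primes behind an RSA-1024 modulus."""
    if n % 2 == 0:
        return 2
    rng = random.Random(seed)
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:  # d == n means the sequence cycled; retry with a new c
            return d


def recover_private_key(n: int, e: int):
    """Rebuild (n, d) from the public key alone by factoring n."""
    p = pollard_rho(n)
    q = n // p
    return n, pow(e, -1, (p - 1) * (q - 1))


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


# Constructed stand-in for the per-victim file key the malware would wrap.
SAMPLE_FILE_KEY = int.from_bytes(b"\x13\x37\xc0\xff\xee\x42", "big")


def demo_break_toy_gpcode_key(modulus_bits: int = 56) -> bool:
    """Wrap the sample key under a short RSA key, discard the private key,
    recover it from the public key, and check the wrapped key decrypts."""
    pub, _lost_private = toy_rsa_keypair(modulus_bits)
    wrapped = rsa_encrypt(pub, SAMPLE_FILE_KEY)
    recovered = recover_private_key(*pub)
    return rsa_decrypt(recovered, wrapped) == SAMPLE_FILE_KEY


if __name__ == "__main__":
    print("56-bit toy key recovered:", demo_break_toy_gpcode_key(56))
```

Raising `modulus_bits` shows the cost curve directly: each extra 2 bits of modulus adds about half a bit of work for Pollard's rho, so a 1024-bit modulus sits roughly 2^240 times further away than the 56-bit toy, which is why the deck's 2008 variant could no longer be undone by anyone but the key holder.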

Page 13:

Fake-message lockers

Victims: people surfing the internet

Locks the full screen (or the browser) and shows a ransom request

Geographically personalized

Personal information displayed (IP address, country, city, ISP, etc.)

Ransom request: €100

Page 14:

MBR ransomware

Overwrites the master boot record and demands a ransom to retrieve a password and restore the original

After 3 incorrect passwords, the machine is restarted and the same message appears

The data is not actually encrypted

Ransom request: $100
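Because an MBR locker replaces only the boot sector and leaves the file system data intact, a defender working from a disk image can both recognise the tampered sector and restore it from a trusted copy. The following is an added example, not code from the original deck: it assembles two constructed 512-byte sectors (a clean one with a single active partition, and a locker-style one whose bootstrap area holds a ransom text and whose partition table has been wiped) and runs a small set of checks over them: boot signature present, status bytes valid, at most one active partition, non-empty partition table, a printable-text heuristic over the bootstrap area, and a byte comparison against a known-good backup. The sample sectors, the 0.6 text-ratio threshold and the function names are assumptions of this example.

```python
"""Sanity check of a 512-byte master boot record (added example, not from
the deck). Sample sectors are constructed, not captured from real malware."""
import string

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"
PRINTABLE = set(string.printable.encode())


def build_mbr(bootstrap: bytes, entries, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a sector from bootstrap bytes and (status, type, lba, count) entries."""
    table = b"".join(
        bytes([status, 0, 0, 0, ptype, 0, 0, 0])
        + lba.to_bytes(4, "little") + count.to_bytes(4, "little")
        for status, ptype, lba, count in entries
    ).ljust(64, b"\x00")
    return bootstrap[:TABLE_OFFSET].ljust(TABLE_OFFSET, b"\x00") + table + signature


def parse_partition_table(sector: bytes):
    """Return the four entries as dicts (status, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        e = sector[off:off + 16]
        entries.append({
            "status": e[0],
            "type": e[4],
            "lba_start": int.from_bytes(e[8:12], "little"),
            "sectors": int.from_bytes(e[12:16], "little"),
        })
    return entries


def inspect_mbr(sector: bytes, known_good: bytes = None) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    if sector[510:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    entries = parse_partition_table(sector)
    active = 0
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"invalid status byte in partition entry {i}")
        active += e["status"] == 0x80
    if active > 1:
        findings.append("more than one active partition")
    if all(e["type"] == 0 for e in entries):
        findings.append("partition table is empty")
    # Heuristic (assumed threshold): real bootstrap code is machine code with
    # a few short strings; a ransom note stored in the clear is mostly text.
    code = sector[:TABLE_OFFSET]
    if sum(b in PRINTABLE for b in code) / TABLE_OFFSET > 0.6:
        findings.append("bootstrap area is mostly printable text")
    if known_good is not None:
        if code != known_good[:TABLE_OFFSET]:
            findings.append("bootstrap code differs from trusted backup")
        if sector[TABLE_OFFSET:510] != known_good[TABLE_OFFSET:510]:
            findings.append("partition table differs from trusted backup")
    return findings


# Constructed clean sector: a few real-looking opcode bytes padded with NOPs,
# one active NTFS-type (0x07) partition starting at LBA 2048.
GOOD_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100,
                     [(0x80, 0x07, 2048, 1_000_000)])

# Constructed locker sector: ransom text where the code was, partition table
# wiped, boot signature kept so the firmware still executes the sector.
RANSOM_NOTE = b"YOUR HARD DISK IS LOCKED. PAY $100 TO GET THE PASSWORD. "
RANSOM_MBR = build_mbr((RANSOM_NOTE * 10)[:TABLE_OFFSET], [])


if __name__ == "__main__":
    print("clean  :", inspect_mbr(GOOD_MBR, known_good=GOOD_MBR))
    print("locker :", inspect_mbr(RANSOM_MBR, known_good=GOOD_MBR))
```

The structural checks alone catch a crude locker that wipes the table; a locker that preserves the original partition table to keep the disk readable only trips the bootstrap-code comparison, which is why keeping a trusted copy of sector 0 (taken when the machine was known clean) is the check that matters, and the same copy is what gets written back to recover the machine without paying.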

Page 15:

OSX ransomware

Proof of concept

No files encrypted

This ransomware encrypts its own files but does not affect those of the user

Displays a ransom demand, but the feature is inoperative