TRANSCRIPT
FIGHTING RANSOMWARE
Ștefan Tănase, Senior Security Researcher, Kaspersky Lab Bucharest,
Romania
Before we start, let me introduce myself!
GReAT
Elite threat research group.
Established in 2008, the Kaspersky Lab Global Research and Analysis Team
provides leadership in anti-threat intelligence, research and innovation.
Focus: APTs, critical infrastructure threats, banking threats, sophisticated attacks.
About myself
Ștefan Tănase - Senior Security Researcher
Joined Kaspersky Lab in 2007,
based in Bucharest, Romania.
Expert in web security, web-based
threats and sophisticated attacks.
Honeypots, web crawlers,
distributed computing, AI.
Often speaking at IT security conferences such as SAS, VB, RSA, AVAR
or IDC.
What is ransomware?
Definition
Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard drive (cryptoviral extortion, a threat originally envisioned by Adam Young and Moti Yung), while some may simply lock the system and display messages intended to coax the user into paying. Source: wikipedia.org
1. System Lockers
2. Data Encoders
Why ransomware?
Ransomware: Cryptors vs Lockers
[Chart: share of Lockers vs Cryptors, 5 years before vs now]
Gpcode: 1st ransomware
Gpcode marked the beginning of a new era in cyber crime
Origin: Russia
December 2004: the first variant of Gpcode
June 2005: new wave of attacks in Russia with more than 25 variants
January 2006: RSA encryption with a 56-bit key
6 June 2006: key length increased to 330 bits
7 June 2006: new variant with a 660-bit key
Cryzip/Mayarchive: forced archiving
Another blackmail technique
Creates password-protected ZIP files
Password exceeds 10 characters
Ransom request: $300
Krotten: screen blocker
A further development of the blackmail technique
The Trojan modifies the system registry to limit user actions:
Blocks access to the registry editor and task manager
Prevents browsers from being closed
Blocks access to files and folders
Changes the contents of the Start menu
Blocks the launch of the DOS command prompt, etc.
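Added example, not from the talk or from Kaspersky Lab: a defender-side check that parses a Windows .reg export and flags the policy values a screen blocker of this kind sets to restrict the user. The key paths and value names are real Windows policy locations; the sample export is constructed.

```python
import re
# Real Windows policy values a screen locker sets; text maps each to the slide's list.
LOCKER_POLICIES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System": {
        "DisableRegistryTools": "registry editor blocked",
        "DisableTaskMgr": "task manager blocked",
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {
        "NoRun": "Start menu Run item removed",
        "NoFolderOptions": "folder options blocked",
    },
    r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System": {
        "DisableCMD": "command prompt blocked",
    },
}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_export(text):
    """Parse a .reg export into {key_path.lower(): {value_name: int}} (DWORDs only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            continue
        val_match = _DWORD_RE.match(line)
        if val_match and current is not None:
            keys.setdefault(current, {})[val_match.group(1)] = int(val_match.group(2), 16)
    return keys

def find_locker_restrictions(reg_text):
    """Return (key, value_name, description) for each watched policy set non-zero."""
    findings, keys = [], parse_reg_export(reg_text)
    for key, watched in LOCKER_POLICIES.items():
        present = keys.get(key.lower(), {})
        for name, why in watched.items():
            if present.get(name, 0) != 0:
                findings.append((key, name, why))
    return findings

# Constructed sample export resembling what such a locker leaves behind.
SAMPLE_EXPORT = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFolderOptions"=dword:00000000
"""
```

A value explicitly set to 0 (NoFolderOptions above) and a watched value that is absent (DisableCMD) are both treated as "not restricted".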
Gpcode: the return
New wave of infection
June 2008: Using RSA 1024 bit
Data recovery no longer possible with data-recovery software such as PhotoRec
November 2010: new variants use RSA-1024 and AES-256
Fake-message lockers
Targets Internet-surfing victims
Locks the full screen (or the browser) and shows a ransom request
Geographically personalized
Personal information displayed (IP address, country, city, ISP, etc.)
Ransom request: €100
MBR ransomware
Overwrites the master boot record and demands a ransom for a password that restores the original MBR
After 3 incorrect passwords, the machine restarts and the same message appears
The data is not actually encrypted
Ransom request: $100
OSX ransomware
Proof of concept
No files are encrypted
This ransomware encrypts its own files but does not affect the user's
Displays a ransom demand, but the feature is inoperative