Hi everyone, my name is Blanca John. I have been working for Bitdefender since 2009, and I got to handle the cleaning of ransomware for about two years now. Together, in the next half an hour, we're going to look a bit at this threat and we're going to see what they're up to. I'll try to introduce a bit what happened in 2017 with this threat, and we're going to see how they got to build an entire business on top of cryptocurrency. We're also going to see what mistakes users are usually making, and also learn that ransomware authors have their own mistakes, and we'll draw some conclusions in the end.
So 2017 was a prolific year for ransomware. We got about 150 different families, at an average rate of about 12 different families per month, and these numbers do not include their subversions, so there are actually more. And we can actually clean at the moment about 10 percent of all of them. We have here a couple of the most widespread families. Those highlighted in black just can't be recovered, but are common at the moment and widespread. Those highlighted in green can be recovered, and at the moment we have some decryption tools for them, at least for some of their subversions, because they got updated in the meanwhile.
The one in blue, Satan ransomware, is known for its strong ransomware-as-a-service interface, and it's known for a lot of anti-analysis tricks. In fact, this ransomware has more anti-analysis tricks than all the others together. The families in orange have chosen to change the strategy for lateral movement, and since the beginning of 2017 we've seen these spread more on companies and not on common users, and I believe that they are spread by hand by their owners after they got to brute force some user account through the RDP protocol.
And we have another couple highlighted in red. Those got public attention, and our attention in a special way, starting with WannaCry. They include SMB exploits like EternalBlue or EternalRomance. In fact, they kind of inspired one another, starting with WannaCry. And Bad Rabbit, for instance, is also inspired by its predecessors which use disk encryption, like NotPetya, also called PetrWrap, and GoldenEye and Petya in the first place.
Okay, so let's see how this business was built up on cryptocurrency, because cryptocurrency developed at the same time as this kind of threat. Everything started with some kind of bad jokes, and between 2012 and 2014 we've seen these screen lockers, which are the roots of ransomware. This is an example of a screen locker with a message that is not well formed, so at the time when this message came up for a common user, he didn't know if he needed to cry or to laugh, because if you have some basic skills of how things work, you can easily bypass this kind of window.
This is another example of a screen locker. We called it IcePol, but in fact it's "police" split in half and reversed, because of the fake messages. It's more like scareware, which had something different than the others: it delivered the ransom note in the target user's language by checking the location based on the IP. And it's one of those who preferred Ukash and Paysafecard for the payment. This is not because cryptocurrency, bitcoins, did not exist at that time, but because they were not so popular, so I believe these guys did not know about this kind of monetizing at that time.
Okay, we have here another example of this kind. This is both a screen locker and a crypto-locker, the simplest yet. We called it ACCDF; in fact, it's not us who gave it this name. It appeared around 2015, and the guys behind this felt an urge to tell their affected users, the victims, how things work, because they had a lot of troubles with other affected users in previous versions. And somehow in this subversion they pushed an entire post on the ransom note, and we see at the top right corner the small scrollbar, so you have to read a bit, just like reading an end-user license agreement.
And this urge for the guys to talk to their victims and let them know how things work, we are still seeing it today. This is a series of four screenshots taken from Bleeping Computer. The red link at the top right, I believe it's still working, if you want to read the entire thread. It's about a guy who got affected by GandCrab ransomware in March, the second version. We created a decrypter for the first version, and somehow one of the bad guys behind this ransomware appears and tells him there is no way he can decrypt these files, he must pay the ransom.
And while exchanging some data, in fact the bad guy finds out (I don't know if it's visible at the bottom) from the user information structures sent while the ransomware gets executed on the affected user's system that his PC name contains IT right in the beginning. So he knows that the victim is some kind of network administrator and raises the fees, and says he has to pay about $800, while we didn't see users pay more than five hundred dollars without being special cases. Anyway, in the end the user knows that he is one of the bad guys, and the bad guy admits it.
Okay, so since the fall of 2016, after the third big Crysis ransomware campaign, when we thought that they just ended the campaign, we've seen in the spring of 2017 that they actually took a break to make some changes. And this time they did not deliver the ransomware to common people but to companies, and all the cases we have since then are just companies being infected with this kind of threat. And after they did that, a lot of ransomware borrowed the strategy, and others like GlobeImposter and BTCWare were also spread at the moment like this, because they know that a company will pay this ransom, and a user can easily choose not to pay.
So we have on the left side the common users, most of whom, I believe, will refuse to pay the ransom. They will get through with this at some point, and I also believe that most of them just can't afford to pay the ransom. And on the right side we have companies, which are somehow forced to pay this ransom if they don't have backups, because they will end up paying more to their users after telling them that they just lost their data.
And lately we have also seen some agreements between these ransomware and coin miners or botnets. And we have here a botnet which got to infect an entire network, and some of these botnets have some mechanism to exfiltrate sensitive user data. This is a screenshot taken from Corebot, and Emotet, for instance, can do such things, getting screenshots from time to time and analyzing them. For example, here we have a screenshot from a billing application. It's clear that not every user will use a billing application; you have to have some clients for this. And they say, hey, we got the company, we can do something about it if others are interested. And the guys behind ransomware are forced to sign up for this type of delivery, because in the end they make a deal, and the botnet infrastructure only becomes a way to deliver a package, just like a courier. And the company just gets infected with ransomware that way. The ransomware owner will be sure that they will pay the ransom.
Okay, so since 2015, starting with CryptoLocker, but more since the beginning of last year, we've seen an increased interest in ransomware as a service. This is some kind of noise level, at least that's the way I want to call it, because somehow ransomware creators got to bring some noise between them and the affected clients. If someone tries to track back the entire operation, they will eventually get to a user of this service and not the creator of the ransomware. So you will have a hard time getting your hands on the ransomware creator, but you will get at some point to know who delivered the package, because the ransomware user IDs found in binaries are linked with their cryptocurrency accounts and other types of information which they have.
This is some kind of business which ransomware owners are making up in order to be motivated. In the position of a ransomware user, as ransomware-as-a-service users, they get a big percent of all the income, about 70%, and the hacker, the owner of the ransomware, gets a small fee, about 30 percent. It's a range; not every ransomware has the same percentage, so it ranges between 10 and 30%.
This is an example of ransomware as a service for Satan ransomware, a screenshot taken from the dark web. The page ends with .onion, so you need Tor to access this kind of page. They say clearly here, I don't know if it's visible, but I can share this if required. They tell how things work. If you enroll as a ransomware-as-a-service user, you just need to sign up for this; you don't have to have a PC of your own, you don't have to have money to invest, you don't have to have anything. You just need to sign up and you just get 70 percent of all the income. This is suspect. No one asks why do I get 70 percent just like that? But I believe this is the noise level which basically hides the ransomware creators and keeps them in a safe place.
There are some mistakes which users usually make when facing this kind of threat, and these kinds of mistakes made by users also affect the company for which they work. Everything is based on what we call social engineering. Basically, it's exaggerated curiosity and maybe sometimes a lack of focus when surfing the internet. Also, most users don't use credentials at all, or they have weak ones. This is a gateway for those who are trying to brute force these accounts. Also, some companies which are in their beginnings maybe can't afford to hire someone to take care of the network infrastructure, and they believe that they can deal with it on their own, and not having someone with experience to face these kinds of situations, you just end up hacked, or you get your network penetrated by this kind of threat, and you just don't know what happened or how to deal with these kinds of things.
There are also users who have some contradictory behaviors. So they install some security solutions, and at the same time they believe that they can use cracked applications, download torrents, disable operating system updates and so on, just believing that, okay, my security product will protect me. Well, things don't work like that. What would you click if you got this popup in your web browser while surfing the internet on a usual day? I believe that most people just want to live by chance, by good luck and bad luck. They don't want to face the basics of logic, with what follows based on what I'm doing now. So maybe they believe that you can win something without playing. I don't know. I don't think that's the way things work.
I have a couple of hints for users who got affected by these kinds of threats, and for companies as well, actually. This list is very large, but I'm only highlighting some points. So users need to be more aware of what they're doing and to base their facts more on logic than on chance. You need to not click anything you see on your website, no matter what it says. You need to update your operating system as frequently as possible, and also your applications like Flash Player or Java, if you're using these kinds of applications. Also, credentials are a must for each of us, even if you are the only one who uses the computer. If you are connected to the internet, you cannot be just you; it's an entire community, and you're available for others and visible at the same time.
For companies, I suggest strong firewall rules, and also custom administrative policies. For instance, if you have a topology with endpoints, maybe you want to know if the security appliance at an endpoint is malfunctioning, and maybe in this case you want to isolate that system, no matter if your productivity lowers for a short amount of time.
Ransomware also has its mistakes, and I'm going to highlight two of them. One of them appeared in June last year in NotPetya, or PetrWrap. Some might say that they intended to do so, but if this was by intention, to damage the user data, then they would have continued with this kind of threat, but that was not the case. They did not correlate well the user IDs with what actually happened on encryption. Another case is GandCrab, which appeared in mid-January this year, and this ransomware affected only files larger than 4 gigabytes, because they did not read well the Microsoft documentation for the API.
So at the bottom right, it says something taken from the Microsoft site which tells that you have to use some parameters in the SetFilePointer function, both set to some values, when doing operations on files larger than 2 gigabytes, because the parameters are signed, and they did not read this at all. They're only increasing the file pointers, because they're doing read/write operations and encryption on the same file. They're only increasing the file pointers by what the read and write functions are increasing, and the operations are taking place on one-megabyte blocks. After 4 gigabytes, they're reading 1 megabyte and they're encrypting it and writing it on the second megabyte. So you're losing that data, and this process continues, and you're losing the odd chunks of one megabyte. It's kind of redundant information. When we created the tool for decryption and restoring the data, we found out that the user had on his larger files this kind of information two times: one time not encrypted, and right after, encrypted. So the odd chunks were lost for good.
Further, we're trying to see some kind of template for how this encryption is moving around these threats, and we're trying to see how we try to identify these. So one of these templates is based on creating a random key, uploading it to a server, and if this operation is successful, then starting the encryption. This is one of these, and at the bottom left corner we have a graphical user interface for this threat. Another type of template is downloading a key and applying it at encryption, and we've seen this on LockCrypt ransomware. This is how encryption works on WannaCry. This third template is based on RSA and AES, and WannaCry had three layers of encryption. The three layers were: the first one, a pair of keys used to encrypt a few files so the user can test decryption and see that it really works. And a second layer is a public key shipped with the malware, and it is used to encrypt another, third key generated locally. The private key is actually encrypted, and the public key is used to encrypt all the files. So if you want to decrypt your files, the application will upload the private encrypted key to the dedicated mother server, and then you will get back your private decrypted key.
Another template is using this kind of brute force, where hackers try to penetrate systems for weeks or months, and they don't hurry, and they eventually get access granted, when they manually deploy and bring down security products. And the final one, which is more a consequence and not a specific type, is based more on the lack of knowledge of new ransomware creators and their hurry to bring their binaries to their users. This is Nemucod ransomware, which we got to decrypt by analyzing only the encrypted data. We see here a repeating key which was used to encrypt only the first kilobytes of the file.
This is a page available online for identifying ransomware. You basically upload a ransom note or an encrypted file. We also have our own ransomware recognition tool, where you must provide the ransom note and possibly an encrypted file, and the application will give you some percentages. And if we have a decryption tool available, you'll see a blue link on the right side. These are two types of identifying this ransomware. On the left, we have a ransom note from BTCWare, and at the bottom we have a user ID, which is actually the encryption key encrypted with RSA 1024 bits. On the right, we have the structure of a file encrypted by Crysis ransomware. We see the original file name in the middle in Unicode format, and there are six lowercase letters which identify the subversion.
Well, we further expect this ransomware to increase, mainly because more and more users enroll in this ransomware-as-a-service program. Also, new malware creators show up and try to express their knowledge by introducing new threats. And we're also seeing a trend in automating these kinds of threats by increasing the productivity of binary deployment using, for instance, botnets, and also monetizing mechanisms. Thank you.
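A scaled-down Python model of the SetFilePointer mistake the talk describes for GandCrab and of the recovery it leaves possible. This is an added editorial example, not GandCrab's code and not the decrypter the speaker built; it assumes a toy XOR cipher in place of the real one and an 8-bit signed offset in place of SetFilePointer's 32-bit low DWORD, so the failure starts at byte 128 instead of at 2 GB, and it assumes the file length is a multiple of two blocks past that point.

```python
BLOCK = 4        # stand-in for the 1 MB block the talk describes
LIMIT = 1 << 7   # 8-bit model of the signed 32-bit limit (2 GB in real life)

def to_signed(value, bits=8):
    # Low `bits` as two's complement: SetFilePointer treats dwDistanceToMove this way when no high part is given
    value &= (1 << bits) - 1
    return value - (1 << bits) if value >= (1 << (bits - 1)) else value

def toy_cipher(block, key=0x5A):   # constructed stand-in; XOR inverts itself
    return bytes(b ^ key for b in block)

class SimFile:   # in-memory file with a current position, like a Win32 handle
    def __init__(self, data):
        self.buf, self.pos = bytearray(data), 0
    def seek_begin_low_only(self, offset):
        # Models SetFilePointer(h, (DWORD)offset, NULL, FILE_BEGIN): a negative distance fails, position unchanged
        dist = to_signed(offset)
        if dist < 0:
            return False
        self.pos = dist
        return True
    def read(self, n):
        chunk = bytes(self.buf[self.pos:self.pos + n])
        self.pos += len(chunk)
        return chunk
    def write(self, data):
        self.buf[self.pos:self.pos + len(data)] = data
        self.pos += len(data)

def buggy_encrypt_in_place(f):
    """Loop as the talk describes it: read at the current position, seek back to
    the block start, write ciphertext; the ignored failed seek shifts the write."""
    offset = 0
    while block := f.read(BLOCK):
        f.seek_begin_low_only(offset)      # silently fails once offset >= LIMIT
        f.write(toy_cipher(block))
        offset += BLOCK

def recover(damaged):
    """Below LIMIT decrypt normally; above it each even block survives in
    plaintext with its ciphertext in the next slot (verified), odd blocks are lost."""
    out, lost, off = bytearray(len(damaged)), [], 0
    while off < len(damaged):
        blk = damaged[off:off + BLOCK]
        if off < LIMIT:
            out[off:off + BLOCK] = toy_cipher(blk)
            off += BLOCK
        else:
            if toy_cipher(blk) != damaged[off + BLOCK:off + 2 * BLOCK]:
                raise ValueError(f"unexpected layout at offset {off}")
            out[off:off + BLOCK] = blk     # surviving plaintext copy
            lost.append(off + BLOCK)       # odd slot was overwritten: lost
            off += 2 * BLOCK
    return bytes(out), lost
```

Running the buggy loop over a 160-byte constructed file leaves bytes 0..127 properly encrypted and, from 128 on, the plaintext/ciphertext pairs the decrypter found in the field; recover() returns the even blocks intact and the offsets of the lost odd ones.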
I think we have time for just one question.
Hey, great talk summarizing all the kinds of ransomware. I just had a question about the persistence of ransomware. So what is the guarantee that after you have paid, the ransomware is out of your system? That it's not hooked into any of your internal structures, and it's not sitting there to decrypt, I mean encrypt, a file six months later on. How does it persist? How do you ensure that after paying, you have removed your infection, and it's not still persisting on your system?
If you don't have a security solution installed, maybe. Well, ransomware creators don't remove their threats after infection, but more than 90% of them just delete themselves after infecting our system. I don't know if we can talk about persistence, because they just want your money and they got the job done. If you catch it a second time, you most probably don't get infected by the same ransomware.
Okay, so most of the ransomware is not persistent?
Most of them are not. They don't use persistence mechanisms because they don't want to use you or extort you to the maximum. They just want something small from you.
Okay, cool. Thank you.
You're welcome. If there are any further questions, feel free to go and approach the speaker after. Well, let's thank our speaker again.