
Weapon Of Mass Destruction: A Look At The Ransomware Pandemic

BSides Charlotte · 2020 · 40:00 · 38 views · Published 2020-10
Category: Technical
Style: Talk
About this talk
The use of ransomware has taken organizations by surprise. While most organizations have dedicated staff to minimize and reduce the attack surface for such threats, the malware is still successful. Once infected, the attack has huge impacts on an organization's business and its ability to operate. In some cases, organizations pay the fee to return their systems to normal. In other cases, organizations take to remediating the attack by restoring backups or seeking to reverse the encryption used through internal means. In this talk, we will dive into the ransomware epidemic and its effect on organizations. Additionally, we will look at defensive measures an organization can take to limit their chances of becoming a statistic and the headline on the evening news.
Transcript [en]

Hello everyone, and welcome to BSides Charlotte. This is my talk, Weapon of Mass Destruction: A Look at the Ransomware Pandemic. I'm Fernando Tomlinson. All right, so a little bit about myself: I've been with the Department of Defense for about 19 years, I'm a cyber security adjunct professor, also a technology consultant with Reliable Cyber Solutions, and I'm a PowerShell enthusiast. There's a number of sites on which I have a presence, so if you're looking to connect you can find me there. All right, here's our agenda today. And then as we begin this and really get started, I would be remiss if I didn't talk about the different malware types.

So as we talk about viruses, right, nothing more than a piece of code that's capable of copying itself; or worms, you know, items that replicate themselves in order to spread across other machines; you know, we have things like key loggers, right, that essentially track and record a person's keystrokes. And then we kind of get to the point where we have ransomware, and it itself is designed to deny access to a system or data until a ransom is paid. Now that's a very quick and upfront definition of it, but really let's look at what other people in our field seem to say about it. And as we look at these people, all reputable entities in our field, they all pretty much stay the same. Although their words are slightly different, the summary of it all is that it is all the same, and they all have had their fair share dealing with ransomware, as a service in which they provide the people to remediate.

So targets. Who are the targets of this ransomware? Well, typically it's home users and businesses. Why is it home users? Well, because they typically don't have any backups, right. They have little to no cyber security education. They typically don't keep their software up to date. They don't have the need, or fail to invest in, cyber security solutions that would prevent such things from happening. And then businesses, right, that's where all the money is. So if I'm an attacker, that's where I'm going to get the biggest payoff, so it would make sense that businesses would be here. Smaller businesses are often unprepared to deal with advanced cyber attacks, right. Systems and companies are often complex and prone to vulnerabilities that can be exploited, and really it becomes businesses having a lot more to lose, as one would say, and this is why people tend to target them.

So why is this ransomware thing even a thing? Well, authors instill fear and panic into their victims. This causes people to do things they typically wouldn't do. Well, you're holding my data for ransom and I can no longer access it; I want this feeling to cease, so I'm willing to pay a ransom, or I'm willing to do whatever it is that you want me to do. Intimidating messages could also instill fear in people: hey, your computer has been visiting illegal content, and to unlock it you must pay a hundred dollar fine. All right? Wrong, right? And different people don't want to find themselves in such a position where they're faced with things like that. And it's also lucrative when we look at stuff like cyber extortion. That's mainly why ransomware is a thing.

And the impact of it all? Well, there's temporary or permanent loss of sensitive proprietary information, disruption to regular operations. Nobody wants that, especially if I'm an organization where our main revenue is based on a service or good that we provide; any disruption to that could have fatal consequences to the organization. It could also harm the organization's reputation. Nobody wants to lose stock or investments or anything having to deal with the organization. So again, the impacts are rather huge and large in this aspect.

The common vectors? Well, typically spear phishing; vulnerability exploitation, what is publicly facing that can be exploited to gain a foothold in the organization to then privilege escalate ourselves later on; maybe some poorly secured services that, you know, have some remote execution or some other bounds check that isn't fully done; and then there's a number of other infections. But when we look at the breakdown of the top three, phishing, software vulnerability, RDP compromise, we see RDP overwhelmingly leads the front here. Anything that's really publicly facing and accessible, that people can just continuously try to tag at until they gain access, becomes a vector.

And really when we look at ransomware there's two types. We have lockers, right; they essentially deny access to a specific machine. They're more easily removed because they're essentially putting a window in front of the rest of our data, preventing us from accessing it. We have cryptos; those are the things that are actually encrypting the files and stuff on our machine. It requires some reversing of the process to be able to get it back. Now where crypto really wins out is with people who don't utilize backups in an offline manner, right, because now people find themselves in such a place where they are more prone to pay the fee because they have no other way to get that data back.

Now with all that being said, we'll take a trip back down memory lane, right, because we all recognize ransomware is a thing, but let's take a little history lesson to really understand where it came from. Well, back in 1989 Dr. Joseph Popp had the AIDS ransomware, and essentially he had 20,000 copies of it distributed on a floppy disk, right, labeled AIDS Information Introductory Diskette. It had surveys on it, but it also replaced the autoexec.bat, right; and essentially the autoexec.bat in earlier Windows machines contained instructions of what to execute when an operating system was booting up. And it would lay dormant until the 90th reboot, at such time it would begin to hide directories and rename files. Now the ransom here was labeled a licensing fee, and it was in the sum of roughly $189 or $378. Now we didn't have a lot of technology then like we do today, so the person requested that they send a cashier's check or money order to a PO box in Panama. Now this didn't last long, and this guy was actually booked and charged in the United Kingdom, and was extradited to the United States. Now interestingly enough, he tried to claim that the money would be donated to AIDS research, and really it wasn't, and that wasn't his plan.

So as we look at that, we had a number of other things happen, and then we find ourselves in roughly 2008, and this is when Bitcoin started to become a thing: anonymous, secure, instant, not regulated. Super perfect for extortion. Now we say all this because this starts to lead into the payment of choice after that, and really in present day.

So we have this one, which we've seen in roughly 2012. It exploits a vulnerability in the browser, largely targeted folks who were looking at adult sites, and it redirected them to like a beef server of sorts. The payment was roughly three hundred dollars; they wanted it in a prepaid card. The tactics, right, trying to intimidate people, so they would be presented with a screenshot kind of like what we see on the right here: FBI Crime Division, right, just trying to insinuate fear in people. Now after it was done with everything it did, it would try to harvest passwords, right. This was post payment, so it was bad enough that it would lock you out of your system, prevent you from accessing this stuff, and that you paid a fee, but following that it would then try to steal passwords. Now this one was easily removable because we could boot into safe mode and remove the registry key and be good to go. So essentially it was just presenting the window which prevented us from accessing our actual machine, of sorts. Now if that screenshot isn't enough for you, it also had another one where it tried to act as if it was part of the National Security Agency, again doing everything it could to instill fear in the people whose system it was being run on.

Then we had CryptoLocker, right. This was first seen somewhere around 2013. It typically used email as a vector. It began to do encrypting of files; this was kind of the first time we started seeing this tactic truly being done. It was about 70 file types that it looked to do, and it used asymmetric encryption, so we had a private key, we had a public key of sorts. Now it also utilized DGA, a domain generation algorithm, where it had a subset of domains that weren't registered, but then at certain times those domains would get registered, and then as it would go down this list of domains to try to contact, it would get to one that's finally registered and then it would try to communicate with that system as a C2. At the time it infected over 250,000 machines, and this was really a big deal when we think about the time in which this was happening. Now it also propagated over the Gameover Zeus botnet, but in 2014 this was taken down and the keys were recovered from the C2 server and given to those who fell victim to it.

Then we had TorrentLocker somewhere around 2014, and this was mainly seen overseas, Australia, New Zealand area. Primarily spread through email, it also encrypted, but what it looked to do was harvest email addresses on the system as a method to then turn around and send emails to other people within your contact list to be able to propagate itself. It also sought to delete volume shadow copies; so that's something inherent to Windows where they would take essentially snapshots of the volume and files of sorts. The ransom was somewhere around 500 dollars in Bitcoin, and then guess what, every receiver differs for each victim, so there was multiple different variations of this.

We had TeslaCrypt somewhere around 2015, and what was interesting about this is this is the first one that actually also targeted gaming systems or data, right. It also utilized email and vulnerable servers as vectors. This one was somewhere around 185 file extensions that it would seek to encrypt; the gaming data that it would look for is about 40 extensions, and then the ransom was somewhere around 550 dollars in Bitcoin. So if you found yourself as one of these die-hard gamers using PC as a gaming platform, TeslaCrypt would also look to target you to go after that data. Imagine a person who's near the end of World of Warcraft and now their system gets encrypted; that becomes data that is so valuable, maybe, to the person who owns it that they may pay this ransom because they want it back. So this ransomware looked to take advantage of that. In 2016, though, this was decommissioned, and it was so abrupt, right; the developers just stopped propagating it, they switched to other efforts, the decryption key was released, so it became something readily accessible to those who fell victim to it.

2016 we see Locky. Locky really focused on Microsoft Office products. Now this was interesting because when we look at the screenshot there, we clearly see that macros have been disabled, right, and we see the option there that we can check to re-enable them. But within the document in red we see "enable macro if the data encoding is incorrect." Well, the authors of this purposely typed that in so no matter what it would look garbled up, which then would have people enable macros thinking that they were actually fixing the problem, and instead what they were doing was infecting themselves. Now this document, distributed via botnet, had over five million devices, right. What's interesting is that this is one piece of ransomware, like many others, that doesn't affect certain language packs, right, so trying to stay away from geographic areas and/or certain dialects in languages that people speak. Now again this was interesting because the macros are already disabled; the machine is trying to get you to disable, I'm sorry, enable it for the sake of infecting your machine. And largely how this whole scheme of maneuver, if you will, worked is: the attacker would send an email, the user would open the email and the attachment, the user would enable the macro, right (the system would already be protecting you because it would have macros disabled, likely, and then you would be infecting yourself by enabling macros), a binary is downloaded and executed, your backups are deleted and files are encrypted, right, and then we see the ransom note that's presented to you when this happens.

Petya, seen in 2016, overwrote the master boot record and then blue screened you, forcing you to restart. A fake CHKDSK would then run, and at that time it would seek to encrypt the master file table. This would block access to the entire machine, not just your files. So this was kind of interesting because you had the same effect of encrypting specific files as you would with just denying access to the whole drive. This was given a ransom of roughly 300 or so, and what's interesting when we look at the chart there is there is overwhelmingly one country that was infected more than some of the other ones, so we might seek to think that this was a targeted type of attack, or maybe not.

So also from that we had WannaCry. This was shortly after, 2017. Affected over 300,000 machines in roughly 150 countries, and it propagated via the SMB exploit of MS17-010, to be exact, right. Caused over a billion dollars in damages, primarily focused on Windows 7, and we see the ransom. Now what's interesting is you had like an introductory rate when it came to the ransom, because days after that, that fee would go up, right; it would almost double. It also threatened to delete your data if your payment wasn't received within a week. And what was really significant about this, and really how it died off somewhat quickly, was a reverse engineer was able to find the kill switch domain in the code, and he went out there and registered that domain, right. It was the biggest outbreak in history, but it could have been a lot worse if it wasn't for that. And this breakdown is as such, right: it arrives via exploit against MS17-010, the file delivered via exploit, it runs as a service, drops the malware, and then it encrypts the local and shared files, somewhere around 176 file extensions. You'll know kind of clearly what you've been hit with because the extension will be .WNCRY, right, for WannaCry.

Then we have Maze, right, first seen in 2019. Delivery through spam email, exploit kits, and then really here fairly recently it was delivered through post compromise, right, so post exploitation if you will. They also have the capability to encrypt via a virtual machine, so instead of this payload running directly on a system it would deploy a virtual machine, somewhere to the tune of like 1.5, 1.9 gigs, in VirtualBox, and then it would have access to the host machine and then encrypt like that, as a method of bypassing measures and going undetected. Now it nearly targeted every industry of sorts, and we can kind of see that with the chart off to the right; or not necessarily the chart off to the right, that's going to speak more to the countries that were affected by this ransomware. But more interesting than not, the actors maintain a public-facing website as a method to further embarrass, if you will, companies. So they will post stolen data from victims that refuse to pay. So you're either going to pay and we're going to give you the decryption key and you're going to get your data back, possibly, or you're not going to pay and we're going to post your data online. That is ruthless, and we still see Maze being used today.

Now I'll stop here for a minute, all right, and we'll address the definition of pandemic. All right, because to this point we've talked a little bit about the significance of ransomware, we've talked about the history of it. Now there are hundreds, maybe thousands, of variants of ransomware; we only talked about eight or so of them. But really with this talk being about ransomware and a pandemic, well, what are we talking about here? Looking at the definition: pandemic, adjective, prevalent throughout an entire country, continent, or the whole world. So when we look at what ransomware is hitting, it isn't specific to a state in the United States, it isn't specific to the United States as a whole; it is something that the entire world is dealing with, and it's only gonna progressively get worse, as it has really over the last five years.

So some numbers from the FBI: 2015, 8,000 complaints, reported loss of 275 million; 2017, 301,000 complaints, 1.4 billion; just last year, 467 thousand, 3.5 billion. It's just gonna keep getting worse. Now here's some statistics from 2019. 50 percent of 582 surveyed cyber professionals don't believe their organizations are prepared to even deal with a ransomware attack. That's scary; that's also interesting. Average cost of a ransomware attack on businesses was a hundred and thirty three thousand. Phishing emails, as we've articulated, as an initial vector increased by 109 percent from 2017. Now of all the malware attacks, ransomware is behind 56 percent of them. 99 percent of ransoms were paid in Bitcoin; we've already articulated why that is the case. Now if this is from 2019, this year is only gonna get worse; it has been worse. The pandemic on coronavirus and everything else happening hasn't had people just stop trying to do ransomware attacks; it's actually increased, right.

So here's some more staggering statistics. The average incident lasts 9.6 days. The decrypter is supplied 96 percent of the time after payment. Let's digest that for a minute. So somebody could get hit with ransomware, they could pay the ransom, and 96 percent of the time they would even get the decrypter. Wow, imagine that. That has successfully recovered 93 percent of the time with the decrypter; even worse. So I don't have a 100 percent chance of getting the decrypter after payment, but even if I get it, there's a 93 percent chance that it will actually work. Now those are high numbers, but what if you're in that four percent or in that seven percent? That's gotta hurt. Now a new organization fell victim every 14 seconds in 2019; it was projected that by 2021, 11 seconds, of sorts.

Let's look at some of the United States industries that are affected. All right, we got roughly 966 organizations that we'll use here. Of those, 11.7 percent were state and municipal governments and agencies, 79 percent were health care providers, right, which would kind of make sense; you hit them the hardest because they may have the biggest, or the largest amount, to lose. Now some of the outcomes: emergency patients had to be redirected to other hospitals, wow; medical records were inaccessible and in some cases permanently lost; 911 services were interrupted; surveillance systems went offline; jail doors could not be remotely opened; schools could not access data about students' medication or allergies. I would tell you, you already know this: ransomware authors are ruthless; they only see money.

So here's some state governments that were affected. City of Atlanta, March 2018: the ransom two thousand dollars; they didn't pay. They did not want to set the precedent that they would concede to such behavior. Instead the recovery cost them roughly, or over, 17 million dollars, right. Jackson County, Georgia: ransom 400,000; they paid it. It had an effect on law enforcement database and control. City of Baltimore: 75 thousand; they did not pay; the recovery cost 18 million dollars, right; they added an insurance plan to cover 20 million dollars. Riviera Beach, Florida: 600,000; they paid it. The attack shut down city websites, email server, building system. They ended up investing 900,000 into new hardware to rebuild the IT infrastructure. Although they paid it, they still had other issues, and now they call themselves posturing themselves for the next time. Lake City, Florida: 460 thousand dollars; they paid it. Email system, 911 dispatches affected. New Bedford, Massachusetts: 5.3 million, 5.3 million; they did not pay it. They actually attempted to negotiate here, but that didn't work out. It was 158 workstations that were affected; that turned into roughly four percent of the city's computers, if you will.

Now when we look at private sector, health care, education, we have stuff like the Wood Ranch medical facility. The ransom amount was unknown; over 5,800 records; the backup server was encrypted; the organization ended up going out of business. Campbell County Health: unknown ransom, don't even know if they paid it. Surgeries were canceled, ER patients were transferred, they were forced to stop accepting new inpatient admissions, right. The Heritage Group: ransom amount unknown; after 60 years of business they ended up having to close their doors, 300 employees left without a job just before Christmas. Let's look at the school system. Louisiana public schools: several public schools hit, affected 10 percent of the 5,000 servers and over 1,500 computers. We got the Rockville school district: ransom 176,000; they negotiated to 88,000. The insurance cost about 10,000 in deductible, right. But again, these things that are being hit are key infrastructure, key items that take a toll on our daily lives: you know, our government, the healthcare, schools. Again, ransomware authors are ruthless. It's just gonna keep getting worse.

Now there's a group of people who are looking at this and they're like, man, this is horrible, I want to help, I want to do something about it. Awesome. There's also another group of people that's like, man, that's awesome, I wish I had the skills and ability to really do this. And it's kind of sad, but if you're the latter group of folks, there's something for you: there's ransomware for the less skilled. So there's open source ransomware, and then there's ransomware as a service, right. So when we look at stuff like Stampado, lifetime access; cost you, Philadelphia, 380 for an unlimited license, and they even have a YouTube video, right. We have stuff like Satan: you can customize your ransomware, pick your amount, add your Bitcoin address, what have you; the sky's the limit. Now the authors of this are going to keep 30 percent, and then here's a close-up of our configurations of what we can do. So as somebody who's not skilled in this, I can keep 70 percent of my profits, and I'm paying 30 percent to the makers of this service that I'm going to be utilizing.

Now some may feel, hey, you know what, ransomware is dangerous, not really a thing I'm concerned about, because I don't use Windows, so I'm safe. Well, that's false, right, and what we see here is that there's a ransomware for nearly every platform, all right. So we see some Linux, macOS, iOS, we see Android. So macOS Patcher, somewhere around 2017, disguised itself as a patch for applications like Microsoft Office, Adobe Pro, things that you probably wouldn't get off a torrent site and want to get for free. So this patch would essentially be patching the software so you could have access as if you paid for it, but instead it would be holding your system for ransom. Ransom was roughly 300. We have KeRanger, right. It essentially utilized the Transmission application, and this is nothing more than like a BitTorrent client for macOS. So they had compromised it, and on the version of Transmission on the site, the official site, with the developer-signed certificate, when you downloaded it and installed it, it would hold your system for ransom of sorts. So again, taking over a legitimate binary from a legitimate site with a developer certificate: download, install, your system wouldn't think anything about it because it has a legitimate certificate from a trusted entity, and that's how it was getting around things.

So if you're now terrified because of ransomware as a whole, understanding that there's different operating systems and variants as far as systems you can go after, and you know, you're like, wow, okay, well what's next? Here's some more for you: ransomware of the future, right, the Internet of Things. So when we look at the picture, we got stuff like microwaves, you know, vacuum cleaners, thermostats, cameras, all these things that are connected. You know, there's a reason why we don't see security in like Internet of Things, because one would argue that they're not secure, but they have so much access and they become so much a part of our lives that we could envision that this would be the next wave of things. And when I say the future of ransomware, I mean the now of ransomware. So there was a pen tester at DEF CON 24 that successfully compromised a connected thermostat. They locked out the device until the ransom was paid; they had the ability to change the temperature on the device. Wow. If that's not enough for you, let's check this out. So we had an LG TV that is running Android OS, and it was hit with ransomware. This ransomware would pretend to come from the FBI. The ransomware would charge you 500 in ransom, but LG would charge you 340. Okay, 340 for LG to help me, 500 for the ransom. In the end LG just provided the reset steps because they didn't want to lose customers and everything else. But your TV is hit with ransomware. Wow. The future is now, right.

And if that's not scary enough, let's look at the breakdown of Internet of Things by the year 2025. We see business and manufacturing leading the way, essentially, with approximately 40 percent, transportation with 4.1 percent. This is only going to increase. Technology is a great thing for the user, but it's also a great thing for ransomware authors and really criminals at large. So if now you're not feeling safe, right, because ransomware is literally everywhere, right, and you're trying to tell yourself you'll be okay, I think not, right. So let me now help you.

Let's talk about the five stages of ransomware. The first one: denial, right. What do you mean we got hit with ransomware? You're joking, right? Nobody will find out about this; we can keep it under wraps. You're in denial that it actually happened. And then you get to the point where you're just angry: you're telling me this worm made its way into every system, including the backups? Right, you went from denial to anger about it. Then you kind of start bargaining: can the FBI help with this? Please, God, help us get our data back. Right, because you become almost desperate a little bit. Then you fall into depression: oh, this is probably the end of my career; our share price is down 30 percent. And then the last one, you just become accepting of it, right: let's go ahead and pay them. We all follow these stages of grief in a number of things in our life, but they ring true when it comes to ransomware.

Now here's the mitigation techniques, or some call this the playbook. This is going to sound cliché; you probably have heard this before, but it's the simple things that work. Take backups, test the backups, store them offline. Do not store them on the same network in which your data is traditionally flowing, because if it gets infected they're just going to move laterally to affect your backups; again, they're going to try to get rid of those backups because they don't want you to be able to revert back to them so quickly. Don't click on links, attachments, anything unknown, unexpected in emails, right. You want to implement filters. You want to educate users; you want to do it regularly and you want to do it very often. You want to utilize some type of security software to give multi-layered protection. Employ application whitelisting if you can; that way you can explicitly say these binaries can execute, nothing more, nothing less. Where applicable, where possible, employ least privilege; that way we don't have things like privilege creep, or people being able to do more than what they should. You want to make sure you enforce unique and strong passwords, don't allow them to be reused, and you want to rotate those frequently. And last but not least, we want to make sure we keep our operating system up to date; make sure we're updating from trusted resources; validate hashes where applicable.

Now here's some other mitigations and techniques that we can use from the perspective of resources online. KnowBe4 has the ability to install a ransomware simulator on your machine. It doesn't encrypt anything, but it tests for 16 types of scenarios. This works with Windows 7 and newer. If we look at the screenshot here, it will go through your system and identify files that it could encrypt if it was actually ransomware, gives you an idea of the state in which you reside in, whether your intrusion detection system detected it or nothing was detected of sorts, so giving you a glimpse into that. We also have No More Ransom. This assists with identification of it. So you're likely always going to have your files encrypted; there's probably going to be some ransom note. But if you have no idea what's what, you can take aspects of those things and be able to upload them to No More Ransom, and it will help you identify it. There's also about 123 decrypters on there that will help you decrypt your ransomware if you've been hit. ID Ransomware: same thing, helps you with the identification of the ransomware that has hit you; roughly over 800 ransomware variants on there, so you can quickly identify the ransomware that's hit your system.

Now we've all seen this pyramid of pain, right. How do we get after this pandemic, right, because it's not going anywhere? Well, again, at the bottom, the larger, the easier it is, right. We want to get to the top of that pyramid of pain to really affect ransomware, and really the tactics that people use, right. Well, how could we do that? Well, we can start to map out that cycle, if you will; use MITRE or whatever you feel most comfortable with to really map out some of the things that ransomware authors do. We'll see in some cases they utilize the same TTPs; in other cases it may slightly vary. So as we look at this example, initial access: we have Maze ransomware, and then we also have RobbinHood using RDP brute force. Okay, do I have anything RDP accessible where somebody could take advantage of this, right? Same thing with credential theft, lateral movement, persistence, right. If you're lucky enough, you'll see stuff like Mimikatz being used, and you'd be able to not only identify it but stop it, and then you'd be able to say what stage in the campaign somebody is at. By the time they get to the payload part it's already too late, because that's the point where they're doing the payload of the ransomware. But if we could identify it early on, we may be able to stop it, and this is where cyber security programs with multi-layered defense come into play.

So as we round this out and really sum everything up here: why should you pay? Well, the FBI has previously stated the easiest path is to pay. You'll get your files back, and I put there "maybe," because we've already articulated that there's cases in which those decrypters don't work, right. It might be cheaper in the long run; it's articulated with Atlanta and a number of other cases. Now conversely, why should you not pay? Well, US-CERT and the FBI clearly say no, which contradicts the previous one. I recognize that it seems cheaper, but it's really not, because you'll have to do some form of disclosure, and that's not cheap, right. You're probably going to lose some stock; you're probably going to lose some customers. And there's also a target on your back: if you pay once, you'll probably pay again, whether it's the same people coming back at you or somebody else now trying to target you. And again, there's no guarantee you'll get your files back, and when we do this, the criminals, they win.

All right, so what to do if you've been hit with ransomware? Contact a cyber security specialist. Research the variant on your own; check out some of those sites I mentioned and a number of other things online; you may be able to kind of service yourself, if you will. Take the machine offline. Make sure you change all passwords. And wait; wait as long as you have to, right. It may feel like a knee-jerk reaction to hurry up and try to get your data back and pay or do whatever it takes, but you need an opportunity to really think through the best avenue. But lastly, if you take heed to things like, you know, the passwords, the updates, making sure you're not downloading stuff from specific sites, and the attack surface, reducing that, you may not find yourself in this position.

I'll say this: 2020 has been a trying year for all of us. So many people are affected by the coronavirus in many, many ways. Ransomware is really no different; whether we're affected with it firsthand, we're probably two to three, if not five, entities removed from it. There's no end in sight with ransomware, but each of us can do our part to limit its success. With that, I'll bring it to the end. This presentation will be on my website at that link. Any other programs and stuff that I make, you'll see on my GitHub, and if you want to keep in touch and just have like-minded conversations about anything cyber security related, you can find me on Twitter at wired posts. With that, thanks for your time. I look forward to meeting each and every one of you one day. Thanks.
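The speaker's closing argument is to map ransomware sightings onto campaign stages so that a catch at initial access (RDP brute force), credential theft (Mimikatz) or backup destruction (shadow copy deletion) comes before the payload stage, when it is already too late. The detector below, an added example and not code from the talk or from any product, runs that mapping over a constructed event stream; the event schema, the thresholds, the host name and the 203.0.113.7 source address are all assumptions, and the .WNCRY marker extension is the one named in the talk.

```python
"""Stage-aware ransomware TTP detection over a constructed event stream.

Added example, not code from the talk or from any product. The event
schema (one dict per event), the thresholds and the sample events are
assumptions chosen to illustrate the speaker's point: map each sighting
to a campaign stage, because a catch at initial access is worth far more
than one at the payload stage.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stage labels follow the talk; the ATT&CK technique IDs are the real ones.
RULES = {
    "rdp_brute_force":      ("Initial Access",    "T1110 Brute Force"),
    "credential_theft":     ("Credential Access", "T1003 OS Credential Dumping"),
    "shadow_copy_deletion": ("Impact",            "T1490 Inhibit System Recovery"),
    "mass_encryption":      ("Impact",            "T1486 Data Encrypted for Impact"),
}

# .wncry is the WannaCry marker named in the talk; the other two are constructed.
RANSOM_EXTENSIONS = {".wncry", ".locked", ".crypt"}


def _in_window(bucket, ts, window):
    """Drop timestamps older than `window` from the deque, append ts, return count."""
    while bucket and ts - bucket[0] > window:
        bucket.popleft()
    bucket.append(ts)
    return len(bucket)


def _finding(rule, ts, host, detail):
    stage, technique = RULES[rule]
    return {"rule": rule, "stage": stage, "technique": technique,
            "ts": ts.isoformat(), "host": host, "detail": detail}


def detect(events, window=timedelta(minutes=5), rdp_threshold=10, rename_threshold=20):
    """Scan events in order; return one finding per rule trigger, in detection order.

    Windowed rules fire exactly once, when the count reaches the threshold, so a
    finding's timestamp is the moment an analyst could first have acted.
    """
    findings = []
    rdp_failures = defaultdict(deque)   # src_ip -> recent RDP logon failures
    renames = defaultdict(deque)        # (host, pid) -> recent ransom-extension renames
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        kind = ev["kind"]
        if kind == "logon_failure" and ev.get("logon_type") == 10:   # 10 = RemoteInteractive (RDP)
            n = _in_window(rdp_failures[ev["src_ip"]], ts, window)
            if n == rdp_threshold:
                findings.append(_finding("rdp_brute_force", ts, ev["host"],
                                         f"{n} RDP logon failures from {ev['src_ip']} within {window}"))
        elif kind == "process_create":
            image, cmdline = ev["image"].lower(), ev["cmdline"].lower()
            if "mimikatz" in image or "mimikatz" in cmdline:
                findings.append(_finding("credential_theft", ts, ev["host"], ev["cmdline"]))
            if image.endswith("vssadmin.exe") and "delete" in cmdline and "shadows" in cmdline:
                findings.append(_finding("shadow_copy_deletion", ts, ev["host"], ev["cmdline"]))
        elif kind == "file_rename":
            new_ext = "." + ev["new_name"].rsplit(".", 1)[-1].lower()
            if new_ext in RANSOM_EXTENSIONS:
                n = _in_window(renames[(ev["host"], ev["pid"])], ts, window)
                if n == rename_threshold:
                    findings.append(_finding("mass_encryption", ts, ev["host"],
                                             f"{n} files renamed to {new_ext} by pid {ev['pid']}"))
    return findings


def earliest_stage(findings):
    """Stage of the first finding: where this campaign could have been cut off."""
    return findings[0]["stage"] if findings else None


def sample_events():
    """Constructed stream: brute-forced RDP logon, credential theft, shadow copy
    deletion, then encryption of a file share. Host and address are made up."""
    t0 = datetime(2020, 10, 3, 2, 0, 0)
    ev = []
    for i in range(12):   # 12 RDP failures in under two minutes from one source
        ev.append({"ts": (t0 + timedelta(seconds=10 * i)).isoformat(), "kind": "logon_failure",
                   "logon_type": 10, "src_ip": "203.0.113.7", "host": "FS01"})
    ev.append({"ts": (t0 + timedelta(minutes=2)).isoformat(), "kind": "logon_success",
               "logon_type": 10, "src_ip": "203.0.113.7", "host": "FS01"})
    ev.append({"ts": (t0 + timedelta(minutes=9)).isoformat(), "kind": "process_create", "host": "FS01",
               "image": r"C:\Users\Public\mimikatz.exe", "cmdline": "mimikatz.exe", "pid": 4120})
    ev.append({"ts": (t0 + timedelta(minutes=31)).isoformat(), "kind": "process_create", "host": "FS01",
               "image": r"C:\Windows\System32\vssadmin.exe",
               "cmdline": "vssadmin.exe delete shadows /all", "pid": 4188})
    for i in range(25):   # rapid renames to the WannaCry marker extension
        ev.append({"ts": (t0 + timedelta(minutes=32, seconds=i)).isoformat(), "kind": "file_rename",
                   "host": "FS01", "pid": 4200,
                   "old_name": f"Q3-report-{i}.xlsx", "new_name": f"Q3-report-{i}.xlsx.WNCRY"})
    return ev


if __name__ == "__main__":
    found = detect(sample_events())
    for f in found:
        print(f"{f['ts']}  {f['stage']:<18} {f['technique']:<32} {f['detail']}")
    print("First catch at stage:", earliest_stage(found))
```

The first finding lands on the tenth RDP failure, about thirty minutes before the shadow copies go and the renames start, which is the gap the speaker says a multi-layered program has to exploit.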