RANSOMWARE

Ransomware is a type of malicious software that encrypts a victim's files and demands a ransom to decrypt them. It has evolved significantly since its origins in the 1980s. There are different categories, including locker ransomware and crypto/encrypting ransomware. Ransomware authors increasingly use techniques such as Tor and Bitcoin to evade detection while demanding the ransom. Mitigation involves frequent backups, awareness of the threats, and vigilance against the phishing attempts that enable ransomware infections. Ransomware poses an ongoing threat as criminals continue developing new variants to profit from this billion-dollar criminal industry.

Agenda

• Brief Intro

• Basic Categorization & Operational Anatomy

• History, Evolution & Future

• Mitigation
Brief Intro
• Malware
• Ransom, Kidnap
• Malware + Ransom = Ransomware

/ˈrans(ə)mwɛː/
noun
a type of malicious software designed to block access to a computer system until a sum of money is paid.

• Symmetric & Asymmetric Encryption


• Bitcoins/Litecoins/Ukash, etc.
• Phishing & Spam
• Tor
Basic Categorization…
• Locker/Non-encrypting Ransomware

• Crypto/Encrypting Ransomware
…Operational Anatomy


• MBR – Master Boot Record Ransomware
History & Evolution
• 1986 – “Brain”

• 1989 – AIDS / PC Cyborg
– Joseph Popp – via floppy diskettes – DOS-based

• 2005–08: GPCode / PGPCoder

• 2008 – GPCode.AK – RSA 1024-bit


• TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive.

• 2010 – WINLOCK or SMS Virus

• 2011 – First large-scale ransomware outbreak.

– New detections double to 60,000.
– The rise of anonymous payment services is another aiding factor.

• 2012 – Citadel ~ Lyposit -> Reveton & Urausy – Police Ransomware

• 2013 – Sept – CryptoLocker

• 2013 – CryptorBit

• 2013 – Dec – CryptoLocker 2.0

• 2014 – Feb – CryptoDefense

• 2014 – March–April – CTB-Locker – Curve~Tor~Bitcoin

• 2014 – April – CryptoWall

• May–July 2014 – Operation Tovar & Gameover ZeuS

• July 2014 – GoZ resurfaces – with Tor or other layered encryption



• 2014 – July – CryptoBlocker
– "Friendly" ransomware: did not harm files >100 MB and skipped Windows files
– Used AES; no instruction .txt
– Compiler files were intact

• Late 2014 – TorrentLocker


– Mix of CryptoLocker + CryptoWall, but still fully different code
– Spread via spam and used the Rijndael algorithm
– Bitcoins

• Early 2015 – CryptoWall replaces CryptoLocker as leading RW.
• April 2015 – CryptoLocker localized in Asia; reports of attacks in Malaysia, Korea & Japan.
• May 2015 – RaaS – Ransomware as a Service

• May 2015 - CryptoLocker.S version

• June 2015 – Resume Ransomware, Cryptowall 3.0


• Sept 2015 – RW starts targeting small–medium businesses rather than consumers
• Oct 2015 – $325 million – due to CryptoWall alone
• Late 2015 – CryptoWall 4.0 & Chimera Ransomware



• 2016 – Jan – along with TOX – Fakben, Radamant for RaaS

• 2016 – Jan – RaaS Ransom32 – fully developed in JavaScript, enabling multi-platform infections

• 7ev3n – demanded 13 bitcoins (~$5,000).

• 2016 Feb – WordPress hack

• 2016 Feb – Locky – infected Word files

• 2016 April – CryptoHost

• They continue to evolve…



• Locky – 2016


• July 2013 – Svpeng – Android mobiles

• April 2014 – Angler Exploit Kit & Koler.A – Android phones & PCs
– infected around 200,000 Android users, ¾ in the US

• Aug 2014 – Synolocker

• TeslaCrypt
– Targeted games and modified game files like user profiles and custom maps
– Examples: Call of Duty series, World of Warcraft, Minecraft
– Resembles CryptoLocker but was developed independently; uses a symmetric algorithm
– Newer version TeslaCrypt 2.0 fixed the initial flaws
– Nov 2015 – Kaspersky found weaknesses in 2.0, but kept them secret
– However, Jan 2016 – ver 3.0 released
– May 2016 – developers shut down TeslaCrypt and released the master decryption key. Phew!

• Sept 2015 – LockerPin, Android locker ransomware

• Sept 2015 – Linux.Encoder.1
– Exploited a flaw in Magento; uses RSA & AES
– Infiltrated British Parliament

• March 2016 – KeRanger for Mac
– Discovered by Palo Alto Networks
– Distributed through "Transmission", a BitTorrent client
– RSA encryption
– 7,000 infections

• …Ransom32 – first RW in JavaScript; multi-platform
Future
• TrueCrypter (late April)
• CryptXXX (mid April)
• 7ev3n-HONE$T (mid April)
• AutoLocky (mid April)
• Jigsaw (early April)
• CryptoHost (early April)
• Rokku (late March)
• KimcilWare (late March)
• Coverton (late March)
• Petya (late March)
• Maktub Locker (mid March)
• Nemucod .CRYPTED (mid March)
• Samas/Kazi (mid March)
• The Surprise (mid March)
• Pompous (early March)
• KeRanger (early March)
• Cerber (early March)
• CTB-Locker for web sites (mid February)
• Padcrypt (mid February)
• Locky (mid February)
• Umbrecrypt (early February)
• DMA Locker (early February)
• NanoLocker (late January)
• 7ev3n (late January)
• LeChiffre (mid January)
• Magic (mid January)
• CryptoJoker (early January)
• …


• Cryptoworms are a very real possibility

• As of April 2016 – FBI declared ransomware a billion-dollar business.

Mitigation
• Backup, backup & backup

• 3-2-1 Rule – create 3 backup copies on 2 different media with 1 backup in a separate location.
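An added example, not part of the original slides: a small Python audit that applies the 3-2-1 rule to a backup inventory and checks each copy against a SHA-256 manifest taken at backup time, so that a copy the malware could reach and overwrite is noticed before it is needed for recovery. The inventory, media names, paths and file contents are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class BackupCopy:
    name: str
    medium: str    # storage medium, e.g. "disk", "tape", "cloud"
    offsite: bool  # kept in a separate location
    files: dict    # path -> bytes; constructed stand-in for the copy's contents

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_321(copies):
    """Return the 3-2-1 rule violations (empty list means the rule holds)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    media = {c.medium for c in copies}
    if len(media) < 2:
        problems.append(f"all copies on one medium ({', '.join(sorted(media))})")
    if not any(c.offsite for c in copies):
        problems.append("no copy in a separate location")
    return problems

def verify_copy(copy, manifest):
    """Paths whose SHA-256 differs from the manifest taken at backup time, or
    which are missing: a copy that malware could reach and overwrite fails here,
    before anyone depends on it for recovery."""
    return sorted(p for p, h in manifest.items()
                  if p not in copy.files or sha256(copy.files[p]) != h)

# Constructed sample: manifest from backup time, three copies, one of them (an
# always-mounted NAS share) overwritten with unreadable content.
ORIGINAL = {"docs/q1.xlsx": b"quarterly numbers", "docs/notes.txt": b"meeting notes"}
MANIFEST = {path: sha256(data) for path, data in ORIGINAL.items()}
COPIES = [
    BackupCopy("local-disk", "disk", False, dict(ORIGINAL)),
    BackupCopy("nas-share", "disk", False,
               {"docs/q1.xlsx": b"\x8f\x11\xa2 garbage", "docs/notes.txt": b"meeting notes"}),
    BackupCopy("offsite-tape", "tape", True, dict(ORIGINAL)),
]

def audit(copies=COPIES, manifest=MANIFEST):
    """One report: rule status plus the files each copy can no longer restore."""
    return {"rule_violations": check_321(copies),
            "corrupt_files": {c.name: verify_copy(c, manifest) for c in copies}}

if __name__ == "__main__":
    print(audit())
```

In the sample the rule is satisfied, yet the NAS copy would fail a restore of q1.xlsx; counting copies alone does not tell you that.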

• Awareness & vigilance
