Pirating Cyber Style Ransomware
Dec 16, 2015
Ransomware
- Stops the PC from running
- Often called “FBI Moneypak” or “FBI Virus”
- Two types:
  - Lock screen ransomware: locks the screen so the system cannot be used
  - Encryption ransomware: locks files so they cannot be accessed
- Uses scare tactics
- Goal: extort money from the victim
History
- PC Cyborg Trojan: created by Dr. Joseph Popp; released 1989; encrypted all files on the C drive
- Krotten: released 2006; disabled nearly all files; preyed on the Windows directory
History (continued)
- WinLock: originated in Russia; restricts access to the system; displays pornographic images
- Reveton: first seen in 2012; the “Police Trojan”; accuses the victim of engaging in illegal activity and demands that a fee be sent
History (continued)
- CryptoLocker: first seen 2013; uses a 2048-bit RSA key; the private key is held by the attackers, who threaten to erase it; most common infection mode is an e-mail attachment; will run in Safe Mode
CryptoLocker
- Found to have used 2764 unique victim IPs contacting the sinkholed domains
- The highest number was recorded on Wednesday, October 16, with 1266 unique IP addresses
CryptoLocker: Countermeasures
- Do not open attachments unless the source is verified
- Up-to-date antivirus (may be too late)
- Configure the system so CryptoLocker cannot run:
  - Block executables from running in the %AppData% directory
  - Block executables from running in the %AppData%\* directory
  - Block WinRAR attachments from opening: %Temp%\Rar\*.exe
  - Block 7zip attachments from opening: %Temp%\7z\*.exe
  - Block WinZip attachments from opening: %Temp%\wz*\*.exe
  - Block built-in zip support from opening: %Temp%\*.zip\*.exe
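As an added example that is not part of the original slides, the PowerShell below creates Software Restriction Policy “Disallowed” path rules for the locations on the countermeasures slide. It assumes an elevated shell, the local-policy registry layout the SRP snap-in writes (CodeIdentifiers\0\Paths\{GUID} with ItemData, SaferFlags and LastModified, as this example's author understands it), an assumed executable-type list, and that the “\*.exe” qualifier on the two %AppData% entries is this example's own choice.

```powershell
# Added example, not from the slides: SRP "Disallowed" path rules for the slide's locations.
# Assumes an elevated PowerShell on Windows; review in a test VM before deploying by GPO.
$SaferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = Join-Path $SaferRoot '0\Paths'          # security level 0 = Disallowed

function Initialize-SrpPolicy {
    # First-time setup: default level Unrestricted (0x40000), enforce for all users.
    if (-not (Test-Path $SaferRoot)) {
        New-Item -Path $SaferRoot -Force | Out-Null
        New-ItemProperty -Path $SaferRoot -Name DefaultLevel       -PropertyType DWord -Value 262144 | Out-Null
        New-ItemProperty -Path $SaferRoot -Name TransparentEnabled -PropertyType DWord -Value 1 | Out-Null
        New-ItemProperty -Path $SaferRoot -Name PolicyScope        -PropertyType DWord -Value 0 | Out-Null
        # Assumed extension list; the snap-in's default list is longer.
        New-ItemProperty -Path $SaferRoot -Name ExecutableTypes -PropertyType MultiString `
            -Value @('EXE','COM','SCR','PIF','BAT','CMD','VBS','JS','LNK','MSI') | Out-Null
    }
    New-Item -Path $Disallowed -Force | Out-Null
}

function Get-SrpDisallowRules {
    # Returns the ItemData (path pattern) of every existing Disallowed rule; empty if none.
    if (-not (Test-Path $Disallowed)) { return @() }
    Get-ChildItem $Disallowed | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
}

function Add-SrpDisallowRule {
    param([Parameter(Mandatory)][string]$Path, [string]$Description = '')
    if ((Get-SrpDisallowRules) -contains $Path) { return }   # idempotent: skip duplicates
    # Each rule is its own {GUID} key; ItemData is REG_EXPAND_SZ so %AppData%/%Temp% expand per user.
    $key = Join-Path $Disallowed ([guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0 | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord `
        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
}

Initialize-SrpPolicy
# The slide's paths; "\*.exe" on the two %AppData% entries is this example's choice.
@(
    @{ Path = '%AppData%\*.exe';    Description = 'Block executables in %AppData%' },
    @{ Path = '%AppData%\*\*.exe';  Description = 'Block executables in %AppData% subfolders' },
    @{ Path = '%Temp%\Rar\*.exe';   Description = 'Block executables opened from WinRAR archives' },
    @{ Path = '%Temp%\7z\*.exe';    Description = 'Block executables opened from 7zip archives' },
    @{ Path = '%Temp%\wz*\*.exe';   Description = 'Block executables opened from WinZip archives' },
    @{ Path = '%Temp%\*.zip\*.exe'; Description = 'Block executables opened from built-in zip support' }
) | ForEach-Object { Add-SrpDisallowRule -Path $_.Path -Description $_.Description }
Get-SrpDisallowRules    # verify which rules are now in place
```

Whether a logoff or `gpupdate /force` is needed before the rules take effect depends on the Windows build, so check with a harmless test file in %AppData% after applying; legitimate software that installs under %AppData% will need an explicit Unrestricted exemption.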
BlackHole Exploit Kit
- Launched in late 2010 by a Russian hacker
- Currently the most popular exploit kit
- MySQL backend
- Auto update
- Contains many recent Java exploits
- Contains an exploit for CVE-2012-1889 (MS XML), a 0-day at the time
- Good JavaScript obfuscation
- Many different payloads can be carried
BlackHole Exploit Kit: August to September 2012 Payloads
(chart in the original; payload categories shown)
- Money collecting
- Information stealing
- Click fraud
Conclusions
- Best option: avoid getting infected
- Keep good backups, even in homes
- Avoid paying the ransom; paying only encourages more ransomware / malware
References

History:
- http://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx
- http://nakedsecurity.sophos.com/2013/02/26/technical-paper-exploring-the-history-and-technology-of-ransomware/
- http://www.computerweekly.com/news/2240102909/Ransomware-and-computer-blackmail-viruses-a-history
- http://ezfimblog.com/2013/10/28/cryptolocker-rears-its-ugly-head-a-history-of-ransomware/
- http://www.theoaklandpress.com/lifestyle/20131103/how-to-break-your-computer-free-of-ransomware

Reveton:
- http://threatpost.com/reveton-ransomeware-adds-password-purloining-function

CryptoLocker:
- http://www.virusbtn.com/blog/2013/11_18.xml?rss
- http://www.securelist.com/en/blog/208214109/CryptoLocker_Wants_Your_Money
- http://www.thirdtier.net/downloads/NewCryptolockerWarning.pdf
- http://www.thirdtier.net/downloads/CryptolockerWaystoaddExemptions.pdf

Blackhole:
- http://nakedsecurity.sophos.com/2012/03/29/exploring-the-blackhole-exploit-kit/
- http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/
- http://krebsonsecurity.com/tag/blackhole-exploit-kit/
- http://nakedsecurity.sophos.com/2012/11/30/technical-paper-blackhole/
- http://nakedsecurity.sophos.com/2013/01/16/technical-paper-black-hole-2/
- http://media.blackhat.com/bh-us-12/Briefings/Jones/BH_US_12_Jones_State_Web_Exploits_Slides.pdf