Ransomware - City University of New York · web.math.jjay.cuny.edu/abstracts/KinWong.pdf · Kin (Sam)...

Posted on 12-Jun-2020


Ransomware

2

Speaker

● Kin (Sam) Wong, CEHv9

● Worked in

Public and Private Sectors

● Ethical Hacking w/ AI

3

Learn

● Ransomware

– Who

– What

– Where

– When

– Why

– How

4

Ransomware (noun)

● “A type of malicious software designed to block access to a computer system until a sum of money is paid.”

– https://en.oxforddictionaries.com/definition/ransomware

5

Ransomware - When

2017 - WannaCry

Symmetric

Asymmetric

6

Ransomware - Who

HACKER

Business

VICTIMS

Medical

Home

.Gov

Hacker Wannabe

7

Ransomware - What

Footprint

Design Malware

Send to Victims

Exploit System (Max $$$)

Lock System

Pay-Per-view (Public Key)

8

Ransomware Algorithm

● Symmetric Key

– One-time pad (Encrypt Data)

● Asymmetric Keys

– Public Key (Encrypt One-time pads)

– Private Key (Decrypt Public Key List)

START → LOCK FILE w/ OTP → LOCK OTP w/ Public-K → Unlock Public-K w/ Private-K → END
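The lock/unlock flow on this slide, as an added Python example (not code from the deck): a toy, in-memory implementation of the hybrid scheme, using a random one-time pad to lock the data and textbook RSA with tiny constructed primes (p = 61, q = 53, e = 17) to wrap the pad. It shows the property the slide relies on: the pad, and therefore the data, is only recoverable with the private exponent, which is why the defensive answer later in the deck is backup/recovery rather than key recovery.

```python
import secrets

# Toy textbook RSA key pair: constructed for illustration only, far too
# small for real use, and no padding scheme is applied.
P, Q = 61, 53
N = P * Q                              # modulus 3233
E = 17                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent 2753 (Python 3.8+)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR data with an equally long random pad.
    XOR is its own inverse, so the same call locks and unlocks."""
    if len(pad) != len(data):
        raise ValueError("pad must be exactly as long as the data")
    return bytes(a ^ b for a, b in zip(data, pad))


def rsa_wrap(pad: bytes, e: int = E, n: int = N) -> list:
    """LOCK OTP w/ Public-K: encrypt each pad byte under the public key.
    Every byte is < n, so each one is a valid RSA message block."""
    return [pow(b, e, n) for b in pad]


def rsa_unwrap(wrapped: list, d: int = D, n: int = N) -> list:
    """Unlock w/ Private-K: decrypt each block with the private exponent.
    With the right d every value is back in 0..255."""
    return [pow(c, d, n) for c in wrapped]


def lock(plaintext: bytes):
    """START -> LOCK FILE w/ OTP -> LOCK OTP w/ Public-K.
    Returns (ciphertext, wrapped_pad); the raw pad is discarded."""
    pad = secrets.token_bytes(len(plaintext))
    return otp_xor(plaintext, pad), rsa_wrap(pad)


def unlock(ciphertext: bytes, wrapped_pad: list, d: int = D):
    """Recover the pad with the private exponent, then XOR the data back.
    A wrong d yields values that are not even bytes, so return None."""
    recovered = rsa_unwrap(wrapped_pad, d)
    if any(v > 255 for v in recovered):
        return None
    return otp_xor(ciphertext, bytes(recovered))


if __name__ == "__main__":
    sample = b"constructed sample record"       # constructed input
    ct, wrapped = lock(sample)
    print("ciphertext differs from input:", ct != sample)
    print("unlock with private key:", unlock(ct, wrapped) == sample)
    print("unlock with wrong key:", unlock(ct, wrapped, d=1))
```

The symmetric-only variant from the "When" slide would be the same code with the `rsa_wrap` step removed, leaving the pad itself on the machine; the asymmetric step is what removes that recovery path.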

9

Ransomware Source Code

10

Ransomware - Where

Exploit

Phishing E-MAIL

Download

11

Phishing Email

PLZ Sign in?

OK

Got U,$%&#!

HACKER

HACKER

USER

12

Exploit

● Exploit

– Hack the Web Browser (Entry Point)

● Buffer/Heap Overflow

● Web Application Injection

● Privilege Escalation

– Weak File Privilege

– Entered → Run Exploit → Get Root → Domain Admin

CEO

HACKER / USER

13

Advanced Exploit

● Jackpot

– Obtains Domain Admin privilege then infects all enterprise computers.

● Saudi Arabia State Oil Company (Cover-Up)

– Malfunction Oil Grids = Oil Price (>$80)

– Record Deleted = Free Oil (Millions $$$)

14

Download

Step 1

Step 2

Step 3

Download

15

Ransomware - Why

FTP

SICK

GF

16

Ransomware - How

● Bitcoin (Entry) → ShapeShift.io (Money Laundering) * 7X (TOR) → Bitcoin (Exit)

● Bitcoin (Ransom) → Ethereum (Silkroad) → Litecoin (Blackdeath) → Monero (Childporn) → Bitcoin (Clean Money???) → Cash (Exit)

● Math

– Fee (5%)

– 7 * 5% = 35% commission

LESS IS MORE?? FACE ↔ FACE

7X

VPN

17

Easy Ransomware Prevention

● Antivirus (Best Practice?)

– Drive-by Download

– Embedded In Pirate Software

● Patch Management/Exploit Mitigation

– Web Browser Exploit

– System Exploit (Priv. Esc.)

● Training

– Phishing Email / Weak Password

18

Bypass AV

● Compiler (Maybe)

– VS .NET (C#), VSCC and GCC (C and C++)

● Interpreter (Maybe)

– PowerShell, Ruby, Python, Perl, Java, NodeJS

● More Tricks

– 7-ZIP (SFX) + UPX (Packer)

“Our AV does not cover all assembly types” – AV Sales Guy

19

Windows AppLocker

https://youtu.be/Z2-Sjw9UYdU

How to Configure AppLocker in Windows Server 2012 R2

20

Backup / Recovery

CLOUD

OFFSITE

INTERNAL

21

Bye Bye

● Questions/Comments

● Contact

– Email: Kin.Wong@jjay.cuny.edu

– Text: 646.461.0067

Ethical Hacker