
Post on 27-Jul-2020



Ransomware in Action

Dorka Palotay, Threat Researcher, dorka.palotay@sophos.com

2017.03.28.

Agenda


• Introduction

• Cerber ransomware

• Demo: Cerber

Ransomware


• Ransomware restricts access to or damages the computer for the purpose of extorting money from the victim

Types of Ransomware


• Locker ransomware

• Crypto-ransomware

Crypto-ransomware


777, 7ev3n, 7h9r, 7zipper, 8lock8, ACCDFISA v2.0, AdamLocker, AES_KEY_GEN_ASSIST, AES-NI, Al-Namrood, Al-Namrood 2.0, Alcatraz, Alfa, Alma Locker, Alpha, AMBA, AngryDuck, Anubis, Apocalypse, Apocalypse (New Variant), ApocalypseVM, ASN1 Encoder, AutoLocky, AxCrypter, BadBlock, BadEncript, Bandarchor, BankAccountSummary, Bart, Bart v2.0, BitCrypt, BitCrypt 2.0, BitCryptor, BitStak, Black Feather, Black Shades, Blocatto, Booyah, BrainCrypt, Brazilian Ransomware, BTCamant, BTCWare, Bucbi, BuyUnlockCode, Cancer, Cerber, Cerber 2.0, Cerber 3.0, Cerber 4.0 / 5.0, CerberTear, Chimera, CHIP, CockBlocker, Coin Locker, CoinVault, Comrade Circle, Coverton, Cripton, CrptXXX, Cryakl, CryFile, CryLocker, CrypMic, CrypMic, Crypren, Crypt0, Crypt0L0cker, Crypt38, CryptConsole, CryptFuck, CryptInfinite, CryptoDefense, CryptoDevil, CryptoFinancial, CryptoFortress, CryptoHasYou, CryptoHitman, CryptoJacky, CryptoJoker, CryptoLocker3, CryptoLockerEU, CryptoLuck, CryptoMix, CryptoMix Revenge, CryptON, Crypton, CryptorBit, CryptoRoger, CryptoShield, CryptoShocker, CryptoTorLocker, CryptoWall 2.0, CryptoWall 3.0, CryptoWall 4.0, CryptoWire, CryptXXX, CryptXXX 2.0, CryptXXX 3.0, CryptXXX 4.0, CryPy, CrySiS, CTB-Faker, CTB-Locker, Damage, Deadly, DEDCryptor, DeriaLock, Dharma (.dharma), Dharma (.wallet), Digisom, DirtyDecrypt, DMA Locker, DMA Locker 3.0, DMA Locker 4.0, DMALocker Imposter, Domino, Done, DXXD, DynA-Crypt, ECLR Ransomware, EdgeLocker, EduCrypt, El Polocker, EncrypTile, EncryptoJJS, Encryptor RaaS, Enigma, Enjey Crypter, EnkripsiPC, Erebus, Evil, Exotic, Fabiansomware, Fadesoft, Fantom, FenixLocker, FindZip, FireCrypt, FLKR, Flyper, FS0ciety, FuckSociety, FunFact, GC47, GhostCrypt, Globe, Globe3, GlobeImposter, GlobeImposter 2.0, GOG, GoldenEye, Gomasom, GPCode, HadesLocker, HappyDayzz, Heimdall, HelpDCFile, Herbst, Hermes, Hermes 2.0, Hi Buddy!, HollyCrypt, HolyCrypt, Hucky, HydraCrypt, IFN643, iRansom, Ishtar, Jack.Pot, Jager, JapanLocker, Jigsaw, Jigsaw (Updated), 
JobCrypter, JuicyLemon, Kaenlupuf, Karma, Karmen, Kasiski, KawaiiLocker, KeRanger, KeyBTC, KEYHolder, KillerLocker, KimcilWare, Kirk, Kolobo, Kostya, Kozy.Jozy, Kraken, KratosCrypt, Krider, Kriptovor, KryptoLocker, L33TAF Locker, LambdaLocker, LeChiffre, LLTP, Lock2017, Lock93, Locked-In, LockLock, Locky, Lortok, LoveServer, LowLevel04, Magic, Maktub Locker, Marlboro, MarsJoke, Matrix, Meteoritan, MirCop, MireWare, Mischa, MNS CryptoLocker, Mobef, MOTD, MRCR1, n1n1n1, NanoLocker, NCrypt, NegozI, Nemucod, Nemucod-7z, Netix, Nhtnwcuf, NMoreira, NMoreira 2.0, Nuke, NullByte, ODCODC, OpenToYou, OzozaLocker, PadCrypt, PayDay, PaySafeGen, PClock, PClock (Updated), Philadelphia, Pickles, PopCornTime, Potato, PowerLocky, PowerShell Locker, PowerWare, PrincessLocker, PrincessLocker 2.0, Project34, Protected Ransomware, PyL33T, R980, RAA-SEP, Radamant, Radamant v2.1, RanRan, RansomCuck, RansomPlus, RarVault, Razy, REKTLocker, RemindMe, RenLocker, Roga, Rokku, RoshaLock, RotorCrypt, Roza, Russian EDA2, Sage 2.0, SamSam, Sanction, Satan, Satana, SerbRansom, Serpent, ShellLocker, Shigo, ShinoLocker, Shujin, Simple_Encoder, Smrss32, SNSLocker, Spora, Sport, SQ_, Stampado, SuperCrypt, Surprise, SZFLocker, Team XRat, Telecrypt, TeslaCrypt 0.x, TeslaCrypt 2.x, TeslaCrypt 3.0, TeslaCrypt 4.0, TowerWeb, ToxCrypt, Trojan.Encoder.6491, Troldesh / Shade, TrueCrypter, TrumpLocker, UCCU, UmbreCrypt, UnblockUPC, Ungluk, Unknown Crypted, Unknown Lock, Unknown XTBL, Unlock26, Unlock92, Unlock92 2.0, UserFilesLocker, USR0, Uyari, V8Locker, VaultCrypt, VenisRansomware, VenusLocker, VindowsLocker, Vortex, VxLock, Wcry, WildFire Locker, Winnix Cryptor, WinRarer, WonderCrypter, X Locker 5.0, XCrypt, Xorist, Xort, XRTN, XTP Locker 5.0, XYZWare, YouAreFucked, YouRansom, zCrypt, Zekwacrypt, ZeroCrypt, ZimbraCryptor, ZinoCrypt, Zyklon

https://id-ransomware.malwarehunterteam.com

Cerber

Cerber – Infection Vector


• Email attachment – Microsoft Office document

– Zip file containing: JScript, Windows Script File, VBScript

• Exploit kit – infected websites

• Ransomware-as-a-service

Cerber – Infection


• wscript.exe connects to C&C server and downloads payload (C:\users\worker\appdata\local\temp\exe1.exe)

• wscript.exe creates new process (C:\users\worker\appdata\local\temp\exe1.exe)
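The two steps on this slide (a script host reaching out to the C&C, then starting a freshly written executable from the user's temp directory) are a good detection anchor. The Python below is an added example, not part of the presentation and not Sophos tooling: it runs a small rule over constructed, Sysmon-style process-creation and network-connection records (the field names and the sample events are assumptions made for the example) and flags executables launched by wscript.exe or cscript.exe out of %LOCALAPPDATA%\Temp, raising the severity when the same script-host process made a network connection first.

```python
"""Flag the script-host -> dropped-executable chain from the slide.

Added example (not Sophos code). Events are constructed, Sysmon-like
records; the field names are assumptions chosen for the example.
"""
import ntpath
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Case-insensitive match for ...\AppData\Local\Temp\ anywhere in an image path.
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

# Constructed sample telemetry: script host started from an attachment,
# connects out, then starts exe1.exe from %LOCALAPPDATA%\Temp (the chain on
# the slide), plus one benign process start as a negative control.
SAMPLE_EVENTS: List[Dict] = [
    {"event": "process_create", "pid": 3120,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe", "parent_pid": 1480},
    {"event": "network_connect", "pid": 3120,
     "image": r"C:\Windows\System32\wscript.exe",
     "dest_ip": "203.0.113.7", "dest_port": 80},
    {"event": "process_create", "pid": 3188,
     "image": r"C:\Users\worker\AppData\Local\Temp\exe1.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe", "parent_pid": 3120},
    {"event": "process_create", "pid": 4100,
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "parent_image": r"C:\Windows\explorer.exe", "parent_pid": 1480},
]


def detect_script_host_dropper(events: List[Dict]) -> List[Dict]:
    """Return one alert per executable that a script host started from
    %LOCALAPPDATA%\\Temp. Severity is 'high' when that script-host process
    had already made an outbound connection (download-then-execute)."""
    beaconing_pids = set()
    alerts = []
    for ev in events:
        image_name = ntpath.basename(ev["image"]).lower()
        if ev["event"] == "network_connect" and image_name in SCRIPT_HOSTS:
            beaconing_pids.add(ev["pid"])
            continue
        if ev["event"] != "process_create":
            continue
        parent_name = ntpath.basename(ev.get("parent_image", "")).lower()
        image = ev["image"]
        if (parent_name in SCRIPT_HOSTS
                and TEMP_DIR_RE.search(image)
                and image.lower().endswith(".exe")):
            alerts.append({
                "pid": ev["pid"],
                "image": image,
                "parent": parent_name,
                "severity": "high" if ev.get("parent_pid") in beaconing_pids else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_script_host_dropper(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['parent']} spawned "
              f"{alert['image']} (pid {alert['pid']})")
```

On the sample data only exe1.exe is reported, at high severity because pid 3120 connected out before spawning it; fed the same events without the network record, the rule still fires but at medium severity, which is the behaviour to expect from endpoints where network telemetry is missing.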

Cerber – Encryption

"encrypt": {
    "files": […],
    "encrypt": 1,
    "max_block_size": 128,
    "multithread": 1,
    "rsa_key_size": 880,
    "min_file_size": 3072,
    "threads_per_core": 1,
    "bytes_skip": 1792,
    "divider": 262144,
    "network": 1
},
"global_public_key": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvkty5qhqEydR9076Fevp0uMP7IZNms1AA7GPQUThMWbYiEYIhBKcT0/nwYrBq0Ogv79K1tta04EHTrXgcAp/OJgBhz9N58aewd4yZBm2coeaDGvcGRAc9e72ObFQ/TME/Io7LZ5qXDWzDafI8LA8JQmSz0L+/G+LPTWg7kPOpJT7WSkRb9T8w5QgZRJuvvhErHM83kO3ELTH+SoEI53p4ENVwfNNEpOpnpOOSKQobtIw56CsQFrhac0sQlOjek/muVluxjiEmc0fszk2WLSnqryiMyzaI5DWBDjYKXA1tp2h/ygbkYdFYRbAEqwtLxT2wMfWPQI5OkhTa9tZqD0HnQIDAQAB-----END PUBLIC KEY-----"

Cerber – Encryption


• Generates an RC4 key for each file (128 bits or 256 bits)

• Generates an 880-bit local RSA key pair (earlier versions: 576 bits)

• Encrypts the per-file RC4 key with the local RSA public key

• Encrypts the generated local RSA-880 private key with the hard-coded global RSA-2048 public key

• New extension: .cerber, .cerber2, .cerber3, or 4 characters taken from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

• Encrypts files with 493 different extensions

Cerber – Encryption


Layout of an encrypted file (as shown on the slide):

• Unencrypted bytes

• Random bytes

• RC4 encrypted file contents (file size – unencrypted bytes – random bytes)

• RC4 encrypted information (file name, file creation time, last access time, last modification time)

• Local RSA encrypted information (RC4 key, filename length, number of blocks, bytes replaced by random)

• Global RSA encrypted local RSA key (256 bytes)

• Earlier versions used custom random number generator

• Weak RC4 keys

• It was possible to decrypt RC4 encrypted parts

• But RSA encrypted parts couldn’t be decrypted

• In newer versions this flaw is corrected
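The last five bullets describe a failure mode worth seeing concretely: when the per-file RC4 key comes from a generator with little entropy, a decryptor can recover it from a few bytes of known plaintext, while anything wrapped under an RSA public key stays out of reach. The Python below is an added example, not Cerber's code and not a Sophos tool: weak_key() is a hypothetical 16-bit-seeded generator standing in for the "custom random number generator" the slide mentions (the real generator is not described in the presentation), the victim file and its header are constructed, and recover_rc4_key() shows the decryptor's side of the flaw.

```python
"""Why a low-entropy RC4 key is recoverable while an RSA-wrapped key is not.

Added example, not Cerber's code. weak_key() is a hypothetical 16-bit-seeded
generator standing in for the "custom random number generator" on the slide;
the real generator is not described in the presentation.
"""
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def weak_key(seed: int, length: int = 16) -> bytes:
    """Hypothetical weak generator: a 16-bit seed driving an LCG. The key is
    128 bits long, but only 65536 distinct keys can ever be produced."""
    state = seed & 0xFFFF
    key = bytearray()
    for _ in range(length):
        state = (state * 1103515245 + 12345) & 0x7FFFFFFF
        key.append((state >> 16) & 0xFF)
    return bytes(key)


def recover_rc4_key(ciphertext: bytes, known_plaintext: bytes) -> Optional[bytes]:
    """Decryptor's view: try every possible seed and keep the key under which
    the ciphertext prefix decrypts to the known plaintext."""
    n = len(known_plaintext)
    for seed in range(1 << 16):
        candidate = weak_key(seed)
        if rc4(candidate, ciphertext[:n]) == known_plaintext:
            return candidate
    return None


# Constructed victim file: a PDF-like header followed by filler, encrypted
# under a key from the weak generator with seed 0x1234.
SAMPLE_PLAINTEXT = b"%PDF-1.4\n" + b"constructed document body " * 4
SAMPLE_CIPHERTEXT = rc4(weak_key(0x1234), SAMPLE_PLAINTEXT)
KNOWN_HEADER = b"%PDF-1.4"


def demo() -> bytes:
    """Recover the key from the header alone, then decrypt the whole file."""
    key = recover_rc4_key(SAMPLE_CIPHERTEXT, KNOWN_HEADER)
    assert key is not None, "no seed explains this ciphertext"
    return rc4(key, SAMPLE_CIPHERTEXT)


if __name__ == "__main__":
    print(demo()[:9])
```

The search succeeds because every key the generator can emit is enumerable. The local RSA private key, by contrast, was encrypted under the hard-coded global RSA-2048 public key: no randomness produced on the victim machine protects it, only the attacker's private key, so no seed search applies. That is why the RSA encrypted parts (and the per-file metadata kept under the local RSA key) stayed unrecoverable even when the RC4 parts fell.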

Cerber – C&C


• Cerber can encrypt offline

• Sends statistics to the C&C ranges listed in the "servers" section of the configuration:

"servers": {
    "statistics": {
        "data_finish": "{MD5_KEY}",
        "data_start": "{MD5_KEY}{PARTNER_ID}{OS}{IS_X64}{IS_ADMIN}{COUNT_FILES}{STOP_REASON}{STATUS}",
        "ip": ["149.202.64.0/27", "149.202.122.0/27", "149.202.248.0/22"],
        "port": 6892,
        "send_stat": 1,
        "timeout": 255
    }
}

Cerber – Configuration File


• Blacklist:

"blacklist": {
    "files": ["bootsect.bak", "iconcache.db", "ntuser.dat", "thumbs.db"],
    "folders": [
        ":\\$getcurrent\\", ":\\$recycle.bin\\", ":\\$windows.~bt\\", ":\\$windows.~ws\\",
        ":\\boot\\", ":\\documents and settings\\all users\\",
        ":\\documents and settings\\default user\\", ":\\documents and settings\\localservice\\",
        ":\\documents and settings\\networkservice\\", ":\\intel\\", ":\\msocache\\",
        ":\\perflogs\\", ":\\program files (x86)\\", ":\\program files\\", ":\\programdata\\",
        ":\\recovery\\", ":\\recycled\\", ":\\recycler\\", ":\\system volume information\\",
        ":\\temp\\", ":\\windows.old\\", ":\\windows10upgrade\\", ":\\windows\\", ":\\winnt\\",
        "\\appdata\\local\\", "\\appdata\\locallow\\", "\\appdata\\roaming\\",
        "\\local settings\\", "\\public\\music\\sample music\\",
        "\\public\\pictures\\sample pictures\\", "\\public\\videos\\sample videos\\",
        "\\tor browser\\"
    ],
    "extensions": [".bat", ".cmd", ".com", ".cpl", ".dll", ".exe", ".hta", ".msc", ".msi", ".msp", ".pif", ".scf", ".scr", ".sys"],
    "languages": [1049, 1058, 1059, 1064, 1067, 1068, 1079, 1087, 1088, 1090, 1091, 1092, 2072, 2073, 2092, 2115]
}

• Languages (the IDs in the list above): Russian, Ukrainian, Belarusian, Tajik, Armenian, Azerbaijani, Georgian, Kazakh, Kyrgyz, Turkmen, Uzbek, Tatar

Cerber – Configuration File


• Closes processes:

"close_process": {
    "close_process": 1,
    "process": [
        "agntsvc.exeagntsvc.exe", "agntsvc.exeencsvc.exe", "agntsvc.exeisqlplussvc.exe",
        "dbeng50.exe", "dbsnmp.exe", "fbserver.exe", "firefoxconfig.exe", "msftesql.exe",
        "mydesktopqos.exe", "mydesktopservice.exe", "mysqld-nt.exe", "mysqld-opt.exe",
        "mysqld.exe", "ocautoupds.exe", "ocomm.exe", "ocssd.exe", "oracle.exe",
        "sqbcoreservice.exe", "sqlagent.exe", "sqlbrowser.exe", "sqlservr.exe",
        "sqlwriter.exe", "synctime.exe", "tbirdconfig.exe", "xfssvccon.exe"
    ]
}

• Stops database processes so that their open files can be encrypted

Cerber – Configuration File


• Deletes shadow copies: "remove_shadows": 1

• Deletes itself: "self_deleting": 1

• Ransom note:

"help_files": {
    "files": [
        {"file_body": …, "file_extension": ".hta"},
        {"file_body": …, "file_extension": ".jpg"}
    ],
    "files_name": "_READ_THIS_FILE_{RAND}_",
    "run_by_the_end": 1
}

"speaker": {
    "speak": 1,
    "text": [
        {"repeat": 1, "text": "Attention! Attention! Attention!"},
        {"repeat": 5, "text": "Your documents, photos, databases and other important files have been encrypted!"}
    ]
},

"wallpaper": {
    "change_wallpaper": 1,
    "background": 139,
    "color": 16777215,
    "size": 13,
    "text": "... "
}

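The configuration fragments on the last few slides (the "servers" C&C section, the blacklist, the process kill list and the destructive flags) are what a responder mines first from a sample. The Python below is an added example, not Sophos code: it rebuilds an excerpt of the configuration from the slide fragments (lists shortened, file bodies omitted) and offers three checks on it: whether a given file would have been in scope, whether an observed destination IP falls in a configured C&C range, and a one-shot summary of the actionable fields. That folder entries are matched as case-insensitive substrings of the full path is an assumption made for this example; the presentation does not spell out the matching rule.

```python
"""Triage helpers for a Cerber configuration like the one quoted above.

Added example, not Sophos code. CONFIG_EXCERPT is rebuilt from the slide
fragments (lists shortened, file bodies omitted). Substring matching of the
"folders" entries is an assumption; the slides do not describe the rule.
"""
import ipaddress
import ntpath
from typing import Dict, Optional

CONFIG_EXCERPT: Dict = {
    "encrypt": {"max_block_size": 128, "rsa_key_size": 880, "min_file_size": 3072,
                "bytes_skip": 1792, "divider": 262144, "network": 1},
    "blacklist": {
        "files": ["bootsect.bak", "iconcache.db", "ntuser.dat", "thumbs.db"],
        "folders": [":\\$recycle.bin\\", ":\\boot\\", ":\\program files (x86)\\",
                    ":\\program files\\", ":\\programdata\\", ":\\windows\\",
                    "\\appdata\\local\\", "\\appdata\\roaming\\", "\\tor browser\\"],
        "extensions": [".bat", ".cmd", ".com", ".cpl", ".dll", ".exe", ".hta",
                       ".msc", ".msi", ".msp", ".pif", ".scf", ".scr", ".sys"],
        "languages": [1049, 1058, 1059, 1064, 1067, 1068, 1079, 1087,
                      1088, 1090, 1091, 1092, 2072, 2073, 2092, 2115],
    },
    "close_process": {"close_process": 1,
                      "process": ["mysqld.exe", "sqlservr.exe", "oracle.exe",
                                  "tbirdconfig.exe", "firefoxconfig.exe"]},
    "servers": {"statistics": {"ip": ["149.202.64.0/27", "149.202.122.0/27",
                                      "149.202.248.0/22"],
                               "port": 6892, "send_stat": 1, "timeout": 255}},
    "remove_shadows": 1,
    "self_deleting": 1,
    "help_files": {"files_name": "_READ_THIS_FILE_{RAND}_"},
}


def blacklist_reason(path: str, config: Dict = CONFIG_EXCERPT) -> Optional[str]:
    """Return why the blacklist spares a path ('file', 'extension' or
    'folder'), or None when nothing in the blacklist matches."""
    bl = config["blacklist"]
    lowered = path.lower()
    name = ntpath.basename(lowered)
    if name in bl["files"]:
        return "file"
    if ntpath.splitext(name)[1] in bl["extensions"]:
        return "extension"
    for folder in bl["folders"]:
        if folder in lowered:          # assumed substring match, see docstring
            return "folder"
    return None


def in_scope(path: str, size: int, config: Dict = CONFIG_EXCERPT) -> bool:
    """True when a file of this path and size would be encrypted under the
    configuration: at least min_file_size bytes and not blacklisted."""
    if size < config["encrypt"]["min_file_size"]:
        return False
    return blacklist_reason(path, config) is None


def is_statistics_destination(ip: str, config: Dict = CONFIG_EXCERPT) -> bool:
    """True when an observed destination IP lies in a configured C&C range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net)
               for net in config["servers"]["statistics"]["ip"])


def ioc_summary(config: Dict = CONFIG_EXCERPT) -> Dict:
    """Pull out the fields a responder acts on first."""
    stats = config["servers"]["statistics"]
    kill = config["close_process"]
    return {
        "c2_ranges": list(stats["ip"]),
        "c2_port": stats["port"],
        "sends_statistics": bool(stats["send_stat"]),
        "killed_processes": sorted(kill["process"]) if kill["close_process"] else [],
        "deletes_shadow_copies": bool(config["remove_shadows"]),
        "self_deleting": bool(config["self_deleting"]),
        "ransom_note_pattern": config["help_files"]["files_name"],
        "skipped_language_ids": list(config["blacklist"]["languages"]),
    }


if __name__ == "__main__":
    for key, value in ioc_summary().items():
        print(f"{key}: {value}")
    print(in_scope(r"C:\Users\worker\Documents\report.docx", 50_000))
```

in_scope() is the impact-scoping question ("was this share in the blast radius?"), is_statistics_destination() lets firewall or proxy logs be checked against the statistics ranges and port 6892, and ioc_summary() gives the detection team the process kill list and the shadow-copy deletion flag in one place. With the real configuration extracted from a sample, replace CONFIG_EXCERPT with the parsed JSON; the checks do not depend on the shortened lists.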
Cerber – Ransom Demand


Cerber – Ransom Payment

