CYBER EXTORTION
Coming to a Computer, near you.
Varun Nair
#whoami
• B.Tech from RGPV, Bhopal.
• For food and shelter, I work with Essar Group, Mumbai.
• 5 years of experience in Security.
• Trainer for Mumbai Police, ICAI and other educational institutions.
AGENDA
• Introduction to Cyber Extortion.
• Cryptolockers
• Facts and Figures
• Case Study-KRIPTOVOR
• Preventive Measures
What is Cyber Extortion?
History & Types
• Extortion in the physical world.
• Cyber Extortion in the business world
• Denial of Service
• Cryptolockers
• Leaking of Data
• Destruction of Data
Who does Cryptolocker target?
• Government
• Corporates
• Individuals
Why is it getting bigger?
What percentage of victims pay ransom?
• 0.1%
• 11%
• 25%
• 41%
• 52%
A whopping 41%
Decide
CRYPTOLOCKER OVERVIEW
[Diagram: Cryptolocker flow. Labels: Bitcoin Ransom Sent, C&C Server, Private Key Sent, Locked Files, Unlocked Files]
Victims??
Infection Level
Top 10 Infected Countries
Case Study- KRIPTOVOR
• It is an Infostealer+Ransomware.
• It was first used to steal cryptocurrency wallets from its victims.
• Then it evolved to include a ransomware component.
• Several victims reported having lost their files.
• It employs several evasion techniques and it even cleans up after itself whether or not it was successful in stealing or encrypting its targets.
• The malware also checks if the victim belongs to specific network segments.
Case Study- KRIPTOVOR
1. Email to Victim
2. The victim opens the email and the attached Word document.
3. The Word document contains an embedded binary file, which the attacker crafted to look like a PDF file.
4. Opening the binary launches a PDF file containing a resume.
Evasion Techniques
The malware performs a series of checks as follows (the order varies depending on the variant):
• Check Internet connection by accessing http://www.adobe.com
• Enumerate processes running on the machine and check them against a list
• Obtain the victim’s machine name and check it against a list.
• Obtain victim’s IP address by going to http://checkip.dyndns.org
• Check registry for certain entries
Infection Vector
The seemingly benign Word document contains an embedded binary file that is MPRESS packed (other variants are UPX packed).
The binary file is digitally signed with the same untrusted certificate that the malware installs onto the victim’s machine later in the process.
Info-stealer Component
Double-clicking on the embedded file (KRIPTOVOR.Infostealer) launches a decoy document.
The KRIPTOVOR.Infostealer quits if it detects that it is running in a virtual environment.
The malware sends an email with the process list and a screenshot of the desktop as an attachment when the running process check passes.
Exit Technique
• If KRIPTOVOR.Infostealer discovers that there is no Internet connection or the system it is running on matches anything on the hard-coded list, it cleans up after itself by deleting the decoy document and files in the victim’s temporary folder, then exits.
• It also checks if it has been run before by looking up the following registry entry: HKCU\Software\Adobe\Installed
• If this key exists with a value of “True,” it goes through the clean up and exits. Otherwise, it places the key value pair in the registry.
Payload Download
• It downloads a file from hxxp://plantsroyal[.]org/css/salomon.rar into the user folder as temporary.rar
• The file is then extracted to the %USERPROFILE% folder.
• As soon as this password-protected RAR file has been extracted, it sets the hidden attribute on the extracted file.
Payload Download
• The extracted file, which is the ransomware component, has the following attributes:
File: AdobeSystem.exe
Size: 1596456
MD5: 00e3b69b18bfad7980c1621256ee10fa
• Then an email with the process list and a screenshot of the desktop is sent to notify the attacker that things have gone well with the victim’s machine.
Ransomware- Sending Files
• After sending an email, it goes through every file on the victim’s computer. It is only interested in files with the following extensions:
Ransomware- Encrypting Files
• KRIPTOVOR also deletes all shadow copies on the machine with the following command. This prevents the victim from restoring the machine to a previous state.
vssadmin.exe Delete Shadows /All /Quiet
• It enumerates the drive letters and is interested in fixed drives and network drives.
• It then scans the drives for the file types below to encrypt and adds a .JUST extension to them.
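The shadow copy deletion above is one of the most reliable things a defender can alert on, because very few legitimate processes ever run it. The following is an added example for this deck (not code from the slides or from any vendor product): it reads constructed process-creation events in a Sysmon-style JSON layout (the field names are an assumption; real collectors differ) and flags the vssadmin command from the slide. As a generalization it also matches the wmic and WMI forms of the same action and the "resize shadowstorage" trick, which are other common ways of destroying restore points.

```python
"""Flag shadow-copy tampering in process-creation logs.

Added example for this deck; not from the original slides or from any vendor
product. Input lines are constructed Sysmon-style process events exported as
JSON (field names are an assumption; real collectors differ).
"""
import json
import re

# The vssadmin form is the one on the slide. The wmic and WMI (PowerShell)
# forms are other ways to remove shadow copies and are included as a
# generalization; resizing shadow storage to a tiny value has the same effect.
SHADOW_TAMPER_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I),
]


def is_shadow_tamper(command_line):
    """True if the command line matches any shadow-copy removal pattern."""
    return any(p.search(command_line) for p in SHADOW_TAMPER_PATTERNS)


def detect(json_lines):
    """Return (parent_image, command_line) for every process event that tampers
    with shadow copies. Lines that are not valid JSON or lack a CommandLine
    field are skipped rather than crashing the pipeline."""
    hits = []
    for raw in json_lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        cmd = event.get("CommandLine")
        if isinstance(cmd, str) and is_shadow_tamper(cmd):
            hits.append((event.get("ParentImage", "?"), cmd))
    return hits


# Constructed sample events: a benign vssadmin query, a Word launch, two
# deletions (one spawned by the dropper name from the slides) and a junk line.
SAMPLE_LOG = [
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "vssadmin.exe list shadows"}',
    r'{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE\" /n resume.docx"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Users\\victim\\AdobeSystem.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic.exe shadowcopy delete"}',
    "not json at all",
]

if __name__ == "__main__":
    for parent, cmd in detect(SAMPLE_LOG):
        print(f"ALERT shadow-copy tampering: {cmd!r} (parent: {parent})")
```

The parent image is reported with each hit because it is what turns a match into an investigation lead: vssadmin launched by a backup agent is expected, vssadmin launched by an executable sitting in a user profile is not.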
Ransomware- Ransom Notes
• It does not have any flashy signs informing the victim that their files have been encrypted.
• It leaves a “MESSAGE.txt” file in every folder that it has traversed including the Desktop and the Startup folders.
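Because this family leaves no splash screen, the quickest host-side triage is to look for the artefacts the slides name: the .JUST extension, a MESSAGE.txt in every traversed folder, and the dropped AdobeSystem.exe with the MD5 shown earlier. The scanner below is an added example for this deck (not the slides' content and not a vendor tool). It walks a directory tree, collects those three indicators and returns a triage verdict. The demo profile it builds is constructed; its dummy executable does not hash to the real sample, so that file is caught by name only.

```python
"""Scan a directory tree for the KRIPTOVOR artefacts named on the slides.

Added example; not from the deck or from any vendor tool. Indicators taken from
the slides: files renamed with a .JUST extension, a MESSAGE.txt note in every
traversed folder, and a dropped AdobeSystem.exe with MD5
00e3b69b18bfad7980c1621256ee10fa. The demo tree built by build_demo_tree() is
constructed; its dummy executable does not hash to the real sample's MD5, so it
is caught by file name only.
"""
import hashlib
import os
import tempfile

KNOWN_BAD_MD5 = {"00e3b69b18bfad7980c1621256ee10fa"}  # AdobeSystem.exe, from the slide
ENCRYPTED_EXT = ".just"
RANSOM_NOTE = "message.txt"
DROPPER_NAME = "adobesystem.exe"


def md5_of(path):
    """MD5 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk root and collect encrypted files, ransom notes and suspect binaries.
    os.walk also lists files carrying the Windows hidden attribute, so the
    dropper's hidden flag does not help it here."""
    findings = {"encrypted": [], "notes": [], "binaries": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(path)
            elif lower == RANSOM_NOTE:
                findings["notes"].append(path)
            elif lower.endswith(".exe") and (lower == DROPPER_NAME or md5_of(path) in KNOWN_BAD_MD5):
                findings["binaries"].append(path)
    return findings


def verdict(findings):
    """Triage label: encryption already happened, only the dropper is present, or clean."""
    if findings["encrypted"] or findings["notes"]:
        return "encrypted"
    if findings["binaries"]:
        return "dropper-present"
    return "clean"


def build_demo_tree():
    """Constructed profile directory resembling a post-infection state."""
    root = tempfile.mkdtemp(prefix="kriptovor-demo-")
    layout = {
        "Documents/report.docx.JUST": b"constructed ciphertext",
        "Documents/MESSAGE.txt": b"constructed ransom note",
        "Desktop/MESSAGE.txt": b"constructed ransom note",
        "Pictures/holiday.jpg": b"constructed untouched file",
        "AdobeSystem.exe": b"MZ constructed, not the real sample",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    found = scan_tree(build_demo_tree())
    print(verdict(found), found)
```

Run it against a user profile or a mounted disk image; a "dropper-present" verdict with no notes or .JUST files means the machine was staged but encryption had not started, which is the window in which isolating the host still saves the data.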
Ransomware- Ransom Notes
• The cost of the decryptor can be obtained by writing an email to: [email protected]
• In the subject line please include your ID:6756193866
• Please do not try to decrypt the files using third-party tools.
• You can completely corrupt them, and even the original decryptor will not help.
• Requests will be accepted until 3/18/2015
• After 3/18/2015 requests will be ignored.
• Emails are handled automatically by the system.
• There may be a delay in responses
Preventive Measures
• Ensure your operating system and security software are regularly updated.
• Consider investing in substantial anti-virus tools, including specialist Cryptolocker prevention kits.
• Don't open attachments from unknown sources or from emails that appear to be from a legitimate source but are suspicious.
• Regularly back up important data and keep it within unconnected storage.
• Consider moving more data to cloud services offered by Google and others.
Preventive Measures
• Businesses should check incident response and resilience protocols to monitor for infection.
• Ensure staff are educated in good computing practices and how to spot threats.
• Use software to identify if a computer is infected. If so, disconnect it from networks immediately and seek professional advice.
• If you believe you have been compromised, change online account passwords and network passwords after removing the system from the network.
• Block .exe files over email, including within ZIP files. This can usually be done using an anti-spam system.
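The last measure is easy to state and easy to get wrong: the check has to look inside archives, and inside archives within archives, or it blocks nothing. The function below is an added example for this deck (not the slides' content and not any anti-spam product's code). It assumes the gateway hands over an attachment's file name and bytes and returns every executable it finds, recursing into ZIP members up to a fixed depth. As a generalization of the slide's ".exe" rule it also blocks other directly runnable extensions, and it flags password-protected archive members it cannot open, since a gateway that cannot inspect content has no basis to let it through (the slide's own payload arrived in a password-protected RAR).

```python
"""Mail-gateway style attachment check: block executables, also inside ZIPs.

Added example for this deck; not from the slides or any anti-spam product.
Assumes the gateway supplies the attachment file name and raw bytes; real
products expose this differently.
"""
import io
import zipfile

# The slide says .exe; the rest are other directly runnable types (generalization).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}
MAX_NESTING = 3              # zip-in-zip-in-zip is enough; deeper nesting is itself suspicious
MAX_MEMBER_BYTES = 50 << 20  # do not inflate oversized members (zip-bomb guard)


def has_blocked_extension(name):
    lower = name.lower()
    return any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def find_blocked(filename, data, depth=0):
    """Return the archive paths of every blocked item inside this attachment.
    An empty list means the attachment may pass."""
    hits = []
    if has_blocked_extension(filename):
        hits.append(filename)
    if depth >= MAX_NESTING:
        return hits
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return hits
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            inner = f"{filename}/{info.filename}"
            if info.flag_bits & 0x1:  # encrypted member: contents cannot be inspected
                hits.append(inner + " (encrypted member, cannot inspect)")
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                hits.append(inner + " (member too large to inspect)")
                continue
            hits.extend(find_blocked(inner, zf.read(info.filename), depth + 1))
    return hits


def build_sample_attachment():
    """Constructed attachment: a ZIP holding a cover note and a nested ZIP that
    carries a double-extension 'resume.pdf.exe' (not a real executable)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("resume.pdf.exe", b"MZ constructed, not a real executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("notes.txt", b"constructed cover note")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path in find_blocked("attachment.zip", build_sample_attachment()):
        print("BLOCK", path)
```

The double extension in the sample is deliberate: "resume.pdf.exe" is exactly the disguise the KRIPTOVOR lure used, and a check that only looks at the outer attachment name or at the first archive level would let it through.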
Any Questions Other Than