Ransomware By Sahil Khan

Null Bhopal Meet October 2016

Ransomware• What is Ransomware?• History..• How does Ransomware Operate?• What can you do about it?• Types of Ransomware• Famous Ransomware• Create Your Own Ransomware• Ransomware Weekend Highlight

Google Trends on Ransomware

What is Ransomware?• Ransomware is a type of malware which is widely

classified as a Trojan.

• It restricts access to or damages the computer for the purpose of extorting money from the victim.

• It also has the capability to encrypt a user’s files, display different threat messages, and force the user to pay ransom via an online payment system.

History...The first known ransomware was the 1989 "AIDS" trojan (also known as "PC Cyborg") written by Joseph Popp.

How does a Ransomware operate?

• Ransomware typically propagates as a Trojan like a conventional computer worm entering a system through; for example, a downloaded file or a vulnerability in a network service.

• Encrypt personal files on the hard drive.

• Locks the computer display and does not allow the user to access any programs.

What can you do about It???

On the one hand, ransomware can be extremely scary – the encrypted files can essentially be considered

damaged and beyond repair. But if you have properly prepared your system, it is really nothing more than a

nuisance.

There are a few things that you can do to keep ransomware from wrecking your day.

Back up your dataThe single most important thing you can do to prepare for emergencies,

including being affected by ransomware, is to have regularly updated backups. Many ransomware variants will encrypt files on drives that are

mapped.

This includes any external drives such as a USB thumb drive, as well as any network or cloud file stores to which you have assigned a drive letter. So your backup needs to be on an external drive or backup service that is

disconnected from your devices and network when not in use, and secured both physically and digitally.

Keep your Software Updated

Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to get onto systems unobserved. It can

significantly decrease the potential for malware infection if you make a practice of updating your software often. Enable automatic updates if you can, update

through the software’s internal update process, or go directly to the software vendor’s website.

Malware authors sometimes disguise their creations as software update notifications, so by going to well-known and good software repositories you can increase the odds of getting clean, vetted updates. On Windows, you may wish to double-check that old – and potentially vulnerable – versions of the software

are removed by looking in Add/Remove Software within the Control Panel.

Use a Reputable Security Suite

It is always a good idea to have both anti-malware software and a software firewall to help you identify threats or suspicious behavior. Malware authors

frequently update their creations to try to avoid detection, so it is important to have both these layers of protection. If you run across a ransomware variant that

is so new that it gets past anti-malware software, it might still be caught by a firewall when it attempts to connect with its Command and Control (C&C) server

to receive instructions for encrypting your files.

The next few tips are to help you deal with the methods that current ransomware variants have been using – these tips may not help in every case, but they are

inexpensive and minimally intrusive ways to cut off access routes used by a variety of malware families.

Show Hidden File Extension

One popular method malware uses to appear innocent is to name files with double extensions, such as “.PDF.EXE”. By

default, Windows and OSX hide known file extensions; malware takes advantage of this behavior to make a file

appear to be one that would commonly be exchanged. If you enable the ability to see the full file-extension, it can be

easier to spot suspicious file types.

Filter exe in EmailIf your gateway mail scanner has the ability to filter files by extension, you may want to deny mails that arrive with “.EXE” files, or to deny mails sent with files that have two file extensions, the last one being executable (For example, “Filename.PDF.EXE”). If you do legitimately need to exchange

executable files within your environment and are denying emails with “.EXE” files, you can send them within ZIP files or via cloud services.

Sending in ZIP files can also give you an extra layer of assurance, as it allows you to choose an official, universal password for use within your household or company, which can help you identify unofficial files that

don’t use your agreed-upon password.

Disable RDP

Ransomware sometimes accesses machines by using Remote Desktop Protocol (RDP), which is a Windows utility that allows others to access your desktop remotely. If you do not need use RDP in your environment, you can disable it to protect your machines. For instructions on how to do so, visit the appropriate Microsoft Knowledge Base article.

Check to see if decrypter is available

Sometimes malware authors make mistakes and decryptors can be created. Other times, malware authors feel remorse

for their actions or stop development on a particular ransomware family, and then release a decryption key. It’s worth a quick internet search to see if the solution to your

problem is available for free, from a reputable source.

Use System RestoreSometimes malware authors make mistakes and decryptors can be created. Other times, malware authors feel remorse

for their actions or stop development on a particular ransomware family, and then release a decryption key. It’s worth a quick internet search to see if the solution to your

problem is available for free, from a reputable source.

Use System RestoreSometimes malware authors make mistakes and decryptors can be created. Other times, malware authors feel remorse

for their actions or stop development on a particular ransomware family, and then release a decryption key. It’s worth a quick internet search to see if the solution to your

problem is available for free, from a reputable source.

Set BIOS Clock backSome ransomware variants have a payment timer that

increases the price for your decryption key after a set time. You may be able to give yourself additional time by setting

the BIOS clock back to a time before the deadline window is up.

Types Of Ransomware

Locker Ransomware – Denies access to computer or device. Crypto Ransomware – Prevents access to files or Data

Famous Ransomware

• Reveton

• CryptoLocker

• CryptoLocker.F and TorrentLocker

Reveton In 2012, a major ransomware worm known as Reveton began to spread. It is also known as "police trojan". Its payload displays a warning from a law enforcement agency. Claiming that the computer had been used for illegal activities, such as

downloading pirated software, promoting terrorism, copyright etc. The warning informs the user that to unlock their system they would

have to pay a fine. To increase the illusion that the computer is being tracked by law

enforcement, the screen also displays the computer's IP address and footage from a computer's webcam.

CryptoLocker A Encrypting ransomware reappeared in 2013. Distributed either as an attachment to a malicious e-mail. Cryptolocker was also propagated using the Gameover ZeuS. Encrypts certain types of files stored on local drives using RSA public-key

cryptography. The private key stored only on the malware's control servers. Offers to decrypt the data if a payment is made by a stated deadline. Threatens to delete the private key if the deadline passes. It was isolated in May 2014,when a Gameover botnet was knocked out.

Tox Free Ransomware Toolkit

Continue……. 'Tox' Offers Free build-your-own Ransomware Malware Toolkit. Tox is completely free to use. One dark web hacker has released this for anyone to download

and set up their own ransomware for free. Tox, which runs on TOR, requires not much technical skills to use. It is designed in such a way that almost anyone can easily deploy

ransomware in three simple steps.

Continue……. 'Tox' Offers Free build-your-own Ransomware Malware Toolkit. Tox is completely free to use. One dark web hacker has released this for anyone to download

and set up their own ransomware for free. Tox, which runs on TOR, requires not much technical skills to use. It is designed in such a way that almost anyone can easily deploy

ransomware in three simple steps.

Make your own RansomwareOnce a user register with the site, follow these three simple steps to creating your own malware:Type a desired ransom amount you want to ask victims for.Provide an additional note in the "Cause", the message that will alert victims that they are being held hostage to a piece of malware.Finally, you are prompted to fill out a captcha, and click "Create".

"This process creates an executable of about 2MB that is disguised as a .scr file. Then the Tox [users] distribute and install as they see fit. The Tox site (runs on the TOR network) will track the installs and profit. To withdraw funds, you need only supply a receiving Bitcoin address.“

- McAfee explains..

Ransomware Weekend Highlights• Kostya Ransomware targets Czech Victims• A new in-the-wild ransomware was discovered by security researcher Jack• The Comrade Circle Ransomware uses a fake Windows Update Screen while

Encrypting• New variant of the Enigma Ransomware was Released• EvilTwin's Exotic Ransomware targets Executable Files• Decryptor for Version 2 of the DXXD Ransomware is Available• New variant of the Nuke Ransomware uses the .nuclear55 Extension• Cisco's Talos Group releases the LockyDump Tool for Researchers

Thank You…….