21
Ransomware
Ransomware
2
Speaker
● Kin (Sam) Wong, CEHv9
● Worked in
Public and Private Sectors
● Ethical Hacking w/ AI
3
Learn
● Ransomware
– Who
– What
– Where
– When
– Why
– How
4
Ransomware(NOUN)
● “A type of malicious software designed to block access to a computer system until a sum of money is paid.”
– https://en.oxforddictionaries.com/defnition/ransomware
5
Ransomware - When
2017 - WannaCry
Symmetric
Asymmetric
6
Ransomware - Who
HACKER
Business
VICTIMS
Medical
Home
.Gov
Hacker Wannabe
7
Ransomware - WhatFootprint
DesignMalware
Send to Victims
Exploit System(Max $$$)
Lock System
Pay-Per-view(Public Key)
8
Ransomware Algorithm
● Symmetric Key– One-time pad (Encrypt Data)
● Asymmetric Keys – Public Key (Encrypt One-time pads)– Private Key (Decrypt Public Key List)
STARTEND
LOCK FILE w/ OTP
LOCK OTP w/ Public-K
Unlock Public-K w/Private-K
9
Ransomware Source Code
10
Ransomware - Where
Exploit
Phishing E-MAIL
Download
11
Phishing Email
PLZ Sign in?
OK
Got U,$%&#!
HACKER
HACKER
USER
12
Exploit
● Exploit– Hack the Web Browser (Entry Point)
● Bufer/Heap Overfow● Web Application Injection
● Privilege Escalation– Weak File Privilege– Entered → Run Exploit →
Get Root → Domain Admin
CEO
HACKERUSER
13
Advanced Exploit
● Jackpot– Obtains Domain Admin privilege then
infects all enterprise computers. ● Saudi Arabia State Oil Company (Cover-Up)
– Malfunction Oil Grids = Oil Price (>$80)– Record Deleted = Free Oil (Millions $$$)
14
DownloadStep 1
Step 2
Step 3
Download
15
Ransomware - Why
FTP
SICK
GF
16
Ransomware - How
● Bitcoin(Entry) → Shapshift.IO(Money Laundering)*7X(TOR) → Bitcoin(Exit)
● Bitcoin(Ransom) → Etherum(Silkroad) →Litecoin(Blackdeath) → Monero(Childporn) → Bitcoin(Clean Money???) → Cash (Exit)
● Math– Fee (5%)– 7*5% = 35% commission
LESS IS MORE?? FACE ↔ FACE
7X
VPN
17
Easy Ransomware Prevention
● Antivirus (Best Practice?)– Drive-by Download– Embedded In Pirate Software
● Patch Management/Exploit Mitigation– Web Browser Exploit– System Exploit (Priv.Esc.)
● Training– Phishing Email / Weak Password
18
Bypass AV
● Compiler (Maybe)– VS .NET(C#), VSCC and GCC(C and C++)
● Interpreter (Maybe)– Powershell,Ruby,Python,Perl,Java,NodeJS
● More Tricks– 7-ZIP(SFX) +UPX (Packer)
“Our AV does not cover all assembly types” -AV Sales Guy
19
Windows AppLocker
https://youtu.be/Z2-Sjw9UYdUHow to Confgure Applocker in Windows Server 2012 R2
20
BackupRecovery
CLOUD
OFFSITE
INTERNAL
21
Bye Bye
● Questions/Comments● Contact
– Email: [email protected]– Text: 646.461.0067
Ethical Hacker
