How NOT to code your ransomware Liviu Itoaf About Me $ whoami - - PowerPoint PPT Presentation



SLIDE 1

How NOT to code your ransomware Liviu Itoafă

SLIDE 2

About Me

$ whoami

  • Security Researcher @ Kaspersky
  • Hands-on work: coding, reverse engineering, vulnerability research
  • Malware analysis trainings
  • Tags: GTD (Getting Things Done)

SLIDE 3

IS IT REALLY A PROBLEM?

Actually YES! Companies have started to create vaccines for this.

SLIDE 4

Evolution and techniques

  • File scramblers
  • Traditional ransomware
  • Website ransomware – CTB-Locker [1]
  • MacOS – KeRanger [2]
  • MBR cryptors – Petya [3]
  • Mobile ransomware [4]
  • OS: Windows, Android, Linux, FreeBSD, OSX

SLIDE 5

Infection

  • Spam | Malvertising | Exploit kits | Watering hole attacks

https://tpzoo.files.wordpress.com/2013/02/lion-zebra-water-hole.jpg

SLIDE 6

Distribution

  • Partnership programs
  • “Distributors” can sign up as affiliates
    – Get a compiled binary containing the AffiliateID and a public key
    – Can distribute the sample to their own target group
    – Collect 40-70% of the revenues, payable in crypto-currency

SLIDE 7

Defences against analysis

  • Obfuscation
    – Many levels of packing
  • Anti-forensics
    – Self-deletion from disk
    – Erase the key from memory
    – Change the module's timestamps to those of kernel32.dll [1]
  • Anti-AV
    – Evades signature checks by spawning a hollowed explorer.exe (RunPE)

SLIDE 8

Psychological tactics

  • Scaremongering victims
    – Gradually increasing the ransom amount
    – Warnings not to delete any files or run antivirus software ('don't call the police')
    – Message selected based on the victim's country (geolocation)
    – Voice warnings using a text-to-speech engine [1]
  • Gaining buyers' trust
    – SDLC, customer support and bug fixing
    – New features and defences against malware analysts
  • Increasing victims' confidence
    – Decrypts files for free
    – Customer support

SLIDE 9

Close but no cigar...

SLIDE 10

Client side flaw #1 – NO encryption

SLIDE 11

Client side flaw #2 – Weak encryption

SLIDE 12

Client side flaw #3 – OPSEC fails

Recipe

  • Read the source file
  • Create the encrypted version
  • Forget to delete the original files
  • Delete the original files but don't erase them
  • Erase the files but forget about the MFT [1]
  • Erase everything but forget about Shadow Copies [2]
  • Delete everything but forget the encryption key [3]
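The recipe above is a list of ways to leave the original data recoverable. The C program below is an added example, not code from the talk: it builds a constructed in-memory "disk" with a tiny directory table standing in for the MFT and shows the two recovery routes a responder reaches for, undelete from the stale directory entry and signature carving that ignores the directory entirely. The file system model, the file name "invoice.pdf" and the sample PDF content are all made up for the demonstration; the three modes correspond to "delete but don't erase", "erase the data but forget the metadata" and a proper wipe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed teaching model of a disk: a small directory table in front of
 * a flat data area. Not a real file system; it only reproduces the property
 * that matters here: deleting a file drops its directory entry and leaves
 * the data blocks untouched. */
#define DATA_SIZE 4096
#define MAX_FILES 4
#define NAME_LEN 16

struct dir_entry { char name[NAME_LEN]; uint32_t offset; uint32_t size; int in_use; };
struct disk {
    struct dir_entry dir[MAX_FILES];   /* plays the role of the MFT */
    uint8_t data[DATA_SIZE];
    uint32_t next_free;
};

static void disk_init(struct disk *d) { memset(d, 0, sizeof *d); }

/* Store a file in the next free slot; returns its index or -1 if full. */
static int disk_create(struct disk *d, const char *name, const uint8_t *buf, uint32_t n) {
    if (d->next_free + n > DATA_SIZE) return -1;
    for (int i = 0; i < MAX_FILES; i++) {
        if (d->dir[i].in_use) continue;
        size_t l = strlen(name);
        if (l >= NAME_LEN) l = NAME_LEN - 1;
        memcpy(d->dir[i].name, name, l);
        d->dir[i].name[l] = '\0';
        d->dir[i].offset = d->next_free;
        d->dir[i].size = n;
        d->dir[i].in_use = 1;
        memcpy(d->data + d->next_free, buf, n);
        d->next_free += n;
        return i;
    }
    return -1;
}

static int find_entry(const struct disk *d, const char *name, int want_in_use) {
    for (int i = 0; i < MAX_FILES; i++)
        if (d->dir[i].in_use == want_in_use && strcmp(d->dir[i].name, name) == 0) return i;
    return -1;
}

/* "Delete": clear the in-use bit only. Name, offset and size stay in the
 * table and the bytes stay on disk, exactly the mistake the slide lists. */
static int disk_delete(struct disk *d, const char *name) {
    int i = find_entry(d, name, 1);
    if (i < 0) return -1;
    d->dir[i].in_use = 0;
    return 0;
}

/* "Erase": scrub the entry, and optionally overwrite the data as well.
 * Scrubbing the entry but leaving the data is the "forgot to erase" case;
 * doing both is the only variant that actually removes the file. */
static int disk_scrub(struct disk *d, const char *name, int overwrite_data) {
    int i = find_entry(d, name, 1);
    if (i < 0) return -1;
    if (overwrite_data) memset(d->data + d->dir[i].offset, 0, d->dir[i].size);
    memset(&d->dir[i], 0, sizeof d->dir[i]);
    return 0;
}

/* Recovery route 1: the stale entry (an MFT record of a deleted file) still
 * says where the data is. Returns bytes copied, 0 if no usable entry. */
uint32_t undelete(const struct disk *d, const char *name, uint8_t *out, uint32_t cap) {
    int i = find_entry(d, name, 0);
    if (i < 0 || d->dir[i].size > cap) return 0;
    memcpy(out, d->data + d->dir[i].offset, d->dir[i].size);
    return d->dir[i].size;
}

/* Recovery route 2: signature carving. Ignore the directory and scan the raw
 * data area for a known file header. Returns the offset or -1. */
long carve(const struct disk *d, const uint8_t *magic, size_t mlen) {
    for (size_t off = 0; off + mlen <= DATA_SIZE; off++)
        if (memcmp(d->data + off, magic, mlen) == 0) return (long)off;
    return -1;
}

/* mode 0: delete entry only; 1: scrub entry, keep data; 2: overwrite + scrub.
 * Returns 1 if undelete recovers the file, 2 if only carving finds it, 0 if neither. */
int opsec_scenario(int mode) {
    static const uint8_t original[] = "%PDF-1.7 constructed sample document";
    struct disk d;
    uint8_t out[64];
    disk_init(&d);
    disk_create(&d, "invoice.pdf", original, sizeof original);
    if (mode == 0) disk_delete(&d, "invoice.pdf");
    else disk_scrub(&d, "invoice.pdf", mode == 2);
    uint32_t n = undelete(&d, "invoice.pdf", out, sizeof out);
    if (n == sizeof original && memcmp(out, original, n) == 0) return 1;
    if (carve(&d, (const uint8_t *)"%PDF-", 5) >= 0) return 2;
    return 0;
}

int main(void) {
    printf("delete entry only : %d (1 = undelete works)\n", opsec_scenario(0));
    printf("scrub entry only  : %d (2 = carving works)\n", opsec_scenario(1));
    printf("overwrite + scrub : %d (0 = gone)\n", opsec_scenario(2));
    return 0;
}
```

On a real system the same two routes are photorec/testdisk (carving) and the NTFS $MFT parsers in forensic suites (stale records), and the Shadow Copy case on the next line of the recipe is checked with vssadmin list shadows before anything else is touched.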
SLIDE 13

Client side flaw #4 – Compilation „errors“

  • The same ransomware was also compiled for Linux
  • Ransomware family affecting Linux and FreeBSD servers
  • My guess: the attacker took the sources from some Internet forum and Googled how to compile them

SLIDE 14

Client side flaw #5 – Key management

SLIDE 15

SLIDE 16

SLIDE 17

Client side flaw #6

SLIDE 18

Client side flaw #7

SLIDE 19

SLIDE 20

Server side flaw #1

SLIDE 21

Server side flaw #2

It's not more secure than rand(), it's just faster!
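Slide 11 (weak encryption) and the rand() remark above come down to the same mistake: a key derived from a non-cryptographic PRNG is only as strong as its seed. The C program below is an added example written for this page, not code from the talk or from any ransomware family. It assumes a 16-byte key read out of rand() seeded with a 32-bit timestamp, a repeating-key XOR stand-in for the cipher, and a responder who knows the first eight bytes of the file (the PDF header) and roughly when the infection ran; all of these are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 16

/* Key derivation as a careless author writes it: seed the C library PRNG
 * and read the key out of rand(). The key space collapses to the seed
 * space: 32 bits at most, a few thousand values if the seed is the current
 * time and the responder knows roughly when the infection happened. */
static void weak_key_from_seed(uint32_t seed, uint8_t key[KEY_LEN]) {
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xff);
}

/* Stand-in cipher: repeating-key XOR. The cipher is not the weak part; a
 * proper stream cipher keyed from rand() falls exactly the same way. */
static void xor_crypt(const uint8_t key[KEY_LEN], uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        buf[i] ^= key[i % KEY_LEN];
}

/* Responder side: try every seed in [lo, hi], regenerate the key and test
 * whether the start of the file decrypts to the header we expect (known
 * plaintext). Returns 1 and fills key_out on success, 0 otherwise. */
static int recover_key(const uint8_t *ct, const uint8_t *known, size_t klen,
                       uint32_t lo, uint32_t hi, uint8_t key_out[KEY_LEN]) {
    uint8_t key[KEY_LEN], probe[KEY_LEN];
    if (lo > hi) return 0;
    if (klen > KEY_LEN) klen = KEY_LEN;
    for (uint32_t s = lo;; s++) {
        weak_key_from_seed(s, key);
        memcpy(probe, ct, klen);
        xor_crypt(key, probe, klen);
        if (memcmp(probe, known, klen) == 0) {
            memcpy(key_out, key, KEY_LEN);
            return 1;
        }
        if (s == hi) return 0;   /* checked after the test so hi is included */
    }
}

/* Encrypt a constructed document with a key seeded from infection_time,
 * then attack it knowing only the PDF header and a seed window [lo, hi].
 * Returns 1 if the plaintext comes back byte for byte, 0 if not. */
int weak_seed_demo(uint32_t infection_time, uint32_t lo, uint32_t hi) {
    static const uint8_t doc[] = "%PDF-1.7 constructed sample document";
    uint8_t buf[sizeof doc], key[KEY_LEN], found[KEY_LEN];
    memcpy(buf, doc, sizeof doc);
    weak_key_from_seed(infection_time, key);
    xor_crypt(key, buf, sizeof doc);                /* the "ransomware" runs */

    if (!recover_key(buf, (const uint8_t *)"%PDF-1.7", 8, lo, hi, found))
        return 0;
    xor_crypt(found, buf, sizeof doc);              /* decrypt with recovered key */
    return memcmp(buf, doc, sizeof doc) == 0;
}

int main(void) {
    uint32_t now = (uint32_t)time(NULL);
    /* the responder only knows the infection happened within the last hour */
    printf("seed inside window : %s\n",
           weak_seed_demo(now, now - 3600, now) ? "recovered" : "failed");
    printf("seed outside window: %s\n",
           weak_seed_demo(now, now - 7200, now - 3601) ? "recovered" : "failed");
    return 0;
}
```

The window in the demo is 3,600 seeds, so recovery is instant; even a blind sweep of all 2^32 seeds is minutes of CPU. Swapping the XOR for AES keyed the same way changes nothing, because the key space is still the seed space. The fix is a CSPRNG (getrandom(2), BCryptGenRandom, /dev/urandom) for every key and nonce, never rand() or a "faster" library generator.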

SLIDE 22

Server side flaw #3

  • Normal flow: (1) Read data; (2) Init cipher; (3) Decrypt data; (4) Write decrypted data; (5) Update flag
  • Alternative flow: (1), (2), (3), (4) + (1), (2), (3), (4) + ... + (5)
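What the two flows mean in code: the flag update (5) is what is supposed to make a ticket single-use, but because it runs only after the read/decrypt/write cycles, the server does unbounded work before it, and a client that never lets the request reach (5) keeps a fresh ticket. The C below is an added example modelling such an endpoint, not the talk's or any real service's code; the ticket structure, the XOR stand-in cipher, the disconnect model (abort_after) and the three sample files are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a "decrypt one file for free" endpoint. A ticket is
 * meant to be good for exactly one file; 'used' is the flag of step (5). */
struct ticket {
    uint8_t key[8];
    int used;
};

/* Steps (2)+(3): stand-in cipher, repeating-key XOR (encrypt == decrypt). */
static void decrypt_blob(const struct ticket *t, uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++) buf[i] ^= t->key[i % 8];
}

/* Flow as the slide shows it: (1)(2)(3)(4) for every blob the client sent,
 * then (5) once at the end. Two ways to abuse it: stuff many files into one
 * request, or drop the connection before the last one so (5) never runs.
 * abort_after models the client disconnecting after that many blobs (0 = never). */
size_t serve_vulnerable(struct ticket *t, uint8_t **blobs, const size_t *lens,
                        size_t count, size_t abort_after) {
    if (t->used) return 0;
    size_t done = 0;
    for (size_t i = 0; i < count; i++) {
        decrypt_blob(t, blobs[i], lens[i]);   /* (1)(2)(3)(4) */
        done++;
        if (done == abort_after) return done; /* client gone, (5) never reached */
    }
    t->used = 1;                              /* (5) */
    return done;
}

/* Fixed flow: consume the ticket before doing any work, and do exactly one
 * unit of work per ticket. A disconnect afterwards no longer matters. */
size_t serve_fixed(struct ticket *t, uint8_t **blobs, const size_t *lens,
                   size_t count, size_t abort_after) {
    (void)abort_after;
    if (t->used || count == 0) return 0;
    t->used = 1;                              /* (5) first */
    decrypt_blob(t, blobs[0], lens[0]);       /* (1)(2)(3)(4) once */
    return 1;
}

/* Scenario: the attacker holds one ticket and three encrypted files. Request
 * 1 sends all three and hangs up after two, so the flag never flips; request
 * 2 sends all three again. Returns how many files came back as plaintext. */
size_t flow_scenario(int fixed) {
    static const char *plain[3] = { "file one", "file two", "file three" };
    struct ticket t = { { 1, 2, 3, 4, 5, 6, 7, 8 }, 0 };
    uint8_t ct[3][16];
    size_t lens[3];
    for (int i = 0; i < 3; i++) {
        lens[i] = strlen(plain[i]);
        memcpy(ct[i], plain[i], lens[i]);
        decrypt_blob(&t, ct[i], lens[i]);     /* produce the "victim's" ciphertext */
    }
    size_t recovered = 0;
    size_t aborts[2] = { 2, 0 };
    for (int req = 0; req < 2; req++) {
        uint8_t work[3][16];
        uint8_t *blobs[3];
        for (int i = 0; i < 3; i++) { memcpy(work[i], ct[i], lens[i]); blobs[i] = work[i]; }
        size_t n = fixed ? serve_fixed(&t, blobs, lens, 3, aborts[req])
                         : serve_vulnerable(&t, blobs, lens, 3, aborts[req]);
        for (size_t i = 0; i < n; i++)
            if (memcmp(work[i], plain[i], lens[i]) == 0) recovered++;
    }
    return recovered;
}

int main(void) {
    printf("vulnerable flow: %zu files decrypted from one ticket\n", flow_scenario(0));
    printf("fixed flow     : %zu files decrypted from one ticket\n", flow_scenario(1));
    return 0;
}
```

The vulnerable handler returns five decryptions from a single ticket (two before the hang-up, three more on the retry), the fixed one returns one. In a real service the "consume first" step has to be atomic against concurrent requests as well, for example an UPDATE ... WHERE used = 0 that must report exactly one affected row before any decryption is done.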
SLIDE 23

Server side flaw #4

SLIDE 24

Summary

  • Crypto is HARD
  • OPSEC
  • Don't rush to get the bitcoins
  • Don't trust everything
  • Always backup
  • User education
  • Defence in depth