how not to code your ransomware liviu itoaf
play

How NOT to code your ransomware Liviu Itoaf About Me $ whoami - PowerPoint PPT Presentation

Feb 14, 2023 •143 likes •392 views

How NOT to code your ransomware Liviu Itoaf About Me $ whoami Security Researcher @ Kaspersky Hands-on work: coding, reverse engineering, vulnerability research Malware analysis trainings T ags: GTD (Getting Things

  1. How NOT to code your ransomware Liviu Itoafă

  2. About Me $ whoami • Security Researcher @ Kaspersky • Hands-on work: coding, reverse engineering, vulnerability research • Malware analysis trainings • T ags: GTD (Getting Things Done)

  3. IS IT REALLY A PROBLEM? Actually YES! Comapnies started to create vaccines for this.

  4. Evolution and techniques • File scramblers, • Traditional ransomware Websites ransomware – CTB-Locker 1 • MacOS - KeRanger 2 • • MBR cryptors - Petya 3 • Mobile ransomware 4 • OS: Windows, Android, Linux, FreeBSD, OSX

  5. Infection • Spam | Malvertising | Exploit kits | Watering hole attacks https://tpzoo.fjles.wordpress.com/2013/02/lion-zebra-water-hole.jpg

  6. Distribution • Partnership programs • “Distributors” can sign up as affjliates – Get a compiled binary containing the AffjliateID and a public key – Can distribute sample to their own target group – Collect 40-70% of the revenues, payable in crypto-currency

  7. Defences against analysis • Obfuscations – Many levels of packing • Anti-forensics – Self-deletion from disk – Erase key from memory – Change time of the module to that of the kernel32.dll 1 • Anti-AV – Tricks signature checks by spawning hollowed explorer.exe (RunPE)

  8. Psychological tactics • Scaremongering victims – Gradually increasing the ransom amount – Warnings to not delete any fjles or run antivirus software ('don't call the police') – Message selected based on victim's country info (geolocation) – Voice warnings using text-to-speach emulator 1 • Gaining buyers' trust – SDLC, customer support and bug fjxing – New features and defenses against malware analysts • Increasing victims' confjdence – Decrypts fjles free – Customer support

  9. Close but no cigar...

  10. Client side fm Client side fm fmaw #1 fmaw #1 – NO encryption

  11. Client side fm Client side fm fmaw #2 fmaw #2 - Weak encryption

  12. Client side fm fmaw #3 – OPSEC fails Recipe Read the source fjle ● Create encrypted version ● Forget to delete the original fjles ● Delete original fjles but not erase them ● Erase the fjles but forget about MFT 1 ● Erase everything but forget about Shodow Copies 2 ● Delete everything but forget the encryption key 3 ●

  13. Client side fm Client side fm fmaw #4 fmaw #4 – Compilation „errors“ • Same ransomware was compiled also for Linux Ransomware family afgecting Linux and FreeBSD servers • My guess: The attacker took the sources from some Internet forum • and Google'ed how to compile them

  14. Client side fm Client side fm fmaw #5 fmaw #5 – Key management

  17. Client side fm fmaw #6

  18. Client side fm fmaw #7

  20. Server side fm fmaw #1

  21. Server side fm fmaw #2 It's not more secure than rand(), it's just faster!

  22. Server side fm fmaw #3 Normal fmow: (1) Read data; (2) Init chipher; (3) Decrypt data; (4) • Write decrypted data; (5) Update fmag • Alterative fmow: (1), (2), (3), (4) + (1), (2), (3), (4) + ...+ (5)

  23. Server side fm fmaw #4

  24. Summary • Crypto is HARD • OPSEC • Don't rush to get the bitcoins • Don't trust everything • Always backup • User education • In-depth protection

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Locky Strike: Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts, FortiGuard Lion Team September 1, 2017 1 Cryptowall 2 This one? 3 Prevalence: Global ransomware Global Ransomware IPS Hits - February

647 views • 49 slides
1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

Geoff Hale 1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad actors, both criminal enterprises and nation-states have made use of ransomware. What: Ransomware is a type of malware that encrypts

358 views • 6 slides
Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

X by Invincea Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more sophisticated, and shifting to an enterprise threat Ransomware Nightmares X by Invincea To Pay Or Not To Pay? X by Invincea Your money or

780 views • 23 slides
On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele Lenzini, and Daniele Sgandurra June 20, 2019 Ransomware Threat 1 Ransomware Threat 1 Deception-Based Anti-Ransomware In the context of ransomware,

507 views • 22 slides
Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN KHARRAZ NICHOLAS BURTON ENGIN KIRDA What is Ransomware? What is Ransomware? u Ransomware is malicious software that encrypts user data, and

718 views • 33 slides
Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new attacker entrants, lower cost through kit automation, etc.) Take consumer and enterprise digital assets hostage using high- strength encryption

365 views • 18 slides
Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of Ransomware Technology Perspective and Attacked Devices Ransomware Economy Security Conditions Biomorphic Perimeterisation How to generate a

860 views • 61 slides
Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users files unless a ransom is paid.

517 views • 30 slides
Advances in Liviu Klein MD, MS Pharmacotherapy in Associate Professor Heart Failure with

Advances in Liviu Klein MD, MS Pharmacotherapy in Associate Professor Heart Failure with

12/18/15 Advances in Liviu Klein MD, MS Pharmacotherapy in Associate Professor Heart Failure with Director, Mechanical Circulatory Support and Reduced Ejection Heart Failure Device Programs Fraction Liviu.Klein@ucsf.edu Financial

376 views • 18 slides
Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy Bennett 2019 Cybersecurity Awareness Month Event October 22, 2019 2019 Texas Headlines Ransomware Ransomware Cyber criminals holding your data and

450 views • 23 slides
Value of Continuous Liviu Klein MD, MS Monitoring of Associate Professor Pulmonary Artery

Value of Continuous Liviu Klein MD, MS Monitoring of Associate Professor Pulmonary Artery

12/18/15 Value of Continuous Liviu Klein MD, MS Monitoring of Associate Professor Pulmonary Artery Director, Mechanical Circulatory Support and Pressures in Heart Heart Failure Device Programs Failure Liviu.Klein@ucsf.edu Financial

757 views • 21 slides
How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How Healthcare IT Differs From General IT Agenda The Growing Threat of Ransomware What You Can Do Today To Protect Your Business How Healthcare IT

440 views • 32 slides
OpenSIPS - an event-driven SIP routing engine Liviu Chircu - 4th Feb 2017 - Outline

OpenSIPS - an event-driven SIP routing engine Liviu Chircu - 4th Feb 2017 - Outline

OpenSIPS - an event-driven SIP routing engine Liviu Chircu - 4th Feb 2017 - Outline Architecture timeline Event subscribe-notify Usage scenarios OpenSIPS scripts Conclusions Liviu Chircu - OpenSIPS Project -

514 views • 27 slides
Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin Kirill Levchenko, Alex C. Snoeren, Damon McCoy Ransomware causes financial damages

798 views • 54 slides
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko https://arstechnica.com/information-technology/2012/11/mushrooming-growth-of-ransomware- extorts-5-million-a-year/

298 views • 13 slides
to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu

to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu

FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi Encryption Ransomware Is Becoming More Aggressive May 12,

772 views • 75 slides
RSE 2.0 RSE 2.0 Mark Woodbridge, Imperial College London deRSE19 Potsdam 6 June 2019

RSE 2.0 RSE 2.0 Mark Woodbridge, Imperial College London deRSE19 Potsdam 6 June 2019

RSE 2.0 RSE 2.0 Mark Woodbridge, Imperial College London deRSE19 Potsdam 6 June 2019 INTRODUCTION INTRODUCTION I lead the RSE team at Imperial College London I have previously been a Computer Scientist, soware engineer and

1.3k views • 98 slides
Verification Based on Unfoldings of Petri Nets with Read Arcs C esar Rodr guez PhD

Verification Based on Unfoldings of Petri Nets with Read Arcs C esar Rodr guez PhD

Verification Based on Unfoldings of Petri Nets with Read Arcs C esar Rodr guez PhD Thesis defense Ecole Normale Sup erieure de Cachan LSV EDSP December 12, 2013 Concurrent and Distributed Systems System are today increasingly

1.3k views • 106 slides
XSLT Web Data Management and Distribution Serge Abiteboul Ioana Manolescu Philippe Rigaux

XSLT Web Data Management and Distribution Serge Abiteboul Ioana Manolescu Philippe Rigaux

XSLT Web Data Management and Distribution Serge Abiteboul Ioana Manolescu Philippe Rigaux Marie-Christine Rousset Pierre Senellart Web Data Management and Distribution http://webdam.inria.fr/textbook March 20, 2013 WebDam (INRIA) XSLT

295 views • 29 slides
Making the Pitch: NBC Asian America Media Training May 10, 2016 HOUSEKEEPING | 2

Making the Pitch: NBC Asian America Media Training May 10, 2016 HOUSEKEEPING | 2

Making the Pitch: NBC Asian America Media Training May 10, 2016 HOUSEKEEPING | 2 Making the Pitch: NBC Asian America AAPCHO Member-Only Media Training SUBMITTING QUESTIONS If you have any questions, please click the

346 views • 15 slides
and their impact on research led teaching in Classics. Simon Mahony (University College London)

and their impact on research led teaching in Classics. Simon Mahony (University College London)

Open Education, Open Educational Resources, and their impact on research led teaching in Classics. Simon Mahony (University College London) s.mahony@ucl.ac.uk With thanks and acknowledgements to Ulrich Tiedau (University College London)

772 views • 73 slides
Relevant Persons of Northern Ireland and the EU Settlement Scheme Statement of changes in

Relevant Persons of Northern Ireland and the EU Settlement Scheme Statement of changes in

Relevant Persons of Northern Ireland and the EU Settlement Scheme Statement of changes in Immigration Rules CP232 14/05/20 On the 24th August 2020, Appendix EU of the immigration rules will change to allow a relevant person of

653 views • 11 slides
Labour market integration in Ireland: migration channels, ethnicity and Irish citizenship DATE

Labour market integration in Ireland: migration channels, ethnicity and Irish citizenship DATE

Labour market integration in Ireland: migration channels, ethnicity and Irish citizenship DATE Friday 19 th of September 2020 EVENT Conference talk AUTHORS Fran McGinnity Ivan Privalko amonn Fahey Shannen Enright www.esri.ie

784 views • 14 slides
State of Reliability Report Preview of Key Findings Mark Lauby, Senior Vice President and Chief

State of Reliability Report Preview of Key Findings Mark Lauby, Senior Vice President and Chief

State of Reliability Report Preview of Key Findings Mark Lauby, Senior Vice President and Chief Reliability Officer Summary of Key Findings Excluding weather, the bulk-power system (BPS) remains within Adequate Level of Reliability (ALR)

384 views • 9 slides

More recommend