
Smoking the Locky Ransomware Code, by Floser Bacurio Jr and Rommel Joven (PowerPoint PPT presentation)



  1. Locky Strike: Smoking the Locky Ransomware Code. Floser Bacurio Jr and Rommel Joven, Anti-Virus Analysts, FortiGuard Lion Team. September 1, 2017

  2. Cryptowall

  3. This one?

  4. Prevalence: Global ransomware. Chart: Global Ransomware IPS Hits, February 19 to September 15, 2016: CryptoWall 45.53%, Locky 45.13%, Cerber 8.93%, TorrentLocker 0.35%, CryptXXX 0.06%

  5. Prevalence: Top countries. Chart: Locky Ransomware IPS Hits (“Locky-est”), February 19 to September 15, 2016. Total hits: 36,314,789. US 11,858,085; FR 6,959,892; JP 3,071,596; KW 2,732,454; TW 1,338,216; AR 970,339; CL 890,784; PR 709,372; IT 556,602; IL 540,992

  6. Prevalence: Affiliate program. The following is a list of affiliate methods that have been observed (affid: method):
     • 1: Spam email containing an attached JavaScript, MS Office macro downloader or Windows Script File
     • 3: Spam email containing an attached JavaScript or Microsoft Office macro downloader
     • 5: Spam email containing an attached JavaScript downloader
     • 13: Compromised sites that redirect to the Nuclear or Neutrino Exploit Kit
     • 15: Spam email containing an attached JavaScript or HTA downloader

  7. Locky Developments

  8. Timeline of Developments: 2016

  9. Timeline of Developments: 2016
     • No packer
     • “Locky” registry key
     • Configuration: { AffiliateID; ccservers; }

  10. Timeline of Developments: 2016
     • Packed
     • Registry key based on VolumeGUID
     • Configuration (encrypted): { AffiliateID; DGASeed; delaySeconds; FakeSvchost; Persistence; IgnoreRussian; ccServers; }

  11. Timeline of Developments: 2016
     • Encrypted HTTP communication
     • Configuration: { AffiliateID; DGASeed; delaySeconds; FakeSvchost; Persistence; IgnoreRussian; urlPath; ccServers; }

  12. Timeline of Developments: 2016
     • New URI used
     • Encrypted HTTP POST data is now encoded using percent encoding

  13. Timeline of Developments: 2016
     • Requires an argument (e.g. “123”, “321”)

  14. Timeline of Developments: 2016

  15. Timeline of Developments: 2016
     • Offline mode encryption

  16. Timeline of Developments: 2016

  17. Timeline of Developments: 2016

  18. Technical Analysis

  19. Configuration (annotated dump): Autorun: 01; Skip: 00; Drop svchost.exe: 01; Check RU: 01; Skip: 00; Skip: 00; Delay (Sleep); C&C offset; DGA Seed; Affiliate ID

  20. Configuration (annotated dump: the C&Cs and the URI for its C&C). URIs:
     • main.php
     • /upload/_dispatch.php
     • submit.php
     • /php/upload.php
     • userinfo.php
     • /data/info.php
     • access.cgi
     • /apache_handler.php

  21. Configuration

  22. Configuration: Offline. Online mode compared with offline mode: in offline mode there is no C&C offset, no DGA seed, and no C&Cs and URI

  23. Configuration: Offline
     • Offline mode
     • Embedded public RSA key

  24. Configuration: Offline
     • Embedded ransom text
     • Embedded HTML ransom text

  25. Victim ID: Online. Locky creates a victim ID to identify unique systems. The victim ID is created from the following information:
     • Volume GUID of the Windows directory
     • MD5 hash of the GUID value
     e.g. victim_ID = 4DF383039AB03953

  26. Victim ID: Offline. The victim ID is created from the following information:
     • GUID of the Windows directory
     • Default UI language
     • OS version
     • Domain controller
     • Affiliate ID from the configuration
     • Public key ID from the configuration
     It is encoded using a hard-coded 32-character value: “YBNDRFG8EJKMCPQX0T1UWISZA345H769”. e.g. victim_ID = IZ8FDGTNEN85I7JZ

  27. C&C Communication

  28. Communication Protocol: C&C (flowchart): Start; connect to hardcoded IP; YES: HTTP POST request; NO: use DGA to connect to C&C

  29. Communication Protocol: Data. Format: key=value; uses & as its delimiter.
     id=4DF383039AB03953&act=getkey&affid=5&lang=en&corp=0=&serv=0&os=Windows+XP&sp=3&x64=0

  30. Communication Protocol: Data (annotated). Format: key=value; uses & as its delimiter.
     id=4DF383039AB03953&act=getkey&affid=5&lang=en&corp=0=&serv=0&os=Windows+XP&sp=3&x64=0
     • id: Victim ID
     • act: getkey, gettext, gethtml, stats
     • affid: Affiliate ID
     • lang: Language
     • corp: 0: not member of a domain; 1: member of a domain; 2: primary domain controller
     • serv: 0: not server; 1: server
     • os: Operating System
     • sp: Service Pack
     • x64 (Architecture): 0: x86; 1: x64

  31. Communication Protocol: HTTP request (screenshot of the Victim / C&C exchange)
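An added example (not from the presentation) that decodes a beacon body of the format shown in slides 29 and 30 using the slide's field legend, as a defender would when triaging captured POST bodies. The sample body is constructed to follow the slide's layout (`corp` written as a plain `0`), and the role tables and function names are this example's own:

```python
from urllib.parse import parse_qsl

# Legend for the coded fields, as annotated on slide 30
DOMAIN_ROLE = {"0": "not a domain member", "1": "domain member", "2": "primary domain controller"}
SYSTEM_ROLE = {"0": "workstation", "1": "server"}
ARCH = {"0": "x86", "1": "x64"}
ACTIONS = {"getkey", "gettext", "gethtml", "stats"}
REQUIRED = {"id", "act", "affid"}

# Constructed sample body following the slide's format (not a real capture)
SAMPLE_BODY = ("id=4DF383039AB03953&act=getkey&affid=5&lang=en&corp=0"
               "&serv=0&os=Windows+XP&sp=3&x64=0")


def is_locky_beacon(body: str) -> bool:
    """Structural check for captured POST bodies: required keys present,
    a known 'act' value, a numeric affid and a 16-character alphanumeric id."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    if not REQUIRED.issubset(fields):
        return False
    vid = fields["id"]
    return (fields["act"] in ACTIONS and len(vid) == 16 and vid.isalnum()
            and fields["affid"].isdigit())


def parse_locky_beacon(body: str) -> dict:
    """Decode the key=value&... body into labelled fields using the legend."""
    if not is_locky_beacon(body):
        raise ValueError("body does not match the Locky beacon format")
    f = dict(parse_qsl(body, keep_blank_values=True))  # '+' is decoded to ' '
    return {
        "victim_id": f["id"],
        "action": f["act"],
        "affiliate_id": int(f["affid"]),
        "language": f.get("lang"),
        "domain_role": DOMAIN_ROLE.get(f.get("corp"), "unknown"),
        "system_role": SYSTEM_ROLE.get(f.get("serv"), "unknown"),
        "os": f.get("os"),
        "service_pack": f.get("sp"),
        "arch": ARCH.get(f.get("x64"), "unknown"),
    }


if __name__ == "__main__":
    for key, value in parse_locky_beacon(SAMPLE_BODY).items():
        print(f"{key:>13}: {value}")
```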

  32. File Encryption

  33. File Encryption: Targeted drives
     • Drive_Removable
     • Drive_Fixed
     • Drive_Remote
     • Drive_Ramdisk

  34. File Encryption: Targeted extensions. Total of 194 file extensions: .n64, .m4a, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .qcow2, .vdi, .vmdk, .vmx, .wallet, .upk, .sav, .re4, .ltx, .litesql, .litemod, .lbf, .iwi, .forge, .das, .d3dbsp, .bsa, .bik, .asset, .apk, .gpg, .aes, .ARC, .PAQ, .tar, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .sh, .class, .jar, .java, .rb, .asp, .cs, .brd, .sch, .dch, .dip, .pl, .vbs, .vb, .js, .h, .asm, .pas, .cpp, .c, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .db, .mdb, .sql, .SQLITEDB, .SQLITE3, .011, .010, .009, .008, .007, .006, .005, .004, .003, .002, .001, .pst, .onetoc2, .asc, .lay6, .lay, .ms11 (Security copy), .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wb2, .123, .wks, .wk1, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .602, .dotm, .dotx, .docm, .docx, .DOT, .3dm, .max, .3ds, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .p12, .csr, .crt, .key, wallet.dat

  35. File Encryption: Targeted extensions. From 194 to 460 file extensions: .yuv, .qbx, .ndd, .exf, .cdr4, .vmsd, .dat, .indd, .pspimage, .obj, .ycbcra, .qbw, .mrw, .erf, .cdr3, .vhdx, .cmt, .iif, .ps, .mlb, .xis, .qbr, .moneywell, .erbsql, .bpw, .vhd, .bin, .fpx, .pct, .md, .x3f, .qba, .mny, .eml, .bgt, .vbox, .aiff, .fff, .pcd, .mbx, .x11, .py, .mmw, .dxg, .bdb, .stm, .xlk, .fdb, .m4v, .lit, .wpd, .psafe3, .mfw, .drf, .bay, .st7, .wad, .dtd, .m, .laccdb, .tex, .plc, .mef, .dng, .bank, .rvt, .tlg, .design, .fxg, .kwm, .sxg, .plus_muhd, .mdc, .dgc, .backupdb, .qcow, .st6, .ddd, .flac, .idx, .stx, .pdd, .lua, .des, .backup, .qed, .st4, .dcr, .eps, .html, .st8, .p7c, .kpdx, .der, .back, .pif, .say, .dac, .dxb, .flf, .st5, .p7b, .kdc, .ddrw, .awg, .pdb, .sas7bdat, .cr2, .drw, .dxf, .srw, .oth, .kdbx, .ddoc, .apj, .pab, .qbm, .cdx, .db3, .dwg, .srf, .orf, .kc2, .dcs, .ait, .ost, .qbb, .cdf, .cpi, .dds, .sr2, .odm, .jpe, .dc2, .agdl, .ogg, .ptx, .blend, .cls, .css, .sqlite, .odf, .incpas, .db_journal, .ads, .nvram, .pfx, .bkp, .cdr, .config, .sdf, .nyf, .iiq, .csl, .adb, .ndf, .pef, .al, .arw, .cfg, .sda, .nxl, .ibz, .csh, .acr, .m4p, .pat, .adp, .ai, .cer, .sd0, .nx2, .ibank, .crw, .ach, .m2ts, .oil, .act, .aac, .asx, .s3db, .nwb, .hbk, .craw, .accdt, .log, .odc, .xlr, .thm, .aspx, .rwz, .ns4, .gry, .cib, .accdr, .hpp, .nsh, .xlam, .srt, .aoi, .rwl, .ns3, .grey, .ce2, .accde, .hdd, .nsg, .xla, .save, .accdb, .rdb, .ns2, .gray, .ce1, .ab4, .groups, .nsf, .wps, .safe, .7zip, .rat, .nrw, .fhd, .cdrw, .3pr, .flvv, .nsd, .tga, .rm, .1cd, .raf, .nop, .fh, .cdr6, .3fr, .edb, .nd, .rw2, .pwm, .wab, .qby, .nk2, .ffd, .cdr5, .vmxf, .dit, .mos, .r3d, .pages, .prf, .oab, .msg, .mapimail, .jnt, .dbx, .contact

  36. File Encryption: Algorithm. Encryption used:
     • Uses both RSA and AES algorithms
     • The AES-128 key is randomly generated for each file
     • The AES-128 key is used to encrypt the file and its filename
     • After encryption, the AES-128 key is encrypted with RSA-2048

  37. File Encryption: Filename. Format of filenames of encrypted files:
     • 4DF383039AB03953D81660EB4CADC28D.locky (Victim ID: 4DF383039AB03953; File ID: D81660EB4CADC28D)

  38. File Encryption: Filename. Format of filenames of encrypted files:
     • 4DF383039AB03953D81660EB4CADC28D.locky (Victim ID: 4DF383039AB03953; File ID: D81660EB4CADC28D)
     • 0X3U7IYC-IA09-CQ94-D26F-CFA67B8E895D.zepto (Victim ID: 0X3U7IYC-IA09-CQ94; File ID: D26F-CFA67B8E895D)

  39. File Encryption: Filename. Format of filenames of encrypted files:
     • 4DF383039AB03953D81660EB4CADC28D.locky (Victim ID: 4DF383039AB03953; File ID: D81660EB4CADC28D)
     • 0X3U7IYC-IA09-CQ94-D26F-CFA67B8E895D.zepto (Victim ID: 0X3U7IYC-IA09-CQ94; File ID: D26F-CFA67B8E895D)
     • 0X3U7IYC-IA09-CQ94-D26F-CFA67B8E895D.odin (Victim ID: 0X3U7IYC-IA09-CQ94; File ID: D26F-CFA67B8E895D)

  40. File Encryption: File layout (diagram: encryption producing the encrypted file and the encrypted AES key)

  41. File Encryption: File layout
     • Encrypted data (encryption used: AES-128)
     • Hardcoded value
     • Victim ID & File ID
     • Encrypted AES key (encryption used: RSA-2048)
     • Encrypted filename (encryption used: AES-128)
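An added example, not part of the presentation, that splits the encrypted filenames from slides 37 to 39 into victim ID and file ID and tells online (hex) from offline (alphabet-encoded) victim IDs as described in slides 25 and 26. The 8-4-4 / 4-12 split is inferred from the slide examples, and treating the 32-character alphabet as a base32-style 5-bits-per-symbol encoding is an assumption; the slide gives only the alphabet, not the byte layout of the encoded fields:

```python
import re

# Alphabet from slide 26 (offline victim IDs): 32 symbols, so 5 bits per symbol
LOCKY_ALPHABET = "YBNDRFG8EJKMCPQX0T1UWISZA345H769"
_INDEX = {c: i for i, c in enumerate(LOCKY_ALPHABET)}

# <victim id 8-4-4><file id 4-12>.<ext>; dashes optional, so .locky (no dashes),
# .zepto and .odin names all match (split inferred from the slide examples)
_ENC_NAME = re.compile(r"([0-9A-Z]{8})-?([0-9A-Z]{4})-?([0-9A-Z]{4})-?"
                       r"([0-9A-F]{4})-?([0-9A-F]{12})\.(locky|zepto|odin)$", re.I)

def parse_encrypted_name(name):
    """Return (victim_id, file_id, extension) or None for a non-Locky name."""
    m = _ENC_NAME.fullmatch(name)
    if not m:
        return None
    g = m.groups()
    return "".join(g[:3]).upper(), "".join(g[3:5]).upper(), g[5].lower()

def classify_victim_id(vid):
    """Online IDs are MD5-derived hex; offline IDs use LOCKY_ALPHABET. Hex is
    tested first because a hex ID with no '2' is also valid in the alphabet."""
    if re.fullmatch(r"[0-9A-F]{16}", vid):
        return "online"
    if len(vid) == 16 and all(c in _INDEX for c in vid):
        return "offline"
    return "unknown"

def locky_b32_decode(s):
    """Unpack 5-bit symbols into bytes (16 symbols = 80 bits = 10 bytes)."""
    acc, nbits, out = 0, 0, bytearray()
    for c in s:
        acc, nbits = (acc << 5) | _INDEX[c], nbits + 5
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out)

def locky_b32_encode(data):
    """Inverse of locky_b32_decode; a trailing partial symbol is zero-padded."""
    acc, nbits, out = 0, 0, []
    for b in data:
        acc, nbits = (acc << 8) | b, nbits + 8
        while nbits >= 5:
            nbits -= 5
            out.append(LOCKY_ALPHABET[(acc >> nbits) & 0x1F])
    if nbits:
        out.append(LOCKY_ALPHABET[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)
```

Matching names against `_ENC_NAME` on a file server or in endpoint telemetry is a cheap way to spot the rename pattern, independent of which extension a given Locky build uses.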

  42. HTML Ransom Note

  43. Decryptor Page

  44. Harvest Locky Configuration

  45. Automate Configuration Extraction: Overview

  46. Cuckoo Module (flowchart)

  47. Demo: Locky Config Extraction in Cuckoo Sandbox

  48. Conclusion

  49. FortiGuard – Q&A. Thank you. fbacurio@fortinet.com, rjoven@fortinet.com, @fbacurio, @rommeljoven17
