Global Trends in Evolving Ransomware – Trend Micro Korea (한국트렌드마이크로)

Presentation Title—Ipsum Dolorate Non Mummy · 2016-01-29 · Author: franciss · Created Date: 1/29/2016 10:09:22 AM


Page 1:

Global Trends in Evolving Ransomware – Trend Micro Korea

Page 2:

Crypto-Ransomware Evolution


Page 3:

Ransomware Lineup


[Timeline figure, 2015 (Jan to Aug): CRYPCTB; CRYPTOWALL 3.0 (re-appear; update from EXE to DLL); CRYPTESLA and CRYPTESLA 2.0 (updated encryption); CRYPVENGION; HIDDENTEAR]

Page 4:

Top-Ranking Ransomware Families


Source: https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/rpt-trendlabs-2015-1q-security-roundup-bad-ads-and-zero-days-reemerging-threats-challenge-tr.pdf

Page 5:

Recent Global Cases

Page 6:

TorrentLocker Ransomware - 2016/1/20


Ransomware outbreak continues: Fake AFP websites spreading TorrentLocker.

At present we have seen 121 fake websites (the list is still growing):

hxxp://1av{block}ool.ru/4tniHrVA3KWR/xPA1FdrU4vK.php

hxxp://71{block}ur.ru/wiStsd1o7PVF/nyKeJq31A8jdh9Q.php

hxxp://yei{block}nd.ru/iADG6vOnu08l/NDgptPiU.php

hxxp://zna{block}-otl.ru/5yDm6e09Ih3/HYFosw6iz.php

Advise users not to enter CAPTCHA codes on any AFP site.

Be especially careful about anything purporting to be an AFP / infringement-related site or email.

Page 7:

TorrentLocker Ransomware - 2015/12/10


Ransomware outbreak: Fake Australia Post websites spreading TorrentLocker.

They are continuing to use auspost_index.php in the URLs.

TorrentLocker is not using landing pages; the fake website is placed directly on the compromised websites.

At the moment we have seen 40 new fake websites (the list is still growing):

hxxp://aq{block}pic.ru/EC9V7yFL/1ZzdCv.php

hxxp://www{DOT}tornagografica.it/h3MJv/A7DIO01lvwKFQP.php

Advise users not to enter CAPTCHA codes on any postal tracking site.

Be especially careful about anything purporting to be a parcel notification or to come from Australia Post (phone Australia Post to confirm any such email).

Page 8:

CryptoWall 4 Ransomware - 2016/1/19


The spam (distributing Cryptowall 4) is using an obfuscated JavaScript attachment.

The JavaScript downloads the Cryptowall malware from sites such as:

hxxp://neo{block}otes.com/img/script.php?ak1.jpg

hxxp://neo{block}otes.com/img/script.php?ak2.jpg

hxxp://neo{block}otes.com/img/script.php?ak3.jpg

If you are not a Trend Micro customer, block these URLs at your firewall.

Advise users not to open attachments which they did not expect to receive.

Page 9:

CryptoWall 4 Ransomware - 2016/1/12


The spam (distributing Cryptowall 4) is using an obfuscated JavaScript attachment.

The JavaScript downloads the Cryptowall malware from sites such as:

hxxp://fig{block}n.com/img/script.php?dcm1.jpg

hxxp://fig{block}n.com/img/script.php?dcm2.jpg

If you are not a Trend Micro customer, block these URLs at your firewall.

Advise users not to open résumé attachments which they did not expect to receive.

Page 10:

TeslaCrypt Ransomware - 2015/12/21


The spam (distributing Cryptesla) is using an obfuscated JavaScript attachment.

The JavaScript downloads the Cryptesla malware from sites such as:

hxxp://[BLOCKED}whatdidyaysay.com/80.exe?1

hxxp://[BLOCKED}iamthewinnerhere.com/80.exe?1

hxxp://[BLOCKED}washawaydesctrucion.com/90.exe?1

hxxp://[BLOCKED}fernytowd.com/69.exe?1

hxxp://[BLOCKED}fernytowd.com/73.exe?1

If you are not a Trend Micro customer, block these IPs / URLs at your firewall.

Advise users not to open such invoice attachments which they did not expect to receive.
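The three spam campaigns above share one shape: a script attachment fetches the payload from a short list of URLs, so the firewall advice amounts to matching request paths. As an added example (not from the slides or from Trend Micro), this Python triage script refangs the slides' partly redacted indicators into exact paths and scans constructed proxy log lines for them, plus for campaign-shaped paths; the generalised regexes, the log format and the placeholder hosts are assumptions.

```python
import re

# Defanged indicators copied from the slides above; the hosts are partly redacted there.
DEFANGED_IOCS = [
    "hxxp://neo{block}otes.com/img/script.php?ak1.jpg",
    "hxxp://[BLOCKED}whatdidyaysay.com/80.exe?1",
    "hxxp://www{DOT}tornagografica.it/h3MJv/A7DIO01lvwKFQP.php",
]
REDACTION = re.compile(r"\{block\}|\[BLOCKED[\]}]")
URL_RE = re.compile(r"https?://([^/]+)(/.*)?$")

# Campaign-shaped download paths generalised from the slides (constructed regexes, an assumption).
CAMPAIGN_PATTERNS = {
    "cryptowall4-js-downloader": re.compile(r"/img/script\.php\?\w+\d\.jpg$"),
    "cryptesla-js-downloader": re.compile(r"/\d+\.exe\?\d+$"),
    "torrentlocker-auspost-phish": re.compile(r"auspost_index\.php"),
}

def refang(ioc):
    """Turn a defanged advisory URL into (host, path); a redacted host comes back as None."""
    m = URL_RE.match(ioc.replace("hxxp", "http", 1).replace("{DOT}", "."))
    host, path = m.group(1), m.group(2) or "/"
    return (None if REDACTION.search(host) else host), path

def scan_proxy_log(lines):
    """Return (client, url, reason) for each request whose path is a known or campaign-shaped download."""
    exact_paths = {refang(i)[1] for i in DEFANGED_IOCS}
    hits = []
    for line in lines:
        _ts, client, url = line.split()[:3]
        m = URL_RE.match(url)
        if not m:
            continue  # not an http(s) request line
        path = m.group(2) or "/"
        if path in exact_paths:
            hits.append((client, url, "known-ioc-path"))
            continue
        for name, pattern in CAMPAIGN_PATTERNS.items():
            if pattern.search(path):
                hits.append((client, url, name))
                break
    return hits

# Constructed proxy log lines (timestamp, client IP, requested URL); hosts are placeholders.
SAMPLE_LOG = [
    "2016-01-19T09:12:01Z 10.0.0.12 http://payload-host.invalid/img/script.php?ak2.jpg",
    "2016-01-19T09:12:05Z 10.0.0.12 http://payload-host.invalid/80.exe?1",
    "2016-01-19T09:15:40Z 10.0.0.20 http://fake-post.invalid/auspost_index.php",
    "2016-01-19T09:16:00Z 10.0.0.31 http://intranet.invalid/img/logo.jpg",
]
```

Exact-path hits take precedence over the looser campaign regexes, so a host that is redacted in the advisory can still be blocked by path; the fourth sample line is benign and produces no hit.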

Page 11:

CRYPTWALL v4: Threat Background


Impact: HIGH

Severity: HIGH

Volume: HIGH

Emerging Threat: CRYPTWALL (4.0)

Page 12:

Ransomware in Japan

Page 13:

JP Industry Customers with Ransomware Cases


[Pie chart: share of JP industry customers with ransomware cases]

Manufacturing 30%

Others 20%

Government 12%

IT service 11%

Trading company 6%

Education 6%

Partner 3%

Transportation 2%

Telecommunication 2%

Food 2%

Finance 2%

Electricity / Gas / Water 2%

Travel 1%

Medical 1%

Page 14:

Consumer Inquiry Count for Ransomware


Page 15:

Ransomware Samples Submitted from JP Customers


A significant decrease in samples submitted, but what about actual infections?

[Pie chart: Crypto-Ransomware Type. Families: CTB Locker, CryptoDefense, CryptoWall, CryptoLocker, TorrentLocker, TeslaCrypt, TROJ_RANSOM, FILECODER. Shares shown: 42%, 17%, 11%, 8%, 7%, 6%, 5%, 4%]

Page 16:

1/29/2016 · Confidential | Copyright 2012 Trend Micro Inc.

Thank you

"2016 will be the year of online extortion." – Trend Micro 2016 Security Predictions report