Dissecting the Cryptolocker Ransomware Cyphort Labs Malware’s Most Wanted Series June 2014

Malware's Most Wanted: CryptoLocker—The Ransomware Trojan


DESCRIPTION

The CryptoLocker Malware encrypts certain files with a private key and demands payment to regain access to the files. Nick Bilogorskiy, Director of Security Research, presents this deep dive into CryptoLocker and looks at the latest information around what is called one of the two most sophisticated and destructive forms of malicious software in existence. (The other being Gameover Zeus.) Malware’s Most Wanted is a monthly series to inform IT security professionals on the details of the most dangerous advanced persistent threats. Attendees receive a special edition t-shirt.

Page 1: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Dissecting the Cryptolocker Ransomware

Cyphort Labs Malware’s Most Wanted Series June 2014

Page 2: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Your speakers today

Nick Bilogorskiy, Director of Security Research

Jean Krahulec, Event Marketing Director

Page 3: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Agenda

o What is Cryptolocker
o Major incidents involving Cryptolocker
o Dissecting the malware
o Wrap-up and Q&A

Cyphort Labs T-shirt

Page 4: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

About Cyphort Labs

We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd party threat data

We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research

Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response

Page 5: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Poll #1

Who does Cryptolocker target?
o Governments
o Individuals
o Corporations

Page 6: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

What is Cryptolocker?

o Began September 2013
o Encrypts victim’s files, asks for $300 ransom
o Impossible to recover files without a key
o Ransom increases after deadline
o Goal is monetary via Bitcoin
o 250,000+ victims worldwide (according to SecureWorks)

Page 7: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

If you see this screen - You are infected

Image source: FBI

Page 8: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Who pays the ransom?

Police department paid $750 to decrypt images and word documents

Page 9: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Ransomware History

2005: PGPCoder Trojan, 1024-bit RSA key, collects money via E-Gold
2009: Bitcoin is invented by Satoshi Nakamoto
2012: Reveton Trojan, aka Police Trojan, collects money via MoneyPak
2013: Bitcoin becomes popular, price increases
2013: Cryptolocker

Page 10: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Cryptolocker History

September 2013: Cryptolocker 1.0 appeared
October 2013
November 2013: CryptoLocker Decryption Service introduced
December 2013: Cryptolocker 2.0
February 2014: Cryptodefense, BitCrypt
May 2014: Android - Simplelocker
June 2014: Cryptolocker author identified and added to most wanted list

Page 11: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Attribution

According to the FBI, losses are “more than $100 million.”

Image source: FBI

Page 12: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Attribution

Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia, nickname “Slavik”, indicted for conspiracy, computer hacking, wire fraud, bank fraud, and money laundering.

Bogachev is identified as a leader of a cyber gang of criminals based in Russia and Ukraine that is responsible for both GameOver Zeus and Cryptolocker.

Page 13: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Cryptolocker Victims and Damages

o Dell SecureWorks estimates that CryptoLocker has infected 250,000 victims. The average payout is $300 each.

o 1 million dollars a day.

o $27 million in ransom in the first 2 months (FBI).

Page 14: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Cryptolocker Victims and Damages

Image source: FBI

Page 15: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Poll #2

What percentage of victims pay the ransom?
o 0.1%
o 1%
o 25%
o 41%

Page 16: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

41% of people pay ransom

Data from a Jan 2014 survey by the University of Kent: http://www.cybersec.kent.ac.uk/Survey2.pdf

Page 17: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Cryptolocker overview

[Diagram: Locked Files -> Bitcoin Ransom Sent -> C&C Server -> Private Key Sent -> Unlocked Files]

Page 18: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Cryptolocker analysis

- Drops a copy of itself in %APPDATA%\{random}.exe

- Creates the following autorun key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "CryptoLocker":<random>.exe

- Creates two processes of itself; the second one acts as a watchdog.

Later versions of CryptoLocker create an additional registry entry: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker":<random>.exe

Page 19: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Cryptolocker C&C

Domain Generation Algorithm

It uses any of the following TLDs for every generated domain:

.com, .net, .biz, .ru, .org, .co.uk, .info

[Diagram, steps 1 to 6: the encrypt-files-with-the-public-key flow]

Page 20: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Cryptolocker C&C

CnC - Sinkholed – what does it mean? The domains the DGA will generate are registered ahead of time by researchers or law enforcement and pointed at a server they control, so infected hosts reach the sinkhole instead of the real C&C and never receive a public key.
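As an added illustration (not code from the deck or from Cyphort), the Python below triages constructed DNS resolver log lines for the two signs of the behaviour described on these two slides: a burst of NXDOMAIN answers for random-looking names under the listed TLDs, and a successful resolution to a sinkhole address. The log format, the NXDOMAIN threshold, the label pattern and the sinkhole address are assumptions, not values from the deck.

```python
import re
from collections import defaultdict

# TLDs the deck lists for CryptoLocker's DGA domains.
DGA_TLDS = (".com", ".net", ".biz", ".ru", ".org", ".co.uk", ".info")

# Assumptions, not from the deck: a sinkhole address (placeholder, take real ones
# from your threat feed), how many NXDOMAIN hits on DGA-style names one client may
# produce in the log window before it is reported, and what a DGA label looks like.
SINKHOLE_IPS = {"203.0.113.9"}
NXDOMAIN_THRESHOLD = 5
LABEL_RE = re.compile(r"^[a-z]{10,20}$")   # long, letters only, no dictionary words

# Constructed resolver log, one "client qname rcode answer" per line. Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR 192.0.2.1
10.0.0.7 kqwtpvlxsbmq.com NXDOMAIN -
10.0.0.7 nvqjfbtxyrmdhp.net NXDOMAIN -
10.0.0.7 zlprwkqcxbvt.biz NXDOMAIN -
10.0.0.7 hsgtbkrqnwpxlv.ru NXDOMAIN -
10.0.0.7 qmfdvbpctrnx.co.uk NXDOMAIN -
10.0.0.7 bplwvqkhsfau.org NOERROR 203.0.113.9
10.0.0.9 typoexampel.info NXDOMAIN -
"""

def dga_like(qname):
    """True if qname ends in a listed TLD and its registered label looks machine-made."""
    qname = qname.lower().rstrip(".")
    for tld in DGA_TLDS:
        if qname.endswith(tld):
            label = qname[: -len(tld)].rsplit(".", 1)[-1]
            return bool(LABEL_RE.match(label))
    return False

def triage_dns_log(text):
    """Return {client: [findings]} for clients showing DGA or sinkhole activity."""
    nxdomain = defaultdict(int)
    findings = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        client, qname, rcode, answer = parts
        if not dga_like(qname):
            continue
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1         # nobody has registered this name (yet)
        elif answer in SINKHOLE_IPS:
            findings[client].append(f"resolved {qname} to a sinkhole: host is infected")
    for client, n in nxdomain.items():    # one typo is noise; a burst is a DGA
        if n >= NXDOMAIN_THRESHOLD:
            findings[client].append(f"{n} NXDOMAIN answers for DGA-style names")
    return dict(findings)
```

A single NXDOMAIN for a long name (the 10.0.0.9 line) stays below the threshold and is not reported; the burst plus the sinkhole hit from 10.0.0.7 is.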

Page 21: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

CryptoLocker Victims

Filename and Extensions Encrypted by CryptoLocker

Page 22: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Cryptolocker analysis

It searches all local and remote drives for files to encrypt. Every file that is encrypted is also recorded under the following registry key: HKEY_CURRENT_USER\Software\CryptoLocker\Files

The only way to decrypt is to buy the private key from the attackers.
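The persistence entries from the analysis slide above and the HKEY_CURRENT_USER\Software\CryptoLocker\Files record on this slide are what a responder checks first on a suspect host. The Python below is an added example (not code from the deck or from Cyphort) that triages a constructed registry export for those artifacts; it assumes the values have already been exported as (key, value name, data) tuples, that the dropped copy is a random-named .exe directly under %APPDATA%, and that each value name under the Files key is one encrypted file path.

```python
import re

# Registry locations named in the deck (hive spelled as the deck spells it).
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNONCE_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
FILES_KEY = r"HKEY_CURRENT_USER\Software\CryptoLocker\Files"

# Value names the deck reports for the autorun entries.
KNOWN_VALUE_NAMES = {"CryptoLocker", "*CryptoLocker"}
# Assumed pattern for the dropped copy: a random-named .exe directly under %APPDATA%.
RANDOM_APPDATA_EXE = re.compile(r"^%APPDATA%\\[A-Za-z0-9]{6,}\.exe$", re.IGNORECASE)

# Constructed export of (key, value name, data) tuples; not taken from a real host.
SAMPLE_ENTRIES = [
    (RUN_KEY, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (RUN_KEY, "CryptoLocker", r"%APPDATA%\Ksdhfa7q.exe"),
    (RUNONCE_KEY, "*CryptoLocker", r"%APPDATA%\Ksdhfa7q.exe"),
    (FILES_KEY, r"C:\Users\alice\Documents\budget.xlsx", ""),
    (FILES_KEY, r"\\fileserver\shared\contracts\nda.docx", ""),
]

def triage_registry(entries):
    """Return (persistence findings, encrypted file paths) from exported values."""
    persistence, encrypted = [], []
    for key, name, data in entries:
        k = key.lower()
        if k.endswith((r"\run", r"\runonce")):
            reasons = []
            if name in KNOWN_VALUE_NAMES:
                reasons.append("value name matches CryptoLocker")
            if RANDOM_APPDATA_EXE.match(data):
                reasons.append("random-named .exe directly under %APPDATA%")
            if k.endswith(r"\runonce") and name.startswith("*"):
                # Windows runs '*'-prefixed RunOnce values even when booted in Safe Mode.
                reasons.append("asterisk prefix: RunOnce entry also runs in Safe Mode")
            if reasons:
                persistence.append((key, name, data, reasons))
        elif k == FILES_KEY.lower():
            # Assumption: each value name is one encrypted path. The list scopes the
            # damage, including files on remote shares the infected user could reach.
            encrypted.append(name)
    return persistence, encrypted
```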

Page 23: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Cryptolocker Ransom

Payment options: moneypak, ukash, cashu, bitcoin

Price: $300 USD or 2 BTC

Page 24: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Cryptolocker 2.0

                  Original Cryptolocker             Cryptolocker 2.0
Compiler          C++                               .NET
Encryption        RSA-2048                          RSA-4096
C&C servers       Employs DGA                       No DGA
Payment scheme    moneypak, ukash, cashu, bitcoin   bitcoin only

Around December 2013, a new ransomware emerged claiming to be Cryptolocker 2.0. It drops a copy of itself in %system% as msunet.exe.

Page 25: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Cryptodefense aka Cryptowall

o Cryptodefense is a newer variant of Cryptolocker
o Appeared in Feb 2014
o No GUI
o Pops up a webpage, drops a text file
o Uses TOR for anonymous payments

Page 26: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Cryptodefense aka Cryptowall

Page 27: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Android SimpleLocker

May 2014: Simplelocker appears in Ukraine
- Asks for $22 USD using Monexy
- Uses TOR for C&C

Checks the SD card for: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4

Unlike Cryptolocker, the encryption key is hardcoded in the malware. Encrypted files are appended with “.enc”.

Page 28: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Conclusions

1. Cryptolocker evolved into a major threat, allowing criminals to easily monetize malware infections via Bitcoin.

2. Due to the current geopolitical situation, Russian attackers will likely continue the barrage against US businesses and individuals while enjoying safe haven in their home country.

3. Cryptolocker needs the public key to encrypt files, so blocking known C&C servers may help prevent data encryption.

4. Backup your files! Since decrypting Cryptolocker-encrypted files is not possible, frequent backups become even more critical. And keep your backup offline.

Page 29: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Q and A

o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware

Page 30: Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

Thank You!