
MORE ABOUT RANSOMWARES. PART 2


Now that we've been introduced to ransomware, let's see how it spreads and infects machines.

How does it enter systems?

Common infection vectors include:

- Spam and social engineering
- Drive-by downloads and malvertising
- Malware installation tools (droppers) and botnets

When ransomware first hit the scene a few years ago, computers predominantly got infected when users opened e-mail attachments containing malware, or were lured to a compromised website by a deceptive e-mail or pop-up window. Newer variants of ransomware have been seen to spread through removable USB drives or Yahoo Messenger, with the payload disguised as an image.


CTB Locker, the ransomware making headlines and victims right now, spreads through aggressive spam campaigns. The email poses as a fax notification and carries a .zip archive as an attachment. If the executable inside the archive is run, the data on the system is encrypted and the victim is asked to pay a ransom to receive the decryption key. Read more about CTB Locker.

But the latest variants can be engineered to infect without the victim opening anything at all. We've recently seen an increasing number of incidents involving so-called "drive-by" ransomware. Drive-by download attacks are launched from compromised websites or through malicious ads and usually exploit vulnerabilities in browser plugins such as Flash Player, Java, Adobe Reader or Silverlight; loading the page is enough. The exploit kits used in such attacks often bundle privilege escalation exploits, which let the malware run with administrator or SYSTEM privileges instead of under the victim's local user account, which might be restricted. Keeping those plugins patched, or removing them where they are not needed, closes most of this vector.

Modus Operandi

Each ransomware variant can be engineered to operate differently. Common traits, however, include fairly complex obfuscation and covert launch mechanisms meant to avoid early antivirus detection. The malware wants to stay hidden, so it uses techniques to thwart detection and analysis: obscure filenames, modified file attributes (hidden or system flags, for example), and running under the pretense of legitimate programs and services. Additional layers of packing and encryption leave the payload unreadable on disk, which makes reverse engineering much harder.
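Because the file on disk is packed and renamed to dodge signatures, the more robust place to catch ransomware is its behaviour: no legitimate program overwrites dozens of documents with ciphertext in a few seconds. The following is an added example, not code from the article or from any product, of that check in Python: it computes the Shannon entropy of each write, then flags any process that produces a burst of near-8-bit-per-byte writes inside a short window. The telemetry, process names, paths and thresholds are constructed for the example.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Tunables (assumptions for this example, not values taken from any product)
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed data sits near 8.0
BURST_COUNT = 5           # this many high-entropy writes...
WINDOW_SECONDS = 10.0     # ...within this window trips an alert


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_encryption_bursts(events, threshold=ENTROPY_THRESHOLD,
                             burst=BURST_COUNT, window=WINDOW_SECONDS):
    """events: iterable of (timestamp_seconds, process_name, path, bytes_written).

    Returns one alert per offending process as
    (process_name, first_timestamp, last_timestamp, high_entropy_writes_in_window).
    """
    hits = defaultdict(list)
    for ts, proc, path, data in events:
        if shannon_entropy(data) >= threshold:
            hits[proc].append((ts, path))

    alerts = []
    for proc, writes in hits.items():
        writes.sort()
        start = 0
        for end in range(len(writes)):
            # slide the window so that it spans at most `window` seconds
            while writes[end][0] - writes[start][0] > window:
                start += 1
            if end - start + 1 >= burst:
                alerts.append((proc, writes[start][0], writes[end][0], end - start + 1))
                break   # one alert per process is enough
    return alerts


def _pseudo_random(seed, length):
    """Deterministic high-entropy filler standing in for ciphertext (SHA-256 chain)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


TEXT = b"Quarterly report for Q3: revenue up, costs flat, headcount unchanged.\n" * 60

# Constructed sample telemetry: a word processor saving documents, an archiver
# writing one compressed file (high entropy, but a single write), and a process
# with a random name overwriting many files with ciphertext within seconds.
SAMPLE_EVENTS = [
    (0.0, "winword.exe", r"C:\Users\ana\Documents\report.docx", TEXT),
    (4.5, "winword.exe", r"C:\Users\ana\Documents\notes.docx", TEXT[:2000]),
    (9.0, "7z.exe", r"C:\Users\ana\Documents\archive.7z", _pseudo_random(b"7z", 4096)),
] + [
    (30.0 + 0.4 * i, "rndm7f2.exe",
     r"C:\Users\ana\Documents\file%d.docx" % i, _pseudo_random(bytes([i]), 4096))
    for i in range(6)
]


if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_EVENTS):
        print("ALERT: %s wrote %d high-entropy files between t=%.1f and t=%.1f"
              % (alert[0], alert[3], alert[1], alert[2]))
```

The archiver's single write shows why the burst count matters: compressed, already-encrypted and media files are legitimately high-entropy, so entropy alone is a false-positive machine; the rate of such writes from one process, ideally combined with extension changes and canary files, is the signal.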


It's worth adding that ransomware communication protocols have been upgraded from plain text (HTTP) to Tor and HTTPS. The content of the calls to the C&C servers is now encrypted, so network monitoring no longer sees keys or commands in transit; what remains visible is the connection itself (DNS lookups, Tor entry nodes, HTTPS sessions to unusual hosts), and that is where network-based detection has to focus. File encryption has also been revamped to use crypto libraries that perform strong, asymmetric cryptography rather than short or hard-coded keys. Earlier samples such as Cryptolocker and Cryptowall contact the server first and only encrypt after they have received a key, so blocking the C&C before that exchange stopped them; later families embed a public key and can encrypt without calling home.

To get a better idea of how ransomware works, let's examine Cryptolocker. Cryptolocker gets installed by a Zbot (Zeus) variant, a Trojan used to carry out malicious tasks. After execution, it adds itself to Startup under a random name and tries to communicate with a command and control server. If successful, the server sends a public key and a corresponding Bitcoin address. Using asymmetric encryption (a public key to encrypt and a private key, held only by the attackers, to decrypt), Cryptolocker begins encrypting more than 70 types of files that might be present on the victim's device.


Here's how encryption works, briefly:

[Diagram of the encryption flow. Source: Microsoft]
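To make the diagram concrete, here is an added Python example (not code from the article or from any ransomware sample) of the hybrid construction that Cryptolocker-class families use: the server keeps the private key, the infected host only ever receives the public key, each file is encrypted with a fresh symmetric key, and that key is wrapped with the public key before being discarded. Everything is deliberately toy-sized: two Mersenne primes give a 92-bit modulus, and SHA-256 in counter mode stands in for AES. The key sizes, function names and sample text are this example's own assumptions.

```python
import hashlib
import secrets

# Toy key pair standing in for the RSA-2048 key the C&C server generates per
# victim. M61 and M31 are Mersenne primes; the ~92-bit modulus is hopelessly weak
# and only large enough to wrap the 64-bit file key below. Illustration only.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: exists only on the server


def server_public_key():
    """What the C&C hands to the infected host: the public half only."""
    return (N, E)


def keystream_xor(key, data):
    """Toy stream cipher (SHA-256 in counter mode) standing in for AES. XOR is its
    own inverse, so one function both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def victim_encrypt_file(plaintext, pubkey):
    """Hybrid encryption on the victim: fresh symmetric key per file, wrapped with
    the server's public key. Returns (wrapped_key, ciphertext); the raw file key
    goes out of scope on return, so nothing left on the disk can undo this."""
    n, e = pubkey
    file_key = secrets.token_bytes(8)                       # 64-bit key, < N
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)    # textbook RSA, toy only
    return wrapped, keystream_xor(file_key, plaintext)


def server_unwrap_key(wrapped):
    """Only the holder of D can recover the file key: this step runs on the
    attackers' server, after payment."""
    return pow(wrapped, D, N).to_bytes(8, "big")


def victim_decrypt_file(ciphertext, file_key):
    """Runs on the victim once the server has returned the unwrapped key."""
    return keystream_xor(file_key, ciphertext)


def demo(plaintext=b"Board minutes, confidential. " * 40):
    """Walk the full exchange and report whether the round trip worked."""
    wrapped, ct = victim_encrypt_file(plaintext, server_public_key())
    recovered_key = server_unwrap_key(wrapped)
    return victim_decrypt_file(ct, recovered_key) == plaintext


if __name__ == "__main__":
    print("round trip via server private key:", demo())
```

This flow is the whole reason paying is the only route once encryption finishes: the disk holds ciphertext plus a wrapped key that only D can open, and D never touched the victim's machine. Free decryptors appear only when an author breaks the flow (file key left in memory or on disk, keys reused or weakly generated) or when the C&C private keys are seized.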

Meanwhile, ransom messages and instructions, often localized to the victim's language, are displayed on the user's screen.


Infected users are instructed to pay a fee for the private key stored on the attackers' servers; without it, decryption is impossible. When the ransom is paid, decryption starts and a payment verification screen is displayed. After decryption ends, the Cryptolocker files are deleted.

Note: Don't take the hackers' word for it; paying the ransom does not guarantee that you can recover your files. Tested, offline backups are the only reliable way back.

Who are the victims?

Ransomware doesn't just impact home computers. Businesses, financial institutions, government agencies, academic institutions and other organizations can and have been infected with ransomware. Such incidents destroy sensitive or proprietary information, disrupt daily operations and, of course, inflict financial losses. They can also harm an organization's reputation. Attackers go after working documents, databases, CAD drawings and financial data. For example, Cryptolocker was used to target more than 70 different file extensions, including .doc, .img, .av, .src, .cad.
