Ransomware: History Analysis & Mitigation
An hour long look at ransomware's beginnings, ransomware in the news, variants throughout the years, cutting edge malware analysis, and mitigation techniques.
Andy Thompson is a member of the Shadow Systems Hacker Collective, and Dallas Hackers Association, I'm active in the Dallas InfoSec community. Currently a Technical Advisor for CyberArk Software, I work with Fortune 500 companies assisting them in advancing their CyberSecurity Programs.
2. @NTXISSA #NTXISSACSC3
Whoami – Andy Thompson - @R41nM4k3r
• Customer Success Strategic Advisor – CyberArk
Software
• B.S. MIS – University of Texas at Arlington
• COMPTIA A+ & Sec+
• VMWare VCA-DCV
• (ISC)2 SSCP & CISSP
• Married, Father of 2 girls.
• Member of Shadow Systems Hacker Collective
• Member of Dallas Hackers Association
3. @NTXISSA #NTXISSACSC3
Agenda
• Overview
• in the News
• Timeline
• Technical Analysis
• Analysis of Client Infection
• Command & Control (C2) Architecture
Setup/Design
• Evolved Ransomware
• Mitigation techniques
• Final thoughts
14. @NTXISSA #NTXISSACSC3
Malvertising
• Up 325% from 2014-2015
• Recently as of March 15th, 2016
• Companies outsource their advertising
through advertising networks
• Tainted ads with the Angler toolkit.
• Nytimes, BBC, MSN, AOL, Answers.com,
ZeroHedge, Infolinks, my.xfinity, nfl, realtor.com,
theweathernetwork, thehill, and newsweekall
served up ransomware.
• Other victims include:
• Spotify, TMZ, Skype, Ebay, Drudge Report, and
many many many others.
38. @NTXISSA #NTXISSACSC3
Petya – The MBR Encryptor
• Rewrites systems MBR and forces BSOD.
• Fake “check disk” runs and encrypts Master
File Table.
• Masquerades as a job application
• Links to a shared dropbox folder containing
self extracting archive containing applicant
resume and fake photo
39. @NTXISSA #NTXISSACSC3
PowerWare – Using your own tools against you.
• Disguised in spam as an “invoice”
• Leverages MS Word and Native
PowerShell.
• Does not pull down any additional
binaries, and leverages PowerShell
(already on the system and approved to
be there) to do the dirty work.
52. @NTXISSA #NTXISSACSC3
SIPLockr – 1st Android Encrypting Ransomware
• Detected June 1st, 2014
• Lots of Android Screen Lockers, but
this was the first file encrypter.
• Encrypts *.jpg, *.jpeg, & *.png
to *.enc
• Communicates to C2 via Tor network
• Decrypter is currently available.