The Weird & Worrisome Evolution of Ransomware

THE WEIRD & WORRISOME EVOLUTION OF RANSOMWARE

The past five years have seen a rapid increase in the ransomware arsenal.

[Timeline axis: 1989 to 2015]

1989
Top song: "Look Away", Chicago
Computing milestone: Tim Berners-Lee, not Al Gore, invents the World Wide Web

Ransomware: PC Cyborg, aka AIDS Trojan
Installation: A 5.25" floppy disk entitled "AIDS Information Introductory Diskette" is sent to a mailing list.
Infection: Replaces the AUTOEXEC.BAT file, hides directories, and encrypts all file names on the C drive. Some versions count up to 90 boot cycles before starting.
Ransom: Mail $189 to a P.O. box in Panama to unlock the system.
Note: The author is a British doctor, Dr. Joseph Popp, who claims, without proof, that the profits are going to AIDS research.

2005
Top song: "We Belong Together", Mariah Carey
Computing milestone: Hitachi ships the first 500 GB hard drive

Ransomware: GPCode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, PGPCoder, and MayArchive
Installation: Writes a text file to the Desktop, replacing the wallpaper, instructing the victim that a ransom needs to be paid.
Infection: Uses public key encryption on a hardcoded list of 44 file extensions.
Ransom: $100-$200 payable to an eGold or Liberty Reserve account.
Note: Early variants make decryption fairly easy without paying. Deleted files can be undeleted and compared to their respective encrypted versions to deduce the encryption key.

2006
Top song: "Bad Day", Daniel Powter
Computing milestone: Intel releases the Core 2 processor

Ransomware: GPCode.AG
Installation: Writes a text file to the Desktop, replacing the wallpaper, instructing the victim that a ransom needs to be paid.
Infection: Uses a 660-bit key to encrypt files.
Ransom: $100-$200 payable to an eGold or Liberty Reserve account.

2008
Top song: "Low", Flo Rida
Computing milestone: Google releases the first public beta version of the Chrome browser

Ransomware: GPCode.AK
Installation: Writes a text file to the Desktop, replacing the wallpaper, instructing the victim that a ransom needs to be paid.
Infection: Uses a 1024-bit key to encrypt files.
Ransom: $100-$200 payable by bank transfer.
Note: Uses RSA-1024 and AES-256 encryption, which can no longer be circumvented.

2010
Top song: "Tik Tok", Kesha
Computing milestone: Apple releases the original iPad

Ransomware: Fake Windows Activation
Installation: Imitates the Windows Product Activation notice. Indicates that another user has activated this copy of Windows and that the victim will have to re-activate Windows.
Infection: Non-encrypting, but prevents access until "activation" is complete.
Ransom: Several variations, including credit card payment via the fake activation screen and long distance call fees.

Ransomware: WinLock
Installation: Locks the display with a full-screen window displaying pornographic images which cannot be closed.
Infection: Non-encrypting, but disables Task Manager and Safe Mode and prevents access until the ransom is paid.
Ransom: Send a $10 SMS to unlock, but it usually takes 2-3 texts to get the unlock code.
Note: Originates in Russia, with mostly Russian and Ukrainian targets.

2012
Top song: "Somebody That I Used to Know", Gotye feat. Kimbra
Computing milestone: Intel demonstrates a 4x4 inch motherboard

Ransomware: Reveton, aka Police Trojan
Installation: Locks the display with a full-screen message, purportedly from the victim's national law enforcement agency, indicating the victim has illegal content on the device (usually child porn or copyrighted material) and demanding payment of a "fine" to avoid prosecution and to regain device access.
Infection: Non-encrypting, but prevents access until the ransom is paid.
Ransom: $200, £100, or similar amounts throughout Europe, via Ukash, Paysafecard, or MoneyPak.
Note: Adds a password stealing payload in August 2014.

2013
Top song: "Thrift Shop", Macklemore & Ryan Lewis feat. Wanz
Computing milestone: Microsoft releases the Xbox One

Ransomware: Stamp.EK kit, aka Sofosfo, aka GrandSoft
Installation: Posts adult pictures of celebrities; victims who click are taken to malicious sites which download the trojan. It then acts like 2012's Police Trojan above.
Infection: Similar to the Police Trojan, with the key difference being that it masquerades as celebrity nude pics.
Ransom: $300 via MoneyPak.
Note: Distributed via GitHub and SourceForge. Uses the phrase "f--- off" several times in the source code, directed at Sophos and Microsoft Support.

Ransomware: OS X specific
Installation: Prevents victims from closing the browser. Claims to be from the FBI, accusing the victim of viewing or distributing child porn.
Infection: Browser hijacking which won't let the victim close their browser, and displays a screen similar to the Police Trojan.
Ransom: $300 via MoneyPak.
Note: A 21-year-old Virginia man is fooled by the message and turns himself in to authorities for having child porn. He is arrested and charged.

Ransomware: CryptoLocker
Installation: Usually distributed via email. A password protected ZIP file is attached; the password is in the body of the email. The victim unzips the file and the system is infected.
Infection: Uses a 2048-bit key. Encrypts approximately 70 predetermined file extensions.
Ransom: Payable via MoneyPak, Ukash, CashU, or BTC. Ransom increased to 10 BTC ($2300) if not paid in 3 days.
Note: $27M in BTC is the conservative estimated haul by the "super villains" behind CryptoLocker; it was probably much higher.* (* http://www.zdnet.com/article/cryptolockers-crimewave-a-trail-of-millions-in-laundered-bitcoin/)

Ransomware: CryptoLocker 2.0
Installation: Now able to masquerade as a Windows or Office activator program (a cracker to illegally activate the product).
Infection: Claims to use stronger encryption (RSA-2048) but actually uses weaker encryption (RSA-1024). Re-written in C#; the original was in C++.
Ransom: Countdown timer enforced but no longer displayed. Now only payable in BTC.

2014
Top song: "Happy", Pharrell Williams
Computing milestone: Seagate releases the first 8 TB hard drive

Ransomware: CryptoWall 1.0, aka CryptoDefense, aka CryptoClone
Installation: Similar to CryptoLocker, delivered via email attachment. Displays a dialog after encryption informing the victim that their files are encrypted; advises of the ransom amount and payment URL; provides a countdown timer. All victims use the same payment URL.
Infection: An early flaw (use of the Windows Encryption API, which leaves the key in an accessible place) was later fixed.
Ransom: $500, increasing to $1000 after Y days. Your key is destroyed after 30 days, with no way to decrypt after that.
Note: The early version left the decryption key on the target system, allowing it to be circumvented. Symantec then blogged about the flaw and the author corrected it (April 2014). Distributed via the Cutwail botnet. Used the same downloader as CryptoLocker on the Gameover ZeuS botnet, now defunct.

Ransomware: CTB-Locker, aka Critroni
Installation: Displays a notification dialog informing the victim that their files are encrypted and demands payment.
Infection: Elliptic curve algorithm; claims to be the equivalent of RSA-3072 strength.
Ransom: Amount varies by ransomer, normally < 1 BTC. Only payable in BTC. The victim is given a personal .onion address at which to pay.
Note: Uses the Tor network for C&C. Sells as a kit for $3000. Accommodates affiliate payments. CTB stands for Curve-Tor-Bitcoin (encryption, network, payment).

Ransomware: SynoLocker
Installation: Informs the victim when accessing the device that "all important files on this NAS have been encrypted ..." and asks for 0.6 BTC in ransom.
Infection: Undisclosed.
Ransom: 0.6 BTC payable at a page in the Tor network.
Note: Notable because this is the first ransomware not targeted at computers or mobile devices, but at Network Attached Storage, specifically NAS built by Synology.

Ransomware: TorrentLocker
Installation: Displays a window claiming the files are encrypted with CryptoLocker; includes a link to purchase the decryption software.
Infection: Pretends to be both CryptoLocker and CryptoWall. It's actually a different product. Encrypts a hardcoded list of 236 file extensions.
Ransom: $550, increasing after 3 days. Payable in BTC. Each victim has a unique payment address.
Note: Biggest in Turkey, then Australia. Uses extremely simple key generation, easily undone if you have 1 original file. Decryption tools were built and made available to the public, but SANS then blogged about the issue and the author fixed it in later versions.

Ransomware: CryptoWall 2.0, aka CryptoLocker.F
Installation: Now uses a unique payment portal per victim. Also securely deletes the original files so they cannot be undeleted. Ransomers create their own web-to-Tor gateways for payment so third party gateways can't blacklist them.
Infection: Like TorrentLocker, it pretends to be previous versions of CryptoLocker and CryptoWall but is actually different. Encrypts 236 predetermined file extensions.
Ransom: $550, increasing after 3 days. Payable in BTC. Each victim has a unique payment address.
Note: Not related to the original CryptoLocker. Big in Australia; knocked the Australian Broadcasting Corporation off the air (it switched to studios in another city).

2015 (January-February 2015)
Top song: "Uptown Funk", Mark Ronson + Bruno Mars
Computing milestone: Apple releases the Apple Watch

Ransomware: CryptoWall 3.0
Installation / Infection: New filenames for ransom notes, new payment gateways on the I2P network, and the ransom deadline extended to 7 days. No apparent change in the file encryption approach, but C&C communications are now encrypted and use the I2P protocol.
Ransom: The victim must pay in BTC. $500-$1000.
Note: First ransomware to use the I2P anonymity network. Suspected to be of Russian origin. The biggest targets seem to be Germany and Denmark.

The threat of ransomware has increased greatly over the past five years as more and more variations are added to an ever-growing arsenal.

WHAT'S NEXT? WILL YOU BE PREPARED?
Visit the Lumension (a HEAT Software company) Resource Center for more information on how to protect your organization from ransomware: www.lumension.com/ransomware

HEAT Software is a leading provider of Hybrid Service Management (SM) and Unified Endpoint Management (UEM) software solutions for organizations of all sizes. With our suite of HEAT applications, HEAT Software is the only company in the world that provides, from a single platform, SM and UEM software on-premise and in the cloud.

shared by Lakuna on Dec 06
Heat Software outlines the ominous growth of ransomware from first glance to today's various attackers.

Designer

Dave Narcizo

Category

Computers