Syed Asad Ali Zaidi

Networks Dept.

Headquarters| NADRA
31/3/2016

A Growing Threat
 What is Ransomware?

 A type of malware which restricts access to the

computer system that it infects, and demands a
ransom paid to the creator(s) to restore access.

 Encrypting - encrypts files on the victims computer and then

demands money for a private key to decrypt the files.

 Non-encrypting - restricts access to the computer often by

setting the Windows shell to itself or modifying the boot record
until a “fix” is purchased from the creator(s).
 Examples of Ransomware

 Reveton

 CryptoLocker

 Email threats

 Locky

 You simply can’t recover includes Cryptolocker,

Cryptowall, Reveton, Winlocker, FBI Virus, Moneypak,
and more.
 Reveton

 Nicknamed the “police trojan”

 Displays a message from “authorities” (local police
station, FBI, etc.) saying that your computer has been
locked because illegal material was found and the user
must pay a fine to have it unlocked
 Pornographic material
 Pirated music, movies, etc.
 Often displays the correct name and logo for area
authorities
 Can contain footage from the computer’s webcam to
make the user believe their actions are being recorded
 All bad??
Reveton
 CryptoLocker

 Displays a message saying that your computer has been

encrypted and you must pay to obtain the key to decrypt
your files
 If not paid within a certain amount of time (usually 72
hours) the key will be destroyed
 More recent versions allow users to decrypt a few files for
free to prove they can be recovered
 Creator(s) have been known to make over $30 million in
just a few months
CryptoLocker
 Email Threats

 Sony
 Three days before the attacks that crippled Sony Pictures, the
hackers sent an email to two executives that claimed to “do
great damage to the company” if they weren’t paid
 Apparently they didn’t pay….

 Clay County Hospital in Flora, Illinois

 The hospital received an email containing patient names,
addresses, Social Security numbers and dates of birth
 The sender threatened to make the information public unless
“a substantial payment from the hospital” was made
 Predictions for 2016

 The healthcare industry is at a particularly high risk

 The mandate to move to electronic records
 The sensitive nature of health care data
 The immaturity of the information security practices that exist in the
health care industry today
 The cost of compromise could range from an inconvenience to loss of
life
 Targeted extortion-ware
 An expansion on ransomware that targets users that have something
to hide and threatens to expose evidence of infidelity, incriminating
data, etc.
 Much more targeted but the payment amount requested will be
much higher per victim
 Victims are much less likely to involve law enforcement due to the
sensitive nature of the data
 Predictions for 2016 cont…

 McAfee predicts that ransomware variants will

specifically target endpoints that subscribe to cloud-
based storage solutions
 Once the endpoint has been infected, the ransomware will
attempt to exploit the logged-on user’s stored credentials to
also infect backed-up cloud storage data

 McAfee also predicts a rise in ransomware targeting

mobile devices using virtual currency as the ransom
payment method.
 Bitcoin has become a very popular method for payment
requests because the requestor can remain anonymous
 Locky Ransomware

• crypto-ransomware rides in on malicious Word document macro

 Locky Encrypts

 Locky will use the AES encryption algorithm to encrypt all files with the
following extensions: .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob,
.mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC,
.PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png,
.gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar,
.java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd,
.MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6,
.lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml,
.sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti,
.sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc,
.dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml,
.txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem,
.csr, .crt, .key, wallet.dat
 However, Locky will not encrypt any files where the full Pathname and
Filename contain one of the following strings: tmp, winnt, Application
Data, AppData, Program Files (x86), Program Files, temp, thumbs.db,
$Recycle.Bin, System Volume Information, Boot, Windows
 Risk measurement

Sri Lanka, Saudi Arabia,

Brunei Darussalam,
Pakistan, Cambodia,
24.02.2016 12
Great Britain, Taiwan,
Guatemala, Curacao,
Canada, Portugal, Japan
 Solution

 Preventive method:
 Awareness of Secure using of computer – Trainings
 Updated antivirus suites

 Defensive method
 Using Automatic Backups of Files on Twice a day
interval with Acronis Backup system.
 Copying Backup files on different computers.
 Links

 SC Magizine - Expect more ransomware and 'extortionwoare'

in 2015
 McAfee Threats Predicitions
 The Sony Hack and the Rise of Cyber Ransoms
 New CTB-Locker Variant Allows Victims to Recover 5 Files for
Free
 Patient data held for ransom at rural Illinois hospital
 SentinelOne Labs - Advanced Threat Intelligence Report -
2015 Predictions
 Ransomware to Target Cloud Storage in 2015 – Are You
Ready?
 https://blog.avast.com/a-closer-look-at-the-locky-
ransomware