How NOT to code your ransomware
Liviu Itoafă
About Me
$ whoami
• Security Researcher @ Kaspersky
• Hands-on work: coding, reverse engineering, vulnerability research
• Malware analysis training
• Tags: GTD (Getting Things Done)
IS IT REALLY A PROBLEM?
Actually YES! Companies started to create vaccines for this.
Evolution and techniques
• File scramblers
• Traditional ransomware
• Website ransomware – CTB-Locker [1]
• macOS – KeRanger [2]
• MBR cryptors – Petya [3]
• Mobile ransomware [4]
• OS: Windows, Android, Linux, FreeBSD, OSX
Infection
• Spam | Malvertising | Exploit kits | Watering hole attacks
Distribution
• Partnership programs
• "Distributors" can sign up as affiliates
– Get a compiled binary containing the AffiliateID and a public key
– Can distribute the sample to their own target group
– Collect 40-70% of the revenues, payable in crypto-currency
Defences against analysis
• Obfuscations
– Many levels of packing
• Anti-forensics
– Self-deletion from disk
– Erase key from memory
– Change the timestamp of the module to that of kernel32.dll [1]
• Anti-AV
– Tricks signature checks by spawning hollowed explorer.exe (RunPE)
Psychological tactics
• Scaremongering victims
– Gradually increasing the ransom amount
– Warnings to not delete any files or run antivirus software ('don't call the police')
– Message selected based on victim's country info (geolocation)
– Voice warnings using a text-to-speech emulator [1]
• Gaining buyers' trust
– SDLC, customer support and bug fixing
– New features and defenses against malware analysts
• Increasing victims' confidence
– Decrypts files free
– Customer support
Close but no cigar...
Client side flaw #1 – NO encryption
Client side flaw #2 – Weak encryption
Client side flaw #3 – OPSEC fails
Recipe
● Read the source file
● Create the encrypted version
● Forget to delete the original files
● Delete the original files but do not erase them
● Erase the files but forget about the MFT [1]
● Erase everything but forget about Shadow Copies [2]
● Delete everything but forget the encryption key [3]
Client side flaw #4 – Compilation "errors"
• Same ransomware was compiled also for Linux
• Ransomware family affecting Linux and FreeBSD servers
• My guess: The attacker took the sources from some Internet forum and Googled how to compile them
Client side flaw #5 – Key management
Client side flaw #6
Client side flaw #7
Server side flaw #1
Server side flaw #2
It's not more secure than rand(), it's just faster!
Server side flaw #3
• Normal flow: (1) Read data; (2) Init cipher; (3) Decrypt data; (4) Write decrypted data; (5) Update flag
• Alternative flow: (1), (2), (3), (4) + (1), (2), (3), (4) + ... + (5)
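The alternative flow above is the classic "act first, record last" ordering bug: anything that stops the request between step (4) and step (5) leaves the flag unset, so steps (1)-(4) can be repeated. As an added example that is not from the talk, here is a generic single-use operation with the slide's ordering next to the same handler with the flag claimed before any side effect; `Account`, `do_work`, `ClientDisconnected` and the simulated client are assumptions for illustration.

```python
"""Generic single-use operation: flag written last vs. flag claimed first.
Added example, not code from the talk; all names are made up."""
import hashlib
from dataclasses import dataclass


class ClientDisconnected(Exception):
    """Simulates the client dropping the connection while the response is written."""


@dataclass
class Account:
    quota_used: bool = False   # the "flag" from step (5)
    served: int = 0            # how many times the work was actually done


def do_work(payload: bytes) -> bytes:
    # Stand-in for steps (2)-(3): any side-effecting operation the
    # account is entitled to exactly once.
    return hashlib.sha256(payload).digest()


def handle_act_then_flag(acct: Account, payload: bytes, deliver) -> bytes:
    """Slide ordering: do the work, write the result, THEN set the flag.
    If deliver() raises, the flag is never set and the same account can
    repeat the whole operation."""
    if acct.quota_used:
        raise PermissionError("quota exhausted")
    result = do_work(payload)      # (2), (3)
    acct.served += 1
    deliver(result)                # (4) may fail
    acct.quota_used = True         # (5) only reached on success
    return result


def handle_flag_then_act(acct: Account, payload: bytes, deliver) -> bytes:
    """Fixed ordering: claim the quota first, then act. A failed delivery
    costs the quota (fail closed) instead of re-opening it."""
    if acct.quota_used:
        raise PermissionError("quota exhausted")
    acct.quota_used = True         # (5) moved before any side effect
    result = do_work(payload)
    acct.served += 1
    deliver(result)
    return result


def simulate(handler, attempts: int) -> int:
    """Client that drops the connection before the response lands, then
    retries. Returns how many times the work was performed."""
    acct = Account()

    def flaky_deliver(_result: bytes) -> None:
        raise ClientDisconnected()

    for _ in range(attempts):
        try:
            handler(acct, b"constructed-sample-input", flaky_deliver)
        except (ClientDisconnected, PermissionError):
            pass
    return acct.served
```

In a real multi-threaded service the check and the flag write in the fixed handler must additionally be one atomic step (for example a conditional UPDATE in the database), otherwise two concurrent requests can both pass the check.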
Server side flaw #4
Summary
• Crypto is HARD
• OPSEC
• Don't rush to get the bitcoins
• Don't trust everything
• Always backup
• User education
• In-depth protection