Unlock the Key to Repel Ransomware

Mark Villinski
@markvillinski
Kaspersky Lab
What is Ransomware?
Ransomware is “a type of software that is designed to block access to a computer or data system until a sum of money is paid.”*
* oxforddictionaries.com
Phishing E-mails are used for distribution
Sample Ransomware Messages
The Anatomy of A Ransomware Attack
TorLocker (Trojan-Ransom.Win32.Scraper)
The Ransomware Attack in Action
• Once launched, the Trojan starts by decrypting its data section with a 256-bit AES key. The first 4 bytes of this key are used as a sample ID, added to the end of the encrypted files. Then the Trojan is copied to a temporary folder, and a registry key for that copy's autorun is created.
• Next the Trojan creates several threads to do the following:
1. Search for and terminate the taskmgr.exe, regedit.exe, procexp.exe, procexp64.exe processes.
2. Delete all system recovery points.
3. Encrypt the user's office documents, video and audio files, images, archives, databases, backup copies, virtual machines, encryption keys, certificates and other files on all hard and network drives.
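The three behaviours listed above (terminating analysis tools, deleting recovery points, then modifying many files of many types across local and network drives) are what a behavioural engine can key on, independently of any signature for the sample. The script below is an added illustration written for this page; it is not Kaspersky code and not a description of how System Watcher is implemented. The event schema (ts, pid, image, action, target), the thresholds, the dropper path and every log line are constructed for the example.

```python
"""Behavioural triage for the TorLocker-style sequence described above:
terminate analysis tools, delete recovery points, then mass-modify user
files on local and network drives.

Added illustration, not Kaspersky code and not how System Watcher works
internally. The event schema (ts, pid, image, action, target) and the
telemetry below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Process names the Trojan terminates (taken from the slide).
ANALYSIS_TOOLS = {"taskmgr.exe", "regedit.exe", "procexp.exe", "procexp64.exe"}
MASS_WRITE_THRESHOLD = 20   # modifications inside one window before we call it "mass" (assumed tuning)
WINDOW_SECONDS = 60         # sliding window length (assumed tuning)
MIN_DISTINCT_EXTS = 3       # a single legitimate app rarely rewrites many file types at once


def constructed_events():
    """Synthetic endpoint telemetry (constructed, not captured from a real host)."""
    base = datetime(2015, 6, 1, 9, 0, 0)
    events = []

    def add(offset, pid, image, action, target):
        events.append({"ts": (base + timedelta(seconds=offset)).isoformat(),
                       "pid": pid, "image": image, "action": action, "target": target})

    # Benign noise: a word processor saving one document.
    add(0, 1204, "winword.exe", "file_modify", r"C:\Users\alice\Documents\report.docx")
    # Hypothetical Trojan copy (name is made up) running from a temp folder.
    dropper = r"C:\Users\alice\AppData\Local\Temp\svc_update.exe"
    add(1, 4312, dropper, "process_terminate", "taskmgr.exe")
    add(1, 4312, dropper, "process_terminate", "procexp64.exe")
    add(2, 4312, dropper, "restore_point_delete", "*")
    exts = [".docx", ".xlsx", ".jpg", ".mp4", ".zip", ".mdb", ".bak", ".vmdk"]
    roots = [r"C:\Users\alice\Documents", r"Z:\shares\finance"]   # local drive + network drive
    for i in range(32):
        add(3 + i, 4312, dropper, "file_modify",
            f"{roots[i % 2]}\\file{i}{exts[i % len(exts)]}")
    return events


def max_in_window(times, window):
    """Largest number of timestamps falling inside any span of `window` seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > timedelta(seconds=window):
            start += 1
        best = max(best, end - start + 1)
    return best


def extension_of(path):
    """Lower-cased extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def score_processes(events, window=WINDOW_SECONDS, threshold=MASS_WRITE_THRESHOLD):
    """Return one finding per process that shows at least two of the three behaviours."""
    state = defaultdict(lambda: {"killed": set(), "restore_deleted": False,
                                 "writes": [], "exts": set(), "drives": set()})
    for e in events:
        s = state[(e["pid"], e["image"])]
        if e["action"] == "process_terminate" and e["target"].lower() in ANALYSIS_TOOLS:
            s["killed"].add(e["target"].lower())
        elif e["action"] == "restore_point_delete":
            s["restore_deleted"] = True
        elif e["action"] == "file_modify":
            s["writes"].append(datetime.fromisoformat(e["ts"]))
            s["exts"].add(extension_of(e["target"]))
            s["drives"].add(e["target"][:2].upper())   # "C:" / "Z:" (Windows drive paths assumed)

    findings = []
    for (pid, image), s in state.items():
        reasons = []
        if s["killed"]:
            reasons.append("terminated analysis tools: " + ", ".join(sorted(s["killed"])))
        if s["restore_deleted"]:
            reasons.append("deleted system recovery points")
        burst = max_in_window(s["writes"], window)
        if burst >= threshold and len(s["exts"]) >= MIN_DISTINCT_EXTS:
            reasons.append(f"{burst} file modifications of {len(s['exts'])} types "
                           f"on drives {', '.join(sorted(s['drives']))} within {window}s")
        if len(reasons) >= 2:   # require corroboration, one behaviour alone is too noisy
            findings.append({"pid": pid, "image": image, "reasons": reasons,
                             "drives": sorted(s["drives"])})
    return findings


if __name__ == "__main__":
    for f in score_processes(constructed_events()):
        print(f"pid {f['pid']} ({f['image']}):")
        for r in f["reasons"]:
            print("  -", r)
```

Requiring two corroborating behaviours keeps a backup tool (many writes, many types) or a legitimate cleanup utility (recovery point deletion alone) below the alert line, while the combination the slide describes trips it within seconds of the first file being touched, which is the window in which a roll-back capability still has something to restore.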
Encryption
• The user's files are encrypted with AES-256 with a randomly generated one-time key.
Key № = (VolumeSerialNumber * strlen(ComputerName)) mod 128, where strlen(ComputerName) is the length of the computer's name, and VolumeSerialNumber is the serial number of the logical drive on which Windows is installed.
What is a “256-bit key”?
• A string of 256 ones or zeroes: “1001010010101010111…”
• 2^256 possible combinations.
• If you had a billion modern GPUs at 2 gigaflops each (2 billion flops), you'd be able to test 6.3×10^25 keys per year.
• 2^255 ÷ 6.3×10^25 = 9.1×10^50 years
• It would take approximately 7×10^40 times longer than the age of the universe to exhaust half of the keyspace of an AES-256 key.
http://www.reddit.com/r/theydidthemath/comments/1x50xl/time_and_energy_required_to_bruteforce_a_aes256/
The Ransom Demand
To Pay or Not to Pay?
Decryption
• When the ransom payment is received, TorLocker contacts the cybercriminals' C&C servers via the Tor network and the polipo proxy server, to receive a private RSA key. With this key, the Trojan decrypts the AES key for each encrypted file, and then decrypts the files.
• Although Trojan-Ransom.Win32.Scraper (TorLocker) encrypts all files with AES-256 + RSA-2048, in 70%+ of cases they can be decrypted because of the errors made during the implementation of the cryptography algorithms.
Ransomware is Big Business
• The Kaspersky Security Network indicates that in the 1st half of 2015 the number of cryptor attacks equalled that of the whole of 2014.
• In 2013, 2.8 million crypto attacks were registered, nine times more than in 2012.
• According to a 2014 survey conducted by the Interdisciplinary Research Center in Cybersecurity at the University of Kent, more than 40% of CryptoLocker victims agreed to pay.
• A Dell SecureWorks report estimates that ransomware rakes in $30 million every 100 days.
• An expanding victim base means unlimited financial potential.
The Evolution of Ransomware
• The first crypto malware used a symmetric-key algorithm, with the same key for encryption and decryption.
• In 2008, Kaspersky Lab's experts cracked a 660-bit RSA key used by the GPCode Trojan, but soon its authors upgraded the key to 1,024 bits, making it practically impossible to decrypt.
• The CryptoLocker Trojan also uses a public-key algorithm. The private key used to unlock the computer is only accessible to the ransomware authors. It's impossible to decrypt files without this private key.
Ransomware Victims
Ransomware Gangs
Countermeasures
System Watcher Features
Crypto malware Countermeasures Subsystem
Protection Against Screen Lockers
Automatic Exploit Prevention (AEP) Subsystem
Roll-back
Turning Back the Clock on Ransomware
Kaspersky Security for Business
Thank You
Mark Villinski
@markvillinski
Contact Kaspersky Lab:
• 866-563-3099
• www.kaspersky.com