Understanding Ransomware and Strategies to Defeat it

White Paper

Author: Robert Leong, Director of Product Management, McAfee Labs
Contributors: Christiaan Beek, Cedric Cochin, Nicola Cowie, Craig Schmugar

Table of Contents
Held Hostage in Hollywood ... 2
Ransomware History ... 4
The World of Digital Currency Payments ... 5
Why Ransomware Has Such Strong Growth ... 6
Primer: How Ransomware Works ... 10
The Latest in Ransomware Tricks ... 12
Intel Security Malware Operations ... 13
Primer: Ransomware Remediation Strategies ... 14

Ransomware History

It may surprise you to know that ransomware has been around for quite a long time. The first asymmetric ransomware prototypes were developed in the mid-1990s. The idea of using public-key cryptography for computer attacks was introduced by Adam L. Young and Moti Yung in the 1996 Proceedings of the IEEE Symposium on Security and Privacy.
In the abstract, Young and Yung said their prototype was meant to show how cryptography could be “used to mount extortion-based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents.” Young and Yung presented a proof-of-concept cryptovirus for the Apple Macintosh SE/30 using RSA together with the TEA block cipher.

What does “asymmetric” mean, and why does it matter? The defining characteristic of public-key cryptography is that one party uses one key to perform either encryption or decryption, and a different key is used for the counterpart operation. In symmetric-key algorithms there is a single key, shared between sender and receiver; the key is “symmetric” because both sides use the same one. The use of separate keys in asymmetric public-key cryptography lets ransomware encrypt items on a system with the public key while never exposing the private key, which therefore stays secret. For ransomware this is essential: it can “mangle” data files without exposing anything that someone could use to figure out how to undo the encryption.

Figure 1. Timeline of Some Noteworthy Ransomware Families, 1996–2015 (milestones shown: first asymmetric ransomware prototypes, Bitcoin invented, GPCode, Reveton, CryptoLocker, CryptoDefense, CryptoWall, CTB-Locker, Virlock, TorrentLocker, TeslaCrypt, AlphaCrypt, Ransomware-as-a-Service). Ransomware proofs of concept are 20 years old, but the business really took off in the past three years.

Even though this first asymmetric ransomware prototype was well publicized, there was a logistical problem: how could the ransom be paid without exposing the malware author to risk? Send payments to a post office box? The “AIDS” Trojan ransomware author tried that, and law enforcement officials tracked the money and arrested him.
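To make the symmetric-versus-asymmetric distinction above concrete from an analyst's side, here is an added Python example. It is not the paper's code and not any real family's code; it uses textbook RSA with constructed toy primes (61 and 53) and a toy XOR cipher, and every function and variable name is my own. It shows why a sample that carries a symmetric key gives the analyst the means to decrypt, while a sample that carries only an RSA public key forces the analyst to factor n first, which works for this toy modulus and is infeasible at real key sizes.

```python
"""Added example: what an analyst can recover from the key material a
sample embeds. Textbook RSA with tiny constructed primes; real keys are
2048+ bits and use padding. Requires Python 3.8+ for pow(e, -1, m)."""

from math import gcd, isqrt

# Constructed toy primes, far too small for real use.
P, Q = 61, 53


def make_keypair(p=P, q=Q, e=17):
    """Textbook RSA key generation. Returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e
    return (n, e), (n, d)


def rsa_encrypt(public_key, m):
    """Encryption needs only the public half (n, e)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    """Decryption needs d, which is derived from the factors of n."""
    n, d = private_key
    return pow(c, d, n)


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: the same key both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_from_symmetric_sample(embedded_key: bytes, ciphertext: bytes) -> bytes:
    """The GPCode-style flaw: the symmetric key shipped inside the sample,
    so whoever has the sample can undo the encryption directly."""
    return xor_cipher(embedded_key, ciphertext)


def recover_from_asymmetric_sample(embedded_public_key, ciphertext: int):
    """With only (n, e) in the sample, recovery means factoring n to get
    phi(n) and hence d. Trial division succeeds on this toy modulus; for a
    2048-bit n it is computationally infeasible, which is exactly what the
    asymmetric design buys the attacker and denies the defender."""
    n, e = embedded_public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            d = pow(e, -1, (p - 1) * (q - 1))
            return pow(ciphertext, d, n)
    return None  # not factored: nothing in the sample helps


if __name__ == "__main__":
    pub, priv = make_keypair()
    c = rsa_encrypt(pub, 65)
    print("public key only, toy modulus factored:",
          recover_from_asymmetric_sample(pub, c))
    blob = xor_cipher(b"k3y", b"quarterly.xls")
    print("symmetric key in sample:", recover_from_symmetric_sample(b"k3y", blob))
```

The point of `recover_from_asymmetric_sample` is the loop bound: it is `isqrt(n)` iterations, so the toy n = 3233 falls in under sixty steps, while the same routine against a real modulus would never finish. That gap, not any cleverness in the malware, is what the paper means by "never exposing the private key."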
Thus, until a usable ransomware “food chain” could be created, there wasn’t much point in trying to leverage the idea of malicious encryption for making money. As a result, things were pretty quiet until 2005, when GPCode, also called PGPCoder, was launched. It was a relatively simple Trojan that encrypted common user files whose extensions matched a list carried in its code (these included .doc, .html, .jpg, .xls, .zip, and .rar). The Trojan dropped a text file demanding payment in each directory that contained affected files. Back then, the payment was typically between $100 and $200 in e-gold or a Liberty Reserve account. The security industry was able to come up with a variety of solutions to this Trojan (such as virus detection and utilities to combat GPCode). GPCode was considered modestly successful in that the malware author(s) behind GPCode and its variants were able to collect some money, but many variants had flaws (using symmetric encryption, deleting the unencrypted files in a way that allowed disk scanners to recover them, etc.) that permitted users to recover data without paying the ransom.
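The second GPCode flaw named above, deleting the plaintext in a way disk scanners could undo, is what header/footer file carving relies on from the defender's side. The following is an added Python example, not the paper's code: the raw image, the sample file bodies and the signature table are all constructed for the demo, and the function names are my own. It carves JPEG and PNG files by their magic bytes out of a byte string standing in for a raw disk read, and also shows that a region overwritten with zeros before deletion yields nothing, which is the case where this recovery route does not help.

```python
"""Added example: signature-based file carving over a constructed raw image.
When a file is merely unlinked, its clusters stay on disk and a scanner
can find them by header and footer bytes without any filesystem metadata."""

# Constructed subset of a carving signature table: (header, footer).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def fake_jpeg(body: bytes) -> bytes:
    """Constructed stand-in for a JPEG: real SOI/EOI markers, dummy body."""
    return SIGNATURES["jpg"][0] + body + SIGNATURES["jpg"][1]


def fake_png(body: bytes) -> bytes:
    """Constructed stand-in for a PNG: real signature and IEND tail."""
    return SIGNATURES["png"][0] + body + SIGNATURES["png"][1]


JPEG_BODY = b"holiday photo pixels " * 8
PNG_BODY = b"chart pixels " * 8


def build_image(wiped: bool = False, cluster: int = 512) -> bytes:
    """Constructed 'disk image': a filler cluster, two deleted files whose
    clusters were never reused, then more filler. wiped=True simulates the
    plaintext clusters having been overwritten with zeros before deletion."""
    filler = b"\x00" * cluster
    jpg = fake_jpeg(JPEG_BODY)
    png = fake_png(PNG_BODY)
    padding = b"\x00" * (cluster - len(jpg) % cluster)  # slack to next cluster
    files = jpg + padding + png
    if wiped:
        files = b"\x00" * len(files)
    return filler + files + filler


def carve(image: bytes, signatures=SIGNATURES, max_len: int = 1 << 20):
    """Scan the whole image for each header and the nearest following footer.
    Returns [(kind, offset, data)] sorted by offset; max_len bounds how far
    past a header the footer search goes, so a stray header cannot swallow
    the rest of the image."""
    found = []
    for kind, (head, tail) in signatures.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_len)
            if end != -1:
                end += len(tail)
                found.append((kind, pos, image[pos:end]))
                pos = image.find(head, end)
            else:
                pos = image.find(head, pos + 1)  # header without footer: skip
    return sorted(found, key=lambda hit: hit[1])


if __name__ == "__main__":
    for kind, offset, data in carve(build_image()):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
    print("wiped image yields", len(carve(build_image(wiped=True))), "files")
```

Real carvers (the "utilities to combat GPCode" the paper mentions belong to this family, alongside general-purpose tools) add per-type length fields and fragment handling, but the core is the loop above: no directory entry is needed, only the bytes still on disk. A variant that overwrites plaintext in place rather than unlinking it removes that recovery path, which is why the paper's remediation advice leans on backups rather than forensics.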