#RSAC
SESSION ID: SEM-W02G
CRYPTOCURRENCY MALWARE
Laurence Pitt, Director, Security Strategy, Juniper Networks, @LAURENCEPITT

Our discussion today
1. What is cryptocurrency
2. Ransomware history
3. Cryptojacking
4. Tips to avoid cryptocurrency malware
5. Conclusions

What is Cryptocurrency Malware
Any malware that uses or mines crypto coins. For example: crypto ransomware and miner trojans.

Bitcoin Primer
• easy to use,
• fast,
• publicly available,
• decentralized,
• anonymity serves to encourage extortion.

Bitcoin up 10x in a year — and highly adopted
[Charts: value shift during 2017; number of Bitcoin wallets. Source: Blockchain.info]

Mining Bitcoin
China, Japan, Iceland, Georgia, Sweden

Ethereum vs Bitcoin
Oil vs Gold

Anonymity
• Mixer
• Private coin

Cryptojacking
CoinHive
[Diagram: threat actor (1) -> compromised website with cryptomining script embedded (2) -> end-users (3) -> reward to the threat actor (4)]

Cryptocurrency mining STEPS
1. The threat actor compromises a website
2. Users connect to the compromised website and the cryptomining script executes
3. Users unknowingly start mining cryptocurrency on behalf of the threat actor
4. Upon successfully adding a new block to the blockchain, the threat actor receives a reward in cryptocurrency coins

Cryptojacking Defense
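Alongside the browser-side tools on this slide, a defender can also check a saved page for the Coinhive embed that the steps above describe. This is an added PowerShell example, not from the deck: the HTML sample and site key are constructed, and the patterns assume Coinhive's documented `CoinHive.Anonymous/User/Token` constructors and `throttle` option.

```powershell
# Added example (not from the deck): flag pages that load the Coinhive browser miner.
# Input is HTML saved by a proxy or crawler; the sample at the bottom is constructed.
function Find-CoinhiveMiner {
    param([Parameter(Mandatory)][string]$Html, [string]$Source = 'inline')
    $hits = @()

    # 1. The hosted miner library (authedmine.com was Coinhive's opt-in variant).
    if ($Html -match '(?i)<script[^>]+src=["'']?[^"''>]*(coinhive|authedmine)\.com/lib/') {
        $hits += 'miner library loaded from coinhive/authedmine'
    }

    # 2. Instantiation with a site key: the key identifies who gets paid (step 4).
    $m = [regex]::Matches($Html,
        '(?i)CoinHive\.(Anonymous|User|Token)\s*\(\s*["'']([A-Za-z0-9]{20,})["'']')
    foreach ($x in $m) {
        $hits += "CoinHive.$($x.Groups[1].Value) with site key $($x.Groups[2].Value)"
    }

    # 3. A throttle keeps CPU use low so users do not notice they are mining (step 3).
    if ($Html -match '(?i)throttle\s*:\s*0?\.\d+') {
        $hits += 'throttled mining (low CPU use to avoid notice)'
    }

    [pscustomobject]@{
        Source     = $Source
        Suspicious = ($hits.Count -gt 0)
        Indicators = $hits
    }
}

# Constructed sample page in the shape of an injected Coinhive snippet (key is fake).
$sample = @'
<html><head><title>Compromised blog</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('FAKESITEKEYFAKESITEKEYFAKE01', {throttle: 0.3});
  miner.start();
</script></head><body>...</body></html>
'@

Find-CoinhiveMiner -Html $sample -Source 'sample.html' | Format-List
```

Feeding real pages through it (for example `Get-Content -Raw` on files captured by a proxy) turns the four-step flow on the slide into a triage list: which hosts you serve are compromised and which site key the miner reports to.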
• CryptoJackingTest.com
• NoCoin
• MinerBlock
• AdBlock
• NoScript

Prediction #4
More IOT (Internet Of Things) security incidents

CRYPTO RANSOMWARE
• Ransomware attack every 40 seconds (Source: Kaspersky Security Bulletin)
• 5.99bn ransomware attacks in 1H/18 (Source: SonicWall annual Cyber Threat Report 2018)

Asymmetric encryption

The ransomware business model
• 90% of people do not backup daily
• Data theft in place
• Extortion
• Focus on ease of use to drive conversion
• Currently 50% pay the ransom, up from 41% 2 years ago

The ransomware business model
[Diagram: locked files -> Bitcoin ransom sent -> C&C server -> private key sent -> unlocked files]
38% of businesses hit in 2017

Costs of ransomware
2015: $24,000,000
2016: $1,000,000,000
2017: $5,000,000,000

Additional Costs
• Network mitigation
• Network countermeasures
• Loss of productivity
• Legal fees
• IT services
• Purchase of credit monitoring services for employees or customers
• Potential harm to an organization’s reputation

Ransomware Timeline
[Timeline graphic: Endgame]

What is Cryptolocker?
• Began September 2013
• Encrypts victim’s files, asks for $300 ransom
• Impossible to recover files without a key
• Ransom increases after deadline
• Goal is monetary via Bitcoin
• 250,000+ victims worldwide

Cryptodefense aka Cryptowall
• Cryptodefense was the next version of Cryptolocker
• Appeared in Feb 2014
• No GUI: pops up a webpage, drops a text file
• Uses TOR for anonymous payments … and because it makes it harder to track

Locky
• 2016
• Installed by the Dridex gang
• Word documents with macros over email
• Used JavaScript, PowerShell
• Over 400,000 victims in hours

Keranger: First Ransomware on OSX
• Appeared in March 2016
• 1 BTC – $400 at the time
• Signed software!
• Uses an infected Transmission BitTorrent client installer

IOT – Smart TV Ransomware aka Frantic Locker
• Flocker ransomware infects Smart TVs
• Locks the screen and demands $200 in iTunes gift cards

IOT Thermostat Ransomware: DEFCON Proof of Concept
• Locks the temperature at 99 degrees until the owner pays the ransom to obtain a PIN which would unlock it

CryptoShuffler
• Stolen 23 bitcoins so far
• Attacks Dogecoin, Litecoin, Dash, Ethereum, Monero, and Zcash
• Watches the user's clipboard and replaces any string that looks like a Bitcoin wallet with the attackers' address

Ransomware has PEAKED
Or has it…

WANNACRY: The new peak for ransomware
• A group linked to North Korea launched a global ransom worm. The same group hacked Sony.
• For the first time, a ransomware payload was merged with an NSA-developed SMB exploit. It infected 2.3 million computers quickly.

Accidental Kill Switch
• www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
• If the connection succeeds, the binary exits.
• Most likely an anti-sandbox technique.
• Damages estimated at $4 billion

PETYA (June 2017)
• Russia attacked Ukraine via a malware wiper disguised as ransomware.
• Unusual attack, as the goal of Petya was disruption of infrastructure.
• Seeded via MeDoc accounting software, which is mandated for tax reporting by the Ukrainian government.

BADRABBIT
• BadRabbit hit on Oct 24, 2017
• Seeded via compromised websites that offered a bogus update to Adobe Flash software.
• Believed to be from the same actor (Telebots) who wrote Petya.
• 200+ victims in Eastern Europe

FACEX Worm
• Discovered in May 2018
• Malicious Chrome extension
• Spreads via Facebook Messenger links
• Hijacks bitcoin transactions
• Hijacks Coinhive and other cryptocurrency websites

Tips to avoid Ransomware
• Install the latest patches for your software, especially Adobe, Microsoft and Oracle
• Use network traffic monitoring
• Use a comprehensive endpoint security solution with behavioral detection
• Turn Windows User Account Control (UAC) on
• Block macros
• Disable the Windows Management Instrumentation (WMI) service

Tips to avoid Ransomware
• Be skeptical: don’t click on anything suspicious
• Block popups and use an ad-blocker
• Override your browser’s user-agent*
• Consider Microsoft Office viewers
• Disable Windows Script Host
• Disable SMBv1

Windows tips to avoid Ransomware
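Added example, not from the deck: a read-only PowerShell audit of the Windows settings named across these tips (UAC, Autoplay, Windows Script Host, SMBv1, the WMI service, Office macro blocking, and Controlled Folder Access from the Windows 10 slide). It assumes an elevated shell on Windows 10 1709 or later with Windows Defender, and Office settings under the 16.0 registry hive; the remediation commands in the comments are the standard ones for each setting.

```powershell
# Added example (not from the deck): audit the Windows hardening tips. Read-only;
# run elevated on Windows 10 1709+ with Defender. Fix commands are in comments.
function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: reported as $null, never as "Ok"
}

function Test-RansomwareHardening {
    $checks = @()
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'

    # UAC: EnableLUA=1. Fix: Set-ItemProperty "$pol\System" EnableLUA 1, then reboot.
    $lua = Get-RegValue "$pol\System" 'EnableLUA'
    $checks += [pscustomobject]@{ Setting='UAC enabled'; Ok=($lua -eq 1); Value=$lua }

    # Autoplay: NoDriveTypeAutoRun=0xFF (255) disables it for every drive type.
    $ar = Get-RegValue "$pol\Explorer" 'NoDriveTypeAutoRun'
    $checks += [pscustomobject]@{ Setting='Autoplay disabled'; Ok=($ar -eq 255); Value=$ar }

    # Windows Script Host: Enabled=0 stops wscript/cscript running .vbs/.js droppers.
    $wsh = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
    $checks += [pscustomobject]@{ Setting='WSH disabled'; Ok=($wsh -eq 0); Value=$wsh }

    # SMBv1, the protocol WannaCry spread over.
    # Fix: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $checks += [pscustomobject]@{ Setting='SMBv1 disabled'; Ok=(-not $smb1); Value=$smb1 }

    # WMI service (Winmgmt) disabled, as the slide recommends. Caveat: this also
    # breaks Defender cmdlets such as Get-MpPreference and most management tooling.
    $wmi = Get-Service Winmgmt
    $checks += [pscustomobject]@{ Setting='WMI service disabled'
                                   Ok=($wmi.StartType -eq 'Disabled'); Value=$wmi.Status }

    # Controlled Folder Access (1709+): 1 = Enabled, 2 = Audit, 0 = Disabled.
    # Fix: Set-MpPreference -EnableControlledFolderAccess Enabled
    $cfa = (Get-MpPreference).EnableControlledFolderAccess
    $checks += [pscustomobject]@{ Setting='Controlled Folder Access'; Ok=($cfa -eq 1); Value=$cfa }

    # Office macros: VBAWarnings=4 blocks all macros without notification (Locky's vector).
    foreach ($app in 'Word','Excel') {
        $vba = Get-RegValue "HKCU:\SOFTWARE\Microsoft\Office\16.0\$app\Security" 'VBAWarnings'
        $checks += [pscustomobject]@{ Setting="$app macros blocked"; Ok=($vba -eq 4); Value=$vba }
    }
    $checks
}

Test-RansomwareHardening | Format-Table -AutoSize
```

Any row with Ok=False is a gap against the slide's list; apply the fix from the comment (or the matching Group Policy) and re-run.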
• Disable Autoplay
• Enable UAC

Windows 10 – Controlled Folders
• Prevents unauthorized apps from modifying files in protected folders
• In Windows 10 version 1709, aka "Redstone 3"
• On a Mac: RansomWhere

Tips to Avoid Losing Data to Ransomware
• Identify the ransomware and look for a decryptor: https://id-ransomware.malwarehunterteam.com/
• Shadow Copies
• Turn off the computer at the first signs of infection
• Remember: the only effective ransomware defense is backup

List of decryptors
http://bit.ly/decryptors

Conclusions
1. Ransomware has evolved into a major threat allowing criminals to easily monetize malware via Bitcoin, Monero, Zcash
2. Every platform is vulnerable to ransomware
3. Backup your files! Since decrypting files is not always possible, frequent backups become even more critical. And keep your backups offline.

How can I apply this to my business?
What should you do next?
• Ensure that you educate the workforce on the dangers of cryptocurrency malware attacks. The best prevention is awareness.
In the short term you need to:
• Make sure that systems run up-to-date antimalware solutions.
• Backups are CRITICAL should ransomware hit. Review your existing plan.
Ongoing and for the future:
• Watch the news: tense geopolitical situations can signal attacks.
• Assume that the bad guys are watching and monitoring.