Cyber Extortion July 18, 2014

A brief overview of the history of personal cyber extortion (e.g. CryptoLocker); current trends; strategies for both prevention and clean-up; and a pinch of prognosticating about future trends. For the latest version of this document go to https://MavenSecurity.com/resources. Presented on July 18, 2014 at a joint meeting of ISACA Philadelphia and InfraGard Delaware.

Copyright 2014 – www.MavenSecurity.com Cyber Extortion July 18, 2014

About the Author
David Rhoades is a director with Maven Security Consulting Inc. (www.mavensecurity.com). Maven Security Consulting Inc. provides information security assessments and training, and is headquartered in Delaware (USA). David’s expertise includes web application security, network security architectures, and vulnerability assessments. Past customers have included domestic and international companies in various industries, as well as various US government agencies. David has been active in information security consulting since 1996, when he began his career with the computer security and telephony fraud group at Bell Communications Research (Bellcore). David teaches domestically and internationally at various security conferences, including Interop and others. David has a Bachelor of Science degree in Computer Engineering from the Pennsylvania State University (psu.edu).

MTV: Nokia paid several million to extortionists to keep code secret | Yle Uutiset | yle.fi
http://yle.fi/uutiset/mtv_nokia_paid_several_million_to_extortionists_to_keep_source_code_secret/7305200
Domino’s Pizza hacked, customer database held to ransom | Naked Security
http://nakedsecurity.sophos.com/2014/06/16/dominos-pizza-hacked-customer-database-held-to-ransom/

CodeSpaces.com eventually figured out the attacker had access to their Amazon EC2 admin portal. They changed the password, hoping to kick out the attacker. However, the attacker had anticipated this by creating secondary logins for the account, and upon seeing CodeSpaces.com's attempt to sever his access he decided to trash the data.

Screenshot collection of Reveton as seen in numerous countries across the world:

https://www.botnets.fr/index.php/Reveton

ChronoPay's CEO was arrested June 23, 2011. On June 22, 2011, the FBI (Operation Trident Tribunal) seized 22 computers and servers in the US that were part of a scareware scheme. The Security Service of Ukraine (SBU) seized at least 74 pieces of computer equipment and cash from a criminal group related to scareware. McAfee tracked a 60% decrease in fake AV infections between June and July 2011.

"Liberty Reserve was a Costa Rica-based centralized digital currency service. In May 2013, Liberty Reserve was shut down by United States federal prosecutors under the Patriot Act after an investigation by authorities across 17 countries. …money laundering and operating an unlicensed financial transaction company."
Source: Liberty Reserve - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Liberty_Reserve
Eran Tromer. "Cryptanalysis of the Gpcode.ak virus" http://rump2008.cr.yp.to/6b53f0dad2c752ac2fd7cb80e8714a90.pdf
~ May 2008: PGPCoder or GPCode - encrypted files & demanded payment

Stealing bank credentials and initiating unauthorized wire transfers has been all the rage in the past few years. The amounts documented in the press are staggering, and likely only the tip of the iceberg: http://krebsonsecurity.com/category/smallbizvictims/

‘Operation Tovar’ Targets ‘Gameover’ Botnet, CryptoLocker Scourge — Krebs on Security
http://krebsonsecurity.com/2014/06/operation-tovar-targets-gameover-zeus-botnet- -scourge/
FBI — U.S. Leads Multi-National Action Against GameOver Zeus Botnet and Cryptolocker Ransomware, Charges Botnet Administrator
http://www.fbi.gov/news/pressrel/press-releases/u.s.-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware-charges-botnet-administrator
USDOJ: OPA: Documents and Resources from the June 2, 2014 Announcement in U.S. v Evgeniy Mikhailovich Bogachev et al and Disruption of Gameover Zeus and Cryptolocker
http://www.justice.gov/opa/gameover-zeus.html

http://www.justice.gov/opa/documents/dgzc/complaint.pdf
A quick read about some of the capabilities of GameOver (GOZ) and a few sample victims. Page 4, section 15 lists some victims:
Victims of the GOZ scheme to defraud and unauthorized interception include, among others:
a. A composite materials company in the Western District of Pennsylvania, which lost more than after an unauthorized wire transfer was initiated from its bank account using credentials stolen by the Defendants through the use of GOZ;
b. An Indian tribe in Washington which lost more than $277,000 after an unauthorized wire transfer was initiated from its bank account using credentials stolen by the Defendants through the use of GOZ;
c. A corporation operating assisted living facilities in Eastern Pennsylvania, which lost more than after an unauthorized wire transfer was initiated from its bank account using credentials stolen by the Defendants through the use of GOZ;
d. A regional bank in Northern Florida, which lost nearly seven million dollars after an unauthorized wire transfer was initiated from its bank account using credentials stolen by the Defendants through the use of GOZ.

Fast flux - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Fast_flux

Some GameOver infections were also delivered via the Blackhole and Magnitude exploit kits.

Image credit: CryptoLocker developers charge 10 bitcoins to use new Decryption Service - News
http://www.bleepingcomputer.com/forums/t/512668/cryptolocker-developers-charge-10-bitcoins-to-use-new-decryption-service/

These current numbers are subject to change without notice. 

Photo: Mjanja Tech | Great success! http://mjanja.co.ke/2013/09/backing-up-389-ldap/borat_great_success/

Software Restriction Policy has been a feature in Windows since 2001…time to start using it.

Brute-forcing the decryption is not practical.
Disconnect the machine from your wireless or wired network to prevent further encryption of remote files.
Do not remove the infection from the %AppData% folder if you want to pay the ransom.
Check if shadow volumes still exist. You might be able to restore from them.
Otherwise delete the Registry values and files; the program will not load anymore. You can then restore your data via other methods.
CryptoLocker spawns two processes of itself. Use Process Explorer, right-click on the first process and select Kill Tree. This will terminate both at the same time.
Details for various scenarios (e.g. restoring from Shadow Volumes, recovering Dropbox files, etc.): http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
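The clean-up steps above, as an added PowerShell example that is not part of the original presentation: it takes the host off the network, lists surviving shadow copies per volume (the "check if shadow volumes still exist" step) and terminates a process together with all its descendants (the Process Explorer "Kill Tree" step). The function names are mine; it assumes an elevated PowerShell session on a Windows host with VSS and the NetAdapter module.

```powershell
# Added example, not from the original presentation. Run elevated; function names are hypothetical.

# Step: disconnect from the network so remote/mapped files stop being encrypted.
function Disconnect-Host {
    # NetAdapter module: Windows 8 / Server 2012 and later.
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
}

# Step: check whether Volume Shadow Copies still exist (restore candidates).
function Get-ShadowCopySummary {
    $volumes = Get-CimInstance -ClassName Win32_Volume
    foreach ($sc in Get-CimInstance -ClassName Win32_ShadowCopy) {
        # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID both hold the \\?\Volume{GUID}\ path.
        $vol = $volumes | Where-Object DeviceID -eq $sc.VolumeName
        [pscustomobject]@{
            Drive        = $vol.DriveLetter
            Created      = $sc.InstallDate
            ShadowId     = $sc.ID
            DeviceObject = $sc.DeviceObject   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    }
}

# Step: Process Explorer "Kill Tree" equivalent. CryptoLocker runs as two copies of itself;
# collect the whole tree first, then stop every PID in one call so a still-running parent
# cannot respawn a child while we work down the list.
function Stop-ProcessTree {
    param([Parameter(Mandatory)][int]$ProcessId)
    $treeIds = New-Object System.Collections.Generic.List[int]
    $queue   = New-Object System.Collections.Generic.Queue[int]
    $queue.Enqueue($ProcessId)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        $treeIds.Add($current)
        Get-CimInstance -ClassName Win32_Process -Filter "ParentProcessId = $current" |
            ForEach-Object { $queue.Enqueue([int]$_.ProcessId) }
    }
    Stop-Process -Id $treeIds -Force -ErrorAction SilentlyContinue
    return $treeIds   # the PIDs that were targeted, for the incident notes
}

# Usage on the infected host (uncomment):
# Disconnect-Host
# Get-ShadowCopySummary | Format-Table -AutoSize
# Stop-ProcessTree -ProcessId <PID of the first CryptoLocker process>
```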

There was also CryptorBit as of December 2013. It doesn't encrypt data fully, but corrupts the first 512 bytes of every file, and supposedly encrypts the original 512 bytes somewhere. It also runs a cryptocoin miner on your system to earn the attacker some virtual currency.
CryptorBit and HowDecrypt Information Guide and FAQ http://www.bleepingcomputer.com/virus-removal/cryptorbit-ransomware-information

Threatens negative online reviews; BBB complaints; harassing phone calls; fake delivery orders; phone DoS; vandalism; mercury contamination; reports of health code violations, tax evasion, illegal drug sales, terrorist training camp.

Pizza Joint Owners Being Extorted for Bitcoin Don't Know What Bitcoin Is - The Wire
http://www.thewire.com/technology/2014/06/pizza-joints-extorted-for-bitcoin-dont-know-what-bitcoin-is/373710/

Of course you know about your OS and AV auto-updates. But they are not enough. You want to update all your software, since a flaw in any piece of installed software may be leveraged to compromise the system.
Secunia Online Software Inspector (OSI) – online via browser: https://secunia.com/vulnerability_scanning/online/
Secunia Personal Software Inspector (PSI) – install: https://secunia.com/vulnerability_scanning/personal/

Comparison of Secunia OSI and PSI and CSI: http://secunia.com/products/consumer/compare/
BTW - “Update Notifier” by CleanSofts.com (was/is not getting updated): I lost interest in this software because it said the latest version was “Firefox v3.5.5” in August 2010 when in fact the current version was 3.6.9. So I stopped using it (a while ago). Perhaps it is better now. “Update Notifier”: http://cleansofts.org/view/update-notifier.html
I still use an alternative tool for my home systems that looks for software updates. Give File Hippo a try: http://www.filehippo.com/updatechecker/
When installing new software or updating existing software, be sure to verify the digital signature and/or the file hash (SHA-256 ideally, but MD5 & SHA-1 are more common). Free Windows software for checking file hashes: HashTab by Beeblebrox.org
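The hash-and-signature check recommended above, as an added PowerShell example that is not from the presentation or from any tool it names: it compares a downloaded installer against the vendor-published hash using whichever algorithm the vendor used, flags MD5 and SHA-1 as weak evidence, and reports the Authenticode signature status. The function name and the usage values are constructed; it assumes PowerShell 4.0 or later on Windows.

```powershell
# Added example, not from the original presentation. Requires PowerShell 4.0+ (Get-FileHash).
function Test-DownloadIntegrity {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Hash as published by the vendor; any case, spaces/colons/dashes tolerated.
        [Parameter(Mandatory)][string]$ExpectedHash,
        [ValidateSet('SHA256', 'SHA1', 'MD5')][string]$Algorithm = 'SHA256'
    )
    $actual = (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash
    $hashOk = $actual -ieq ($ExpectedHash -replace '[\s:-]', '')

    # Digital signature: Status is Valid, NotSigned, HashMismatch, UnknownError, ...
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        Path        = $Path
        Algorithm   = $Algorithm
        ActualHash  = $actual
        HashMatches = $hashOk
        # MD5 and SHA-1 are still what most download pages publish, but both are
        # collision-prone, so a match with them is weaker evidence than a SHA-256 match.
        WeakHash    = ($Algorithm -ne 'SHA256')
        SigStatus   = $sig.Status
        Signer      = $signer
        # Install only if the published hash matches AND the signature chains to a trusted root.
        OkToInstall = ($hashOk -and $sig.Status -eq 'Valid')
    }
}

# Usage; the path and hash below are constructed placeholders, not a real installer or digest.
# Test-DownloadIntegrity -Path 'C:\Downloads\installer.exe' `
#     -ExpectedHash '<SHA-256 as published on the vendor download page>' -Algorithm SHA256
```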

VirusTotal has a PC plugin so you can right-click any file and "Send to VirusTotal". It grabs the file hash and looks it up in the VirusTotal database to show you when the file was last scanned and the results. If the file has not been scanned before (or not recently enough for your paranoia) then you can opt to upload the file for a fresh scan. All of this from the right-click menu. Very convenient. It will scan the file against 40+ up-to-date AV scanners.

Using Software Restriction Policies to Protect Against Unauthorized Software http://technet.microsoft.com/en-us/library/bb457006.aspx
