
Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven - PowerPoint PPT Presentation



  1. Locky Strike: Smoking the Locky Ransomware Code. Floser Bacurio Jr and Rommel Joven, Anti-Virus Analysts, FortiGuard Lion Team. September 1, 2017

  2. Cryptowall

  3. This one?

  4. Prevalence: Global ransomware. Global Ransomware IPS Hits, February 19 to September 15 2016 (share of hits): CryptoWall 45.53%, Locky 45.13%, Cerber 8.93%, TorrentLocker 0.35%, CryptXXX 0.06%.

  5. Prevalence: Top countries. Locky Ransomware IPS Hits ("Locky-est"), February 19 to September 15 2016. Total hits: 36,314,789. US 11,858,085; FR 6,959,892; JP 3,071,596; KW 2,732,454; TW 1,338,216; AR 970,339; CL 890,784; PR 709,372; IT 556,602; IL 540,992.

  6. Prevalence: Affiliate program. The following affiliate methods have been observed (affid: method):
     • 1: Spam email with an attached JavaScript, MS Office macro downloader, or Windows Script File
     • 3: Spam email with an attached JavaScript or Microsoft Office macro downloader
     • 5: Spam email with an attached JavaScript downloader
     • 13: Compromised sites that redirect to the Nuclear or Neutrino Exploit Kit
     • 15: Spam email with an attached JavaScript or HTA downloader

  7. Locky Developments

  8. Timeline of Developments: 2016

  9. Timeline of Developments: 2016
     • No packer
     • "Locky" registry key
     • Configuration: { AffiliateID; ccservers; }

  10. Timeline of Developments: 2016
     • Packed
     • Registry key based on VolumeGUID
     • Configuration (encrypted): { AffiliateID; DGASeed; delaySeconds; FakeSvchost; Persistence; IgnoreRussian; ccServers; }

  11. Timeline of Developments: 2016
     • Encrypted HTTP communication
     • Configuration: { AffiliateID; DGASeed; delaySeconds; FakeSvchost; Persistence; IgnoreRussian; urlPath; ccServers; }

  12. Timeline of Developments: 2016
     • New URI used
     • Encrypted HTTP POST data is now percent-encoded

  13. Timeline of Developments: 2016
     • Requires an argument (e.g. "123", "321")

  14. Timeline of Developments: 2016

  15. Timeline of Developments: 2016
     • Offline mode encryption

  16. Timeline of Developments: 2016

  17. Timeline of Developments: 2016

  18. Technical Analysis

  19. Configuration. Fields annotated in the configuration: Autorun: 01; Skip: 00; Drop svchost.exe: 01; Check RU: 01; Skip: 00; Skip: 00; Delay (Sleep); C&C offset; DGA Seed; Affiliate ID (these correspond to the Persistence, FakeSvchost, IgnoreRussian, delaySeconds, ccServers, DGASeed and AffiliateID fields listed on slide 10).

  20. Configuration: URI for its C&C. URI paths observed: main.php, /upload/_dispatch.php, submit.php, /php/upload.php, userinfo.php, /data/info.php, access.cgi, /apache_handler.php

  21. Configuration

  22. Configuration: Offline. Online mode vs offline mode: the offline configuration has no C&C offset, no DGA seed, and no C&Cs or URI.

  23. Configuration: Offline. Offline mode carries an embedded public RSA key.

  24. Configuration: Offline. Embedded ransom text; embedded HTML ransom text.

  25. Victim ID: Online. Locky creates a victim ID that identifies each unique system. In online mode the victim ID is derived from:
     • the Volume GUID of the Windows directory
     • the MD5 hash of that GUID value
     e.g. victim_ID = 4DF383039AB03953

  26. Victim ID: Offline. In offline mode the victim ID is derived from:
     • the GUID of the Windows directory
     • the default UI language
     • the OS version
     • the domain controller
     • the Affiliate ID from the configuration
     • the public key ID from the configuration
     The result is encoded using a hardcoded 32-character alphabet: "YBNDRFG8EJKMCPQX0T1UWISZA345H769".
     e.g. victim_ID = IZ8FDGTNEN85I7JZ
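The two victim-ID forms above are what an analyst has to recognise in beacons, filenames and ransom notes. The following is an added example, not code from the presentation or from Fortinet: it derives the online-mode ID the way slide 25 describes (MD5 over the volume GUID) and implements a base32 codec over the 32-character alphabet from slide 26 so offline IDs can be decoded back to their raw bytes. Assumptions, labelled in the code: which 8 bytes of the MD5 digest are kept, the exact GUID bytes that are hashed, and that the alphabet is used with an RFC 4648-style bit layout (5 bits per symbol, most significant bit first, no padding). The slide does not say how the six offline inputs are packed into those bytes, so the decoder stops at the raw bytes.

```python
import hashlib

# Alphabet as printed on the slide. Using it as an RFC 4648-style base32
# alphabet (5 bits per symbol, MSB first, no padding) is an assumption; the
# slide gives the alphabet and the ID length, not the bit layout.
LOCKY_ALPHABET = "YBNDRFG8EJKMCPQX0T1UWISZA345H769"
assert len(LOCKY_ALPHABET) == 32 and len(set(LOCKY_ALPHABET)) == 32

HEX_DIGITS = set("0123456789ABCDEF")


def victim_id_online(volume_guid: bytes) -> str:
    """Online mode: MD5 over the volume GUID of the Windows directory.

    The slide shows a 16-hex-character ID (8 bytes); which 8 bytes of the
    16-byte digest are kept is not stated, so taking the first 8 is an
    assumption. The caller supplies the GUID bytes exactly as hashed.
    """
    return hashlib.md5(volume_guid).hexdigest()[:16].upper()


def b32_encode(data: bytes, alphabet: str = LOCKY_ALPHABET) -> str:
    """Base32 with a custom alphabet and no '=' padding (bits left-aligned)."""
    out, acc, nbits = [], 0, 0
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(alphabet[(acc >> nbits) & 0x1F])
    if nbits:  # pad the final partial symbol with zero bits
        out.append(alphabet[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def b32_decode(text: str, alphabet: str = LOCKY_ALPHABET) -> bytes:
    """Inverse of b32_encode; trailing bits that do not fill a byte are dropped."""
    lookup = {ch: i for i, ch in enumerate(alphabet)}
    out, acc, nbits = bytearray(), 0, 0
    for ch in text.upper():
        if ch not in lookup:
            raise ValueError(f"symbol {ch!r} is not in the Locky alphabet")
        acc = (acc << 5) | lookup[ch]
        nbits += 5
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out)


def decode_offline_id(victim_id: str) -> bytes:
    """Recover the raw bytes behind an offline-mode victim ID.

    The slide lists the inputs (Windows-directory GUID, UI language, OS
    version, domain controller, affiliate ID, public-key ID) but not how they
    are packed, so this only undoes the encoding; the 10 bytes are left to
    the analyst to interpret.
    """
    if len(victim_id) != 16:
        raise ValueError("offline victim IDs on the slide are 16 symbols")
    return b32_decode(victim_id)


def is_online_id(victim_id: str) -> bool:
    """Online IDs are 16 upper-case hex digits. Treat this as a hint only:
    a hex string made of symbols that also occur in the alphabet is ambiguous."""
    return len(victim_id) == 16 and set(victim_id) <= HEX_DIGITS


if __name__ == "__main__":
    # Constructed sample GUID (not from the slide); the real input is whatever
    # bytes Locky hashes for the Windows-directory volume.
    sample_guid = b"\\\\?\\Volume{d1d03a2b-2f0c-11e6-8f9a-806e6f6e6963}\\"
    print("online  :", victim_id_online(sample_guid))
    raw = decode_offline_id("IZ8FDGTNEN85I7JZ")  # victim ID from the slide
    print("offline :", raw.hex(), "->", b32_encode(raw))
```

Decoding the slide's offline ID yields exactly 10 bytes (16 symbols × 5 bits = 80 bits), and re-encoding those bytes reproduces the ID, which is the consistency check worth running before trusting the alphabet on a new sample.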

  27. C&C Communication

  28. Communication Protocol: C&C. Flow: connect to the hardcoded C&C IP; if the connection succeeds, start the HTTP POST request; if not, use the DGA to generate a C&C to connect to.

  29. Communication Protocol: Data. Format: key=value pairs, using & as the delimiter:
     id=4DF383039AB03953&act=getkey&affid=5&lang=en&corp=0&serv=0&os=Windows+XP&sp=3&x64=0

  30. Communication Protocol: Data. Field legend:
     • id: victim ID
     • act: getkey, gettext, gethtml or stats
     • affid: affiliate ID
     • lang: language
     • corp: 0 = not a member of a domain, 1 = member of a domain, 2 = primary domain controller
     • serv: 0 = not a server, 1 = server
     • os: operating system
     • sp: service pack
     • x64: 0 = x86, 1 = x64
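The beacon body and its legend are enough to write a decoder for sandbox HTTP captures. The following is an added example, not code from the presentation: it rebuilds the body from host facts (reproducing the slide's sample byte for byte), parses a captured body back into labelled fields while rejecting values outside the documented ranges, and falls back to percent-decoding when the body is the later encrypted form that slide 12 says is percent-encoded. The encryption applied to that later form is not described on the slides, so it is not implemented; the raw bytes are simply handed back for decryption elsewhere. The field names, legends and sample body are from the slides; the constructed percent-encoded string is a placeholder, not captured traffic.

```python
import re
from urllib.parse import parse_qs, unquote_to_bytes, urlencode

# Value legends as given on the slide.
CORP = {"0": "not a domain member", "1": "domain member", "2": "primary domain controller"}
SERV = {"0": "not a server", "1": "server"}
X64 = {"0": "x86", "1": "x64"}
ACTIONS = {"getkey", "gettext", "gethtml", "stats"}
REQUIRED = ("id", "act", "affid", "lang", "corp", "serv", "os", "sp", "x64")
VICTIM_ID_RE = re.compile(r"^[0-9A-F]{16}$")

# Beacon body reproduced from the slide.
SAMPLE_BODY = ("id=4DF383039AB03953&act=getkey&affid=5&lang=en"
               "&corp=0&serv=0&os=Windows+XP&sp=3&x64=0")


def build_beacon(victim_id, act, affid, lang, corp, serv, os_name, sp, x64) -> str:
    """Assemble the key=value body in the field order seen on the slide.

    urlencode uses quote_plus, so 'Windows XP' becomes 'Windows+XP' exactly
    as in the captured traffic.
    """
    if act not in ACTIONS:
        raise ValueError(f"unknown act {act!r}")
    return urlencode([("id", victim_id), ("act", act), ("affid", str(affid)),
                      ("lang", lang), ("corp", str(corp)), ("serv", str(serv)),
                      ("os", os_name), ("sp", str(sp)), ("x64", str(x64))])


def parse_beacon(body: str) -> dict:
    """Decode a plaintext beacon body into labelled fields, validating each one."""
    pairs = parse_qs(body, keep_blank_values=True)
    missing = [k for k in REQUIRED if k not in pairs]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    f = {k: v[0] for k, v in pairs.items()}
    if not VICTIM_ID_RE.match(f["id"]):
        raise ValueError(f"victim id {f['id']!r} is not 16 hex digits")
    if f["act"] not in ACTIONS:
        raise ValueError(f"unknown act {f['act']!r}")
    for key, legend in (("corp", CORP), ("serv", SERV), ("x64", X64)):
        if f[key] not in legend:
            raise ValueError(f"{key}={f[key]!r} is outside the documented values")
    return {
        "id": f["id"], "act": f["act"], "affid": int(f["affid"]), "lang": f["lang"],
        "os": f["os"], "sp": int(f["sp"]),
        "domain_role": CORP[f["corp"]], "role": SERV[f["serv"]], "arch": X64[f["x64"]],
    }


def classify_body(body: str):
    """Plaintext beacon -> ('plaintext', fields). Anything else is treated as the
    later percent-encoded encrypted form and returned as raw bytes ('opaque', ...)
    for decryption; the cipher is not described on the slides, so it stops here."""
    try:
        return "plaintext", parse_beacon(body)
    except ValueError:
        return "opaque", unquote_to_bytes(body)


if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BODY))
    # Constructed placeholder standing in for a percent-encoded encrypted body.
    print(classify_body("%8A%F1%00%17abc"))
```

A useful property for detection engineering: a plaintext beacon must carry all nine keys, a 16-hex-digit id and an act from the four-value set, so a proxy log line that matches those constraints is a much stronger indicator than a single `act=getkey` substring.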

  31. Communication Protocol: HTTP request (victim to C&C)

  32. File Encryption

  33. File Encryption: Targeted drives
     • Drive_Removable
     • Drive_Fixed
     • Drive_Remote
     • Drive_Ramdisk

  34. File Encryption: Targeted extensions. Total of 194 file extensions: .n64, .m4a, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .qcow2, .vdi, .vmdk, .vmx, .wallet, .upk, .sav, .re4, .ltx, .litesql, .litemod, .lbf, .iwi, .forge, .das, .d3dbsp, .bsa, .bik, .asset, .apk, .gpg, .aes, .ARC, .PAQ, .tar, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .sh, .class, .jar, .java, .rb, .asp, .cs, .brd, .sch, .dch, .dip, .pl, .vbs, .vb, .js, .h, .asm, .pas, .cpp, .c, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .db, .mdb, .sql, .SQLITEDB, .SQLITE3, .011, .010, .009, .008, .007, .006, .005, .004, .003, .002, .001, .pst, .onetoc2, .asc, .lay6, .lay, .ms11 (Security copy), .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wb2, .123, .wks, .wk1, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .602, .dotm, .dotx, .docm, .docx, .DOT, .3dm, .max, .3ds, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .p12, .csr, .crt, .key, wallet.dat

  35. File Encryption: Targeted extensions. Extended from 194 to 460 file extensions (the added extensions): .yuv, .qbx, .ndd, .exf, .cdr4, .vmsd, .dat, .indd, .pspimage, .obj, .ycbcra, .qbw, .mrw, .erf, .cdr3, .vhdx, .cmt, .iif, .ps, .mlb, .xis, .qbr, .moneywell, .erbsql, .bpw, .vhd, .bin, .fpx, .pct, .md, .x3f, .qba, .mny, .eml, .bgt, .vbox, .aiff, .fff, .pcd, .mbx, .x11, .py, .mmw, .dxg, .bdb, .stm, .xlk, .fdb, .m4v, .lit, .wpd, .psafe3, .mfw, .drf, .bay, .st7, .wad, .dtd, .m, .laccdb, .tex, .plc, .mef, .dng, .bank, .rvt, .tlg, .design, .fxg, .kwm, .sxg, .plus_muhd, .mdc, .dgc, .backupdb, .qcow, .st6, .ddd, .flac, .idx, .stx, .pdd, .lua, .des, .backup, .qed, .st4, .dcr, .eps, .html, .st8, .p7c, .kpdx, .der, .back, .pif, .say, .dac, .dxb, .flf, .st5, .p7b, .kdc, .ddrw, .awg, .pdb, .sas7bdat, .cr2, .drw, .dxf, .srw, .oth, .kdbx, .ddoc, .apj, .pab, .qbm, .cdx, .db3, .dwg, .srf, .orf, .kc2, .dcs, .ait, .ost, .qbb, .cdf, .cpi, .dds, .sr2, .odm, .jpe, .dc2, .agdl, .ogg, .ptx, .blend, .cls, .css, .sqlite, .odf, .incpas, .db_journal, .ads, .nvram, .pfx, .bkp, .cdr, .config, .sdf, .nyf, .iiq, .csl, .adb, .ndf, .pef, .al, .arw, .cfg, .sda, .nxl, .ibz, .csh, .acr, .m4p, .pat, .adp, .ai, .cer, .sd0, .nx2, .ibank, .crw, .ach, .m2ts, .oil, .act, .aac, .asx, .s3db, .nwb, .hbk, .craw, .accdt, .log, .odc, .xlr, .thm, .aspx, .rwz, .ns4, .gry, .cib, .accdr, .hpp, .nsh, .xlam, .srt, .aoi, .rwl, .ns3, .grey, .ce2, .accde, .hdd, .nsg, .xla, .save, .accdb, .rdb, .ns2, .gray, .ce1, .ab4, .groups, .nsf, .wps, .safe, .7zip, .rat, .nrw, .fhd, .cdrw, .3pr, .flvv, .nsd, .tga, .rm, .1cd, .raf, .nop, .fh, .cdr6, .3fr, .edb, .nd, .rw2, .pwm, .wab, .qby, .nk2, .ffd, .cdr5, .vmxf, .dit, .mos, .r3d, .pages, .prf, .oab, .msg, .mapimail, .jnt, .dbx, .contact

  36. File Encryption: Algorithm. Encryption used:
     • Both RSA and AES
     • An AES-128 key is randomly generated for each file
     • That AES-128 key encrypts the file content and its filename
     • After encryption, the AES-128 key is itself encrypted with RSA-2048 (the public key comes from the getkey request in online mode, or is embedded in the configuration in offline mode), so only the holder of the matching private key can recover the per-file keys

  37. File Encryption: Filename. Format of the filenames of encrypted files:
     4DF383039AB03953D81660EB4CADC28D.locky = Victim ID (4DF383039AB03953) + File ID (D81660EB4CADC28D)

  38. File Encryption: Filename. Later variant:
     0X3U7IYC-IA09-CQ94-D26F-CFA67B8E895D.zepto = Victim ID (0X3U7IYC-IA09-CQ94) + File ID (D26F-CFA67B8E895D)

  39. File Encryption: Filename. Same layout with the next extension:
     0X3U7IYC-IA09-CQ94-D26F-CFA67B8E895D.odin = Victim ID (0X3U7IYC-IA09-CQ94) + File ID (D26F-CFA67B8E895D)
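Because the victim ID is embedded in every encrypted filename, a directory listing of a file share is enough to tell how many infected hosts wrote to it. The following is an added example, not code from the presentation: it parses the three filename layouts from slides 37 to 39 (.locky, .zepto, .odin) into victim ID and file ID, then groups a listing by variant and victim. The three sample names are the ones on the slides; the share paths and the untouched files around them are constructed. The character class allowed for the hyphenated victim ID is an assumption chosen to accept both the hex (online) and alphabet-encoded (offline) forms.

```python
import ntpath
import re
from collections import Counter, defaultdict

# .locky: 16 hex victim ID immediately followed by 16 hex file ID.
LOCKY_RE = re.compile(r"^(?P<vid>[0-9A-F]{16})(?P<fid>[0-9A-F]{16})\.locky$")
# .zepto/.odin: victim ID as 8-4-4 symbols, then file ID as 4-12 hex digits.
# The slides show the shape; the [0-9A-Z] class for the victim ID is an
# assumption wide enough for both the hex and the alphabet-encoded forms.
LATER_RE = re.compile(
    r"^(?P<vid>[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4})-"
    r"(?P<fid>[0-9A-F]{4}-[0-9A-F]{12})\.(?P<ext>zepto|odin)$"
)


def parse_encrypted_name(path: str):
    """Return {'variant', 'victim_id', 'file_id'} for a Locky-named file, else None.

    IDs are returned without hyphens so the same victim can be matched across
    .locky and .zepto/.odin names. ntpath handles Windows-style UNC paths on any OS.
    """
    name = ntpath.basename(path)
    m = LOCKY_RE.match(name)
    if m:
        return {"variant": "locky", "victim_id": m["vid"], "file_id": m["fid"]}
    m = LATER_RE.match(name)
    if m:
        return {"variant": m["ext"], "victim_id": m["vid"].replace("-", ""),
                "file_id": m["fid"].replace("-", "")}
    return None


def triage(paths):
    """Group encrypted files by variant and victim ID. One victim ID per infected
    host (slide 25), so several IDs on one share means several machines wrote to it."""
    seen = defaultdict(Counter)
    for p in paths:
        info = parse_encrypted_name(p)
        if info:
            seen[info["variant"]][info["victim_id"]] += 1
    return {variant: dict(c) for variant, c in seen.items()}


# Constructed directory listing: the three names from the slides plus untouched files.
SAMPLE_LISTING = [
    r"\\fileserver\share\4DF383039AB03953D81660EB4CADC28D.locky",
    r"\\fileserver\share\0X3U7IYC-IA09-CQ94-D26F-CFA67B8E895D.zepto",
    r"\\fileserver\share\0X3U7IYC-IA09-CQ94-D26F-CFA67B8E895D.odin",
    r"\\fileserver\share\Q3-report.docx",
    r"\\fileserver\share\readme.txt",
]

if __name__ == "__main__":
    for p in SAMPLE_LISTING:
        print(p, "->", parse_encrypted_name(p))
    print(triage(SAMPLE_LISTING))
```

Feeding the victim IDs this recovers into a beacon decoder or proxy-log search (the `id=` field of the C&C POST) links the files on a share back to the host that encrypted them, which is usually the first question in the incident.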

  40. File Encryption: File layout. Overview: Encrypted File, Encrypted AES Key.

  41. File Encryption: File layout. Components:
     • Encrypted Data (encryption used: AES-128)
     • Hardcoded Value
     • Victim ID & File ID
     • Encrypted AES Key (encryption used: RSA-2048)
     • Encrypted Filename (encryption used: AES-128)

  42. HTML Ransom Note

  43. Decryptor Page

  44. Harvest Locky Configuration

  45. Automate Configuration Extraction: Overview

  46. Cuckoo Module

  47. Demo: Locky Config Extraction in Cuckoo Sandbox

  48. Conclusion

  49. FortiGuard – Q&A. Thank you. fbacurio@fortinet.com, rjoven@fortinet.com, @fbacurio, @rommeljoven17
