بخش دوم: معماری امن ذخیره و بازیابی اثربخش اطالعات

علیرضا کامرانی، مدیر گوهر بانکی بابک امین آزاد، کارشناس گوهر بانکی

1

بخش اول: باج‌افزارها و راهکارهای مقابله با آن‌ها

رضا صاحب زمانی، مشاور مدیر عامل

باج‌افزارها و راهکارهای مقابله با آن‌ها

علیرضا کامرانی، مدیر گوهر بانکی بابک امین آزاد، کارشناس گوهر بانکی

2

3

Goals

Generating a malware is not difficult With cooking a sample Ransomware

The most useful solutions could be the simple ones Consider a backup policy

Kaspersky Lab’s web antivirus detected 121,262,075 unique malicious objects: scripts, exploits, executable files, etc.

there were 1,966,324 registered notifications about attempted malware infections that aimed to steal money via online access to bank accounts.

2015 – an interesting year for ransomware

Malwares

4

5

6

What are Ransomwares?

7

88

How Malware Finds Its Way onto Your Computer

9

in 100 days

30 Million Dollars

10

Technologies involved

DGA

11

Sample Domain Generation Algorithm

E.g., on January 7th, 2014, this method would generate the domain name intgmxdeadnxuyla, while the following day, it would return axwscwsslmiagfah

12

Targets

Home Users Businesses Public Agencies

13

Unbreakable AES, CHM infection, Bitcoin, I2P Proxy(anonymity)

Infection: RAR Attachment containing .chm file, runs in %temp% foldervia Localized spam, sophisticated language and grammar

1. Deletes shadow copies (vssadmin.exe Delete Shadows /All /Quiet)

2. Launches svchost.exe injects itself into it3. Gets unique rsa public key from c2 (via Hardcoded c2 urls)4. Localized ransom note language based on ip geolocation5. Saves list of encrypted files in registry6. Can decrypt one file freely to prove they got the key and it

works

Cryptowall

14

15

Cryptolocker’s method

16

CTBLocker’s method

17

18

Let’s Do The Math

19

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie,

.sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf…

Target File Extensions

20

Ransomware as a Service(RaaS)

19 May 2015

21

22

23

Cryptolocker/GOZ takedownA.K.A Operation Tovar

160 people worldwide took partCracked DGA. same as Flashback OSX Trojan, they likely bought itRPZ all domains? Sinkhole? Surveil the infrastructure!

Participants:US Dpt of Justice, Europol, FBI, UK National Crime AgencySecurity Companies (Dell Secureworks, Microsoft, F-Secure, McAfee, Symantec, Sophos, TrendMicro)Carnegie Mellon, Georgia institute of technology

June 2014

24

Ransomware going Open Source

Aug 16, 2015

25

CountermeasuresPreventive action

Backup, Backup, BackupStandard anti-malwareAvoidance of risky activitiesUse OSINT feeds to block C&Cs

Corrective actionDisaster/recovery planTime is money!Challenge: FBI to state: “… To be honest, we often advise people just to pay the ransom”

25

2626

تماس با کاشف

info@kashef.irCERT@kashef.ir

22266478

1000527433

Email Address :

Phone :

SMS :

Website :www.kashef.ir