ランサムウェアと「maline(Malicious LINE Installer)」の脅威を理解する / Understanding the Threats of Ransomware and "maline (Malicious LINE Installer)"

6OEFSTUBOEJOHUIF5ISFBUTPG3BOTPNXBSF BOENBMJOF .BMJDJPVT-*/&*OTUBMMFS 5*"OBMZTJT 3FTQPOTF5FBN $*404VQFSWJTPSZ(SPVQ ,VCJVSB )JSPNV

4FDVSJUZ&OHJOFFS3FTFBSDIFS +PJOFE-:$PSQPSBUJPOJO $POEVDUUISFBUJOUFMMJHFODFXJUIBGPDVTPO NBMXBSFBOBMZTJT • 1SFTFOUBUJPO#MBDL)BU64" #4JEFT 5PLZP • )PME$7&TSFMBUFEUP*P5EFWJDFT
• 4&$$0/$5'%PNFTUJD'JOBMTOE • 4FD)BDL0VUTUBOEJOH(SBEVBUF • *OTUSVDUPSBUUIF/BUJPOBM4FDVSJUZ$BNQ ,VCJVSB )JSPNV

$PNQVUFS7JSVTFT&YJTU"SPVOE6T 3BOTPNXBS F 5SPKBO 0UIFS

8IBUJT3BOTPNXBSF 8IBUJTNBMJOF .BMJDJPVT-*/& *OTUBMMFS $PVOUFSQMBO8SBQVQ "HFOEB

8IBUJT3BOTPNXBSF

%PZPVLOPX3BOTPNXBSF RaaS, Leak Site, Actor Groups • Why is ransomware
prevalent? • How is ransom demanded? • What types of actor groups are involved? File Encryption Logic • Why can a large number of files be encrypted? • Why can’t we decrypt them ourself? • What encryption functions are used?

"DUPSHSPVQTEPO`UEJTUSJCVUFSBOTPNXBSFEJSFDUMZJOTUFBE UIFZEJTUSJCVUFJU UISPVHIBGGJMJBUFT • "DUPS(SPVQ • %FWFMPQSBOTPNXBSFBGGJMJBUFTVTF • &BSONPOFZJTSBOTPNXBSFTVCTDSJQUJPOBOEBQPSUJPOPGUIF SBOTPNDPMMFDUFECZBGGJMJBUF
• "GGJMJBUF • "UUBDLPSHBOJ[BUJPOTXJUISBOTPNXBSF • %FNBOESBOTPNUISPVHIUISFBUTBOEOFHPUJBUFXJUIUIF PSHBOJ[BUJPO 3BB4 3BOTPNXBSFBTB 4FSWJDF d5IF3BB4NPEFMBTTFFOUISPVHI-PDL#JU d

%FQMPZSBOTPNXBSF 7JDUJN "GGJMJBUF -PDL#JU 1BZB DPNNJTTJPO 1SPWJTJPOPG JOGSBTUSVDUVSF • 3BOTPNXBSFCVJMEUPPMT
• 5PSCBTFETJUFTGPS OFHPUJBUJPOT /FHPUJBUJP O 1BZB SBOTPN

-FBL4JUF TPVSDFIUUQTXXXCJUEFGFOEFSDPNFOVTCMPHIPUGPSTFDVSJUZUIFMPDLCJUSBOTPNXBSFHBOHSFBSTJUTVHMZIFBEBHBJOBGUFSMBX FOGPSDFNFOUUBLFEPXO

5IFGPMMPXJOHQPJOUTBSFFTTFOUJBMGPSUIFDPSFGJMFFODSZQUJPOGVODUJPOPG SBOTPNXBSF • 'BTUFODSZQUJPOTZTUFN • "CJMJUZUPEFDSZQU 4ZNNFUSJDLFZFODSZQUJPOBMHPSJUINTMJLF"&4 BOE3$ BSFDPNNPOMZVTFE 5IFTFBSFPGUFODVTUPNJ[FECZFBDIBDUPS
NBLJOHJUDIBMMFOHJOHGPSBOBMZTUT "EEJUJPOBMMZ CZFODSZQUJOHBOEFNCFEEJOHUIFLFZVTFEGPSGJMFFODSZQUJPO UIF WJDUJNJTVOBCMFUPEFDSZQUUIFGJMFT XIJMFUIFBDUPSSFUBJOTUIFBCJMJUZUPEFDSZQU UIFN #ZFYBNJOJOHUIFSBOTPNOPUF JUTQPTTJCMFUPEFUFSNJOFIPXUIFSBOTPNXBSFXBTCVJMUBOE EFQMPZFE XIJDIDBOSFWFBMUIFEFDSZQUJPOLFZ 'JMF&ODSZQUJPO-PHJD d"OBMZ[FUIF3BOTPNXBSFUPVODPWFSJUTGVMMTDPQFd

-FUbTSFBEJOHUIFWJSVT *GUIFGJMFTJ[FFYDFFETBQQSPYJNBUFMZ .# BEJGGFSFOUFODSZQUJPOGVODUJPOJTDBMMFE

&ODSZQUJPOPG'JMF %BUB &ODSZQUJPOPG"&4 ,FZ 5IFTBNF,FZBOE*7BSFVTFEGPS FODSZQUJOHCPUIUIFGJMFEBUBBOE"&4 ,FZ I&Y'JMF&YJTU'JMF 0SJHJOBM%BUB I/F'JMF/FX'JMF
&ODSZQUFE%BUB

&ODSZQUJPOPG'JMF %BUB 5ISFFDIVOLTBSFSFBEBOE DPODBUFOBUFE&BDIDIVOLTJ[FJT Y

8IBUJTNBMJOF

%FGJOJUJPOPGNBMJOF 8JOEPXT1$*OTUBMMFS0OMZ &YDMVEFT-*/&#BTFE4DBNT1IJTIJOH 4JODFBSPVOE DPNQVUFSWJSVTFTIBWFCFFOPCTFSWFEEJTUSJCVUJOH3"5 3FNPUF"DDFTT5SPKBO VTJOHGBLF8JOEPXT1$-*/&JOTUBMMFST NBMJOF
.BMJDJPV T -*/&

'FBUVSFPGNBMJOF • "UZQFPGNBMXBSFLOPXOBTB5SPKBO • -*/&JTDPSSFDUMZJOTUBMMFEBOEVTBCMF • *UIBTCFFOPCTFSWFETJODFBSPVOE • 7JDUJNTBSFEJSFDUFEUPGBLFEPXOMPBE
TJUFTUISPVHI4&0QPJTPOJOH • *UUBSHFUT$IJOFTFTQFBLFST BOEIBT CFFOPCTFSWFEJO4PVUIFBTU"TJBBOE &BTU"TJB *O BWBSJBOUPGNBMJOF XBTPCTFSWFE 5IJTUZQFEJTUSJCVUFTB3"5 LOPXOBT7BMMFZ3"5 7BMMFZ3"5 JTVTFECZBOBDUPS HSPVQLOPXOBT4JMWFS'PY"15 XIJDIJTCBTFEJO$IJOB /FX%JTDPWFSZ ʂ

'BLF8FCTJUF

*OGFDUJPO$IBJO NBMJOFUP7BMMFZ3"5 'BLF 8FCTJUF &BTJ/PUFEM M 4IFMM&YQFSJFODF)PTUTFY F ZZ[Z#BTFEM M
SUCYT[XYQOH 7BMMFZ3"5 .BMJDJPVTCJOBSJFT $SFBUFCBDLVQ JNQPSU

-FUbTSFBEJOHUIFWJSVT *UVTFT%--TJEFMPBEJOHUFDIOJRVFTUPDBMMNBMJDJPVT GVODUJPOT 5IJTNFUIPEJTDPNNPOMZPCTFSWFEBNPOH$IJOFTFBDUPS HSPVQT

5IFDBMMFEGVODUJPOTQFSGPSNGJMFDPQZJOH DPNNBOEFYFDVUJPO BOEDPNNVOJDBUJPOXJUI UIF$TFSWFS

5IFCJOBSZSFDFJWFEGSPNUIF$ TFSWFSJTVOQBDLFEJOUPNFNPSZ 6QPOFYUSBDUJPO JUCFDPNFTDMFBS UIBUUIJTJTUIFGJOBMQBZMPBE 7BMMFZ3"5

$PVOUFSQMBO8SBQVQ

$PVOUFSNFBTVSFT"HBJOTU3BOTPNXBSF • %POÙDPNQMZXJUISBOTPNEFNBOET • 1BZJOHUIFSBOTPNEPFTOÙHVBSBOUFFUIBUZPVSGJMFTXJMMCF GVMMZEFDSZQUFE • 1BZJOHUIFSBOTPNDBOGVSUIFSFNQPXFSBOEFYQBOEBDUPS HSPVQT •
%POÙEPXOMPBEGJMFTBUUBDIFEUPTVTQJDJPVTFNBJMT • %POÙUSVTUTVTQJDJPVTDPOUFOUJOWBSJPVTTJUVBUJPOT OPUKVTUJO FNBJMT $PVOUFSQMBO

$PVOUFSNFBTVSFT"HBJOTU'BLF*OTUBMMFS 5SPKBO • *OTUBMMGSPNPGGJDJBMXFCTJUFT • 4JUFTEJTQMBZFEUISPVHIBEWFSUJTFNFOUTBSFPGUFOGBLF • )PXFWFS EPO`UCFDPNQMBDFOUJOUIJOLJOHZPVDBOBMXBZTUFMM UIFEJGGFSFODF
$PVOUFSQMBO

5IJTBOBMZTJTJTDPOEVDUFEPOB7.XJUIBQQSPQSJBUFDPOGJHVSBUJPOT1MFBTF EPO`UQFSGPSNUIFBOBMZTJTPOZPVSMPDBMFOWJSPONFOU .BMXBSFFYJTUTBMMBSPVOEVT*OTUFBEPGCFJOHPWFSMZGFBSGVM MFUTMFBSOXIZ JOGFDUJPOTPDDVSBOEIPX BUUBDLFSTDPOEVDUUIFJSPQFSBUJPOT l஌൴஌ݾɺඦፌෆຆz ଙࢠ *GZPVLOPXZPVSFOFNZBOEVOEFSTUBOEZPVSPXOTUSFOHUIT ZPVOFFEOPUGFBSUIFSFTVMUPGBIVOESFECBUUMFT
4VO5[V 8SBQVQ

8SBQVQ IUUQTUFDICMPHMZDPSQDPKQKB B IUUQTUFDICMPHMZDPSQDPKQKB B

5IBOLZPV https://www.linkedin.com/in/hiromu-kubiura-b795b2362/

ランサムウェアと「maline(Malicious LINE Installer)」の脅威を理...

ランサムウェアと「maline(Malicious LINE Installer)」の脅威を理解する / Understanding the Threats of Ransomware and "maline (Malicious LINE Installer)"

LINEヤフーTech (LY Corporation Tech) PRO

More Decks by LINEヤフーTech (LY Corporation Tech)

Other Decks in Technology

Featured

Transcript

6OEFSTUBOEJOHUIF5ISFBUTPG3BOTPNXBSF BOENBMJOF .BMJDJPVT-/&OTUBMMFS 5"OBMZTJT 3FTQPOTF5FBN $404VQFSWJTPSZ(SPVQ ,VCJVSB )JSPNV

4FDVSJUZ&OHJOFFS3FTFBSDIFS +PJOFE-:$PSQPSBUJPOJO $POEVDUUISFBUJOUFMMJHFODFXJUIBGPDVTPO NBMXBSFBOBMZTJT • 1SFTFOUBUJPO#MBDL)BU64" #4JEFT 5PLZP • )PME$7&TSFMBUFEUP*P5EFWJDFT

$PNQVUFS7JSVTFT&YJTU"SPVOE6T 3BOTPNXBS F 5SPKBO 0UIFS

8IBUJT3BOTPNXBSF 8IBUJTNBMJOF .BMJDJPVT-/& OTUBMMFS $PVOUFSQMBO8SBQVQ "HFOEB

8IBUJT3BOTPNXBSF

%PZPVLOPX3BOTPNXBSF RaaS, Leak Site, Actor Groups • Why is ransomware

"DUPSHSPVQTEPO`UEJTUSJCVUFSBOTPNXBSFEJSFDUMZJOTUFBE UIFZEJTUSJCVUFJU UISPVHIBGGJMJBUFT • "DUPS(SPVQ • %FWFMPQSBOTPNXBSFBGGJMJBUFTVTF • &BSONPOFZJTSBOTPNXBSFTVCTDSJQUJPOBOEBQPSUJPOPGUIF SBOTPNDPMMFDUFECZBGGJMJBUF

%FQMPZSBOTPNXBSF 7JDUJN "GGJMJBUF -PDL#JU 1BZB DPNNJTTJPO 1SPWJTJPOPG JOGSBTUSVDUVSF • 3BOTPNXBSFCVJMEUPPMT

-FBL4JUF TPVSDFIUUQTXXXCJUEFGFOEFSDPNFOVTCMPHIPUGPSTFDVSJUZUIFMPDLCJUSBOTPNXBSFHBOHSFBSTJUTVHMZIFBEBHBJOBGUFSMBX FOGPSDFNFOUUBLFEPXO

5IFGPMMPXJOHQPJOUTBSFFTTFOUJBMGPSUIFDPSFGJMFFODSZQUJPOGVODUJPOPG SBOTPNXBSF • 'BTUFODSZQUJPOTZTUFN • "CJMJUZUPEFDSZQU 4ZNNFUSJDLFZFODSZQUJPOBMHPSJUINTMJLF"&4 BOE3$ BSFDPNNPOMZVTFE 5IFTFBSFPGUFODVTUPNJ[FECZFBDIBDUPS

-FUbTSFBEJOHUIFWJSVT *GUIFGJMFTJ[FFYDFFETBQQSPYJNBUFMZ .# BEJGGFSFOUFODSZQUJPOGVODUJPOJTDBMMFE

&ODSZQUJPOPG'JMF %BUB &ODSZQUJPOPG"&4 ,FZ 5IFTBNF,FZBOE*7BSFVTFEGPS FODSZQUJOHCPUIUIFGJMFEBUBBOE"&4 ,FZ I&Y'JMF&YJTU'JMF 0SJHJOBM%BUB I/F'JMF/FX'JMF

&ODSZQUJPOPG'JMF %BUB 5ISFFDIVOLTBSFSFBEBOE DPODBUFOBUFE&BDIDIVOLTJ[FJT Y

8IBUJTNBMJOF

%FGJOJUJPOPGNBMJOF 8JOEPXT1$OTUBMMFS0OMZ &YDMVEFT-/&#BTFE4DBNT1IJTIJOH 4JODFBSPVOE DPNQVUFSWJSVTFTIBWFCFFOPCTFSWFEEJTUSJCVUJOH3"5 3FNPUF"DDFTT5SPKBO VTJOHGBLF8JOEPXT1$-*/&JOTUBMMFST NBMJOF

'FBUVSFPGNBMJOF • "UZQFPGNBMXBSFLOPXOBTB5SPKBO • -/&JTDPSSFDUMZJOTUBMMFEBOEVTBCMF • UIBTCFFOPCTFSWFETJODFBSPVOE • 7JDUJNTBSFEJSFDUFEUPGBLFEPXOMPBE