This document discusses ransomware and its future impact. It begins with an introduction to the speaker, Peter Wood, and his background. It then provides definitions of ransomware, discusses its growing scale and impact on businesses. It outlines how ransomware infects systems and evolves its methods. Specifically, it discusses the evolution of targeted ransomware like Samas that aims to encrypt entire networks of large organizations. Finally, it discusses defenses against ransomware including regular backups, patching, and education along with the risks of paying ransom demands.
All your files now belong to us
1. Peter Wood
Chief Executive Officer
First Base Technologies LLP
Ransomware:
All your files now belong to us
The future and impact of ransomware
It starts with a pen-testing/attack server searching for potentially vulnerable networks to exploit, with the help of a publicly available tunnelling tool named reGeorg. Java-based vulnerabilities were also observed to have been used, such as CVE-2010-0738, which affects outdated JBoss server applications.
It can also use other information-stealing malware (Derusbi/Bladabindi) to gather login credentials. Once it has them, it writes the stolen credentials to a text file (for example, list.txt) and uses them to deploy the malware and its components with the third-party tool psexec.exe, driven by batch files that we detect as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C.
One of the batch files that we detect as Trojan:BAT/Samas.B also deletes the volume shadow copies with the vssadmin.exe tool.
Trojan:MSIL/Samas.A usually takes the name delfiletype.exe or sqlsrvtmg1.exe and does the following:
Looks for certain file extensions in the system that are associated with backup files.
Checks that those files are not locked by other processes; if they are, the trojan terminates those processes.
Deletes the backup files.
Ransom:MSIL/Samas shows typical ransomware behaviour: it encrypts files on the system with the AES algorithm and renames each encrypted file with the extension encrypted.RSA. Once the files are encrypted it displays the ransom note, then deletes itself using a binary carried in its resources, named del.exe.
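The stages described above (PsExec-driven batch deployment, shadow copy deletion via vssadmin.exe, the delfiletype.exe/sqlsrvtmg1.exe backup deleter, and mass renaming to encrypted.RSA) each leave a footprint in endpoint telemetry. The following detector is an added example written for this page, not code from the presentation or from Microsoft's analysis. It runs a handful of rules over constructed process-creation and file-event lines in an invented pipe-separated format; the backup extension list, the rate threshold and window, the rule names, and the inclusion of PSEXESVC.exe (PsExec's service-side process) are all assumptions of the example rather than facts taken from the page.

```python
from collections import defaultdict
from datetime import datetime

# Binary names the page reports for the backup-deleting component (Trojan:MSIL/Samas.A).
SAMAS_DELETER_NAMES = {"delfiletype.exe", "sqlsrvtmg1.exe"}
# Extension the page reports for encrypted output (matched case-insensitively).
ENCRYPTED_SUFFIX = ".encrypted.rsa"
# Assumption: the page does not enumerate the backup extensions, so this list is illustrative.
BACKUP_EXTS = {".bak", ".bkf", ".bkp", ".vhd", ".vhdx", ".wbcat"}
# Assumption: PsExec's service-side process name, in addition to psexec.exe itself.
PSEXEC_NAMES = {"psexec.exe", "psexesvc.exe"}
# Assumed tuning: this many encrypted-output renames on one host within this window.
MASS_ENCRYPT_THRESHOLD = 5
MASS_ENCRYPT_WINDOW_S = 60

# Constructed sample telemetry (not real logs), pipe-separated:
#   ts|host|PROCESS|parent_image|image|command_line
#   ts|host|FILE|action|path
SAMPLE_LOG = [
    r"2016-03-20T02:14:05|FILESRV01|PROCESS|C:\Windows\PSEXESVC.exe|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Windows\Temp\deploy.bat",
    r"2016-03-20T02:14:07|FILESRV01|PROCESS|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"2016-03-20T02:14:09|FILESRV01|PROCESS|C:\Windows\System32\cmd.exe|C:\Windows\Temp\sqlsrvtmg1.exe|sqlsrvtmg1.exe",
    r"2016-03-20T02:14:10|FILESRV01|FILE|DELETE|D:\Backups\finance_2016-03-19.bak",
    r"2016-03-20T02:14:11|FILESRV01|FILE|DELETE|D:\Backups\hr.bkf",
    r"2016-03-20T02:15:01|FILESRV01|FILE|RENAME|D:\Shares\finance\q1.xlsx.encrypted.RSA",
    r"2016-03-20T02:15:03|FILESRV01|FILE|RENAME|D:\Shares\finance\q2.xlsx.encrypted.RSA",
    r"2016-03-20T02:15:05|FILESRV01|FILE|RENAME|D:\Shares\finance\budget.docx.encrypted.RSA",
    r"2016-03-20T02:15:07|FILESRV01|FILE|RENAME|D:\Shares\hr\contracts.pdf.encrypted.RSA",
    r"2016-03-20T02:15:09|FILESRV01|FILE|RENAME|D:\Shares\hr\payroll.xlsx.encrypted.RSA",
    # Benign workstation activity: listing shadows and one stray rename must not fire.
    r"2016-03-20T09:30:00|WKS-042|PROCESS|C:\Windows\explorer.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows",
    r"2016-03-20T09:31:00|WKS-042|FILE|RENAME|C:\Users\bob\notes.txt.encrypted.RSA",
]


def basename(path):
    """Last path component, tolerant of both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_line(line):
    """Turn one telemetry line into a dict; text fields are lower-cased for matching."""
    ts_s, host, kind, rest = line.rstrip("\n").split("|", 3)
    ev = {"ts": datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%S"), "host": host, "kind": kind}
    if kind == "PROCESS":
        parent, image, cmdline = rest.split("|", 2)
        ev.update(parent=basename(parent).lower(), image=basename(image).lower(), cmdline=cmdline.lower())
    elif kind == "FILE":
        action, path = rest.split("|", 1)
        ev.update(action=action.upper(), path=path.lower())
    else:
        raise ValueError(f"unknown event type: {kind}")
    return ev


def detect(lines):
    """Return (host, rule, detail) findings for the Samas stages the page describes."""
    findings = []
    encrypt_times = defaultdict(list)  # host -> timestamps of encrypted-output renames
    for ev in (parse_line(l) for l in lines if l.strip()):
        if ev["kind"] == "PROCESS":
            if ev["image"] == "vssadmin.exe" and "delete" in ev["cmdline"] and "shadows" in ev["cmdline"]:
                findings.append((ev["host"], "shadow_copy_deletion", ev["cmdline"]))
            if ev["parent"] in PSEXEC_NAMES and ".bat" in ev["cmdline"]:
                findings.append((ev["host"], "psexec_batch_deployment", ev["cmdline"]))
            if ev["image"] in SAMAS_DELETER_NAMES:
                findings.append((ev["host"], "known_samas_binary", ev["image"]))
        else:
            name = basename(ev["path"])
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ev["action"] == "DELETE" and ext in BACKUP_EXTS:
                findings.append((ev["host"], "backup_file_deletion", ev["path"]))
            if ev["action"] in {"RENAME", "CREATE"} and ev["path"].endswith(ENCRYPTED_SUFFIX):
                encrypt_times[ev["host"]].append(ev["ts"])
    # Sliding window: flag a host once THRESHOLD renames land inside WINDOW seconds.
    for host, times in encrypt_times.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while (t - times[j]).total_seconds() > MASS_ENCRYPT_WINDOW_S:
                j += 1
            if i - j + 1 >= MASS_ENCRYPT_THRESHOLD:
                findings.append((host, "mass_encryption",
                                 f"{i - j + 1} files renamed to *{ENCRYPTED_SUFFIX} within {MASS_ENCRYPT_WINDOW_S}s"))
                break
    return findings


def hosts_with_multiple_stages(findings, min_stages=2):
    """Hosts on which at least min_stages distinct rules fired, i.e. a chain rather than a one-off."""
    stages = defaultdict(set)
    for host, rule, _ in findings:
        stages[host].add(rule)
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for host, rule, detail in hits:
        print(f"{host:10} {rule:26} {detail}")
    print("hosts with a multi-stage chain:", hosts_with_multiple_stages(hits))
```

Correlating stages per host is the point: a single vssadmin invocation or one oddly named file is noise on a busy estate, but shadow copy deletion followed by backup deletion and a burst of encrypted.RSA renames on the same server within minutes is the sequence the page describes, and is worth paging on.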