Sunday, 29 September 2019

GermanWiper: One More Wiper Pretending to Be Ransomware


[Authors: Viktoria Taran, Alexander Adamov]

GermanWiper was first seen on the BleepingComputer forum on July 30, 2019. After analysis, it turned out that the malware is rather a wiper than ransomware. Interestingly, GermanWiper managed to raise $9,000 almost reaching the result of $10,500 (4.13528947 BTC) earned by another wiper called NotPetya in June 2017. Let us take a close look at the ransomware to find out the installation process, communication details, and wiping details.

Tuesday, 27 August 2019

Anti-Cryptojacking Test - July 2019



Cryptojacking or malicious cryptomining is a new type of threat that can be described as the unsolicited use of a user’s computing device to mine cryptocurrency. There are two types of cryptojacking attack: general-purpose and targeted.

Saturday, 23 March 2019

Analysis of LockerGoga Ransomware


Картинки по запросу Norsk Hydro
Norsk Hydro back in 1905. 
Source: https://commons.wikimedia.org/wiki/File:Rjukan_fabrikker_-_Norsk_Hydro.jpg

This week BleepingComputer reported that LockerGoga ransomware was allegedly responsible for disrupting the Norsk Hydro's IT control system and forced the Norwegian industrial giant to switch to the manual operation mode. Later, according to Motherboard, this ransomware disrupted IT services of the two more US chemical companies Hexion and Momentive. Thus, it seems that the attackers behind LockerGoga target critical infrastructure and those mentioned above are not the only victims of the ransomware up to the moment. Further, we provide a detailed analysis of the ransomware encryption process.

Tuesday, 31 July 2018

VB2018: Artificial intelligence to assist with ransomware cryptanalysis



It's always very exciting for me to be able to attend and, moreover, speak at the Virus Bulletin Conference. Because, it is the oldest and the most respectful antivirus conference that has been running since 1991 where cybersecurity experts from academia and industry gather to share their ideas, research, and forecasts. You can meet the researches who helped to boost the antivirus industry decades ago and are now the core of the antivirus community.

This year in Montreal, we'll present an academic research conducted by my master student Kateryna Vitiuk under my supervision and devoted to Cryptanalysis of ransomware with the help of Artificial Intelligence.

When analyzing ransomware, I and my colleagues often see the hardcoded implementation of the AES, RC4, Salsa20 algorithms, for example in TeslaCrypt, Locky, GlobeImposter, MoneroPay ransomware. The ciphers' code can be poorly detected in the ransomware's memory dumps using the signature-based approach using Krypto ANALyzer (KANAL) for PEiD tool and publicly available Yara rules. Therefore, we assumed that it is possible to use the smart pattern matching method to find the known crypto primitives in the ransomware's disassembled code.

See also:
https://www.virusbulletin.com/conference/vb2018/abstracts/artificial-intelligence-assist-ransomware-cryptanalysis

Wednesday, 21 March 2018

Corporate Backup Solutions Self-Defense Test - March 2018


In the light of the growing number of ransomware attacks in which cryptolockers terminate database processes to unlock the database files for encryption (Cerber, GlobeImposter, Rapid, Serpent) and can encrypt local and network backups to demand a ransom (Rapid, Spora), we decided to test self-defense capabilities of the top backup solutions used in business environments available for trial.

The test aims at testing the sustainability of product’s processes and services against typical attacks to security software described below, as well as self-protection of local backup and product’s files. Ransomware can encrypt local backup files and configuration files that belong to a backup program thereby disabling the recovery of the files. Moreover, once access to agent’s or server’s processes is gained, an attacker can delete backup copies of the files not only locally, but also in the cloud on behalf of a backup solution.

See the full report by the link.

Sunday, 4 February 2018

Friday, 22 December 2017

VB2017 videos on attacks against Ukraine


Thanks to Virus Bulletin for giving a chance to talk about the most destructive attacks this year.
"(In)security is a global problem that affects every country in the world, but in recent years, none has been as badly hit as Ukraine.The most well known malware that affected the country is (Not)Petya, a ransomware/wiper threat that had global impact (it cost shipping firm Maersk alone $300m in lost revenues), but which hit Ukrainian businesses particularly hard. The malware spread through a compromised update pushed out by M.E.Doc's tax accounting software, which is popular in the country.
In a VB2017 presentation, NioGuard's Alexander Adamov, himself based in Ukraine, discussed how (Not)Petya and related attacks worked and what impact they had. We have now uploaded the video of his presentation to our YouTube channel."

Read more: