Tuesday, 27 August 2019

Anti-Cryptojacking Test - July 2019

Cryptojacking or malicious cryptomining is a new type of threat that can be described as the unsolicited use of a user’s computing device to mine cryptocurrency. There are two types of cryptojacking attack: general-purpose and targeted.

Saturday, 23 March 2019

Analysis of LockerGoga Ransomware

Картинки по запросу Norsk Hydro
Norsk Hydro back in 1905. 
Source: https://commons.wikimedia.org/wiki/File:Rjukan_fabrikker_-_Norsk_Hydro.jpg

This week BleepingComputer reported that LockerGoga ransomware was allegedly responsible for disrupting the Norsk Hydro's IT control system and forced the Norwegian industrial giant to switch to the manual operation mode. Later, according to Motherboard, this ransomware disrupted IT services of the two more US chemical companies Hexion and Momentive. Thus, it seems that the attackers behind LockerGoga target critical infrastructure and those mentioned above are not the only victims of the ransomware up to the moment. Further, we provide a detailed analysis of the ransomware encryption process.

Tuesday, 31 July 2018

VB2018: Artificial intelligence to assist with ransomware cryptanalysis

It's always very exciting for me to be able to attend and, moreover, speak at the Virus Bulletin Conference. Because, it is the oldest and the most respectful antivirus conference that has been running since 1991 where cybersecurity experts from academia and industry gather to share their ideas, research, and forecasts. You can meet the researches who helped to boost the antivirus industry decades ago and are now the core of the antivirus community.

This year in Montreal, we'll present an academic research conducted by my master student Kateryna Vitiuk under my supervision and devoted to Cryptanalysis of ransomware with the help of Artificial Intelligence.

When analyzing ransomware, I and my colleagues often see the hardcoded implementation of the AES, RC4, Salsa20 algorithms, for example in TeslaCrypt, Locky, GlobeImposter, MoneroPay ransomware. The ciphers' code can be poorly detected in the ransomware's memory dumps using the signature-based approach using Krypto ANALyzer (KANAL) for PEiD tool and publicly available Yara rules. Therefore, we assumed that it is possible to use the smart pattern matching method to find the known crypto primitives in the ransomware's disassembled code.

See also:

Wednesday, 21 March 2018

Corporate Backup Solutions Self-Defense Test - March 2018

In the light of the growing number of ransomware attacks in which cryptolockers terminate database processes to unlock the database files for encryption (Cerber, GlobeImposter, Rapid, Serpent) and can encrypt local and network backups to demand a ransom (Rapid, Spora), we decided to test self-defense capabilities of the top backup solutions used in business environments available for trial.

The test aims at testing the sustainability of product’s processes and services against typical attacks to security software described below, as well as self-protection of local backup and product’s files. Ransomware can encrypt local backup files and configuration files that belong to a backup program thereby disabling the recovery of the files. Moreover, once access to agent’s or server’s processes is gained, an attacker can delete backup copies of the files not only locally, but also in the cloud on behalf of a backup solution.

See the full report by the link.

Sunday, 4 February 2018

Friday, 22 December 2017

VB2017 videos on attacks against Ukraine

Thanks to Virus Bulletin for giving a chance to talk about the most destructive attacks this year.
"(In)security is a global problem that affects every country in the world, but in recent years, none has been as badly hit as Ukraine.The most well known malware that affected the country is (Not)Petya, a ransomware/wiper threat that had global impact (it cost shipping firm Maersk alone $300m in lost revenues), but which hit Ukrainian businesses particularly hard. The malware spread through a compromised update pushed out by M.E.Doc's tax accounting software, which is popular in the country.
In a VB2017 presentation, NioGuard's Alexander Adamov, himself based in Ukraine, discussed how (Not)Petya and related attacks worked and what impact they had. We have now uploaded the video of his presentation to our YouTube channel."

Read more:

Friday, 27 October 2017

Bad Rabbit Ransomware or Evolution of NotPetya

BadRabbit launched on the morning of Tuesday, October 24, 2017 was delivered through drive-by downloads of the fake Adobe Flash Player installer from the hacked websites. The installer came undetected with a Symantec digital certificate and 1 out of 65 detection rate on VirusTotal. The Bad Rabbit ransomware having the similar set of features and code snippets to the NotPetya wiper can be considered like its new version supposedly created by the same author. In the new version, the legitimate DiskCryptor driver used to install the bootloader and encrypt the hard disk volumes in a hidden way.

Main outcomes:
  • The BadRabbit is a new version of NotPetya, supposedly written by the same author;
  • It's a cryptolocker - you can unlock the computer and decrypt the data only by paying 0.05 BTC;
  • This is not a targeted attack, unlike NotPetya
  • The BadRabbit is distributed over the local network using the EternalRomance vulnerability in SMB1, WMI, WebDAV, brute-force with simple passwords through NTLMSSP
  • The BadRabbit uses the legitimate DiskCryptor driver
Read the full report for more details.