Ransomware versus Cryptojacking: Latest Trends in Modern Malware

Presented at ToorCon San Diego 20 (2018), Sept. 15, 2018, 3 p.m. (50 minutes)

Ransomware and cryptojacking have been recognized as the top malware threats in 2018. Financially motivated cybercriminals are attracted to both since both remain viable means of generating illicit income. In this talk, we delve deep into the latest characteristics observed in ransomware and cryptojacking attacks. Modern ransomware go beyond mere data encryption and come bundled with other threats, while cryptojacking attacks exploit unsuspecting web users by deploying embedded JavaScript miners concealed in websites. We discuss the intricate characteristics of sophisticated modern ransomware variants, cryptojacking attacks, and the results of our web crawl identifying websites involved in cryptojacking. Finally, we compare ransomware and cryptojacking in terms of their potential to generate illicit income for cybercriminals versus the levels of sophistication required to implement their respective campaigns.

Modern malware present multi-faceted threats that leverage a variety of attack vectors. Leading the malware threatscape in 2018 are ransomware and cryptojacking attacks, and the more evolved variants are now implementing targeted attacks against organizations (e.g. SamSam). These modern ransomware include a hybrid cryptosystem that uses a combination of symmetric and asymmetric cryptography. In recent practice, ransomware are going beyond mere data encryption and come bundled with other threats. We present real-world cases of ransomware where we observed these cryptoviral extortions drop trojan horses (e.g. RAA dropping pony) and cryptominers (e.g. BlackRuby). Our research shows that these secondary infections remain active on host even after the ransom is paid. During this talk, we will also discuss how elliptic curve cryptography (ECIES) is deployed in modern ransomware (e.g. Petya and PetrWrap) and the tactical advantages it provides (over RSA) to ransomware operators. We will show how many ransomware variants purge shadow copies (via vssadmin), encrypt network backups (using WNetAddConnection2), and use the latest anti-virus circumvention techniques such as “process doppelganging” (e.g. SynAck ransomware). In addition, we will discuss the results of our preliminary web crawl that identified cryptojacking scripts embedded across a variety of websites. We will discuss just how cryptojacking works, why it is rampantly spreading, how it effects organizations and individuals and how to effectively protect an organization and its employees against it.

In conclusion, we will discuss the future of the most potent ransomware and cryptojacking malware as predicted via analysis of real-world malware samples observed lately in the wild. We will also explore new attack vectors (besides phishing) deployed by these malware such as exploiting critical vulnerabilities (e.g. the infamous EternalBlue) or brute forcing remote services (e.g. RDP or SSH). All arguments presented during the talk will be backed by empirical evidence in form of system snapshots, code snippets, and network packet dumps as collected from real-world malware.


Presenters:

  • Pranshu Bajpai
    Pranshu Bajpai is a security researcher working towards his PhD in Computer Science and Engineering at Michigan State University. His research interests lie in computer and network security, malware analysis, digital forensics, and cyber crimes. In the past, he worked as a penetration tester. He has authored several papers in security magazines and journals and has served as a technical reviewer for books within the security domain. He has been an active speaker at industry and academic conferences and spoken at DEF CON, IEEE APWG eCrime conference, GrrCon, BSides and others. He holds an MS in Information Security and an MBA in Marketing.

Links:

Similar Presentations: