Posts

Showing posts from May, 2017

FIGHT BACK RANSOMWARE!


CRYPTOVIROLOGY

Cryptovirology is a field that studies the ways in which cryptography can be used to design malicious software. It investigates how modern cryptographic paradigms and tools can be used to strengthen, improve and develop new malware for attacks. Cryptovirology is a forward-engineering discipline that is primarily used for attacking rather than defending. The field emerged from the observation that public-key cryptography can be used to break the symmetry between what an antivirus analyst sees of a malware sample and what the attacker sees. The antivirus analyst sees only the public key contained in the malware, whereas the attacker sees that public key as well as the corresponding private key, which is kept outside the malware. The public key lets the malware apply a trapdoor function on the victim's computer that only the attacker can undo.

RANSOMWARE (WannaCry)

WannaCry is a cryptoworm used by cyber criminals, targeting mostly the Windows operating system, to hold organizations' and users' personal data hostage. The motive behind the attack is monetary: the malware encrypts the user's data. Once infected, the victim gets an email or a pop-up warning that if the ransom is not paid by the due date their files will be destroyed permanently.

CTB LOCKER RANSOMWARE

CTB-Locker (Curve-Tor-Bitcoin Locker), also known as Critroni, is an example of file-encrypting malware. The ransomware was released in the middle of July 2014 and targets Windows. Curve comes from its cryptography based on elliptic curves, which encrypts the affected files with a unique RSA key. Tor comes from the malicious server being placed on an onion domain, which is very difficult to take down. Bitcoin refers to the option of paying in Bitcoins, avoiding normal payment systems that could lead back to the attackers. **CTB-Locker first encrypts the files, then claims you have 4 days (96 hours) to make the payment; if the victim doesn't send the money in time, their files stay permanently encrypted.

JIGSAW RANSOMWARE

This ransomware was first spotted in April 2016. A notorious virus that disables the computer, encrypts the files on it and threatens to delete them, it is actually the first one that carries out that threat. Once the virus invades the system a countdown timer starts; if the demanded ransom of $150 is not paid within the first hour it deletes one file, and it keeps deleting more and more files each time the timer resets every 60 minutes. Jigsaw encrypts files using AES-128-CBC and creates a secret decryption key, which is needed to decrypt all of the encrypted files. Jigsaw also creates a number of other problems: it drops other types of infections to dig deeper into your system, injects spam files and registry entries onto your device, shows a lot of pop-up ads on the screen, and slows down the system's performance.

TORRENTLOCKER RANSOMWARE

TorrentLocker is a Trojan horse that encrypts files on the compromised computer using the symmetric block cipher AES to encrypt the files and the asymmetric cipher RSA to encrypt the key. The criminals demand a monetary ransom to unlock the infected computer. TorrentLocker was first observed in February 2014, and by the year's end 5 major releases of this malware had been discovered. TorrentLocker infections start with a spam email. The victim is told to pay the amount in Bitcoins, usually starting around $550, within 3 days.

TESLACRYPT RANSOMWARE

TeslaCrypt, now defunct, was a ransomware Trojan that first came to light in late February 2015. TeslaCrypt was distributed widely via the Angler exploit kit, which exploited Adobe Flash (CVE-2015-0311) to download TeslaCrypt. Initially TeslaCrypt targeted game-play data for computer games like the Call of Duty series, World of Warcraft, Minecraft and World of Tanks. Newer variants of TeslaCrypt were not only focused on games but also encrypted Word, PDF, JPEG and other files. In all cases, the victim would then be prompted to pay a ransom of $500 worth of Bitcoins in order to obtain the key to decrypt the files.

CRYSIS RANSOMWARE

CrySiS, which first showed up in February 2016, is malware mostly spread through deceptive e-mail messages containing infectious attachments with double file extensions and fake software updates (Java, Flash Player, etc.), and also through social networks and file-sharing services. After successful system infiltration, the malware encrypts files stored on the computer. CrySiS's encryption method is a mixture of the RSA and AES-128 algorithms. It adds a .CrySiS file extension to the encrypted files and changes the desktop wallpaper to a ransom note demanding between $400 and $1200. The CrySiS ransomware can even hijack your IP and system DNS settings in order to cut off your access to the network. CrySiS could also build a backdoor for remote hackers, who can collect your confidential information.

CRYPTOLOCKER RANSOMWARE

CryptoLocker is a malicious cyber threat that first appeared in September 2013. The ransomware spreads through email with a password-protected ZIP file claiming to be from a logistics firm, and uses social engineering techniques to trick the user into running it. As soon as the victim opens it using the password provided, the Trojan goes memory-resident on the computer and saves itself in the user profile. The Trojan generates a random symmetric key for each file it encrypts with the AES algorithm on the compromised computer and then prompts the user to purchase a password in order to decrypt. **Operation Tovar was carried out and CryptoLocker was isolated by the seizure of the GameOver ZeuS botnet.

LOCKY RANSOMWARE

LOCKY, quite a derogatory name! Locky is ransomware that scrambles and renames all your files with a .locky extension. Released in 2016, Locky is an email worm and macro-virus Trojan similar to CryptoLocker. This ransomware is spread to thousands of computers through email with an attached MS Word document containing the malicious macros. When the victim enables macros in Word, the macros save and run a binary file that downloads the actual encryption Trojan, which encrypts all files to a unique 16-digit combination using the RSA-2048 and AES-1024 algorithms. **The files could be decrypted using a decrypter sold by the criminals for 0.5 Bitcoins.

LECHIFFRE RANSOMWARE

LECHIFFRE, the manually distributed malware! LeChiffre means "the number". Unlike other ransomware, cyber criminals manually deploy this malware on the compromised machine and run a malicious executable file. Once LeChiffre infects the device successfully, it changes the system settings and encrypts the files using an RSA-1024 algorithm. To inform users of their options for recovering the enciphered data, an email address is provided for contacting the cyber criminals. **LeChiffre was reported in spring 2015 to have infected three Indian banks and a pharmaceutical company, demanding one Bitcoin per compromised computer and reportedly causing millions of dollars in damage.

RAA-RANSOMWARE

RAA, delivering the Pony ransom malware! RAA was spotted in early 2016. The malware is written entirely in JavaScript. RAA has been spreading via email attachments that pretend to be .doc files, with names like mgJaXnwanxlS_doc_.js. Once the JS file is opened the malicious process starts scanning the system, encrypts the files on the computer and then demands a ransom of ~$250 to decrypt the files. *JS malware is gaining popularity because it is easier to write and debug and harder for AV scanners to analyze.

CRYPTOWALL RANSOMWARE

CryptoWall demands money and mocks you! CryptoWall ransomware is among the most persistent viruses and occupies a significant position in the crypto-malware market. The threat typically reaches a computer through spam emails, exploit kits hosted through malicious ads, compromised sites and other malware. The Trojan prevents the user from accessing their files and forces the victim to pay in order to regain access. It does this by encrypting a wide variety of files on the compromised computer using public/private-key encryption with a strong 2048-bit RSA key. **CryptoWall infected over 600,000 computer systems and held 5 billion files hostage, earning its creators more than $325 billion worldwide.

KERANGER RANSOMWARE

KERANGER, the first in-the-wild macOS ransomware! KeRanger, also known as OSX.KeRanger.A, is known as the first crypto-ransomware Trojan to effectively target Apple computers. Discovered on March 4, 2016, it affected more than 7,000 Mac users. KeRanger is executed remotely on the victim's computer through a flaw in the Transmission BitTorrent client. The only way this malware could invade the victim's computer was by using a valid developer signature issued by Apple, which allowed it to bypass the built-in OS X security feature designed to block software from untrusted sources. **The malware displays a ransom message demanding that the victim pay 1 Bitcoin (~$408).

REVETON RANSOMWARE

REVETON, one brand of ransomware! Reveton began to spread in 2012. The threat pretends to be a warning from a national police service about copyright violations and other cyber offences, locks your PC and threatens criminal proceedings within 48 hours. Because of this it is also known as the 'Police Trojan'. This ransomware is spread by the BEDEP malware following a system infection caused by the Angler Exploit Kit; upon execution, the ransomware encrypts the infected system's files and appends a .crypt extension to the filename. **The extortion amount is typically around $200, and the hackers ask that the 'fine' be paid through anonymous prepaid cash services like Ukash, PaySafeCard or MoneyPak.

WINLOCKER RANSOMWARE

WINLOCKER, transforming the plot of cyber ransomware! WinLocker-infected machines are controlled centrally using two C&C panels. One C&C panel is used to verify the transaction generated to pay the ransom: if the transaction is verified and the required amount has been transferred to the attacker's account, an email is sent to the attacker to unlock the infected system. The other C&C panel is used for administrative operations such as sending unlock commands to infected systems. The developers of WinLocker have started a stealthy affiliate program (IWAP) in which WinLocker is provided as a crimeware service; buyers of the service get access to the C&C panel that monitors successful infections for ransom payments, but they do not have access to the administrative control panel. **This Trojan also displays fake warning messages from the police or security services.

CERBER RANSOMWARE

CERBER, evolving and evading machine-learning tools! Cerber, discovered in early 2016, is ransomware-type malware that infiltrates systems and encrypts files with the RSA-512 cipher and the RC4 encryption algorithm. Cerber adds a .cerber extension, or four randomly generated alphanumeric characters, to each encrypted file. Once infected, the victim's data files are enciphered, a ransom note for 1.24 Bitcoins pops up, and a .vbs file is added that speaks the ransom note aloud. **Cerber is probably a new ransomware-as-a-service offering, where affiliates can join in order to distribute the ransomware; the developers earn a 40% commission from each ransom payment and the affiliate gets 60% of the profit.

PETYA RANSOMWARE

PETYA, a whole new approach to messing things up! Petya is a different form of ransomware. Instead of encrypting files one by one, it denies access to the full system and encrypts the whole hard drive at once by tampering with the MBR and encrypting the MFT. Petya writes its malicious code at the beginning of the disk. The affected system's master boot record (MBR) is then overwritten by a custom boot loader that loads a tiny malicious kernel, and this kernel proceeds with the encryption. The malware causes a system crash (Blue Screen of Death) and a reboot. This ransomware has targeted mostly business users, as it is distributed by emails pretending to be job applications. These emails contain a Dropbox link to a file that is supposed to be a resume but is actually an .exe file. Once the file is clicked, Petya makes its way onto the user's PC.

SATANA RANSOMWARE

SATANA is a Trojan that encrypts files and corrupts the Windows Master Boot Record (MBR), thus blocking the Windows boot process. Satana behaves quite similarly to the notorious Petya ransomware. To encrypt PC files, Petya relies on the help of a tag-along Trojan called Mischa, while Satana manages the task on its own. Once the ransomware starts running it disappears and hides under a different name in the %TEMP% folder. It then repeatedly prompts the user to download a malicious file until they click yes. Once that happens, the malicious code is written to the beginning of the disk. After it installs and runs its malicious code, Satana waits for the computer to reboot. The system then won't start; instead it shows a screen with the ransom note, like most ransomware.

TYPES OF RANSOMWARE

Commonly two types of ransomware are in circulation. ENCRYPTORS incorporate advanced encryption algorithms; they are designed to block system files and then demand a ransom to provide the victim with the key that can decrypt them. LOCKERS, unlike encryptors, lock the victim out of the operating system, making it impossible for the user to access the desktop and files on the system; the victim has to pay a ransom to get the system unlocked. **Some lockers infect the Master Boot Record (MBR). The MBR is the section of a computer's hard drive that enables the operating system to boot. When MBR ransomware strikes, the boot process can't complete as usual and displays a ransom note on the screen instead.
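The encryptor behaviour described in these posts (files kept in place but renamed with a family-specific suffix such as .locky, .CrySiS, .cerber, .crypt, or Cerber's four random characters) is something a defender can watch for in file-system audit logs. The script below is an added example written for this page, not code from the original posts or from any of the malware families described; the log line format, the sample events and the benign-suffix allowlist are all constructed assumptions. It attributes suspicious renames to the families named above and raises a burst alert when several of them land inside a short time window, which is what an encryptor sweeping through a profile looks like and a user renaming one file by hand does not.

```python
import re
from collections import Counter, deque

# Extensions that the posts on this page report specific families appending to
# encrypted files. Cerber's alternative suffix of four random alphanumeric
# characters (also from the Cerber post) is matched by CERBER_RANDOM_RE.
KNOWN_RANSOM_EXTENSIONS = {
    ".locky": "Locky",
    ".crysis": "CrySiS",
    ".cerber": "Cerber",
    ".crypt": "Reveton",
}
CERBER_RANDOM_RE = re.compile(r"^\.[a-z0-9]{4}$", re.IGNORECASE)

# Appended suffixes common in legitimate workflows that would otherwise collide
# with the four-character rule. This allowlist is an assumption; tune it.
BENIGN_SUFFIXES = {".bak", ".orig", ".old", ".save", ".part"}

# Hypothetical audit-log line format assumed for this example:
#   <epoch seconds> RENAME <old path> -> <new path>
EVENT_RE = re.compile(r"^(\d+)\s+RENAME\s+(\S+)\s+->\s+(\S+)$")

# Constructed sample events, not real telemetry. The first six lines imitate an
# encryptor working through a profile; the rest are ordinary user activity plus
# one Cerber-style random suffix.
SAMPLE_EVENTS = """\
1494633600 RENAME C:/Users/alice/Documents/budget.xlsx -> C:/Users/alice/Documents/budget.xlsx.locky
1494633601 RENAME C:/Users/alice/Documents/notes.txt -> C:/Users/alice/Documents/notes.txt.locky
1494633602 RENAME C:/Users/alice/Pictures/holiday.jpg -> C:/Users/alice/Pictures/holiday.jpg.locky
1494633602 RENAME C:/Users/alice/Pictures/cat.png -> C:/Users/alice/Pictures/cat.png.locky
1494633603 RENAME C:/Users/alice/Desktop/report.docx -> C:/Users/alice/Desktop/report.docx.locky
1494633604 RENAME C:/Users/alice/Desktop/thesis.pdf -> C:/Users/alice/Desktop/thesis.pdf.locky
1494640000 RENAME C:/Users/bob/draft_v1.docx -> C:/Users/bob/draft_final.docx
1494640300 RENAME C:/Users/bob/config.ini -> C:/Users/bob/config.ini.orig
1494640900 RENAME C:/Users/bob/invoice.pdf -> C:/Users/bob/invoice.pdf.a7f3
"""


def classify_rename(old_path, new_path):
    """Return the family suggested by one rename, or None if it looks benign.

    Only a rename that keeps the original name and appends a suffix is
    considered, because that is the behaviour the posts above describe
    (file.docx -> file.docx.locky)."""
    if not new_path.startswith(old_path + "."):
        return None
    suffix = new_path[len(old_path):].lower()
    if suffix in BENIGN_SUFFIXES:
        return None
    family = KNOWN_RANSOM_EXTENSIONS.get(suffix)
    if family:
        return family
    if CERBER_RANDOM_RE.match(suffix):
        return "Cerber (random suffix)"
    return None


def scan_events(log_text, window_seconds=60, burst_threshold=5):
    """Parse audit lines, attribute suspicious renames to families, and flag a
    burst: burst_threshold or more suspicious renames inside any window of
    window_seconds."""
    hits = Counter()
    suspicious_times = []
    parsed = 0
    for line in log_text.splitlines():
        match = EVENT_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not follow the assumed format
        parsed += 1
        ts, old_path, new_path = int(match.group(1)), match.group(2), match.group(3)
        family = classify_rename(old_path, new_path)
        if family:
            hits[family] += 1
            suspicious_times.append(ts)

    # Sliding window over the suspicious timestamps only.
    burst = False
    window = deque()
    for ts in sorted(suspicious_times):
        window.append(ts)
        while ts - window[0] > window_seconds:
            window.popleft()
        if len(window) >= burst_threshold:
            burst = True
            break
    return {"parsed": parsed, "families": dict(hits), "burst": burst}


if __name__ == "__main__":
    result = scan_events(SAMPLE_EVENTS)
    print(result)
    if result["burst"]:
        print("ALERT: mass-rename burst, isolate the host and check backups")
```

On the constructed sample this reports six Locky renames and one Cerber-style suffix, and the burst flag fires because the six Locky events fall within five seconds. The single four-character suffix on its own does not trigger the burst rule, which is deliberate: one odd rename is worth a ticket, a sweep is worth isolating the host. In a real deployment the same logic would sit behind a file-integrity or EDR feed, and the suffix tables would need to be kept current because families change extensions between versions.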

WANNACRY RANSOMWARE

WannaCry, one of the most prolific attacks! WannaCry is an ongoing ransomware cyber attack that holds your computer hostage until the demanded ransom is paid. This cryptoworm started its attack on 12 May 2017 and was reported to have infected more than 230,000 PCs in more than 150 countries. The malware attacks vulnerable operating systems running older versions of Windows. The hackers used cyber tools stolen from the US National Security Agency to carry out the attack. WannaCry encrypts and scrambles all the data on the infected computer, then pops up a screen displaying the ransom note and demanding a fee payable in **cryptocurrency (Bitcoins). The malware has now evolved into a new worm, EternalRock, which does not have a "kill switch" like WannaCry's.

RANSOMWARE

RANSOMWARE is a sophisticated piece of malware that blocks the victim's access to his or her files; the only way to regain access is to pay a ransom. It can target any PC user, whether a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider. There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC normally: they will demand that you pay money (Bitcoins). **There is no guarantee that after paying the fine or doing what the ransomware asks you will regain access to your PC or files.