
Chapter 1 - 03 - Define Malware and its Types - 14_ocred.pdf


Full Transcript


Certified Cybersecurity Technician
Information Security Threats and Vulnerabilities
Exam 212-82

Ransomware

- A type of malware that restricts access to the computer system's files and folders
- Demands an online ransom payment to the malware creator(s) to remove the restrictions

Files get encrypted and access is blocked, demanding ransom:
1. Attacker sends ransomware in e-mail
2. Malware executes and gets installed
3. Victim pays ransom to get access
4. Attacker unlocks and provides access
5. Victim gets access to files

Ransomware (Cont'd)

Ransomware Families: Sodinokibi, CTB-Locker, BitPaymer, Cerber, CryptXXX, Cryptorbit, Crypto Locker, Crypto Defense, Crypto Wall

Dharma is a dreadful ransomware that attacks victims through email campaigns. The ransom notes ask the victims to contact the threat actors via a provided email address and pay in bitcoins for the decryption service.

[Slide screenshot: Dharma ransom note beginning "All your files have been encrypted!" (see Figure 1.9)]

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Ransomware

Ransomware is a type of malware that restricts access to the infected computer system or critical files and documents stored on it, and then demands an online ransom payment to the malware creator(s) to remove user restrictions. Ransomware is a type of crypto-malware that might encrypt files stored on the system's hard disk or merely lock the system and display messages meant to trick the user into paying the ransom.

Usually, ransomware spreads as a Trojan, entering a system through email attachments, hacked websites, infected programs, app downloads from untrusted sites, vulnerabilities in network services, and so on. After execution, the payload in the ransomware runs and encrypts the victim's data (files and documents), which can be decrypted only by the malware author. In some cases, user interaction is restricted using a simple payload. In a web browser, a text file or webpage displays the ransomware demands.

The displayed messages appear to be from companies or law enforcement personnel falsely claiming that the victim's system is being used for illegal purposes or contains illegal content (e.g., porn videos, pirated software), or it could be a Microsoft product activation notice falsely claiming that the installed Office software is fake and requires product re-activation. These messages entice victims into paying money to undo the restrictions imposed on them. Ransomware leverages victims' fear, trust, surprise, and embarrassment to get them to pay the ransom demanded.
[Figure 1.8: Depiction of ransomware attack. Files get encrypted and access is blocked, demanding ransom: attacker attaches ransomware in e-mail; malware executes and gets installed; victim pays ransom to get access; attacker unlocks and provides access; victim gets access to files]

Ransomware Families

Listed below are some of the ransomware families:
- Cerber
- CryptorBit
- CTB-Locker
- CryptoLocker
- Sodinokibi
- CryptoDefense
- BitPaymer
- CryptXXX
- CryptoWall
- Police-themed Ransomware

Examples of Ransomware

Dharma

Dharma is a dreadful ransomware that was first identified in 2016; since then, it has been affecting various targets across the globe with new versions. It has been regularly updated with sophisticated mechanisms in recent years. At the end of March 2019, Dharma struck a parking lot system in Canada. Previously, it also infected a Texas hospital and some other organizations. The variants of this ransomware have the following extensions: .adobe, .bip, .combo, .cezar, .ETH, .java. Its encrypted files have new extensions, such as .xxxxx and .like. This ransomware employs the AES encryption algorithm to encrypt data and then displays ransom notes. These ransom notes are named either Info.hta or FILES ENCRYPTED.txt. This ransomware is distributed through email campaigns. The ransom notes ask victims to contact the threat actors via the provided email address and pay in bitcoins for the decryption service.

[Figure 1.9: Screenshot displaying ransom demand message of Dharma ransomware]

    All your files have been encrypted!
    All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
    Write this ID in the title of your message AC197B68
    In case of no answer in 24 hours write us to these e-mails: [email protected]
    You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
    Free decryption as guarantee
    Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
    to obtain Bitcoins
    The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
    Attention!
    Do not rename encrypted files.
    Do not try to decrypt your data using third party software, it may cause permanent data loss.
    Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Some additional ransomware families are as follows:
- eCh0raix
- MegaCortex
- SamSam
- LockerGoga
- WannaCry
- NamPoHyu
- Petya - NotPetya
- GandCrab
- Ryuk
- Cryptgh0st
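The Dharma description above gives a defender three concrete things to look for on a file share: the ransom note names (Info.hta, FILES ENCRYPTED.txt), the appended extensions (.adobe, .bip, .combo, .cezar, .ETH, .java, .xxxxx, .like), and the fact that the file contents are AES-encrypted, which shows up as near-maximal byte entropy. The following Python script is an added example, not part of the EC-Council course material, that turns those indicators into a small triage check over an in-memory directory listing. The entropy threshold of 7.5 bits per byte and the rule "any ransom note, or two or more high-entropy files carrying a Dharma extension, escalates the directory" are the example's own assumptions; the sample files are constructed, with deterministic pseudo-random bytes standing in for encrypted content. Note that .java is also an ordinary source-file extension, so the script treats an extension match without high entropy as a weak signal only.

```python
import math
import random
from collections import Counter
from pathlib import Path

# File-name indicators taken from the Dharma description above.
# ".java" is also a legitimate source-file extension, so an extension
# hit on its own is a weak indicator and is not escalated by itself.
DHARMA_EXTENSIONS = {".adobe", ".bip", ".combo", ".cezar", ".eth", ".java", ".xxxxx", ".like"}
RANSOM_NOTE_NAMES = {"info.hta", "files encrypted.txt"}

# Assumption (not from the course text): AES output has close to 8 bits
# of entropy per byte; 7.5 is a common working threshold for "encrypted".
ENTROPY_THRESHOLD = 7.5
# Assumption: two or more high-entropy files with a Dharma extension, or
# any ransom note, is enough to escalate the directory.
MIN_ENCRYPTED_FILES = 2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(name: str, data: bytes) -> list[str]:
    """Return the indicator tags that apply to a single file."""
    tags = []
    lower = Path(name).name.lower()
    if lower in RANSOM_NOTE_NAMES:
        tags.append("ransom-note-name")
    if Path(lower).suffix in DHARMA_EXTENSIONS:
        tags.append("dharma-extension")
        # Only check content for files that already look renamed by Dharma.
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            tags.append("high-entropy-content")
    return tags


def assess(files: dict[str, bytes]) -> tuple[dict[str, list[str]], str]:
    """Classify every file and derive a directory-level verdict."""
    report = {name: classify_file(name, data) for name, data in files.items()}
    notes = sum("ransom-note-name" in tags for tags in report.values())
    encrypted = sum("high-entropy-content" in tags for tags in report.values())
    verdict = "likely-ransomware" if notes or encrypted >= MIN_ENCRYPTED_FILES else "clean"
    return report, verdict


def _pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Constructed stand-in for AES output: deterministic uniform random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed sample directory: two "encrypted" documents, a ransom note,
# a plain text file and a legitimate Java source file.
SAMPLE_FILES = {
    "quarterly.xlsx.adobe": _pseudo_ciphertext(1),
    "contract.docx.bip": _pseudo_ciphertext(2),
    "Info.hta": b"<html><body>All your files have been encrypted!</body></html>",
    "readme.txt": b"Meeting notes for Monday: review the budget and the roadmap.\n",
    "Main.java": b"public class Main { public static void main(String[] a) {} }\n",
}

if __name__ == "__main__":
    report, verdict = assess(SAMPLE_FILES)
    for name, tags in report.items():
        print(f"{name:24s} {', '.join(tags) or '-'}")
    print("verdict:", verdict)
```

Run against the constructed listing, the two renamed documents are tagged with both the extension and the high-entropy indicators, Info.hta is tagged as a ransom note, Main.java gets only the weak extension tag, and the directory verdict is "likely-ransomware". In a real deployment the same logic would be fed from a file-share walk or an EDR file-event stream, and the verdict would trigger isolation and restore-from-backup procedures rather than any contact with the address in the note.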
