Ransomware & Beyond

When asked to speak about the topic “Ransomware”, and especially to an experienced audience that attends “BotConf”, what new can one tell? Well, maybe sharing some experiences from the research in ransomware we conducted, the explosive increase in 2016, why it took so long for the industry to come up with solutions, experiences in take-downs, and where ransomware goes next?

A few years ago I transferred internally to another department. After having run IR teams and some major IR gigs around the world, my mission was to assist IR folks and start designing better threat-intelligence correlation and analysis to support detection of breaches. One of my first missions was to keep an eye on the development of ‘CryptoLocker’, a crypto-ransomware family that was getting loud and needed proper coverage. After setting up some hunting rules internally and externally, we nicely collected the samples and indicators, verified whether they were covered by our signatures, and if not, adjusted and pushed… easy, right? Well, you can keep up with that if there is no massive change or custom DGAs and there are only a few ransomware families. After participating in Operation Tovar, the infrastructure seeding CryptoLocker was gone and it seemed to be nice and quiet. Wrong! The next culprit popped up after a bumpy start, and CryptoWall was taking over the ranks. With some other families popping up as well, it was clear that ‘traditional’ ways of detecting malware were not sufficient for detecting and blocking ransomware. During the presentation I will share some of the approaches we have been researching around ransomware and where the challenges are.

In 2016 we saw a huge increase starting in February/March. Where in January we were tracking 10-15 major ransomware families, we soon faced 5-6 new families a week, and we have now passed 200 families. What happened, why this explosion, and why did it push the industry to change its approach towards ransomware and come up with a solution?

Not only did we as a private industry need the call to action, but international law enforcement also received more and more complaints from ransomware victims. After many months of meetings, the initiative “No More Ransom” was started, where government and private parties joined forces to start dealing with ransomware. Assisting in identifying the ransomware family, delivering decryption tools, and taking down infrastructures, which prevented 1.35 million euros from being paid out to the criminals, were some of the first successes.

Where does ransomware go next? It was a question we asked ourselves this year, and we started to develop some proof-of-concept projects applying the “Frankenstein model”, aka putting a few evil pieces together to create a new concept. I will show some demo videos of our research, where we put ransomware on an access point that is also the controller of the home automation. Secondly, we were successful in uploading ransomware to a car IVI, from which we could stop the brakes of the car and display the ransom note on the display.

Christiaan Beek