Friday 5 October 10:00 - 10:30, Green room
Alexander Adamov (NioGuard Security Lab)
Despite threat actors switching from crypto extortion to cryptomining – a promising new area in which to earn millions of dollars [1], overtaking, for instance, the WannaCry ransomware in number of infections [2] – it is too early to talk about the extinction of ransomware. Cybersecurity Ventures predicted that global costs of damage due to ransomware would exceed $11.5 billion annually by 2019 [3]. Meanwhile, the cryptocurrency hype helps criminals push even more ransomware [4].
The new ransomware-as-a-service (RaaS) GandCrab (for which a decryptor is available at [5]) showed an unexpected rise at the beginning of 2018, threatening to become the number one piece of ransomware [6] and outshine the well-known RaaS players from 2016 and 2017: Cerber, Locky and Spora [7]. Waiting for a GandCrab update.
The question most ransomware victims usually ask is: 'Can I decrypt my files without paying the ransom?' To answer this, it is necessary first to figure out how the ransomware encrypts the user's files. In particular:
This is where ransomware cryptanalysis comes into play. Unfortunately, such an analysis requires significant effort from an expert with specific reverse engineering skills and may take an indefinite amount of time [8]. To assist the crypto researcher on this honourable path, artificial intelligence may come in handy.
In this talk, we’ll take a deep look under the hood at the top ransomware families of 2017: Locky [9], Cerber [10], Spora [11], as well as MoneroPay ransomware [12] - a fake cryptocurrency discovered at the beginning of 2018 (for which a decryptor is available at [13]).
Specifically, we’ll shed light on:
Artificial intelligence will help us recognize cryptographic primitives via machine learning algorithms, dramatically reducing the time needed to locate and attribute the crypto code during ransomware analysis in the cases where a signature-based approach does not work.
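As an added illustration of the signature-based baseline the abstract says falls short (this is not code from the talk or from NioGuard), the scan below looks for well-known crypto table constants and crypto-library import names in a byte image; the constants are public values, while the import-name list and the two sample images are constructed assumptions.

```python
import struct

# Leading bytes of well-known crypto tables (public constants, not values from the page):
AES_SBOX = bytes.fromhex("637c777bf26b6fc5")                  # AES forward S-box
SHA256_K = (0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5)  # SHA-256 round constants
MD5_T = (0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee)     # MD5 sine table

def _words(words, endian):
    """Pack 32-bit constants the way a compiler would store them."""
    return struct.pack(endian + "%dI" % len(words), *words)

# Each primitive maps to the byte patterns that reveal it in an image (both endiannesses).
SIGNATURES = {
    "AES S-box": [AES_SBOX],
    "SHA-256 K": [_words(SHA256_K, "<"), _words(SHA256_K, ">")],
    "MD5 T": [_words(MD5_T, "<"), _words(MD5_T, ">")],
}

# Import names that also betray crypto use (assumed, illustrative list).
API_NAMES = [b"CryptEncrypt", b"CryptGenKey", b"BCryptEncrypt", b"EVP_EncryptInit"]

def locate_crypto(image: bytes):
    """Signature-based crypto localization: (label, offset) pairs sorted by offset."""
    hits = []
    for label, patterns in SIGNATURES.items():
        for pat in patterns:
            pos = image.find(pat)
            while pos != -1:
                hits.append((label, pos))
                pos = image.find(pat, pos + 1)
    for name in API_NAMES:
        pos = image.find(name)
        if pos != -1:
            hits.append(("import " + name.decode(), pos))
    return sorted(hits, key=lambda h: h[1])

# Constructed samples (not bytes from any real ransomware):
# 1. a statically linked implementation carries its tables, so the signatures fire
STATIC_SAMPLE = b"\x90" * 64 + AES_SBOX + b"\x00" * 32 + _words(SHA256_K, "<") + b"\xcc" * 16
# 2. the same code with its constants masked until run time: nothing left to match
OBFUSCATED_SAMPLE = bytes(b ^ 0x5A for b in STATIC_SAMPLE)

if __name__ == "__main__":
    print(locate_crypto(STATIC_SAMPLE))      # [('AES S-box', 64), ('SHA-256 K', 104)]
    print(locate_crypto(OBFUSCATED_SAMPLE))  # [] : the gap a learned classifier must fill
```

The empty result for the second sample is the situation the talk targets: when tables are decoded at run time or the primitive is implemented without its usual constants, byte signatures give the analyst nothing to anchor on.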
This talk will appeal to fans of reverse engineering, machine learning, and ransomware analysis.
[3] https://cybersecurityventures.com/ransomware-damage-report-2017-part-2/
[4] https://www.fortinet.com/blog/threat-research/spritecoin-another-new-cryptocurrency-or-not.html
[5] https://www.nomoreransom.org/en/index.html
[6] https://twitter.com/WDSecurity/status/968270740549193730
[8] https://blog.checkpoint.com/wp-content/uploads/2016/10/GreatCryptoFailuresWhitepaper_Draft2.pdf
[9] https://www.acronis.com/en-us/blog/posts/locky-empire-strikes-back
[10] https://nioguard.blogspot.com/2017/07/new-variant-of-cerber-ransomware-ferber.html
[11] https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/
[12] https://nioguard.blogspot.com/2018/02/decryptor-for-moneropay-ransomware.html
[13] https://github.com/AlexanderAda/Ransomware-Decryptors/tree/master/MoneroPay
Alexander Adamov is the founder and CEO of NioGuard Security Lab, analysing targeted attacks and ransomware to create smart cybersecurity solutions with AI. As a teacher, he develops and teaches the Advanced Malware Analysis course in universities in Ukraine and Sweden. Alexander has worked for Kaspersky Lab, Lavasoft, Samsung and Mirantis, and has spoken at various security conferences and workshops such as Virus Bulletin, Kaspersky Virus Analysts Summit, OpenStack Summit, OWASP, HackIT, and BSides.