ToorCon XX - Ransomware Versus Cryptojacking


Ransomware and cryptojacking have been recognized as the top malware threats in 2018. Financially motivated cybercriminals are attracted to both since both remain viable means of generating illicit income. In this talk, we delve deep into the latest characteristics observed in ransomware and cryptojacking attacks. Modern ransomware go beyond mere data encryption and come bundled with other threats, while cryptojacking attacks exploit unsuspecting web users by deploying embedded JavaScript miners concealed in websites. We discuss the intricate characteristics of sophisticated modern ransomware variants, cryptojacking attacks, and the results of our web crawl identifying websites involved in cryptojacking. Finally, we compare ransomware and cryptojacking in terms of their potential to generate illicit income for cybercriminals versus the levels of sophistication required to implement their respective campaigns. Modern malware present multi-faceted threats that leverage a variety of attack vectors. Leading the malware threatscape in 2018 are ransomware and cryptojacking attacks, and the more evolved variants are now implementing targeted attacks against organizations (e.g. SamSam). These modern ransomware include a hybrid cryptosystem that uses a combination of symmetric and asymmetric cryptography. In recent practice, ransomware are going beyond mere data encryption and come bundled with other threats. We present real-world cases of ransomware where we observed these cryptoviral extortions drop trojan horses (e.g. RAA dropping pony) and cryptominers (e.g. BlackRuby). Our research shows that these secondary infections remain active on host even after the ransom is paid. During this talk, we will also discuss how elliptic curve cryptography (ECIES) is deployed in modern ransomware (e.g. Petya and PetrWrap) and the tactical advantages it provides (over RSA) to ransomware operators. We will show how many ransomware variants purge shadow copies (via vssadmin), encrypt network backups (using WNetAddConnection2), and use the latest anti-virus circumvention techniques such as “process doppelganging” (e.g. SynAck ransomware). In addition, we will discuss the results of our preliminary web crawl that identified cryptojacking scripts embedded across a variety of websites. We will discuss just how cryptojacking works, why it is rampantly spreading, how it effects organizations and individuals and how to effectively protect an organization and its employees against it. In conclusion, we will discuss the future of the most potent ransomware and cryptojacking malware as predicted via analysis of real-world malware samples observed lately in the wild. We will also explore new attack vectors (besides phishing) deployed by these malware such as exploiting critical vulnerabilities (e.g. the infamous EternalBlue) or brute forcing remote services (e.g. RDP or SSH). All arguments presented during the talk will be backed by empirical evidence in form of system snapshots, code snippets, and network packet dumps as collected from real-world malware.

Sep 15, 2018
San Diego, CA



Pranshu Bajpai
Pranshu Bajpai
Security Architect

PhD, Michigan State University.