See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/313905642

RANSOMWARE: Most Recent Threat to Computer Network Security

Presentation · February 2017

DOI: 10.13140/RG.2.2.31592.67841

CITATIONS READS

0 2,239

2 authors:

Segun I. Popoola Samuel Ndueso John

Manchester Metropolitan University Nigerian Defence Academy
114 PUBLICATIONS   830 CITATIONS    48 PUBLICATIONS   171 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

ANFIS for Protection System in Transmission Line View project

Software Defined and Cognitive Radio Testbed (SoDCRaT) View project

All content following this page was uploaded by Segun I. Popoola on 24 February 2017.

The user has requested enhancement of the downloaded file.

 A Seminar Presentation on

RANSOMWARE: Most Recent Threat to Computer

Network Security

POPOOLA, Segun Isaiah

(16PCK01420)

Network Security and Management (ICE 817)

Course Lecturer: Prof. Samuel N. JOHN

Department of Electrical and Information Engineering

Covenant University
Ota, Nigeria

23rd February, 2017.

 Ransomware is a type of malicious
software designed to block access to
a computer system until a sum of
money is paid.
 Introduction
 Ransomware installs covertly on a victim's device to either mount
o the cryptoviral extortion attack from cryptovirology that holds the
victim's data hostage, or

o the cryptovirology leakware attack that threatens to publish the

victim's data.

 The malware encrypts the victim's files, making them inaccessible, and
demands a ransom payment to decrypt them [1].
 Common Ways of Launching Attacks
 Ransomware may encrypt the
oComputer's Master File Table (MFT) [2, 3] or
oEntire hard drive.
 It is a denial-of-access attack that prevents computer
users from accessing files since it is intractable to decrypt
the files without the decryption key.
 Ransomware attacks are typically carried out using
a Trojan that has a payload disguised as a legitimate file.
 Common Ways of Launching Attacks
 About 80% of ransomware attacks exploit
vulnerabilities in Flash that firms should
have patched.
 Destructive ransomware can spread by
itself and hold entire networks (i.e.
companies) hostage.
Most Recent Statistics

Source: http://blog.landesk.com/en/infographic-the-8-scariest-stats-about-ransomware
Current Trends of Ransomware Attacks
• According to 2016 Cisco Midyear Cyber-security Report [4],
ransomware has become the most profitable type of malware

Source: http://blog.landesk.com/en/infographic-the-8-scariest-stats-about-ransomware
 Current Trends of Ransomware Attacks (Cont’d)
 Nearly 40 percent of ransomware victims paid the
ransom [6]
 The business of ransomware is on pace to be a $1
billion-a-year crime [6].
 Three out of four ransomware gangs are willing to
negotiate prices for decryption.
 On average, they will give a 29% discount on the fee initially
demanded [5].
Current Trends of Ransomware Attacks
 Today, ransomware attacks are targeted at
organizations rather than individuals.
Overall, nearly half (46%) of firms have
encountered ransomware attacks [8]:
57% of medium-size organizations and;
53% of large organizations.
Current Trends of Ransomware Attacks (Cont’d)

 Willingness to pay is surprisingly high.

IBM found that [9]
20% of executives would be prepared to pay
over $40,000 each
25% would shell out $20,000-$40,000 and
11% would pay $10,000-$20,000.
 Current Trends of Ransomware Attacks (Cont’d)
 Healthcare and financial services were the
most heavily affected industries in 2016.
oThe Methodist Hospital in Henderson, Kentucky
had its patient records encrypted, but was able
to continue working, thanks to back-ups.
oThe Chino Valley Medical Centre and the Desert
Valley Hospital in California were also attacked.
Current Trends of Ransomware Attacks (Cont’d)

o Stolen administrative credentials are being used to infect

servers with a ransomware variant dubbed ‘SamSam’.
o In particular, Jboss application servers are being targeted
using the JexBoss security testing tool.
o A report from Intel [7] suggests that the criminals using
this malware are also harvesting Active Directory
credentials as a way of breaking into other servers in
order to infect them.
 2017 Ransomware Attack
 St. Louis Libraries in Missouri City, United
States of America
All the 700 computers of the city’s 16 public
libraries were infected with ransomware
The system is believed to have been infected
through a centralized computer server, and staff
emails have also been frozen by the virus.
2017 Ransomware Attack
 2017 Ransomware Attack

Hackers are demanding $35,000 (£28,000)

to restore the system after the cyber-attack.

The library authority has resolved not to

pay but to wipe its entire computer system
and rebuild it from scratch, a solution that
may take weeks.
 Failed Ransomware Attacks

 Hitler Ransomware
It claims to have encrypted the victim's files, but in fact
simply deletes file extensions for anything found in
certain directories.
After an hour it crashes the PC and, on reboot, deletes the
files.
The payment demanded is a cash code for a E25 Euro
Vodafone Card.
Text found in the code suggests it originates in Germany.
 Failed Ransomware Attacks (Cont’d)
 Fake Windows 10 Lock Screen
It tells the user that their license has expired, turns out to have
the decryption key buried in the code.
Researchers from Symantec discovered that, while the
criminals had gone to considerable effort to set up fake tech
support websites for the scam, the phone number they gave out
for victims to call was never answered and was soon
disconnected.
On reverse engineering the code, the researchers found the
decryption key (8716098676542789) plainly visible.
 Failed Ransomware Attacks (Cont’d)

 ‘PowerWare’ and ‘Bart’

They have been cracked by security researchers who
found flaws in the malware.
A team at Palo Alto Networks found that PowerWare,
while trying to emulate the notorious Locky strain, had
weak encryption and hard-coded keys.
The company published a decryption tool and AVG
created a decryptor for Bart due to the malware's poor
encryption algorithm.
 Failed Ransomware Attacks (Cont’d)

 Chimera ransomware
The decryption keys of the Chimera ransomware
have also been published by a rival ransomware
gang known as Janus.
Janus aimed at ensuring there are enough
victims available for its own malware, dubbed
Mischa, which also uses some of the Chimera
source code.
 Failed Ransomware Attacks (Cont’d)
The Chimera malware was never especially widespread,
being aimed mainly at smaller German businesses.
But it was notable for the threat from its creators that they would
publish victims' private documents and login credentials if they didn't
pay up.
Security firms had yet to write a decryptor using the
published keys.
Victims are advised to keep the encrypted versions of their files safe
for later decryption once the relevant tool is available.
 Current Solution
 Kaspersky Lab and Intel have joined forces with
Interpol and the Dutch National Police to set up a
website (www.nomoreransom.org) aimed at helping
people to avoid falling victim to ransomware.

The website will host decryption keys and tools for those
ransomware strains that have been cracked by security
researchers.
 References
1. Mehmood, Shafqa. "Enterprise Survival Guide for Ransomware
Attacks". SANS Information Security Training | Cyber
Certifications | Research. Available at www.sans.org.
2. Jack Schofield. "How can I remove a ransomware infection?" The
Guardian. Retrieved 28 July 2016.
3. Michael Mimoso. "Petya Ransomware Master File Table
Encryption". Available at www.threatpost.com.
4. Cisco, Midyear Cyber-security Report. Available at
https://newsroom.cisco.com/press-release-content?type=press-
release&articleId=1780586
 References
5. Security firm F-Secure Report.
https://fsecureconsumer.files.wordpress.com/2016/07/customer_j
ourney_of_crypto-ransomware_f-secure.pdf
6. Malwarebytes.
ttps://go.malwarebytes.com/OstermanRansomwareSurvey.html
7. Intel Incorporation. http://intel.ly/1SC6Cwy
8. News. Ransomware becomes most popular form of attack as
payouts approach $1bn a year, Network Security, Volume 2017,
Issue 1, January 2017, Pages 1-2
9. IBM. https://ibm.biz/RansomwareReport

View publication stats