Security experts Lance James and John Bambenek tell the Black Hat USA audience how they got together on the CryptoLocker ransomware case and how it went.
Black Hat USA host: With no further ado, I will introduce our speakers today. We have John Bambenek and Lance James.
Lance James: So, everybody knows what ransomware is this year, right? Please raise your hand. Anybody get infected with it? Keep those hands up. No, just kidding. Has anyone actually had a problem with it this year, whether it’s clients or personal – grandma, whatever? In a room this size, at 9 am, we’ve got a significant amount.
John, really, gets most of the credit for writing this talk, because he’s not a procrastinator like I am. We aren’t going to talk about ransomware, obviously, from the perspective of people who don’t know. We are going to skip that, if most people got a clue there. We are going to talk about some history of ransomware.
And a study of CryptoLocker – John and I kind of put together the CryptoLocker working group when this whole incident last year came about, CryptoLocker coming on the scene. We are going to go through that (see image above). We will discuss the intelligence response to it and the success. And pieces that were difficult as well, slowdowns, things like that. The lessons you can learn and take for the next round.
And we have kind of a major theme we want to talk about that’s important – how to do takedowns right. Liaisons of law enforcement and the industry – where the industry plays and where the government or law enforcement may stop; how to work with international laws and also just in general how to work with people’s skills, really. And then, we’ll look at what we’re dealing with in the future.
By the way, I’m Lance James, Head of Cyber Intelligence at Deloitte.
John Bambenek: And he smells delicious. Afterwards you should really smell him, because it’s quite mansome. My name is John Bambenek, I run my own firm Bambenek Consulting and I’m also affiliated with the SANS Internet Storm Center.
Lance: Is “Bambenek” related to Bambenek you?
Lance: Ok, cool. I was just double-checking.
John: I just lack creativity.
Lance: Got it. You’re going to have to work on that when we leave.
John: I’ll be right on that. So, a quick description of what ransomware is – you know, any attack that relies on extortion. It wouldn’t be a talk if it didn’t involve a lolcat, but this one is actually relevant (see left-hand image). There are generally two types (see right-hand image). There’s “cop” ransomware – you know, we’re locking your computer, pay a fine to the FBI or NCA, or whatever particular thing. Generally, you get it because you’ve done something naughty. There have been a couple of cases where somebody has been perusing child pornography, gets ransomware that says, “Oh, thanks for reporting this problem; oh, by the way, you are under arrest for child porn. But no, thank you for reporting this.”
And the second type, which is mostly what we are going to talk about today, is cryptography/locker ransomware, where basically information is being held hostage for ransom.
Lance: Yeah. I’m going to bring up the first piece, even though it’s not the biggest theme in our talk. It’s ransomware in general, from a psychological perspective. We are going to go through CryptoLocker’s psychological effect to the user. The first type we’ve seen, actually, was a situation that I think was in Romania. Someone actually committed suicide over a piece of ransomware, believing it was real. I don’t know necessarily all the details or anything like that, but it has caused severe kinetic effects.
John: You actually jumped ahead. We’re talking about that in the next slide.
Lance: Oh damn!
John: Ransomware, despite CryptoLocker and ransomware generally being in the news since late 2013, is not something that’s really new. It’s not a new phenomenon (see left-hand image). The first known prominent case goes all the way back to 1989, where ransomware was spread with what’s called the AIDS trojan, or AIDS virus, on floppy disks. You had to send money to a PO Box to get whatever to unlock your computer. So, very slow – I guess it was effective for ’89 – but there wasn’t a whole lot you could do with it. But this is a concept that has been around for a long time. Early this century, because of ways technology developed, there’s all sorts of new means to leverage this particular attack threat (see right-hand image). You’ve got electronic delivery via network, watering hole attacks, which we’ve seen just recently and which I’ll talk about towards the end. There’s all sorts of naughty websites, where you get the “cop” ransomware. The means of electronic payment – sending money to a PO Box in Panama and waiting for something to come back takes time. With Bitcoin, you can process that fairly quickly. There are some other means of payment that we’ll talk about.
But generally, at least prior to CryptoLocker, the encryption was still unsophisticated. I mean, just think of how much we as an industry screw up encryption – the bad guys have basically the same problem.
Lance: Yeah, tons of it is usually homebrew. If you have never done any malware reversing and don’t really understand this, the difference between the symmetric and asymmetric in the effectiveness is that the symmetric key is usually a part of the binary of the malware itself. Historically, security researchers have recovered this quite easily and been able to provide a quick way to unlock one’s files. Today, with two-key encryption, this is something we thought probably would come a lot earlier than it did, I would say, but it actually came last year pretty much. And that was our big scare, like, when is that going to happen? Someone is going to actually implement public-key cryptography for malware in general, and in this case ransomware.
John: Ransomware generally was a growing threat. There’s Reveton, a couple of other things that I mentioned in the bottom of that slide (see left-hand image), that have been happening. Encryption is hard, and people get it right. Lance talked about it. Even when people did asymmetric encryption, there were ways to get the private key, either it was on the machine or there were some other means of recovering it. Or they used the same private key to encrypt all of their victims, so once you steal one key you’ve got everything done. So usually there was some way to recover the data. With all these things in mind, there’s a research where somebody says, “Oh, ransomware – this is scary.” I’m not taking it particularly seriously. When somebody says “ransomware” I’m thinking something more along the lines of this (see right-hand image). A crying baby who’s got her Angry Birds stolen. It’s a marketing threat. Ransomware was kind of the purview, at least in my mind, of chumbolones and jackalopes. And right now you’re hearing a bunch of people look up chumbolones in the Urban Dictionary.
Those are unsophisticated actors. People who may have caused harm, because you don’t need a lot of skill to cause harm, but nothing that’s really going to cause large-scale, real things that would capture my interest. As somebody who grew up on MTV, when they still played music, I’ve kind of got ADD, so it’s kind of hard to capture my interest.