BSidesSF 2018 has ended
Back To Schedule
Monday, April 16 • 4:10pm - 4:40pm
Prospecting Ransomware Tech

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
2017 was a year with a large increase of ransomware families and malware technologies. Some malware technologies are not dangerous enough unless they get mixed with others, yet somehow most of them end up into ransomwares and botnets. Wannacry and Not-Petya were empowered with SMB exploits for mass spreading. Not-Petya, GoldenEye and Armalocky make use of low-level disk encryption to alter the user data at sector level. GlobeImposter, BTCWare and Troldesh/Crysis was spread using RDP sessions. We also have a large number of the first two of them, packed with the packer used by the Emotet polymorphic packer. Some of the ransom families get sold through RaaS portals, allowing any end-user to become a potential ransomware owner; Satan ransomware is an example of such a case. A strange one, UIWIX ransomware which probably was reshaped, was distributed by the Adylkuzz coinminer in certain circumstances by October 2017. The coinminer is known for its SMB exploit component and its preference for monero coin. In this presentation we will evaluate the mix of malware technologies used by the ransomwares born in 2017, both for their distribution and the encryption algorithms, in an attempt to picture what’s coming next.


Vlad Craciun

Senior Team Lead, Cyber Threat Intelligence Lab, Bitdefender
Vlad Craciun was born in Piatra Neamt in 1986. He has been analyzing different types of malware and file infectors in an R&D lab since 2009. He finished his Master's degree in 2012 at the "Gh. Asachi" technical University of Iasi with a thesis entitled "Advanced binary analysis using... Read More →

Monday April 16, 2018 4:10pm - 4:40pm PDT
City View - Presidio