BSidesSF 2018

2017 was a year with a large increase of ransomware families and malware technologies. Some malware technologies are not dangerous enough unless they get mixed with others, yet somehow most of them end up into ransomwares and botnets. Wannacry and Not-Petya were empowered with SMB exploits for mass spreading. Not-Petya, GoldenEye and Armalocky make use of low-level disk encryption to alter the user data at sector level. GlobeImposter, BTCWare and Troldesh/Crysis was spread using RDP sessions. We also have a large number of the first two of them, packed with the packer used by the Emotet polymorphic packer. Some of the ransom families get sold through RaaS portals, allowing any end-user to become a potential ransomware owner; Satan ransomware is an example of such a case. A strange one, UIWIX ransomware which probably was reshaped, was distributed by the Adylkuzz coinminer in certain circumstances by October 2017. The coinminer is known for its SMB exploit component and its preference for monero coin. In this presentation we will evaluate the mix of malware technologies used by the ransomwares born in 2017, both for their distribution and the encryption algorithms, in an attempt to picture what’s coming next.