Deconstructing 100% JavaScript-based Ransomware

BSides Tampa 2017

Presented by: Jeremy Rasmussen, Paolo Soto
Date: Saturday February 11, 2017
Time: 14:00 - 14:45
Location: Smith Courtroom

Since June of 2016, the world has been plagued by new variants of Locky ransomware that are based solely on JavaScript. This truly sucks because on Windows, JavaScript outside your browser runs in the Windows Script Host, which doesn't sandbox the script code, so it can do whatever it wants. Also, malware authors get access to already-built crypto APIs that make their job much easier. This evolution has aided the spread of the malware even further than previously seen with other ransomware. In this talk, we will dissect the JS/Ransom-DDL malware and see how it works -- in terms of its installation, payload, command & control, encryption, obfuscation, etc., and even its evil attempt to install a secondary Trojan to steal passwords. Finally, we will try to come up with some practical countermeasures to help thwart it and its variants in the future.

Jeremy Rasmussen

Jeremy is an adjunct professor at the University of South Florida and founder of the USF Whitehatters Computer Security Club (WCSC). Since 2000, he has taught USF courses in Cryptography and Network Security, Computer Forensics and Investigations, Ethical Hacking, Embedded Systems Security, and Mobile & Wireless Security. Jeremy has about 25 years of experience in developing secure communications systems, cryptographic devices, and cybersecurity solutions. His company Abacode provides the Cyber Lorica network security monitoring solution. His team also performs network vulnerability audits, forensic incident response, product vulnerability analysis, penetration testing/red teaming, security policy development, cybersecurity training, and R&D into automated software assurance tools and secure mobile platforms. He is a past speaker at BSides Tampa.

Paolo Soto

Paolo is a senior cybersecurity engineer at Abacode. He earned a BS in Computer Science from UC Berkeley and specializes in the field of mobile security, specifically the Android and iOS platforms. His research on evading host-based intrusion detection has been published in the ACM Conference on Computer and Communications Security. Paolo prefers researching exploitation techniques involving memory corruption and privacy flaws in mobile applications. He is a past speaker at Black Hat Europe.

