I Wrote My Own Ransomware; Did Not Make 1 Iota Of A Bitcoin (presented at DeepSec 2017)

by Thomas Fischer

Summary: 2016 saw a substantial rise in ransomware attacks and in some cases the return of some favourites, with Cryptowall, CTB-Locker and TeslaCrypt being some of the most popular. The volume of attacks was in fact pretty steady for a good part of the year, with regular campaigns coming out on a weekly basis. It was interesting to see the variety in mechanisms used for the ransomware, which not only included self-contained binaries but went all the way to the use of scripts. As part of the research I conducted last year, I wanted to understand why there's such a drive and lure for ransomware, outside of the victims' payment, as well as have some way of properly testing "anti-ransomware" solutions with an unknown variant. So to do that, I went ahead and built my own ransomware and drew some conclusions on why it became so popular. This talk explores the background and process used to build a live ransomware that I was able to use for controlled testing, and finally draws some of my own personal conclusions.
With over 25 years of experience, Thomas has a unique view on security in the enterprise, with experience in multiple domains from risk management and secure development to incident response and forensics. In his career he has held varying roles, from incident responder to security architect, for Fortune 500 companies as well as industry vendors and consulting organizations. Currently he plays a lead role in advising customers while investigating malicious activity and analyzing threats for Digital Guardian. He is also a strong advocate of knowledge sharing and mentoring through being an active participant in the infosec community, not only as a member but also as a director of Security BSides London and as an ISSA UK chapter board member.
Enhancing Control Flow Graph Based Binary Function Identification
Clemens Jonischkeit, Julian Kirsch (Technical University of Munich)
Detection of binary functions in compiled code is a major stepping stone towards any advanced binary analysis technique. Nucleus [1] is a novel algorithm based on the idea of using the interprocedural control flow graph to detect function boundaries. Building upon this technology, we propose a new approach to the related problem of identifying previously seen, known functions within a binary. Our idea is based on comparing the control flow graphs (CFGs) of unknown functions from a binary to known functions from a previously generated database. Compared to traditional approaches, our method is aware that the underlying graph matching problem is being performed on CFGs of binary code: first, it utilizes instruction-level knowledge about basic blocks as additional constraints for graph isomorphism; second, optimizations and transformations introduced by different compilers that affect the shape of the CFG are taken into account.

Our approach aims to avoid false positives (wrongly assigning a known function symbol to an unknown function) at all costs. The evaluation shows that this method is very effective in reducing false positive matches (below one percent in most cases) while maintaining recall rates as high as 72.8% when matching functions across two different nginx versions (1.12.1 and 1.10.3).
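The constrained CFG matching described above, as an added example that is neither the paper's code nor part of Nucleus: a small Python backtracking graph matcher that only pairs basic blocks whose instruction content agrees, and that refuses to assign a symbol when more than one database entry matches. The CFGs, the "multiset of mnemonics" block signature (an assumed stand-in for the paper's instruction-level constraints) and the ambiguity rule are all constructed here for illustration; the sample functions are toy disassembly, not real nginx code.

```python
"""Constrained CFG matching of unknown binary functions against a database
of known functions (added illustration; all CFGs below are constructed toys).

A CFG is {block_id: (instructions, successors)}: instructions are lines of
disassembly text, successors are block ids. Block ids and operands differ
between builds, so neither is used for matching."""
from collections import Counter


def block_signature(instrs):
    """Operand-agnostic block signature: the multiset of mnemonics.
    Registers and immediates change with register allocation and layout;
    mnemonics are far more stable across builds, so only they constrain
    which blocks may be paired. (Assumed simplification of the paper's
    instruction-level constraints.)"""
    return tuple(sorted(Counter(ins.split()[0].lower() for ins in instrs).items()))


def _normalize(cfg):
    return {b: (block_signature(ins), tuple(succ)) for b, (ins, succ) in cfg.items()}


def _indegrees(g):
    d = Counter()
    for _, (_, succ) in g.items():
        for t in succ:
            d[t] += 1
    return d


def constrained_isomorphic(unknown, known, use_instructions=True):
    """Backtracking search for a bijection unknown-block -> known-block that
    preserves every edge and, when use_instructions is set, pairs only
    blocks with equal signatures. Returns the mapping, or None."""
    u, k = _normalize(unknown), _normalize(known)
    if len(u) != len(k):
        return None
    uin, kin = _indegrees(u), _indegrees(k)
    # Most-constrained blocks first (highest out-degree) prunes the search early.
    u_blocks = sorted(u, key=lambda b: -len(u[b][1]))

    def candidates(ub, mapping):
        used = set(mapping.values())
        for kb in k:
            if kb in used:
                continue
            if use_instructions and u[ub][0] != k[kb][0]:
                continue
            if len(u[ub][1]) != len(k[kb][1]) or uin[ub] != kin[kb]:
                continue
            if (ub in u[ub][1]) != (kb in k[kb][1]):  # self-loop must agree
                continue
            yield kb

    def consistent(ub, kb, mapping):
        # Every edge to or from an already-mapped block must exist in both
        # graphs or in neither; this is the graph-isomorphism constraint.
        for a, b in mapping.items():
            if (ub in u[a][1]) != (kb in k[b][1]):
                return False
            if (a in u[ub][1]) != (b in k[kb][1]):
                return False
        return True

    def search(i, mapping):
        if i == len(u_blocks):
            return dict(mapping)
        ub = u_blocks[i]
        for kb in candidates(ub, mapping):
            if consistent(ub, kb, mapping):
                mapping[ub] = kb
                found = search(i + 1, mapping)
                if found is not None:
                    return found
                del mapping[ub]
        return None

    return search(0, {})


def identify(unknown, database, use_instructions=True):
    """Assign a known symbol only when exactly one database entry matches.
    An ambiguous match is reported as no match: a wrong symbol (false
    positive) is the costly error, a missing one only costs recall."""
    hits = [name for name, cfg in database.items()
            if constrained_isomorphic(unknown, cfg, use_instructions) is not None]
    return hits[0] if len(hits) == 1 else None


# Constructed sample database: two functions with the identical diamond-shaped
# CFG, distinguishable only by what their basic blocks contain.
KNOWN_DB = {
    "checked_copy": {
        "B0": (["push rbp", "mov rbp, rsp", "cmp rdi, 0", "je B2"], ["B1", "B2"]),
        "B1": (["mov rax, rdi", "call memcpy", "jmp B3"], ["B3"]),
        "B2": (["mov eax, -1"], ["B3"]),
        "B3": (["pop rbp", "ret"], []),
    },
    "checked_free": {
        "B0": (["push rbp", "mov rbp, rsp", "test rdi, rdi", "je B2"], ["B1", "B2"]),
        "B1": (["call free", "jmp B3"], ["B3"]),
        "B2": (["xor eax, eax"], ["B3"]),
        "B3": (["pop rbp", "ret"], []),
    },
}

# Constructed unknown: checked_copy as a different build would emit it, with
# another register assignment, fresh block labels and a different block order.
UNKNOWN = {
    "loc_10": (["push rbp", "mov rbp, rsp", "cmp rsi, 0", "je loc_30"], ["loc_20", "loc_30"]),
    "loc_30": (["mov eax, -1"], ["loc_40"]),
    "loc_20": (["mov rax, rsi", "call memcpy", "jmp loc_40"], ["loc_40"]),
    "loc_40": (["pop rbp", "ret"], []),
}

if __name__ == "__main__":
    print("with block constraints:   ", identify(UNKNOWN, KNOWN_DB))
    print("shape only (ambiguous):   ", identify(UNKNOWN, KNOWN_DB, use_instructions=False))
    print("mapping:", constrained_isomorphic(UNKNOWN, KNOWN_DB["checked_copy"]))
```

With block signatures enabled the unknown function is assigned to `checked_copy` and the block mapping is recovered; with pure shape matching both database entries are isomorphic, so the ambiguity rule returns no symbol rather than guessing. A real implementation would also need the paper's second ingredient, canonicalizing compiler-introduced CFG transformations (tail duplication, block splitting, inlined helpers) before comparison, which this toy does not attempt.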