What does it mean when a mobile phone shows that ransomware has gained control without infecting the phone?

Ransomware has been the most prevalent network threat since 2005. According to the available data, over the past 11 years ransomware infections have outnumbered data breach incidents 7,694 to 6,013. Over the years there have been two main types of ransomware: crypto-ransomware and locker ransomware. Crypto-ransomware typically encrypts files and folders, hard disks, and so on. Locker ransomware locks the user's device and is usually Android-based. The new generation of ransomware combines advanced distribution techniques (such as pre-built infrastructure for rapid and wide distribution) with advanced development techniques (such as using a crypter to make reverse engineering extremely difficult). In addition, offline encryption is becoming more and more popular: the ransomware uses legitimate system functions (such as the Microsoft CryptoAPI) to remove the need for command-and-control communication. Terrance DeJesus of Solutionary's Security Engineering Research Team (SERT) reviewed the development and highlights of ransomware over recent years.

AIDS Trojan
The first ransomware, the AIDS Trojan, was created in 1989 by Joseph L. Popp, a Harvard graduate. 20,000 infected floppy disks were distributed to attendees of the World Health Organization's International AIDS Conference. The Trojan's main weapon was symmetric encryption, and decryption tools could quickly recover the file names, but it opened an era of ransomware attacks that has now lasted nearly 30 years.

Archiveus
Nearly twenty years (17) after the first ransomware, the next one appeared: Archiveus. It was harder to remove, and it was the first ransomware in history to use RSA encryption. The Archiveus Trojan encrypted everything in the "My Documents" directory and required the user to make purchases from a specific website to obtain the password that would decrypt the files.
Archiveus was also the first ransomware to use asymmetric encryption.

2011
Five years after Archiveus, mainstream anonymous payment services made it easier for attackers to use ransomware to collect money from victims without revealing their identities. In the same year, ransomware Trojans imitating Windows product activation became popular. One such Trojan simulated the Windows product activation notice, telling the user that the installation had to be reactivated because of fraud, and directed the user to a fake online activation option that asked them to make an international call. The malware claimed the call was free, but it was actually routed to a rogue operator who put the call on hold, leaving the user with high international long-distance charges.

Reveton
In 2012 a major ransomware called Reveton began to spread across Europe. It was based on the Citadel Trojan and claimed that the computer had been used for illegal activities, demanding that the user pay a fine through a prepaid cash payment service to unlock the system. In some cases the screen displayed footage from the computer's webcam, making users believe their illegal behaviour had been recorded. Shortly afterwards many police-themed ransomware families appeared, such as Urausy and Tohfy. Researchers found a new Reveton variant in the United States claiming that a $200 fine had to be paid to the FBI with a MoneyPak card.

CryptoLocker
September 2013 was a critical moment in the history of ransomware, because that is when CryptoLocker was born. CryptoLocker was the first of the modern crypto-ransomware families, downloaded from compromised websites or sent to business users as an email attachment. CryptoLocker infections spread rapidly because it leveraged the existing Gameover Zeus botnet infrastructure. In 2014, Operation Tovar took down Gameover Zeus and CryptoLocker.
CryptoLocker uses AES-256 to encrypt files with specific extensions, and then encrypts the AES-256 key with a 2048-bit RSA key generated by the command-and-control server. The C2 server sits on the Tor network, which makes decryption difficult because the attacker keeps the RSA private key on the C2 and only the public key ever reaches the victim. The attackers threatened to delete the private key if the money was not received within three days.

CryptoDefense and CryptoWall
CryptoDefense appeared in 2014. It uses Tor and Bitcoin to stay anonymous and uses 2048-bit RSA encryption. CryptoDefense used the CryptoAPI built into Windows, and the private key was stored on the infected computer in plaintext, a flaw that was not discovered immediately. The creators of CryptoDefense soon released a renamed version, CryptoWall. Unlike CryptoDefense, CryptoWall does not store the encryption key anywhere users can get at it. CryptoWall spread quickly and widely because it rode on the Cutwail spam campaign, which mainly targeted the United States. CryptoWall also spread through exploit kits and was observed as the final payload downloaded in Upatre campaigns. CryptoWall has had many effective campaigns, all carried out by the same attacker. CryptoWall shows the progress of malware development: it maintains persistence by adding registry keys and copying itself to the Startup folder. In 2015 the Cyber Threat Alliance reported a worldwide CryptoWall campaign worth $325 million.

Sypeng and Koler
Sypeng can be considered the first Android-based ransomware; it locks the user's screen and displays an FBI penalty warning. Sypeng spreads through fake Adobe Flash updates sent in text messages and demands $200 via MoneyPak. The Koler ransomware is very similar to Sypeng: it also poses as the police and demands that the ransom be paid via MoneyPak.
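The key-management difference between CryptoLocker and CryptoDefense is the whole point of the paragraph above, so here is an added example (written for this page, not code from the article or from either malware family) showing the two-layer scheme with the Go standard library: a random AES-256 key encrypts the data and an RSA-2048 key wraps the AES key. AES-GCM, RSA-OAEP, the function names and the sample document are this example's own choices and assumptions; the real families used different modes and padding. The comparison function shows why CryptoDefense's mistake mattered: when the key pair is generated on the victim host and the private key stays on disk, the data can be decrypted locally without paying, whereas with CryptoLocker's layout no key present on the host unwraps anything.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// EncryptedFile is all that remains on the victim: the symmetric ciphertext and
// the per-victim AES key wrapped under an RSA public key. Recovery needs only
// the matching RSA private key, so where that key lives decides everything.
type EncryptedFile struct {
	Nonce, Ciphertext, WrappedKey []byte
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key (illustrative mode choice).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptHybrid is the two-layer scheme described above: a fresh random 256-bit
// AES key encrypts the data, then RSA-OAEP under the public key wraps that AES key.
func encryptHybrid(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	aesKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{nonce, gcm.Seal(nil, nonce, plaintext, nil), wrapped}, nil
}

// decryptHybrid unwraps the AES key with the RSA private key, then decrypts.
// With the wrong private key the OAEP unwrap fails and nothing is recovered.
func decryptHybrid(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// mustKey generates a 2048-bit RSA pair, the size both families used.
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// compareKeyLayouts reports whether the data is recoverable on the host under the
// CryptoDefense layout (pair generated on the victim via CryptoAPI, private key
// left on disk) and under the CryptoLocker layout (pair generated on the C2,
// only the public key ever reaches the host).
func compareKeyLayouts() (localLayoutRecoverable, c2LayoutRecoverable bool, err error) {
	sample := []byte("constructed sample document: quarterly report draft") // constructed input
	victimKey, c2Key := mustKey(), mustKey() // victimKey sits on the host; c2Key never leaves the C2
	ef, err := encryptHybrid(&victimKey.PublicKey, sample)
	if err != nil {
		return false, false, err
	}
	pt, err := decryptHybrid(victimKey, ef)
	localLayoutRecoverable = err == nil && bytes.Equal(pt, sample)
	if ef, err = encryptHybrid(&c2Key.PublicKey, sample); err != nil {
		return false, false, err
	}
	_, err = decryptHybrid(victimKey, ef) // the only private key present on the host
	c2LayoutRecoverable = err == nil
	return localLayoutRecoverable, c2LayoutRecoverable, nil
}

func main() {
	local, c2, err := compareKeyLayouts()
	if err != nil {
		panic(err)
	}
	fmt.Printf("private key on the victim host: recoverable=%v\n", local)
	fmt.Printf("private key only on the C2:     recoverable=%v\n", c2)
}
```

The responder's lesson is the second half of the comparison: if the private key, or the CryptoAPI key container holding it, can be found anywhere on the infected host, try it before assuming the data is gone; if the design keeps the private key on the C2, no amount of forensics on the host yields it.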
Koler is considered the first "Lockerworm", because it contains self-replication: it sends customized messages to everyone in the contact list, directing them to download the ransomware from a specific website, which then locks their systems.

CTB-Locker and SimpLocker
CTB-Locker and SimpLocker differ from earlier variants. CTB-Locker communicates directly with its C2 server on Tor instead of relying on a multi-layer infrastructure. It was also the first ransomware variant to start deleting Volume Shadow Copies on Windows. In 2016 CTB-Locker was updated to target websites. SimpLocker was also found in 2014. It is considered the first crypto-ransomware for Android mobile devices: it simply encrypts files and folders rather than locking the user's phone.

LockerPin
In September 2015, an aggressive Android ransomware began spreading across the United States. ESET security researchers discovered the first real malware that resets the phone's PIN code to permanently lock the device, which they named LockerPin. The malware changes the lock code of the infected device and prevents the victim from getting past the lock screen. LockerPin demands $500 to unlock the device.

Ransomware as a service
In 2015, ransomware as a service (RaaS) began to appear. These services usually include user-friendly ransomware toolkits that can be bought on the black market, typically for $1,000 to $3,000. Buyers also have to share 10% to 20% of their profits with the seller. Tox is generally regarded as the first and most widely distributed RaaS toolkit.

TeslaCrypt
TeslaCrypt also appeared in 2015, and it may be an ongoing threat because its developers have produced four versions. It was first distributed through the Angler exploit kit, and later by others. TeslaCrypt encrypts files with AES-256, then encrypts the AES key with RSA-4096. C2 domains on Tor are used for payment and distribution. Its infrastructure contains multiple layers, including proxy servers.
TeslaCrypt itself is quite advanced and contains functionality that gives it flexibility and persistence on the victim's machine. In 2016 the TeslaCrypt authors released their master decryption key to ESET.

LowLevel04 and Chimera
The LowLevel04 ransomware was discovered in 2015 and mainly targets Remote Desktop and Terminal Services. Unlike other ransomware campaigns, the attackers operate manually over remote access: they connect to servers remotely and map the internal systems. In this case the attackers also clear the Application, Security and System event logs. The Chimera ransomware was discovered at the end of 2015. It is considered the first doxing ransomware, threatening to publish sensitive or private documents online. Chimera uses the Bitmessage P2P protocol for C2 communication, and its C2s are simply Bitmessage nodes.

Ransom32 and 7ev3n
Ransom32 is considered the first ransomware written in JavaScript. The malware itself is larger than most, at 22MB. It uses NW.js, which lets it perform the same operations as ransomware written in C++ or Delphi. Ransom32 is regarded as revolutionary because it can in theory run on multiple platforms, such as Linux, Mac OS X and Windows. The 7ev3n ransomware has attracted attention in recent months: at 13 bitcoin, it may have the highest ransom demand of any ransomware. 7ev3n does not just perform the typical encryption extortion, it also damages the Windows system. The malware developers seem mainly concerned with ensuring that 7ev3n destroys every way of recovering the encrypted files. 7ev3n-HONE$T was subsequently released, which reduced the ransom demand and added some working functionality.
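Several of the behaviours described above are directly visible in process-creation telemetry: CryptoWall's Run-key and Startup-folder persistence, CTB-Locker's shadow-copy deletion, and LowLevel04's clearing of the Application, Security and System logs. The following is an added example of that detection logic, written for this page rather than taken from the article or from any product; the rule names, the pipe-separated log format and the sample event lines are all constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcessEvent is a minimal process-creation record: the fields you would pull
// from a Sysmon event 1 or a Windows Security event 4688.
type ProcessEvent struct {
	Host, User, Image, CommandLine string
}

// Rule pairs a name with a case-insensitive pattern matched against the command line.
type Rule struct {
	Name    string
	Pattern *regexp.Regexp
}

// rules cover the host behaviours named on this page: shadow-copy deletion
// (CTB-Locker), event-log clearing (LowLevel04) and Run-key / Startup-folder
// persistence (CryptoWall). The patterns are this example's own, not a vendor's.
var rules = []Rule{
	{"shadow_copy_deletion", regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete`)},
	{"event_log_cleared", regexp.MustCompile(`(?i)wevtutil(\.exe)?\s+cl\s+(application|security|system)\b`)},
	{"run_key_persistence", regexp.MustCompile(`(?i)reg(\.exe)?\s+add\s+.*\\currentversion\\run(once)?\b`)},
	{"startup_folder_copy", regexp.MustCompile(`(?i)(copy|xcopy|move)\s+.*\\start menu\\programs\\startup\\`)},
}

// Alert records which rule fired on which event.
type Alert struct {
	Rule  string
	Event ProcessEvent
}

// parseEvent reads one line of the constructed "host|user|image|commandline"
// format used by the sample below; a real pipeline would read EVTX or a SIEM export.
func parseEvent(line string) (ProcessEvent, bool) {
	parts := strings.SplitN(line, "|", 4)
	if len(parts) != 4 {
		return ProcessEvent{}, false
	}
	return ProcessEvent{parts[0], parts[1], parts[2], parts[3]}, true
}

// detect runs every rule over every parseable event and returns the alerts in
// input order. One command line can trigger more than one rule.
func detect(lines []string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		ev, ok := parseEvent(line)
		if !ok {
			continue
		}
		for _, r := range rules {
			if r.Pattern.MatchString(ev.CommandLine) {
				alerts = append(alerts, Alert{r.Name, ev})
			}
		}
	}
	return alerts
}

// sampleEvents is constructed input, not a real capture. The third line is a
// benign listing of shadow copies and must not fire; the rest are attacker actions.
var sampleEvents = []string{
	`host01|CORP\jdoe|C:\Windows\System32\cmd.exe|vssadmin.exe delete shadows /all /quiet`,
	`host01|CORP\jdoe|C:\Windows\System32\cmd.exe|wevtutil.exe cl Security`,
	`host02|CORP\svc_backup|C:\Program Files\Backup\agent.exe|vssadmin.exe list shadows`,
	`host01|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\upd.exe|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\jdoe\AppData\Roaming\upd.exe /f`,
	`host03|CORP\asmith|C:\Windows\System32\cmd.exe|copy C:\Users\asmith\AppData\Roaming\x.exe "C:\Users\asmith\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.exe"`,
	`host02|CORP\svc_backup|C:\Windows\System32\cmd.exe|wmic shadowcopy delete`,
}

func main() {
	for _, a := range detect(sampleEvents) {
		fmt.Printf("%-22s %s %s: %s\n", a.Rule, a.Event.Host, a.Event.User, a.Event.CommandLine)
	}
}
```

Two caveats before using rules like these in production: `vssadmin delete shadows` and `wevtutil cl` are also run by backup agents and administrators, so add allowlists on the parent image and account before paging anyone; and because the LowLevel04 operators clear the logs on the host itself, the events must be forwarded off-box as they are generated, or the evidence disappears along with them.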
Locky
In 2016, the authors of the EDA2 and Hidden Tear malware publicly released their source code on GitHub, claiming it was for research purposes; attackers quickly copied the code and made their own changes, leading to a large number of variants. The infamous Locky ransomware was also discovered in 2016; Locky spread rapidly through phishing campaigns that used the Dridex infrastructure. Locky also made headlines by infecting hospitals in many parts of the United States. Attackers soon found that infected medical institutions paid the ransom quickly, which led to a flood of phishing emails carrying ransomware downloaders aimed at the healthcare industry.

SamSam
The SamSam, or SAMAS, ransomware was found to be distributed specifically to vulnerable JBoss servers. The attackers first scan for JBoss servers with the JexBoss tool, then exploit the vulnerability to install SamSam. Unlike other ransomware, SamSam includes a channel that lets the attackers communicate with victims in real time over a .onion website.

KeRanger
The first official Mac OS X ransomware was discovered in 2016, delivered through the Transmission BitTorrent client for OS X. The ransomware was signed with a Mac developer certificate, which allowed it to bypass Apple's Gatekeeper security feature.

Petya
Petya became popular in 2016. It is delivered through a Dropbox link, overwrites the master boot record (MBR) of the infected machine, and then encrypts the physical drive itself, displaying a fake CHKDSK prompt while the encryption runs. If the ransom of $431 is not paid within 7 days, the amount doubles. A Petya update added a second payload, a variant of the Mischa ransomware, which does not encrypt the hard disk.

Maktub
Maktub was also discovered in 2016, and shows that ransomware developers are trying to create very advanced variants.
Maktub is the first ransomware to use a crypter, which hides or encrypts the malware's code. Maktub uses the Windows CryptoAPI to perform encryption offline instead of using a C2 to retrieve and store encryption keys.

Jigsaw
The Jigsaw ransomware features the Jigsaw character from the Saw films, and threatens to delete a file every 60 minutes if the $150 ransom is not paid. In addition, 1,000 files are deleted if the victim tries to stop the process or restart the computer.

CryptXXX
At the end of May 2016, CryptXXX was the most widely discussed of the latest ransomware. Researchers believe it is related to the Reveton ransomware family, because it leaves a similar footprint during the infection stage. CryptXXX spreads through various exploit kits, mainly Angler, and is usually observed following a Bedep infection. Its features include, but are not limited to, anti-sandbox detection, mouse activity monitoring, a custom C2 communication protocol, and payment through Tor.

ZCryptor
Microsoft published an article detailing a new ransomware variant, ZCryptor. In addition to the usual functions (encrypting files, adding registry keys, and so on), ZCryptor is also considered the first cryptoworm. It spreads through spam and has self-replication capabilities that infect removable devices and other systems, while encrypting each machine and its shared drives.

The future of ransomware?
Experts predict that we will continue to see many new variants in 2016, and that only a few of them will have a major impact, depending on the malware authors and the cyber gangs involved. Ransomware authors are still continuing their development work, updating existing ransomware or writing new families. We predict that greater flexibility and persistence will become standard in ransomware. If ransomware gains these capabilities, it will be a global nightmare.
Judging by the recent ransomware that uses a crypter, ransomware authors know that many researchers try to reverse engineer their software, and this is likely to push ransomware developers to keep improving their variants.