Robinhood Ransomware | Eternal Blue strikes again

Captions
Hello and welcome to The PC Security Channel. Today we'll be taking a look at the Robinhood ransomware, only fitting given that I'm actually in Nottingham. This is the threat that was linked to the Baltimore government network attacks and also the resurgence of the EternalBlue exploit. For those of you that are not aware, EternalBlue was the NSA-based exploit that WannaCry used to pretty much take over the world; that's what it felt like. Essentially an SMB vulnerability allowed it to spread without any user intervention. It was actually patched by Windows long ago, but apparently a lot of systems haven't caught up yet, even though it's over a year now. One of the reasons I want to take a look at this sample in particular is because it's a great example of targeted attacks and how ransomware can actually be specifically deployed on systems without researchers being able to access it. I think it'll be quite evident what I'm talking about once we start with the demo, so let's do that.

As you can see I have the sample on the desktop. If I just run it, it launches Command Prompt and disappears; it's hard to tell what it's doing, but if I launch it via Command Prompt it'll be a bit clearer. So I'll first go to Desktop and then we'll just run Robinhood.exe, and as you can see we get this error saying Windows\Temp\pubkey: the system cannot find the file specified. Which is great, right? So the ransomware doesn't even work; why am I even doing this video? Actually, it works. The thing is, pubkey, as the name suggests, is actually the RSA key that the ransomware is going to use to encrypt your data. Now the way RSA works is it is asymmetric encryption, as in the key that you use to encrypt the data cannot be used to decrypt it. There's a public key and a private key: the public key is what you give out to send messages, and the private key is what you need in order to actually decrypt the messages. So in this case it uses the public key generated via, I'm guessing, some other script run by the attacker.

In order to demonstrate this we can of course create our own RSA key and just place it in this folder, and you'll see how that will work out. So let's do that. I'm going to open up Notepad because that's the premium fancy way of doing things, right? Long live Windows XP. Now I do have an RSA key generated over here; I'll just copy and paste, and now we'll save this as pubkey in Windows\Temp because that's what it's looking for. So we go in here, save it as pubkey, and save. All right, so this should completely change what happens when I run this file.

I know a lot of you will be asking whether or not this file is detected by my AV: will Kaspersky protect me against this, will Bitdefender protect me against this? As of now this ransomware is detected by 53 out of 72 engines on VirusTotal, so yeah, if you watch TPSC, if you use anything that's remotely decent, you should be good. Now it's worth noting that this ransomware was already on VirusTotal and was actually discovered a month before the major attacks hit. All the other misconceptions about signatures aside, I think this is something you need to realize: with a lot of these major attacks the threat isn't always new, so using some kind of AV filter, no matter how basic it is, is still very useful. There are countless existing threats that get reused, and if you just don't use a blacklist you're still vulnerable to all of them. On the bright side, Microsoft was actually fairly quick on this one, so if you have Windows Defender and it's up to date that would be good as well. But again, as I said, at this point the original sample is over a month old, so unless you don't update your AV, or you update it once a year or once every three months, or you use one of these: if you just use F-Prot, or if you just use SUPERAntiSpyware and nothing else, well yeah, about time, right? What do you expect? Subscribe to TPSC already. All right, enough of this, back to the video.

And boom, there you go, we're seeing action already. Look at that, look at the mess. I'm sure it's still going, but as you can see there's already a list of encrypted files on the desktop itself and a lot of ransom notes everywhere. Let's see what happens if we open one of these. There's the ransom message: all your files were encrypted with RSA-4096. Hmm, actually that's not really compatible with the key I specified, but OK. We encrypted your files with our public key; to decrypt you need the private key, which is in our hands. See, they explain it very nicely. Is it possible to get your data back? Of course not, unless you pay us X amount of Bitcoin; in this case it is three Bitcoin per affected system, or 13 for all. Also you see they have a licensing policy like, you know, regular software vendors: you get it at a discounted price if you want to get it for your entire organization, so only 13 for as many computers as you want. What have we come to? And to make it better: be careful, the cost of your payment increases ten thousand dollars each day after the fourth day. There's the onion address, and there you have it, that's the ransom message. Nothing atypical here.

Now the interesting thing of course is how did a lot of these systems get infected, even though this vulnerability was patched ages ago? At the moment it seems that ransomware creators aren't necessarily targeting home computers because it's not particularly profitable, even if they infect a bunch of systems. First of all it's harder, and this is one of the things people don't talk about as much: having a diverse, multi-layered security strategy is actually very helpful, because the attacker can't predict what they're getting into. Whereas if you're just trying to infiltrate one particular target, you can spend days trying to break into it before you actually deliver the ransomware payload. So in case of a supply chain attack, or infecting a company or a cloud server or an organization, the cyber criminals are going to do their research. They're going to scout it out, they're going to figure out how they can get remote code execution on some of those machines, and once they have all of that, then they're going to design the ransomware. I mean, obviously these days they're just using ransomware-as-a-service templates, but they can customize the ransomware to their attack vector so that when it hits it's brand new and completely takes over. Whereas if they wanted to infect a ton of user computers, they would have to individually compromise all of those computers using some attack vector like an online download, which again can be blocked, blacklisted, people may not click on it. But when you have one target it's a lot easier to figure out a path and effectively set up the attack.

Lessons to learn: if you run an organization, please make sure that your machines are patched. Sometimes it can take days or months to do it, but it's definitely worth it, especially for your mission-critical systems. Believe it or not, there's still millions of dollars being spent every year paying for ransomware, either because people don't back up their systems or don't use proper protection. So don't be that guy. In this case, funnily enough, there was a lot of finger pointing towards the NSA, and I'm like, come on, EternalBlue was a year ago, are you guys asleep until now? And the result of these attacks is a lot of services go down, so even though as a home user you're not directly affected, you're indirectly affected. In this case you can't pay your bills, you can't log into your local services, and that can be much more damaging than just an individual ransomware attack, not just to the organization but to end users as well. So once again, highly recommend patching your systems, using decent protection. If you don't know what that is, I can share this video; subscribe to TPSC, that's what this channel is all about. This is Leo, thank you very much for watching, and as always, stay informed, stay secure.
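The video's explanation of why the ransomware needs a public key file and why a victim cannot reverse the encryption with that same key can be illustrated with textbook RSA. The Python below is an added example written for this page; it is not code from the video, from TPSC, or from the Robinhood sample itself. The primes 61 and 53, the exponent 17 and the sample plaintext are constructed toy values, far too small to be secure, chosen so the arithmetic can be followed by hand.

```python
"""Toy textbook RSA illustrating the asymmetric-key point from the video:
data encrypted with the public key can only be recovered with the private
key, which in a ransomware scenario stays with the attacker.

Constructed toy parameters only: no padding, tiny modulus, one byte per
block. This is an educational sketch, not a usable cryptosystem.
"""

from math import gcd
from typing import Dict, List, Tuple

PublicKey = Tuple[int, int]   # (e, n)
PrivateKey = Tuple[int, int]  # (d, n)


def keygen(p: int, q: int, e: int = 17) -> Tuple[PublicKey, PrivateKey]:
    """Derive an RSA key pair from two primes (constructed toy values)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    # d is the modular inverse of e modulo phi(n); pow(e, -1, m) needs Python 3.8+
    d = pow(e, -1, phi)
    return (e, n), (d, n)


def encrypt_int(m: int, pub: PublicKey) -> int:
    """Encrypt one integer block with the public key: c = m^e mod n."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message block must be smaller than the modulus")
    return pow(m, e, n)


def decrypt_int(c: int, priv: PrivateKey) -> int:
    """Decrypt one block with the private key: m = c^d mod n."""
    d, n = priv
    return pow(c, d, n)


def encrypt_bytes(data: bytes, pub: PublicKey) -> List[int]:
    """One byte per block, only because the toy modulus is so small."""
    return [encrypt_int(b, pub) for b in data]


def decrypt_bytes(blocks: List[int], priv: PrivateKey) -> bytes:
    return bytes(decrypt_int(c, priv) for c in blocks)


def reapply_public_key(blocks: List[int], pub: PublicKey) -> List[int]:
    """What a victim holding only the public key could try: apply it again.
    The result is c^e mod n, which is not the original plaintext; this is
    the property the ransom note relies on."""
    e, n = pub
    return [pow(c, e, n) for c in blocks]


def demo() -> Dict[str, object]:
    """Run the round trip with the classic textbook primes 61 and 53."""
    pub, priv = keygen(61, 53)            # n = 3233, phi = 3120, d = 2753
    plaintext = b"ransom"                 # constructed sample data
    blocks = encrypt_bytes(plaintext, pub)
    return {
        "pub": pub,
        "priv": priv,
        "ciphertext": blocks,
        "with_private": decrypt_bytes(blocks, priv),
        "with_public_only": reapply_public_key(blocks, pub),
    }


if __name__ == "__main__":
    result = demo()
    print("public key  :", result["pub"])
    print("private key :", result["priv"])
    print("ciphertext  :", result["ciphertext"])
    print("private-key decryption:", result["with_private"])
    print("public-key reapplied  :", result["with_public_only"])
```

The `reapply_public_key` function is the instructive part: it shows that knowing the public key, which the malware carries with it in the pubkey file, gives a defender nothing towards recovering the data. That is why the practical defences discussed in the video are patching, layered protection and backups, rather than anything done with the key after the fact.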
Info
Channel: The PC Security Channel
Views: 19,291
Rating: 4.9212599 out of 5
Keywords: TPSC, The PC Security Channel, security, cybersecurity, Internet Security, Antivirus Reviews, Security software reviews, test, malware, prevention, detection, removal, AntiMalware, tutorial, virus, trojan, PUP, Ransomware, 2018, finance, antivirus, review, free, Robinhood, Baltimore Ransomware attacks, Robinhood Ransomware, Eternal Blue, NSA Exploit, Wannacry
Id: hCxpfggM6Ro
Length: 8min 13sec (493 seconds)
Published: Sun Jun 02 2019