
Ransomware as a service

Hunting on the dark web is interesting to find new malicious activities running in the background. Besides the classic sites where you can order drugs and all kind of counterfeited material, I discovered an interesting website which offers a service to create your own ransomware! The process is straightforward, you just have to:

  • specify your Bitcoin address to get the ransom,
  • select the amount (minimum amount is 0.01 BTC, max 1BTC)

and you get a nice malicious PE file delivered a few seconds later:

The business model behind the service is simple: the bad guys keep 10% of the ransom.

Based on the strange XMPP address provided on the webpage, I think that the service is not yet available or is just a proof of concept. However, it was really tempting, so I generated my own ransomware sample. Note that a valid Bitcoin address must be provided. Thanks to Google, I found some “public” ones that I used for my test. The generated file is a 64-bit PE file. I don’t know the reason for this restriction... 64-bit only is a real limitation to hit many victims.

| Key      | Value |
|----------|-------|
| Name     | YzBvIyROuOZGbcf6sFl8CKGQzqDgbb7Rzua.exe |
| Tags     | ransomware, isc |
| Path     | /home/nonroot/workdir/binaries/7/0/0/5/7005535e034576fdb66b5b32eb198b48d7755758e77bd66909f8dd7288c1e069 |
| Size     | 5580288 |
| Type     | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
| Mime     | application/x-dosexec |
| MD5      | 493640f022a7ac07ad4e8d6f2cd3740e |
| SHA1     | 4c4a1df308e415ab356d93ff4c5884f551e40cf5 |
| SHA256   | 7005535e034576fdb66b5b32eb198b48d7755758e77bd66909f8dd7288c1e069 |
| SHA512   | d29b40298f00ba619a59f4aa7cec1bb1ec753df948b9fa50e7e158150ca21801783d701c8ed32a8e3811f138ad948b4077c8cf2b7da5b25917ec8eebe7435c26 |
| SSdeep   | 49152:U6q9fOpwcf1pHot9E4IaCf1kin7N0Iu1YES/N4ggvewaFSenC00qTQeVptYt1dmT:ofk3oC9n7N0Iu19SV4ISeLQevtYVmS |
| CRC32    | 29B4ED1C |
| Parent   | |
| Children | |

The file hash was of course unknown on VT. When I submitted it, the score was only 7/66[1]. This is quite good (from the attacker’s perspective): no big player was able to detect it.

I tested the ransomware in a sandbox running a 64-bit Windows 7 protected by the Microsoft AV, with all security features enabled. A few minutes later, my files were encrypted.

The communication with the victim is performed via a file on the desktop:

When you click on the link, you are redirected to a website which discloses more details:

The webpage proposes to download a decryption tool:

| Key      | Value |
|----------|-------|
| Name     | decrypter.exe |
| Tags     | ransomware, isc |
| Path     | /home/nonroot/workdir/binaries/c/b/7/3/cb73927aa749f88134ab7874b15df898c014a35d519469f59b1c85d32fa69357 |
| Size     | 5605888 |
| Type     | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
| Mime     | application/x-dosexec |
| MD5      | 3eadfae2ff4c4eb1c8e6ad48efdfff21 |
| SHA1     | 5845d32cfae8f554847fa95d28d5c6849c416b84 |
| SHA256   | cb73927aa749f88134ab7874b15df898c014a35d519469f59b1c85d32fa69357 |
| SHA512   | 62efa2e1c8a8530b076b54e0e431492bf6a1d9d42addca8f95db1a1fce82e4288afe79a585d61831fc3d76f0d705b98324dc35e353cd19692779a3a8916f421f |
| SSdeep   | 49152:ymdRKnjBwhy1Bz/0RvVJr7eUBUr6DXxgqw5PgAXzzX691yW/0qTQN9sUL2z47tQ+:9RZaMoAxgqw5x691JQNmULd5L |
| CRC32    | 9D8D2721 |
| Parent   | |
| Children | |

Communications with the C2 server are performed via HTTPS: kdvm5fd6tn6jsbwh[.]onion[.]to (185[.]100[.]85[.]150), located in Romania.

The encryption key is downloaded and stored in %APPDATA%\encryption_key.

Here is a dump of the file I received:


The PE file is not obfuscated, and interesting strings can be found, like the list of file extensions that it scans to be encrypted:


The following drives are tested to find network shares:

K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:

Encrypted files have a new extension ‘.cypher’. Based on the strings present in the PE file, it has been written in Go. Do you have more information about this kind of ransomware (“.cypher”)? Please share!


Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant



Framework for Improving Critical Infrastructure Cybersecurity Version 1

The NIST CSF was designed with the intent that individual businesses and other organisations use an assessment of the business risks they face to guide their use of the framework in a cost-effective way.

The framework is divided into three parts: the Framework Core, Framework Implementation Tiers and Framework Profiles:

  • The Framework Core is a set of activities, outcomes and references that detail approaches to aspects of cyber security. The core comprises five functions, which are subdivided into 22 categories (groups of cyber security outcomes) and 98 subcategories (security controls).
  • Framework Implementation Tiers are used by an organisation to clarify for itself and its partners how it views cyber security risk and the degree of sophistication of its management approach.
  • Framework Profile is a list of outcomes that an organisation has chosen from the categories and subcategories, based on its business needs and individual risk assessments.


Core functions, categories, subcategories and informative references

The five Framework Core functions are:

  • Identify – Develop the organisational understanding to manage cyber security risk to systems, assets, data and capabilities.
  • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cyber security event.
  • Respond – Develop and implement the appropriate activities to take action regarding a detected cyber security event.
  • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired because of a cyber security event.

Each function is divided into categories – groups of cyber security outcomes that relate to particular activities. Examples include ‘Asset Management’, ‘Access Control’ and ‘Detection Processes’.


Subcategories further divide a category into specific outcomes of technical and/or management activities (security controls). Examples include ‘External information systems are catalogued’, ‘Data-at-rest is protected’ and ‘Notifications from detection systems are investigated’.

For each subcategory, the CSF provides informative resources that cite specific sections of a variety of information security standards, including ISO 27001, COBIT®, NIST SP 800-53, ISA 62443, and the Center for Internet Security’s 20 Critical Security Controls.

NIST Cybersecurity Framework version 1, 2014

NIST Cybersecurity Draft Framework version 1.1, 2017


Draft NIST Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1 December 5, 2017

This companion Roadmap to the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework or the Framework) describes plans for advancing the Framework development process, discusses the National Institute of Standards and Technology’s (NIST’s) next steps with the Framework, and identifies key areas of development, alignment, and collaboration. This plan provides a description of anticipated future activities related to the Framework and offers stakeholders another opportunity to participate actively in the continuing Framework development process. While the plan is focused on the Cybersecurity Framework, the results of work described in this roadmap are expected to be useful to a much broader audience to improve cybersecurity risk management in much the same way that the Framework itself is useful to many sectors and organizations that are not strictly defined as part of the critical infrastructure. This Roadmap reflects revisions to the original planning document released in February 2014 when Version 1.0 of the Framework was released, and contains updates corresponding with draft Version 1.1 of the Framework.


Intel fix reduces server performance by 2% to 25% for large volumes of data

Intel says devices are rebooting more than usual after being patched with fixes it has issued to the Spectre and Meltdown security flaws in its chips.

The company said it had reproduced the problem and was “making progress toward identifying the root cause”.

It also shared information about how the patches might affect computer performance in data centres.

One financial industry expert told the BBC he was concerned about the numbers being quoted.

Intel said its tests showed a reduction in performance ranging from 2% to 25%.

The US company said it was working with partners and customers to find ways to “address” the issue.

In an update on its website, Intel said the reboot problem had been identified in its Ivy Bridge, Sandy Bridge and Skylake processors.

It also affected Kaby Lake chips – its most recent offering.

‘Initial analysis’

Two separate security flaws, known as Meltdown and Spectre, were publicly disclosed in January.

Researchers discovered gaps in security stemming from central processing units – better known as the chip or microchip – that could allow privately stored data in computers and networks to be hacked.

Experts suggested fixing the problem could reduce the performance of Intel chips significantly.

Intel said its “initial analysis” for business cases such as running website servers showed a slowdown of 2%.

But it added that when it simulated a stock brokerage making transactions, the chips saw a 4% reduction in performance.

One industry insider suggested that figure was more significant than it might seem at first glance.

“In a company like ours, 4% would be a massive difference,” said Alasdair Haynes from the stock exchange Aquis.

“We measure the time of trades in microseconds. Firms spend an enormous amount of time and money trying to get the fastest speed out of a server.”

The most significant reduction in performance involved computer servers that store and retrieve large volumes of data. For those, the slowdown could be as severe as 25%.


The reluctant cyber hero: How a 22-year-old stumbled across the worst computer chip flaw in history while reading huge Intel processor manuals with thousands of pages – INTEL FLAW

In cybersecurity circles at least, the 22-year-old German shot to fame this month when he was revealed as the man who exposed the worst computer chip flaw ever.

In uncovering the fault, which has existed for more than two decades but went completely unnoticed, he beat teams of analysts working from years of research.

Even more incredibly, he stumbled across the defect by accident while reading through thousand-page processor manuals for a completely different project.

The flaw affects most processors manufactured by Intel since 1995 but went completely undiscovered until Horn happened upon it

Horn was actually trying to work out whether processors could handle an intense piece of number-crunching code he had devised when he began picking through the doorstop-sized manuals last year, Bloomberg reports.

His research led him to a process known as speculative execution – where a chip tries to guess what it might be asked to do next and starts performing that task ahead of time in order to increase speed.

In doing so it starts fetching data from various parts of the machine and storing that information in its memory.

Horn discovered that, even if the chip guessed wrong, the data it had retrieved would still be stored and could potentially be stolen by a clever hacker.

Working from Google’s Project Zero lab in Zurich, he compared notes with other researchers before making his discovery – chips could be tricked into retrieving data of a hacker’s choosing, which could then be stolen.



Quit social media | Dr. Cal Newport | TEDxTysons

‘Deep work’ will make you better at what you do. You will achieve more in less time. And feel the sense of true fulfillment that comes from the mastery of a skill.

Former Facebook executive: social media is ripping society apart

Former Facebook exec: “I think we have created tools that are ripping apart the social fabric of how society works. The short-term, dopamine-driven feedback loops we’ve created are destroying how society works. No civil discourse, no cooperation; misinformation, mistruth. You are being programmed” (2017)



Nice to see some honesty from Facebook, even if only from an ex-employee.

Edward Snowden’s new app turns any Android phone into a surveillance system

The app was developed by The Guardian Project, Freedom Of The Press and Snowden to offer eyes and ears to prevent, or at least increase awareness of, whether a device has been tampered with.

So, for example, you’d set up a burner Android device in a hotel safe alongside your laptop. Haven could then be set to broadcast any audio or movement; basically, if anyone opens the safe it will snap a photo, record audio and detect motion. Alerts can be sent via SMS, Signal or to a Tor-based website.


Writing for The Intercept, Micah Lee, a member of Freedom Of The Press who helped set up and test the app, admitted that the app does have some shortcomings — such as maintaining constant internet access for notifications, preventing battery drain and false positives — but it offers something new for those who would welcome the peace of mind from additional surveillance. Beyond helping keep hardware secure, it could also have other uses.

“Haven can also be used as a cheap home or office security system to detect break-ins or vandalism while you’re away, positioning the phone to send you photographs when someone walks within range. Or you can use it to monitor for wildlife in rural areas, or to capture evidence of human rights violations and disappearances,” Lee wrote.

Or even something more festive…

Haven can be downloaded via Google Play and open source Android app store F-Droid.

Snowden, who remains exiled in Russia, previously helped develop an iPhone case that detects when a device is transmitting data that can put users at risk of detection, and he’s been very vocal about services that he believes are problematic for privacy. He previously advised that people get rid of Dropbox and avoid using Google and Facebook, and has spoken at length on why data collection is “the central problem of the future.”


Randomize your WiFi MAC address on Ubuntu 16.04

Your device’s MAC address can be used to track you across the WiFi networks you connect to. That data can be shared and sold, and often identifies you as an individual. It’s possible to limit this tracking by using pseudo-random MAC addresses.

A captive portal screen for a hotel allowing you to log in with social media for an hour of free WiFi

Image courtesy of Cloudessa

Every network device like a WiFi or Ethernet card has a unique identifier called a MAC address, for example b4:b6:76:31:8c:ff. It’s how networking works: any time you connect to a WiFi network, the router uses that address to send and receive packets to your machine and distinguish it from other devices in the area.

The snag with this design is that your unique, unchanging MAC address is just perfect for tracking you. Logged into Starbucks WiFi? Noted. London Underground? Logged.

If you’ve ever put your real name into one of those Craptive Portals on a WiFi network you’ve now tied your identity to that MAC address. Didn’t read the terms and conditions? You might assume that free airport WiFi is subsidised by flogging ‘customer analytics’ (your personal information) to hotels, restaurant chains and whomever else wants to know about you.

I don’t subscribe to being tracked and sold by mega-corps, so I spent a few hours hacking a solution.

MAC addresses don’t need to stay the same

Fortunately, it’s possible to spoof your MAC address to a random one without fundamentally breaking networking.

I wanted to randomize my MAC address, but with three particular caveats:

  1. The MAC should be different across different networks. This means Starbucks WiFi sees a different MAC from London Underground, preventing linking my identity across different providers.
  2. The MAC should change regularly to prevent a network knowing that I’m the same person who walked past 75 times over the last year.
  3. The MAC stays the same throughout each working day. When the MAC address changes, most networks will kick you off, and those with Craptive Portals will usually make you sign in again – annoying.

Manipulating NetworkManager

My first attempt at using the macchanger tool was unsuccessful, as NetworkManager would override the MAC address according to its own configuration.

I learned that NetworkManager 1.4.1+ can do MAC address randomization right out of the box. If you’re using Ubuntu 17.04 upwards, you can get most of the way with this config file. You can’t quite achieve all three of my requirements (you must choose random or stable, but it seems you can’t do stable-for-one-day).

Since I’m sticking with Ubuntu 16.04 which ships with NetworkManager 1.2, I couldn’t make use of the new functionality. Supposedly there is some randomization support but I failed to actually make it work, so I scripted up a solution instead.

Fortunately NetworkManager 1.2 does allow for spoofing your MAC address. You can see this in the ‘Edit connections’ dialog for a given network:

Screenshot of NetworkManager's edit connection dialog, showing a text entry for a cloned mac address

NetworkManager also supports hooks – any script placed in /etc/NetworkManager/dispatcher.d/pre-up.d/ is run before a connection is brought up.

Assigning pseudo-random MAC addresses

To recap, I wanted to generate random MAC addresses based on the network and the date. We can use the NetworkManager command line, nmcli, to show a full list of networks:

```
> nmcli connection
NAME                 UUID                                  TYPE             DEVICE
Gladstone Guest      618545ca-d81a-11e7-a2a4-271245e11a45  802-11-wireless  wlp1s0
DoESDinky            6e47c080-d81a-11e7-9921-87bc56777256  802-11-wireless  --
PublicWiFi           79282c10-d81a-11e7-87cb-6341829c2a54  802-11-wireless  --
virgintrainswifi     7d0c57de-d81a-11e7-9bae-5be89b161d22  802-11-wireless  --
```

Since each network has a unique identifier, to achieve my scheme I just concatenated the UUID with today’s date and hashed the result:

```
# eg 618545ca-d81a-11e7-a2a4-271245e11a45-2017-12-03

> echo -n "${UUID}-$(date +%F)" | md5sum

53594de990e92f9b914a723208f22b3f  -
```

That produced bytes which can be substituted in for the last octets of the MAC address.

Note that the first byte 02 signifies the address is locally administered. Real, burned-in MAC addresses start with 3 bytes designating their manufacturer, for example b4:b6:76 for Intel.

It’s possible that some routers may reject locally administered MACs but I haven’t encountered that yet.

On every connection up, the script calls nmcli to set the spoofed MAC address for every connection:

A terminal window shows a number of nmcli command line calls

As a final check, if I look at ifconfig I can see that the HWaddr is the spoofed one, not my real MAC address:

```
> ifconfig
wlp1s0    Link encap:Ethernet  HWaddr b4:b6:76:45:64:4d
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::648c:aff2:9a9d:764/64 Scope:Link
          RX packets:12107812 errors:0 dropped:2 overruns:0 frame:0
          TX packets:18332141 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11627977017 (11.6 GB)  TX bytes:20700627733 (20.7 GB)
```

The full script is available on Github.
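The per-network, per-day scheme described above, written out as an added example rather than the author’s GitHub script. It assumes the last five octets are taken from the first five bytes of the MD5 digest of “UUID-date”, that the first octet is fixed to 02, and that NetworkManager’s 802-11-wireless.cloned-mac-address property is the one the dialog’s “cloned MAC address” field maps to.

```shell
#!/bin/sh
# Added example, not the post's own script: derive a pseudo-random MAC
# address from a NetworkManager connection UUID and a date, so that each
# network sees its own MAC and it rolls over once a day.
# Assumption: last five octets = first five bytes of md5("<UUID>-<YYYY-MM-DD>");
# first octet fixed to 02 (locally administered, unicast), which can never
# collide with a vendor-assigned OUI such as b4:b6:76.

# gen_mac <connection-uuid> [<date as YYYY-MM-DD>]
# Prints a MAC such as 02:ab:cd:ef:01:23. Same UUID and same day give the
# same MAC; a different network or a new day gives a different one.
gen_mac() {
    uuid="$1"
    day="${2:-$(date +%F)}"
    # md5sum prints "<32 hex chars>  -"; keep only the digest itself.
    digest=$(printf '%s' "${uuid}-${day}" | md5sum | cut -c1-32)
    # First 10 hex characters = 5 bytes; put a colon in front of each pair.
    tail=$(printf '%s' "$digest" | cut -c1-10 | sed 's/\(..\)/:\1/g')
    printf '02%s\n' "$tail"
}

# is_local_admin <mac>
# Succeeds only for a well-formed six-octet MAC whose first octet has the
# locally-administered bit (0x02) set and the multicast bit (0x01) clear.
# Low nibbles 2, 6, a and e are exactly the values with bit 1 set, bit 0 clear.
is_local_admin() {
    case "$1" in
        ?[26aeAE]:??:??:??:??:??) return 0 ;;
        *) return 1 ;;
    esac
}

# apply_mac <connection-uuid> <mac>
# Hands the spoofed address to NetworkManager for that connection (the
# "cloned MAC address" field of the Edit Connections dialog). Assumed
# property name; not exercised by the checks since it needs a live daemon.
apply_mac() {
    nmcli connection modify "$1" 802-11-wireless.cloned-mac-address "$2"
}

# Example: one of the UUIDs listed in the post, with a fixed date so the
# result is reproducible from one run to the next.
gen_mac 618545ca-d81a-11e7-a2a4-271245e11a45 2017-12-03
```

Wire gen_mac into a dispatcher.d/pre-up.d hook that loops over nmcli connection UUIDs and calls apply_mac for each, and the dialog’s cloned address is refreshed before every connection comes up.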

This looks interesting, as a privacy technique.



Thank you for Two Million hits

Do you know how this blog started?  During the final year of the BSc course, our tutors wanted to ensure that our research was on course.  Therefore we were asked to create a blog to support our thesis.

Comments from here indicated that everyone was intrigued with privacy, so the blog ventured heavily into tutorials for VPN’s.  At that point, traction started to increase dramatically.

Next, the privacy part of the thesis was selected for publication, and I had to present it to a room full of barristers, whilst standing on a gold podium.

Now, today, I have to say thank you for two million hits.

It’s been a real pleasure.

Finally, did you know the Uni gave me a First – and that listening to your comments was pivotal in that.

Thank you for Two Million hits – and for your comments.
