Ransomware is Coming to a Desktop Near You

Page 1: Ransomware is Coming to a Desktop Near You

Ransomware: Coming soon to a desktop near you!

Page 2: Ransomware is Coming to a Desktop Near You

Malware just got personal

Ransomware is unlike other types of malware – it affects victims in a very direct, immediate and personal way

Page 3: Ransomware is Coming to a Desktop Near You

Are you worried you might be infected with ransomware?

Don’t worry – you’ll know!

Page 4: Ransomware is Coming to a Desktop Near You

A brief historical overview

• The first “ransomware” is considered to be the AIDS virus from 1989

– Distributed on infected floppy disks during the World Health Organization’s international AIDS conference

• GPCode (2006) – first public-key ransomware

• Then, everything was quiet for 7 years...

• CryptoLocker (2013) – first bitcoin-based ransomware

• 2014-2016 exponential explosion of attacks!

Page 5: Ransomware is Coming to a Desktop Near You

Ransomware is here to stay

• Effects are immediate and irreversible

• Personal damage increases the chance victims will pay

• Modern developments allow for untrackable and irrevocable payments

Bottom line:

Ransomware is an excellent business plan!

Page 6: Ransomware is Coming to a Desktop Near You

Evolution of payment methods

• The AIDS ransomware required victims to send $189 to a post office box in Panama

• GPCode required them to pay $200 to an e-gold or Liberty Reserve account

• CryptoLocker was the first to use Bitcoin, demanding between $100 and $500 (1-2BTC)

• Bitcoin is now the de-facto currency of ransomware attacks

– Anonymous

– Irrevocable

– Perfect for paying ransom!

Page 7: Ransomware is Coming to a Desktop Near You

BTC transactions over time

Page 8: Ransomware is Coming to a Desktop Near You

Trending “ransomware”

Page 9: Ransomware is Coming to a Desktop Near You

Meet the gang!

Top ransomware families 2015-2016

Page 10: Ransomware is Coming to a Desktop Near You

CryptoLocker

• First seen in 2013

• Considered to be the first modern ransomware

• Distributed using the Zeus Gameover infrastructure

Page 11: Ransomware is Coming to a Desktop Near You

CryptoWall

• First seen in 2013

• First ransomware malvertising distribution

– Malicious ads infected unsuspecting visitors to popular websites (including one.co.il and J.post)

Page 12: Ransomware is Coming to a Desktop Near You

TeslaCrypt

• First seen in 2015

• Became the dominant ransomware of 2015

• Also targeted gaming files (WoW, Call-of-Duty, etc.)

• Inexplicably shut down by its own operators in May 2016 (decryption keys were released)

Page 13: Ransomware is Coming to a Desktop Near You

Locky

• First seen in 2016

• Distributed over the Dridex infrastructure

• First to target the healthcare sector specifically

Page 14: Ransomware is Coming to a Desktop Near You

Cerber (Cerberus)

• First seen in 2016

• Uses text-to-speech to talk to victims

• https://clyp.it/ovwyvomj

Page 15: Ransomware is Coming to a Desktop Near You

Powerware

• First seen in 2016

• Written purely as a PowerShell script

• Part of a wider “fileless malware” trend

Page 16: Ransomware is Coming to a Desktop Near You

RAA

• Written purely in JavaScript

• Can potentially run from inside the browser

• Potentially cross-platform

Page 17: Ransomware is Coming to a Desktop Near You

Strains come and go...

Page 18: Ransomware is Coming to a Desktop Near You

Ransomware-as-a-Business

• As the market grows, ransomware attacks developed into ransomware operations

• Sporadic infections became streamlined campaigns

• The clear monetary incentive is an engine that drives this “industry” to constantly improve and evolve

Page 19: Ransomware is Coming to a Desktop Near You

A full-scale evolution

• Delivery methods

• Encryption algorithms

• Key generation and infrastructure

• C&C communication

• Monetization

• Code quality

• Self protection

Page 20: Ransomware is Coming to a Desktop Near You

Ransomware-as-a-Service

• Some ransomware authors offer their code to willing partners through a criminal-to-criminal affiliate program

– Programmers write the code and maintain the servers and keys

– Crime organizations distribute the payload to victims and share the ransom with the programmers

• High quality ransomware is available to non-technical but well-established criminals

• Pseudo-random variants are easily generated to create an infinite number of payloads

Page 21: Ransomware is Coming to a Desktop Near You

Randomly-generated variants

Daily new & unique hashes identified as ransomware in VirusTotal

Page 22: Ransomware is Coming to a Desktop Near You

http://go.cybereason.com/rs/996-YZT-709/images/Cybereason%20Labs%20Reasearch%20Analysis%20-%20Kofer.pdf

Page 23: Ransomware is Coming to a Desktop Near You

Ransomware modus operandi

• Step #1 - get a public key (usually RSA)

– Pre-generated public key hard-coded into ransomware

– Server generates public key-pair on demand, sends it to ransomware

• Step #2 - get a symmetric key (usually AES)

– Generated randomly on victim’s machine

– Server generates key, sends it to ransomware encrypted with private key

• Step #3 - encrypt files with symmetric key

– File names are often modified

– All your files are belong to us!

Page 24: Ransomware is Coming to a Desktop Near You

Ransomware modus operandi

• Step #4 - encrypt symmetric key with public key and destroy original key

– Send encrypted key to server

– Store encrypted key with files

• Step #5 - post encryption

– Show threatening ransom note

– Direct victim to pay the ransom to get the private key or decrypt the symmetric key

• Step #6 - profit!

Page 25: Ransomware is Coming to a Desktop Near You

How to defeat ransomware?

Page 26: Ransomware is Coming to a Desktop Near You

Always have a backup plan

• Backup often, backup early

• Many commercial solutions available

• Microsoft’s own Volume Shadow Copy Service is built into the OS…

– ...and is also the first victim of ransomware

• So have a backup for your backup

Page 27: Ransomware is Coming to a Desktop Near You

The (obvious) approach

• Filter emails

• Filter attachments

• Enforce UAC

• Don’t persist network drives’ credentials

• Show file extensions (disabled by default)

Page 28: Ransomware is Coming to a Desktop Near You

The signature-based approach

• Hash-based solutions cannot protect against randomly-generated samples

• More than half a million new hashes since Jan 2016

– ...that we know of

• A heuristic solution is needed...

Page 29: Ransomware is Coming to a Desktop Near You

Ransomware research

• Find ransomware samples

• Put them in a cage

• Give them something to chew on

• Observe closely…

• What do they all have in common?

Page 30: Ransomware is Coming to a Desktop Near You

Execution method?

• Most ransomware simply run from the original executable file

• Some ransomware use randomized process names

– Either completely random or word-based

• Some mimic existing process names

• Some inject code into explorer.exe, svchost.exe, iexplore.exe etc.

• Some are fileless and script-based

Page 31: Ransomware is Coming to a Desktop Near You

Shadow-copy deletion?

• Some use vssadmin.exe to delete all shadow copies

– vssadmin.exe delete shadows /all /quiet

• Others use wmic.exe, Powershell, VB or even Windows API directly

– IVssBackupComponents::DeleteSnapshots

• This is a good idea in general, but about 50% of ransomware samples do not touch the shadow-copy in any way
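One way to turn the two deletion methods named above into a detection check, as an added example that is not part of the original deck: the command lines are matched from constructed process-creation events (image path plus arguments, in the shape a Sysmon or EDR feed would provide). Because about half of the samples never touch shadow copies, this is a supplementary signal, not a stand-alone detector.

```python
import re

# Constructed sample process-creation events for the example (not real telemetry).
SAMPLE_EVENTS = [
    r'C:\Windows\System32\vssadmin.exe delete shadows /all /quiet',
    r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet',   # quoting/case variant
    r'C:\Windows\System32\vssadmin.exe list shadows',                   # benign: enumerate only
    r'C:\Windows\System32\wbem\WMIC.exe shadowcopy delete /nointeractive',
    r'C:\Windows\System32\wbem\WMIC.exe process list brief',             # benign WMIC use
    r'"C:\Program Files\Backup\agent.exe" --snapshot --retain 7',        # benign backup tool
]


def _tokens(cmdline: str) -> list:
    # Split on whitespace but keep double-quoted paths together (Windows-style quoting),
    # then normalise case so flag order and capitalisation do not matter.
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """Heuristic: does this command line delete Volume Shadow Copies?"""
    toks = _tokens(cmdline)
    if not toks:
        return False
    image = toks[0].rsplit('\\', 1)[-1]   # basename of the executable
    args = toks[1:]
    if image == 'vssadmin.exe':
        # vssadmin delete shadows ... ("/all /quiet" may appear in any order or case)
        return len(args) >= 2 and args[0] == 'delete' and args[1] == 'shadows'
    if image == 'wmic.exe':
        # wmic shadowcopy delete ... (the WMI route mentioned on the slide)
        return 'shadowcopy' in args and 'delete' in args
    return False


def find_shadow_copy_deletions(events):
    """Return the events that look like shadow-copy deletion, preserving order."""
    return [e for e in events if is_shadow_copy_deletion(e)]
```

Programs that use the Windows API directly (IVssBackupComponents::DeleteSnapshots) never spawn these command lines, so API-level monitoring is still needed to cover that path.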

Page 32: Ransomware is Coming to a Desktop Near You

External communications?

• New domains constantly registered and then abandoned

– Maintaining blacklists is an impossible mission

• DGA is now the standard

• Path and parameters used in URLs constantly change

• Some use TOR

• Many do not need a C&C server at all

– Emails

– Deep-web domains

– Bitcoin wallet addresses

Page 33: Ransomware is Coming to a Desktop Near You

Encrypted file names?

• Original filename, new extensions

– .encrypted

– .breaking_bad & .heisenberg

– .mp3

– [email protected]

– Random extension per execution (e.g., .afsqyse)

• Mangled filenames

– 1.R5A

• Files converted into self-extracting executables with a .exe extension

• Some do not change filenames at all

Page 34: Ransomware is Coming to a Desktop Near You

Ransom notes?

• Opens HOW_TO_RESTORE_FILES.html

• Creates !Decrypt-All-Files-afsqyse.txt in all directories

• Changes desktop background image to ransom note

• Runs dedicated unkillable ransomnote process

• Locks screen using iexplore.exe in Kiosk-mode (not a bug - a feature!)

Page 35: Ransomware is Coming to a Desktop Near You

The common factor

No matter how a ransomware got there,
no matter how it generates keys,
no matter how it communicates home,
no matter how it was written,
no matter how it’s being executed...

...it must encrypt important files,
and this creates predictable file activity patterns which cannot be avoided

Page 36: Ransomware is Coming to a Desktop Near You

File encryption methods

• Write into original file + Rename original file

• Create a new file + Delete original file

• Create a new temporary file + Rename temporary file + Delete original file

• … not many other combinations

Page 37: Ransomware is Coming to a Desktop Near You

Watching existing files

• Which files should be watched?

• How do we know they’re being encrypted?

– And not simply modified by a benign program?

• What about legitimate encryption programs?

– Or even the simple & loveable WinRAR?

• What should be considered a “critical mass” of encrypted files?

– Isn’t it too late by then? Ransomware may encrypt as many as 100 files per second!

• This is often not enough...

Page 38: Ransomware is Coming to a Desktop Near You

Evolution of targeted files

GPCode (2006) targeted extensions:

.doc, .html, .jpg, .xls, .zip, .rar

Page 39: Ransomware is Coming to a Desktop Near You

Modern targeted extensions

Page 40: Ransomware is Coming to a Desktop Near You

The proactive approach

• Create multiple disposable Canary files

• Monitor file activity for these files

• If the canaries got encrypted - we got a suspect!

– No reason for legitimate programs to modify them

• Determine whether the source was automated and malicious
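The canary idea above, together with the three file encryption methods from the earlier slide (write in place, create new + delete, temp + rename + delete), as an added example that is not the product's code: low-entropy decoys are planted, and a later check classifies each one as intact, modified, encrypted (high-entropy rewrite) or missing (deleted or renamed away). The canary names and the entropy threshold are assumptions for the example, and the "attack" in demo() is simulated with constructed random bytes standing in for ciphertext.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

CANARY_NAMES = ("00_canary.docx", "zz_canary.xlsx")   # assumed decoy names
ENTROPY_THRESHOLD = 7.0   # bits/byte; ciphertext sits near 8.0, documents well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for a constant buffer, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_canaries(directory: Path, names=CANARY_NAMES) -> dict:
    """Write low-entropy decoys and return {path: sha256} as the baseline."""
    baseline = {}
    content = ("Canary file - no legitimate program should modify this. " * 30).encode()
    for name in names:
        path = directory / name
        path.write_bytes(content)
        baseline[path] = hashlib.sha256(content).hexdigest()
    return baseline


def check_canaries(baseline: dict, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Verdict per canary; 'missing' covers delete and rename-based methods,
    'encrypted' covers in-place rewrites that turned the decoy into a high-entropy blob."""
    verdicts = {}
    for path, digest in baseline.items():
        if not path.exists():
            verdicts[path.name] = "missing"
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            verdicts[path.name] = "intact"
        elif shannon_entropy(data) >= threshold:
            verdicts[path.name] = "encrypted"
        else:
            verdicts[path.name] = "modified"   # changed, but not ciphertext-like
    return verdicts


def demo() -> dict:
    """Plant canaries, simulate two encryption patterns with constructed data, check."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        baseline = plant_canaries(d)
        (d / "00_canary.docx").write_bytes(os.urandom(2048))       # write into original file
        os.rename(d / "zz_canary.xlsx", d / "zz_canary.xlsx.enc")  # rename original away
        return check_canaries(baseline)
```

Any verdict other than "intact" is the trigger to look at which process touched the decoy; a few canaries encrypted in a second is cheap to detect compared with waiting for a "critical mass" of real documents.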

Page 41: Ransomware is Coming to a Desktop Near You

Download Cybereason RansomFree

ransomfree.cybereason.com