Team Acalvio | January 24, 2018
Technical Analysis of SamSam Ransomware
Ransomware remained one of the most critical threats facing organizations at the start of 2018. In the recent breaches at Hancock Memorial Hospital, Adams Memorial Hospital and Allscripts, SamSam ransomware was used to encrypt the victims' files. This blog dives into the technical details of SamSam [1] and then shows how it can be detected with a deception-based architecture.

Technical Details:

SamSam does not run on its own: it requires a text file as a command line argument, and that file carries the attacker's base64-encoded public key in XML format. Without it the encryptor does nothing. When the ransomware executes, it drops two files, selfdel.exe and del.exe, both stored in the resource section of the ransomware binary. selfdel.exe (Figure 1.0) looks up the running SamSam process, sleeps for 3000 milliseconds and then removes the SamSam ransomware process (self-deletion of the encryptor).

Figure 1.0: Code of selfdel.exe

The ransomware targets 328 file extensions; the full list is shown in Figure 2.0. Because the list includes “.sql”, “.sqlite”, “.sqlite3” and “.sqlitedb”, database files are encrypted along with documents.

Figure 2.0: File extensions targeted by SamSam ransomware

The code calls the .NET API DriveInfo.GetDrives() to enumerate every logical drive on the computer and encrypts the files on all of them (Figure 3.0). That includes mapped SMB shares, CD drives and removable drives attached to the computer. Endpoint backups are often configured to reach a database through a mapped drive letter; in such a configuration the database files reachable through that drive are encrypted as well, so the backup copy is lost together with the primary data.

Figure 3.0: Call that enumerates the logical drives on the computer
Files whose directory path contains “Windows”, “Reference Assemblies\\Microsoft” or “Recycle.Bin” are skipped and left unencrypted (Figure 4.0).

Figure 4.0: Code that skips files in specific folders

To encrypt a file, the ransomware creates a new file, writes the encrypted data to it and then deletes the original. The new file keeps the original name with .encryptedRSA appended. An HTML ransom note titled “HELP_DECRYPT_YOUR_FILES” is dropped into the directory (Figure 5.0).

Figure 5.0: Ransom note

Deception-based detection:

A deception-based architecture distributes breadcrumbs and lures on endpoints. When ransomware touches them, the breadcrumbs and lures raise alerts, which a proprietary algorithm validates as a ransomware infection. The version of SamSam used in these breaches is detected by ShadowPlex-R. Once the infected endpoint is identified, it is isolated from the network to stop the infection from spreading.

Figure: Detection of SamSam in ShadowPlex-R

For details of how a deception-based architecture prevents infection, see my earlier blog, Deception Centric Defense Against Ransomware, which lays out its advantages over traditional ransomware-detection architectures.

Conclusion:

SamSam is activated by the threat actor only after the organization has already been breached, which makes it hard for inline monitoring architectures to detect. As discussed above, SamSam will not execute unless it is handed a public key, in a specific format, as a command line argument.
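The file-handling pattern described above (new file with .encryptedRSA appended, original deleted, HELP_DECRYPT_YOUR_FILES note dropped) is what a breadcrumb-style detector would key on. The following Python is an added example, not ShadowPlex-R code or code from the SamSam sample: it seeds a few canary paths, compares a directory listing taken before and after, and classifies each canary. The paths, listings and the assumption that listings are gathered as full Windows paths are all constructed for the example; it also reports canaries placed under the directories the sample skips, since those would never fire.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

ENCRYPTED_SUFFIX = ".encryptedRSA"           # appended to the original file name
NOTE_PREFIX = "HELP_DECRYPT_YOUR_FILES"      # ransom note title (HTML file)
# Directory fragments the analysed sample skips (substring match on the path;
# treated as case-sensitive here). Canaries placed under these never fire.
SKIPPED_FRAGMENTS = ("Windows", "Reference Assemblies\\Microsoft", "Recycle.Bin")


@dataclass
class CanaryReport:
    encrypted: list = field(default_factory=list)        # original gone, .encryptedRSA sibling present
    missing: list = field(default_factory=list)          # gone without the SamSam signature
    notes: list = field(default_factory=list)            # ransom notes new since the baseline
    useless_canaries: list = field(default_factory=list) # placed in a directory the sample skips

    @property
    def ransomware_suspected(self) -> bool:
        # The encrypt-then-delete pattern on a canary is the trigger; a note in the
        # same tree only corroborates (a note alone may be stale, a deletion alone a user).
        return bool(self.encrypted)


def in_skipped_dir(path: str) -> bool:
    return any(fragment in path for fragment in SKIPPED_FRAGMENTS)


def check_canaries(canaries, baseline, current) -> CanaryReport:
    """Diff two listings of full Windows paths and classify each canary."""
    report = CanaryReport()
    baseline_l = {p.lower() for p in baseline}   # NTFS names are case-insensitive
    current_l = {p.lower() for p in current}
    for canary in canaries:
        if in_skipped_dir(canary):
            report.useless_canaries.append(canary)
            continue
        key = canary.lower()
        if key not in baseline_l:
            raise ValueError(f"canary absent from baseline: {canary}")
        if key in current_l:
            continue                                   # untouched
        if key + ENCRYPTED_SUFFIX.lower() in current_l:
            report.encrypted.append(canary)
        else:
            report.missing.append(canary)
    for path in sorted(current):                       # notes: new files carrying the title
        if path.lower() not in baseline_l and \
           PureWindowsPath(path).name.upper().startswith(NOTE_PREFIX):
            report.notes.append(path)
    return report


def encrypted_files_per_drive(current) -> dict:
    """Count .encryptedRSA files per drive letter or UNC share, to gauge spread across
    the logical drives the sample enumerates (mapped shares and removable media included)."""
    counts = {}
    for path in current:
        if path.lower().endswith(ENCRYPTED_SUFFIX.lower()):
            drive = PureWindowsPath(path).drive          # 'C:' or '\\\\server\\share'
            counts[drive] = counts.get(drive, 0) + 1
    return counts


# Constructed sample data: four canaries, one wasted under C:\Windows.
CANARIES = [
    r"C:\Users\finance\Documents\Q4_budget.xlsx",
    r"E:\backups\crm.sqlite",
    r"\\fileserver\shared\contracts\vendor_list.docx",
    r"C:\Windows\Temp\decoy.txt",
]
BASELINE = set(CANARIES) | {
    r"C:\Users\finance\Documents\notes.txt",
    r"E:\backups\crm.sqlite-journal",
}
# Constructed post-infection listing: canaries replaced, notes dropped, skipped file intact.
AFTER = {
    r"C:\Users\finance\Documents\Q4_budget.xlsx.encryptedRSA",
    r"C:\Users\finance\Documents\notes.txt.encryptedRSA",
    r"C:\Users\finance\Documents\HELP_DECRYPT_YOUR_FILES.html",
    r"E:\backups\crm.sqlite.encryptedRSA",
    r"E:\backups\crm.sqlite-journal",
    r"E:\backups\HELP_DECRYPT_YOUR_FILES.html",
    r"\\fileserver\shared\contracts\vendor_list.docx.encryptedRSA",
    r"\\fileserver\shared\contracts\HELP_DECRYPT_YOUR_FILES.html",
    r"C:\Windows\Temp\decoy.txt",
}

if __name__ == "__main__":
    report = check_canaries(CANARIES, BASELINE, AFTER)
    print("ransomware suspected:", report.ransomware_suspected)
    print("encrypted canaries:", report.encrypted)
    print("wasted canaries:", report.useless_canaries)
    print("spread per drive:", encrypted_files_per_drive(AFTER))
```

Two design points follow from the analysis: canaries must live on every logical drive the sample will enumerate, including mapped shares, and they must not sit under the skipped directories, or the detector is blind exactly where the sample is.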
A detection architecture that detonates files in a virtualized environment to classify them as malicious or benign cannot supply that key in the format SamSam expects, so the malware simply does nothing when detonated and never reveals its behaviour. Any detection architecture that relies on behaviour captured in a virtualized environment will therefore struggle to classify SamSam as malicious. A deception-based architecture detects and remediates while the malware is executing on the real endpoint, and is therefore the recommended architecture for preventing breaches and ransomware.

Hashes of the analyzed file:
SHA256: 0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac
Additional hash (32 hex characters, MD5 length): 710a45e007502b8f42a27ee05dcd2fba

References:
[1] Allscripts recovering from ransomware attack that has kept key tools offline.
Team Acalvio | January 15, 2018
Ransomware Command and Control Detection using Machine Learning
Authors: Deepak Gujraniya, Mohammad Waseem, Balamurali AR, and Satnam Singh

Since the first attack in 1989 [1], ransomware has grown steadily in popularity. In 2017 in particular it created havoc in every possible industry, including government offices, public-sector departments and hospitals. Beyond the financial strain, ransomware disrupts everyday public life: the WannaCry attack on hospitals, police stations and government offices hindered the daily life of ordinary citizens in numerous countries [2]. To make things worse, ransomware is now available as a service on the darknet, so even a novice attacker can rent it to start a campaign, and the same organization can be attacked more than once.

Like other malware, ransomware has a kill chain. It typically includes luring the victim via phishing or other means, loading the payload (installing the ransomware on the target host), and finally spreading and detonating the ransomware, that is, encrypting the host's files and demanding a ransom via a ransom note. The attack starts when a user clicks a malicious web link or opens the attachment of a phishing email, which installs the ransomware on the target machine. Depending on the strain, detonation can happen before it spreads.

To encrypt the machine's data, ransomware needs an encryption key, and it may or may not use Command and Control (C&C) to obtain it. Ransomware without C&C uses hardcoded keys, or keys generated locally, and typically reuses the same key material across infected hosts; in that case security experts can reverse engineer the malware binaries and may recover the keys. Ransomware that uses C&C instead obtains its encryption keys from a C&C server hosted by the attacker.
CryptoLocker, WannaCry, TeslaCrypt, Cerber and Locky are among the families that use C&C, which makes it nearly impossible for defenders to recover the encryption keys from the ransomware itself.

Figure 1: Ransomware attack using command & control (C&C) for encryption key management

Ransomware uses both asymmetric and symmetric encryption, e.g. RSA and AES, and attackers increasingly combine the two in a hybrid scheme: a symmetric AES key encrypts the files on the infected machine, because symmetric encryption is fast, and an RSA key pair protects that AES key. The RSA public key is used to encrypt (wrap) the AES key, while the private RSA key stays with the attacker, held on or uploaded to the C&C server, so the victim cannot unwrap the AES key without paying.

In early ransomware variants the C&C server addresses were hardcoded in the malware binaries. It was easy for defenders to extract and block these addresses, and once blocked the malware could no longer fetch its keys and encrypt files. To evade such measures, ransomware began using Domain Generation Algorithm (DGA) based techniques to reach its C&C servers: the malware generates domain names dynamically, and the attacker registers some of them and points them at the C&C servers. DGA-based C&C easily evades perimeter defenses such as firewalls, IDS/IPS and even threat-intelligence feeds, because the domains did not exist when the blocklists were compiled. The C&C channel depends on resolving a domain name, so if that domain can be detected and blocked immediately, the attack can be stopped from spreading to other machines. For example, thisisyourchangeqq.com and gvludcvhcrjwmgq.in are C&C domains used by TeslaCrypt and Locky respectively.

Before it can talk to the C&C server, the ransomware must resolve the generated domain through DNS. Those resolution queries are captured in the DNS logs, and by analyzing DNS logs we can detect the domains used for C&C.
In machine learning (ML) terms this is a classification problem with two classes: benign domain and malicious C&C domain. Several classifiers, such as Random Forest [3], Support Vector Machine (SVM) [4] or artificial neural networks, can be used. Given discriminative and informative features extracted from the DNS logs, one can build a classification model that detects C&C domains.

We trained a Random Forest classifier to detect DGA-generated domains. Bigram and trigram features are informative enough to separate C&C domains from benign ones. The bigram score measures how likely the domain's bigrams are to occur in a normal English word [5]; DGA-generated labels are far less word-like than real words, so their score separates them from benign domains. We also computed trigram_benign and trigram_malicious, the fractions of the domain's trigrams that appear in the benign and the malicious corpus respectively. The entropy of a domain also differs between the malicious and benign classes, so we used Shannon entropy [6] as a further feature.

Example domain: google.co.in
bigrams: [‘$g’, ‘go’, ‘oo’, ‘og’, ‘gl’, ‘le’, ‘e$’, ‘$c’, ‘co’, ‘o$’, ‘$i’, ‘in’, ‘n$’]
trigrams: [‘$go’, ‘goo’, ‘oog’, ‘ogl’, ‘gle’, ‘le$’, ‘$co’, ‘co$’, ‘$in’, ‘in$’]
(each label is padded with the boundary marker ‘$’, so n-grams never span a dot)

Figure 2: How bigrams and trigrams are extracted from a domain

The histograms below show how discriminative these features are for benign and malicious domains. Some features are more discriminative than others, but they complement each other and together improve the classification.
Figure 3: Frequency distribution plots of the entropy, bigram and trigram features

Example: benign domains

url                      bigram_score  entropy  trigram_benign  trigram_malicious  class label
google.co.in             7.28          0.44     1.0             0.0                benign
bloomberg.com            7.94          0.30     1.0             0.0                benign
conservativetribune.com  7.53          0.77     1.0             0.0                benign
howstuffworks.com        8.21          0.35     1.0             0.0                benign

Example: malicious domains

url                             bigram_score  entropy  trigram_benign  trigram_malicious  class label
52uo5k3t73ypjije.zzis8p.bid     10.02         0.18     0.54            0.45               malicious
equityaccountants.nl            7.88          0.56     1.00            0.0                malicious
3qbyaoohkcqkzrz6.tordonator.li  8.65          0.52     0.68            0.32               malicious

Figure 4: Precision-recall curve for the classifier

Figure 5: Code snippet of the C&C detection classifier

Figure 6: Test run on some normal domains and some C&C domains

In Figure 6, “google.com” and “howstuffworks.com” are benign domains and the others are domains used by Locky [7] ransomware for C&C. The domain “fofsslkwvwee.de” received the maximum malicious score (1.0); the other three malicious domains, which look like ordinary domains, scored below one. The table above shows the same limitation: equityaccountants.nl is malicious but built from real words, so its lexical features are indistinguishable from a benign domain's, and lexical features alone cannot catch every C&C domain.

Typically, ML-based C&C detection is deployed at the perimeter to inspect every DNS query, which requires big-data infrastructure to process the high volume of DNS logs. Acalvio's approach is event-driven rather than boiling the ocean: we use deception to detect the ransomware first, then apply the ML classifier to the domains queried around that detection to identify the C&C domains, so we never have to monitor all DNS traffic all the time. Once identified, the domains can be blocked to stop the ransomware spreading within the organization. Because we analyze domains only after our deception-based solution ShadowPlex-R [8] has detected a ransomware attack, the false-positive rate is very low.
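The feature extraction described above, as an added Python example (not the classifier of Figure 5 or any other code from the blog): boundary-padded bigrams and trigrams per label, Shannon entropy, the trigram_benign and trigram_malicious fractions, and a bigram score computed against a benign reference corpus. The two reference corpora are tiny and constructed, so the absolute numbers will not match the tables above; the entropy here is standard bits per character, while the blog's entropy column appears normalized. The bigram score is implemented as mean bigram surprisal under add-one smoothing, an assumption since the blog does not give its formula; it shares the direction of the table, where the DGA label scores 10.02 against 7.3 to 8.2 for benign names.

```python
import math
from collections import Counter

BOUNDARY = "$"   # label boundary marker, as in Figure 2

# Constructed reference corpora for illustration; a real model needs thousands per class.
BENIGN_CORPUS = [
    "google.com", "bloomberg.com", "howstuffworks.com", "wikipedia.org",
    "linkedin.com", "microsoft.com", "yahoo.co.uk", "medium.co", "bbc.co.uk",
    "conservativetribune.com", "amazon.in", "stackoverflow.com",
]
MALICIOUS_CORPUS = [   # DGA-looking labels, constructed, not real indicators
    "qxkvzrtm.biz", "wvbzkqpx7.li", "zzis8pqw.bid", "uvtrkjhg.pw",
    "kjqzxvwe.top", "plmzxqwr.in",
]


def labels(domain: str) -> list:
    """Lower-cased labels of a domain, trailing dot dropped."""
    return [lab for lab in domain.lower().strip(".").split(".") if lab]


def ngrams(domain: str, n: int) -> list:
    """Boundary-padded n-grams per label ('$g', 'go', ..., 'n$' for n=2)."""
    out = []
    for lab in labels(domain):
        padded = f"{BOUNDARY}{lab}{BOUNDARY}"
        out.extend(padded[i:i + n] for i in range(len(padded) - n + 1))
    return out


def shannon_entropy(domain: str) -> float:
    """Shannon entropy in bits per character over the labels (dots removed)."""
    text = "".join(labels(domain))
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum((c / len(text)) * math.log2(c / len(text)) for c in counts.values())


class ReferenceModel:
    """Bigram frequencies from the benign corpus; trigram sets from both corpora."""

    def __init__(self, benign, malicious):
        self.bigram_counts = Counter(g for d in benign for g in ngrams(d, 2))
        self.total_bigrams = sum(self.bigram_counts.values())
        self.vocab = len(self.bigram_counts) + 1          # +1 bucket for unseen bigrams
        self.benign_trigrams = {g for d in benign for g in ngrams(d, 3)}
        self.malicious_trigrams = {g for d in malicious for g in ngrams(d, 3)}

    def bigram_score(self, domain: str) -> float:
        """Mean surprisal (bits) of the domain's bigrams, add-one smoothed.
        Higher means less like English words; unseen bigrams score the maximum."""
        grams = ngrams(domain, 2)
        if not grams:
            return 0.0
        denom = self.total_bigrams + self.vocab
        return sum(-math.log2((self.bigram_counts[g] + 1) / denom) for g in grams) / len(grams)

    def trigram_fractions(self, domain: str):
        """(trigram_benign, trigram_malicious): share of trigrams seen in each corpus."""
        grams = ngrams(domain, 3)
        if not grams:
            return 0.0, 0.0
        benign = sum(g in self.benign_trigrams for g in grams) / len(grams)
        malicious = sum(g in self.malicious_trigrams for g in grams) / len(grams)
        return benign, malicious

    def features(self, domain: str) -> dict:
        benign, malicious = self.trigram_fractions(domain)
        return {"url": domain,
                "bigram_score": round(self.bigram_score(domain), 2),
                "entropy": round(shannon_entropy(domain), 2),
                "trigram_benign": round(benign, 2),
                "trigram_malicious": round(malicious, 2)}


def feature_matrix(model: ReferenceModel, labelled):
    """Rows (bigram_score, entropy, trigram_benign, trigram_malicious) and class
    labels, in the shape a classifier such as a Random Forest would be fit on."""
    X, y = [], []
    for domain, cls in labelled:
        f = model.features(domain)
        X.append([f["bigram_score"], f["entropy"], f["trigram_benign"], f["trigram_malicious"]])
        y.append(cls)
    return X, y


if __name__ == "__main__":
    model = ReferenceModel(BENIGN_CORPUS, MALICIOUS_CORPUS)
    for d in ("google.co.in", "52uo5k3t73ypjije.zzis8p.bid", "equityaccountants.nl"):
        print(model.features(d))
```

Running it on equityaccountants.nl shows why the classifier is gated on a deception alert in the approach above: a C&C domain made of dictionary words gets a high trigram_benign and an ordinary bigram score, so lexical features alone would pass it.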
Figure 7: Low false-positive rate against various ransomware families

We tested this approach on nearly 20 ransomware families; the results are summarised in Figure 7, where “Detected C&C domains” is the number of domains our solution flagged and “Actual C&C domains” is the number of C&C domains the ransomware actually used. The solution achieves a true detection rate of nearly 100%, i.e. it detects the C&C of every ransomware family tested, with a false-positive rate of nearly 2.5%. The results demonstrate the power of combining deception with machine learning for C&C detection.

Conclusion:

Ransomware attacks are evolving at an unprecedented pace, and detecting them in advance is becoming impossible. In this blog we explained how ransomware uses C&C to obtain the keys with which it encrypts user data, and how one can extract features from domains and train an ML classifier to detect C&C domains. Many current techniques monitor logs continuously and inspect every domain request, which is computationally expensive and yields many false positives. With Acalvio's deception-based solution ShadowPlex-R we detect a ransomware attack in real time and then use the ML classifier to detect the C&C domains. A demonstration of a ransomware attack and the C&C detection is available in our webinar [9], hosted by Acalvio and Splunk.

References:
[1] Lord, N. (2017, July 17). A history of ransomware attacks: the biggest and worst ransomware attacks of all time.
[2] SANS whitepaper (2017). https://www.sans.org/reading-room/whitepapers/threats/sensitive-data-risk-2017-data-protection-survey-37950
[3] Breiman, L. (2001). Random forests. Machine Learning, 45(1), pp. 5–32.
[4] Burges, C.J. (1998). A tutorial on support vector machines for pattern recognition. Data Mining and Knowledge Discovery, 2(2), pp. 121–167.
[5] Qi, C., Chen, X., Xu, C., Shi, J., Liu, P. (2013). A bigram based real time DNS tunnel detection approach. Procedia Computer Science, 17, pp. 852–860.
[6] Shannon, C.E. (1951). Prediction and entropy of printed English. Bell System Technical Journal, 30(1), pp. 50–64.
[7] Locky. Wikipedia. Retrieved November 19, 2017, from https://en.wikipedia.org/wiki/Locky
[8] ShadowPlex-R. Retrieved November 19, 2017, from /shadowplex-r/
[9] Splunk webinar. Retrieved November 19, 2017, from https://www.splunk.com/blog/2017/08/18/webinar-learn-how-to-use-deception-to-defend-against-ransomware.html
Team Acalvio | June 20, 2017
Ransomware: Catch me if you can.
Ransomware demands in 2016 amounted to around a billion dollars [1]. WannaCry [3] was the most recent large campaign, spreading across 150 countries and affecting 200,000 users, and damages due to ransomware in 2017 are estimated to exceed $5 billion [2]. Modern defenses rely on virtualized environments or machine learning algorithms to catch the threat actor. This blog details some of the evasion techniques modern ransomware uses to bypass such defenses.

Virtualized Environment Detection:

Inline detection solutions that monitor web or email traffic detonate incoming files in a virtualized environment. Once the file is dropped into that environment, its behaviour is captured and used to decide whether the file is malicious. CryptoLuck uses the Windows API RegOpenKeyExA to open registry keys and check for the presence of VMware, VirtualBox and similar products. If any of them is found, an obvious sign of a virtualized environment, the code exits and hides its real behaviour. Other ransomware families use the same idea, UIWIX among them: it checks for SbieDll.dll, a DLL used only by the Sandboxie sandbox, and also checks whether it is running inside a Cuckoo sandbox. If either is detected, the ransomware terminates without revealing its intended behaviour.

DLL Hijacking:

When an application loads a DLL by name, Windows searches the directory the application was started from first; if the DLL is not found there it continues with the system directories such as System32 and, later in the order, the working directory and PATH. In a DLL hijacking attack the threat actor places a malicious DLL with the expected name in the same directory as the application. Because the application's own directory is searched first, the malicious DLL is loaded and executed instead of the legitimate one. DLLs registered as KnownDLLs are always taken from System32, and an application can protect itself by loading DLLs by full path or restricting the search with LoadLibraryEx flags; otherwise the application directory wins.
This technique defeats detection algorithms that classify activity as malicious or benign based on the host process, because the process is a legitimate application. CryptoLuck ransomware uses the legitimate googleupdate.exe to load a malicious DLL carrying the ransomware payload.

Password-protected zip files:

Detection architectures that monitor email extract attachments and detonate them in a virtualized environment. If the attachment is password protected, the file prompts for the password and never executes in the sandbox, so its real behaviour is never revealed. One technique for detonating such files is to scan the body of the email for the password and supply it. However, if the password and the protected file arrive in separate emails, obtaining the password and using it to detonate the file becomes a challenge. Some ransomware uses password-protected zip files for exactly this reason; the Bart family [4] is one example.

Delivery Vector & File Formats:

Threat actors have used spam campaigns, downloaders and botnets, malvertising, exploit kits and more to distribute ransomware. The variety of delivery channels makes it hard for any organization to implement safeguards. Beyond email and the web, threat actors have used more sophisticated approaches: in the SAMSAM [5] campaign they compromised an external-facing server, harvested details from Active Directory, distributed the ransomware across the compromised network and then executed it with PsExec. An organization today has to monitor every delivery channel and every back-door approach, and each delivery vector may require a different security architecture and different algorithms to detect ransomware.
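The search-order point behind the DLL hijacking section, as an added Python example (not from the blog and not CryptoLuck code): a model of the default Windows DLL search order with SafeDllSearchMode enabled (application directory, System32, the 16-bit System directory, the Windows directory, the working directory, then PATH), with KnownDLLs always served from System32. Given directory listings it reports where each imported DLL would resolve and flags the side-loading pattern, an import resolved from the application directory that shadows a copy in a system directory, plus phantom imports that are found nowhere. The host, its listings, and the DLL names netprov.dll and updater.dll are constructed for the example.

```python
from dataclasses import dataclass

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"      # 16-bit system directory
WINDIR = r"C:\Windows"
SYSTEM_DIRS = (SYSTEM32, SYSTEM16, WINDIR)


@dataclass(frozen=True)
class Host:
    app_dir: str          # directory the EXE was started from
    cwd: str              # process working directory
    path_dirs: tuple      # %PATH% entries, in order
    listings: dict        # directory -> set of lower-cased file names
    known_dlls: frozenset # KnownDLLs registry list, lower-cased


def search_order(host: Host) -> tuple:
    """Default order with SafeDllSearchMode on (the Windows default)."""
    return (host.app_dir, SYSTEM32, SYSTEM16, WINDIR, host.cwd, *host.path_dirs)


def resolve(host: Host, dll: str):
    """Directory a by-name LoadLibrary of `dll` would load from, or None."""
    name = dll.lower()
    if name in host.known_dlls:
        return SYSTEM32                          # KnownDLLs bypass the search order
    for directory in search_order(host):
        if name in host.listings.get(directory, set()):
            return directory
    return None


def audit(host: Host, imports) -> list:
    """Flag side-loading (app-dir copy shadows a system copy) and phantom imports.
    An app-private DLL that resolves from app_dir is normal and is not flagged;
    verifying its integrity is a separate (signature) check."""
    findings = []
    for dll in imports:
        name = dll.lower()
        where = resolve(host, dll)
        shadowed = [d for d in SYSTEM_DIRS if name in host.listings.get(d, set())]
        if where == host.app_dir and shadowed:
            findings.append((name, f"side-load: copy in {host.app_dir} shadows {shadowed[0]}"))
        elif where is None:
            findings.append((name, "phantom: not on the search path; any writable "
                                   "directory on it could supply the DLL"))
    return findings


# Constructed host: a legitimate updater dropped in a user-writable directory
# alongside a planted netprov.dll (shadows System32) and a planted kernel32.dll
# (harmless, because kernel32 is a KnownDLL).
APP_DIR = r"C:\Users\victim\Downloads\update"
EXAMPLE_HOST = Host(
    app_dir=APP_DIR,
    cwd=r"C:\Users\victim",
    path_dirs=(SYSTEM32, WINDIR, r"C:\Tools"),
    listings={
        APP_DIR: {"googleupdate.exe", "netprov.dll", "kernel32.dll", "updater.dll"},
        SYSTEM32: {"kernel32.dll", "netprov.dll", "advapi32.dll"},
        r"C:\Tools": {"extra.dll"},
    },
    known_dlls=frozenset({"kernel32.dll", "advapi32.dll"}),
)

if __name__ == "__main__":
    for dll, reason in audit(EXAMPLE_HOST, ["kernel32.dll", "netprov.dll", "updater.dll", "nosuch.dll"]):
        print(f"{dll}: {reason}")
```

On a real host the listings come from a file-system survey and the import list from the executable's import table or a Process Monitor capture; the same shadowing test then turns a host-wide survey into a short list of side-loading candidates.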
Figure: File formats used as delivery vectors by ransomware

Ransomware has also used many different file formats to deliver the malicious payload. When a payload arrives in a new file format, a new set of features may have to be extracted for that format and a new classifier developed. Similarly, detection that relies on detonation in a virtualized environment may need the environment updated so that the new format actually detonates and the instrumentation captures its true behaviour. Developing and deploying detection for each new file format takes time, and that delay opens a window of opportunity for the threat actor.

Conclusion:

Ransomware campaigns employ techniques that evade traditional security defenses, turning detection into an arms race. Total damages due to ransomware are estimated to reach around 5 billion US dollars in 2017. In our upcoming blogs we will detail a deception-centric solution for detecting ransomware and its inherent advantages over traditional detection solutions.

References:
[1] Ransomware demand is a billion dollar crime and now growing. http://www.nbcnews.com/tech/security/ransomware-now-billion-dollar-year-crime-growing-n704646
[2] Ransomware damages rise 15x to hit $5 billion in 2 years.
[3] WannaCry ransomware.
[4] Bart ransomware locks files in password-protected ZIP files.
[5] SAMSAM ransomware.