Over the past 2 years or so the security community has been dealing with a swarm of ransomware, ranging from big, long-lasting campaigns like CryptoLocker and CryptoWall (now in its 4th generation) which are making multi-million dollar profits, to more recent ninjas such as Locky and SamSam. The general definition of ransomware is malware that takes hostage some of the information stored on the target machine, and asks for ransom to restore access to it.
Targets range from individuals and SMBs to law firms, hedge funds and hospitals. The primary method used to “hold” the target hostage is through encrypting files (often all documents and images) on their machine, as well as making the device unusable until the ransom is paid. While the latter condition can sometimes be easily removed with sufficient knowledge, the encryption commonly uses ciphers considered unbreakable (e.g. AES-256), and simply can’t be beaten if implemented properly.
While the vast majority of targets (and consequently, malware variants) are Windows-based, non-Windows variants have begun to emerge, notably on the Linux platform. These include the Linux.Encoder family which targets Linux-based web servers, and KeRanger which is based on the same code but has been recompiled to attack OS X targets.
In this post I’ll describe the most common techniques and tricks used by these malware variants, and explain the similarities that we’re seeing in almost every new variant that is reported in the wild. It’s also worth noting that most, if not all, victims are typically running fully-updated antivirus engines, and sometimes even anti-exploit and/or HIPS engines. Due to rapid changes in builds and versions of the malware used by the campaign’s creators, they repeatedly evade detection by traditional protections.
Ransomware campaigns are launched on a mass scale, and as such, use a variety of infection methods to generate a constant flux of new targets.
Spearphishing emails are (still) a very effective way of acquiring targets. In particular, ransomware is notorious for using Office files containing macros that will either load a PE file embedded in the document, or more commonly act as a first stage followed by a download of the actual payload from a remote server. We’ve seen numerous variants that use Word (Cryptowall, Cryptolocker) and Excel (Locky, TeslaCrypt) macros throughout our customer base. While macros are disabled by default on any Office version post 2007, the filename and text used in these files are often confusing to users. They often masquerade as “secure” and display a slick-looking text that drives many users to click the “enable macros” warning-yellow bar.
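The macro-laden Office attachments described above can be triaged statically before a user ever sees the “enable macros” bar. The following is an added example (not code from the original post): in the Office Open XML package format a VBA project is stored as a `vbaProject.bin` part (under `word/`, `xl/` or `ppt/`), and the package’s `[Content_Types].xml` declares a macro-enabled content type, so both are checked. The sample documents are minimal in-memory zip packages constructed for the example, not real files.

```python
"""Static check: does an Office Open XML document carry a VBA macro project?

Added example, not from the original post. Checks the OOXML package for a
vbaProject.bin part and for a macro-enabled content type declaration.
Legacy OLE (.doc/.xls) containers are recognised but not parsed here; they
need an OLE parser such as oletools' olevba.
"""
import io
import zipfile

MACRO_PART_SUFFIX = "vbaProject.bin"
MACRO_CONTENT_TYPE_MARKER = "macroEnabled"       # e.g. vnd.ms-word.document.macroEnabled.main+xml
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header of legacy .doc/.xls


def inspect_office_file(data):
    """Classify raw file bytes.

    Returns {'format': 'ooxml'|'ole'|'unknown', 'has_macro': True/False/None,
    'parts': [...]} where 'parts' lists the package entries that carry the
    evidence, and has_macro is None when the format cannot be judged here.
    """
    if data.startswith(OLE_MAGIC):
        return {"format": "ole", "has_macro": None, "parts": []}
    if not data.startswith(b"PK"):
        return {"format": "unknown", "has_macro": None, "parts": []}

    result = {"format": "ooxml", "has_macro": False, "parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Any vbaProject.bin part means a VBA project is present, whatever
        # the file extension says.
        result["parts"] = [n for n in names if n.endswith(MACRO_PART_SUFFIX)]
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_CONTENT_TYPE_MARKER in ctypes:
                result["parts"].append("[Content_Types].xml:macroEnabled")
        result["has_macro"] = bool(result["parts"])
    return result


def build_sample(with_macro):
    """Construct a minimal OOXML-like package in memory (constructed sample data)."""
    plain_ct = ("application/vnd.openxmlformats-officedocument."
                "wordprocessingml.document.main+xml")
    macro_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    content_types = ('<?xml version="1.0"?><Types><Override PartName="/word/document.xml" '
                     'ContentType="%s"/></Types>' % (macro_ct if with_macro else plain_ct))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA project
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("macro" if flag else "plain", inspect_office_file(build_sample(flag)))
```

The check keys on the package contents rather than the extension, so a macro-bearing document does not slip through simply because it was given a different name; a verdict of `None` means the file needs a different parser, not that it is clean.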
The use of exploit kits for drive-by download attacks is also widespread. Kits such as Angler have become a fully capable product/service that attackers can buy with ready-to-use exploits and delivery framework, or with actual targets. The Angler creators are very quick to create (or buy) exploits for every promising vulnerability that is discovered and not yet patched, sometimes within a couple of weeks of their disclosure. This fast turnaround allows attackers to exploit the window of opportunity before users, and especially companies, are able to deploy patches. This applies to any software component running on a machine: the OS, browsers, Flash, Java and so on. We’ve seen Angler (and sometimes Nuclear and Neutrino) deliver everything from Cryptowall to AlphaCrypt.
Another infection method which is also becoming more prevalent targets weaknesses in the network. For example, the recent SamSam campaign is targeting vulnerable JBoss application servers and uses known pentesting tools (which are essentially exploits) to take over those servers. This is somewhat of a shift towards targeted attacks. Once a foothold inside the network is established, the attackers attempt to collect credentials and move laterally using those credentials to install the actual SamSam payloads, and eventually get to the ransom stage.
Despite the fact that the amount of ransomware variants and associated signatures is enormous and growing rapidly, we have identified a number of repeating motifs that are shared by the majority of ransomware samples seen in the wild:
Persistence: Almost all ransomware attempts to persist, and in most cases involves very standard registry locations we’ve all grown to know from traditional malware (e.g., HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) and other registry keys that effectively allow a binary to autostart on reboots. We’ve also seen ransomware using the (somewhat naive) startup folder, Task Scheduler and most recently in a variant called Petya (which we’ll write more about in the next blog post) even overwriting the MBR itself (!). As a matter of fact, even simple script-based ransomware such as XRTN would still attempt to persist using this known location. This makes persistence a great place to focus on when detecting ransomware behaviors.
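Because the persistence locations are so predictable, they make a cheap detection point. Below is an added example (not code from the original post) that scores Sysmon-style endpoint events for autostart persistence: registry value writes under the Run/RunOnce and Winlogon keys (Event ID 13) and file drops into the Startup folder (Event ID 11). The `Key=Value|Key=Value` line format is an assumed, simplified rendering of those events, and the sample events are constructed rather than captured from a real infection.

```python
"""Flag autostart persistence in Sysmon-style registry and file-creation events.

Added example, not from the original post. Input is an assumed, simplified
'Key=Value|Key=Value' rendering of Sysmon Event ID 13 (RegistryEvent, value
set) and Event ID 11 (FileCreate). Sample events are constructed.
"""
import re

# Autostart registry locations abused for persistence. Sysmon renders
# HKEY_CURRENT_USER as HKU\<SID>, so match on the subkey path only.
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\"
    r"|\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$",
    re.IGNORECASE)

# Per-user and all-users Startup folders (the "somewhat naive" method).
STARTUP_FOLDER_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Locations and file types that legitimate autostart entries rarely point to.
SUSPICIOUS_TARGET_RE = re.compile(
    r"\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\|\.(vbs|js|bat|ps1|hta)\b",
    re.IGNORECASE)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=13|Image=C:\Users\alice\AppData\Local\Temp\inv0ice.exe"
    r"|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchost"
    r"|Details=C:\Users\alice\AppData\Local\Temp\inv0ice.exe",
    r"EventID=13|Image=C:\Windows\System32\wscript.exe"
    r"|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
    r"|Details=wscript.exe C:\ProgramData\update.vbs",
    r"EventID=11|Image=C:\Users\alice\Downloads\resume.exe"
    r"|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\resume.exe",
    r'EventID=13|Image=C:\Program Files\Vendor\setup.exe'
    r'|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray'
    r'|Details="C:\Program Files\Vendor\tray.exe"',
    r"EventID=13|Image=C:\Windows\explorer.exe"
    r"|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"
    r"|Details=DWORD (0x00000001)",
]


def parse_event(line):
    """Split 'Key=Value' pairs separated by '|' into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def assess_event(line):
    """Return a list of finding strings for one event (empty when benign)."""
    ev = parse_event(line)
    findings = []
    if ev.get("EventID") == "13" and AUTORUN_KEY_RE.search(ev.get("TargetObject", "")):
        details = ev.get("Details", "")
        if SUSPICIOUS_TARGET_RE.search(details):
            findings.append("autorun value points to suspicious path: " + details)
        else:
            findings.append("autorun value set: " + details)  # worth logging, lower priority
    elif ev.get("EventID") == "11" and STARTUP_FOLDER_RE.search(ev.get("TargetFilename", "")):
        findings.append("file dropped in Startup folder: " + ev["TargetFilename"])
    return findings


def scan(lines):
    """Map the index of each event with findings to its list of findings."""
    report = {}
    for idx, line in enumerate(lines):
        findings = assess_event(line)
        if findings:
            report[idx] = findings
    return report


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, findings)
```

Writes by an installer under Program Files are still reported, but at a lower priority than an entry pointing into a temp directory or at a script interpreter, which is the pattern the script-based families leave behind.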
Use of Windows Tools: In part due to evasion advantages, but mostly for convenience and development power, ransomware creators love Windows tools and especially script-based frameworks. These include PowerShell and Batch scripts, VB scripts, WMI and others. Did we say that ransomware creators love scripts? The actual use is quite varied and may cover persistence, Shadow Copy deletion, communication and even the encryption itself.
Damage: Ransomware is ultimately about damage, and making it as hard as possible to recover information, files and even the machine itself. Here’s what we’ve seen in order of importance:
Shadow Copy destruction: This is **extremely** common. Shadow copies allow users to easily recover files from a local backup based on Restore Points created by Windows. These are essentially complete snapshots taken at different times. Ransomware will commonly try to delete the local Shadow Copy by calling vssadmin.exe, the Shadow Copy (also called the Volume Snapshot Service) utility, with specific instructions that no backups are to remain. In the last year we’ve also seen the same mechanism being used through WMI, in an effort to evade detection by AV signatures. It is also important to note that for both the VSS utility as well as WMI, a User Account Control (UAC) pop-up will be presented to the user since both of these require high privileges. This however will often not stop users from going forward and enabling the encryption process.
Disabling Windows monitoring mechanisms: Ransomware will modify all sorts of monitoring-related mechanisms Windows supports, including:
- Disable System Restore, by creating the registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore with “DisableSR” as the entry and “1” as the value (there are other methods to accomplish this)
- Disable Safe mode, by invoking the “bcdedit” utility with the appropriate parameters
- Disable Recovery Mode and hide the boot menu options (using bcdedit)
- Stop the Windows Error Reporting (WER) service, and disable its autostart on future boots. We’ve seen this happen for Windows Defender and other Windows services as well.
Complicate system analysis attempts: We have repeatedly seen these techniques used in traditional malware and are now seeing them in almost every ransomware variant:
- Self-deletion: After executing, the ransomware will often delete the original file. We’ve also seen variants that delete the content of the infecting document.
- Kill attempts to run Task Manager and other common Windows tools such as regedit
- Anti-debugging, packing, and basically every other method we’ve seen before.
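The Shadow Copy destruction, the script/WMI variants of it, and the recovery-disabling steps listed under “Disabling Windows monitoring mechanisms” all surface as process creations with tell-tale command lines, which is where a behavioral detector can catch the damage stage before encryption starts. The following is an added example (not code from the original post) that matches those command lines in Sysmon-style process-creation events (Event ID 1) and scores a host by how many distinct tampering categories it has seen. The `Key=Value|Key=Value` line format is an assumed, simplified rendering of those events, and the sample events are constructed.

```python
"""Detect ransomware damage and defense-evasion commands in process-creation events.

Added example, not from the original post. Input is an assumed, simplified
'Key=Value|Key=Value' rendering of Sysmon Event ID 1 (ProcessCreate).
Sample events are constructed, not captured from a real infection.
"""
import re

# Each rule: (finding name, expected image basename, command-line pattern).
RULES = [
    ("shadow copy deletion (vssadmin)", "vssadmin.exe",
     re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("shadow copy deletion (WMI)", "wmic.exe",
     re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I)),
    ("shadow copy deletion (PowerShell/WMI)", "powershell.exe",
     re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I)),
    ("recovery/safe mode disabled (bcdedit)", "bcdedit.exe",
     re.compile(r"recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("System Restore disabled (DisableSR=1)", "reg.exe",
     re.compile(r"SystemRestore.*\bDisableSR\b.*\b1\b", re.I)),
    ("Windows Error Reporting service disabled", "sc.exe",
     re.compile(r"\b(config\s+WerSvc\b.*start=\s*disabled|stop\s+WerSvc\b)", re.I)),
]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\System32\vssadmin.exe|ParentImage=C:\Users\bob\AppData\Local\Temp\8f2a.exe"
    r"|CommandLine=vssadmin.exe delete shadows /all /quiet",
    r"EventID=1|Image=C:\Windows\System32\wbem\WMIC.exe|ParentImage=C:\Windows\System32\cmd.exe"
    r"|CommandLine=wmic shadowcopy delete",
    r"EventID=1|Image=C:\Windows\System32\bcdedit.exe|ParentImage=C:\Windows\System32\cmd.exe"
    r"|CommandLine=bcdedit /set {default} recoveryenabled No",
    r"EventID=1|Image=C:\Windows\System32\reg.exe|ParentImage=C:\Windows\System32\cmd.exe"
    r"|CommandLine=reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f",
    r"EventID=1|Image=C:\Windows\System32\vssadmin.exe|ParentImage=C:\Windows\System32\cmd.exe"
    r"|CommandLine=vssadmin list shadows",
    r"EventID=1|Image=C:\Windows\System32\sc.exe|ParentImage=C:\Windows\System32\cmd.exe"
    r"|CommandLine=sc config WerSvc start= disabled",
]


def parse_event(line):
    """Split 'Key=Value' pairs separated by '|' into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(win_path):
    """Lower-cased final component of a Windows path (works off-Windows too)."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(event):
    """Return the names of all rules matched by one parsed ProcessCreate event."""
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    return [name for name, exe, pattern in RULES if image == exe and pattern.search(cmdline)]


def score_host(lines):
    """Aggregate matches for one host; returns (severity, {rule name: count}).

    A single shadow-copy deletion is already a strong signal; combined with
    any recovery tampering it is the pattern most families share.
    """
    hits = {}
    for line in lines:
        for name in match_rules(parse_event(line)):
            hits[name] = hits.get(name, 0) + 1
    if any(n.startswith("shadow copy deletion") for n in hits) and len(hits) >= 2:
        severity = "critical"
    elif hits:
        severity = "high"
    else:
        severity = "none"
    return severity, hits


if __name__ == "__main__":
    print(score_host(SAMPLE_EVENTS))
```

Rules key on both the image name and the command line so that routine administration (listing shadow copies, for instance) does not fire; the UAC prompt the post mentions means the parent process and the user's consent are also worth recording alongside each hit.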
Where do we go now?
While the techniques described above can easily fill a handful of white papers, the variability between ransomware generations and even across ransomware families is fairly low. There are public resources that demonstrate these shared characteristics (sometimes graphically) between ransomware families such as CryptoWall (CryptoWall Tracker is an awesome resource as well).
By and large, most ransomware variants are incredibly similar from a dynamic execution standpoint (i.e. when we analyze their interaction with the OS). While we’re seeing an increasing stream of “creative” variants such as Petya, a set of tools that can monitor for and detect these “core” and “shared” behaviors can effectively prevent ransomware infections before they can cause damage.