Monday, August 1, 2016

Fighting Ransomware Threats

I wrote a little bit about Ransomware general view and Ransomware general infection methods here.
Today, after some more months working on the field and after having meet much more Ransomware than I thought, I'd like to write a little bit about how to "fight them".

Before starting the review of some of the most known strategies to fight Ransomware let me explain why nowadays Ransomware are not "fair" as they were few months ago. Indeed while back at the beginning of 2016 Ransomware writers would assure your data back once paid the ransom, today's Ransomware writers don't assure it (there are several  paid ransoms with unrecovered files examples just few of them: here, here and here ).  This situation has been made possible by users who paid the ransoms during the past months. Those users arose the Ransomware ecosystem reputation by increasing the trust of entire supply chain.  

For example we experienced many infected users saying:
"Ok, I took a ransomware and my backup sucks. Let's pay the ransom, it only asks for few bucks. I'll pay more attention next time!"

This user' behaviour increased the Ransomware reputation such as today nobody doubts about paying the ransom and getting back own files. This "well reputation" made possible for "not super skilled" attackers and/or to attackers who wanted to make quick money, to implement "half of the Ransomware (without decryption module)". This made very angry the whole Ransomware 's writer community (which happens to be a professional community) who actually is divided into two main parties: the one who wants to increase the Ransomware reputation by giving back files once the ransom has been payed (usually Ransomware as a service writers) and the one who exploits the Ransomware community reputation writing quick and dirty Ransomware (available on black market as a service as well) who actually wont give back files once the ransom has paid (usually single hosted Ransomware).

Ok, nice story but how do we fight them ?

Today there are two main known strategies so far:
  1. Try to block the ransomware infection before it "fires up".
  2. Try to detect it before it can create a real "damage".
I wont write about prevention on this "post" but just about mitigation. So I assume the Ransomware is already landed on the victim's machine.

Methods to try to block a Ransomware infection before it "fires up".
Three main methods to try to block a Ransomware infection assuming the Malware already landed into victim's PC are implemented so far:

1. Signature Based (AV) Approach. 
As common virus the known Ransomware own signatures. If the signature (that could be static ore dynamic) matches the sample file, the sample itself is blocked and trashed away.
This is the romantic approach that will work only for known ransomware. Useless in today's technology.

2. Policy Based Approach.
Files executable could not be run from every folder (for example from the eMail folder or from temporary folders)
It could be a first and important way to "decelerate" the infection rate. In fact many infections happen through "avid clickers" who open untrusted email and/or click on untrusted links. Having them to move the "downloaded file" or to copy the malicious attachment to another destination often helps the "avid clickers" to get distracted and to not get infected.

3. CallBack Based approach.
Every recent Ransomware needs to comunicate to external servers to get  encryption key or to communicate the infection to the attacker and later on to get back the decryption key. A primitive approach is to detect the callback and to block it avoiding the initial communication.
This approach is hard in the real life since the communication methods can be very brilliant and innovative. Indeed the communication to command and control could be (just for example) end-to-end encrypted and/or the contacting addresses could be a legitimate hacked domain.

Methods to try to detect it before it can create a real "damage"
Some of the main methods implemented by commercial products try to block the Ransomware Infection once it has been fired up. Following the most implemented strategies. 

1. Flag processes who read and write too many files too quickly. 
This method, is used by MalwareBytes AntiRansomware which is based on Nathan Scott's CryptoMonitorIt counts how often untrusted processed have modified “a certain number of personal files, under a certain time.” A similar method implemented by Adam Kramer’s hande_monitor tool on the frequency with which processes create handles through which they can access files.
Implementing this method solo could have a tons of false positives (and white/black listing on them). Let's image DropBox process or GoogleDrive during a sync phase. How many file does it modify/delete/create and how quickly does it ? Or CAD software who constantly saves tons of partial rendered piece of files before assembling them ? It's clear that this strategy solo is not gonna work.
2. Flag processes that changes file's entropy values.
Encrypted files tend to have a more uniform distribution of byte values than other files. Their contents are more uniform. Our tool could compare the file’s entropy before and after the change. If a modified file has higher entropy, it might have gotten encrypted, indicating that the responsible process might be ransomware. 
Implementing this method solo you might find issues on real encrypted files and/or on compressed files who tend to have a while flat ad uniform distribution of charset.

3. Flag processes who change entropy of selected "untouchable" files.
Specific canary files are dynamically injected into hidden or not hidden folders and monitored. If a process tries to modify them, the process will be considered as malicious.
Implementing this method solo could generate false positives since an unsuspecting user could open the canary file at any time.

4. SyncHoling folders.
By creating a nested tree of recursive folders to trap single processes Ransomware who will loop into it by consuming a lot of resources but without encrypting any real user file.
Once the process (Ransomware process) is identified by one or more techniques as expressed above the system could kill it or suspend it (putting it in holding mode) asking to user what to do.


Ransomware infections are one of the most spread threats in todays' Internet (foreground internet). They have been evolved over years (a super great paper on the Ransomware evolution could be found here) since the last evolution defined Ransomworm (conied at the beginning of 2016), which includes self propagating skills, such as for example: infecting public accessible folders and/or running vulnerability scanning on network machine for known exploitable vulnerabilities which will be used in order to propagate itself. The following image shows the activity of used bitcoin address in a Ransomware campaign. As you might observe the average time frame of a Bitcoin address used in a Ransomware fraud is between 0 to 5 days which makes super hard to catch the owner by cross-correlation over multiple transitions.

Figure 1: The duration of activity for Bitcoin addresses. Approximately 50% of Bitcoin addresses have zero to five days of active life (from here).

Nowadays there are plenty quick fixes that promise to solve the issue but not a real solver has been released to public (at least as far as I know) so far. At this point I wont give you the consolidated suggestion to keep up to date your OS and to download the last AntiVirus Engine because it really do not matter at all. Apply the policies, inform your users about this threat and stay tuned, the answer to such a threat will come and something will happen in the Anti Malware market soon :)  .

No comments: