Every week we hear of several new high profile ransomware incidents affecting hospitals, schools, businesses and government. It’s gotten so bad that cybersecurity agencies in the U.S. and Canada recently issued an alert about the growing number of ransomware attacks affecting health care organizations. Clearly ransomware attackers are winning. Why?
First, it’s important to understand, that most (if not all) ransomware victims are typically running fully-updated antivirus engines, and sometimes even anti-exploit and/or HIPS engines. The problem is, rapid changes made in the builds and versions of the malware used in ransomware campaigns creators allows the code to repeatedly evade detection by traditional security measures.
To make matters worse, non-Windows variants have begun to emerge, notably on the Mac OS X and Linux platforms. These include the Encoder family which targets Linux-based web servers, and KeRanger which is based on the same code but has been recompiled to attack OS X targets.
The root of the ransomware problem lies in our reliance on signature-based detection techniques.
The methods attackers use to infect victims are well-known, very effective and difficult to eliminate no matter how end-user education and patching organizations perform. These include spearphishing emails and silent drive-by downloads that use exploit kits to take advantage of system vulnerabilities. Or more recently have taken a network-based approach, like the SamSam campaign, that targets vulnerable JBoss application servers, using accessible pentesting tools. Once inside the network the attackers collect credentials to install the actual payloads, and eventually get to the ransom stage.
It’s All About Behaviors
If signature-based techniques aren’t able to detect ransomware, what else can we do? Well, despite the fact that the number of ransomware variants and associated signatures is enormous and growing rapidly, there are small number of repeating motifs that are shared by the majority of ransomware samples seen in the wild. By looking for behaviors, instead of signatures, we can stop ransomware before it executes.
Here are some of the common behaviors most ransomware (and malware) share:
Almost all ransomware attempts to persist on a system, meaning that it will remain active in the event of a reboot. In most cases, ransomware authors use very similar registry locations as those used by traditional malware that effectively allow a binary to autostart on reboots. Some even use the startup folder and Task Scheduler. The new Petya variant which encrypts the entire system (not just files) overwrites the master boot record (MBR) itself. This makes persistence a great place to focus on when detecting ransomware behaviors.
In part due to evasion advantages, but mostly for convenience and development power, ransomware creators love Windows tools and especially script-based frameworks. These include Powershell and Batch scripts, VB scripts, WMI and others. These are used in a variety of ways including persistence, Shadow Copy deletion, communication and even the encryption itself.
Ultimately, ransomware is designed to do damage, and make it as hard as possible to recover information, files and even the machine itself. Here’s a sample of destruction behaviors commonly exhibited by ransomware:
Shadow Copy Destruction
This is **extremely** common. Shadow copies allow users to easily recover files from a local backup based on Restore Points created by Windows. These are essentially complete snapshots taken at different times. Ransomware will commonly try to delete the local Shadow Copy by calling vssadmin.exe, the Shadow Copy (also called the Volume Snapshot Service) utility, with specific instructions that no backups are to remain.
Disabling Windows Monitoring mechanisms
Ransomware will modify all sorts of monitoring-related mechanisms Windows supports, including:
● Disable System Restore
● Disable Safe mode
● Disable Recovery Mode and hide the boot menu options
● Stop the Windows Error Reporting (WER) service
● Disable its autostart on future boots
Complicate System Analysis
Examples include “self-deletion” where after executing the ransomware, the attack will often delete the original file, or delete the content of the infecting document. “Kill” which attempts to run Task Manager and other common Windows tools such as regedit. Or anti-debugging, packing, etc.
Although it may seem counter intuitive, most ransomware variants are incredibly similar in the methods they use to interact with the operating system of the target device. Therefore, even though ransomware authors continue to create a steady stream of new variants such as Petya, we have an ace in the hole. By monitoring for and detecting the underlying and shared behaviors of malware we can effectively stop ransomware infections before they can cause damage.