Page 1:

Most Ransomware Isn’t As Complex As You Might Think

Yes, we should be able to detect most of it

Engin Kirda, Co-Founder and Chief Architect, Lastline Labs

Professor @ Northeastern University

Page 2:

Copyright ©2015 Lastline, Inc. All rights reserved.

My Background

• Professor at Northeastern University, Boston
  – Started malware research in about 2004
  – Helped build and release popular malware analysis and detection systems (Anubis, EXPOSURE, Wepawet, …)

• Co-founder of Lastline and Lastline Labs
  – Lastline offers protection against zero-day threats and advanced malware
  – Commercialization of many years of advanced research
  – Lastline Labs is the research and development arm of Lastline

Page 3:

Acknowledgements

• This work is partially based on a study that my Ph.D. student Amin Kharraz worked on
  – We recently published it at DIMVA 2015
  – “Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks”

Page 4:

Key Takeaways

• The majority of ransomware launches relatively straightforward attack payloads
  – Using bad cryptography, or standard cryptography libraries
  – Deleting files, but not wiping them off disk

• Compared to other malware, ransomware has very distinct, predictable behavior
  – Ransom notes with background behavior, change in entropy of files, iterating over large numbers of files, etc.

Page 5:

What We Will Discuss

• Significance of the ransomware threat
• Complexity and sophistication of attacks
• Attack mechanisms
• Main ransomware weaknesses
• Better mitigation

Page 6:

The Anatomy of An Attack

• A victim machine is compromised
  – Ransomware is installed
  – Once the attack payload is executed (if there is one), ransomware informs the victim of the attack
  – The victim needs to pay; otherwise, his/her data is kept hostage or destroyed

Page 7:

Page 8:

Page 9:

Ransomware Evolution

• The ransomware concept dates back to 1989
• Clearly, ransomware attacks have increased in numbers over the last 5 years
  – Many security reports talk about the sophistication and complexity of individual attacks
  – The general public is left with the impression that we are faced with a new threat that is very difficult or impossible to prevent

Page 10:

Page 11:

“Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million.”

– FBI Security Bulletin, June 2015

Page 12:

Page 13:

Complexity and Sophistication

• Typical way of measuring ransomware sophistication
  – Looking at evasion (e.g., packing, dynamic checks, encryption, etc.)
  – In this work, we are looking at the sophistication of the attack after compromise

Page 14:

A Closer Look at Ransomware

• 2006-2014
• 1359 samples
• 15 families (incl. Cryptolocker and Cryptowall)

Page 15:

Methodology

• Automated, dynamic analysis for all samples
• Manual analysis in some cases
• Verification of samples and cross-checking with VirusTotal
  – A sample is labeled as ransomware only if three or more scanners agree
• All samples showed ransomware behavior
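The "three or more scanners agree" rule from the methodology slide, as an added example of how such a consensus label is computed from multi-engine scan results. This is not the study's own tooling: the engine names, the detection strings and the small family-normalisation table are constructed for the example, in the style of VirusTotal reports.

```python
"""Consensus labeling: a sample counts as ransomware only if >= 3 engines agree.

Added example, not the study's tooling. Engine names, detection strings and the
family-normalisation table below are constructed (assumptions), modeled on the
style of VirusTotal scan reports.
"""
import re
from collections import Counter

# Substrings that commonly appear in vendor detection names for ransomware.
RANSOM_MARKERS = ("ransom", "locker", "crypt")

# Vendors spell families differently; map a few spellings onto one name (assumed table).
FAMILY_PATTERNS = {
    "cryptolocker": re.compile(r"crypto?[-_]?locker", re.I),
    "cryptowall": re.compile(r"crypto?[-_]?wall", re.I),
    "reveton": re.compile(r"reveton", re.I),
}


def is_ransom_label(label: str) -> bool:
    """True if a detection name looks ransomware-related."""
    low = label.lower()
    return any(marker in low for marker in RANSOM_MARKERS)


def family_of(label: str):
    """Normalised family name for a detection name, or None if no pattern matches."""
    for family, pattern in FAMILY_PATTERNS.items():
        if pattern.search(label):
            return family
    return None


def classify(scans: dict, threshold: int = 3):
    """scans maps engine name -> detection name (None means the engine saw it as clean).

    Returns (is_ransomware, family, agreeing_engines). The verdict needs at least
    `threshold` engines with a ransomware-looking label; family is the most common
    normalised family among those engines, or None if none of them names one.
    """
    agreeing = sorted(e for e, label in scans.items() if label and is_ransom_label(label))
    families = Counter(f for f in map(family_of, (scans[e] for e in agreeing)) if f)
    family = families.most_common(1)[0][0] if families else None
    return len(agreeing) >= threshold, family, agreeing


# Constructed reports (not real scan output).
REPORT_CONSENSUS = {
    "EngineA": "Trojan.Ransom.CryptoLocker",
    "EngineB": "Ransom:Win32/Crypto-Locker.A",
    "EngineC": "Trojan-Ransom.Win32.Blocker.xyz",   # ransomware, family not recognised
    "EngineD": "Generic.Malware.1234",              # detected, but not as ransomware
    "EngineE": None,                                # clean
}
REPORT_WEAK = {
    "EngineA": "Trojan.Ransom.Gen",
    "EngineB": "Generic.Trojan",
    "EngineC": None,
    "EngineD": "Win32.Heuristic",
}

if __name__ == "__main__":
    print(classify(REPORT_CONSENSUS))   # (True, 'cryptolocker', ['EngineA', 'EngineB', 'EngineC'])
    print(classify(REPORT_WEAK))        # (False, None, ['EngineA'])
```

The marker list is deliberately short; in practice "crypt" also matches miner and stealer names, so a real pipeline would tune the markers against its engines' naming schemes and, as the slide says, confirm the label by observing ransomware behavior in dynamic analysis rather than trusting the scanners alone.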

Page 16:

Ransomware Attack Payloads

Page 17:

Encryption Mechanisms

• About 5% of the samples use some encryption
  – Earlier samples often have custom encryption (which leads to mistakes)
  – Current popular families like Cryptolocker and Cryptowall use Windows crypto libraries
    • Is this sophistication, or just good software engineering?
  – Using strong crypto libraries is a double-edged sword for the attackers
    • Dynamic analysis can catch the use of these libraries

Page 18:

Deletion Mechanisms

• About 36% of the five common ransomware families in the data set delete files
  – Most deletion is straightforward
  – Master File Table (MFT) entries are manipulated, but the data remains on disk
  – Hence, recovery is possible in many cases
  – The MFT is an effective venue for detecting ransomware during analysis
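Why a metadata-only delete is recoverable, as an added example (not the study's tooling): signature carving scans the raw disk image for file headers and footers and never consults the file system's metadata, so a file whose MFT entry was removed but whose clusters were not overwritten is still found. The "disk image", the file bodies, the toy directory and the signature table are all constructed for the example.

```python
"""Recovering "deleted" files by signature carving.

Added example, not the study's tooling. The disk image, the file bodies, the toy
directory and the signature table are constructed for illustration.
"""

# header -> footer pairs for a few common types; the footer is kept in the carved output.
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff",      b"\xff\xd9"),
    "pdf":  (b"%PDF-",             b"%%EOF"),
}

MAX_FILE = 16 * 1024 * 1024   # bound the footer search so a missing footer cannot scan the whole image


def carve(image: bytes):
    """Return [(type, offset, data)] for every header with a matching footer, ordered by offset."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + MAX_FILE)
            if end < 0:                 # truncated or overwritten: skip this header
                pos = start + 1
                continue
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


# --- constructed "disk" -------------------------------------------------------
# Minimal stand-ins for file bodies: real signatures, arbitrary chunk bytes in between.
PNG_FILE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x10" * 17 + b"IEND\xaeB`\x82"
JPEG_FILE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x22" * 40 + b"\xff\xd9"

# Unallocated/slack filler chosen so it contains none of the signatures above.
DISK_IMAGE = b"\x00" * 512 + PNG_FILE + b"\xaa" * 300 + JPEG_FILE + b"\x00" * 256

# A toy directory: what the file system knows (name -> (offset, length)).
DIRECTORY = {
    "photo.png": (512, len(PNG_FILE)),
    "scan.jpg": (512 + len(PNG_FILE) + 300, len(JPEG_FILE)),
}


def delete_entry(directory: dict, name: str) -> dict:
    """Simulate a metadata-only delete: the entry disappears, the image is untouched."""
    return {k: v for k, v in directory.items() if k != name}


def recover_after_delete():
    """Delete both directory entries, then show carving still recovers both files intact."""
    remaining = delete_entry(delete_entry(DIRECTORY, "photo.png"), "scan.jpg")
    originals = {"png": PNG_FILE, "jpeg": JPEG_FILE}
    hits = [(kind, off, data == originals[kind]) for kind, off, data in carve(DISK_IMAGE)]
    return remaining, hits


if __name__ == "__main__":
    print(recover_after_delete())   # ({}, [('png', 512, True), ('jpeg', 853, True)])
```

Carving recovers data only while the clusters are intact: a sample that overwrites file contents before deleting, a file system that reuses the freed clusters, or an SSD that TRIMs them removes the evidence. Fragmented files also need the real MFT runlists rather than a header-to-footer scan, which is one reason the slide points at the MFT itself as the better place to watch during analysis.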

Page 19:

Locking Mechanisms

• Classic ransomware behavior: Lock the desktop of the computer
  – More than 60% of the samples simply use CreateDesktop to create a persistent new desktop
  – Another approach is to display an HTML page and disable components
• In all cases: A message is displayed to the victim
• Locking mechanisms are a nuisance, but the data is typically not harmed

Page 20:

Page 21:

Better Mitigation

Page 22:

Achilles’ Heel of Ransomware

• Ransomware has to inform the victim that an attack has taken place
  – Behavior inherent in its nature
• Ransomware has certain behaviors that are predictable
  – e.g., entropy changes, modal dialogs and background activity, accessing “honey” files
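The predictable behaviors named on this slide and in the Key Takeaways (entropy changes on rewritten files, iterating over large numbers of files, touching "honey" files) turned into a small behavioral detector, as an added example that is not Lastline's code. It walks a constructed trace of file operations and scores each process; the event format, the decoy path and the thresholds are assumptions chosen for the example.

```python
"""Scoring processes on the predictable ransomware behaviors the talk lists.

Added example, not Lastline code. It walks a constructed trace of file operations
and flags a process that rewrites many files whose entropy jumps to ciphertext
levels within a short window, or that touches a planted "honey" file. The event
format, the decoy path and the thresholds are assumptions.
"""
import math
from collections import Counter, defaultdict

HONEY_FILES = {"C:/Users/alice/Documents/_old/honey_invoice.docx"}   # decoy path (assumed)

ENTROPY_JUMP = 2.0   # bits/byte increase on a rewrite that counts as suspicious
HIGH_ENTROPY = 7.0   # bits/byte; encrypted output sits close to 8.0
BURST_FILES = 5      # this many suspicious rewrites of distinct files ...
BURST_WINDOW = 10.0  # ... within this many seconds is a burst


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(events):
    """events: dicts {t, pid, op, path, before, after}; op is 'read' or 'write'.

    Returns {pid: {suspicious_rewrites, burst, honey, verdict}}.
    """
    events = sorted(events, key=lambda e: e["t"])
    rewrites = defaultdict(list)    # pid -> [(t, path)] with a ciphertext-like entropy jump
    honey_hits = defaultdict(set)   # pid -> decoy paths it touched
    for ev in events:
        pid = ev["pid"]
        if ev["path"] in HONEY_FILES:
            honey_hits[pid].add(ev["path"])
        if ev["op"] != "write":
            continue
        before = shannon_entropy(ev.get("before") or b"")
        after = shannon_entropy(ev.get("after") or b"")
        # Require a jump, not just a high value: zip/jpeg content is already ~8 bits/byte.
        if after >= HIGH_ENTROPY and after - before >= ENTROPY_JUMP:
            rewrites[pid].append((ev["t"], ev["path"]))

    report = {}
    for pid in {e["pid"] for e in events}:
        hits = rewrites.get(pid, [])
        burst = False
        for i in range(len(hits)):            # sliding window over time-ordered hits
            j = i
            while j < len(hits) and hits[j][0] - hits[i][0] <= BURST_WINDOW:
                j += 1
            if len({path for _, path in hits[i:j]}) >= BURST_FILES:
                burst = True
                break
        honey = bool(honey_hits.get(pid))
        report[pid] = {"suspicious_rewrites": len(hits), "burst": burst,
                       "honey": honey, "verdict": burst or honey}
    return report


# --- constructed trace ----------------------------------------------------------
PLAINTEXT = b"Quarterly revenue summary: north 12.4%, south 9.8%; notes follow. " * 4
CIPHERTEXT = bytes(range(256)) * 2      # stand-in for encrypted output (entropy exactly 8.0)
DOCS = "C:/Users/alice/Documents/"

TRACE = [
    # benign editor: rewrites one document, content stays low-entropy text
    {"t": 0.0, "pid": 1001, "op": "write", "path": DOCS + "report.docx",
     "before": PLAINTEXT, "after": PLAINTEXT + b" Edited."},
    # benign archiver: already-compressed data, high entropy before and after (no jump)
    {"t": 0.2, "pid": 1002, "op": "write", "path": DOCS + "backup.zip",
     "before": CIPHERTEXT, "after": CIPHERTEXT},
    # ransomware-like process: reads the decoy, then rewrites six files as ciphertext
    {"t": 0.5, "pid": 4242, "op": "read", "path": next(iter(HONEY_FILES)),
     "before": None, "after": None},
] + [
    {"t": 1.0 + i, "pid": 4242, "op": "write", "path": DOCS + f"file{i}.docx",
     "before": PLAINTEXT, "after": CIPHERTEXT}
    for i in range(6)
]

if __name__ == "__main__":
    for pid, result in sorted(analyze(TRACE).items()):
        print(pid, result)
```

Two design points matter in practice. The entropy rule looks at the change per file rather than the absolute value, because compressed documents and media are already near 8 bits per byte and an absolute threshold would flag every archiver. The honey-file rule is independent of the crypto used: a family with custom, weak encryption that does not push entropy to ciphertext levels still trips it when it iterates over the decoy while walking the user's directories.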

Page 23:

Example: Dissecting Cryptolocker

• Analysis Overview

Page 24:

Example: Dissecting Cryptolocker

• Loaded libraries…

Page 25:

Key Takeaways

• The majority of ransomware launches relatively straightforward attack payloads
  – Using bad cryptography, or standard cryptography libraries
  – Deleting files, but not wiping them off disk

• Compared to other malware, ransomware has very distinct, predictable behavior
  – Ransom notes with background behavior, change in entropy of files, iterating over large numbers of files, etc.

Page 26:

THANK YOU!