
Turns Out Ransomware Variants Aren’t That Unique After All

Upload: sarah-vanier

Post on 26-Jan-2017


Page 1: Turns Out Ransomware Variants Aren't That Unique After All


Page 2

In this SlideShare we will discuss:

1. The most common techniques and tricks used by malware variants

2. The similarities between almost every new variant that is reported in the wild

3. How they bypass fully-updated antivirus engines, and sometimes even anti-exploit and/or HIPS engines

Page 3

Infection Methods

Ransomware campaigns are launched on a mass scale and, as such, use a variety of infection methods to generate a constant flux of new targets.

Page 4

Spear Phishing Emails

Spear phishing emails are (still) a very effective way of acquiring targets:

• They commonly act as a first stage, followed by a download of the actual payload from a remote server

• Will often target Microsoft Office applications like Word (Cryptowall, Cryptolocker) and Excel (Locky, TeslaCrypt)

• Can masquerade as “secure” and display slick-looking text that drives many users to click the yellow “enable macros” warning bar

Page 5

Exploit Kits

The use of exploit kits for drive-by download attacks is also widespread:

• Kits such as Angler have become a fully capable product/service that attackers can buy, with ready-to-use exploits and a delivery framework

• Fast turnaround allows attackers to exploit the window of opportunity before users, and especially companies, are able to deploy patches

• Identifies vulnerabilities in the OS, browsers, Flash, Java and more

Page 6

Targeting the Weak

Another infection method that is becoming more prevalent targets weaknesses in the network:

• Somewhat of a shift towards targeted attacks

• Attackers attempt to collect credentials and move laterally using those credentials to install the actual payloads

• Uses known tools (which are essentially exploits) to take over servers

Page 7

Ransomware Techniques

Despite the fact that the number of ransomware variants and associated signatures is enormous and growing rapidly, we have identified a number of repeating motifs that are shared by the majority of ransomware samples seen in the wild:

Page 8

Persistence

Almost all ransomware attempts to persist:

• Usually involving very standard registry locations we’ve all grown to know from traditional malware (e.g., HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run)

• Other registry keys that effectively allow a binary to autostart on reboots

• Ransomware has also been seen using Task Scheduler, simple script-based approaches (such as XRTN), and even overwriting the MBR itself

Page 9

Use of Windows Tools

Ransomware creators love Windows tools and especially script-based frameworks, including:

• PowerShell

• Batch scripts

• VB scripts

• WMI

• Many others

Page 10

Shadow Copy Destruction

Ransomware is ultimately about damage, and making it as hard as possible to recover information, files and even the machine itself.

• Ransomware will commonly try to delete the local Shadow Copies by calling vssadmin.exe, the Volume Shadow Copy Service (VSS, also called the Volume Snapshot Service) utility, with specific instructions that no backups are to remain

• In an effort to evade detection by AV signatures, the same mechanism has been used through WMI

• For both the VSS utility and WMI, a User Account Control (UAC) prompt will be presented to the user, since both of these require high privileges

Page 11

Disabling Windows Monitoring Mechanisms

Ransomware will modify all sorts of monitoring-related mechanisms Windows supports, including:

• Disable System Restore

• Disable Safe mode, by invoking the “bcdedit” utility with the appropriate parameters

• Disable Recovery Mode and hide the boot menu options

• Stop the Windows Error Reporting (WER) service, and disable its autostart on future boots

Page 12

Disabling Windows Monitoring Mechanisms

Complicate system analysis attempts

• Self-deletion: after executing, the ransomware will often delete its original file

• Killing attempts to run Task Manager and other common Windows tools such as regedit

• Anti-debugging, packing, and basically every other method we’ve seen before.

Page 13

Where Do We Go Now?

The variability between ransomware generations, and even across ransomware families, is fairly low, and most ransomware variants are incredibly similar from a dynamic execution standpoint.

While we’re seeing an increasing stream of “creative” variants, a set of tools that can monitor for and detect these “core” and “shared” behaviors can effectively prevent ransomware infections before they can cause damage.
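As an added, defender-side example (not code from the original deck), the following Python classifies process command lines against the shared behaviours described on the Persistence, Shadow Copy Destruction and Disabling Windows Monitoring Mechanisms slides: Run-key persistence, shadow copy deletion via vssadmin or WMI, bcdedit changes to Safe mode and recovery, stopping the WER service, and killing Task Manager or regedit. The rule names, regular expressions and sample telemetry are constructed; the host score counts distinct behaviours, following the deck's point that it is the co-occurrence of these core behaviours, not any single command, that identifies ransomware.

```python
import re

# Added, defender-side example (not from the original deck). Each rule pairs a
# constructed behaviour name with a pattern over a process command line, as seen
# in process-creation telemetry such as Sysmon Event ID 1 or Windows 4688.
RULES = [
    ("shadow_copy_destruction", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_destruction", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("safe_mode_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("wer_service_stopped", re.compile(r"\b(sc(\.exe)?\s+(stop|config)|net(\.exe)?\s+stop)\b.*\bwersvc\b", re.I)),
    ("run_key_persistence", re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run(Once)?\b", re.I)),
    ("analysis_tool_killed", re.compile(r"\btaskkill(\.exe)?\b.*\b(taskmgr|regedit)(\.exe)?\b", re.I)),
]

def classify(cmdline):
    """Return the behaviour names matched by one command line (in rule order)."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan_events(events):
    """Map pid -> matched behaviours for every event that hit at least one rule."""
    hits = {}
    for ev in events:
        matched = classify(ev["cmdline"])
        if matched:
            hits[ev["pid"]] = matched
    return hits

def host_score(events):
    """Count distinct behaviours seen on a host. The deck's point is that these
    behaviours co-occur, so two or more together is a far stronger ransomware
    signal than any one command line, which may be a legitimate admin action."""
    return len({rule for rules in scan_events(events).values() for rule in rules})

# Constructed sample telemetry: one benign process, one legitimate admin query
# that must not match, and three of the shared behaviours from the deck.
SAMPLE_EVENTS = [
    {"pid": 1044, "cmdline": "explorer.exe"},
    {"pid": 3001, "cmdline": "vssadmin.exe list shadows"},
    {"pid": 2210, "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 2215, "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"pid": 2218, "cmdline": "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\Public\\upd.exe"},
]

if __name__ == "__main__":
    for pid, rules in scan_events(SAMPLE_EVENTS).items():
        print(pid, rules)
    print("distinct behaviours:", host_score(SAMPLE_EVENTS))
```

In production the same rules would run over live process-creation events and the score would be kept per host over a short time window, so that a lone administrator running vssadmin does not page anyone.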

Page 14

Thank You!

To learn more, check out our On-Demand webinar, Ransomware is (Still) Here: What To Do